Show HN: A MitM proxy to see what your LLM tools are sending
github.com141 points by jmuncor 11 hours ago
141 points by jmuncor 11 hours ago
I built this out of curiosity about what Claude Code was actually sending to the API. Turns out, watching your tokens tick up in real-time is oddly satisfying.
Sherlock sits between your LLM tools and the API, showing you every request with a live dashboard, and auto-saved copies of every prompt as markdown and json.
This tool looks like it unconditionally disables tls verification for upstream requests. It shells out to mitmproxy with
"--set", "ssl_insecure=true" This took all of 5 minutes to find reading through main.py on my phone. https://github.com/jmuncor/sherlock/blob/fb76605fabbda351828... Edit: In case it’s not clear, you should not use this. As someone who just set up mitmproxy to do something very similar, I wish this would've been a plugin/add-on instead of a standalone thing. I know and trust mitmproxy. I'm warier and less likely to use a new, unknown tool that has such broad security/privacy implications. Especially these days with so many vibe-coded projects being released (no idea if that's the case here, but it's a concern I have nonetheless). Agee! This was a fun project that I build because it is so hard to understand what "really" is in you context window... What do you mean by plugin/add-on? Add-on to what? Thinking of what to add to it next... Maybe security would be a good direction, or at least visibility of what is happening to the proxy's traffic. Addon to mitmproxy:
https://docs.mitmproxy.org/stable/addons/overview/ Looks like it's implemented that way already? https://github.com/jmuncor/sherlock/blob/fb76605fabbda351828... What would you think of simply using an http relay for all providers? Would that make you feel better secutity wise? also could extend the tool to change the context you are sending and make it more granular to what you want/need... This is great. When I work with AI on large, tricky code bases I try to do a collaboration where it hands off things to me that may result in large number of tokens (excess tool calls, unprecise searches, verbose output, reading large files without a range specified, etc.). This will help narrow down exactly which to still handle manually to best keep within token budgets. Note: "yourusername" in install git clone instructions should be replaced. I had a similar problem, and when claude code (or codex) is running in sandbox, i wanted to put a cap or get notified on large contexts. especially, because once x0K words crossed, the output becomes worser. https://github.com/quilrai/LLMWatcher made this mac app for the same purpose. any thoughts would be appreciated I've been trying to get token usage down by instructing Claude to stop being so verbose (saying what it's going to do beforehand, saying what it just did, spitting out pointless file trees) but it ignores my instructions. It could be that the model is just hard to steer away from doing that... or Anthropic want it to waste tokens so you burn through your usage quickly. Simply assert that : you are a professional (insert concise occupation). Be terse. Skip the summary. Give me the nitty-gritty details. You can send all that using your AI client settings. Would you mind sharing more details about how you do this? What do you add to your AI prompts to make it hand those tasks off to you? Hahahah just fixed it, thank you so much!!!! Think of extending this to a prompt admin, Im sure there is a lot of trash that the system sends on every query, I think we can improve this. You don't need to mess with certificates - you can point CC at a HTTP endpoint and it'll happily play along. If you build a DIY proxy you can also mess with the prompt on the wire. Cut out portions of the system prompt etc. Or redirect it to a different endpoint based on specific conditions etc. Have you tried this with Gemini? or Codex? Have tried with gemini-cli and claude-code both, it works, honestly, it should work with most if not all cli clients Working on this feature right now!! Thank you for the suggestion, will start the branch for it... Whent think of improving the context window usage, now that with an http relay we can start thinking of intercepting the context window, anything that you think could be cool to implement? This is incredibly useful for understanding the black box of LLM API calls. The real-time token tracking is game-changing for debugging why certain prompts are so expensive and optimizing context window usage. Having the markdown/JSON exports of every request makes it trivial to iterate on prompt engineering. Nice work! I'm sure the data gleaned here is illuminating for many users. I'm surprised that there isn't a stronger demand for enterprise-wide tools like this. Yes, there are a few solutions, but when you contrast the new standard of "give everyone at the company agentic AI capabilities" with the prior paradigm of strong data governance (at least at larger orgs), it's a stark difference. I think we're not far from the pendulum swinging back a bit. Not just because AI can't be used for everything, but because the governance on widespread AI use (without severely limiting what tools can actually do) is a difficult and ongoing problem. I had to vibe code a proxy to hide tokens from agents (https://github.com/vladimirkras/prxlocal) because I haven’t found any good solution either. I planned to add genai otel stuff that could be piped into some tool to view dialogues and tool calls and so on, but I haven’t found any good setup that doesn’t require lots of manual coding yet. It’s really weird that there are no solutions in that space. nice, I'm working on something similar with macroons so the tokens can be arbitrarily scopes in time and capability too. Mine uses an Envoy sidecar on a sandbox container. Yes, I was just thinking about how, as engineers, we're trained to document every thought that has ever crossed our minds, for liability and future reference. Yet once an LLM is done with its task, the "hit by a bus" scenario takes place immediately. Could you use an approach like this much like a traditional network proxy, to block or sanitise some requests? E.g. if a request contains confidential information (whatever you define that to be), then block it? I do kinda the opposite where I run my AI in a sandbox. it sends dummy tokens to APIs. the proxy then injects the real creds. so, the AI never has access to creds. https://clauderon.com/ -- not really ready for others to use it though That looks great! Any plans on allowing exports to OpenTelemetry apps like Arize Phoenix? I am looking for ways to connect my Claude Code using Max plan (no API) to it and the best I found was https://arize.com/blog/claude-code-observability-and-tracing..., but it seems kinda overweight. Yeah would love this for logfire Something like sherlock start --otel-endpoint? Yes. It can get a bit more complex as some otels require authentication. You can check Pydantic AI Gateway, Cloudflare AI Gateway or LiteLLM itself. They do similar things. One advantage of yours would be simplicity. interesting that you chose to go the MITM way. https://github.com/quilrai/LLMWatcher here is my take on the same thing, but as a mac app and using BASE_URL for intercepting codex, claude code and hooks for cursor. Pretty slick. I've been wanting something like this that gets stored with a hash that is stored in the corresponding code change commit message. It'd be good for postmortems of unnoticed hallucinations, and might even be useful to "revive" the agent and see if it can help debug the problem it created. I understand this helps if we have our own LLM run time. What if we use external services like ChatGPT / Gemini (LLM Providers)? Shouldn't they provide this feature to all their clients out of the box? This works with claude code and codex... So you can use with any of those, you dont need a local llm running... :) Dang how will Tailscale make any money on its latest vibe coded feature [0] when others can vibe code it themselves? I guess your SaaS really is someones weekend vibe prompt. That's what LLMs enabled. Faster prototyping. Also lots of exposed servers and apps. It's never been more fun to be a cyber security researcher. I think it just has been more fun being into computers overall! It's interesting because if you're into computers it's more accessible than ever and there are more things you can mess with more cheaply than ever. I mean we have some real science fiction stuff going on. At the same time it's probably different for the newer generations. Computers were magical to me and a lot of that was because they were rare. Now they are everywhere, they are just a backdrop to everything else going on. I agree, I remember when the feed forward NN were the shit! And now the LLMs are owning, I think this adoption pattern will start pulling a lot of innovations on other computer science fields. Networking, for example. But the ability to have that peer programer next to you makes it so much more fun to build, when before you had to spend a whole day debugging something, Claude now just helps you out and gives you time to build. Feels like long roadtrips with cruise control and lane keeping assist! So is it just a wrapper around MitM Proxy? > So is it just a wrapper around MitM Proxy? Yes. I created something similar months ago [*] but using Envoy Proxy [1], mkcert [2], my own Go (golang) server, and Little Snitch [3]. It works quite well. I was the first person to notice that Codex CLI now sends telemetry to ab.chatgpt.com and other curiosities like that, but I never bothered to open-source my implementation because I know that anyone genuinely interested could easily replicate it in an afternoon with their favourite Agent CLI. [1] https://www.envoyproxy.io/ [2] https://github.com/FiloSottile/mkcert [3] https://www.obdev.at/products/littlesnitch/ [*] In reality, I created this something like 6 years ago, before LLMs were popular, originally as a way to inspect all outgoing HTTP(s) traffic from all the apps installed in my macOS system. Then, a few months ago, when I started using Codex CLI, I made some modifications to inspect Agent CLI calls too. Curious to see how you can get Gemini fully intercepted. I've been intercepting its HTTP requests by running it inside a docker container with: -e HTTP_PROXY=http://127.0.0.1:8080 -e HTTPS_PROXY=http://host.docker.internal:8080 -e NO_PROXY=localhost,127.0.0.1 It was working with mitmproxy for a very brief period, then the TLS handshake started failing and it kept requesting for re-authentication when proxied. You can get the whole auth flow and initial conversation starters using Burp Suite and its certificate, but the Gemini chat responses fail in the CLI, which I understand is due to how Burp handles HTTP2 (you can see the valid responses inside Burp Suite). Gemini CLI is open source. Don't need to intercept at the network when you can just add inspectGeminiApiRequest() in the source. (I suggest it because I've been maintaining a personal branch with exactly that :) Tried with gemini and gave more headaches than anything else, would love if you can help me adding it to sherlock... I use claude and gemini, claude mainly for coding, so wanted to set it up first. With gemini, ran into the same problem that you did... Kind of yes... But with a nice cli so that you don't have to set it up just run "sherlock claude" and "sherlock start" on two terminals and everything that claude sends in that session then it will be stored. So no proxy set up or anything, just simple terminal commands. :) This is fantastic. Claude doesn't make it easy to inspect what it's sending - which would actually be really useful for refining the project-specific prompts. Love you like it!! Let me know any ideas to improve it... I was thining in the direction of a file system and protocol for the md files, or dynamic context building. But would love to hear what you think. Nice work! Do i need to update Claude Code config after start this proxy service? Nope... You just run "sherlock claude" and that sets up the proxy for you. So you dont have to think about it... And just use claude normally, every prompt you send in that session will be stored in the files. What about SSL/certificates ? I didn't understand the quesion I am sorry. I also assumed Claude Code would need some kind of cert nudging to accept a proxy. But it's in the README: Prompt you to install it in your system trust store lmao WTAF is this? build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/build/lib/sherlock That is what you would call vibe-ception... Hahahahah correcting it now! hahahahahahahaha!!
catlifeonmars - an hour ago
ctippett - 5 hours ago
jmuncor - 5 hours ago
mikehotel - 4 hours ago
Retr0id - an hour ago
jmuncor - 3 hours ago
EMM_386 - 8 hours ago
winchester6788 - 3 hours ago
cedws - 6 hours ago
egberts1 - 4 hours ago
kej - 7 hours ago
jmuncor - 7 hours ago
Havoc - 7 hours ago
jmuncor - 6 hours ago
thehamkercat - 6 hours ago
jmuncor - 3 hours ago
asyncadventure - an hour ago
david_shaw - 8 hours ago
LudwigNagasena - 7 hours ago
dtkav - an hour ago
daxfohl - 4 hours ago
maxkfranz - an hour ago
shepherdjerred - 24 minutes ago
vitorbaptistaa - 3 hours ago
cetra3 - 2 hours ago
jmuncor - 2 hours ago
vitorbaptistaa - an hour ago
winchester6788 - 3 hours ago
daxfohl - 4 hours ago
the_arun - 5 hours ago
jmuncor - 2 hours ago
FEELmyAGI - 7 hours ago
3abiton - 7 hours ago
jmuncor - 7 hours ago
pixl97 - 7 hours ago
jmuncor - 6 hours ago
mrbluecoat - 8 hours ago
guessmyname - 8 hours ago
tkp-415 - 8 hours ago
paulirish - 6 hours ago
jmuncor - 7 hours ago
jmuncor - 7 hours ago
elphard - 6 hours ago
jmuncor - 6 hours ago
alickkk - 8 hours ago
jmuncor - 7 hours ago
andrewstuart - 7 hours ago
jmuncor - 6 hours ago
actionfromafar - 5 hours ago
lifetimerubyist - 3 hours ago
jmuncor - 3 hours ago