WatchTower

Cost tracking + security scanning for AI builders

Documentation

Watchtower MCP

The pre-deploy security gate for vibe-coded apps. It doesn't ask whether your Supabase RLS exists — it logs in as a random user and as the anonymous role and proves whether they can read your other users' data, right inside Claude Code, before you ship.

No URL to paste. No data uploaded. No deploy required. Runs locally in your Claude Code agent loop.

Most scanners flag. Watchtower proves.

Commodity scanner   →   ⚠  "RLS may not be enabled on `profiles`."

Watchtower          →   [CRIT] [PROVEN] the anon role read rows from `profiles`
                        belonging to other accounts — RLS is not isolating users.
                        [CRIT] [PROVEN] the OpenAI key in src/config.ts returned
                        HTTP 200 from the vendor — it is LIVE. Rotate it now.

It runs a live, read-only, rolled-back cross-tenant probe against your database — the CVE-2025-48757 class, where 170+ apps leaked their user tables because RLS was "present" but never actually enforced — and it verifies whether a leaked key is real by calling that key's own vendor. (It also tracks your real Claude Code spend, so deploy day isn't an $8k surprise either.)

Read-only. Local-first. MIT — audit the source. No account. Nothing leaves your machine, except the opt-in key check, which calls only each key's own vendor. The probe can READ, never WRITE — every check is a rolled-back transaction.

Install

npm install -g watchtower-mcp

Add to your Claude Code MCP config (~/.claude/settings.json):

{
  "mcpServers": {
    "watchtower": {
      "command": "watchtower-mcp"
    }
  }
}

Restart Claude Code. You now have 9 tools available.

Tools

Cost Tracking

ToolWhat it does
watchtower_sync_usageImport real token usage automatically from Claude Code's own session logs (~/.claude/projects). Accurate, no manual logging. Run it anytime — already-imported events are skipped.
watchtower_spendView spending (today / week / month, calendar-aligned) with per-model breakdown and how much is estimated
watchtower_budgetSet daily/weekly/monthly budget alerts (warns at 80% and 100%)
watchtower_log_usageManual fallback for non-Claude-Code clients. Prefer sync_usage.

Security Scanning

ToolWhat it does
watchtower_scan_secretsScan source for hardcoded keys/tokens (pure-Node, no shell). Pass verify: true to confirm which keys are actually live via a read-only call to each vendor.
watchtower_scan_supabaseAudit Postgres/Supabase RLS correctness — runs a live, read-only cross-tenant probe to prove whether a random user or the anonymous role can read other users' data. Not just "does RLS exist."
watchtower_scan_headersScan a deployed URL for missing security headers (CSP, HSTS, X-Frame-Options, etc.)

Dashboard

ToolWhat it does
watchtower_statusQuick overview of spending + recent security findings
watchtower_scan_historyHistory of past security findings (de-duplicated)

Usage

Once installed, just ask Claude:

"Sync my Claude Code usage and show this month's spend"
"Scan my project for hardcoded secrets and check if any are live"
"Audit my Supabase database — can other users read my data?"
"Check the security headers on https://myapp.vercel.app"
"Set a $5 daily budget alert"

How It Works

  • Cost trackingwatchtower_sync_usage parses Claude Code's transcript logs (the actual billed token counts) and stores them in a local SQLite database at ~/.watchtower/watchtower.db. Costs are computed from a current pricing table; unknown models are clearly labelled estimated rather than silently mispriced. Spend windows are calendar-aligned (UTC) to reconcile with your Anthropic bill.
  • Secret scanning — runs entirely in-process (no shell), with overlap de-duplication, placeholder/entropy filtering to cut false positives, and secret redaction in all output. With verify: true, each detected key gets a single read-only verification request to its own vendor (Anthropic/OpenAI/Stripe/GitHub) or a local JWT decode (Supabase) — so you learn which leaks are real.
  • RLS correctness — connects with the pg driver (credential stays in-process), then inside read-only, rolled-back transactions it drops to the authenticated and anon roles and attempts to read each table. A row visible to a random non-owner or to the anon role is a proven cross-tenant leak — the CVE-2025-48757 class of breach. Findings backed by a live read are marked [PROVEN].

Security

Watchtower holds itself to the standard it scans for:

  • No shell is invoked anywhere. The secret scanner reads files directly; the RLS audit uses the pg driver, never psql. Caller-supplied paths and connection strings cannot inject commands, and your database password is never placed on a command line.
  • Detected secrets are redacted in all output and are never written to the database.
  • Live-key verification is opt-in (verify: true) and contacts only each key's own vendor over read-only endpoints.

Supported Models

Claude Opus 4.6, Sonnet 4.6, Haiku 4.5, and Sonnet 3.5. Unknown models are priced as an explicit estimate (Sonnet rates) and flagged as such.

Requirements

  • Node.js 18+
  • Claude Code (or any MCP-compatible client)
  • For the RLS audit: a Postgres/Supabase connection string with permission to read schema and (ideally) the authenticated/anon roles. No psql install required.

Development

npm install
npm run build
npm test

License

MIT