Bidirectional MCP context broker

Your coding agent reads ten times more than it needs. Stop paying for it.

tokenmiser sits between your repo and your agent. Reads come back as compressed context; writes go out as targeted mutations instead of full-file rewrites. Same answers, same edits, a fraction of the tokens — a measured floor of 75% reduction across real codebases.

It runs next to your code and wants execution, not data. Your source never leaves your machine. Ever.

7 days, full product, no card. The audit is free forever.

$ tokenmiser audit --dry-run
Detected: TypeScript, Python, Java  ·  1,142 modules
Compiling substrate…
Raw context:      1,624,500 tokens
Compiled context:   133,210 tokens
Reduction:        91.7%
rawcompiled

Example from a real audit. Run it on your repo — one command, --dry-run leaves no state behind.

Setup

One command. Then it disappears.

tokenmiser isn't a tool you use — it's a thing your agents use. init indexes the repo and wires the broker into your agent host by itself. From then on the host spawns it, calls its tools, and reads compiled context instead of raw files.

Step 1

Initialize the repo

Detects your languages, builds the substrate, registers itself in .mcp.json, prints your reduction number. Claude Code out of the box; --gemini and --codex wire those hosts too.

$ tokenmiser init Indexed 1,142 modules. Raw 1.6M tokens → compiled 133k (91.7%) Registered in .mcp.json — restart open sessions.
Step 2 · optional

Seal the profile

--enforce denies the native file tools in this repo, so every read and write routes through the broker — and wires a live savings meter into your Claude Code statusline. --unenforce undoes it; tokenmiser off pauses everything.

$ tokenmiser init --enforce Native file tools denied in this repo. Deny beats allow — undo with --unenforce. Statusline wired: yours is kept if you have one.

There is no step three. Your agent does the rest.

get_context · compressed views, verbatim anchors search · repo grep glob · file listing edit · journaled replace write · rewrite or create verify · typecheck + tests stats · live savings

The complete tool surface your agent sees. Everything else is the repo it already had.

Both directions

Reads compress. Writes compress too.

Half your bill is input tokens spent re-reading files; the other half is output tokens spent rewriting whole files to change three lines. tokenmiser brokers both sides.

Reads: the view, not the file

Every read is served from the compiled substrate, sha-checked against disk on each call.

  • Code arrives as its refracted view — signatures, types, imports, schemas — ~90% smaller than the source it replaces
  • About to edit something? Ask for its anchor — the verbatim span of that one function, member, or heading
  • Markdown serves its outline; pass a focus and only matching sections expand
  • Re-reading an unchanged file returns a short stub, not the whole view again

Writes: the change, not the file

Edits apply as targeted mutations — the agent emits the change, never the whole file.

  • Journal-first, sha-checked against disk — a conflicting external edit loses to disk, never silently overwritten
  • Disk stays the source of truth: your editor and toolchain keep writing normally, a watcher re-ingests changes live
  • verify runs your typecheck and tests where the file lives and returns pass/fail — no file bytes, no read bypass
  • Never a git command — tokenmiser writes your working tree and nothing else

Security posture

Architecturally incapable of leaking your code.

Not a policy promise — a design property. The license server reads exactly three fields — key, machine hash, counters — and discards everything else, so it cannot store source code, repo names, or paths even by accident. Here is the complete list of everything that ever leaves your machine. For beta testers, there is no license server call, so tokenmiser makes no network calls at all.

What leaves your machine

One heartbeat, every 24 hours. Human-readable, publicly documented, this is all of it:

{ "key": "tm_live_…", "machine_hash": "a91f…", // salted + hashed locally "counters": { "raw_equiv_tokens": 41200000, "served_tokens": 3400000, "sessions": 212 } }
  • Aggregate counters only — your meter and your bill, fully transparent
  • Same numbers the stats tool shows you locally

What never does

Verifiable in the binary, the docs, and the network tab.

  • Your source code
  • File paths or repo names
  • Prompts, context, or anything an agent saw
  • Git operations — writes go to your working tree through a journaled, sha-checked path; git stays yours
  • Silent self-updates — no auto-updater; upgrades are explicit and signature-verified
Signed + notarized binaries SBOM per release SECURITY.md uninstall reverses everything init wrote
For the CISO losing sleep over LLM leakage: there are no secrets to manage, no egress to architect, no IAM roles to design. The binary sits next to the code, serves compressed context to a process you already trust, applies that process's edits under a journaled write path, and phones home a counter. That's the whole threat model.

Savings reporting

A number your CFO will actually believe.

  • Conservative by construction. The headline is a discounted floor (default haircut 0.6), printed beside the gross. We apply the haircut so finance doesn't have to.
  • Measured, not estimated. The substrate knows exactly what uncompressed context each serve replaced — and what full-file rewrite each mutation replaced — priced at the rate in force when each run happened. Reads and writes are broken out per tool.
  • Tamper-evident, verifiably. The local ledger is hash-chained and monthly summaries are digest-sealed. tokenmiser verify-ledger re-checks every month's chain on your machine.
  • No cloud, including ours. tokenmiser report emits HTML and CSV locally. Team rollups merge the sealed summaries each machine commits — report --merge — through the repo you already share.
  • On the glass, not just on paper. The Claude Code statusline shows the live raw→served tally as your agent works.
tokenmiser-report-2026-06 conservative floor · haircut 0.6
$1,412
floor savings, June 2026 (gross: $2,353)
reads: raw → served41.2M → 3.4M
writes: rewrite → mutation2.6M → 0.5M
read reduction91.7%
spend without tokenmiser$2,562
machines in rollup3
tokenmiser cost $87 (3 × $29) · floor savings $1,412 — 16.2×
ledger chain 9f3a1c…e77b04 · price table v2026.06 · methodology printed in full on page 1

Pricing

Priced on value delivered, capped on principle.

Tiers step on raw-equivalent tokens served — the value you got, not a punishment for using the thing. Crossing a ceiling triggers a suggestion, never a charge, with 30 days of grace at full function.

Trial
$0
7 days · no card
  • Full product, nothing held back
  • Email → key, that's the signup
  • audit stays free forever
Get a key
Heavy
$59/mo per machine
or $590/yr — 2 months free
  • 50M–500M raw-equiv/mo
  • Everything in Pro
  • Observability export — OTLP and Prometheus into the stack you already run
Start free trial
Max
$99/mo per machine
monthly · hard cap
  • Unlimited tokens served
  • Everything in Heavy
  • There is no tier above this
Start free trial

Your bill can never exceed $99 per machine. That's the whole point of the name.

A running agent session is never killed, throttled, or interrupted by licensing. State changes apply at next spawn — and offline machines keep working on the last signed validation.

Free trial

Email in, key out. Saving by lunch.

Full product for 7 days. No card, no sales call, no onboarding. When it expires, audit keeps working forever.

One email with your key and the install snippet. Nothing else, no list.