Cheatsheet: CostGuard and where your data goes
The CostGuard mental model
A software safety net that watches your BYOK spend against a monthly cap. Warns when you cross a threshold, blocks new sends at 100% (default). The cap-enforcement layer is live at production launch; pre-release builds show the numbers but do not yet enforce.
The three settings (Settings, Budget)
| Setting | Options | Default |
|---|---|---|
| Monthly cap | $0 (unlimited), $5, $10, $25, $50, $100, custom | Pick what feels comfortable |
| Warn threshold | 50%, 80%, 90%, off | 80% |
| Hard-stop behavior | Block new messages, Warn-and-allow | Block |
What counts toward the cap
| Usage type | Counts? | Why |
|---|---|---|
| Pay-as-you-go API keys (Anthropic, OpenAI, Google AI, Groq, most others) | Yes | Per-token billing on your provider account; CostGuard sums it |
| OAuth (Codex via your ChatGPT subscription) | No | Your ChatGPT subscription pays; shows $0 on the Usage dashboard |
| Local models (running on your computer) | No | No provider in the loop; no dollar cost to track |
You can mix providers freely. The cap looks at the paid ones only.
The two visual cues
| State | Indicator | Behavior |
|---|---|---|
| Under warn threshold | Dock row indicator neutral | Send freely |
| At warn threshold (80% by default) | Dock row indicator yellow + one-time notification | Send still works; quiet visual signal |
| At 100% cap | Dock row indicator red | With Block on (default): next send rejected, banner appears in chat. With Warn-and-allow: every send warns but goes through |
The hard-cap banner reads:
Monthly budget reached. Bump your cap in Settings to keep going.
Unblocking once you hit the cap
| Path | What it does |
|---|---|
| Raise the cap in Settings, Budget | Unblocks immediately on save |
| Wait for the period to reset | Default rolling 30-day window: oldest day’s spend ages out today. Alternative: calendar-month resets (matches monthly subscription billing) |
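A small model of the cap logic described in the tables above, added here as an illustration; it is not Clawless or CostGuard code. The names `Budget`, `period_spend`, `check_send`, the ledger format, and the reading of "rolling 30-day window" as today plus the previous 29 days are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

BILLABLE = {"api_key"}  # pay-as-you-go keys count; "oauth" and "local" do not

@dataclass
class Budget:
    cap_usd: float                     # 0 = unlimited, as in the settings table
    warn_pct: Optional[float] = 80.0   # None = warn threshold off
    block: bool = True                 # False = Warn-and-allow
    rolling: bool = True               # False = calendar-month reset

def period_spend(ledger, today, rolling=True):
    """Sum billable spend in the current period; ledger rows are (date, kind, usd)."""
    # Assumption: the rolling window is today plus the previous 29 days.
    start = today - timedelta(days=29) if rolling else today.replace(day=1)
    return sum(usd for day, kind, usd in ledger
               if kind in BILLABLE and start <= day <= today)

def check_send(budget, ledger, today):
    """Return (indicator, allowed) for the next send."""
    if budget.cap_usd == 0:
        return "neutral", True
    pct = 100.0 * period_spend(ledger, today, budget.rolling) / budget.cap_usd
    if pct >= 100:
        return "red", not budget.block   # Block rejects, Warn-and-allow passes
    if budget.warn_pct is not None and pct >= budget.warn_pct:
        return "yellow", True
    return "neutral", True

# Constructed sample ledger (dates and amounts are made up for illustration).
LEDGER = [
    (date(2025, 3, 5), "api_key", 6.00),
    (date(2025, 3, 20), "api_key", 3.00),
    (date(2025, 3, 22), "oauth", 4.00),   # notional amount; never counted
    (date(2025, 3, 25), "local", 2.00),   # notional amount; never counted
    (date(2025, 4, 2), "api_key", 1.50),
]

if __name__ == "__main__":
    for day in (date(2025, 4, 3), date(2025, 4, 4)):
        print(day, check_send(Budget(cap_usd=10), LEDGER, day))
```

With a $10 cap, the 5 March charge is still inside the window on 3 April and the send is blocked; a day later it has aged out and sends resume without touching the cap.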
Habits that compound to lower cost
| Habit | Why it works |
|---|---|
| Pick the right model for the task | Heavyweight models cost 5x to 10x what smaller ones do per token |
| Fresh conversation when topic changes | Long threads carry full history with every new message; cost grows linearly with length |
| Use OAuth (Codex) where you can | Codex calls show $0 against the cap |
| Watch the Usage dashboard weekly | One specific session sometimes ate everything; that tells you what to change |
One thing to know about the OAuth path: it bills through your ChatGPT subscription, so it is governed by that subscription’s consumer terms rather than the API terms; worth a glance if your messages are sensitive.
The data path (one message, end to end)
```
your keyboard
  v
the Clawless app on your computer
  v
OpenClaw engine (still on your computer)
  v
the AI provider over the internet   <-- the only server in the path
  v
OpenClaw
  v
Clawless
  v
your screen
```
No Clawless server in the data path. Path is: your computer, the AI provider, your computer.
The three places your stuff lives
| Place | What lives there | Who can read it |
|---|---|---|
| Your computer | API keys (encrypted by Clawless in OS secure storage); conversations, memories, agent definitions, settings (in the Clawless data folder, unencrypted; at-rest safety is the safety of the device, so turn on FileVault on macOS / BitLocker on Windows / LUKS on Linux if at-rest encryption matters) | You, plus anyone with physical access to the machine |
| AI provider servers | Your message and the memories that travel with it, for as long as it takes to generate a reply | The provider, per their terms; most default to not training on API customer data, but read the terms |
| Our license server | License state (trial, active, expired) | Us, for license validation only; no message content reaches here |
The four-party trust model
| You trust | With what |
|---|---|
| Us | The desktop app does what it claims; local data protected to the standards your operating system supports |
| The AI provider you picked | The contents of your messages and the memories that travel with them |
| OpenClaw (open-source engine) | Being a faithful intermediary; code is auditable, audits exist |
| Any tool, skill, or integration you install | The permissions it asks for, same model as browser extensions |
Closed vs open: the distinction
- Clawless is closed-source. The desktop app, the chrome around the engine.
- OpenClaw is open-source. The engine bundled inside Clawless that talks to providers.
They are not the same project. The data path crosses both. The audit story is different for each.
If Clawless went away tomorrow
| What | Status |
|---|---|
| Your conversations, memories, settings, agent definitions, API keys | Still on your computer. They do not vanish when the company does. |
| New app updates | Stop. |
| License check | Grace period built in for short outages. Long term: app eventually requires re-license. |
| Local models | Keep working offline, no cloud or license server needed. The strongest version of the no-cloud guarantee. |
Pitfalls to dodge
- Setting a cap so high it never trips (you learn nothing about your usage shape)
- Forgetting OAuth (Codex) does not count toward the cap (your dashboard will be quieter than expected if most work is on it)
- Treating Warn-and-allow as the safe default (Block is safer; Warn-and-allow is for specific reasons)
- Comparing the Usage dashboard to the provider’s invoice down to the cent (close match expected; if there is a discrepancy, the provider’s bill is the legal truth, ours is a real-time tracking signal)
- Assuming there is a cloud you can sign into from a second device (there is not; local-first trades cross-device sync for the no-cloud guarantee)
Worth opening once
The Usage dashboard, weekly for the first month. Look for the one session that ate disproportionate budget. That is the most important number on the screen.
What lands next
You have reached the end of the Getting Started track. The privacy track unpacks the “no Clawless server in the data path” model in full architectural detail. The AI literacy track (“AI Foundations”) covers what models actually are and how they work. Lesson 3 of Track 22 (“Building with Claude”) goes deeper on cost-and-capability tuning if cost optimization is now an interesting topic to you.