Billing: Usage-Based Billing Audit with Claude Code: Sandbox Policy
A production playbook for usage-based billing audit in billing operations using Claude Code: sandbox policy, run-scoped inputs, logs, typed results, and artifacts.
Audience: SaaS billing and finance teams
The problem
SaaS billing and finance teams need usage-based billing audits to run repeatedly against usage events, invoices, contracts, credits, and customer disputes. In billing operations, the pain is not getting one good answer; it is repeatability, auditability, exception handling, and evidence that survives handoff.
Implementation path
Run the usage-based billing audit in an ephemeral sandbox, keep provider credentials in the broker, expose narrow tools, and store logs outside the workspace for review.
Tradeoffs and failure modes
A narrower runtime blocks ambient machine behavior, but it gives security reviewers a concrete boundary. For a usage-based billing audit, the practical test is whether a second run can be debugged, retried, and consumed by a product without reading the raw agent transcript.
Runtime boundary
filesystem: /skill and /skill/.argo/inputs only
network: deny by default
artifacts: /skill/output/artifacts
logs: retained outside sandbox
provider: Claude Code
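An added example, not part of the original playbook or of Argo's or Claude Code's own code: a check that replays one run's access log against the boundary listed above and reports every event that falls outside it. The event shape, the function names, and the rule that writes belong under the artifacts directory are assumptions.

```python
import posixpath

# Values copied from the page's "Runtime boundary" list.
FS_ROOTS = ("/skill", "/skill/.argo/inputs")
ARTIFACT_ROOT = "/skill/output/artifacts"

def inside(path, root):
    # Compare on a path-component boundary so "/skillz" does not match "/skill".
    return path == root or path.startswith(root + "/")

def check_event(event):
    """Return None if the event fits the boundary, else a reason string."""
    kind = event["kind"]
    if kind == "net":
        return "network is deny by default"
    raw = event["path"]
    if not raw.startswith("/") or "\x00" in raw:
        return "path is not absolute or contains NUL"
    # Lexical normalisation only: collapses "." and ".." but does not resolve
    # symlinks, so this audits logged paths; the sandbox itself must enforce.
    norm = posixpath.normpath(raw)
    if not any(inside(norm, root) for root in FS_ROOTS):
        return f"{norm} is outside the filesystem boundary"
    # Assumption (not stated on the page): writes belong under the artifacts dir.
    if kind == "write" and not inside(norm, ARTIFACT_ROOT):
        return f"write to {norm} is outside {ARTIFACT_ROOT}"
    return None

def audit(events):
    """Return [(index, reason)] for every event that violates the boundary."""
    return [(i, r) for i, e in enumerate(events) if (r := check_event(e))]

# Constructed sample events, shaped as a hypothetical access log for one run.
SAMPLE = [
    {"kind": "read", "path": "/skill/.argo/inputs/usage_events.jsonl"},
    {"kind": "write", "path": "/skill/output/artifacts/audit.json"},
    {"kind": "read", "path": "/skill/../etc/passwd"},      # traversal
    {"kind": "read", "path": "/skillz/notes.txt"},         # prefix confusion
    {"kind": "write", "path": "/skill/.argo/inputs/usage_events.jsonl"},
    {"kind": "net", "host": "api.example.com"},
]

if __name__ == "__main__":
    for idx, reason in audit(SAMPLE):
        print(f"event {idx}: {reason}")
```

Running the check from the log store outside the sandbox keeps the verdict independent of anything the run could have modified in its own workspace.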