Guardrails
The policy layer that gates every agent tool call before it dispatches — spend budgets, rate limits, and human approval — enforced server-side.
Server-side, not advisory
Guardrails run in the CodeSpar runtime, before a tool call reaches a provider — not in your agent's prompt. A blocked call never dispatches, no matter what the model decided. The same rules apply whether the call came from session.execute() or the chat-loop session.send().
Guardrails let you bound what an agent is allowed to do with money. You define policies per project; the runtime evaluates every governed tool call against them and either allows it, blocks it, or holds it for human approval. Every decision is written to the audit chain.
Policy types
| Policy | What it bounds |
|---|---|
| Budget | A spend cap over a window — e.g. R$ 5.000/day or a monthly ceiling per project. Charges and payouts that would exceed it are blocked. |
| Rate limit | How often a tool can be called — calls per minute / per hour, enforced with durable counters (not best-effort in-memory). |
| Approval required | Routes a matching call to a human before it executes. The call is held; an operator approves or rejects it in /dashboard/approvals; on approval it dispatches, on rejection it never does. |
Policies can scope to a tool, a meta-tool, an amount threshold, or a time window, and compose — a payout might be inside budget but still need approval above a threshold.
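The composition described above, as an added example (not CodeSpar's code, API or policy schema): a toy evaluator in which one call is checked against a rate limit, a daily budget and an approval threshold, and every decision is appended to a hash-chained log. The `Policy` fields, the `Guardrails` class, the in-memory dicts standing in for durable counters, and the choices that any deny wins and that only allowed calls count toward spend are all assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:  # hypothetical shape, not CodeSpar's policy schema
    tool: str
    daily_budget: Optional[float] = None    # spend cap over a one-day window
    calls_per_minute: Optional[int] = None  # rate limit
    approval_above: Optional[float] = None  # amount threshold for human approval

def _digest(record):
    # Hash everything except the hash field itself, in a stable key order.
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Guardrails:
    def __init__(self, policies):
        self.policies = policies
        self.spent, self.calls = {}, {}  # dicts stand in for durable counters
        self.audit = []                  # hash-chained decision log

    def evaluate(self, tool, amount, ts):
        day, minute = (tool, ts // 86400), (tool, ts // 60)
        decision, reason = "allow", "within policy"
        for p in (p for p in self.policies if p.tool == tool):
            if p.calls_per_minute is not None and self.calls.get(minute, 0) >= p.calls_per_minute:
                decision, reason = "deny", "rate limit"
                break
            if p.daily_budget is not None and self.spent.get(day, 0) + amount > p.daily_budget:
                decision, reason = "deny", "budget"
                break
            if p.approval_above is not None and amount > p.approval_above:
                decision, reason = "approval-required", "amount threshold"
        self.calls[minute] = self.calls.get(minute, 0) + 1  # every attempt counts
        if decision == "allow":  # assumption: only dispatched spend is counted
            self.spent[day] = self.spent.get(day, 0) + amount
        record = {"tool": tool, "amount": amount, "ts": ts, "decision": decision,
                  "reason": reason, "prev": self.audit[-1]["hash"] if self.audit else "0" * 64}
        record["hash"] = _digest(record)
        self.audit.append(record)  # allow, deny and held calls are all logged
        return decision

def verify_chain(audit):
    # Recompute each link; an edited or reordered record breaks the chain.
    prev = "0" * 64
    for r in audit:
        if r["prev"] != prev or r["hash"] != _digest(r):
            return False
        prev = r["hash"]
    return True
```

A payout of 1500 against a 5000 daily budget with `approval_above=1000` is inside budget yet still returns `approval-required`, which is the composed case the paragraph describes.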
What this page does not cover
The internal scoring and risk logic CodeSpar uses to evaluate fraud and anomaly signals is proprietary and intentionally out of scope here. This page documents the policy surface you control, not the engine internals.
How a decision flows
```
                     agent calls a tool
                             ↓
guardrails evaluate the call against the project's policies
     ↓                       ↓                        ↓
   allow                    deny              approval-required
     ↓                       ↓                        ↓
 dispatches        returns a deny result   held → /dashboard/approvals
                                             → approve → dispatches
     ↓                       ↓                        ↓
        every outcome is appended to the audit chain
```
See also
- Audit chain — every guardrail decision is recorded
- Wallets — programmable spend limits on agent wallets
- Chat-loop governance — guardrails on session.send() traffic
Wallets
Programmable wallets — per-agent fund pools with mandate-gated debits, multi-rail funding (Pix, TED, USD wire, USDC, BRLA), and automatic reconciliation. Part of the AgentGate managed tier.
Audit chain
An append-only, hash-chained record of every tool call and money movement — exactly-once, tamper-evident, and exportable for compliance.