Capabilities

AgentGuard Spend enforces five cap windows (per-call, per-minute, per-hour, per-day, per-month), four actions (allow, shadow, downgrade, block), a six-level scope hierarchy (tenant → team → user → agent → task → provider), and four capability tiers (read_only, data_write, payment_initiate, payment_execute). Every decision is Ed25519-signed and hash-chained per RFC 8785.

tl;dr

One policy. Hierarchical scopes. Four actions. Five cap windows. Four capability tiers. Three locales. Cryptographic receipts. Eight provider SDKs out of the box. All in-process.

Capability	What you get
Cap windows	per_call per_minute per_hour per_day per_month Any combination. Each window has independent state. A single policy can carry a per-minute burst guard, a daily soft cap, and a monthly ceiling simultaneously.
Cap actions	allow — call passes; logged only shadow — call passes; decision recorded for analysis (no enforcement) downgrade — model parameter rewritten to a cheaper model, then call proceeds block — `AgentGuardBlockedError` raised before the provider is contacted
Scope hierarchy	tenant → team → user → agent → task → provider Caps match the most specific scope key. Set a $50/day team cap, a $10/day per-user cap, and a $2/day per-agent cap — they all apply, the most specific wins.
Capability gating	read_only < data_write < payment_initiate < payment_execute A policy can require a minimum capability tier. Calls without a matching `capabilityClaim` are blocked at the SDK layer — before any tool runs, before any provider charge.
Localization	en-US es-419 Latin American Spanish pt-BR Brazilian Portuguese Block trace messages auto-detect the active locale via `AGENTGUARD_LOCALE`, `LC_ALL`, or system locale. Override explicitly with `locale="es-419"`.
Verification	Every decision produces an Ed25519-signed entry over canonical JSON. Anyone with the public key can verify any receipt — no AgentGuard infrastructure required. Verify a receipt: `agentguard verify --trace latest`
Audit	Decision log is hash-chained with SHA-256. Tampering with any field of any entry invalidates the chain from that point forward and is publicly detectable. The log lives in your storage — file, S3, Postgres, anywhere you point it.
Provider portability	One policy, eight provider SDKs: OpenAI Anthropic Bedrock OpenRouter Together Groq Anyscale vLLM OpenAI-compatible endpoints (OpenRouter, Together, Groq, Anyscale, vLLM) work through the OpenAI binding. Native bindings for Anthropic + Bedrock.

Try it now

Install and see the full block trace, locally, with a real Ed25519 signature, in 30 seconds:

# Python
pip install agentguard-spend
agentguard demo
agentguard verify --trace latest

# or Node
npm install -g @agentguard-run/spend
agentguard demo
agentguard verify --trace latest

One-liner integration

Get caps + signed receipts wrapping any OpenAI / Anthropic / OpenAI-compatible client:

# Python
from openai import OpenAI
from agentguard_spend import easy_install

client = easy_install(OpenAI(), daily_cap_dollars=20)
# done. caps enforced, signed log on disk, signing keys in ~/.agentguard/

The CLI commands

Command	What it does
`agentguard demo`	Deterministic simulation that produces the exact marketing block trace with a real Ed25519 signature over real canonical JSON. No network calls.
`agentguard verify`	Verify a signed receipt's Ed25519 signature + SHA-256 entry hash + chain link. Three green checkmarks = real cryptographic integrity.
`agentguard init`	Scaffolds `agentguard.policy.yaml`, `agentguard_quickstart.py`, and patches `.gitignore`. Idempotent — won't overwrite without `--force`.
`agentguard doctor`	Health check: crypto backend, provider SDK detection, keypair directory writable, policy file present, dry-run block simulation. Green ✓ / red ✗ per item.
`agentguard explain <receipt>`	Pretty-prints a receipt: action, cap math step-by-step, what would unblock (and when), signature breakdown, policy context.

Security posture

No outbound network calls from the SDK or CLI. Ever.
No proxy. Prompts and provider API keys never leave your runtime.
Signing keys stay local. Generated in ~/.agentguard/, 32-byte Ed25519 secret seeds, file mode 0600.
Honors NO_COLOR=1 and AGENTGUARD_COLOR=0 for clean CI logs.
No telemetry. No version checks. No phone-home. Fully offline operation.

Patent notice: Protected by U.S. patent-pending technology (App. Nos. 63/983,615; 63/983,621; 63/983,843; 63/984,626; 64/071,781; 64/071,789; plus DV-2026-007 in active filing). See /patents.