All terminology and labels used in AgentGuard materials are descriptive of software functionality only, not legal definitions or guarantees of compliance. Terms like receipt, audit log, evidence, audit trail, and attestation refer solely to cryptographically-signed records produced by the software. Full functional-use disclaimer in README.

Project description

agentguard-spend

Functional-Use Disclaimer

DISCLAIMER: All terminology and labels used in AgentGuard’s materials are descriptive of software functionality only, not legal definitions or guarantees of compliance. For example, the terms “receipt,” “audit log,” “evidence,” “audit trail,” and “attestation” refer solely to cryptographically-signed records produced by AgentGuard’s software. These terms do not mean that any record is legally binding evidence, certified by any authority, or equivalent to records maintained by banks, auditors, or courts. Similarly, references to “signed,” “verified,” or “attested” pertain to digital signature processes, not to notarization or governmental attestation. Any use of the word “compliance,” “compliant,” “outcome,” or “settlement” describes the software’s features in a non-regulatory sense. In particular, “capability tier” is merely an internal category of agent permission levels, and does not correspond to any government or industry regulatory classification. Likewise, any statement that an operation “settles” or an outcome is “settled” refers only to the software’s final state, not to any legal settlement. No AgentGuard tool or document should be interpreted as providing legal, financial, or regulatory advice, or as a certified compliance certificate. AgentGuard is not a law firm or auditor and does not guarantee adherence to laws or standards. All use of AgentGuard software is at the user’s risk, and users must ensure independently that their use of AI agents complies with all applicable laws and regulations.

Throughout this documentation, package metadata, CLI banners, and related materials, any word drawn from compliance or legal contexts (such as “audit,” “evidence,” “settlement,” “credit,” “debt,” “market,” “liquidity,” “maturity,” or similar) is used only in a functional, descriptive sense. For instance, “audit log” simply means a sequence of recorded events; it does not imply an official financial or regulatory audit. The phrase “satisfies” is used to indicate that one software condition meets a programmed check (e.g. satisfying a budget cap), and is not intended to suggest that any legal requirement has been fulfilled. Under no circumstances should AgentGuard’s terminology be taken to indicate that our software is executing regulated financial or legal processes.

No term in our code, documentation, or marketing is meant to designate or characterize any AgentGuard feature as a service subject to banking, securities, derivatives, insurance, real estate, or other regulated activities. For example, “trade,” “trading,” “liquidity,” “maturity,” and similar terms (if ever used) describe algorithmic budget or token flows, not financial transactions. AgentGuard does not act as a broker-dealer, clearinghouse, insurance issuer, or government agency. References to “market” or “liquidation” are metaphorical descriptions of how the software handles tokens or budgets. No AgentGuard action should be construed as offering financial services or operating a regulated marketplace.

Likewise, words like “offer,” “obligation,” “credit,” “debt,” “payment,” or “settle” in our text refer only to hypothetical or illustrative actions of a user’s AI agent or simulated transaction flows. They do not mean that AgentGuard is engaging in any money-handling, offering financial instruments, or guaranteeing any settlement of obligations. If AgentGuard generates an invoice or cost-of-service figure, it is purely illustrative of resource usage, not a binding financial bill. The term “maker/taker” (if used in examples) is purely a naming convention and has no relation to exchange regulation.

The software’s “payment execution” tier is only a capability checkbox, not an actual payment processor. AgentGuard does not transmit money or credit.

Finally, any references to “certify,” “verify,” or “attest” should be read in context of cryptography and computing. For example, when we say a receipt is “signed” or “verified,” we mean via public-key cryptography. AgentGuard does not claim that receipts are admissible legal evidence by default. Users remain responsible for any legal implications of presenting AgentGuard logs or receipts in regulatory audits or court. This disclaimer is intended to ensure AgentGuard’s terms (in this README, license, package descriptions, CLI banner, customer agreements, and /llms.txt) make clear we provide a technical audit tool only. The functionality is delivered “as-is” with no implied regulatory endorsement.

AgentGuard proves what your AI agent attempted, who authorized it, what it cost, and whether it succeeded.

Local-runtime spend caps, capability-gated model routing, and Ed25519-signed receipts for AI agents.

Also available in: Español (LATAM) · Português (BR)

Every policy decision runs inside your process. Prompts, completions, provider API keys, signing keys, policies, and cost overrides never go to AgentGuard infrastructure. OpenRouter calls go directly from your runtime to openrouter.ai with your key.

Quickstart in 90 seconds

pip install agentguard-spend
agentguard auth openrouter
agentguard wizard

The wizard writes:

  • ~/.agentguard/policy.yaml
  • ~/.agentguard/quickstart.ts
  • ~/.agentguard/quickstart.py

It also prints the snippet to paste into your app:

const response = await guardedClient.chat.completions.create({
  model: 'openai/gpt-4o-mini',
  messages: [{ role: 'user', content: 'Run the governed task.' }],
});

Then run your agent. AgentGuard decides locally before any provider call starts, signs the receipt, and applies allow, downgrade, shadow, or block.

Workflow-level caps

Use agentguard_spend.workflow() when one agent run spans many outcomes and needs one shared budget envelope. The SDK signs each step as receipt schema v2, writes checkpoints, and validates the prior chain before resume.

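from agentguard_spend import WorkflowConfig, workflow

# `async with` is only valid inside a coroutine, so the workflow is wrapped in one.
# records and migrate_payment() come from your application; start the run with
# asyncio.run(run_migration(records)).
async def run_migration(records):
    async with workflow(WorkflowConfig(
        name='migrate_legacy_payments',
        budget_cap_usd=500,
        duration_cap_hours=72,
        checkpoint_every_outcomes=50,
        resume_if_exists=True,
    )) as wf:
        for record in records:
            # Each outcome is one step charged against the shared budget envelope.
            await wf.outcome('migrate_payment', lambda: migrate_payment(record))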

Share the public replay URL at https://agentguard.run/verify/workflow/<workflow_id>.

Need help configuring? Run agentguard advisor

agentguard advisor uses your OpenRouter key, or any OpenAI-compatible endpoint you pass with --base-url, to run a local setup dialogue in your terminal. AgentGuard infrastructure never sees the prompts, completions, keys, policy details, or session log.

agentguard advisor

Advisor writes ~/.agentguard/policy.yaml, a language-aware quickstart file, projected savings math, and a local JSONL session log under ~/.agentguard/advisor-sessions/.

Governance Posture

Advisor asks for one operating-style input and uses it to shape the generated policy.

  • velocity: high-ship software and AI teams. Starts in shadow, uses permissive capability tiers, and downgrades aggressively to cheaper models.
  • standard: most SaaS, e-commerce, real estate, agencies, local services, and startups. Starts in enforce, uses balanced capability tiers, and keeps 90 days of audit retention.
  • compliance: law, healthcare, dental, accounting, SOX, fintech, and regulated workflows. Starts in canary, requires stricter capability tiers, blocks regulated overflow instead of downgrading, and keeps 7 years of audit retention.

Override the suggestion when you already know how the team operates:

agentguard advisor --posture velocity
agentguard advisor --posture compliance

custom posture is reserved for the Solo tier Outcome Builder.

Why OpenRouter?

One OpenRouter key gives your team access to hundreds of models across many providers. Your CFO sees one invoice. AgentGuard enforces who uses what, which task tiers can reach which models, and what each call can spend. The OpenRouter key can live in OPENROUTER_API_KEY or ~/.agentguard/openrouter-key with mode 600.

Sync pricing when you want local cost math refreshed:

agentguard models --sync-pricing
agentguard models --task payment-approval
agentguard models --search gpt-4o --json

Pricing overrides are stored locally in ~/.agentguard/cost-overrides.json.

Verify any receipt

Share https://agentguard.run/verify with an auditor or reviewer. Paste a receipt and public key in the browser to verify the Ed25519 signature, entry hash, and chain link. The receipt never leaves the page.

CLI verification is still local:

agentguard demo
agentguard verify --trace latest
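
The three checks named above (Ed25519 signature, entry hash, chain link), shown on a constructed receipt chain. This is an added example, not AgentGuard's code: the receipt layout, field names and canonical JSON encoding are assumptions for illustration and are not the project's receipt schema.

```javascript
const crypto = require('node:crypto');

// Assumed receipt layout (constructed, not AgentGuard's schema):
// { body: { seq, decision, cost_usd }, prev_hash, entry_hash, sig }
const GENESIS = '0'.repeat(64);
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
// Fixed key order so signer and verifier hash identical bytes.
const canonical = ({ seq, decision, cost_usd }, prev_hash) =>
  JSON.stringify({ body: { seq, decision, cost_usd }, prev_hash });

function appendReceipt(chain, body, privateKey) {
  const prev_hash = chain.length ? chain[chain.length - 1].entry_hash : GENESIS;
  const entry_hash = sha256(canonical(body, prev_hash));
  const sig = crypto.sign(null, Buffer.from(entry_hash, 'hex'), privateKey).toString('base64');
  chain.push({ body, prev_hash, entry_hash, sig });
}

// Returns { ok: true } or the index and failed check of the first bad entry.
function verifyChain(chain, publicKey) {
  let expectedPrev = GENESIS;
  for (const [index, r] of chain.entries()) {
    if (r.prev_hash !== expectedPrev) return { ok: false, index, reason: 'chain_link' };
    if (sha256(canonical(r.body, r.prev_hash)) !== r.entry_hash)
      return { ok: false, index, reason: 'entry_hash' };
    const sigOk = crypto.verify(null, Buffer.from(r.entry_hash, 'hex'), publicKey,
      Buffer.from(r.sig, 'base64'));
    if (!sigOk) return { ok: false, index, reason: 'signature' };
    expectedPrev = r.entry_hash;
  }
  return { ok: true };
}

// Constructed sample: a throwaway key pair and three receipts.
function demoChain() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const chain = [];
  appendReceipt(chain, { seq: 0, decision: 'allow', cost_usd: 0.02 }, privateKey);
  appendReceipt(chain, { seq: 1, decision: 'downgrade', cost_usd: 0.01 }, privateKey);
  appendReceipt(chain, { seq: 2, decision: 'block', cost_usd: 0 }, privateKey);
  return { chain, publicKey };
}

const demo = demoChain();
const edited = JSON.parse(JSON.stringify(demo.chain));
edited[1].body.cost_usd = 0.0001; // a recorded cost changed after signing
console.log('intact :', verifyChain(demo.chain, demo.publicKey));
console.log('edited :', verifyChain(edited, demo.publicKey));
console.log('dropped:', verifyChain([demo.chain[0], demo.chain[2]], demo.publicKey));
```

The hash checks alone catch only edits made without recomputing the hashes. The signature check is what stops someone who rewrites an entry and rehashes it, so the public key has to reach the reviewer through a channel separate from the receipts.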

Task templates

agentguard wizard ships templates for:

  • risk-review: read-only review with a $0.50 per-call cap
  • payment-approval: payment initiation review with a $5.00 per-call cap
  • chargeback-evidence: evidence assembly with a $1.00 per-call cap
  • agent-support: data-write support workflow with a $0.25 per-call cap
  • code-scan: long-context read-only scan with a $0.10 per-call cap

Each template sets recommended OpenRouter model assignments, capability tier, fallback model, caps, and system instructions.

Provider bindings

TypeScript includes native OpenAI, Anthropic, and Bedrock bindings. Streaming usage is settled from provider usage events when available, with local token-estimator fallback when usage is missing. Settlement entries are signed into the same hash chain as enforcement decisions.

Python includes OpenAI, Anthropic, Bedrock, LangChain, CrewAI, and LlamaIndex integration helpers.

No proxy

AgentGuard Spend is a library, not a gateway. It does not proxy traffic, store prompts, hold provider keys, or host policy state. The signed log lives in your storage.

Telemetry

Telemetry is opt-in. Set AGENTGUARD_TELEMETRY=1 or run agentguard telemetry enable. The beacon sends only SDK version, runtime, OS family, anonymous install ID, CI flag, TTY flag, and event name. No prompts, completions, provider keys, signing keys, policy details, or cost overrides are sent.

License and usage thresholds

The SDK is free for evaluation, prototyping, non-commercial development, and production deployments processing up to 10,000 enforcement calls per calendar month. Commercial use above that threshold requires a paid license from Dunecrest Ventures Inc. Full terms are in LICENSE.

Patent notice

Protected by U.S. patent-pending technology (App. Nos. 63/983,615; 63/983,621; 63/983,843; 63/984,626; 64/071,781; 64/071,789). 35 U.S.C. § 287 constructive notice. Additional patents pending.

Download files

Source Distribution

agentguard_spend-0.5.0.tar.gz (97.6 kB)

Uploaded Source

Built Distribution

agentguard_spend-0.5.0-py3-none-any.whl (135.4 kB)

Uploaded Python 3

File details

Details for the file agentguard_spend-0.5.0.tar.gz.

File metadata

  • Download URL: agentguard_spend-0.5.0.tar.gz
  • Upload date:
  • Size: 97.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.9.26 {"installer":{"name":"uv","version":"0.9.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}

File hashes

Hashes for agentguard_spend-0.5.0.tar.gz
Algorithm Hash digest
SHA256 c190710fc22c287dcb9121be9ae7570a41cd2d9c3551de604a43ba4660967ff0
MD5 87cd77115854bc2c480a46a1438e8bb5
BLAKE2b-256 e62733d955f9906d381a9ed11c8ce8314b9c6082440593c80784ddf6b2fde4c2

File details

Details for the file agentguard_spend-0.5.0-py3-none-any.whl.

File metadata

  • Download URL: agentguard_spend-0.5.0-py3-none-any.whl
  • Upload date:
  • Size: 135.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.9.26 {"installer":{"name":"uv","version":"0.9.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}

File hashes

Hashes for agentguard_spend-0.5.0-py3-none-any.whl
Algorithm Hash digest
SHA256 9a8f32fe30c6e4f10e8614e4f5ce270e2c0617c71da0b46a1f2d05d8f358ca15
MD5 ffc25ea050b03d7e82097bbd4aaae772
BLAKE2b-256 3bd957db9e88591ed7c9bc5f1a3b95a24cad197d17e96dbf2b9197a42a0ae7f1
