---
title: Guardrails
description: The policy layer that gates every agent tool call before it dispatches — spend budgets, rate limits, and human approval — enforced server-side.
---

import { Callout } from "fumadocs-ui/components/callout";

# Guardrails

<Callout title="Server-side, not advisory" type="info">
Guardrails run in the CodeSpar runtime, **before** a tool call reaches a provider — not in your agent's prompt. A blocked call never dispatches, no matter what the model decided. The same rules apply whether the call came from `session.execute()` or the chat-loop `session.send()`.
</Callout>

Guardrails let you bound what an agent is allowed to do with money. You define policies per project; the runtime evaluates every governed tool call against them and either allows it, blocks it, or holds it for human approval. Every decision is written to the [audit chain](/docs/concepts/audit-chain).

## Policy types

| Policy | What it bounds |
|---|---|
| **Budget** | A spend cap over a window — e.g. R$ 5.000/day or a monthly ceiling per project. Charges and payouts that would exceed it are blocked. |
| **Rate limit** | How often a tool can be called — calls per minute / per hour, enforced with durable counters (not best-effort in-memory). |
| **Approval required** | Routes a matching call to a human before it executes. The call is held; an operator approves or rejects it in **/dashboard/approvals**; on approval it dispatches, on rejection it never does. |

Policies can scope to a tool, a meta-tool, an amount threshold, or a time window, and compose — a payout might be inside budget but still need approval above a threshold.

<Callout title="What this page does not cover" type="warn">
The internal scoring and risk logic CodeSpar uses to evaluate fraud and anomaly signals is proprietary and intentionally out of scope here. This page documents the **policy surface you control**, not the engine internals.
</Callout>

## How a decision flows

```
agent calls a tool
  ↓
guardrails evaluate the call against the project's policies
  ↓                    ↓                         ↓
allow                deny                  approval-required
  ↓                    ↓                         ↓
dispatches      returns a deny result      held → /dashboard/approvals
                                            → approve → dispatches
  ↓                    ↓                         ↓
every outcome is appended to the audit chain
```

## See also

- [Audit chain](/docs/concepts/audit-chain) — every guardrail decision is recorded
- [Wallets](/docs/concepts/wallets) — programmable spend limits on agent wallets
- [Chat-loop governance](/docs/concepts/chat-loop-governance) — guardrails on `session.send()` traffic
