AgentGuardrail — On-Chain Spending Guardrails for AI Agents

> Give your AI agents a wallet they can't abuse. AgentGuardrail deploys ERC-4337 smart accounts with policy-enforced spending limits. Agents cannot move funds beyond what you authorize — enforcement happens at the contract level, not just in software.

Homepage: https://agentguardrail.xyz

Why AgentGuardrail?

AI agents need to move money. The problem is trust: how do you let an agent trade, bridge, or pay for compute without risking runaway spending, compromised keys, or unauthorized actions?

AgentGuardrail solves this with:

On-chain enforcement — AgentSmartAccount.validateUserOp() calls PermissionEnforcer before any transaction executes. Violating transactions revert. There is no override.
Policy-bound accounts — every smart account is deployed against a policy that defines allowed actions, tokens, protocols, chains, and spend limits.
Non-custodial — AgentGuardrail never holds your funds. Enforcement is in the contracts you deploy.
Full audit trail — every intent, validation, and on-chain event is logged with tx hash and block number.

Overview

Every agent gets an ERC-4337 smart account deployed via AgentAccountFactory. The account's validateUserOp() enforces your policy through PermissionEnforcer before any transaction reaches the blockchain. If the action violates the policy — wrong token, wrong protocol, spend limit exceeded — the UserOperation reverts.

Execution path:

Agent builds UserOperation
  → AgentSmartAccount.validateUserOp()
    → PermissionEnforcer.validateAction()
      → Policy constraints checked on-chain
  → EntryPoint executes (only if all checks pass)

The AgentGuardrail API at https://agentguardrail.xyz provides:

A management interface for creating policies and granting permissions
Pre-flight validation for simulation and dashboards
Aggregated audit logs with on-chain event indexing

Most enforcement operations can be done directly against the contracts without the API. The API is most useful for policy management, pre-flight simulation, and audit log queries.

Security & Credential Model (Required)

This skill performs on-chain operations that require JSON-RPC access and transaction signing.

Private keys must never be provided in chat and must never be stored in unconstrained agent memory.

Signing Modes

1. External Signer (Recommended)

The agent prepares a transaction. The runtime forwards it to a secure signer service (HSM, MPC, hosted signer). The signer enforces scope, rate limits, and allowlists. The agent never sees raw private keys.

2. Wallet Connector / User-Approved Signing

Transactions are prepared by the agent. A user wallet (browser, hardware wallet) prompts for approval. Keys remain in the wallet.

3. Scoped Session Keys (Advanced)

Session keys must be policy-restricted, short-lived, and rotated frequently. Never use a long-lived owner EOA private key as a session key.

The Skill Must NOT

Ask users to paste private keys or seed phrases
Store private keys in memory, logs, or prompts
Access unrelated environment variables or local files
Request cloud credentials or system-level secrets
Persist secrets beyond runtime execution

If secure signing is not configured, operate in read-only mode until proper signing is established.

Runtime Configuration

Required (via secure secret storage, not chat):

Variable	Description
----------	-------------
`GUARDRAIL_CHAIN_ID`	Target chain ID (e.g., `8453` for Base, `11155111` for Sepolia)
`GUARDRAIL_RPC_URL`	JSON-RPC endpoint — treat as sensitive, often contains an API key
`GUARDRAIL_SIGNING_MODE`	One of: `external_signer`, `wallet_connector`, `session_key`

Optional:

Variable	Description
----------	-------------
`GUARDRAIL_API_URL`	AgentGuardrail API base. Defaults to `https://agentguardrail.xyz`
`GUARDRAIL_SIGNER_ENDPOINT`	External signer URL — required when `GUARDRAIL_SIGNING_MODE=external_signer`
`GUARDRAIL_SIGNER_AUTH_TOKEN`	Auth token for the external signer — sensitive, store securely
`GUARDRAIL_DASHBOARD_API_KEY`	API key for agentguardrail.xyz management API

The API URL default in all code examples below is https://agentguardrail.xyz. Override with GUARDRAIL_API_URL if self-hosting.

Smart Contract Addresses

Base Mainnet (Chain ID 8453)

Contract	Address
----------	---------
IdentityRegistry	`0xd0978eA4101d6144457bfbF5317499fbb5Fccf01`
PolicyRegistry	`0xc35B3D74521005C7AeA58E1B3483DcBE99B1336B`
PermissionEnforcer	`0xDc602Cf56679FF23dd17Ea65d3c47E7Ba81Eb470`
PriceOracle	`0x32b2088F68427526bE8931C2Dc61eC2520d10F00`
GuardrailFeeManager	`0x980d454d79306AFdB8EE5B01F50BeF84760A8380`
AgentAccountFactory	`0x94991827135fbd0E681B3db51699e4988a7752f1`
EntryPoint (v0.6)	`0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789`

Sepolia Testnet (Chain ID 11155111)

Contract	Address
----------	---------
IdentityRegistry	`0xc1fa477f991C74Cc665E605fC74f0e2B795b5104`
PolicyRegistry	`0x92cd41e6a4aA13072CeBCda8830d48f269F058c4`
PermissionEnforcer	`0x45Aa939A935b6B2Bde32a43aD48cF58AE0D9308d`
PriceOracle	`0x052cDddba3C55A63F5e48F9e5bC6b70604Db93b8`
GuardrailFeeManager	`0x59f50323A5e31ec64470b854c44735EC95929c78`
AgentAccountFactory	`0xb284E09d396F5fbeb49587886FB13a186767F14C`
EntryPoint (v0.6)	`0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789`

> Start on Sepolia. Move to Base Mainnet when policies are validated.

Core Capabilities

1. Deploy a Smart Account

Deploy a new ERC-4337 smart account via AgentAccountFactory. The account is bound to PermissionEnforcer at creation. Deployment is deterministic via CREATE2 — the same owner, agentId, and salt always produce the same address.

One-time creation fee: $10 USD equivalent in ETH.

Direct contract call (recommended):

// Get required creation fee
uint256 fee = factory.getCreationFee();

// Deploy account (send fee as msg.value)
address account = factory.createAccount{value: fee}(
    ownerAddress,   // Controls the account
    agentId,        // bytes32 identifier for this agent
    salt            // bytes32 for CREATE2 determinism
);

Via API:

const apiUrl = process.env.GUARDRAIL_API_URL ?? "https://agentguardrail.xyz";

const response = await fetch(`${apiUrl}/api/v1/agents/${agentId}/deploy-smart-account`, {
  method: "POST",
  headers: { Authorization: `Bearer ${process.env.GUARDRAIL_DASHBOARD_API_KEY}` },
});
const { smart_account_address } = await response.json();

The API path is useful when using dashboard-generated bot signers (the dashboard generates the keypair and handles deployment in one step).

2. Fund a Smart Account

Send ETH directly to the smart account address. Inbound transfers are free — no fee, no contract call needed.

await walletClient.sendTransaction({
  to: smartAccountAddress,
  value: parseEther("1.0"),
});

3. Execute from a Smart Account

Agent executes a transaction from its smart account. validateUserOp() enforces the policy before the transaction reaches the chain — no override exists.

Outbound transfer fee: 10 bps (0.10%), capped at $100 USD per transaction.

// Build the UserOperation
const callData = encodeFunctionData({
  abi: agentSmartAccountABI,
  functionName: "execute",
  args: [destinationAddress, parseEther("1.0"), "0x"],
});

// Submit via ERC-4337 EntryPoint
// The EntryPoint calls validateUserOp → PermissionEnforcer before execution

Fee enforcement occurs inside GuardrailFeeManager. Fee is deducted from the transaction value automatically.

Transfer Amount	Fee
----------------	-----
$1,000	$1.00
$10,000	$10.00
$100,000+	$100.00 (cap)

4. Read Contract State (No Signing Required)

// Get account owner
const owner = await publicClient.readContract({
  address: smartAccountAddress,
  abi: agentSmartAccountABI,
  functionName: "owner",
});

// Get smart account creation fee
const fee = await publicClient.readContract({
  address: factoryAddress,
  abi: agentAccountFactoryABI,
  functionName: "getCreationFee",
});

// Calculate transfer fee before executing
const transferFee = await publicClient.readContract({
  address: feeManagerAddress,
  abi: guardrailFeeManagerABI,
  functionName: "calculateTransferFee",
  args: [parseEther("10.0")],
});

// Check if a permission is active on-chain
const isActive = await publicClient.readContract({
  address: policyRegistryAddress,
  abi: policyRegistryABI,
  functionName: "isPermissionActive",
  args: [agentAddress, permissionId],
});

5. Policy Management

Policies define what an agent is allowed to do: which actions, tokens, protocols, chains, and spend limits. Policies are stored on-chain in PolicyRegistry and enforced by PermissionEnforcer.

On-chain (direct):

// Register a policy on-chain
bytes32 policyId = policyRegistry.registerPolicy(
    bytes32(policyHash),    // Unique identifier
    allowedActions,         // bytes32[] action type hashes
    allowedTokens,          // address[] token contracts
    allowedProtocols,       // address[] protocol contracts
    allowedChains,          // uint256[] chain IDs
    maxValuePerTx,          // uint256 in wei
    maxDailyVolume,         // uint256 in wei
    expiresAt               // uint256 unix timestamp
);

Via API (recommended for most use cases — handles on-chain registration automatically):

const apiUrl = process.env.GUARDRAIL_API_URL ?? "https://agentguardrail.xyz";
const headers = {
  "Content-Type": "application/json",
  Authorization: `Bearer ${process.env.GUARDRAIL_DASHBOARD_API_KEY}`,
};

// Create and activate a policy
const policy = await fetch(`${apiUrl}/api/v1/policies`, {
  method: "POST",
  headers,
  body: JSON.stringify({
    name: "DeFi Trading Policy",
    description: "Allow swaps and transfers with daily limits",
    definition: {
      actions: ["swap", "transfer"],
      assets: {
        tokens: ["0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48"],
        protocols: ["*"],
        chains: [1, 8453],
      },
      constraints: {
        maxValuePerTx: "1000000000000000000",   // 1 ETH
        maxDailyVolume: "10000000000000000000",  // 10 ETH
        maxTxCount: 100,
        requireApproval: false,
      },
      duration: {
        validFrom: "2026-01-01T00:00:00Z",
        validUntil: "2026-12-31T23:59:59Z",
      },
    },
  }),
}).then((r) => r.json());

// Activate it (registers on-chain via PolicyRegistry)
await fetch(`${apiUrl}/api/v1/policies/${policy.id}/activate`, {
  method: "POST",
  headers,
});

PolicyDefinition fields:

Field	Type	Description
-------	------	-------------
`actions`	`string[]`	`swap`, `transfer`, `approve`, `stake`, `unstake`, `deposit`, `withdraw`, `mint`, `burn`, `bridge`, `claim`, `vote`, `delegate`, `lp_add`, `lp_remove`, `borrow`, `repay`, `liquidate`, `*`
`assets.tokens`	`string[]`	Token contract addresses, or `["*"]` for all
`assets.protocols`	`string[]`	Protocol addresses, or `["*"]` for all
`assets.chains`	`number[]`	Allowed chain IDs
`constraints.maxValuePerTx`	`string`	Max per-tx value in wei
`constraints.maxDailyVolume`	`string`	Max daily volume in wei
`constraints.maxWeeklyVolume`	`string`	Max weekly volume in wei
`constraints.maxTxCount`	`number`	Max transactions within the duration
`duration.validFrom` / `validUntil`	`string`	ISO 8601
`conditions`	`array`	Advanced rules: `{ field, operator, value }`. Operators: `eq`, `ne`, `gt`, `gte`, `lt`, `lte`, `in`, `not_in`, `contains`, `regex`

Other policy operations:

// Update (draft policies update in place; active policies create a new version)
await fetch(`${apiUrl}/api/v1/policies/${policyId}`, { method: "PUT", headers, body: JSON.stringify({...}) });

// Revoke (disables on-chain — active permissions using this policy stop validating)
await fetch(`${apiUrl}/api/v1/policies/${policyId}/revoke`, { method: "POST", headers });

// Reactivate
await fetch(`${apiUrl}/api/v1/policies/${policyId}/reactivate`, { method: "POST", headers });

// List / Get / Delete (draft only)
await fetch(`${apiUrl}/api/v1/policies`, { headers });
await fetch(`${apiUrl}/api/v1/policies/${policyId}`, { headers });
await fetch(`${apiUrl}/api/v1/policies/${policyId}`, { method: "DELETE", headers });

6. Permission Management

Permissions link an agent to a policy for a defined period. On-chain, PolicyRegistry.grantPermission() registers the link. PermissionEnforcer reads active permissions during validateUserOp.

On-chain (direct):

// Grant permission on-chain
bytes32 permissionId = policyRegistry.grantPermission(
    agentAddress,   // The smart account address
    policyId,       // bytes32 policy identifier
    validFrom,      // uint256 unix timestamp
    validUntil      // uint256 unix timestamp
);

Revoke on-chain:

policyRegistry.revokePermission(permissionId);

Via API (handles on-chain registration + constraint sync to PermissionEnforcer):

const apiUrl = process.env.GUARDRAIL_API_URL ?? "https://agentguardrail.xyz";
const headers = {
  "Content-Type": "application/json",
  Authorization: `Bearer ${process.env.GUARDRAIL_DASHBOARD_API_KEY}`,
};

// Grant a permission
const permission = await fetch(`${apiUrl}/api/v1/permissions`, {
  method: "POST",
  headers,
  body: JSON.stringify({
    agent_id: "agent-uuid",
    policy_id: "policy-uuid",
    valid_from: "2026-01-01T00:00:00Z",
    valid_until: "2026-12-31T23:59:59Z",
  }),
}).then((r) => r.json());

// Mint it on-chain (registers in PolicyRegistry, syncs constraints to PermissionEnforcer)
const minted = await fetch(`${apiUrl}/api/v1/permissions/${permission.id}/mint`, {
  method: "POST",
  headers,
}).then((r) => r.json());
// minted.onchain_token_id — the on-chain token ID

// Revoke
await fetch(`${apiUrl}/api/v1/permissions/${permission.id}`, { method: "DELETE", headers });

// List (filter by agent or policy)
await fetch(`${apiUrl}/api/v1/permissions?agent_id=${agentId}`, { headers });

> Use the API path when you need the PermissionEnforcer constraints to sync automatically. The direct contract path is sufficient if you are managing PermissionEnforcer constraint updates yourself.

7. Action Validation

On-chain enforcement (primary):

Validation happens automatically inside AgentSmartAccount.validateUserOp() via PermissionEnforcer. You do not call this directly — it runs as part of every UserOperation. Transactions that violate policy constraints revert before execution.

Off-chain pre-flight (via API — useful for dashboards, simulation, agent planning):

const apiUrl = process.env.GUARDRAIL_API_URL ?? "https://agentguardrail.xyz";

// Pre-flight check before building a UserOperation
const result = await fetch(`${apiUrl}/api/v1/validate`, {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    Authorization: `Bearer ${process.env.GUARDRAIL_DASHBOARD_API_KEY}`,
  },
  body: JSON.stringify({
    agent_id: "agent-uuid",
    action: {
      type: "swap",
      token: "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
      protocol: "0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D",
      amount: "500000000000000000",
      chain: 8453,
      to: "0xDef1C0ded9bec7F1a1670819833240f027b25EfF",
    },
  }),
}).then((r) => r.json());
// result.allowed        — boolean
// result.reason         — explanation if denied
// result.permission_id  — matching permission
// result.policy_id      — matching policy
// result.constraints    — active constraints
// result.request_id     — audit trail reference

Simulate (dry-run, no audit record):

const sim = await fetch(`${apiUrl}/api/v1/validate/simulate`, {
  method: "POST",
  headers: { "Content-Type": "application/json", Authorization: `Bearer ${process.env.GUARDRAIL_DASHBOARD_API_KEY}` },
  body: JSON.stringify({
    agent_id: "agent-uuid",
    action: { type: "transfer", amount: "1000000000000000000", chain: 1 },
  }),
}).then((r) => r.json());
// sim.would_allow       — boolean
// sim.current_usage     — current period usage
// sim.remaining_quota   — remaining allowance
// sim.recommendations   — suggested policy adjustments

Batch validate:

// POST /api/v1/validate/batch
// Body: { actions: [...] }  — same structure as single validate

8. Audit & Monitoring

On-chain events (source of truth):

The AgentGuardrail indexer polls contracts every 12 seconds and writes events to the audit log with tx_hash and block_number. Events emitted by the contracts:

Event	Contract	Description
-------	----------	-------------
`EnforcementResult`	PermissionEnforcer	Every validateUserOp result
`ConstraintViolation`	PermissionEnforcer	Policy constraint breached
`UsageRecorded`	PermissionEnforcer	Spend/volume tracked
`Executed`	AgentSmartAccount	Transaction executed
`AccountCreated`	AgentAccountFactory	New smart account deployed

Query via API:

const apiUrl = process.env.GUARDRAIL_API_URL ?? "https://agentguardrail.xyz";

// List audit logs
const logs = await fetch(
  `${apiUrl}/api/v1/audit?agent_id=${agentId}&source=onchain&start_date=2026-01-01T00:00:00Z`,
  { headers: { Authorization: `Bearer ${process.env.GUARDRAIL_DASHBOARD_API_KEY}` } }
).then((r) => r.json());
// Each log entry includes: source ('onchain'|'offchain'), tx_hash, block_number, event_type

// Filter by source
// source=onchain   — events from contract indexer (tx_hash + block_number included)
// source=offchain  — API validation requests

// Export (JSON or CSV)
const csvUrl = `${apiUrl}/api/v1/audit/export?format=csv&start_date=2026-01-01T00:00:00Z`;

Event types: policy.created, policy.activated, policy.revoked, permission.created, permission.minted, permission.revoked, validation.request.

Enforcement Model

All agents are ERC-4337 smart accounts with enforced on-chain policy enforcement. There is no advisory or EOA mode.

AgentSmartAccount.validateUserOp() calls PermissionEnforcer on every UserOperation. Transactions that violate policy constraints revert before execution. The agent cannot bypass enforcement — it is built into the account's validation logic.

Off-chain validation (/api/v1/validate) runs as a pre-flight simulation for dashboards, SDK use, and agent planning. The on-chain PermissionEnforcer performs the final, authoritative enforcement.

Recommended Setup Flow

1. Deploy smart account (AgentAccountFactory.createAccount)
2. Create policy (API) → activate (registers on-chain via PolicyRegistry)
3. Grant permission (API) → mint (syncs constraints to PermissionEnforcer)
4. Agent builds UserOperations — enforcement is automatic
5. Monitor via audit logs or on-chain events

Autonomy & Safety Guidance

Start on Sepolia. All contract addresses are provided above.
Fund accounts with small amounts while validating policies.
Use strict policies — prefer explicit token/protocol allowlists over wildcards.
Enable autonomous execution only with secure signing configured.
Apply rate limits and allowlists at the signer layer as a second line of defense.

Privacy and Data Handling

This skill does not store, log, or transmit private keys, seed phrases, or signer tokens.
GUARDRAIL_RPC_URL may contain an embedded API key. Treat it as sensitive.
GUARDRAIL_SIGNER_AUTH_TOKEN grants signing capability. Store in secure secret storage — never expose in logs, prompts, or chat.
On-chain transactions are public by nature. The skill adds no off-chain data collection beyond what the blockchain records.
The skill does not access local files, browser storage, or environment variables beyond those declared in the manifest.

Design Principles

Contract-first — All enforcement is on-chain. The API is a convenience layer, not the authority.
Policy-bound by default — Every account is bound to a policy at creation. No account is unconstrained.
Non-custodial — AgentGuardrail never holds funds. Enforcement lives in contracts you can verify.
Least privilege — Signing must use scoped, secure integrations. Never expose long-lived owner keys.
Agent and human neutral — Authority derives from ownership and policy, not caller identity.
Infrastructure-grade fees — Fees are enforced at the contract layer. No software bypass exists.

Dashboard

All operations are available via the web dashboard at https://agentguardrail.xyz — manage agents, policies, permissions, and audit logs visually. API keys and bot signer keypairs generated by the dashboard should be stored in secure secret storage and never pasted into chat.

Guardrail Agent Smart Account Wallets

概述