Guardrail

Wallet guardrails for agents.

Overview

Guardrail is the Guard Labs product for giving agents wallet access without shipping a long-lived hot private key.

The human stays the owner through a passkey. The agent can still act autonomously, but only on the runtime path that Guardrail is willing to co-sign under the wallet policy.

The hosted frontend at https://guardlabs.ai serves both as the public homepage and the provisioning surface. The official hosted frontend is pinned to the official backend. If you deploy your own backend, deploy your own frontend with it.

The hosted frontend also publishes a public agent-readable onboarding skill at https://guardlabs.ai/skill.md.

The CLI defaults to the hosted backend at https://api.guardlabs.ai. Pass --backend-url only when you want to target a local or self-hosted backend.

Quickstart

These commands use the published package name and the official Guard Labs domain shape.

Create a wallet request with an official USDC budget limited to $10 per trailing 24 hours.

The example below uses Base Sepolia for safe testing. The same flow also supports Base Mainnet with --chain-id 8453 once production endpoints are configured:

npx @guardlabs/guardrail-cli create \
  --chain-id 84532 \
  --usdc-period daily \
  --usdc-max 10 \
  --usdc-allow transfer,approve,increaseAllowance,permit,transferWithAuthorization

This returns:

• a walletId
• a provisioning URL for the human owner
• local wallet state on disk
• the agent signer address

Share the provisioning URL with the human (they create the passkey and approve the ownership signature in the browser):

https://guardlabs.ai/?walletId=wal_xxx

If the provisioning frontend submits inconsistent passkey artifacts, the backend now rejects them immediately during owner binding instead of letting the wallet fail later during first deployment.

Wait for readiness:

npx @guardlabs/guardrail-cli await wal_xxx

When the wallet reaches ready, the JSON output includes localStatePath and an agentMemoryReminder hint for durable agent memory. This is meant for persistent memory across sessions, not a day-only memory log.

Check the wallet's official USDC balance on its configured chain:

npx @guardlabs/guardrail-cli usdc-balance wal_xxx

Use the ready wallet:

npx @guardlabs/guardrail-cli call wal_xxx \
  --to 0x1111111111111111111111111111111111111111 \
  --data 0xa9059cbb \
  --value-wei 0

If the smart wallet has not been deployed onchain yet, the CLI deploys it automatically before the call.

In this example, Guardrail counts the authorized USDC amount for official USDC transfer, approve, increaseAllowance, Permit, and TransferWithAuthorization. A 4 USDC transfer plus a 6 USDC permit fills the budget. Another 1 USDC action is denied until enough prior usage falls out of the trailing 24-hour window.

Documentation

Detailed documentation lives under docs/:

• Documentation index
• What the product does
• Quickstart
• Runtime policy
• Use cases
• x402 payments
• How it works
• CLI reference
• Local development

Public agent skill:

• Hosted skill.md

Supported Chains

Guardrail currently supports two chains:

Chain	Chain ID	Status
Base	8453	Supported
Base Sepolia	84532	Supported

Local Development

Prerequisites:

• Node.js 22+
• pnpm 10+
• Docker
• Foundry with anvil on your PATH for the local e2e suite

Basic setup:

pnpm install
cp .env.example .env.local
docker compose up -d postgres
pnpm db:migrate
pnpm dev

Useful local URLs:

• frontend: http://localhost:5173
• backend: http://localhost:3000

The backend also ships with a production Dockerfile at apps/backend/Dockerfile. Build it from the repository root with:

docker build -f apps/backend/Dockerfile -t guardrail-backend .

The container runs the checked-in Drizzle migrations automatically before starting the backend server.

For the full local flow, required environment variables, and testing commands, see Local development.

Before starting the backend, fill the per-chain RPC and bundler variables in .env.local. The backend only requires URLs for chains listed in GUARDRAIL_SUPPORTED_CHAIN_IDS, and it fails fast if any enabled chain is missing its runtime URLs.

Coverage across the workspace test suites is available with:

pnpm test:coverage

Developer checks are available with:

pnpm lint
pnpm format:check
pnpm typecheck
pnpm knip
pnpm check

Repository Layout

• apps/backend: Fastify backend, wallet lifecycle, runtime policy enforcement, backend signing
• apps/frontend: public Guard Labs homepage and Guardrail provisioning UI
• apps/cli: CLI used by the agent to create, await, and use wallets
• packages/shared: shared contracts, schemas, chain metadata, and Guardrail config helpers
• packages/zerodev: Kernel and ZeroDev runtime helpers used by Guardrail

Status

This repository is still pre-deployment:

• the CLI is published on npm as @guardlabs/guardrail-cli
• the official hosted frontend domain is https://guardlabs.ai
• the intended official backend domain is https://api.guardlabs.ai
• Base and Base Sepolia are supported
• runtime policy is intentionally narrow and deny-by-default on the agent runtime path

Deployment Model

• the official frontend is paired with the official backend
• provisioning links no longer carry a backend override parameter
• if you self-host the backend, self-host the frontend too

Signer Trust Model

• the human passkey is the durable owner path
• the local agent key alone is not enough to use the runtime path
• the backend signer key alone is not enough to use the runtime path
• the agent + backend runtime path is where Guardrail enforces policy
• the backend operator is trusted for policy enforcement and service availability