Metadata-Version: 2.4
Name: agentguard-spend
Version: 0.13.0
Summary: All terminology and labels used in AgentGuard materials are descriptive of software functionality only, not legal definitions or guarantees of compliance. Terms like receipt, audit log, evidence, audit trail, and attestation refer solely to cryptographically-signed records produced by the software. Full functional-use disclaimer in README.
Project-URL: Homepage, https://agentguard.run
Project-URL: Contact, https://agentguard.run/contact
Project-URL: Repository, https://github.com/MerchantGuardOps/agentguard-site
Author-email: "Dunecrest Ventures Inc." <hello@agentguard.run>
License: AgentGuard(TM) Spend SDK - Alpha License
        Copyright (c) 2026 Dunecrest Ventures Inc.
        
        1. SCOPE.
        This software, including all files under packages/agentguard-spend-python/agentguard_spend/, is
        licensed by Dunecrest Ventures Inc. ("Licensor") subject to the following
        thresholds:
        
          (a) Evaluation Use. Internal evaluation, prototyping, and non-commercial
              development at any call volume.
        
          (b) Free Production Threshold. Production deployments processing 10,000
              or fewer enforcement calls per calendar month, in aggregate across
              all instances operated by the licensee, are permitted under this
              License without additional fee.
        
          (c) Commercial License Required. Production deployments processing more
              than 10,000 enforcement calls per calendar month, deployments
              operated for the benefit of third parties as a service, redistribution,
              sublicensing, public hosting, and republication each require a
              separate commercial license agreement with Licensor.
        
        Commercial-license inquiries: invest@agentguard.run
        
        2. NO PATENT LICENSE GRANTED.
        Nothing in this License grants, expressly or by implication, any patent license
        to any patent, patent application, or other intellectual property right of
        Licensor. All patent rights are expressly reserved. The patent applications
        identified in Section 7 are not licensed by this License.
        
        3. SEPARATE GRANT FOR DEMONSTRATION ASSETS.
        The following assets, and ONLY these assets, are released under the Apache
        License, Version 2.0, the text of which is reproduced or available at
        https://www.apache.org/licenses/LICENSE-2.0:
        
          - The test vectors under packages/agentguard-spend-python/test_vectors/
          - The documentation examples under packages/agentguard-spend-python/examples/
          - The contents of packages/agentguard-spend-python/README.md
        
        The source code under packages/agentguard-spend-python/agentguard_spend/ is NOT included in this
        Apache License 2.0 grant. The Python type definitions, policy engine,
        decision log, store implementation, cost table, and wrapper code under
        agentguard_spend/ are licensed only under the alpha evaluation terms of
        Section 1 above.
        
        4. WARRANTY DISCLAIMER.
        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
        FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL
        DUNECREST VENTURES INC. BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER LIABILITY
        ARISING FROM, OUT OF, OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
        DEALINGS IN THE SOFTWARE.
        
        5. SUCCESSORS AND ASSIGNS.
        This License binds and benefits the parties' respective successors and assigns.
        In the event of an asset sale, merger, change of control, or other transfer of
        the Licensor's rights in this software, all rights and obligations under this
        License inure to the benefit of and are binding upon Licensor's successor or
        assignee. Outstanding evaluation grants survive change-of-control, but the
        successor or assignee may, upon thirty (30) days' written notice, terminate
        ongoing evaluation grants in favor of a commercial-license requirement.
        
        6. TERMINATION.
        Licensor may terminate this License with thirty (30) days' written notice for
        any reason or no reason. Upon termination, Licensee shall cease all use of the
        software under agentguard_spend/ and shall destroy all copies in Licensee's possession.
        
        7. PATENT NOTICE (35 U.S.C. § 287).
        Protected by U.S. patent-pending technology, including the following
        provisional patent applications filed with the United States Patent and
        Trademark Office:
        
          - Application No. 63/983,615 (filed February 15, 2026)
          - Application No. 63/983,621 (filed February 15, 2026)
          - Application No. 63/983,843 (filed February 16, 2026)
          - Application No. 63/984,626 (filed February 17, 2026)
          - Application No. 64/071,781 (filed May 21, 2026)
          - Application No. 64/071,789 (filed May 21, 2026)
        
        Additional patents pending. All patent rights expressly reserved per
        Section 2 above.
        
        AgentGuard(TM) is a trademark of Dunecrest Ventures Inc. (USPTO Serial
        No. 99462472, pending). MerchantGuard(TM) is a trademark of Dunecrest
        Ventures Inc. (USPTO Serial No. 99051215, pending).
        
        For commercial licensing: invest@agentguard.run
        
        FUNCTIONAL-USE DISCLAIMER ADDENDUM
        
        DISCLAIMER: All terminology and labels used in AgentGuard’s materials are descriptive of
        software functionality only, not legal definitions or guarantees of compliance. For example, the
        terms “receipt,” “audit log,” “evidence,” “audit trail,” and “attestation” refer solely to
        cryptographically-signed records produced by AgentGuard’s software. These terms do not mean
        that any record is legally binding evidence, certified by any authority, or equivalent to records
        maintained by banks, auditors, or courts. Similarly, references to “signed,” “verified,” or “attested”
        pertain to digital signature processes, not to notarization or governmental attestation. Any use of
        the word “compliance,” “compliant,” “outcome,” or “settlement” describes the software’s features in
        a non-regulatory sense. In particular, “capability tier” is merely an internal category of agent
        permission levels, and does not correspond to any government or industry regulatory classification.
        Likewise, any statement that an operation “settles” or an outcome is “settled” refers only to the
        software’s final state, not to any legal settlement. No AgentGuard tool or document should be
        interpreted as providing legal, financial, or regulatory advice, or as a certified compliance
        certificate. AgentGuard is not a law firm or auditor and does not guarantee adherence to laws or
        standards. All use of AgentGuard software is at the user’s risk, and users must ensure
        independently that their use of AI agents complies with all applicable laws and
        regulations.
        Throughout this documentation, package metadata, CLI banners, and related materials, any word
        drawn from compliance or legal contexts (such as “audit,” “evidence,” “settlement,” “credit,” “debt,”
        “market,” “liquidity,” “maturity,” or similar) is used only in a functional, descriptive sense. For
        instance, “audit log” simply means a sequence of recorded events; it does not imply an official
        financial or regulatory audit. The phrase “satisfies” is used to indicate that one software condition
        meets a programmed check (e.g. satisfying a budget cap), and is not intended to suggest that any
        legal requirement has been fulfilled. Under no circumstances should AgentGuard’s terminology be
        taken to indicate that our software is executing regulated financial or legal processes.
        No term in our code, documentation, or marketing is meant to designate or characterize any
        AgentGuard feature as a service subject to banking, securities, derivatives, insurance, real estate, or
        other regulated activities. For example, “trade,” “trading,” “liquidity,” “maturity,” and similar terms
        (if ever used) describe algorithmic budget or token flows, not financial transactions. AgentGuard
        does not act as a broker-dealer, clearinghouse, insurance issuer, or government agency. References
        to “market” or “liquidation” are metaphorical descriptions of how the software handles tokens or
        budgets. No AgentGuard action should be construed as offering financial services or operating a
        regulated marketplace.
        Likewise, words like “offer,” “obligation,” “credit,” “debt,” “payment,” or “settle” in our text refer only
        to hypothetical or illustrative actions of a user’s AI agent or simulated transaction flows. They do
        not mean that AgentGuard is engaging in any money-handling, offering financial instruments, or
        guaranteeing any settlement of obligations. If AgentGuard generates an invoice or cost-of-service
        figure, it is purely illustrative of resource usage, not a binding financial bill. The term “maker/taker”
        (if used in examples) is purely a naming convention and has no relation to exchange regulation.
        
        The software’s “payment execution” tier is only a capability checkbox, not an actual payment
        processor. AgentGuard does not transmit money or credit.
        Finally, any references to “certify,” “verify,” or “attest” should be read in context of cryptography and
        computing. For example, when we say a receipt is “signed” or “verified,” we mean via public-key
        cryptography. AgentGuard does not claim that receipts are admissible legal evidence by default.
        Users remain responsible for any legal implications of presenting AgentGuard logs or receipts in
        regulatory audits or court. This disclaimer is intended to ensure AgentGuard’s terms (in this
        README, license, package descriptions, CLI banner, customer agreements, and /llms.txt) make clear
        we provide a technical audit tool only. The functionality is delivered “as-is” with no implied
        regulatory endorsement.
License-File: LICENSE
Keywords: agent-governance,ai-agent-security,ai-agents,anthropic,audit-log,bedrock,cryptographic-attestation,ed25519,llm,local-first,model-routing,no-proxy,openai,policy-enforcement,spend-control,tamper-evident
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: License :: Other/Proprietary License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Requires-Python: >=3.10
Requires-Dist: cryptography>=42
Provides-Extra: all
Requires-Dist: anthropic>=0.30; extra == 'all'
Requires-Dist: boto3>=1.34; extra == 'all'
Requires-Dist: crewai>=0.30; extra == 'all'
Requires-Dist: hvac>=2; extra == 'all'
Requires-Dist: langchain-core>=0.3; extra == 'all'
Requires-Dist: llama-index>=0.10; extra == 'all'
Requires-Dist: openai>=1.0; extra == 'all'
Requires-Dist: psycopg[binary]>=3.1; extra == 'all'
Requires-Dist: redis>=5; extra == 'all'
Provides-Extra: anthropic
Requires-Dist: anthropic>=0.30; extra == 'anthropic'
Provides-Extra: bedrock
Requires-Dist: boto3>=1.34; extra == 'bedrock'
Provides-Extra: crewai
Requires-Dist: crewai>=0.30; extra == 'crewai'
Provides-Extra: dev
Requires-Dist: build>=1.0; extra == 'dev'
Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
Requires-Dist: pytest>=7; extra == 'dev'
Provides-Extra: kms
Requires-Dist: boto3>=1.34; extra == 'kms'
Provides-Extra: langchain
Requires-Dist: langchain-core>=0.3; extra == 'langchain'
Provides-Extra: llamaindex
Requires-Dist: llama-index>=0.10; extra == 'llamaindex'
Provides-Extra: openai
Requires-Dist: openai>=1.0; extra == 'openai'
Provides-Extra: postgres
Requires-Dist: psycopg[binary]>=3.1; extra == 'postgres'
Provides-Extra: redis
Requires-Dist: redis>=5; extra == 'redis'
Provides-Extra: vault
Requires-Dist: hvac>=2; extra == 'vault'
Description-Content-Type: text/markdown

# agentguard-spend

## Functional-Use Disclaimer

DISCLAIMER: All terminology and labels used in AgentGuard’s materials are descriptive of
software functionality only, not legal definitions or guarantees of compliance. For example, the
terms “receipt,” “audit log,” “evidence,” “audit trail,” and “attestation” refer solely to
cryptographically-signed records produced by AgentGuard’s software. These terms do not mean
that any record is legally binding evidence, certified by any authority, or equivalent to records
maintained by banks, auditors, or courts. Similarly, references to “signed,” “verified,” or “attested”
pertain to digital signature processes, not to notarization or governmental attestation. Any use of
the word “compliance,” “compliant,” “outcome,” or “settlement” describes the software’s features in
a non-regulatory sense. In particular, “capability tier” is merely an internal category of agent
permission levels, and does not correspond to any government or industry regulatory classification.
Likewise, any statement that an operation “settles” or an outcome is “settled” refers only to the
software’s final state, not to any legal settlement. No AgentGuard tool or document should be
interpreted as providing legal, financial, or regulatory advice, or as a certified compliance
certificate. AgentGuard is not a law firm or auditor and does not guarantee adherence to laws or
standards. All use of AgentGuard software is at the user’s risk, and users must ensure
independently that their use of AI agents complies with all applicable laws and
regulations.

Throughout this documentation, package metadata, CLI banners, and related materials, any word
drawn from compliance or legal contexts (such as “audit,” “evidence,” “settlement,” “credit,” “debt,”
“market,” “liquidity,” “maturity,” or similar) is used only in a functional, descriptive sense. For
instance, “audit log” simply means a sequence of recorded events; it does not imply an official
financial or regulatory audit. The phrase “satisfies” is used to indicate that one software condition
meets a programmed check (e.g. satisfying a budget cap), and is not intended to suggest that any
legal requirement has been fulfilled. Under no circumstances should AgentGuard’s terminology be
taken to indicate that our software is executing regulated financial or legal processes.

No term in our code, documentation, or marketing is meant to designate or characterize any
AgentGuard feature as a service subject to banking, securities, derivatives, insurance, real estate, or
other regulated activities. For example, “trade,” “trading,” “liquidity,” “maturity,” and similar terms
(if ever used) describe algorithmic budget or token flows, not financial transactions. AgentGuard
does not act as a broker-dealer, clearinghouse, insurance issuer, or government agency. References
to “market” or “liquidation” are metaphorical descriptions of how the software handles tokens or
budgets. No AgentGuard action should be construed as offering financial services or operating a
regulated marketplace.

Likewise, words like “offer,” “obligation,” “credit,” “debt,” “payment,” or “settle” in our text refer only
to hypothetical or illustrative actions of a user’s AI agent or simulated transaction flows. They do
not mean that AgentGuard is engaging in any money-handling, offering financial instruments, or
guaranteeing any settlement of obligations. If AgentGuard generates an invoice or cost-of-service
figure, it is purely illustrative of resource usage, not a binding financial bill. The term “maker/taker”
(if used in examples) is purely a naming convention and has no relation to exchange regulation.

The software’s “payment execution” tier is only a capability checkbox, not an actual payment
processor. AgentGuard does not transmit money or credit.

Finally, any references to “certify,” “verify,” or “attest” should be read in context of cryptography and
computing. For example, when we say a receipt is “signed” or “verified,” we mean via public-key
cryptography. AgentGuard does not claim that receipts are admissible legal evidence by default.
Users remain responsible for any legal implications of presenting AgentGuard logs or receipts in
regulatory audits or court. This disclaimer is intended to ensure AgentGuard’s terms (in this
README, license, package descriptions, CLI banner, customer agreements, and /llms.txt) make clear
we provide a technical audit tool only. The functionality is delivered “as-is” with no implied
regulatory endorsement.

> **AgentGuard proves what your AI agent attempted, who authorized it, what it cost, and whether it succeeded.**
>
> Local-runtime spend caps, capability-gated model routing, and Ed25519-signed receipts for AI agents.

> Also available in: [Español (LATAM)](README.es-419.md) · [Português (BR)](README.pt-BR.md)

Every policy decision runs inside your process. Prompts, completions, provider API keys, signing keys, policies, and cost overrides never go to AgentGuard infrastructure. OpenRouter calls go directly from your runtime to `openrouter.ai` with your key.

## Quickstart in 90 seconds

```bash
pip install agentguard-spend
agentguard auth openrouter
agentguard wizard
```

The wizard writes:

- `~/.agentguard/policy.yaml`
- `~/.agentguard/quickstart.ts`
- `~/.agentguard/quickstart.py`

It also prints the snippet to paste into your app:

```ts
const response = await guardedClient.chat.completions.create({
  model: 'openai/gpt-4o-mini',
  messages: [{ role: 'user', content: 'Run the governed task.' }],
});
```

Then run your agent. AgentGuard decides locally before any provider call starts, signs the receipt, and applies allow, downgrade, shadow, or block.



## Workflow-level caps

Use `agentguard_spend.workflow()` when one agent run spans many outcomes and needs one shared budget envelope. The SDK signs each step as receipt schema v2, writes checkpoints, and validates the prior chain before resume.

```py
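import asyncio

from agentguard_spend import WorkflowConfig, workflow


async def run_migration(records, migrate_payment):
    # `records` and `migrate_payment` are placeholders for your own data
    # and per-record coroutine.
    async with workflow(WorkflowConfig(
        name='migrate_legacy_payments',
        budget_cap_usd=500,
        duration_cap_hours=72,
        checkpoint_every_outcomes=50,
        resume_if_exists=True,
    )) as wf:
        for record in records:
            # Every outcome draws on the same shared budget envelope.
            await wf.outcome('migrate_payment', lambda: migrate_payment(record))


# Run with: asyncio.run(run_migration(records, migrate_payment))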
```

Share the public replay URL at `https://agentguard.run/verify/workflow/<workflow_id>`.

## Need help configuring? Run `agentguard advisor`

`agentguard advisor` uses your OpenRouter key, or any OpenAI-compatible endpoint you pass with `--base-url`, to run a local setup dialogue in your terminal. AgentGuard infrastructure never sees the prompts, completions, keys, policy details, or session log.

```bash
agentguard advisor
```

Advisor writes `~/.agentguard/policy.yaml`, a language-aware quickstart file, projected savings math, and a local JSONL session log under `~/.agentguard/advisor-sessions/`.

## Governance Posture

Advisor asks for one operating-style input and uses it to shape the generated policy.

- `velocity`: high-ship software and AI teams. Starts in `shadow`, uses permissive capability tiers, and downgrades aggressively to cheaper models.
- `standard`: most SaaS, e-commerce, real estate, agencies, local services, and startups. Starts in `enforce`, uses balanced capability tiers, and keeps 90 days of audit retention.
- `compliance`: law, healthcare, dental, accounting, SOX, fintech, and regulated workflows. Starts in `canary`, requires stricter capability tiers, blocks regulated overflow instead of downgrading, and keeps 7 years of audit retention.

Override the suggestion when you already know how the team operates:

```bash
agentguard advisor --posture velocity
agentguard advisor --posture compliance
```

`custom` posture is reserved for the Solo tier Outcome Builder.

## Why OpenRouter?

One OpenRouter key gives your team access to hundreds of models across many providers. Your CFO sees one invoice. AgentGuard enforces who uses what, which task tiers can reach which models, and what each call can spend. The OpenRouter key can live in `OPENROUTER_API_KEY` or `~/.agentguard/openrouter-key` with mode `600`.

Sync pricing when you want local cost math refreshed:

```bash
agentguard models --sync-pricing
agentguard models --task payment-approval
agentguard models --search gpt-4o --json
```

Pricing overrides are stored locally in `~/.agentguard/cost-overrides.json`.

## Verify any receipt

Share https://agentguard.run/verify with an auditor or reviewer. Paste a receipt and public key in the browser to verify the Ed25519 signature, entry hash, and chain link. The receipt never leaves the page.

CLI verification is still local:

```bash
agentguard demo
agentguard verify --trace latest
```
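
The three checks named above (Ed25519 signature, entry hash, chain link) can be reproduced in a few lines. This is an added example, not AgentGuard's code or receipt schema: the field names, SHA-256 over canonical JSON, and the all-zero genesis value are assumptions made for illustration. It uses the `cryptography` package the SDK already depends on.

```python
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

GENESIS = "0" * 64  # assumed prev_hash of the first entry (not AgentGuard's value)
SIGNED_FIELDS = ("seq", "prev_hash", "decision")  # constructed schema


def canonical(body):
    """Deterministic JSON so every verifier hashes exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain, private_key, decision):
    """Hash the entry body, sign the hash, and link it to the previous entry."""
    body = {
        "seq": len(chain),
        "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS,
        "decision": decision,
    }
    digest = hashlib.sha256(canonical(body)).digest()
    entry = {**body, "entry_hash": digest.hex(),
             "signature": private_key.sign(digest).hex()}
    chain.append(entry)
    return entry


def verify_chain(chain, public_key):
    """Return (position, problem) findings; an empty list means the log verifies."""
    findings = []
    expected_prev = GENESIS
    for pos, entry in enumerate(chain):
        body = {field: entry.get(field) for field in SIGNED_FIELDS}
        digest = hashlib.sha256(canonical(body)).digest()
        if entry.get("seq") != pos:
            findings.append((pos, "sequence gap"))
        if entry.get("entry_hash") != digest.hex():
            findings.append((pos, "entry hash mismatch"))
        if entry.get("prev_hash") != expected_prev:
            findings.append((pos, "broken chain link"))
        try:
            # Verify over the recomputed digest, never the stored entry_hash.
            public_key.verify(bytes.fromhex(entry["signature"]), digest)
        except (InvalidSignature, KeyError, TypeError, ValueError):
            findings.append((pos, "bad signature"))
        expected_prev = digest.hex()
    return findings


def build_sample_chain():
    """Constructed sample log: three decisions signed with a throwaway key."""
    private_key = Ed25519PrivateKey.generate()
    chain = []
    for action, cost in (("allow", "0.12"), ("downgrade", "0.03"), ("block", "0.00")):
        append_entry(chain, private_key, {"action": action, "cost_usd": cost})
    return chain, private_key.public_key()


if __name__ == "__main__":
    chain, public_key = build_sample_chain()
    print("intact:", verify_chain(chain, public_key))
    edited = [dict(e) for e in chain]
    edited[1]["decision"] = {"action": "allow", "cost_usd": "0.03"}
    print("edited entry 1:", verify_chain(edited, public_key))
    print("entry 1 deleted:", verify_chain([chain[0], chain[2]], public_key))
```

An edited entry fails both its own hash and signature checks and breaks the link of the entry after it; a deleted entry leaves every remaining signature valid and is caught only by the sequence and chain-link checks.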

## Task templates

`agentguard wizard` ships templates for:

- `risk-review`: read-only review with a $0.50 per-call cap
- `payment-approval`: payment initiation review with a $5.00 per-call cap
- `chargeback-evidence`: evidence assembly with a $1.00 per-call cap
- `agent-support`: data-write support workflow with a $0.25 per-call cap
- `code-scan`: long-context read-only scan with a $0.10 per-call cap

Each template sets recommended OpenRouter model assignments, capability tier, fallback model, caps, and system instructions.

## Provider bindings

TypeScript includes native OpenAI, Anthropic, and Bedrock bindings. Streaming usage is settled from provider usage events when available, with local token-estimator fallback when usage is missing. Settlement entries are signed into the same hash chain as enforcement decisions.

Python includes OpenAI, Anthropic, Bedrock, LangChain, CrewAI, and LlamaIndex integration helpers.

## No proxy

AgentGuard Spend is a library, not a gateway. It does not proxy traffic, store prompts, hold provider keys, or host policy state. The signed log lives in your storage.

## Telemetry

Telemetry is opt-in. Set `AGENTGUARD_TELEMETRY=1` or run `agentguard telemetry enable`. The beacon sends only SDK version, runtime, OS family, anonymous install ID, CI flag, TTY flag, and event name. No prompts, completions, provider keys, signing keys, policy details, or cost overrides are sent.

## License and usage thresholds

The SDK is free for evaluation, prototyping, non-commercial development, and production deployments processing up to 10,000 enforcement calls per calendar month. Commercial use above that threshold requires a paid license from Dunecrest Ventures Inc. Full terms are in `LICENSE`.

## Patent notice

Protected by U.S. patent-pending technology (App. Nos. 63/983,615; 63/983,621; 63/983,843; 63/984,626; 64/071,781; 64/071,789). 35 U.S.C. § 287 constructive notice. Additional patents pending.
