cap · sandbox · receipt
Covenant Guard
Run your coding agent unattended. It can't spend past your cap, can't touch what you didn't allow, and hands you a signed receipt of everything it did. The guard runs as the parent process, outside the sandbox the agent lives in: it holds the credential, meters the spend, and pulls the plug, none of which the agent can reach around.
install
curl -fsSL https://opencovenant.org/guard/install.sh | sh
Verifies the release checksums before installing, and fails closed. Also: brew install open-covenant/tap/covenant-guard or build from source with cargo install --path agent-os/crates/covenant-guard.
first run
covguard run --budget 10 -- claude -p "fix the flaky tests" --dangerously-skip-permissions
Works with Claude Code today, including subscription sessions. Codex wiring is included and marked experimental.
Hard spend cap
Every model call is routed through a local metering proxy that counts spend as the response streams. Cross the cap and the proxy refuses further calls and the guard kills the agent's process group. Overshoot is bounded to the calls already in flight, so it works for headless and interactive runs, and for subscription logins that a budget flag can't cover.
OS sandbox
Writes end at the workspace. Credentials (~/.ssh, ~/.aws, gh, docker, kube) are unreadable, the agent's own config is read-only, and all network egress is denied except the loopback proxy. That last part is what makes the cap real: there is no route to the API that skips the meter. Seatbelt on macOS, bubblewrap on Linux.
Signed receipt
Every event lands on a SHA-256 hash chain. On exit the guard writes a receipt carrying spend against cap, files changed, models and tokens, and commands, signed with ed25519. covguard verify re-checks it from the event log; change one number and it fails.
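How a hash-chained event log makes "change one number and it fails" hold, as an added sketch that is not covguard's code or receipt format. The event fields, the all-zero genesis value and the integer micro-dollar amounts are assumptions, and the ed25519 signature over the receipt is left out; without it, someone able to rewrite the whole log could recompute the chain.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed chain start value

def link(prev_hash, event):
    # Entry hash = SHA-256(previous hash + canonical JSON of the event).
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(log, event):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": link(prev, event)})

def summarize(log):
    # Every receipt field is derived from the log, never stored independently.
    events = [e["event"] for e in log]
    return {
        "cap_micros": next((e["cap_micros"] for e in events if e["kind"] == "run_start"), None),
        "spend_micros": sum(e["cost_micros"] for e in events if e["kind"] == "model_call"),
        "files_changed": sorted({e["path"] for e in events if e["kind"] == "file_write"}),
        "head": log[-1]["hash"] if log else GENESIS,
    }

def verify(log, receipt):
    # 1) Recompute every link; an edited event breaks the chain at its index.
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != link(prev, entry["event"]):
            return False, f"chain broken at event {i}"
        prev = entry["hash"]
    # 2) Recompute the summary; an edited receipt number no longer matches.
    if summarize(log) != receipt:
        return False, "receipt does not match event log"
    return True, "ok"

def build_sample_log():
    # Constructed events; the second model call carries spend past the cap.
    log = []
    append(log, {"kind": "run_start", "cap_micros": 10_000_000})
    append(log, {"kind": "model_call", "model": "example-model", "cost_micros": 6_200_000})
    append(log, {"kind": "file_write", "path": "tests/test_retry.py"})
    append(log, {"kind": "model_call", "model": "example-model", "cost_micros": 4_100_000})
    return log

if __name__ == "__main__":
    log = build_sample_log()
    receipt = summarize(log)
    print(verify(log, receipt))                  # intact log and receipt
    log[3]["event"]["cost_micros"] = 1_000_000   # tamper with one number
    print(verify(log, receipt))
```

In this sketch an edited event is caught by the chain check, and an edited receipt field is caught by recomputing the summary from the log.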
the receipt

A run that crossed its cap. The tick marks where the cap sat: overshoot is bounded to the one call that was in flight, and the receipt shows the true number. covguard verify re-checks the signature and the event chain; tamper with any field and it fails.
honest limits
- Prebuilt binaries: macOS arm64 and Linux x86_64. The Linux sandbox needs bubblewrap installed.
- The cap bounds spend; it does not make the agent's edits correct. That is what the receipt and your review are for.
- Codex support is wired (Responses API, config generation) but not yet battle-tested.
source · release
Apache-2.0. The enforcement is open source, so you can audit the thing you trust. covguard-v0.1.0 ships cosign-signed tarballs and checksums. The MCP server is listed in the official MCP Registry as org.opencovenant/guard, published under a DNS-verified namespace on this domain.