Skip to main content

cap · sandbox · receipt

Covenant Guard

Run your coding agent unattended. It can't spend past your cap, can't touch what you didn't allow, and hands you a signed receipt of everything it did. The guard runs as the parent process, outside the sandbox the agent lives in: it holds the credential, meters the spend, and pulls the plug, none of which the agent can reach around.

install

curl -fsSL https://opencovenant.org/guard/install.sh | sh

Verifies the release checksums before installing, and fails closed. Also: brew install open-covenant/tap/covenant-guard or build from source with cargo install --path agent-os/crates/covenant-guard.

first run

covguard run --budget 10 -- claude -p "fix the flaky tests" --dangerously-skip-permissions

Works with Claude Code today, including subscription sessions. Codex wiring is included and marked experimental.

Hard spend cap

Every model call is routed through a local metering proxy that counts spend as the response streams. Cross the cap and the proxy refuses further calls and the guard kills the agent's process group. Overshoot is bounded to the calls already in flight, so it works for headless and interactive runs, and for subscription logins a budget flag can't cover.

OS sandbox

Writes end at the workspace. Credentials (~/.ssh, ~/.aws, gh, docker, kube) are unreadable, the agent's own config is read-only, and all network egress is denied except the loopback proxy. That last part is what makes the cap real: there is no route to the API that skips the meter. Seatbelt on macOS, bubblewrap on Linux.

Signed receipt

Every event lands on a SHA-256 hash chain. On exit the guard writes a receipt carrying spend against cap, files changed, models and tokens, and commands, signed ed25519. covguard verify re-checks it from the event log; change one number and it fails.

the receipt

A Covenant Guard receipt card: stopped at the spend cap, $3.24 of a $3.00 cap, with turns, files, duration, and network, signed and verifiable

A run that crossed its cap. The tick marks where the cap sat: overshoot is bounded to the one call that was in flight, and the receipt shows the true number. covguard verify re-checks the signature and the event chain; tamper with any field and it fails.

honest limits

source · release

Apache-2.0. The enforcement is open source, so you can audit the thing you trust. covguard-v0.1.0 ships cosign-signed tarballs and checksums. The MCP server is listed in the official MCP Registry as org.opencovenant/guard, published under a DNS-verified namespace on this domain.