Stop rogue agents.
Protect every transaction.
The on-chain policy layer between autonomous AI agents and the Solana blockchain. Enforce allow-lists, spending budgets, and AI-powered kill switches — before damage is done.
One instruction: guarded_execute — same security model as traditional finance.
Web3 agents move fast. Their failure modes move faster.
Avg drain time
< 12s
Recovery rate
~3%
Value at risk
$100M+
Today
An agent compromise usually means the treasury and permissions are compromised too. If the key can sign, it can drain.
With Guardrails
Agent Guardrails Protocol separates intent from execution. The agent can request an action, but the policy layer decides whether it's legal, affordable, and safe enough to reach Solana.
How It Works
Three layers. One instruction.
Route agent transactions through guarded_execute. The protocol handles the rest.
Define Policy
Create an on-chain policy: whitelist programs, set per-tx and daily spending limits, configure AI monitoring thresholds.
Execute Guarded
Agent calls guarded_execute instead of raw transactions. The program validates allow-lists and budgets on-chain before CPI.
AI Monitors
Off-chain AI (Guardian Agent) analyzes behavioral patterns in real time. Anomalies trigger an instant on-chain pause — no committee votes needed.
Defense Layers
Hard limits on-chain.
AI judgment off-chain.
Four interlocking defense mechanisms ensure no single point of failure.
Program Allow-Listing
Every CPI target is validated against an on-chain whitelist. Unknown or malicious programs are rejected before execution — not after.
✓ Jupiter Aggregator whitelisted
✓ Marinade Finance whitelisted
✗ Unknown: 7xKX...mQ3d ProgramNotWhitelisted
→ Transaction rejected at instruction level
Spending Budgets
Two-tier caps enforced on-chain. Per-transaction limits catch single large drains. Rolling 24h budgets stop slow bleeds.
per_tx_limit: 2.0 SOL
daily_budget: 20.0 SOL
---
spent_today: 14.2 SOL
remaining: 5.8 SOL
AI Kill Switch
Guardian Agent evaluates every flagged transaction. Suspicious patterns trigger a pause_agent instruction in under 3 seconds.
Real-Time Monitoring & Incident Reports
Live dashboard with SSE streaming, spend gauges, and incident timelines. When an agent is paused, Guardian Agent generates a full postmortem with root cause analysis and policy recommendations.
[14:32:01] ALLOW yield_bot Jupiter swap 1.2 SOL
[14:32:14] FLAG alpha_scan Unknown pgm 4.8 SOL
[14:32:15] FLAG alpha_scan Burst detected
[14:32:16] PAUSE alpha_scan Frozen on-chain (94% conf)
Integration
Five lines to protect your agent.
Wrap your agent's executor with the Guardrails SDK. Works with Solana Agent Kit, LangChain, or any custom agent framework.
// Initialize with your policy
const guard = new GuardrailsClient({
policyId: '8xKZ...policy',
agentKeypair: loadKeypair(),
});
// Every transaction goes through guarded_execute
const tx = await guard.execute({
targetProgram: JUPITER_PROGRAM_ID,
amount: 1.5 * LAMPORTS_PER_SOL,
instruction: swapIx,
});
//✓ Allow-list checked on-chain
//✓ Budget validated on-chain
//✓ AI monitoring triggered
Drop-in replacement
Replace your raw transaction call with guard.execute(). No architecture changes needed.
Framework agnostic
Works with Solana Agent Kit, LangChain, AutoGPT, or any custom agent. Wraps the executor, not the agent logic.
PDA-based custody
Funds live in a policy-owned PDA, not in the agent's keypair. The agent signs, but never holds the keys to the treasury.
Open source
Fully auditable Anchor program. Inspect the on-chain logic yourself — no trust required.
Architecture
End-to-end defense flow
From agent request to on-chain execution — every step is validated, monitored, and auditable.
AI Agent
Requests a transaction via SDK
Guardrails Program
On-chain policy check + CPI
Helius Webhook
Streams events to monitor
AI Judge
Guardian Agent analyzes + pauses
Dashboard
Real-time feed + controls
Live Demo
Watch an attack get stopped.
Three agents running on devnet. One goes rogue. Guardrails catches and freezes it in seconds.
FAQ
Common questions
On-chain protections (allow-lists, budgets) are enforced by the Solana program itself and work independently. The AI monitoring layer adds behavioral analysis on top, but core limits never depend on off-chain availability.
No. Replace your raw transaction call with guard.execute(). The SDK wraps your existing instructions. Your agent logic stays exactly the same.
No. Funds are held in a policy-owned PDA. The agent's keypair can only sign guarded_execute instructions — it never has direct access to the SOL.
Any Solana program. Common choices: Jupiter (swaps), Marinade (staking), Drift (perps), Raydium (AMM). The policy owner can update the whitelist at any time.
Guardian Agent evaluates flagged transactions against the agent's policy, recent history, and anomaly signals (burst frequency, new programs, unusual amounts). It returns ALLOW, FLAG, or PAUSE with a confidence score.
The program is open source and built with Anchor 0.30.1. The on-chain logic is fully inspectable. Community audits are in progress as part of the Solana Frontier hackathon.
The on-chain policy check adds ~2ms to transaction processing (one extra CPI). The AI monitoring is asynchronous and does not add latency to the transaction itself.
Yes. High-value transactions can be escalated to a Squads v4 multisig for human approval before execution, adding an extra authorization layer for critical operations.
Get Started
Protect your agents.
Ship with confidence.
Deploy on-chain guardrails in minutes. Open source, composable, and built for the Solana ecosystem.
Free and open source. Deploy in under 5 minutes.