Safety & Guardrails

Guardrails are hard-coded safety checks that validate every proposed action before it reaches the Wallet Layer. They operate independently of the LLM — even a compromised or hallucinating model cannot bypass them.

Transaction Guardrails

Note: Financial guardrails (per-trade limit, daily volume cap, confirmation threshold) currently only apply to native SOL transactions. SPL token transfers are not subject to these limits on devnet, as there is no reliable on-chain price oracle.

How Validation Works

When the Agent Layer proposes a tool call, the Guardrails engine:

1. Parses the intent — Extracts the action type, amount, and target
2. Loads limits — Reads the current guardrail configuration from SQLite
3. Evaluates rules — Checks the intent against all applicable limits
4. Returns a verdict — Either passed or failed with a reason

Agent proposes: transfer_sol({ to: "7xK...", amount: 5.0 })

Guardrail check:
  ✓ Per-trade limit: 5.0 SOL = 3.2% of portfolio (limit: 5%) → PASS
  ✓ Daily volume: 12.3 SOL today (limit: 50 SOL) → PASS
  ✓ Cool-down: Last trade 45 min ago (limit: 15 min) → PASS
  ✗ Recipient: 7xK... not on allowlist → FAIL

Result: BLOCKED — "Recipient not on allowlist"

If any check fails, the entire action is blocked and the reason is logged.

Emergency Controls

Kill Switch

The Kill Switch is the ultimate safety mechanism:

sigil kill

This immediately:

1. Sets config.kill_switch = true in SQLite
2. Broadcasts system:killed to all connected clients
3. Drops all Keypair references from application memory
4. Blocks all future signing until manually restarted

Per-Agent Kill

sigil kill alpha

Kills a specific agent without affecting others.

Key Principle

Guardrails are not configurable by the LLM. They exist in a separate code path that the reasoning layer cannot modify. This means safety limits hold even if:

• The model is jailbroken
• The model hallucinates incorrect parameters
• A malicious prompt is injected
• The model ignores system constraints