- action: issue_refund
- amount: $240.00
- agent: support_ops_agent
The agent control plane
Stop your AI agents before they do real damage.
Arc is the guardrail between your agents and production. Every action passes an allow / ask / block policy, waits for a human when it’s risky, and runs only as a signed (ES256) request your app verifies — with a cumulative spend cap so a runaway loop can’t quietly burn your budget.
Free to start — no credit card. Add the @geostack/arc SDK when you’re ready to integrate.
Why now
Reportedly ~$500,000,000 of Claude usage in one month — because no one set a cap.
Figure reported by Axios from a consultant’s account. The company is unnamed and unconfirmed.
A consultant told Axios an enterprise client ran up roughly half a billion dollars in Claude token spend in a single month after handing out employee licenses with no usage limits — thousands of people running agentic workflows at once. The figure is unconfirmed, but the pattern is on the record: Microsoft cancelled most internal Claude Code licenses ($500–$2,000/eng/mo); Uber burned through its 2026 AI budget by April.
The cap didn’t exist, or wasn’t turned on. Arc is the cap — plus the approval and the kill-switch for the action you can’t undo.
How it works
Four checks between the agent and the thing it can’t take back.
- 01 Policy (allow): Each action is allow, ask, or block. Anything you didn't declare is blocked. Default-deny, not default-trust.
- 02 Approval (ask): Risky actions pause for a human. So does any spend over the cap — the loop waits instead of running.
- 03 Signed execution (signed): Approved work ships as a short-lived ES256 JWS your app verifies before any side effect. The agent never holds a broad API key.
- 04 Audit (audit): Every attempt, approval, block, and budget hit lands in a redacted, hash-chained log you can replay.
```ts
arc.defineActions({
  issue_refund: {
    risk: "high",
    defaultDecision: "ask", // pause for a human
    cost: { mode: "field", field: "amount" }, // charge against a budget
  },
  delete_production_db: { defaultDecision: "block" },
})

// the agent calls this; Arc decides, then signs.
const runtime = arc.createArcAgentRuntime({ agentToken })
const res = await runtime.invoke(appId, "issue_refund", { amount: 240_00 })
if (res.status === "pending_approval") notifyApprover(res.approval_id) // $240 → held
```

TypeScript-first, fail-closed by default. Sync policy with the arc CLI or the MCP adapter.
What you get
A receipt for every action — even the ones that never ran.
When something runs, it’s a signed request you can verify. When something is blocked, that’s logged too. The chain is tamper-evident: each entry carries the hash of the one before it, so a deleted row breaks the chain.
- timestamp: 2026-06-04T12:04:02Z
- action: issue_refund
- payload: ••••
- approver: user_421

- ES256: signed execution, with nonce replay protection
- default-deny: unknown actions are blocked, not waved through
- hash-chained: redacted, tamper-evident audit trail
- spend caps: cumulative budget guardrails, enforced per agent
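
The hash chain described above, as an added example that is not Arc's code: each entry's hash covers the previous entry's hash, so a verifier can locate the first row that was deleted or edited. The field names, the all-zero genesis value and the SHA-256 serialization are assumptions for illustration, not Arc's log format.

```javascript
// Added example: a minimal hash-chained log. Field names and layout are
// assumptions for illustration, not Arc's actual log format.
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64); // assumed prev_hash for the first entry

// Hash the previous hash together with a fixed-order serialization of the entry.
function entryHash(prevHash, e) {
  const body = JSON.stringify([e.timestamp, e.action, e.decision, e.approver]);
  return createHash("sha256").update(prevHash).update("\n").update(body).digest("hex");
}

function append(log, e) {
  const prev_hash = log.length ? log[log.length - 1].hash : GENESIS;
  log.push({ ...e, prev_hash, hash: entryHash(prev_hash, e) });
  return log;
}

// Returns -1 if the chain is intact, else the index of the first bad entry.
function firstBrokenIndex(log) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.prev_hash !== prev || e.hash !== entryHash(prev, e)) return i;
    prev = e.hash;
  }
  return -1;
}

// Constructed sample entries (payloads omitted, as in a redacted log).
function sampleLog() {
  const log = [];
  append(log, { timestamp: "2026-06-04T12:03:10Z", action: "delete_production_db", decision: "block", approver: null });
  append(log, { timestamp: "2026-06-04T12:04:02Z", action: "issue_refund", decision: "ask", approver: "user_421" });
  append(log, { timestamp: "2026-06-04T12:05:30Z", action: "issue_refund", decision: "ask", approver: "user_421" });
  return log;
}

const intact = sampleLog();
const rowDeleted = sampleLog().filter((_, i) => i !== 1); // drop the middle row
const rowEdited = sampleLog();
rowEdited[0].decision = "allow"; // rewrite a blocked attempt after the fact
const tailDropped = sampleLog().slice(0, 2); // remove the newest row

console.log(firstBrokenIndex(intact), firstBrokenIndex(rowDeleted),
  firstBrokenIndex(rowEdited), firstBrokenIndex(tailDropped));
```

Run with Node.js; it prints `-1 1 0 -1`. The last case shows that dropping rows from the end leaves a shorter valid chain, so the newest hash has to be recorded outside the log to detect truncation.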
Works with any agent or MCP server
- OpenAI
- Anthropic
- Gemini
- Cursor
- Windsurf
Provider-agnostic. Arc wraps the action, not the model — these mark compatibility, not partnerships.
Put one risky agent action behind Arc today.
Wrap your most dangerous action this afternoon. Sign up for a free hosted workspace, integrate the SDK, and guard your first action — free, no credit card.
Next on the roadmap: Arc Auth — scoped, revocable identity for agents.