Reference · the agent-guardrail vocabulary
The words underneath the guardrail.
“Guardrails” gets used for a dozen different things. Here is the precise vocabulary Arc is built on — what each term means, and what it does inside the product. Eight definitions, written to be quoted.
01 · AI agent guardrails
also: agentic guardrails
Runtime controls that constrain what an autonomous AI agent is allowed to do before it acts, not just what it is prompted to do: enforcing spend limits, requiring human approval for risky actions, blocking destructive or irreversible operations, and recording every decision — so an agent with production credentials cannot cause runaway cost or real-world damage.
In Arc: a guardrail for the action, not the prompt. Arc sits in front of the tool calls that move money or mutate production.
02 · Allow / ask / block
tags: allow · ask · block
also: policy decision
The three decisions Arc returns for every agent action. Allow lets the action proceed and be signed; ask pauses it for a human to approve or reject; block stops it outright. Arc is default-deny: an action with no matching grant is blocked, so unconfigured agents fail closed, never open.
In Arc: you declare a default decision per action. Allow keeps it autonomous, ask gates it on a human, block makes it impossible.
03 · Signed execution
tags: signed
also: ES256 JWS execution
Arc never lets an agent call your systems directly. Once policy passes, Arc issues an ES256-signed JWS request carrying a hash of the request body, an expiry, and a one-time nonce, delivered to your app's /arc/execute endpoint. Your app verifies all of it before acting, so only authorized, untampered, unexpired, non-replayed requests ever execute.
In Arc: the @geostack/arc SDK verifies the signature, timestamp, nonce, and body hash before your business logic runs.
04 · Hash-chained audit log
tags: audit
also: tamper-evident audit log
A tamper-evident record in which each entry stores the previous entry's hash alongside its own, so any later edit or deletion breaks the chain and becomes detectable. Arc writes one redacted, hash-chained event per decision, approval, and execution — capturing who did what and the allow, ask, or block outcome.
In Arc: each entry hash is computed as sha256(prev_hash + canonical_json). Sensitive fields are redacted in the stored event; numeric cost is preserved.
05 · Spend cap / budget
tags: ask · block
also: budget · spend limit
A cumulative limit on what an agent or app may spend over a window, rolling or per calendar day or month, rather than a per-call check. Arc estimates each action's cost, reserves it under a lock, and commits it on execution. On breach it either blocks the action or requires human approval, stopping runaway spend.
In Arc: enforced atomically on the hot path, so two concurrent agent loops cannot both slip under the same cap.
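The default-deny decision from 02 and the reserve-then-commit budget from 05, as one added example. This is not Arc's policy engine: the grant shape, the reason codes, the per-call threshold and the in-memory budget store are assumptions for the demo. The point it makes is that pending reservations count against the cap, so a second loop that starts before the first commits still sees the budget as spent, and that an ask that is rejected releases its reservation.

```javascript
// Added example (not Arc's policy engine): a default-deny allow/ask/block decision whose
// non-blocked path runs through a reserve-then-commit spend cap. The grant shape, reason
// codes and in-memory budget store are assumptions for the demo.

const DECISIONS = new Set(['allow', 'ask', 'block']);

// Cumulative budget over a rolling window. Cost is reserved before the action runs and
// committed (or released) afterwards, so pending actions count against the cap too.
class SpendCap {
  constructor({ limitCents, windowMs, onBreach = 'block', now = () => Date.now() }) {
    if (onBreach !== 'ask' && onBreach !== 'block') throw new Error('onBreach must be ask or block');
    this.limitCents = limitCents;
    this.windowMs = windowMs;
    this.onBreach = onBreach;
    this.now = now;
    this.committed = [];        // { at, cents } inside the window
    this.reserved = new Map();  // reservation id -> cents still pending
    this.nextId = 1;
  }

  usedCents() {
    const cutoff = this.now() - this.windowMs;
    this.committed = this.committed.filter((c) => c.at > cutoff); // roll the window
    let total = 0;
    for (const c of this.committed) total += c.cents;
    for (const cents of this.reserved.values()) total += cents;
    return total;
  }

  // Check and insert happen in one synchronous step. On a real control plane the same
  // property comes from a row lock or an atomic counter; without it two loops can both
  // read "under cap" and both proceed.
  reserve(cents) {
    if (this.usedCents() + cents > this.limitCents) return { ok: false, decision: this.onBreach };
    const id = this.nextId++;
    this.reserved.set(id, cents);
    return { ok: true, id };
  }

  commit(id) {
    const cents = this.reserved.get(id);
    if (cents === undefined) throw new Error(`unknown reservation ${id}`);
    this.reserved.delete(id);
    this.committed.push({ at: this.now(), cents });
  }

  release(id) { this.reserved.delete(id); } // rejected by a human, or execution failed
}

// No grant means block (fail closed). Anything not blocked outright takes a reservation,
// so a pending ask holds budget until it is approved (commit) or rejected (release).
function decide(policy, actionName, estimatedCents) {
  const grant = policy.grants[actionName];
  if (!grant || !DECISIONS.has(grant.default)) return { decision: 'block', reason: 'no_grant' };
  if (grant.default === 'block') return { decision: 'block', reason: 'policy' };
  const r = policy.cap.reserve(estimatedCents);
  if (!r.ok) return { decision: r.decision, reason: 'budget' };
  if (grant.askAboveCents != null && estimatedCents > grant.askAboveCents) {
    return { decision: 'ask', reason: 'per_call', reservation: r.id };
  }
  return { decision: grant.default, reason: 'policy', reservation: r.id };
}

// Constructed demo: refund loops sharing a 10.00 daily cap that asks on breach.
function demo() {
  let clock = 0;
  const cap = new SpendCap({ limitCents: 1000, windowMs: 24 * 3600 * 1000, onBreach: 'ask', now: () => clock });
  const policy = {
    cap,
    grants: {
      refund: { default: 'allow', askAboveCents: 500 },
      delete_account: { default: 'block' },
    },
  };
  const out = {};
  out.a = decide(policy, 'refund', 400);        // allow: 400 reserved
  out.b = decide(policy, 'refund', 400);        // allow: 800 reserved, nothing committed yet
  out.c = decide(policy, 'refund', 400);        // ask: 1200 would breach while a and b are pending
  out.e = decide(policy, 'delete_account', 0);  // block: policy
  out.f = decide(policy, 'send_email', 0);      // block: no grant, default deny
  cap.commit(out.a.reservation);                // a executed
  cap.release(out.b.reservation);               // b rejected by a human
  out.d = decide(policy, 'refund', 600);        // ask: above the per-call threshold, holds 600
  out.g = decide(policy, 'refund', 100);        // ask: 400 + 600 pending + 100 breaches
  cap.release(out.d.reservation);               // d rejected
  clock = 25 * 3600 * 1000;                     // the window rolls past a's commit
  out.h = decide(policy, 'refund', 500);        // allow: window is empty again
  return Object.fromEntries(Object.entries(out).map(([k, v]) => [k, v.decision]));
}
```

Reservations need an expiry of their own in a real deployment: an ask that nobody ever answers would otherwise pin budget until the window rolls.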
06 · Protected agent
tags: signed
also: guarded agent
An autonomous AI agent whose every action routes through Arc before touching production: checked against allow, ask, or block policy and spend budgets, approved by a human when risky, signed, and audited. Arc meters on protected agents — each a distinct agent identity under its control plane — never on human seats.
In Arc: one of Arc's two metering units. You pay for the agents you actually put behind the guardrail, not for users.
07 · Guarded action
tags: allow · ask · block · signed · audit
A single high-risk operation an agent attempts, such as a refund, cancel, delete, or send, that Arc governs end to end. Each one passes policy, may trigger human approval, charges a budget, executes through a signed request your app verifies, and is recorded. Guarded actions are the second of Arc's two metering units.
In Arc: Arc's second metering unit. A read-only call you didn't wrap isn't guarded and isn't metered.
08 · MCP guardrails
tags: allow · ask · block
also: Model Context Protocol guardrails
Controls that govern the tools an AI agent invokes over the Model Context Protocol. MCP decides which tools an agent can call; Arc decides whether a specific call runs now. Arc's MCP adapter exposes guarded actions as MCP tools and routes every call through policy, approval, signed execution, and audit.
In Arc: a drop-in transport layer with no app code change. The adapter never executes business logic and never self-approves.
Keep reading
Stop reading definitions. Put one action behind Arc.
Metered on protected agents and guarded actions — never per seat. Free to start: sign up for a hosted workspace, no credit card.
Last updated 2026-06-04