open source · x402 / AP2

A spending limit for
autonomous agents.

Zaalto SpendGuard is an open-source proxy between your AI agent and the x402 rail. Every payment passes a policy check — allow, block, or escalate — and lands in a signed log.

View on GitHub

Apache-2.0 · Rust · runs local

the gap

Agentic payment standards settled how agents pay. None of them settled what stops an agent from draining a wallet. SpendGuard is the control layer that was left out.

how it works

Four steps in the payment path.

01
Intercept

Your agent routes its x402 calls through SpendGuard. No code change — point the client at the proxy.

02
Decide

Each payment is checked against your cap and policy at the moment of spend.

03
Enforce

Under the limit, the payment passes. Over it, the payment is blocked before it settles.

04
Record

Every allow and block is written to an append-only log — what was paid, what wasn't, and why.

principles

Built like infrastructure that touches money.

Fail-closed

If SpendGuard can't reach a decision, the payment does not happen. A control that fails open is not a control.

Integer money

Amounts are tracked in the asset's smallest unit. No floating-point math on money, ever.

Tamper-evident log

Every decision is signed and append-only — a record your auditor can verify, not just trust.

Open core

The enforcement engine is Apache-2.0. Run it yourself, read every line, fork it if you want.

get started

Set a cap. Point your agent at it.

zaalto.tomlconfig
# global cap, in USDC base units
listen = "127.0.0.1:7402"
asset  = "USDC"
cap    = 25_000_000 # $25.00
log    = "./decisions.jsonl"
decisions.jsonlappend-only
allow {"amount":40000,"total":160000,"cap":25000000}

deny  {"amount":48000000,"reason":"cap_exceeded"}

what's next

Today SpendGuard enforces a cap and logs every decision. Next: step-up approvals, velocity and allowlists, and a console that turns the audit stream into oversight your finance team can sign off on.