@kill-switch/agent-guard 0.1.0

package/README.md

@@ -0,0 +1,147 @@
+# @kill-switch/agent-guard
+
+**Kill Switch for coding agents.** Stop a runaway Claude Code / Cursor / Aider session
+from racking up an LLM bill — before it becomes a $4,200 weekend, an $87k month, or a
+[$500M month](https://www.axios.com/) "after failing to put usage limits on Claude
+licenses for employees."
+
+A coding agent runs a reasoning loop — read, edit, validate, re-check — and **re-sends its
+entire accumulated context on every tool call**. Cost compounds silently. agent-guard puts
+a hard ceiling on that loop with two complementary surfaces that share one budget:
+
+| Surface | What it is | Stops | Works with |
+|---|---|---|---|
+| **Hook** | A Claude Code `PreToolUse` / `UserPromptSubmit` / `Stop` hook that reads the live transcript, prices real token usage, warns at the soft cap and **denies the next tool call** at the hard cap | A single Claude Code session, gracefully | Claude Code |
+| **Proxy** | A local metering reverse-proxy on the agent's API base URL that counts usage from real responses and returns **HTTP 402** at the cap | *Any* agent — the API literally stops answering | Claude Code, Cursor, Aider, raw scripts |
+
+The hook is the friendly, native stop. The proxy is the dumb hard wall that can't be argued
+past. Both feed one ledger with **two budget scopes**:
+
+- **Per-session** — catches a single runaway run.
+- **Daily rolling 24h** — catches many small sessions quietly adding up.
+
+…each with a **soft cap** (warn + alert) and a **hard cap** (block).
+
+## Install
+
+```sh
+npm i -g @kill-switch/agent-guard   # provides `agent-guard` and `ksg`
+```
+
+Or use it through the main Kill Switch CLI as `ks guard …` (same engine, one
+shared ledger/budget) — see [`packages/cli`](../cli).
+
+### Developing from this monorepo
+
+The hook is wired into Claude Code by **absolute path to `dist/cli.js`**, so it
+must be built before `install`, and the bare `agent-guard` / `ksg` commands only
+land on your `PATH` after a link or publish:
+
+```sh
+# from the repo root
+npm run build:agent-guard          # compile src → dist (required before install/link)
+npm run test:agent-guard           # 21 unit tests
+
+# put `agent-guard` / `ksg` on PATH for local dev
+cd packages/agent-guard && npm link
+agent-guard --help                 # now resolves
+
+# unlink when done
+npm rm -g @kill-switch/agent-guard
+```
+
+> ⚠️ If `agent-guard` reports `command not found` (e.g. when a runaway session
+> hits the cap and the recovery command won't run), it just means the package
+> isn't linked/published yet. The block message always prints an **absolute-path**
+> fallback so recovery works regardless, and `ks guard …` works whenever the
+> `ks` CLI is installed. You can also always pause with zero tooling:
+> `touch ~/.kill-switch/agent-guard/PAUSED`.
+
+## Quick start — Claude Code (hook)
+
+```sh
+# Wire the hook into ./.claude/settings.json (use --global for ~/.claude)
+agent-guard install
+
+# Set your caps (USD)
+agent-guard config --session-soft 5 --session-hard 20 --daily-soft 25 --daily-hard 100
+
+# See where you stand any time
+agent-guard status
+```
+
+That's it. On every tool call the hook recomputes the session's real spend from the
+transcript. Cross the soft cap → Claude sees a warning and you get an alert. Hit the hard
+cap → the next tool call is **denied** with a reason, halting the agent.
+
+## Quick start — any other agent (proxy)
+
+```sh
+agent-guard proxy                      # listens on :8787, meters Anthropic by default
+# point your agent at it:
+ANTHROPIC_BASE_URL=http://localhost:8787 claude      # (if NOT using the hook — see caveat)
+OPENAI_BASE_URL=http://localhost:8787/v1 aider       # agent-guard proxy --flavor openai
+```
+
+At the hard cap the proxy returns `402 kill_switch_budget_exceeded` instead of forwarding —
+the agent can't spend another token.
+
+> ⚠️ **Don't run Claude Code through *both* the hook and the proxy** — they'd each meter the
+> same dollars and double-count. Hook for Claude Code; proxy for everything else.
+
+## Budgets
+
+Resolution order (later wins): built-in defaults → `~/.kill-switch/agent-guard/config.json`
+→ environment variables. Env override lets you tighten a single risky run:
+
+```sh
+AGENT_GUARD_SESSION_HARD=10 claude          # one-off $10 ceiling
+```
+
+| Env var | Meaning | Default |
+|---|---|---|
+| `AGENT_GUARD_SESSION_SOFT` | per-session warn (USD) | 5 |
+| `AGENT_GUARD_SESSION_HARD` | per-session block (USD) | 20 |
+| `AGENT_GUARD_DAILY_SOFT` | rolling-24h warn (USD) | 25 |
+| `AGENT_GUARD_DAILY_HARD` | rolling-24h block (USD) | 100 |
+
+A cap of `0` disables that check.
+
+## Alerts
+
+On the first soft/hard trip per scope, agent-guard:
+
+1. appends an event to `~/.kill-switch/agent-guard/events.jsonl` (local audit trail),
+2. posts to Slack if `KILL_SWITCH_SLACK_WEBHOOK` (or `config --slack-webhook`) is set,
+3. reports to the Kill Switch dashboard if `KILL_SWITCH_API_KEY` is set, so agent kills sit
+   alongside your cloud-account kills.
+
+All network alerts are best-effort with a short timeout — a down endpoint never delays the
+agent.
+
+## Pricing
+
+Built-in rates for current Claude and OpenAI models (USD/1M tokens), including Anthropic
+cache multipliers (cache write = input × 1.25, cache read = input × 0.10) — the buckets a
+context-replaying agent loop hits hardest. Unknown models fall back to premium Sonnet-class
+rates so the guard never *under*-counts. Override any model in
+`~/.kill-switch/agent-guard/pricing.json`.
+
+## Commands
+
+```
+agent-guard install [--global] [--command <cmd>]   wire the Claude Code hook
+agent-guard proxy   [--port 8787] [--flavor anthropic|openai] [--upstream URL]
+agent-guard status  [--json]                        spend vs budget
+agent-guard config  [--session-hard N ...]          view/set caps
+agent-guard reset   [--all|--today|--session <id>]  clear the ledger
+agent-guard hook                                    (internal) Claude Code entrypoint
+```
+
+## How it fails
+
+By design, **the hook fails open**: any internal error → exit 0, the agent proceeds. A buggy
+guard must never brick your session. The proxy fails open too (on a metering error it still
+relays the response) but the *budget check itself* fails closed at the 402 wall.
+
+MIT · part of [Cloud Kill Switch](https://kill-switch.net)

package/dist/alert.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Breach alerting — best-effort, fire-and-forget, never throws.
+ *
+ * On a soft/hard trip we:
+ *   1. Always append a line to ~/.kill-switch/agent-guard/events.jsonl (local audit trail).
+ *   2. POST to Slack if a webhook is configured.
+ *   3. POST to the Guardian API if an API key is configured, so the kill shows
+ *      up in the dashboard / existing alert channels alongside cloud-account kills.
+ *
+ * Everything network is wrapped in a short timeout; a down endpoint must not
+ * delay (or crash) the agent's tool call.
+ */
+import { type GuardConfig } from "./config.js";
+import type { Verdict } from "./budget.js";
+export interface AlertEvent {
+    ts: number;
+    source: "hook" | "proxy";
+    sessionId: string;
+    level: Verdict["level"];
+    sessionUSD: number;
+    dailyUSD: number;
+    reasons: string[];
+    action: string;
+    cwd?: string;
+}
+/** Dispatch an alert across all configured channels. Resolves once all attempts settle. */
+export declare function dispatchAlert(cfg: GuardConfig, evt: AlertEvent): Promise<void>;

package/dist/alert.js

@@ -0,0 +1,68 @@
+/**
+ * Breach alerting — best-effort, fire-and-forget, never throws.
+ *
+ * On a soft/hard trip we:
+ *   1. Always append a line to ~/.kill-switch/agent-guard/events.jsonl (local audit trail).
+ *   2. POST to Slack if a webhook is configured.
+ *   3. POST to the Guardian API if an API key is configured, so the kill shows
+ *      up in the dashboard / existing alert channels alongside cloud-account kills.
+ *
+ * Everything network is wrapped in a short timeout; a down endpoint must not
+ * delay (or crash) the agent's tool call.
+ */
+import { appendFileSync } from "node:fs";
+import { eventsPath, ensureGuardDir } from "./config.js";
+import { fmtUSD } from "./cost.js";
+const TIMEOUT_MS = 2500;
+async function postJson(url, body, headers = {}) {
+    const ctrl = new AbortController();
+    const t = setTimeout(() => ctrl.abort(), TIMEOUT_MS);
+    try {
+        await fetch(url, {
+            method: "POST",
+            headers: { "content-type": "application/json", ...headers },
+            body: JSON.stringify(body),
+            signal: ctrl.signal,
+        });
+    }
+    catch {
+        /* best-effort */
+    }
+    finally {
+        clearTimeout(t);
+    }
+}
+function writeLocal(evt) {
+    try {
+        ensureGuardDir();
+        appendFileSync(eventsPath(), JSON.stringify(evt) + "\n");
+    }
+    catch {
+        /* best-effort */
+    }
+}
+function slackText(evt) {
+    const icon = evt.level === "block" ? "🛑" : "⚠️";
+    const verb = evt.level === "block" ? "BLOCKED a coding agent" : "warning on a coding agent";
+    return [
+        `${icon} *Kill Switch ${verb}*`,
+        `• Session: ${fmtUSD(evt.sessionUSD)}  |  Daily (24h): ${fmtUSD(evt.dailyUSD)}`,
+        `• Action: ${evt.action}`,
+        evt.cwd ? `• Project: \`${evt.cwd}\`` : "",
+        ...evt.reasons.map((r) => `• ${r}`),
+    ]
+        .filter(Boolean)
+        .join("\n");
+}
+/** Dispatch an alert across all configured channels. Resolves once all attempts settle. */
+export async function dispatchAlert(cfg, evt) {
+    writeLocal(evt);
+    const tasks = [];
+    if (cfg.slackWebhook) {
+        tasks.push(postJson(cfg.slackWebhook, { text: slackText(evt) }));
+    }
+    if (cfg.apiKey && cfg.apiUrl) {
+        tasks.push(postJson(`${cfg.apiUrl.replace(/\/$/, "")}/agent-guard/events`, evt, { authorization: `Bearer ${cfg.apiKey}` }));
+    }
+    await Promise.allSettled(tasks);
+}

package/dist/budget.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Budget evaluation — the decision core shared by hook and proxy.
+ *
+ * Two scopes, two thresholds each:
+ *   - session: catches a single runaway run (the $4,200-weekend scenario)
+ *   - daily rolling 24h: catches many small sessions adding up (the $87k-month)
+ *
+ * Verdict levels: ok → warn (soft cap crossed) → block (hard cap reached).
+ * The hard cap is a >= comparison so spend can never exceed it by design.
+ */
+export interface Budget {
+    sessionSoftUSD: number;
+    sessionHardUSD: number;
+    dailySoftUSD: number;
+    dailyHardUSD: number;
+}
+export type VerdictLevel = "ok" | "warn" | "block";
+export interface Verdict {
+    level: VerdictLevel;
+    /** Which scopes tripped, for dedup of warnings and for the alert payload. */
+    triggers: Array<{
+        scope: "session" | "daily";
+        level: "warn" | "block";
+        spentUSD: number;
+        limitUSD: number;
+        pct: number;
+    }>;
+    /** Human-readable summary lines. */
+    reasons: string[];
+}
+export interface Spend {
+    sessionUSD: number;
+    dailyUSD: number;
+}
+export declare function evaluate(spend: Spend, budget: Budget): Verdict;
+/** Stable key for deduping a warn-level trigger so we alert once per scope, not per tool call. */
+export declare function warnKey(scope: "session" | "daily"): string;

package/dist/budget.js

@@ -0,0 +1,42 @@
+/**
+ * Budget evaluation — the decision core shared by hook and proxy.
+ *
+ * Two scopes, two thresholds each:
+ *   - session: catches a single runaway run (the $4,200-weekend scenario)
+ *   - daily rolling 24h: catches many small sessions adding up (the $87k-month)
+ *
+ * Verdict levels: ok → warn (soft cap crossed) → block (hard cap reached).
+ * The hard cap is a >= comparison so spend can never exceed it by design.
+ */
+import { fmtUSD } from "./cost.js";
+function pct(spent, limit) {
+    return limit > 0 ? Math.round((spent / limit) * 100) : 0;
+}
+export function evaluate(spend, budget) {
+    const triggers = [];
+    const reasons = [];
+    const checks = [
+        { scope: "session", spent: spend.sessionUSD, soft: budget.sessionSoftUSD, hard: budget.sessionHardUSD },
+        { scope: "daily", spent: spend.dailyUSD, soft: budget.dailySoftUSD, hard: budget.dailyHardUSD },
+    ];
+    for (const c of checks) {
+        if (c.hard > 0 && c.spent >= c.hard) {
+            triggers.push({ scope: c.scope, level: "block", spentUSD: c.spent, limitUSD: c.hard, pct: pct(c.spent, c.hard) });
+            reasons.push(`${c.scope} spend ${fmtUSD(c.spent)} reached the hard cap of ${fmtUSD(c.hard)}`);
+        }
+        else if (c.soft > 0 && c.spent >= c.soft) {
+            triggers.push({ scope: c.scope, level: "warn", spentUSD: c.spent, limitUSD: c.soft, pct: pct(c.spent, c.soft) });
+            reasons.push(`${c.scope} spend ${fmtUSD(c.spent)} crossed the soft cap of ${fmtUSD(c.soft)} (${pct(c.spent, c.hard > 0 ? c.hard : c.soft)}% of hard cap)`);
+        }
+    }
+    const level = triggers.some((t) => t.level === "block")
+        ? "block"
+        : triggers.some((t) => t.level === "warn")
+            ? "warn"
+            : "ok";
+    return { level, triggers, reasons };
+}
+/** Stable key for deduping a warn-level trigger so we alert once per scope, not per tool call. */
+export function warnKey(scope) {
+    return `warn:${scope}`;
+}

package/dist/cli.d.ts

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+/**
+ * agent-guard CLI — Kill Switch for coding agents.
+ *
+ *   agent-guard install            # wire the Claude Code hook into .claude/settings.json
+ *   agent-guard proxy              # start the token-metering proxy (hard 402 wall)
+ *   agent-guard status             # show current session + daily spend vs budget
+ *   agent-guard config --session-hard 30
+ *   agent-guard reset --today      # clear the ledger
+ *   agent-guard hook               # (internal) invoked by Claude Code on each event
+ */
+export {};

package/dist/cli.js

@@ -0,0 +1,192 @@
+#!/usr/bin/env node
+/**
+ * agent-guard CLI — Kill Switch for coding agents.
+ *
+ *   agent-guard install            # wire the Claude Code hook into .claude/settings.json
+ *   agent-guard proxy              # start the token-metering proxy (hard 402 wall)
+ *   agent-guard status             # show current session + daily spend vs budget
+ *   agent-guard config --session-hard 30
+ *   agent-guard reset --today      # clear the ledger
+ *   agent-guard hook               # (internal) invoked by Claude Code on each event
+ */
+import { Command } from "commander";
+import { fileURLToPath } from "node:url";
+import { runHook } from "./hook.js";
+import { startProxy, resolveUpstream } from "./proxy.js";
+import { loadConfig, configPath, isPaused, pauseExpiry, writePause, clearPause, pausePath, } from "./config.js";
+import { loadLedger, rollingDailyCost } from "./ledger.js";
+import { evaluate } from "./budget.js";
+import { fmtUSD } from "./cost.js";
+import { installHook, setBudget, resetLedger } from "./ops.js";
+const program = new Command();
+program
+    .name("agent-guard")
+    .description("Kill Switch for coding agents — stop runaway Claude Code / Cursor / Aider sessions before they rack up a bill")
+    .version("0.1.0");
+// ── hook (internal) ────────────────────────────────────────────────────────
+program
+    .command("hook")
+    .description("Claude Code hook entrypoint (reads hook JSON from stdin)")
+    .action(async () => {
+    await runHook();
+});
+// ── install ────────────────────────────────────────────────────────────────
+program
+    .command("install")
+    .description("Wire the kill-switch hook into Claude Code settings")
+    .option("--global", "Install into ~/.claude/settings.json (default: project ./.claude/settings.json)")
+    .option("--command <cmd>", "Override the hook command (default: absolute path to this binary)")
+    .action((opts) => {
+    const cliPath = fileURLToPath(import.meta.url);
+    const { settingsPath, command, added } = installHook(cliPath, process.execPath, {
+        global: opts.global,
+        command: opts.command,
+    });
+    const cfg = loadConfig();
+    console.log(`✅ Hook installed → ${settingsPath}`);
+    console.log(`   Events: ${added.length ? added.join(", ") : "(already present — no change)"}`);
+    console.log(`   Command: ${command}`);
+    console.log("");
+    console.log(`   Caps: session soft ${fmtUSD(cfg.budget.sessionSoftUSD)} / hard ${fmtUSD(cfg.budget.sessionHardUSD)}, ` +
+        `daily soft ${fmtUSD(cfg.budget.dailySoftUSD)} / hard ${fmtUSD(cfg.budget.dailyHardUSD)}`);
+    console.log(`   Change them: agent-guard config --session-hard 30 --daily-hard 150`);
+    console.log("");
+    console.log(`   For non-Claude-Code agents (Cursor/Aider/scripts), use the hard proxy instead:`);
+    console.log(`     agent-guard proxy   →   ANTHROPIC_BASE_URL=http://localhost:8787 <your-agent>`);
+    console.log(`   ⚠ Don't run Claude Code through BOTH the hook and the proxy (double counting).`);
+});
+// ── status ───────────────────────────────────────────────────────────────────
+program
+    .command("status")
+    .description("Show current session + daily spend against the budget")
+    .option("--json", "Output as JSON")
+    .action((opts) => {
+    const cfg = loadConfig();
+    const ledger = loadLedger();
+    const now = Date.now();
+    const dailyUSD = rollingDailyCost(ledger, now);
+    const sessions = Object.entries(ledger.sessions)
+        .filter(([, s]) => now - s.lastAt < 24 * 60 * 60 * 1000)
+        .sort((a, b) => b[1].lastAt - a[1].lastAt);
+    const topSession = sessions[0]?.[1].costUSD ?? 0;
+    const verdict = evaluate({ sessionUSD: topSession, dailyUSD }, cfg.budget);
+    if (opts.json) {
+        console.log(JSON.stringify({
+            budget: cfg.budget,
+            dailyUSD,
+            verdict: verdict.level,
+            reasons: verdict.reasons,
+            sessions: sessions.map(([id, s]) => ({ id, ...s })),
+        }, null, 2));
+        return;
+    }
+    const bar = (spent, hard) => {
+        const pct = hard > 0 ? Math.min(100, Math.round((spent / hard) * 100)) : 0;
+        const filled = Math.round(pct / 5);
+        return `[${"█".repeat(filled)}${"░".repeat(20 - filled)}] ${pct}%`;
+    };
+    const paused = isPaused(now);
+    const icon = paused ? "⏸ " : verdict.level === "block" ? "🛑" : verdict.level === "warn" ? "⚠️ " : "✅";
+    console.log(`${icon} agent-guard — ${paused ? "PAUSED (enforcement off)" : verdict.level.toUpperCase()}`);
+    if (paused) {
+        const until = pauseExpiry();
+        console.log(until ? `   resumes ${new Date(until).toLocaleString()}` : "   paused indefinitely — `agent-guard resume` to re-arm");
+    }
+    console.log("");
+    console.log(`Daily (rolling 24h): ${fmtUSD(dailyUSD)} / ${fmtUSD(cfg.budget.dailyHardUSD)}  ${bar(dailyUSD, cfg.budget.dailyHardUSD)}`);
+    console.log("");
+    if (sessions.length === 0) {
+        console.log("No active sessions in the last 24h.");
+    }
+    else {
+        console.log("Active sessions (24h):");
+        for (const [id, s] of sessions.slice(0, 8)) {
+            console.log(`  ${fmtUSD(s.costUSD).padStart(9)} / ${fmtUSD(cfg.budget.sessionHardUSD)}  ${bar(s.costUSD, cfg.budget.sessionHardUSD)}  ${id}`);
+        }
+    }
+    if (verdict.reasons.length) {
+        console.log("");
+        for (const r of verdict.reasons)
+            console.log(`  • ${r}`);
+    }
+});
+// ── pause / resume (escape hatch) ────────────────────────────────────────────
+program
+    .command("pause")
+    .description("Temporarily disable enforcement (escape hatch — hook & proxy fail open)")
+    .option("--minutes <n>", "Auto-resume after N minutes (default: indefinite)")
+    .action((opts) => {
+    const mins = opts.minutes !== undefined ? Number(opts.minutes) : NaN;
+    if (opts.minutes !== undefined && Number.isFinite(mins)) {
+        const until = Date.now() + mins * 60_000;
+        writePause(until);
+        console.log(`⏸  Enforcement paused until ${new Date(until).toLocaleString()} (${mins} min).`);
+    }
+    else {
+        writePause();
+        console.log("⏸  Enforcement paused indefinitely. Re-arm with `agent-guard resume`.");
+    }
+    console.log(`   Sentinel: ${pausePath()}`);
+});
+program
+    .command("resume")
+    .description("Re-arm enforcement after a pause")
+    .action(() => {
+    clearPause();
+    console.log("✅ Enforcement re-armed.");
+});
+// ── proxy ────────────────────────────────────────────────────────────────────
+program
+    .command("proxy")
+    .description("Start the token-metering proxy (returns HTTP 402 at the hard cap)")
+    .option("--port <n>", "Port to listen on", "8787")
+    .option("--flavor <name>", "API flavor for usage parsing: anthropic | openai", "anthropic")
+    .option("--upstream <url>", "Upstream origin (default: api.anthropic.com / api.openai.com)")
+    .action((opts) => {
+    const flavor = opts.flavor === "openai" ? "openai" : "anthropic";
+    startProxy({
+        port: parseInt(opts.port, 10) || 8787,
+        flavor,
+        upstream: resolveUpstream(flavor, opts.upstream),
+    });
+});
+// ── config ───────────────────────────────────────────────────────────────────
+program
+    .command("config")
+    .description("View or set budget caps (written to ~/.kill-switch/agent-guard/config.json)")
+    .option("--session-soft <usd>", "Per-session soft cap (warn)")
+    .option("--session-hard <usd>", "Per-session hard cap (block)")
+    .option("--daily-soft <usd>", "Daily rolling soft cap (warn)")
+    .option("--daily-hard <usd>", "Daily rolling hard cap (block)")
+    .option("--slack-webhook <url>", "Slack incoming-webhook for breach alerts")
+    .action((opts) => {
+    const anySet = ["sessionSoft", "sessionHard", "dailySoft", "dailyHard", "slackWebhook"]
+        .some((k) => opts[k] !== undefined);
+    if (!anySet) {
+        const cfg = loadConfig();
+        console.log(JSON.stringify({ budget: cfg.budget, slackWebhook: cfg.slackWebhook ? "(set)" : undefined }, null, 2));
+        console.log(`\nConfig file: ${configPath()}`);
+        return;
+    }
+    const num = (v) => (v !== undefined ? Number(v) : undefined);
+    const budget = setBudget({
+        sessionSoftUSD: num(opts.sessionSoft),
+        sessionHardUSD: num(opts.sessionHard),
+        dailySoftUSD: num(opts.dailySoft),
+        dailyHardUSD: num(opts.dailyHard),
+        slackWebhook: opts.slackWebhook,
+    });
+    console.log(`✅ Saved → ${configPath()}`);
+    console.log(JSON.stringify(budget, null, 2));
+});
+// ── reset ────────────────────────────────────────────────────────────────────
+program
+    .command("reset")
+    .description("Clear the spend ledger")
+    .option("--all", "Wipe all sessions")
+    .option("--session <id>", "Clear a single session")
+    .option("--today", "Clear sessions active today")
+    .action((opts) => {
+    console.log(`✅ ${resetLedger({ all: opts.all, session: opts.session, today: opts.today })}`);
+});
+program.parseAsync();

package/dist/config.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Configuration & paths for agent-guard.
+ *
+ * Resolution order (later wins): built-in defaults → config file
+ * (~/.kill-switch/agent-guard/config.json) → environment variables.
+ * Env override lets you set a tighter budget for a single risky run without
+ * editing files, e.g. `AGENT_GUARD_SESSION_HARD=10 claude`.
+ */
+import type { Budget } from "./budget.js";
+import type { ModelPricing } from "./pricing.js";
+export interface GuardConfig {
+    budget: Budget;
+    /** Optional pricing overrides merged onto the built-in table. */
+    pricingOverrides?: Record<string, ModelPricing>;
+    /** Kill Switch API key (ks_live_…) for reporting kill events to Guardian. */
+    apiKey?: string;
+    /** Guardian API base URL. */
+    apiUrl?: string;
+    /** Slack incoming-webhook URL for breach alerts. */
+    slackWebhook?: string;
+}
+export declare const DEFAULT_BUDGET: Budget;
+/** ~/.kill-switch/agent-guard — created on demand. */
+export declare function guardDir(): string;
+export declare function ensureGuardDir(): string;
+export declare const ledgerPath: () => string;
+export declare const configPath: () => string;
+export declare const pricingPath: () => string;
+export declare const eventsPath: () => string;
+/**
+ * Escape hatch. The hook/proxy fail OPEN while this sentinel exists, so a human
+ * can always disable enforcement from outside the agent loop — even with zero
+ * tooling: `touch ~/.kill-switch/agent-guard/PAUSED`.
+ *
+ * An empty file pauses indefinitely; a file containing an epoch-ms number pauses
+ * until that time, then enforcement resumes on its own.
+ */
+export declare const pausePath: () => string;
+/** True if enforcement is currently paused (sentinel present and not expired). */
+export declare function isPaused(now: number): boolean;
+/** Read the pause expiry (epoch ms), or null if indefinite/not paused. */
+export declare function pauseExpiry(): number | null;
+export declare function writePause(untilMs?: number): void;
+export declare function clearPause(): void;
+export declare function loadConfig(): GuardConfig;
+/** Merge built-in pricing with any overrides from config. */
+export declare function mergedPricing(cfg: GuardConfig, base: Record<string, ModelPricing>): Record<string, ModelPricing>;