Agentic Guardrails
Guardrails are deterministic checks your agent cannot bypass. They are not prompts. They are not guidelines the AI interprets. They are simple, hard comparisons -- is this trade larger than 5 SOL? Is the price impact above 3%? Has the daily volume cap been reached? -- that run outside the agent's environment before any transaction is signed.
Your agent never touches these checks. When it wants to trade, it sends a request. A separate system loads your guardrail settings, runs every check, and either signs the transaction or rejects it. The agent gets back a yes or a no. There is no negotiation, no "just this once," no way for the AI to talk its way past a limit.
This guide gives you copy-paste configurations for common trading styles, shows you how to simulate trades before going live, and explains how guardrails interact with standing instructions.
How guardrails work
When your agent attempts a trade, three rounds of checks run before anything reaches the chain:
- Market checks -- is the price impact too high? Is the slippage above your tolerance?
- Chain-specific checks -- is the trade size within your limit? Is the program or contract allowed?
- Execution checks -- has the daily volume cap been reached? Is the market liquid enough? Is the token old enough?
Each check is a straightforward comparison: a number against a limit you set. Every check must pass. One failure blocks the trade.
These checks run in a completely separate environment from the agent. The agent cannot see them, modify them, or skip them. Even if the AI model were compromised -- hallucinating, jailbroken, adversarial -- the guardrails hold because the agent's only path to execution goes through these checks.
Recipes
Each recipe below includes a control profile, guardrail settings, and standing instructions you can copy directly into your agent configuration. Adjust the numbers to match your risk tolerance, but use these as starting points.
Research-only
For when you want analysis without any execution risk.
Control profile: Suggest Only
Standing instructions:
I use Cabal primarily for research. Don't suggest trades unless I specifically ask.
Guardrails: Leave at defaults. Since nothing executes in Suggest Only mode, guardrails will not fire. They are still evaluated against proposals -- you will see guardrail badges on any proposal that would have been blocked -- but no capital is at risk.
When to use this recipe:
- Learning what Cabal can do before committing capital
- Evaluating signal sources to see what your agent surfaces
- Getting market analysis and portfolio reviews without execution risk
- Onboarding a new agent and watching how it reasons
Conservative Solana trader
Small, careful positions on Solana with tight risk limits.
Control profile: Autonomous Guardrailed
Guardrail settings:
| Setting | Value | Why |
|---|---|---|
maxTradeSizeSol | 2 | Caps any single trade at 2 SOL. Prevents the agent from placing an outsized bet on a single token. |
maxPriceImpactPct | 3 | Blocks trades that would move the market more than 3%. Keeps you out of thin pools where entry and exit costs eat your edge. |
rollingDailyVolumeCapUsd | 1000 | Limits total trading to $1,000 in any rolling 24-hour window. Even if every individual trade is small, this prevents runaway volume from a hyperactive agent. |
minMarketLiquidityUsd | 10000 | Requires at least $10K in pool liquidity before the agent can trade a token. Filters out micro-cap tokens where slippage is unpredictable. |
minMarketAgeSeconds | 600 | Requires the market to have existed for at least 10 minutes. Avoids brand-new token launches where rug pull risk is highest. |
Standing instructions:
Max 2% of portfolio per trade. Focus on established DeFi tokens. Take profit at 30%, stop loss at 15%.
What each setting prevents:
- maxTradeSizeSol: 2 -- Your agent finds a promising token and wants to go big. Without this limit, a single trade could deploy a large chunk of your portfolio. At 2 SOL, the worst case on any single trade is bounded.
- maxPriceImpactPct: 3 -- The agent wants to swap into a token with thin liquidity. The quoted price impact is 7%. The guardrail blocks the trade because your entry price would be too far from the market price.
- rollingDailyVolumeCapUsd: 1000 -- The agent has been actively trading all day -- ten trades, each under 2 SOL. Even though each trade individually passed, the daily cap blocks trade number eleven because cumulative volume has hit $1,000.
- minMarketLiquidityUsd: 10000 -- A signal comes in for a new token with only $3,000 in its liquidity pool. The guardrail blocks the trade. If you entered, your position would be a significant portion of the pool, making exit difficult.
- minMarketAgeSeconds: 600 -- A token just launched 2 minutes ago. The agent sees early momentum and wants in. The guardrail blocks it because the market has not existed long enough to establish any track record.
Signal follower
Built for signal-driven trading from tracked wallets. The agent acts on wallet activity, but only when the signal meets quality thresholds.
Control profile: Autonomous Guardrailed
Guardrail settings:
| Setting | Value | Why |
|---|---|---|
minSignalValueUsd | 50 | Ignores dust-level signals. The source wallet needs to move at least $50 for your agent to consider acting. |
maxSignalsPerSourcePerHour | 5 | Rate-limits how often a single source can trigger trades. Prevents one noisy wallet from dominating your agent's activity. |
rollingDailyVolumeCapUsd | 2000 | Caps total daily volume at $2,000. Signal-driven trading can generate high volume if multiple sources fire. This is your backstop. |
minMarketLiquidityUsd | 5000 | Requires $5K minimum liquidity. Even if the signal is strong, your agent will not trade tokens that are too thin to exit. |
Standing instructions:
Follow tracked wallet signals. Only act on buys above $50K notional from the source. Always research the token before executing.
Notice the two layers working together: the guardrail (minSignalValueUsd: 50) sets the hard floor on what your agent even looks at, while the standing instruction ("only act on buys above $50K notional from the source") guides the agent to focus on large, high-conviction moves from tracked wallets. The guardrail catches everything the agent might miss; the instruction shapes the agent's judgment.
This recipe pairs with the guide, which covers how to select source wallets, configure signal routing, and tune delivery timing.
Hyperliquid perps
Leveraged perpetual trading on Hyperliquid with strict position and leverage controls.
Control profile: Autonomous Guardrailed
Guardrail settings:
| Setting | Value | Why |
|---|---|---|
maxPositionSizeUsd | 10000 | Caps any single position at $10K notional. Prevents concentration risk on a single trade. |
maxLeverage | 3 | Limits leverage to 3x. The agent cannot open positions with higher leverage even if it believes the setup justifies it. |
allowedCoins | ["BTC", "ETH", "SOL"] | Restricts trading to three liquid perpetual markets. The agent cannot trade alt-perps with thinner order books. |
maxOpenOrders | 10 | Limits resting orders to 10 at any time. Prevents the agent from spreading too thin across entries, exits, and scale-in levels. |
Standing instructions:
Trade BTC, ETH, and SOL perps only. Max 3x leverage. Scale into positions, don't enter all at once.
The standing instruction reinforces the guardrails while adding nuance the guardrails cannot express. "Scale into positions" is a strategy preference -- the agent should build positions gradually rather than entering in a single order. The guardrails enforce the hard limits (leverage, position size, allowed coins), and the standing instructions shape how the agent operates within them.
Multi-chain
Trading across Solana, Base, and Hyperliquid simultaneously. The key to multi-chain configuration is understanding which limits are chain-specific and which are global.
Chain-specific limits:
| Chain | Setting | Value |
|---|---|---|
| Solana | maxTradeSizeSol | 5 |
| Base | maxTradeSizeEth | 0.5 |
| Hyperliquid | maxPositionSizeUsd | 5000 |
| Hyperliquid | maxLeverage | 3 |
Global limits (apply across ALL chains):
| Setting | Value | Note |
|---|---|---|
maxPriceImpactPct | 3 | Same threshold whether trading on Solana, Base, or Hyperliquid |
maxSlippagePct | 1.5 | Tighter slippage for multi-chain where you are managing more surface area |
rollingDailyVolumeCapUsd | 5000 | This is the total across all chains. A $5K cap means $5K combined -- not $5K on Solana plus $5K on Base plus $5K on Hyperliquid. |
minMarketLiquidityUsd | 5000 | Applied to every market regardless of chain |
The most important thing to understand about multi-chain guardrails: rollingDailyVolumeCapUsd is a single pool shared across all chains. If your agent trades $3,000 on Solana and $1,500 on Base, it has $500 of daily volume remaining -- across everything, including Hyperliquid. Plan your daily cap with your total activity in mind, not per-chain activity.
Standing instructions:
Trade across Solana, Base, and Hyperliquid. Prioritize Solana for spot DeFi, Base for established ERC-20 tokens, and Hyperliquid for directional perp trades. Keep total daily volume under $4K to leave buffer against the $5K cap.
Note the standing instruction asks the agent to target $4K, leaving a $1K buffer against the hard $5K cap. The agent will try to stay within $4K. If it drifts past that, the guardrail catches it at $5K. Defense in depth.
Simulate before you trust
Before switching from Suggest Only to Autonomous Guardrailed, test your configuration with trade simulation. Ask your agent:
Simulate buying 3 SOL of JUP.
The simulation runs every check against your current configuration without executing anything. You see exactly what would pass and what would block:
A passing simulation:
Simulation: Buy 3 SOL of JUP
Common checks
maxPriceImpactPct (limit: 3%) .... PASS (estimated: 0.8%)
maxSlippagePct (limit: 2%) ....... PASS (estimated: 0.3%)
Solana checks
maxTradeSizeSol (limit: 5) ....... PASS (requested: 3)
Execution checks
rollingDailyVolumeCapUsd ($5,000) PASS (current 24h: $1,200)
minMarketLiquidityUsd ($5,000) ... PASS (JUP liquidity: $2.1M)
minMarketAgeSeconds (600) ........ PASS (market age: 14 months)
nativeReserveFloor (0.05 SOL) .... PASS (post-trade balance: 8.2 SOL)
Result: ALL CHECKS PASSED
A blocked simulation:
Simulation: Buy 8 SOL of NEWTOKEN
Common checks
maxPriceImpactPct (limit: 3%) .... FAIL (estimated: 12.4%)
maxSlippagePct (limit: 2%) ....... PASS (estimated: 1.1%)
Solana checks
maxTradeSizeSol (limit: 5) ....... FAIL (requested: 8)
Execution checks
rollingDailyVolumeCapUsd ($5,000) PASS (current 24h: $800)
minMarketLiquidityUsd ($5,000) ... FAIL (NEWTOKEN liquidity: $2,300)
minMarketAgeSeconds (600) ........ FAIL (market age: 45 seconds)
nativeReserveFloor (0.05 SOL) .... PASS (post-trade balance: 3.1 SOL)
Result: BLOCKED (4 checks failed)
- Price impact 12.4% exceeds 3% limit
- Trade size 8 SOL exceeds 5 SOL limit
- Market liquidity $2,300 below $5,000 minimum
- Market age 45s below 600s minimum
The blocked simulation shows exactly which checks failed, what the actual values were, and what your limits are. This is how you validate your configuration. Run simulations against realistic trades -- the ones your agent would actually attempt -- and verify that your guardrails are tight enough to block what you want blocked and loose enough to allow what you want to allow.
Do this before enabling autonomous mode. It takes five minutes and saves you from discovering a misconfigured guardrail with real capital.
Guardrails vs. standing instructions
Guardrails and standing instructions serve different purposes. Using the wrong one for the job either leaves you exposed or over-constrains your agent.
| What you want | Use | Example |
|---|---|---|
| A preference the agent should follow | Standing instructions | "Prefer small positions" |
| A hard limit the agent cannot exceed | Guardrail | maxTradeSizeSol: 5 |
| A critical risk limit you cannot afford to have violated | Both | Standing instruction: "Keep positions under 5 SOL." Guardrail: maxTradeSizeSol: 5 |
Standing instructions are guidance. The agent reads them, reasons about them, and follows them most of the time. But they are probabilistic -- the AI interprets them, and interpretation can drift.
Guardrails are deterministic. A number is compared against a limit. The agent's reasoning is irrelevant -- if the trade exceeds the limit, it is blocked. No interpretation, no judgment call, no vote.
For critical risk limits, use both. The standing instruction makes the agent prefer staying within the limit, so it rarely bumps up against the guardrail. The guardrail makes it impossible to exceed the limit, so the few times the agent's judgment drifts, the check catches it. The instruction handles the 95% case; the guardrail handles the 5%.
Concrete examples:
- "Prefer established tokens over new launches" -- standing instruction. This is a preference that requires judgment. The agent might reasonably trade a newer token if the setup is strong.
- "Cannot trade tokens less than 10 minutes old" -- guardrail (
minMarketAgeSeconds: 600). This is a hard rule. No exceptions, no judgment call. - "Keep daily trading under $2,000" -- use both. Standing instruction: "Target under $2,000 in daily volume." Guardrail:
rollingDailyVolumeCapUsd: 2000. The agent plans its activity around the $2K target. If it miscalculates, the guardrail stops it.
Tuning over time
Your agent tells you when a guardrail blocks a trade -- you will see the rejection in chat with the specific check that failed, the value it attempted, and the limit it hit. You can also ask:
Have any of my guardrails been blocking trades?
If the same check keeps firing, either the limit is too tight for your strategy or your standing instructions need to guide the agent toward smaller sizes. If a guardrail never fires, it might mean the agent is well-calibrated -- or that the limit is so loose it is not protecting you. Tighten it closer to your agent's actual trading range so it acts as a real safety net.
See also
- -- full technical reference for every guardrail setting, its valid range, and its default value
- -- shaping agent reasoning alongside guardrails
- -- getting started with automation