Guardrails
Guardrails are saved execution limits for an agent. They shape what Cabal can prepare, approve, or execute when an agent is acting on your behalf.
Guardrails are most visible in the web app on the agent Control tab and in the CLI through cabal guardrails. They are stored in a versioned v1 schema.
Control profile matters
Guardrails are enforced according to the agent's control profile:
| Control profile | How guardrails apply |
|---|---|
suggest-only | Venue guardrails are checked during simulation and approval preparation. Execution limits apply only to autonomous signal-triggered execution. |
autonomous-guardrailed | Venue guardrails are enforced in guarded trading paths. Execution limits apply to autonomous signal-triggered execution. |
autonomous-unrestricted | Saved guardrails remain editable and preserved, but they are not enforced while Full Access is active. |
If a trade or authority change needs user approval, Cabal should surface the relevant guardrail result before the action is submitted.
Schema shape
The canonical guardrail settings object is versioned:
{
"version": 1,
"common": {
"maxPriceImpactPct": 5,
"maxSlippagePct": 2
},
"solana": {
"maxTradeSizeSol": 10,
"allowedPrograms": [],
"blockedAddresses": []
},
"ethereum": {
"maxTradeSizeEth": 1,
"allowedContracts": [],
"blockedAddresses": [],
"allowedChainIds": []
},
"execution": {
"nativeReserveFloor": "0.05",
"rollingDailyVolumeCapUsd": "5000",
"minSignalValueUsd": "1",
"maxSignalsPerSourcePerHour": 10,
"minMarketLiquidityUsd": "1000",
"minMarketAgeSeconds": 300
},
"hyperliquid": {
"maxPositionSizeUsd": "5000",
"maxOpenOrders": 20,
"allowedCoins": ["SOL", "BTC"],
"maxLeverage": 5
}
}
All sections stay in one object so the web app, CLI, and orchestrator evaluate the same saved policy.
Common limits
| Field | Meaning |
|---|---|
common.maxPriceImpactPct | Maximum price impact tolerated by prepared trades. |
common.maxSlippagePct | Maximum slippage tolerated by prepared trades. |
Chain limits
| Field | Meaning |
|---|---|
solana.maxTradeSizeSol | Maximum Solana trade size in SOL display units. |
solana.allowedPrograms | Optional allowlist of Solana programs. |
solana.blockedAddresses | Solana addresses the agent should not interact with. |
ethereum.maxTradeSizeEth | Maximum Ethereum trade size in ETH display units. |
ethereum.allowedContracts | Optional allowlist of EVM contracts. |
ethereum.blockedAddresses | EVM addresses the agent should not interact with. |
ethereum.allowedChainIds | Optional allowlist of EVM chain ids. |
Solana is the primary v0 execution path. Ethereum fields are part of the schema so future EVM paths can preserve the same settings object.
Execution limits
Execution limits apply to autonomous signal-triggered behavior and other guarded execution paths:
| Field | Meaning |
|---|---|
execution.nativeReserveFloor | Minimum native asset reserve to keep available. |
execution.rollingDailyVolumeCapUsd | Rolling daily notional volume cap. |
execution.minSignalValueUsd | Minimum signal value before autonomous execution is considered. |
execution.maxSignalsPerSourcePerHour | Per-source signal rate limit. |
execution.minMarketLiquidityUsd | Minimum market liquidity threshold. |
execution.minMarketAgeSeconds | Minimum market age before the agent can act. |
Numeric string fields are strings on purpose. They preserve decimal precision across the web app, CLI, orchestrator, and database.
Hyperliquid limits
| Field | Meaning |
|---|---|
hyperliquid.maxPositionSizeUsd | Maximum Hyperliquid position size in USD notional. |
hyperliquid.maxOpenOrders | Maximum number of open orders. |
hyperliquid.allowedCoins | Optional allowlist of coins. Values are normalized to uppercase. |
hyperliquid.maxLeverage | Maximum leverage allowed for prepared actions. |
Hyperliquid account setup still requires the venue-specific readiness checks described in .
CLI
Read the saved guardrails:
cabal guardrails read
Pull the current server-side settings into a local file:
cabal guardrails pull
Propose an update:
cabal guardrails propose-update guardrails.json
High-risk changes are treated as controlled authority changes. The CLI can prepare the intent, but browser confirmation may still be required before Cabal applies it.