Skip to content

feat(cli): add burn guardrails#237

Open
ozymandiashh wants to merge 1 commit into
getagentseal:mainfrom
ozymandiashh:feat/burn-guard
Open

feat(cli): add burn guardrails#237
ozymandiashh wants to merge 1 commit into
getagentseal:mainfrom
ozymandiashh:feat/burn-guard

Conversation

@ozymandiashh
Copy link
Copy Markdown
Contributor

@ozymandiashh ozymandiashh commented May 5, 2026

Summary

CodeBurn already gives strong post-hoc cost visibility, but there was no small command for catching runaway spend while it is happening. This adds codeburn guard, a one-shot local guardrail check that flags sessions or local-hour windows once they reach configurable USD thresholds.

What changed

  • add codeburn guard with default thresholds of $3 per session and $10 per local hour
  • support existing report-style filters: --period, --from, --to, --provider, --project, and --exclude
  • add --json for scripts and --fail-on-alert for cron/CI workflows
  • aggregate hourly spend from parsed assistant calls using local timezone bucketing
  • sort alerts by threshold severity so the most urgent guardrail breach appears first
  • document the command and add an Unreleased changelog entry

Why one-shot first

A daemon/watch mode could come later, but a one-shot command keeps this first version small and composable. Users can run it manually, from cron, or inside shell scripts without introducing background process state or notification preferences in this PR.

Example

codeburn guard
codeburn guard -p week --max-session-usd 5 --max-hourly-usd 20
codeburn guard --json --fail-on-alert

Validation

  • npx vitest run tests/guard.test.ts
  • npx vitest run
  • npm run build
  • node dist/cli.js guard --help
  • node dist/cli.js guard --from 2999-01-01 --to 2999-01-02 --json

Note: full npx tsc --noEmit is currently blocked on origin/main by existing src/providers/copilot.ts type errors; this branch does not touch that provider.

@ozymandiashh ozymandiashh marked this pull request as ready for review May 5, 2026 22:18
@AgentSeal AgentSeal added needs-testing needs-validation PR requires validation against real-world usage before review and removed needs-testing labels May 12, 2026
@ozymandiashh
Copy link
Copy Markdown
Contributor Author

ozymandiashh commented May 17, 2026
edited
Loading

Validation run on macOS arm64 with private details omitted. This is behavior proof, not just build proof.

What was checked:

  • guard was run with deliberately low thresholds so real local usage produced alert output.
  • The JSON alert list contained both session and hour alert types, proving both guardrail paths can fire.
  • A future empty date range (2999-01-01 to 2999-01-02) returned zero projects/sessions/calls and an empty alerts array, proving the no-data path does not fabricate alerts.

Commands:

  • npx vitest run tests/guard.test.ts - 7/7 tests passed.
  • npx tsx src/cli.ts guard -p today --provider claude --max-session-usd 1 --max-hourly-usd 1 --json - JSON parsed and contained both alert classes.
  • npx tsx src/cli.ts guard --from 2999-01-01 --to 2999-01-02 --json - JSON parsed with empty totals/alerts.

No project names, prompts, paths, session IDs, raw costs, usage totals, or private product details are included here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

needs-validation PR requires validation against real-world usage before review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ozymandiashh @AgentSeal