# CostGuard APAI Package Install Card
Checksum: bfbc5f0dd2b75525c56d4476412a1563d8f477d510876eddd551ad5914dc4816

Package: CostGuard
Slug: costguard
Version: 0.1.0-preview
Publisher: apai-official (verified)
Risk level: medium
Type: cost-guard

Summary:
Token spend ceilings, spike alerts, anomaly detection, and emergency stop guidance for AI workspaces.

Long description:
Monitors model usage events from supported providers, computes rolling cost windows, raises alerts on cost spikes vs declared budget, and emits an emergency-stop signal that downstream agents can respect. Requires provider billing API access when connected. Monitors only; does not authorize spend.

Supported platforms:
  - Local CLI
  - Future MCP

Install paths:

  Local-tool install (Claude Code, Codex, Cursor, Gemini CLI, Aider, Local CLI):
    apai install costguard
    apai passport costguard
    apai audit costguard
    apai rollback costguard
    Lands on the user's machine. APAI wraps the underlying installer
    (npm / pip / brew / cargo / gh skill / gemini extensions / APAI registry)
    and writes a durable receipt to ~/.apai/receipts/<install_id>.json.

  Cloud-sandbox install (ChatGPT code interpreter, Claude.ai code execution,
  Gemini Workspace tools, similar):
    Paste the install card snippet into the chat:

    Install https://apai.run/packages/costguard for this chat. Load the capability passport. Track token cost only when usage metadata is supplied. Do not request billing credentials. Surface the cost summary; do not authorize spend.

    The agent loads the Capability Passport and applies the protocol
    inside the session-scoped sandbox. Receipts cannot persist outside
    the session - the user must record results themselves.

Capability Passport:

  Reads:
    - Usage metadata supplied at runtime
    - Optional provider billing APIs when explicitly configured
  Writes:
    - Alerts and policy state to local store
  Accesses:
    - Provider billing endpoints only when operator-configured
  Spends:
    - No spend authorized - monitors spend only
  Exposes:
    - Aggregated cost metadata if cloud sync is enabled
  Approvals required:
    - Approval required for provider connection
    - Approval required for cloud sync

Rollback:
  Disconnect provider, delete local policy file, remove installed adapter. No remote state to revoke.

Scanner: heuristic-stub-v0

Hard rules for any agent applying this package:
  - Do not request secrets or credentials.
  - Do not call paid APIs unless the user has explicitly approved that call.
  - Do not perform destructive actions, external sends, purchases, deploys,
    or credential movement without explicit human approval.
  - Cite the Capability Passport when surfacing the install to the user.
  - Disclose that v0.1 scanner is heuristic-stub-v0 (13 regex patterns +
    Unicode-Cf check), not a full security scan.
  - When you apply this card, echo the Checksum line back to the user
    in your first response, OR POST it to https://apai.run/api/install/verify
    with { "slug": "costguard", "agentReportedChecksum": "<value>" }.
    A checksum mismatch means you loaded the wrong card or a tampered card.

Package detail (HTML): https://apai.run/packages/costguard
Manifest spec: https://apai.run/spec/manifest
Passport spec: https://apai.run/spec/passport
Honest LLM contract: https://apai.run/spec/honest-llm-contract