Guard

Guard evaluates every tool call before it runs and returns one of four actions: allow, block, modify, or escalate.

import staso as st
from staso.integrations import patch_anthropic

st.init(agent_name="refunds-agent")
patch_anthropic()  # every tool_use is evaluated automatically

That's it for Anthropic. For OpenAI, swap in patch_openai(). For Claude Code and Codex, Guard runs on PreToolUse automatically; use --no-guard to disable it.

Why Guard

One wrong tool call from an LLM is enough to refund the wrong customer, drop a production table, or email a million users. Prompt-level safety doesn't catch this — the damage happens at the tool boundary. Guard sits there.

What it returns

  • allow — proceed.
  • block — integrations raise staso.GuardBlocked. Catch and recover.
  • modify — Guard rewrote the input. Use result.modified_input (or, in patched integrations, the rewrite is applied transparently).
  • escalate — a human must approve. Fire-and-forget or wait synchronously.

Every decision lands on the active trace as a guard:* child span.

What ships in the box

  • Static rules — proprietary deterministic checks (dangerous shell, destructive SQL, PII patterns, protected paths). Sub-millisecond, no LLM calls.
  • LLM-judge rules — model-based checks for intent drift, prompt injection, jailbreaks, hallucinated facts.
  • Custom rules — your own, defined in the dashboard.
  • Policies — bundle rules and attach them to agents or environments.
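
The four actions and the deterministic static-rule style described above, shown as a stand-alone sketch added here. It is not Staso's code and does not use its API: evaluate, guarded_call, Decision, NeedsApproval, the local GuardBlocked class, the tool names, and the three rules are all hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Illustrative stand-ins, NOT the staso API: every name below is hypothetical.
class GuardBlocked(Exception):
    """Local stand-in for the exception raised when a call is blocked."""

class NeedsApproval(Exception):
    """Raised when a call is held for a human decision (escalate)."""

@dataclass
class Decision:
    action: str                          # "allow" | "block" | "modify" | "escalate"
    rule: str = ""
    modified_input: Optional[dict] = None

# Constructed sample rules: deterministic, no model call involved.
DESTRUCTIVE_SQL = re.compile(r"\b(drop\s+table|truncate\s+table)\b", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
REFUND_LIMIT = 500  # constructed threshold for this example

def evaluate(tool: str, args: dict) -> Decision:
    """Run the checks before the tool executes; the first matching rule wins."""
    if tool == "run_sql" and DESTRUCTIVE_SQL.search(args.get("query", "")):
        return Decision("block", "destructive-sql")
    if tool == "issue_refund" and args.get("amount", 0) > REFUND_LIMIT:
        return Decision("escalate", "large-refund")
    if tool == "log_note" and EMAIL.search(args.get("text", "")):
        redacted = dict(args, text=EMAIL.sub("[redacted-email]", args["text"]))
        return Decision("modify", "pii-email", redacted)
    return Decision("allow")

def guarded_call(tool: str, args: dict, impl: Callable[[dict], object]):
    """Enforce the decision at the tool boundary; impl runs only if permitted."""
    d = evaluate(tool, args)
    if d.action == "block":
        raise GuardBlocked(d.rule)
    if d.action == "escalate":
        raise NeedsApproval(d.rule)      # caller queues the call for a human
    # On modify, the tool sees only the rewritten input, never the original.
    return impl(d.modified_input if d.action == "modify" else args)
```

The property to check in any such wrapper is that the tool implementation is never reached on block or escalate, and that on modify it receives only the rewritten input.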

Disable per process

export STASO_GUARD_ENABLED=false
