Commerce orchestration for teams that need control.
When your AI agents handle real money, you need policies, mandates, audit trails, and compliance. CodeSpar Enterprise gives you the governance layer.
Capabilities
Seven layers of control.
Policy Engine
Per-agent budgets, deny-lists, time windows. Define what each agent can spend, where, and when.
HMAC Mandates
Signed authorization tokens, revocable at any time. Cryptographic proof that every transaction was approved.
Payment Router
6 rails, 12 currencies, cost-optimized. Route payments through the cheapest available path automatically.
Escrow
Milestone-based releases with built-in dispute resolution. Funds move only when conditions are met.
Audit Trail
Immutable hash chain of every agent action. Export-ready for compliance and internal review.
Complete Loop
6 APIs orchestrated, zero human intervention. From quote to payment to fulfillment, fully automated.
Programmable Wallets
Per-agent fund pools with mandate-gated debits. Multi-rail funding — instant transfer, card, wire, stablecoin — on the same ledger. Reconciliation is automatic.
Five guardrails. One command.
Every payment runs through the same pipeline. Your agent thinks. CodeSpar enforces. Nothing moves until every check passes, and every step is recorded forever.
Policies that prevent disaster.
Per-agent spend limits, time windows, allowed categories, geographic restrictions, deny-lists. Your CFO writes the rules. Your agent follows them.
- Daily, weekly, monthly budgets per agent
- Deny-lists for categories, countries, counterparties
- Instant alerts when an agent hits 80% of budget
```js
const policy = {
  agentId: "agent-checkout",
  limits: {
    daily: 10000,
    weekly: 50000,
    perTx: 5000,
  },
  denyList: ["RU", "IR", "gambling"],
  alerts: { at: 0.8 },
};
```
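One way an engine could evaluate the policy object above before a payment moves, written as an added example and not CodeSpar's own code. The field names are the page's; `evaluatePayment`, the `spent` and `tx` shapes, the reason strings and the integer-amount rule are assumptions.

```javascript
// Added example: hypothetical evaluator for the policy object shown above.
// Field names come from the page; everything else is an assumption.
const examplePolicy = {
  agentId: "agent-checkout",
  limits: { daily: 10000, weekly: 50000, perTx: 5000 },
  denyList: ["RU", "IR", "gambling"],
  alerts: { at: 0.8 },
};

// spent = { daily, weekly }: totals already committed in the current windows.
// tx = { agentId, amount, country, category } (constructed shape, integer amounts).
function evaluatePayment(policy, spent, tx) {
  const reasons = [];
  // Fail closed on malformed amounts: NaN, negatives and fractions never pass.
  if (!Number.isSafeInteger(tx.amount) || tx.amount <= 0) reasons.push("invalid_amount");
  if (tx.agentId !== policy.agentId) reasons.push("agent_mismatch");
  // Deny-list entries mix countries and categories, so check both attributes,
  // case-insensitively, and reject a transaction that omits either one.
  const denied = new Set(policy.denyList.map((s) => s.toLowerCase()));
  for (const attr of [tx.country, tx.category]) {
    if (typeof attr !== "string") reasons.push("missing_attribute");
    else if (denied.has(attr.toLowerCase())) reasons.push(`denied:${attr}`);
  }
  if (tx.amount > policy.limits.perTx) reasons.push("per_tx_limit");
  const alerts = [];
  for (const window of ["daily", "weekly"]) {
    const after = spent[window] + tx.amount;
    // Written as !(a <= b) so a missing or NaN total denies instead of passing.
    if (!(after <= policy.limits[window])) reasons.push(`${window}_limit`);
    else if (after >= policy.alerts.at * policy.limits[window]) alerts.push(window);
  }
  // Budget alerts are reported only for a payment that is actually allowed.
  const allow = reasons.length === 0;
  return { allow, reasons, alerts: allow ? alerts : [] };
}
```

The evaluator collects every failing rule instead of stopping at the first, so a denied payment carries its full list of reasons into the audit record.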
Programmable Wallets
Per-agent fund pools, mandate-gated debits.
The agent physically cannot spend beyond the wallet's available balance — regardless of what the mandate says. Database constraints refuse overdraw at the storage layer, even if app logic has a bug. Multi-rail funding lands on the same ledger; reconciliation against provider receipts runs automatically.
Four non-overridable invariants
Mandate-gated debits
Every wallet debit must reference a signed mandate with cap and expiry. Enforced at the database layer — not in app code. Bypassing it requires a coordinated bug across the verifier, the policy engine, and the storage layer.
Cross-tenant blocked
Wallets are project-scoped. Every read filters by (org_id, project_id) from the auth context; foreign keys cascade on org delete. A wallet from another tenant returns 404, not 403 — existence cannot be probed.
Negative balance impossible
wallet_balances has a CHECK (balance_minor >= 0 AND available_minor >= 0 AND available_minor <= balance_minor). An overdraw rolls the transaction back; the runtime returns a typed InsufficientFundsError. App-layer bugs cannot land a negative balance.
Reconciliation flags humans
Every debit pairs with a provider receipt. Mismatches past the grace window land in wallet_recon_anomalies. The operator triages — the engine never auto-resolves. Auditor-grade evidence by construction.
Funding rails
Provider-agnostic by design. Every webhook adapter normalizes payments to the same internal vocabulary; the funding bridge auto-credits the bound wallet. Adding a new provider is one adapter entry — wallet code untouched.
| Rail | Currency | Settlement |
|---|---|---|
| Pix | BRL | Instant (T+0) |
| Card | USD / BRL | Synchronous |
| TED · Wire transfer | BRL | T+0 to T+1 |
| USD wire | USD | T+1 to T+2 |
| Stablecoin onramp | USDC | On-chain confirm |
| Stablecoin onramp | BRLA | On-chain confirm |
Built for LATAM commerce
Multi-currency, no FX drag
Hold BRL natively, USD natively, and BR-pegged stablecoin natively — same ledger, no USD round-trip on every spend cycle.
LATAM rails first
Pix as a first-class funding source. The provider catalog is the wedge — not an afterthought wired through a US-centric stack.
DB-enforced segregation
The four non-overridable invariants live as database constraints — not policies in app code. Auditors read the schema, not the runtime.
See CodeSpar in action.
30 minutes. No commitment. Watch a live agent run the Complete Loop — Pix, NF-e, shipping, WhatsApp — on your use case.
Live demo
Watch the agent charge, invoice, ship, and reconcile — in real time with your scenario.
- A walkthrough of the orchestration layer for your use case
- A live agent executing the Complete Loop — Pix, NF-e, Melhor Envio, WhatsApp
- A tailored architecture sketch, sent within one business day
- Go-live in 5–7 business days after sign-off