Permission Guard — validates an agent's requested action against its defined scope before execution. Detects out-of-scope access, privilege escalation, and flags dangerous operations like delete, execute, admin, and deploy even when technically permitted. Stops agents from doing more than they're supposed to. $0.002/req via x402 on Base.
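A minimal local sketch of the check described above, as an added example that is not the service's code or API. The scope format, the role ranking, and the names `Scope`, `Request`, `check` and `SAMPLE` are assumptions; only the four dangerous verbs come from the description.

```python
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Verbs the description names as dangerous even when technically permitted.
DANGEROUS = {"delete", "execute", "admin", "deploy"}
# Hypothetical role ordering, used only to spot privilege escalation.
ROLE_RANK = {"reader": 0, "writer": 1, "admin": 2}

@dataclass(frozen=True)
class Scope:
    role: str      # role the agent was provisioned with
    grants: tuple  # (action, resource glob) pairs the agent may use

@dataclass(frozen=True)
class Request:
    action: str
    resource: str
    as_role: str = ""  # role claimed for this call; "" means the agent's own

def check(scope, req):
    """Return (verdict, reasons); verdict is 'deny', 'flag' or 'allow'."""
    action = req.action.strip().lower()
    # Collapse "../" segments first so a glob cannot be escaped by traversal.
    resource = posixpath.normpath(req.resource)
    claimed = req.as_role or scope.role
    reasons = []
    # Unknown roles rank above every known role, so they fail closed.
    if ROLE_RANK.get(claimed, len(ROLE_RANK)) > ROLE_RANK.get(scope.role, -1):
        reasons.append(f"privilege escalation: {scope.role} -> {claimed}")
    if not any(action == verb and fnmatchcase(resource, glob)
               for verb, glob in scope.grants):
        reasons.append(f"out of scope: {action} on {resource}")
    if reasons:
        return "deny", reasons
    if action in DANGEROUS:
        return "flag", [f"dangerous operation permitted by scope: {action}"]
    return "allow", []

# Constructed sample scope for a documentation-writing agent.
SAMPLE = Scope("writer", (("read", "repo/*"),
                          ("write", "repo/docs/*"),
                          ("delete", "repo/docs/tmp/*")))

if __name__ == "__main__":
    for r in (Request("read", "repo/src/main.py"),
              Request("write", "repo/docs/../src/main.py"),
              Request("delete", "repo/docs/tmp/draft.md"),
              Request("read", "repo/README.md", as_role="admin")):
        print(r, "->", check(SAMPLE, r))
```

A `flag` verdict is meant to be routed to a human or a stricter policy before execution rather than treated as an allow.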