guardedSubmit makes denials visible: it dry-runs the transaction first, and on a policy abort it records the denial and returns without submitting — no gas burned. An allowed transaction submits for real and the chain event indexes it.
| Arg | Type | Notes |
|---|---|---|
client | SuiJsonRpcClient | Used for the devInspect dry-run. |
exec | (tx) => Promise<{ digest }> | Submits on allow (e.g. keypairExecutor). |
sender | string | The agent address (dry-run sender). |
tx | Transaction | A built PTB, e.g. from buildSwap. |
audit | GuardAudit | { baseUrl, token, agent_id, action_type, amount?, asset? }. |
What it does
devInspectTransactionBlockto dry-run the PTB assender.dryRunResultclassifies the effects. On success, submit viaexec.- On a policy abort, post a
deniedaudit row with the decoded reason and return{ ok: false, reason_code }. The transaction is never submitted. - On a non-policy failure (DeepBook liquidity, gas), return
{ ok: false }with noreason_codeand no audit row. That is not a policy decision; surface it rather than recording a denial.
dryRunResult
effects.status; on failure decodes the policy abort. Use it when you run devInspect yourself and want to branch on the outcome without submitting.
A swap that passes the dry-run is a policy decision, not a guaranteed fill. The agent submits a gated DeepBook order; on a thin testnet book it may fill zero.
ok: true means the policy permitted the action and the transaction landed.Reads and decodePolicyAbort
Read live state from chain and map abort codes to reasons.