Guardian Agent (production)

Guardian executes inside the Intertrace Next.js deployment (e.g. Vercel), not on the Railway gateway. The gateway forwards LLM traffic and posts telemetry to /api/gateway/event; Guardian consumes that data from Supabase when it runs.

Scheduled passes use Vercel Cron, defined in the project’s vercel.json. Each path must receive Authorization: Bearer <CRON_SECRET>— Vercel sets this automatically when CRON_SECRET exists on the deployment.

Hobby plans only allow daily (or slower) cron expressions. The default repo config staggers five Guardian jobs across UTC hours (e.g. 05:00–09:00). Invocations may occur at any time within that hour on Hobby.

For sub-daily sweeps (e.g. critical every 5 minutes), move the project to Vercel Pro and replace the crons block with tighter schedules. Copy the suggested JSON from the repository file docs/GUARDIAN-PRODUCTION.md after upgrading.

Production should include working Supabase service credentials, OPENAI_API_KEY (for graph/LLM steps), CRON_SECRET (for Vercel Cron auth), and should not set GUARDIAN_DISABLED=true unless you intentionally want no-op runs.

Optional: GUARDIAN_EVENT_TRIGGERS=1 lets gateway/integration ingest debounce extra Guardian sweeps per org (see dashboard Guardian console for deployment status). Operator display mode can be set with GUARDIAN_OPERATOR_MODE (Monitor, Recommend, Approval Required, Enforcement Ready).

From any machine, call a cron path with your production origin and secret, for example curl -sS -H "Authorization: Bearer YOUR_CRON_SECRET" "https://YOUR_ORIGIN/api/cron/guardian/critical-events". A 401 means the Bearer token does not match; 503 often means CRON_SECRET is missing.

You can use GitHub Actions, Railway cron, or an external HTTP scheduler to GET or POST the same routes with the same Bearer header if you prefer not to use Vercel’s built-in cron.