# 101 Things to Build with Civic

> 95+ connected tools. 968+ configurable guardrails. 14 universal protections.
> Build AI agents that connect to real tools — every connection governed.

---

## How to Read This

Each use case specifies:
- **What it does** — one-line description
- **Tools** — which MCP servers power it
- **Build with** — recommended framework from [Civic's integrations](https://docs.civic.com/civic/quickstart)
- **Why guardrails matter** — the specific protections that make this safe and why they're essential
- **Complexity** — Starter / Intermediate / Advanced

### Supported Frameworks

| Framework | Language | Best For | Recipe |
|-----------|----------|----------|--------|
| **Anthropic SDK** | TypeScript | Direct Claude integration, streaming | [docs](https://docs.civic.com/civic/recipes/anthropic) |
| **OpenAI Agents SDK** | TypeScript | OpenAI-native agents with tool approval | [docs](https://docs.civic.com/civic/recipes/openai-agents) |
| **OpenAI SDK** | TypeScript/Python | Standard chat completions with tools | [docs](https://docs.civic.com/civic/recipes/openai-sdk) |
| **Vercel AI SDK** | TypeScript | Next.js apps with streaming UI | [docs](https://docs.civic.com/civic/recipes/vercel-ai-sdk) |
| **LangChain / LangGraph** | Python | Stateful agents, complex chains, memory | [docs](https://docs.civic.com/civic/recipes/langchain) |
| **Pydantic AI** | Python | Type-safe Python agents | [docs](https://docs.civic.com/civic/recipes/python-pydantic) |
| **Google ADK** | Python | Gemini-native or multi-model agents | [docs](https://docs.civic.com/civic/recipes/google-adk) |
| **CrewAI** | Python | Multi-agent teams with roles | [docs](https://docs.civic.com/civic/recipes/crewai) |
| **AutoGen** | Python | Multi-agent conversations | [docs](https://docs.civic.com/civic/recipes/autogen) |
| **LlamaIndex** | Python | RAG + tool use over documents | [docs](https://docs.civic.com/civic/recipes/llamaindex) |
| **Mastra** | TypeScript | TypeScript-native agent framework | [docs](https://docs.civic.com/civic/recipes/mastra) |
| **Semantic Kernel** | C# / .NET | Enterprise .NET agents | [docs](https://docs.civic.com/civic/recipes/semantic-kernel) |
| **Haystack** | Python | Pipeline-based NLP agents | [docs](https://docs.civic.com/civic/recipes/haystack) |
| **DSPy** | Python | Programmatic prompt optimization | [docs](https://docs.civic.com/civic/recipes/dspy) |
| **Agno** | Python | Lightweight Python agents | [docs](https://docs.civic.com/civic/recipes/agno) |
| **CAMEL-AI** | Python | Role-playing multi-agent simulation | [docs](https://docs.civic.com/civic/recipes/camel-ai) |
| **smolagents** | Python | Hugging Face lightweight agents | [docs](https://docs.civic.com/civic/recipes/smolagents) |
| **Flowise** | No-code | Visual drag-and-drop agent builder | [docs](https://docs.civic.com/civic/recipes/flowise) |
| **Dify** | No-code | No-code AI app platform | [docs](https://docs.civic.com/civic/recipes/dify) |
| **Claude Desktop** | Interactive | Personal use, 2-minute setup | [docs](https://docs.civic.com/civic/quickstart/clients/claude-desktop) |
| **Cursor / VS Code** | IDE | Developer-in-the-loop coding | [docs](https://docs.civic.com/civic/quickstart/clients/cursor) |
| **Goose** | Interactive | Block's open-source agent | [docs](https://docs.civic.com/civic/quickstart/clients/goose) |

---

## Table of Contents

- [Personal Productivity](#personal-productivity) (1–10)
- [Sales & Revenue](#sales--revenue) (11–22)
- [Marketing & Growth](#marketing--growth) (23–34)
- [Customer Support](#customer-support) (35–44)
- [Engineering & DevOps](#engineering--devops) (45–58)
- [Data & Analytics](#data--analytics) (59–70)
- [Finance & Accounting](#finance--accounting) (71–82)
- [HR & People Ops](#hr--people-ops) (83–88)
- [Legal & Compliance](#legal--compliance) (89–93)
- [Content & Design](#content--design) (94–98)
- [IoT & Physical World](#iot--physical-world) (99–101)

---

## Personal Productivity

### 1. Personal Assistant Agent ⭐ S-TIER
**Starter** · Claude Desktop

An AI that reads your email, manages your calendar, and drafts responses — but can only email approved domains and can't see threads from unverified senders.

**Tools:** Google Gmail, Google Calendar, Google Docs

**Why guardrails matter:** This is the agent everyone builds first — and the one most likely to go wrong without controls. Without guardrails, a personal assistant with Gmail access could email your entire contact list, read sensitive threads, or schedule meetings with anyone. Civic's domain-verified sending and thread filtering means you can give an agent real email access without giving it the keys to your entire professional life.

- **Send to Verified Recipients Only** — agent can only email approved domains, preventing accidental sends to clients or strangers
- **Sensitive Content Filter** — blocks sending emails containing PII, credentials, or flagged patterns
- **Create Event Verified Domains Only** — can only invite attendees from your org's domain
- **Thread Verified Senders Only** — hides email threads from unverified senders entirely
- **Maximum Attendees Per Event** — prevents mass-invite accidents
- **Safe Email Search** — blocks searching for passwords, SSN, credit card terms

---

### 2. Inbox Zero Agent
**Intermediate** · LangGraph

Reads, labels, and triages your IMAP inbox. Moves newsletters to folders, flags action items, drafts replies. The agent can never permanently delete an email — only soft-delete to trash.

**Tools:** IMAP Email, Google Gmail, Notion

**Why guardrails matter:** Giving an agent write access to your inbox is terrifying without deletion protection. One bad classification and years of email history could vanish. Civic's IMAP guardrails enforce soft-delete, cap batch sizes, and protect your inbox folder — the agent can organize freely but can't cause irreversible damage.

- **Prevent Permanent Deletion** — forces soft-delete to trash, never permanent
- **Maximum Delete Batch Size (10)** — prevents catastrophic bulk deletion
- **Protect INBOX from Deletion** — the inbox itself is untouchable
- **Allowed Destination Folders** — moves only to approved folders
- **Block Common Sensitive Terms in Search** — can't search for passwords, SSN, API keys
- **Email Verified Senders Only** — blocks content from unverified senders

---

### 3. Document Q&A Agent
**Starter** · LlamaIndex

Search across Drive, Dropbox, and Notion to answer team questions. Every response has PII auto-redacted and credentials stripped — the agent never sees raw sensitive data.

**Tools:** Google Drive, Dropbox, Notion, Mistral OCR

**Why guardrails matter:** Knowledge bases contain PII, API keys, financial data, and credentials buried in documents. Without response-level redaction, a Q&A agent becomes a PII extraction tool. Civic's guardrails mask sensitive data before the LLM ever sees it, and folder scoping ensures the agent only accesses approved directories.

- **Mask PII in File Content** — SSN, credit cards, emails auto-masked in Drive files
- **Redact Credentials in File Content** — API keys and tokens stripped before the agent reads them
- **Allowed Folder IDs (Drive/Dropbox)** — agent only accesses approved folders
- **Approved Databases (Notion)** — queries restricted to approved Notion databases
- **Block Internal Network URLs (OCR)** — prevents SSRF when scanning documents
- **Filter Sensitive Extensions (Dropbox)** — .key, .pem, .env files redacted from search

---

### 4. Meeting Prep Briefing Agent
**Starter** · Anthropic SDK

Before each meeting, pulls attendee context from HubSpot, recent Slack threads, and relevant docs. Generates a one-page prep brief. CRM contact details are auto-masked.

**Tools:** Google Calendar, HubSpot, Slack, Google Docs

**Why guardrails matter:** Meeting prep requires cross-system reads, which means the agent touches CRM contacts, email threads, and internal docs. HubSpot's guardrails mask PII and hide sensitive custom properties so the agent gets context without exposing raw customer data.

- **Redact Contact PII (HubSpot)** — masks emails and phones in CRM data
- **Hide Custom Properties (HubSpot)** — sensitive deal fields stay hidden
- **Restrict List Properties (HubSpot)** — only approved properties returned
- **Event Time Range Restriction** — limits calendar lookback window
- **Document ID Blocklist (Docs)** — specific sensitive docs are off-limits

---

### 5. Cross-Account Calendar Sync ⭐ S-TIER
**Intermediate** · LangGraph

Syncs calendar events across multiple Google accounts — creating busy blocks on a target calendar from source calendars. The agent can only read from specific source calendars, can only write to specific target calendars, can never delete events, can't touch recurring series, and sensitive event details are auto-redacted before syncing. This is where Civic's guardrails are strictly stronger than OAuth scopes.

**Tools:** Google Calendar, Slack

**Why guardrails matter:** OAuth scopes are a blunt instrument — `calendar.events` grants full read/write on ALL calendars. A sync daemon with that scope can delete events, modify attendees, overwrite recurring series, or read sensitive meeting details it was never meant to see. Google Calendar's 39 guardrails replace coarse OAuth with fine-grained policy: per-calendar read/write control, deletion blocking, recurring event protection, attendee redaction, content filtering, and time-range restrictions. This is the clearest "guardrails > scopes" demo — the same OAuth token, but Civic's policy layer restricts what operations are actually permitted, on which calendars, during which time windows. And if the sync goes wrong at 2am, Civic's kill switch stops it instantly — no token revocation ceremony through Google's UI.

- **Allowed Calendar IDs** — source calendars: only reads from specific approved calendar IDs, not "all calendars"
- **Create Event Allowed Calendars** — target calendar: only writes busy blocks to the designated target calendar ID
- **Block Delete Event** — the sync agent can NEVER delete events, period
- **Protect Recurring Events** — recurring event series can't be modified or deleted
- **Protected Calendars From Modification** — prevents modifying events on source calendars (read-only)
- **Protected Calendars From Deletion** — prevents deletion of events on protected calendars
- **Hide Event Attendees** — attendee lists stripped from synced copies (privacy)
- **Event Content Filter** — redacts sensitive info from event descriptions before syncing
- **Event Description Filter** — redacts events with sensitive keywords entirely
- **Block Past Event Modifications** — historical events are immutable
- **Event Time Range Restriction** — limits sync window (no reading years of history)
- **Sensitive Event Filter** — hides events containing confidential information from the sync
- **List Verified Calendars Only** — only approved calendars appear in listings

---

### 6. Presentation Builder Agent
**Intermediate** · Vercel AI SDK

Takes a brief, researches content from Drive, builds slides in Google Slides, adds Canva-designed visuals. Can't modify protected presentations or inject external images.

**Tools:** Google Slides, Google Drive, Canva, Tavily

**Why guardrails matter:** Slides agents that pull from the web risk injecting external URLs, overwriting exec decks, or leaking speaker notes. Civic's slide guardrails block external URL insertion, protect critical presentations by ID, and redact speaker notes from responses.

- **Protected Presentation IDs** — critical decks are untouchable
- **Block External URLs (Slides)** — prevents external image/link injection
- **Redact Speaker Notes** — internal notes hidden from agent
- **Allowed Design Types (Canva)** — restricts AI-generated design types
- **Maximum Batch Requests** — caps batch update operations per call
- **Block Text Replacement** — prevents find-replace that could expose sensitive data

---

### 7. Note-to-Task Converter
**Starter** · Agno

Reads Notion meeting notes, extracts action items, creates ClickUp tasks with assignees, posts a summary to Slack. Can only read from approved Notion pages and write to approved databases.

**Tools:** Notion, ClickUp, Slack

**Why guardrails matter:** Meeting notes often contain sensitive context — HR discussions, financial plans, legal matters. Notion's approved page guardrails ensure the agent only reads from sanctioned sources, and protected pages prevent accidental overwrites of existing docs.

- **Approved Pages (Retrieve)** — agent can only read sanctioned Notion pages
- **Protected Pages (Update)** — existing important pages can't be overwritten
- **Approved Databases** — task creation scoped to approved Notion databases
- **Batch Operation Size Limit** — caps bulk writes across Notion
- **Search Term Filter** — blocks searching for sensitive internal terms

---

### 8. Weekly Cross-Tool Digest
**Starter** · Pydantic AI

Every Monday, compiles: unread Gmail highlights, upcoming Calendar events, open Jira tickets, and Slack threads into a Google Doc digest. Sensitive content filtered across all sources.

**Tools:** Google Gmail, Google Calendar, Atlassian (Jira), Slack, Google Docs

**Why guardrails matter:** A cross-tool digest agent reads broadly. Without guardrails, it could pull sensitive Jira issues, private calendar events, or confidential email threads into a document anyone might access. Civic's per-tool filters ensure each source is scoped and sanitized.

- **Allowed Email Labels (Gmail)** — only processes approved label categories
- **Block Access to Specific Issues (Jira)** — sensitive tickets excluded
- **Hide Sensitive Issue Fields (Jira)** — assignee/reporter details hidden
- **Event Content Filter (Calendar)** — redacts sensitive event descriptions
- **Blocked Title Keywords (Docs)** — prevents creating docs with flagged titles

---

### 9. Email Draft Review Agent
**Intermediate** · Anthropic SDK

Reviews Gmail drafts before sending: checks tone, compliance with company guidelines, and flags sensitive content. Can read drafts but can't send — only creates reviewed copies.

**Tools:** Google Gmail, Google Docs, Slack

**Why guardrails matter:** An agent that can send email is a risk. An agent that can only read and draft is safe. Civic's Gmail guardrails let you give read access while restricting sends to verified domains only — or blocking sends entirely while allowing draft creation.

- **Draft Content Filter** — blocks drafts containing sensitive patterns
- **Approved Email Domains** — if sending is enabled, restricted to approved domains
- **Maximum Recipients** — caps recipient count
- **Sensitive Content Filter** — catches PII/credentials before send
- **Single Recipient Only** — locks sends to specific verified addresses

---

### 10. Shared Drive Gatekeeper
**Intermediate** · Pydantic AI

Monitors Google Drive shared folders for misplaced files, sensitive content in public folders, and credential leaks. Alerts on Slack. Can only read — never create or move files outside allowed folders.

**Tools:** Google Drive, Slack, Google Sheets

**Why guardrails matter:** Shared Drives are where credentials leak. Civic's Drive guardrails redact API keys, passwords, and tokens from file content at the response level — the agent can scan for problems without ever seeing the raw sensitive data it's flagging.

- **Redact Credentials in File Content** — API keys, passwords, tokens stripped
- **Mask PII in File Content** — SSN, credit cards, emails masked
- **Block Wildcard Search Patterns** — prevents matching all files
- **Allowed Folder IDs** — scoped to approved directories only
- **Block Dangerous Formats in List** — redacts executables from listings
- **Maximum File Size for Content Access** — blocks files larger than 10MB

---

## Sales & Revenue

### 11. Sales Operations Copilot ⭐ S-TIER
**Intermediate** · LangGraph

Syncs deal data between Salesforce and comms tools. Updates pipeline stages, logs activities, alerts reps on Slack. Financial data is redacted from every response; record deletion is blocked at the guardrail level.

**Tools:** Salesforce, HubSpot, Slack, Google Gmail

**Why guardrails matter:** A CRM agent with write access is the highest-stakes enterprise use case. One bad prompt and the agent could delete accounts, expose revenue numbers, or email customers directly. Civic's Salesforce guardrails (34 specific rules) block deletion of core objects, redact financial fields from all responses, and restrict DML operations to a vetted object allowlist. This is where guardrails go from "nice-to-have" to "I can't deploy without this."

- **Block Account/Contact/Lead/Opportunity/Case Deletion** — 5 separate deletion blocks on core CRM objects
- **Redact Financial Data** — Amount, Revenue, Price fields hidden from agent in all responses
- **Restrict DML to Vetted Objects** — allowlist for which Salesforce objects the agent can write to
- **Limit DML Batch Size** — caps records per write operation
- **Block User Object Queries** — prevents querying the User table (privilege discovery)
- **Redact Contact PII (HubSpot)** — masks emails and phones in cross-CRM syncs

---

### 12. Pipeline Deal Tracker
**Starter** · Claude Desktop

Keeps Pipedrive deals in sync with Slack updates and Sheets reports. Deal values are redacted, deletion is blocked across all entity types, and only your pipeline is visible.

**Tools:** Pipedrive, Slack, Google Sheets

**Why guardrails matter:** Pipedrive's 32 guardrails block deletion on every entity type — deals, orgs, persons, pipelines, stages, notes, activities. Combined with deal value redaction and owner-scoped filtering, the agent can manage your pipeline without seeing money or destroying records.

- **Block Deal/Org/Person/Pipeline/Stage/Note/Activity Deletion** — 7 separate deletion blocks
- **Redact Deal Financial Data** — deal value hidden from agent
- **Filter Deals by Owner** — scoped to your team's deals only
- **Restrict to Vetted Pipeline IDs** — only approved pipelines visible
- **Redact Email Addresses** — PII stripped from all Pipedrive responses
- **Restrict Activity Types** — only approved activity types (call, meeting, etc.)

---

### 13. Lead Enrichment Agent
**Intermediate** · CrewAI

Multi-agent team: Researcher finds contacts via Hunter.io/Findymail, Enricher validates emails and pulls company data, Loader pushes qualified leads to ActiveCampaign. PII masked, VIP contacts protected.

**Tools:** Hunter.io, Findymail, ActiveCampaign, Google Sheets

**Why guardrails matter:** Lead enrichment agents that write to your marketing database need strict controls. ActiveCampaign's 70 guardrails prevent bulk email enumeration, protect VIP contacts from unauthorized access, and block PII (SSNs, credit cards) from being stored in custom fields.

- **Block Email Enumeration** — prevents wildcard searches on contacts
- **Block VIP Contact Access** — high-value contacts protected from agent reads
- **Redact PII from Field Values** — blocks SSNs/credit cards in contact fields
- **Block Sensitive List Names** — can't create lists with sensitive naming
- **Valid Sender URL** — requires approved domains on list sender URLs
- **Limit Contact Search Results** — caps results to prevent bulk data export

---

### 14. CRM Hygiene Agent
**Intermediate** · Pydantic AI

Scans HubSpot for duplicate contacts, stale deals, and missing properties. Bulk-updates records and generates a hygiene report. Can't change ownership, access archived records, or modify restricted properties.

**Tools:** HubSpot, Google Sheets, Slack

**Why guardrails matter:** HubSpot's 57 guardrails give you fine-grained control over what a hygiene agent can touch. Block owner changes (prevents reassignment chaos), restrict which properties can be updated (protect formulas and integrations), and filter by data classification (keep sensitive records out of reports).

- **Block Owner Changes** — engagement ownership can't be reassigned
- **Restrict Update Properties** — only approved properties can be modified
- **Block Archived Objects** — can't access archived/deleted records
- **Filter Objects by Owner** — scoped to your team's records
- **Limit Batch Update Size** — caps bulk update operations
- **Filter by Data Classification** — results filtered by data sensitivity level

---

### 15. Proposal Generator
**Advanced** · Anthropic SDK

Pulls deal context from Salesforce, client history from HubSpot, templates from Drive. Generates a proposal doc with financials redacted and emails it as a draft restricted to approved domains.

**Tools:** Salesforce, HubSpot, Google Drive, Google Docs, Google Gmail

**Why guardrails matter:** Proposals contain pricing, client details, and competitive intel. Civic ensures the agent never sees raw financial data from Salesforce, can only email drafts to approved domains, and can only access templates from whitelisted Drive folders.

- **Redact Financial Data (Salesforce)** — Amount, Revenue, Price fields hidden
- **Restrict Queries to Vetted Objects** — can only read approved Salesforce objects
- **Allowed Folders for File Creation (Drive)** — proposals only in approved directory
- **Draft Content Filter (Gmail)** — blocks drafts with sensitive content
- **Approved Email Domains (Gmail)** — draft sends restricted to your domain
- **Hide Custom Properties (HubSpot)** — sensitive deal metadata hidden

---

### 16. Account Health Monitor
**Intermediate** · LangGraph

Monitors Salesforce accounts for churn signals — declining engagement, escalating support tickets, missed renewals. Alerts account teams on Slack. Data scoped to the agent's permitted accounts.

**Tools:** Salesforce, Intercom, Slack, Google Sheets

**Why guardrails matter:** A churn detection agent needs broad read access across CRM and support tools, which makes scoping critical. Civic's owner-based filtering ensures the agent only sees accounts it's authorized for, and deletion blocking prevents any "cleanup" actions on at-risk accounts.

- **Filter Records by Owner** — only sees accounts belonging to approved owners
- **Block Account Deletion** — at-risk accounts can't be "cleaned up"
- **Restrict Queries to Vetted Objects** — limited to approved object types
- **Redact Financial Data** — revenue numbers hidden from churn analysis
- **Limit Query Result Size** — caps SOQL results
- **Block Contact Deletion** — contacts on at-risk accounts are protected

---

### 17. Outbound Sequence Builder
**Intermediate** · CrewAI

Researcher agent identifies prospects via Tavily, Enricher validates with Findymail, Loader creates ActiveCampaign contacts and enrolls them in approved drip sequences. High-value automation enrollment requires explicit approval.

**Tools:** Tavily, Findymail, ActiveCampaign, Google Sheets

**Why guardrails matter:** Enrolling contacts in automations is a high-stakes action — wrong sequence, wrong contact, and you damage relationships. Civic's ActiveCampaign guardrails gate high-value automation enrollment, block specific automation IDs, and prevent accidental unsubscribes.

- **High-Value Automation Approval** — requires approval for high-value drip enrollment
- **Block Automation IDs** — specific automations off-limits
- **Block Sensitive Tags** — can't apply protected tag categories
- **Prevent Unsubscribe Status** — blocks malicious/accidental bulk unsubscribes
- **Limit Field Value Length** — caps data written to contact fields
- **Block Required Tag Removal** — compliance tags can't be stripped

---

### 18. Win/Loss Analyst
**Intermediate** · DSPy

Analyzes closed Salesforce opportunities, reads associated email threads, generates pattern reports in Sheets. Can't query User or Profile objects, and all financial data is redacted.

**Tools:** Salesforce, Google Gmail, Google Sheets

**Why guardrails matter:** Win/loss analysis means reading across opportunities, contacts, and emails. Salesforce's guardrails block Profile and User table queries (preventing org discovery), redact financial fields (the agent sees win/loss patterns, not dollar amounts), and redact password fields.

- **Block Profile Queries** — prevents querying Profile object (privilege discovery)
- **Block User Object Queries** — prevents querying User table
- **Redact Financial Data** — Amount, Revenue fields hidden
- **Redact Password Fields** — tokens/secrets stripped from all responses
- **Limit Query Result Size** — caps SOQL results
- **Safe Email Search (Gmail)** — blocks searching for sensitive terms

---

### 19. Deal Room Agent
**Advanced** · Vercel AI SDK

Creates a dedicated Google Drive folder for each Pipedrive deal. Populates with templates, shares with stakeholders, tracks activity. Path traversal and executable file creation blocked.

**Tools:** Pipedrive, Google Drive, Google Docs, Slack

**Why guardrails matter:** Auto-creating Drive folders means the agent generates file names and paths. Without path traversal protection, a prompt injection could escape the intended directory. Civic blocks `../` sequences in file names, prevents executable file creation, and restricts creation to approved folders.

- **Block Path Traversal in File Names** — prevents `../` directory escape
- **Block Executable File Creation** — can't create .exe, .sh, .bat files
- **Allowed Folders for File Creation** — restricted to approved parent directories
- **Maximum File Content Size** — caps file size at 1MB
- **Block File URL Parameter** — prevents external file fetching via fileUrl
- **Restrict to Vetted Pipeline IDs (Pipedrive)** — only approved deals get rooms

---

### 20. Commission Calculator
**Intermediate** · Pydantic AI

Reads closed-won deals from Salesforce, applies rules from a protected Google Sheet, posts payout summaries to Slack. The commission sheet can't be overwritten — only empty cells are writable.

**Tools:** Salesforce, Google Sheets, Slack

**Why guardrails matter:** Commission data is both sensitive and critical. Civic's Sheets guardrails prevent overwriting existing data (protecting formulas and historical records), block formula injection (preventing malicious cell values), and restrict input to RAW mode (no formula evaluation).

- **Prevent Data Overwrite (Sheets)** — only writes to empty cells
- **Block Formula Injection** — prevents `=IMPORTRANGE` and other formula attacks
- **Restrict Input to RAW** — forces plain values, no formula evaluation
- **Block Modification of Protected Spreadsheets** — critical sheets are read-only
- **Restrict Queries to Vetted Objects (Salesforce)** — only reads Opportunity
- **Limit Query Result Size** — caps results per SOQL query

---

### 21. Sales Forecast Agent
**Advanced** · LangGraph

Aggregates pipeline data from Pipedrive and HubSpot, runs trend analysis, produces forecast decks in Google Slides. Financial values are redacted — the agent works with pipeline stage and probability, not dollar amounts.

**Tools:** Pipedrive, HubSpot, Google Sheets, Google Slides, Slack

**Why guardrails matter:** Forecast agents need to read deal data across CRMs while never exposing actual revenue numbers. Pipedrive's deal value redaction and HubSpot's financial data pattern filtering strip dollar amounts from responses, so the agent forecasts from stage/probability data only.

- **Redact Deal Financial Data (Pipedrive)** — deal values hidden
- **Filter Data by Pattern (HubSpot)** — regex-based financial data filtering
- **Filter Deals by Pipeline** — scoped to approved pipelines
- **Protected Presentation IDs (Slides)** — existing forecast decks are read-only
- **Restrict to Vetted User IDs (Pipedrive)** — owner-scoped data
- **Limit Deals Pagination Size** — caps per-page results

---

### 22. RFP Response Agent
**Advanced** · Anthropic SDK

Reads RFP documents from Dropbox, pulls case studies from Confluence, assembles a response in Google Docs. Sensitive extensions (.key, .pem, .env) auto-filtered from file searches.

**Tools:** Dropbox, Atlassian (Confluence), Google Docs, Google Drive

**Why guardrails matter:** Dropbox's 55 guardrails provide comprehensive file safety: folder scoping (source and destination), malicious format blocking, sensitive extension filtering, and email domain validation on file paths. The agent assembles RFPs from approved content without exposure to credentials or keys.

- **Allowed Folders Only (Dropbox)** — source files scoped to RFP library
- **Block Malicious Formats** — prevents accessing dangerous file types
- **Filter Sensitive Extensions** — .key, .pem, .env redacted from search
- **Block Sensitive Search Terms** — can't search for passwords, credentials
- **Block Specific Space IDs (Confluence)** — case studies from approved spaces only
- **Blocked Content Patterns (Docs)** — prevents writing flagged content

---

## Marketing & Growth

### 23. Marketing Campaign Manager ⭐ S-TIER
**Intermediate** · OpenAI Agents SDK

Spins up Meta ad campaigns with Canva-designed creatives, tracks performance in Google Analytics. Every campaign has mandatory budget caps and geo-targeting — the agent physically cannot create an uncapped global campaign.

**Tools:** Meta Ads, Google Analytics, Canva, ActiveCampaign

**Why guardrails matter:** This is the most intuitive guardrail demo: "Your agent can create ad campaigns but can never spend more than $X/day or run ads without geographic targeting." Meta Ads' 18 guardrails enforce budget ceilings at both campaign and ad set level, require geo-targeting on every ad set, and force archive-over-delete to preserve history.

- **Limit Campaign Daily Budget** — hard cap on daily spend per campaign
- **Limit Campaign Lifetime Budget** — hard cap on total spend per campaign
- **Limit Ad Set Daily/Lifetime Budget** — caps at the ad set level too
- **Require Geographic Targeting** — every ad set must have geo-targeting
- **Require Budget for New Campaigns** — can't create budget-less campaigns
- **Block Campaign Deletion** — forces archive instead of delete (preserves data)
- **Restrict Lookalike Audience Ratio** — limits to ≤5 to prevent overly broad audiences

---

### 24. Email Campaign Autopilot
**Intermediate** · LangGraph

Manages ActiveCampaign contacts and drip sequences. The agent can enroll contacts in automations but can't mass-unsubscribe, strip compliance tags, or immediately remove contacts from active sequences.

**Tools:** ActiveCampaign, Google Gmail, Google Sheets

**Why guardrails matter:** ActiveCampaign's 70 guardrails are the deepest per-tool set on the platform. A rogue email agent could unsubscribe your entire list, remove CAN-SPAM compliance tags, or rip contacts out of nurture sequences. Civic blocks all of these at the request level.

- **Prevent Unsubscribe Status** — blocks setting subscription status to unsubscribed
- **Block Critical Automation Removal** — protects enrollment in essential flows
- **Block Required Tag Removal** — compliance tags (CAN-SPAM, GDPR) can't be stripped
- **Minimum Enrollment Duration** — prevents immediate removal from automations
- **Redact PII from Field Values** — blocks SSNs/credit cards in contact data
- **Block Email Enumeration** — prevents wildcard contact searches
- **High-Value Automation Approval** — gated enrollment for high-value sequences

---

### 25. Ad Spend Guardian
**Intermediate** · Mastra

Monitors active Meta Ads campaigns, alerts when spend approaches budget limits, and can pause ad sets — but can never delete campaigns, increase budgets, or create new spending commitments.

**Tools:** Meta Ads, Slack, Google Sheets

**Why guardrails matter:** The inverse of the campaign manager: this agent watches spend but can't increase it. Budget limit guardrails work in reverse here — the agent can read spend data (with account balance redacted) and take protective action, but budget-increase guardrails prevent it from raising caps.

- **Redact Account Balance** — agent sees spend trends, not raw balances
- **Redact Payment and Credit Information** — funding sources hidden
- **Redact Business IDs** — org identifiers stripped
- **Limit Campaign Daily Budget Update** — can't raise budgets
- **Limit Campaign Lifetime Budget Update** — can't raise lifetime caps
- **Prevent Direct Active to Deleted Transition** — must pause before archive

---

### 26. Social Media Content Agent
**Intermediate** · CrewAI

Multi-agent team: Writer creates copy, Designer generates Canva visuals, Publisher posts to Twitter and Bluesky. Canva's SSRF protection prevents importing from unauthorized domains.

**Tools:** Twitter, Bluesky, Canva, Google Sheets

**Why guardrails matter:** A social agent that can import images from URLs is an SSRF vector. Canva's upload guardrails restrict import domains to an allowlist and block specific domains, preventing the agent from fetching from internal networks or malicious sources.

- **Allowed Asset Upload Domains (Canva)** — SSRF protection on URL imports
- **Block Asset Upload Domains** — explicit blocklist for dangerous sources
- **Allowed Import Domains** — design imports restricted to approved CDNs
- **Allowed Design Types** — restricts AI-generated design types
- **Redact Sensitive Design Text** — catches leaked API keys in visual content
- **Limit Generation Assets** — caps assets per AI generation request

---

### 27. Landing Page Builder
**Intermediate** · Vercel AI SDK

Takes a product brief, generates copy, creates Canva hero images, publishes to Webflow CMS. Content filtered before publish, design imports restricted to approved domains.

**Tools:** Canva, Webflow, Google Docs, Tavily

**Why guardrails matter:** Publishing agents that push content to production websites need content filtering and import controls. Canva's SSRF guardrails prevent fetching from internal networks, and content pattern blocking catches sensitive data before it reaches Webflow.

- **Allowed Import Domains (Canva)** — only approved CDNs
- **Block Asset Upload Domains (Canva)** — explicit blocklist
- **Blocked Content Patterns (Docs)** — catches sensitive content before publish
- **Redact Sensitive Design Text** — API keys/passwords caught in designs
- **Block Pro Export Quality** — prevents unauthorized high-res exports
- **Limit Export Pages** — caps pages exported at once

---

### 28. Ad Creative Generator
**Intermediate** · CrewAI

Three-agent team: Analyst pulls top-performing ad data from Meta Ads, Designer generates variations in Canva, Reviewer scores against brand guidelines. Payment info auto-redacted from ad account data.

**Tools:** Meta Ads, Canva, Google Sheets

**Why guardrails matter:** Accessing Meta Ads data exposes account financials — balance, spend caps, payment methods. Civic's response guardrails strip all financial and billing data from ad account responses, so the creative team gets performance data without financial exposure.

- **Redact Account Balance** — balance, amount_spent, spend_cap hidden
- **Redact Payment and Credit Information** — funding sources stripped
- **Redact Business IDs** — org identifiers hidden
- **Allowed Design Types (Canva)** — restricts AI generation types
- **Block Pro Export Quality** — prevents unauthorized high-quality exports
- **Limit Insights Results (100 max)** — caps data returned per request

---

### 29. Newsletter Builder
**Intermediate** · Anthropic SDK

Curates content from Notion wiki, Google Docs drafts, and web content (Firecrawl). Assembles an HTML newsletter in ActiveCampaign. PII in source content is auto-redacted before the agent composes.

**Tools:** Notion, Google Docs, Firecrawl, ActiveCampaign

**Why guardrails matter:** Newsletters pull from internal sources that may contain PII. Civic's response guardrails strip PII from Google Docs content and Notion pages before the agent sees them, so personal data never ends up in a mass email.

- **PII Patterns to Redact (Docs)** — SSN, email, phone patterns stripped from doc content
- **Approved Pages (Notion)** — only sanctioned source pages readable
- **Retain Markdown and URL Only (Firecrawl)** — strips metadata, saves tokens
- **Block Sensitive List Names (ActiveCampaign)** — can't create lists with flagged names
- **Valid Sender URL** — requires approved domains on list sender URLs
- **Block Email Enumeration (ActiveCampaign)** — prevents wildcard contact searches

---

### 30. SEO & Analytics Agent
**Intermediate** · Haystack

Crawls your site with Firecrawl, pulls Google Analytics performance data, generates SEO recommendations in Notion. User-scoped dimensions blocked — the agent sees aggregate data only.

**Tools:** Firecrawl, Google Analytics, Notion, Tavily

**Why guardrails matter:** Google Analytics' 41 guardrails are privacy-focused: blocking user-scoped dimensions prevents individual tracking, PII filtering strips emails/phones from dimension values, and geo-detail hiding redacts sub-country data. The agent analyzes traffic without identifying individuals.

- **Block User-Scoped Dimensions (GA)** — prevents individual user tracking
- **Filter Report PII** — strips emails and phone numbers from dimension values
- **Hide Report Geo Details** — redacts geographic info below country level
- **Redact Report User IDs** — user identifiers stripped from all results
- **Restrict Report Properties** — scoped to approved GA properties
- **Retain Markdown and URL Only (Firecrawl)** — clean scrape data

---

### 31. Google Ads Performance Agent
**Intermediate** · Pydantic AI

Pulls campaign and ad performance from Google Ads, correlates with Analytics conversion data, generates weekly reports in Sheets. PII and user-level data auto-stripped.

**Tools:** Google Ads, Google Analytics, Google Sheets

**Why guardrails matter:** Correlating ads data with analytics means the agent touches conversion tracking and user-scoped data. Civic's GA guardrails block revenue metrics in realtime reports, redact conversion tracking details in Ads links, and filter IP addresses from report data.

- **Block Realtime Revenue Metrics (GA)** — revenue/conversion metrics blocked in realtime
- **Redact Conversion Tracking (GA)** — tracking details hidden in Ads links
- **Filter IP Addresses (GA)** — IP data stripped from reports
- **Restrict Realtime Properties** — scoped to approved properties
- **Report Row Limit** — caps rows returned per report
- **Block Formula Injection (Sheets)** — protects report spreadsheets

---

### 32. Influencer Outreach Agent
**Intermediate** · CrewAI

Researcher finds contacts via Findymail and web search, Drafter creates personalized outreach, Sender creates Gmail drafts (never sends directly). Draft content auto-filtered for compliance.

**Tools:** Findymail, Tavily, Google Gmail, Google Sheets

**Why guardrails matter:** Outreach agents that draft cold emails need content controls. Civic's Gmail guardrails filter draft content for compliance, restrict email sends to approved domains, and limit recipients per message — preventing an agent from mass-emailing.

- **Draft Content Filter** — blocks drafts with sensitive/non-compliant content
- **Approved Email Domains** — sends restricted to approved domains
- **Maximum Recipients** — caps recipients per email
- **Sensitive Content Filter** — catches PII in outgoing drafts
- **Single Recipient Only** — locks sends to one verified address per email

---

### 33. Event Promotion Agent
**Intermediate** · OpenAI Agents SDK

Creates Calendar events, designs invite graphics in Canva, posts to social channels, sends email invites via ActiveCampaign. Attendee lists verified, calendar creation scoped to approved calendars.

**Tools:** Google Calendar, Canva, Twitter, Bluesky, ActiveCampaign

**Why guardrails matter:** Event agents that create calendar entries and send invites need attendee controls. Civic's calendar guardrails verify attendee domains, block specific email addresses, and limit attendees per event — preventing mass-invite accidents.

- **Blocked Event Attendees** — specific emails/domains blocked from invites
- **Maximum Attendees Per Event** — caps attendees to prevent mass invites
- **Create Event Allowed Calendars** — only approved calendars writable
- **Block Google Meet Creation** — controls whether video links are auto-added
- **Block Event Attachments** — prevents Drive file attachments on events
- **Block Sensitive Tags (ActiveCampaign)** — protected tag categories

---

### 34. Competitor Ad Monitor
**Intermediate** · Pydantic AI

Tracks competitor ad spending patterns via Meta Ads insights, logs findings in Sheets, alerts on Slack when spending changes. All financial account data (balance, payment methods, spend caps) auto-redacted.

**Tools:** Meta Ads, Google Sheets, Slack, Tavily

**Why guardrails matter:** Even read-only access to Meta Ads exposes financial data. Civic's response guardrails strip balance, amount_spent, spend_cap, funding_source, payment_method, and billing info from all ad account responses. The agent sees campaign performance, not financial exposure.

- **Redact Account Balance** — balance and spend data hidden
- **Redact Payment and Credit Information** — funding sources stripped
- **Redact Business IDs** — org identifiers hidden
- **Limit Insights Results (100 max)** — caps data per request
- **Block Formula Injection (Sheets)** — protects analysis spreadsheets
- **Restrict Input to RAW (Sheets)** — prevents formula evaluation

---

## Customer Support

### 35. Customer Support Triage ⭐ S-TIER
**Intermediate** · LangGraph

Reads Intercom conversations, creates Jira tickets in the support project, updates Confluence runbooks, notifies the team on Slack. The agent can't touch protected issues, transition critical tickets, or create pages outside the runbook space.

**Tools:** Intercom, Atlassian (Jira + Confluence), Slack

**Why guardrails matter:** Atlassian's 72 guardrails are the most comprehensive on the platform. Support triage agents need to create issues but never close critical incidents, write to Confluence but never modify protected pages. Civic's Jira guardrails enforce transition restrictions (the agent can't move P1s to "Done"), project scoping (creates only in approved projects), and content filtering (blocks sensitive keywords in comments). This is the textbook example of "the agent can help without causing damage."

- **Block Creation in Specific Projects** — agent only creates in the support project
- **Prevent Transitions on Protected Issues** — can't close or reopen critical incidents
- **Block Edits to Specific Issues** — sensitive issues are fully read-only
- **Block Page Creation in Spaces (Confluence)** — writes only in runbook space
- **Require Transition Comments** — every status change must have context
- **Limit Comment Length** — prevents verbose auto-generated comments
- **Redact User Information** — assignee and reporter details hidden

---

### 36. IT Helpdesk Agent
**Intermediate** · OpenAI Agents SDK

Monitors IMAP support inbox, creates Jira tickets, searches Confluence for solutions, replies to users. Batch operations are capped, deletion is soft-only, and attachments are verified-sender-only.

**Tools:** IMAP Email, Atlassian (Jira + Confluence), Slack

**Why guardrails matter:** IT helpdesks process untrusted email — potential phishing, malicious attachments, social engineering. IMAP's guardrails block attachment downloads from unverified senders and enforce verified-sender-only content access. Combined with batch size limits and soft-delete enforcement, the agent handles tickets safely.

- **Attachment Verified Senders Only** — blocks downloads from unverified senders
- **Email Verified Senders Only** — blocks content from unverified domains
- **Prevent Permanent Deletion** — forces soft-delete to trash
- **Maximum Delete/Copy/Move Batch Size** — all batch ops capped
- **Protected Source Folders** — can't move emails from protected folders
- **Block Sensitive JQL Queries (Jira)** — can't search confidential issues

---

### 37. Knowledge Base Auto-Updater
**Intermediate** · Anthropic SDK

Analyzes resolved Intercom conversations, identifies common questions, creates or updates Confluence FAQ articles. Version messages required on every update, space scoping enforced.

**Tools:** Intercom, Atlassian (Confluence), Slack

**Why guardrails matter:** An agent that writes to your knowledge base can cause content sprawl or overwrite critical docs. Confluence's guardrails enforce space scoping (creates only in FAQ space), require version messages (audit trail for every change), and block content with sensitive keywords.

- **Block Page Creation in Spaces** — writes only to FAQ/runbook space
- **Require Version Messages** — every update must include a changelog entry
- **Filter Page Creation Content** — blocks pages with sensitive keywords
- **Limit Page Content Size** — caps page body length
- **Block Updates to Protected Pages** — critical articles are read-only
- **Prevent Status Changes** — can't change page from published to draft

---

### 38. Ticket Auto-Categorizer
**Starter** · Agno

Reads new Jira issues, auto-assigns priority and labels based on content, routes to the right team. Can't change protected issues, restricted issue types enforced, certain users blocked from assignment.

**Tools:** Atlassian (Jira), Slack

**Why guardrails matter:** Auto-categorization requires write access to issue fields. Jira's guardrails restrict which issue types the agent can set, block assignment to specific users (preventing agents from assigning to executives or on-leave staff), and protect specific issues from any edits.

- **Restrict Issue Types** — allowlist for issue types the agent can create
- **Prevent Assignment to Specific Users** — blocklist for assignees
- **Block Edits to Specific Issues** — critical issues untouchable
- **Block Specific Transitions** — certain status changes blocked
- **Filter Comment Content** — blocks comments with sensitive keywords
- **Block Comments on Specific Issues** — some issues have no-comment rules

---

### 39. Escalation Manager
**Intermediate** · LangGraph

Monitors Jira for aging P1 tickets, checks Slack for related discussion threads, creates escalation events on Google Calendar. Can't modify protected calendars or schedule during blackout periods.

**Tools:** Atlassian (Jira), Slack, Google Calendar

**Why guardrails matter:** Escalation agents that create calendar events need temporal and calendar-level scoping. Civic's Calendar guardrails block scheduling during restricted periods (off-hours, holidays), protect executive calendars from modification, and verify attendee domains.

- **Block Access to Specific Issues (Jira)** — sensitive tickets excluded from monitoring
- **Prevent Transitions on Protected Issues** — can't resolve tickets during escalation
- **Protected Calendars From Modification** — exec calendars untouchable
- **Event Blackout Periods** — no scheduling during off-hours/holidays
- **Blocked Event Attendees** — certain email addresses blocked
- **Restrict Time Changes (Calendar)** — blocks moving events to restricted periods

---

### 40. Customer Onboarding Agent
**Intermediate** · Vercel AI SDK

Creates onboarding task lists in ClickUp, schedules kickoff meetings, sends welcome emails, shares Drive folders. Event attendees verified, email domains approved, file creation scoped.

**Tools:** ClickUp, Google Calendar, Google Gmail, Google Drive

**Why guardrails matter:** Onboarding agents touch every tool in your stack. Without domain verification, the agent could email the wrong person or invite unauthorized attendees. Civic's cross-tool guardrails verify email domains on Calendar invites and Gmail sends, and restrict Drive file creation to onboarding folders.

- **Create Event Verified Domains Only** — only org-domain attendees
- **Approved Email Domains (Gmail)** — sends only to approved domains
- **Allowed Folders for File Creation (Drive)** — restricted to onboarding directory
- **Block Executable File Creation** — prevents dangerous file types
- **Maximum Attendees Per Event** — prevents mass invites
- **Block Path Traversal in File Names** — prevents directory escape

---

### 41. SLA Tracker
**Intermediate** · Mastra

Monitors Jira ticket ages against SLA thresholds, escalates breaches to Slack, maintains an SLA dashboard in Sheets. Sensitive issues excluded from monitoring, user info redacted.

**Tools:** Atlassian (Jira), Slack, Google Sheets

**Why guardrails matter:** SLA monitoring requires broad read access to Jira, but some tickets are confidential. Issue-level blocking ensures sensitive tickets (HR, legal, security) are invisible to the SLA agent, while field redaction hides assignee details from dashboards.

- **Block Access to Specific Issues** — confidential tickets excluded
- **Hide Sensitive Issue Fields** — assignee/reporter details hidden
- **Redact User Information** — user data stripped from responses
- **Limit Search Results** — caps JQL result set
- **Block Formula Injection (Sheets)** — protects SLA dashboard
- **Filter Issue History** — changelog redacted from responses

---

### 42. Customer Feedback Analyzer
**Intermediate** · DSPy

Reads NPS surveys from Sheets, analyzes Intercom transcripts, categorizes feedback themes, posts insights to Notion. PII in survey responses and cells auto-redacted.

**Tools:** Google Sheets, Intercom, Notion, Slack

**Why guardrails matter:** Survey data contains PII — names, emails, phone numbers in free-text responses. Sheets' cell-level PII redaction masks SSNs, emails, and phone numbers before the agent reads them, preventing PII from leaking into feedback reports.

- **Redact PII in Cells (Sheets)** — masks SSN, email, phone in cell values
- **Hide Cells Matching Patterns** — redacts cells matching custom regex patterns
- **Block Full Spreadsheet Read** — prevents unbounded data access
- **Approved Databases (Notion)** — writes only to feedback database
- **Restrict Range Size** — caps cells readable per request
- **Search Sensitive Content Filter (Notion)** — redacts sensitive content in searches

---

### 43. Shared Mailbox Manager
**Intermediate** · Anthropic SDK

Manages MS365 shared mailboxes: reads, categorizes, and routes incoming messages to appropriate teams. HTML auto-converted to Markdown, unnecessary metadata stripped for token efficiency.

**Tools:** MS365 Mail, Slack, Notion

**Why guardrails matter:** MS365 Mail's 18 guardrails are unique — they're all response transforms focused on token efficiency. HTML→Markdown conversion, metadata stripping, and field retention make shared mailbox processing dramatically cheaper and more reliable for LLMs.

- **HTML to Markdown Email Converter** — converts HTML bodies to Markdown
- **Remove Unnecessary Mail Metadata** — strips conversationId, webLink, flags
- **Retain Only Essential Mail Fields** — keeps only id, subject, from, dates, body
- **HTML to Markdown (Shared Mailbox)** — same transform for shared mailbox reads
- **Remove Metadata (Shared Mailbox)** — strips tracking fields
- **Retain Essential Fields (Shared Mailbox)** — minimal field set

---

### 44. Confluence Runbook Maintainer
**Intermediate** · Anthropic SDK

Monitors resolved support tickets, identifies outdated runbook pages, suggests updates, creates new runbooks for recurring issues. Space-scoped, version-messaged, content-filtered.

**Tools:** Atlassian (Confluence), Atlassian (Jira), Slack

**Why guardrails matter:** An agent writing to Confluence can create sprawl, overwrite critical docs, or leak sensitive info. Civic's Confluence guardrails enforce: space scoping (can only create in runbook space), version messages (audit trail), content filtering (blocks sensitive keywords), and page protection (critical docs read-only).

- **Block Page Creation in Spaces** — only writes to runbook space
- **Filter Page Creation Content** — blocks pages with sensitive keywords
- **Require Version Messages** — every edit must include changelog
- **Block Updates to Pages** — critical pages protected by ID
- **Prevent Page Moves** — can't move pages to other spaces
- **Limit Page Content Size** — caps page body length

---

## Engineering & DevOps

### 45. Code Review & Issue Triage
**Intermediate** · Cursor (IDE)

Monitors GitHub PRs and Sentry errors, creates Linear issues for bugs, posts triage summaries to Slack. Everything is scoped to vetted repos and orgs, so the agent cannot see private repos or non-approved organizations.

**Tools:** GitHub, Sentry, Linear, Slack

**Why guardrails matter:** GitHub's 30 guardrails enforce a "vetted org/repo" access model. Every operation — code search, PR listing, issue creation — is scoped to pre-approved organizations and repositories. Combined with Sentry's org-level scoping and Linear's team restrictions, the agent triages within strict boundaries.

- **Restrict to Vetted Organizations (GitHub)** — all operations scoped to approved orgs
- **Restrict to Vetted Repositories (GitHub)** — all operations scoped to approved repos
- **Redact Private Repositories** — private repos invisible in all responses
- **Allowed Organizations Only (Sentry)** — error data scoped to your org
- **Block Issue Creation in Non-Vetted Teams (Linear)** — issues only in approved teams
- **Redact Commit Author Email** — developer PII protected

---

### 46. PR Reviewer Bot
**Intermediate** · OpenAI Agents SDK

Reviews GitHub PRs against team standards, checks for security patterns, posts inline review comments. Can only see vetted repos; private repos are invisible.

**Tools:** GitHub, Slack

**Why guardrails matter:** A PR reviewer needs code access, which means it could read any repo in the org without scoping. GitHub's request-level guardrails restrict code search, PR listing, and repository search to pre-approved repos — the agent can't discover or access anything outside its scope.

- **Restrict Code Search** — only searches within vetted repositories
- **Filter Code Search Results** — redacts results from non-vetted repos
- **Restrict to Vetted Repositories** — all operations scoped
- **Filter Pull Requests to Vetted Repos** — only sees approved-repo PRs
- **Redact PR Author Information** — author details hidden
- **Redact Private Repositories** — private repos invisible

---

### 47. Infrastructure Monitor
**Advanced** · LangGraph

Correlates Cloudflare traffic anomalies, Grafana dashboard metrics, and Sentry error spikes. Creates incident timelines, manages Slack-based escalation, and tracks resolution in Linear.

**Tools:** Cloudflare (Radar, Observability, DNS), Grafana, Sentry, Slack, Linear

**Why guardrails matter:** Multi-tool observability agents touch every monitoring system. Sentry's 15 guardrails enforce org-level and project-level scoping across all operations — the agent monitors only approved services. Combined with Linear's team/project restrictions, escalation stays in scope.

- **Allowed Organizations Only (Sentry)** — all Sentry access scoped to your org
- **Allowed Projects Only by Slug (Sentry)** — project-level access control
- **Block Project/Team Creation (Sentry)** — agent monitors, doesn't configure
- **Block Issue Creation in Non-Vetted Teams (Linear)** — escalation scoped
- **Restrict to Vetted Project Names (Linear)** — project access controlled
- **14 universal guardrails** — PII and prompt-injection protection across Cloudflare and Grafana

---

### 48. Dependency Security Scanner
**Starter** · Goose

Scans GitHub dependencies with Socket, flags supply chain vulnerabilities, creates Linear issues for critical findings. Code search restricted to vetted repos.

**Tools:** GitHub, Socket, Linear, Slack

**Why guardrails matter:** Supply chain attacks make dependency scanning critical. GitHub's code search guardrails ensure the agent only scans vetted repos — preventing it from indexing or discovering code outside its authorized scope. Linear's team restrictions keep findings filed correctly.

- **Restrict Code Search (GitHub)** — only searches vetted repositories
- **Filter Code Search Results** — redacts results from non-vetted repos
- **Restrict to Vetted Organizations** — org-level scoping
- **Block Issue Creation in Non-Vetted Teams (Linear)** — findings in correct team
- **Restrict to Vetted Project Names (Linear)** — project access controlled
- **Redact Workspace URLs (Linear)** — prevents workspace enumeration

---

### 49. Release Notes Generator
**Starter** · Anthropic SDK

Reads GitHub commits and PRs since last release, filters to vetted authors, publishes to Confluence. Author emails redacted; space-scoped page creation enforced.

**Tools:** GitHub, Atlassian (Confluence), Slack

**Why guardrails matter:** Release notes pull from git history, which contains author emails and potentially sensitive branch names. GitHub's response guardrails redact author emails and filter commits to vetted contributors. Confluence's space scoping ensures notes land in the right space.

- **Redact Commit Author Email** — developer PII stripped
- **Filter Commits to Vetted Authors** — only approved contributors shown
- **Filter Branches to Vetted List** — hides experimental/sensitive branches
- **Block Page Creation in Spaces (Confluence)** — scoped to release notes space
- **Require Version Messages** — changelog context on every update
- **Filter Page Creation Content** — blocks sensitive keywords

---

### 50. Incident Postmortem Writer
**Intermediate** · Anthropic SDK

After a Sentry incident, gathers error traces, Slack discussion, and Grafana metrics. Generates a structured postmortem in Google Docs. Project-scoped Sentry access, blocked content patterns in docs.

**Tools:** Sentry, Slack, Grafana, Google Docs

**Why guardrails matter:** Postmortems need broad incident data but shouldn't expose other projects' errors. Sentry's project-level guardrails ensure the agent only sees errors from the affected service, while Docs' content pattern blocking prevents the postmortem from containing credentials or keys.

- **Allowed Projects Only (Sentry)** — only approved projects' errors visible
- **Get Issue Details Allowed Projects Only** — error details scoped
- **Search Issues Allowed Projects Only** — error search scoped
- **Blocked Content Patterns (Docs)** — prevents writing credentials/keys
- **Maximum Content Size (Docs)** — caps document length
- **14 universal guardrails on Grafana** — PII/injection protection on metrics

---

### 51. Salesforce Apex Security Auditor
**Advanced** · Pydantic AI

Reviews Salesforce Apex code for security anti-patterns: `without sharing` classes, delete operations on core objects, bulk DML in anonymous Apex. Creates findings in Linear.

**Tools:** Salesforce, Linear, Slack

**Why guardrails matter:** Salesforce's Apex-specific guardrails (8 rules) are uniquely powerful: they block `without sharing` and `System.runAs` in Apex classes, prevent anonymous Apex from running delete operations or bulk DML, restrict Apex class names to an allowlist, and block delete patterns in triggers. The agent audits code safety while being constrained by the same rules it checks.

- **Block System Mode Apex** — blocks `without sharing` and `System.runAs`
- **Block Anonymous Apex Delete Operations** — prevents deletes in anonymous Apex
- **Block Bulk DML in Anonymous Apex** — prevents Database class DML
- **Block Dangerous Apex Delete Patterns** — blocks delete on core objects in Apex
- **Block Apex Trigger Delete Patterns** — blocks deletes in trigger code
- **Restrict Apex Class Names** — allowlist for class naming

---

### 52. Sprint Planning Assistant
**Intermediate** · CrewAI

Analyzes Linear backlog, estimates effort from historical data, suggests sprint compositions. Scoped to vetted teams and projects; admin status and user activity timestamps redacted.

**Tools:** Linear, Slack, Google Sheets

**Why guardrails matter:** Sprint planning requires reading across all team issues, which means the agent could discover team structures and user activity. Linear's guardrails redact admin status (preventing privilege discovery) and last-seen timestamps (protecting user privacy).

- **Restrict to Vetted Team Names** — only approved teams visible
- **Filter Issues to Vetted Projects** — issues scoped to approved projects
- **Redact User Admin Status** — prevents privilege discovery
- **Redact User Last Seen Status** — protects user activity privacy
- **Redact Workspace URLs** — prevents workspace enumeration
- **Block Email Addresses in Searches** — can't search users by email

---

### 53. Database Migration Validator
**Advanced** · Pydantic AI

Runs read-only validation queries against PostgreSQL staging: checks row counts, schema diffs, data integrity post-migration. Full SQL injection protection suite active.

**Tools:** PostgreSQL, Slack, Google Sheets

**Why guardrails matter:** PostgreSQL's 22 guardrails form the strongest SQL protection suite on the platform. Even "just running validation queries" on a staging database needs injection protection: without guardrails, a prompt injection in migration data could escalate to a write operation.

- **Block Write Operations** — prevents INSERT/UPDATE/DELETE/DDL
- **Block Dynamic SQL Construction** — stops `||`, CONCAT, CHR injection
- **Block Query Stacking** — prevents multi-statement injection via semicolons
- **Block SQL Comments** — prevents comment-based injection (`--` and `/* */`)
- **Block System Tables Access** — no pg_catalog, information_schema
- **Protect Sensitive Columns** — blocks queries on specified columns
- **Block Function Execution** — prevents stored procedure calls

---

### 54. GitHub Org Security Auditor
**Starter** · Claude Desktop

Reviews repository settings, branch protection, and team access across your GitHub org. User PII (real name, email, location, private repo counts) auto-redacted.

**Tools:** GitHub, Slack, Google Sheets

**Why guardrails matter:** Security auditing means reading user and team data, which exposes PII. GitHub's response guardrails redact real names, email addresses, locations, private repo counts, and private gist counts from all user data — the agent audits access patterns without learning personal details.

- **Redact User Real Name** — real names hidden from user data
- **Redact User Email Addresses** — emails stripped
- **Redact User Location** — location data hidden
- **Redact Owned Private Repos Count** — private repo info hidden
- **Redact Total Private Repos Count** — total private repos hidden
- **Redact Private Gists Count** — gist info hidden
- **Restrict to Vetted Organizations** — scoped to your org only

---

### 55. Log Analyzer
**Intermediate** · LlamaIndex

Queries Cloudflare Observability logs and Elasticsearch indices, identifies patterns and anomalies, generates diagnostic summaries in Notion. Write-scoped to approved databases.

**Tools:** Cloudflare Observability, Elasticsearch, Notion, Slack

**Why guardrails matter:** Log analysis agents read broadly across observability data. Notion's guardrails ensure findings are written only to approved databases, and protected pages prevent overwriting existing analysis. Universal guardrails on Cloudflare and Elasticsearch provide PII and injection protection.

- **Approved Databases (Notion)** — writes only to diagnostics database
- **Protected Pages (Notion)** — existing analysis pages read-only
- **Search Term Filter (Notion)** — blocks sensitive term searches
- **Batch Operation Size Limit (Notion)** — caps bulk writes
- **14 universal guardrails on Cloudflare** — PII/injection protection
- **14 universal guardrails on Elasticsearch** — baseline protection

---

### 56. API Documentation Generator
**Intermediate** · Anthropic SDK

Reads GitHub source code and PRs, pulls library docs from Context7, generates API documentation in Confluence. Space-scoped, content-filtered, private pages enforced.

**Tools:** GitHub, Context7, Atlassian (Confluence)

**Why guardrails matter:** API docs generated from source code might inadvertently include credentials, internal URLs, or sensitive patterns in code comments. Confluence's content filtering blocks pages with sensitive keywords, and space scoping ensures docs land in the right space.

- **Restrict to Vetted Repositories (GitHub)** — only reads approved repos
- **Block Page Creation in Spaces (Confluence)** — only API docs space
- **Filter Page Creation Content** — blocks sensitive keywords
- **Limit Page Content Size** — caps page body
- **Prevent Private Page Creation** — enforces visibility
- **Require Version Messages** — changelog on every update

---

### 57. MSSQL Read-Only Analyst
**Advanced** · Pydantic AI

Queries MS-SQL databases for business intelligence. Full T-SQL injection protection: no xp_cmdshell, no OPENROWSET, no query stacking, no system table access. WHERE clause required on any UPDATE.

**Tools:** MS-SQL, Google Sheets, Slack

**Why guardrails matter:** MSSQL's 24 guardrails are the deepest database protection set: they block extended stored procedures (xp_cmdshell, xp_regwrite), external data access (OPENROWSET, OPENDATASOURCE, OPENQUERY), system stored procedures (sp_configure), dynamic T-SQL construction, and SQL comments. This is enterprise-grade database agent security.

- **Block Extended Stored Procedures** — no xp_cmdshell, xp_regwrite
- **Block External Data Access** — no OPENROWSET, OPENDATASOURCE, OPENQUERY
- **Block System Stored Procedures** — no sp_configure, sp_addlinkedserver
- **Block System Tables Access** — no sys.*, INFORMATION_SCHEMA, master, msdb
- **Block Dynamic T-SQL Construction** — no CONCAT, CHAR/NCHAR, hex literals
- **Require WHERE Clause on UPDATE** — prevents accidental bulk updates
- **Block Query Stacking** — no semicolons for multi-statement injection

---

### 58. Workflow Automation Monitor
**Intermediate** · Agno

Watches n8n workflow executions, detects failures, creates Linear issues for broken automations, alerts on Slack. Issue creation scoped to approved teams and projects.

**Tools:** n8n, Linear, Slack

**Why guardrails matter:** Automation monitoring needs to create issues in the right team when workflows fail. Linear's team and project restrictions ensure issue creation is scoped, and workspace URL redaction prevents the agent from discovering org structure.

- **Block Issue Creation in Non-Vetted Teams (Linear)** — scoped to ops team
- **Restrict to Vetted Project Names** — project-level access control
- **Restrict to Vetted Project IDs** — ID-level access control
- **Redact Workspace URLs** — prevents workspace enumeration
- **Redact User Admin Status** — hides privilege info
- **14 universal guardrails on n8n** — baseline protection

---

## Data & Analytics

### 59. Secure Data Analyst ⭐ S-TIER
**Intermediate** · Pydantic AI

Runs SQL queries against your warehouse, writes results to Sheets. Guardrails block the agent from writing data, constructing dynamic SQL, accessing system tables, reading sensitive columns, or exfiltrating data via COPY/UNLOAD. This is the strongest technical guardrail demo on the platform.

**Tools:** PostgreSQL, Redshift, Google Sheets, Google Slides

**Why guardrails matter:** SQL injection protection is Civic's most technically differentiated guardrail. Across PostgreSQL (22 guardrails) and Redshift (17 guardrails), every known SQL injection vector is blocked: query stacking, dynamic SQL construction (CONCAT, CHR, hex literals), SQL comments, stored procedure execution, system table access, and COPY/UNLOAD data exfiltration. Column-level masking blocks queries on sensitive fields. This is what "defense in depth" looks like for database agents.

- **Block Write Operations** — prevents INSERT/UPDATE/DELETE/DDL across all databases
- **Block Dynamic SQL Construction** — stops CONCAT, CHR/CHAR, hex literal injection
- **Block Query Stacking** — no semicolons for multi-statement injection
- **Block SQL Comments** — prevents comment-based injection (--, /* */)
- **Block System Tables Access** — no `pg_catalog`, `information_schema`, `stv_*`, `stl_*`
- **Protect Sensitive Columns** — blocks queries on salary, SSN, password columns
- **Block COPY/UNLOAD (Redshift)** — prevents bulk data exfiltration
- **Block Function Execution** — prevents stored procedure calls
- **Query Length Limit** — prevents resource exhaustion
- **Result Row Limit** — caps rows returned per query

---

### 60. Secure Database Admin Assistant ⭐ S-TIER
**Advanced** · LangGraph

Helps DBAs query across PostgreSQL, MySQL, MSSQL, and MongoDB. Every database has its own injection protection suite. Tables are protected regardless of aliasing or obfuscation attempts.

**Tools:** PostgreSQL, MySQL, MS-SQL, MongoDB

**Why guardrails matter:** The anti-aliasing guardrail is unique: it blocks access to protected tables regardless of how they're referenced — aliased, quoted, schema-qualified, or obfuscated. Combined with character set enforcement and JOIN complexity limits, this is the most thorough database security agent possible.

- **Protect Tables (Anti-Aliasing)** — blocks protected tables regardless of aliasing tricks
- **Block Extended Stored Procedures (MSSQL)** — no xp_cmdshell
- **Block External Data Access (MSSQL)** — no OPENROWSET/OPENDATASOURCE
- **Enforce Basic SQL Character Set** — restricts to approved characters
- **Enforce Custom Character Set** — org-defined character restrictions
- **Limit JOIN Complexity** — caps JOINs per query
- **Block Query Stacking** — across all 4 databases
- **Require WHERE Clause on UPDATE (MSSQL)** — prevents bulk updates
- **Block Table Schema Access (MySQL)** — hides schema details
- **Filter Table Listings (MySQL)** — hides protected tables from listings

---

### 61. Executive Dashboard Builder
**Advanced** · Vercel AI SDK

Pulls data from Google Analytics, Salesforce, and Stripe into a live dashboard. Financial data redacted across all three sources — the dashboard shows trends, not dollar amounts.

**Tools:** Google Analytics, Salesforce, Stripe, Google Sheets

**Why guardrails matter:** Executive dashboards aggregate sensitive data from multiple systems. Civic's cross-tool redaction strips financial data from Salesforce responses, customer emails from Stripe responses, and user identifiers from GA reports. The dashboard shows business metrics without raw sensitive data.

- **Restrict Report Properties (GA)** — scoped to approved properties
- **Redact Report User IDs (GA)** — user identifiers stripped
- **Restrict Queries to Vetted Objects (Salesforce)** — object-level scoping
- **Redact Financial Data (Salesforce)** — Amount, Revenue, Price hidden
- **Redact Customer Sensitive Data (Stripe)** — customer emails masked
- **Filter Payment Intent Status (Stripe)** — only approved payment statuses visible

---

### 62. Product Analytics Agent
**Intermediate** · Haystack

Queries Mixpanel and PostHog for user behavior, correlates with Elasticsearch logs, writes insights to Sheets. Universal guardrails protect all analytics queries; Sheets prevents formula injection.

**Tools:** Mixpanel, PostHog, Elasticsearch, Google Sheets

**Why guardrails matter:** Product analytics agents process user-level behavioral data. While Mixpanel and PostHog use universal guardrails, Google Sheets' specific guardrails prevent formula injection in reports — stopping `=IMPORTRANGE` or `=IMAGE` attacks that could exfiltrate data from shared analytics sheets.

- **Block Formula Injection (Sheets)** — prevents malicious formula values
- **Restrict Input to RAW** — forces plain values, no formula evaluation
- **Prevent Data Overwrite** — only writes to empty cells
- **Block Full Spreadsheet Read** — prevents unbounded data access
- **Restrict Range Size** — caps cells per read operation
- **14 universal guardrails on analytics tools** — PII/injection protection

---

### 63. Data Quality Monitor
**Intermediate** · Pydantic AI

Runs validation queries against PostgreSQL: checks for nulls, duplicates, outliers, schema drift. Full SQL injection protection active even for "just" validation queries.

**Tools:** PostgreSQL, Google Sheets, Slack

**Why guardrails matter:** "It's just validation queries" is how injection attacks happen. Even read-only monitoring agents need the full SQL protection suite — a prompt injection embedded in data could escalate to system table reads or function execution without guardrails.

- **Block Write Operations** — read-only enforcement
- **Block Dynamic SQL Construction** — injection prevention
- **Block System Tables Access** — no pg_catalog access
- **Block Function Execution** — no stored procedure calls
- **Query Length Limit** — prevents resource exhaustion
- **Result Row Limit** — caps output size

---

### 64. Google Analytics Privacy Agent
**Intermediate** · Pydantic AI

Generates analytics reports with privacy controls: user-scoped dimensions blocked, geo details hidden below country level, IP addresses filtered, user IDs redacted. The agent sees aggregate trends, not individuals.

**Tools:** Google Analytics, Google Sheets, Slack

**Why guardrails matter:** Google Analytics' 41 guardrails form the most comprehensive analytics privacy suite on the platform. User-scoped dimension blocking, multi-level PII filtering (emails, phones, IPs, transaction IDs), geographic detail suppression, and property-level scoping make this the model for privacy-first analytics.

- **Block User-Scoped Dimensions** — prevents individual user tracking
- **Filter Report PII** — strips emails and phones from dimension values
- **Hide Report Geo Details** — redacts sub-country geographic data
- **Redact Report User IDs** — user identifiers stripped
- **Filter IP Addresses** — IP data removed from reports
- **Filter Transaction IDs** — transaction identifiers stripped
- **Redact Report Emails** — email and phone dimensions hidden
- **Report Row Limit** — caps rows returned
- **Restrict Report Properties** — scoped to approved properties

---

### 65. Customer Segmentation Agent
**Advanced** · LangGraph

Queries Redshift for behavioral data, runs clustering analysis, pushes segments to ActiveCampaign as tags. Write-blocked on Redshift, sensitive columns protected, tag operations controlled.

**Tools:** Redshift, ActiveCampaign, Google Sheets, Slack

**Why guardrails matter:** Segmentation requires reading PII-adjacent behavioral data. Redshift's write blocking prevents any data modification, sensitive column protection hides raw PII from segmentation queries, and ActiveCampaign's tag guardrails prevent applying protected tag categories.

- **Block Write Operations (Redshift)** — read-only enforcement
- **Protect Sensitive Columns** — salary, SSN, email columns blocked
- **Block COPY/UNLOAD** — prevents bulk data exfiltration
- **Restrict SELECT * Usage** — no wildcard column access
- **Block Sensitive Tags (ActiveCampaign)** — protected tag categories
- **Block Email Enumeration (ActiveCampaign)** — no wildcard searches

---

### 66. Redshift Data Exfiltration Guard
**Intermediate** · Agno

Monitors and validates Redshift queries: blocks COPY/UNLOAD (bulk export), external schema access (Spectrum), and maintenance operations. Logs all query patterns to Sheets.

**Tools:** Redshift, Google Sheets, Slack

**Why guardrails matter:** Redshift's 17 guardrails specifically target data exfiltration: COPY/UNLOAD blocking prevents bulk data export, external schema access blocking prevents Spectrum/federated query abuse, and maintenance operation blocking prevents VACUUM/ANALYZE resource exhaustion.

- **Block COPY/UNLOAD Operations** — prevents bulk data export
- **Block External Schema Access** — prevents Spectrum/federated queries
- **Block Maintenance Operations** — prevents VACUUM/ANALYZE resource abuse
- **Block Write Operations** — read-only enforcement
- **MaxRows Parameter Limit** — caps result set size
- **Block System Tables Access** — no `stv_*`, `stl_*`, `svv_*`, `pg_*` access

---

### 67. A/B Test Analyst
**Intermediate** · DSPy

Reads experiment configs from Notion, pulls metrics from Google Analytics and PostHog, calculates significance, reports results. User-scoped dimensions blocked for privacy.

**Tools:** Google Analytics, PostHog, Notion, Google Sheets

**Why guardrails matter:** A/B test analysis requires user-level metrics, which risks individual identification. GA's guardrails block user-scoped dimensions and sensitive dimension combinations, ensuring the agent calculates significance from aggregate data only.

- **Block Sensitive Dimension Combinations (GA)** — prevents identifying combos
- **Block User-Scoped Dimensions** — no individual tracking
- **Redact Report User IDs** — identifiers stripped
- **Restrict Report Properties** — scoped to approved properties
- **Approved Databases (Notion)** — experiment configs from approved DB
- **Report Row Limit** — caps data per report

---

### 68. MySQL Read-Only Analyst
**Intermediate** · Pydantic AI

Queries MySQL databases for reporting. Write operations fully blocked, table listings filtered, schema access restricted. Character set enforcement prevents encoding-based attacks.

**Tools:** MySQL, Google Sheets, Slack

**Why guardrails matter:** MySQL's 16 guardrails include a unique table listing filter: protected tables are hidden from `SHOW TABLES` and table listing resources, preventing the agent from even discovering sensitive tables exist. Combined with write blocking and schema access restriction, this is clean read-only database access.

- **Block Write Operations** — prevents all DML and DDL
- **Filter Table Listings** — hides protected tables from listings
- **Block Table Schema Access** — prevents schema detail reads on protected tables
- **Block Function Execution** — no stored procedure calls
- **Protect Tables (Anti-Aliasing)** — blocks access regardless of aliasing
- **Result Row Limit** — caps output rows

---

### 69. ETL Pipeline Monitor
**Intermediate** · Mastra

Monitors Redshift query performance, checks for stale tables, validates row counts post-ETL. Bulk export operations blocked even for monitoring agents.

**Tools:** Redshift, Slack, Google Sheets

**Why guardrails matter:** ETL monitoring agents need to query production warehouses. Even "just checking row counts" could be exploited for data exfiltration via COPY/UNLOAD without guardrails. Civic's Redshift protection ensures the monitoring agent can validate without risk.

- **Block COPY/UNLOAD Operations** — prevents bulk export even for monitors
- **Block External Schema Access** — no Spectrum abuse
- **Block Write Operations** — read-only enforcement
- **Block Maintenance Operations** — prevents VACUUM/ANALYZE
- **MaxRows Parameter Limit** — caps result sets
- **Block System Tables Access** — system catalogs hidden

---

### 70. Cross-Database Query Agent
**Advanced** · LangGraph

Queries PostgreSQL, MySQL, and MSSQL in a single workflow — joining results across databases. Each database has its own injection protection suite; anti-aliasing protection prevents table access tricks across all three.

**Tools:** PostgreSQL, MySQL, MS-SQL, Google Sheets

**Why guardrails matter:** Cross-database agents face injection vectors from three different SQL dialects simultaneously. Civic applies each database's specific guardrail suite independently — PostgreSQL's 22, MySQL's 16, and MSSQL's 24 guardrails all active at once, with per-database character set enforcement and table protection.

- **Block Dynamic SQL Construction** — across all 3 databases (different patterns per dialect)
- **Block Query Stacking** — semicolons blocked on all 3
- **Protect Tables Anti-Aliasing** — works per-database
- **Block System Tables Access** — database-specific system catalog blocking
- **Enforce Character Set** — per-database character restrictions
- **Block SQL Comments** — injection prevention across dialects

---

## Finance & Accounting

### 71. Invoice Automation Agent ⭐ S-TIER
**Advanced** · Semantic Kernel

Creates Stripe invoices from Salesforce deal data, tracks payment status, reconciles with QuickBooks. Every write operation — create invoice, create price, finalize invoice — requires admin role. Non-admins are blocked at the guardrail level.

**Tools:** Stripe, QuickBooks, Salesforce, Google Sheets

**Why guardrails matter:** Stripe's 24 guardrails are the deepest admin-gating system on the platform. Nearly every financial write operation (create invoice, create price, create coupon, create payment link, finalize invoice, create refund, cancel subscription, update subscription) is gated by admin role. Combined with price floors/ceilings and refund caps, this is the most controlled financial agent possible.

- **Block Create Invoice for Non-Admin** — invoice creation requires admin
- **Block Create Price for Non-Admin** — price setting requires admin
- **Block Finalize Invoice for Non-Admin** — finalization requires admin
- **Block Create Refund for Non-Admin** — refunds require admin
- **Maximum Price Amount** — caps unit price ceiling
- **Minimum Price Amount** — enforces price floor
- **Maximum Refund Amount** — caps refund ceiling per transaction
- **Redact Customer Sensitive Data** — customer emails masked

---

### 72. Subscription Manager ⭐ S-TIER
**Advanced** · Anthropic SDK

Handles Stripe subscription lifecycle: upgrades, downgrades, coupon applications, cancellations. Every action admin-gated. Coupon discounts capped at both percentage and dollar amount.

**Tools:** Stripe, HubSpot, Slack, Google Sheets

**Why guardrails matter:** Subscription management is the highest-risk Stripe operation. An agent that can cancel subscriptions or apply 100% discount coupons could destroy revenue. Civic's guardrails gate every operation by admin role AND cap coupon values — double protection on the most dangerous actions.

- **Block Cancel Subscription for Non-Admin** — cancellation gated
- **Block Update Subscription for Non-Admin** — changes gated
- **Block Create Coupon for Non-Admin** — coupon creation gated
- **Maximum Coupon Percentage** — caps discount percentage
- **Maximum Coupon Amount** — caps discount dollar amount
- **Approved Customer Email Domains** — customer creation restricted
- **Block Create Payment Link for Non-Admin** — payment links gated
- **Payment Link Quantity Limit** — caps quantity on payment links

---

### 73. E-Commerce Operations Agent ⭐ S-TIER
**Advanced** · Vercel AI SDK

Monitors Shopify orders, processes Stripe payments, updates inventory in Sheets, sends order updates via MS365 Mail. Payment operations admin-gated, product naming enforced, HTML auto-converted for email processing.

**Tools:** Shopify, Stripe, MS365 Mail, Google Sheets

**Why guardrails matter:** E-commerce agents touch payments, inventory, and customer communication simultaneously. Stripe's admin-gating prevents unauthorized payment actions, product name patterns enforce naming conventions (preventing typosquatting), and MS365's HTML→Markdown conversion makes email processing reliable and token-efficient.

- **Block Create Payment Link for Non-Admin** — payment links gated
- **Payment Link Quantity Limit** — caps quantities
- **Product Name Pattern (Stripe)** — enforces naming conventions
- **Approved Customer Email Domains (Stripe)** — customer creation restricted
- **Block Create Product for Non-Admin** — product creation gated
- **HTML to Markdown (MS365)** — reliable email processing
- **Remove Unnecessary Mail Metadata (MS365)** — token-efficient reads

---

### 74. Expense Report Processor
**Intermediate** · Pydantic AI

Reads receipt emails, extracts data via Mistral OCR, categorizes in Bill.com, summarizes in Sheets. OCR output has PII auto-redacted; SSRF protection on URL-based OCR.

**Tools:** Google Gmail, Mistral OCR, Bill.com Spend & Expense, Google Sheets

**Why guardrails matter:** Mistral OCR's 4 guardrails target two risks: SSRF (blocking localhost and private IP URLs) and PII in extracted text (redacting SSN, credit cards, phones, emails from OCR output). The agent extracts receipt data without seeing raw PII in scanned documents.

- **OCR URL — Block Internal Network URLs** — SSRF protection on URL-based OCR
- **OCR Base64 — Maximum Payload Size** — prevents memory exhaustion (10MB cap)
- **OCR URL — Redact PII from Extracted Text** — SSN, cards, phones, emails stripped
- **OCR Base64 — Redact PII from Extracted Text** — same for base64 uploads
- **Message Content Filter (Gmail)** — filters sensitive email content
- **Block Formula Injection (Sheets)** — protects expense summaries

---

### 75. Crypto Portfolio Tracker
**Starter** · Claude Desktop

Tracks prices and market data for your approved coins only. The agent can't see trending coins, new listings, or gainers/losers outside your vetted list — preventing exposure to unvetted assets.

**Tools:** CoinGecko, Google Sheets, Slack

**Why guardrails matter:** CoinGecko's 11 guardrails enforce an asset allowlist across every endpoint: price queries, historical data, market charts, OHLC candles, search, trending, new listings, and gainers/losers. The agent is blind to any coin not on your approved list.

- **Restrict to Vetted Coin IDs** — only approved coins queryable
- **Restrict Simple Price to Vetted Coins** — price data scoped
- **Restrict Market Chart to Vetted Coins** — chart data scoped
- **Filter Trending to Vetted Coins** — trending feed filtered
- **Filter New Coins to Vetted List** — new listings filtered
- **Filter Gainers/Losers to Vetted Coins** — movement data filtered
- **Filter Market Data to Vetted Coins** — market data filtered

---

### 76. Stripe Payment Dashboard
**Intermediate** · Vercel AI SDK

Real-time payment monitoring: tracks payment intents, filters by status, alerts on failures. Customer data redacted, sensitive search terms blocked, payment statuses filtered.

**Tools:** Stripe, Google Sheets, Slack

**Why guardrails matter:** Payment monitoring agents need read access to transaction data, but shouldn't see raw customer information. Stripe's response guardrails redact customer email data from listings and filter payment intents to approved statuses only.

- **Redact Customer Sensitive Data** — emails masked in customer listings
- **Customer List Limit** — caps customers returned per query
- **Filter Payment Intent Status** — only approved statuses visible
- **Block Sensitive Search Terms** — blocks searches for sensitive patterns
- **Safe Search Patterns** — restricts to approved search patterns
- **Block Formula Injection (Sheets)** — protects dashboard

---

### 77. AP Automation Agent
**Intermediate** · LangGraph

Processes incoming bills from Bill.com, matches to POs in Sheets, routes for approval. Protected spreadsheets are read-only; the agent can only write to empty cells.

**Tools:** Bill.com AP/AR, AWS Billing, Google Sheets, Slack

**Why guardrails matter:** Accounts payable agents modify financial spreadsheets. Civic's Sheets guardrails prevent overwriting existing data (protecting formulas and historical entries), block formula injection, and enforce read-only on protected spreadsheets.

- **Block Modification of Protected Spreadsheets** — critical sheets read-only
- **Prevent Data Overwrite** — only writes to empty cells
- **Block Formula Injection** — prevents malicious formulas
- **Restrict Input to RAW** — forces plain values
- **Restrict Range Size** — caps cells per read
- **14 universal guardrails on Bill.com/AWS** — baseline protection

---

### 78. Revenue Recognition Agent
**Advanced** · Semantic Kernel

Maps Stripe payment data to QuickBooks accounts, generates revenue schedules in Sheets. Payment intents filtered by status; protected sheet ranges enforced.

**Tools:** Stripe, QuickBooks, Google Sheets

**Why guardrails matter:** Revenue recognition requires precise financial data handling. Stripe's payment intent filtering ensures only approved statuses are visible, and Sheets' protected range modification blocking prevents changes to accounting-formula cells.

- **Filter Payment Intent Status (Stripe)** — only approved statuses
- **Redact Customer Sensitive Data** — customer PII masked
- **Block Protected Range Modification (Sheets)** — accounting cells protected
- **Block Full Spreadsheet Read** — prevents unbounded access
- **Customer List Limit** — caps query results
- **14 universal guardrails on QuickBooks** — baseline protection

---

### 79. Payment Reconciliation Agent
**Advanced** · Pydantic AI

Compares Stripe transactions against PayPal records and bank statements in Sheets. Sensitive search terms blocked across both payment platforms, customer data redacted.

**Tools:** Stripe, PayPal, Google Sheets, Slack

**Why guardrails matter:** Reconciliation agents search across payment platforms, and those searches could match sensitive patterns (card numbers, bank routing). Stripe's sensitive search term blocking and safe search pattern enforcement prevent the agent from querying for dangerous terms.

- **Block Sensitive Search Terms (Stripe)** — blocks dangerous search patterns
- **Safe Search Patterns (Stripe)** — restricts to approved patterns
- **Redact Customer Sensitive Data** — customer emails masked
- **Block Formula Injection (Sheets)** — protects reconciliation sheets
- **Prevent Data Overwrite (Sheets)** — append-only
- **14 universal guardrails on PayPal** — baseline protection

---

### 80. Financial Reporting Agent
**Advanced** · Anthropic SDK

Queries Redshift for financial data, pulls QuickBooks reports, produces monthly P&L in Google Slides. Sensitive columns (salary, revenue, cost) protected at query level; write operations blocked.

**Tools:** Redshift, QuickBooks, Google Slides, Google Sheets

**Why guardrails matter:** Financial reports pull from warehouse data where sensitive columns must be protected. Redshift's column-level protection blocks queries on specified fields, and write blocking ensures the agent can never modify source data.

- **Protect Sensitive Columns (Redshift)** — salary/revenue/cost columns blocked
- **Block Write Operations** — read-only enforcement
- **Block COPY/UNLOAD** — prevents data export
- **Block External Schema Access** — no Spectrum queries
- **Protected Presentation IDs (Slides)** — existing reports read-only
- **Block External URLs (Slides)** — prevents external content injection

---

### 81. CardPointe Payment Agent
**Intermediate** · Mastra

Processes credit card authorizations, manages customer payment profiles for recurring billing, generates transaction reports. Universal guardrails protect all payment operations.

**Tools:** CardPointe, Google Sheets, Slack

**Why guardrails matter:** Payment processing agents handle card data. While CardPointe uses universal guardrails, the prompt injection and PII protection are critical here — preventing the agent from being manipulated into logging card numbers or exposing payment profiles.

- **14 universal guardrails** — prompt injection and PII protection on all payment ops
- **Block Formula Injection (Sheets)** — protects transaction reports
- **Restrict Input to RAW (Sheets)** — prevents formula evaluation
- **Prevent Data Overwrite (Sheets)** — append-only transaction log
- **Block Full Spreadsheet Read** — prevents unbounded data access

---

### 82. Stripe Product Catalog Manager
**Intermediate** · OpenAI Agents SDK

Manages Stripe product catalog: creates products and prices with naming pattern enforcement, price floors and ceilings. All write operations admin-gated.

**Tools:** Stripe, Google Sheets, Slack

**Why guardrails matter:** Product catalog changes directly affect what customers see and pay. Stripe's product name pattern enforcement prevents typosquatting or brand-inconsistent naming, while price floors/ceilings prevent $0 products or $999,999 pricing errors.

- **Block Create Product for Non-Admin** — product creation gated
- **Product Name Pattern** — enforces naming conventions
- **Block Create Price for Non-Admin** — price setting gated
- **Maximum Price Amount** — caps price ceiling
- **Minimum Price Amount** — enforces price floor
- **Approved Customer Email Domains** — customer creation restricted

---

## HR & People Ops

### 83. HR Onboarding Coordinator
**Intermediate** · OpenAI Agents SDK

Schedules onboarding meetings, creates Notion tasks, sends welcome emails. Calendar blackout periods enforced, exec calendars protected, email recipients verified.

**Tools:** Google Calendar, Google Gmail, Notion, Slack, Insperity

**Why guardrails matter:** Onboarding agents schedule meetings and send emails to new hires. Calendar guardrails prevent scheduling during company blackouts (holidays, all-hands), protect executive calendars from modification, and verify attendee domains — ensuring the agent can't book exec time or email the wrong person.

- **Event Blackout Periods** — no scheduling during holidays or freezes
- **Protected Calendars From Modification** — exec calendars untouchable
- **Block Delete Event** — can't remove existing events
- **Single Recipient Only (Gmail)** — welcome emails to verified address only
- **Draft Content Filter (Gmail)** — blocks sensitive content in drafts
- **Approved Page Parents (Notion)** — onboarding docs only in HR database

---

### 84. Recruiting Pipeline Agent
**Intermediate** · LangGraph

Tracks candidates in Sheets, schedules interviews via Calendar, sends status update emails, logs notes in Notion. Candidate PII masked in spreadsheets, interview attendees domain-verified.

**Tools:** Google Sheets, Google Calendar, Google Gmail, Notion

**Why guardrails matter:** Recruiting data contains PII — candidate names, emails, phone numbers, salary expectations. Sheets' cell-level PII redaction masks this data before the agent processes it, and Calendar's domain verification ensures interviews are only scheduled with org-domain attendees.

- **Redact PII in Cells (Sheets)** — masks SSN, email, phone in candidate data
- **Hide Cells Matching Patterns** — custom regex matching for PII
- **Create Event Verified Domains Only** — interview attendees verified
- **Approved Email Domains (Gmail)** — status emails to approved domains only
- **Approved Page Parents (Notion)** — notes only in recruiting database
- **Block Protected Range Modification (Sheets)** — formula cells protected

---

### 85. Performance Review Aggregator
**Intermediate** · Anthropic SDK

Collects peer feedback from Google Forms (Sheets), manager notes from Notion, compiles anonymized review summaries in Docs. PII patterns auto-redacted across all sources.

**Tools:** Google Sheets, Notion, Google Docs

**Why guardrails matter:** Performance data is among the most sensitive in any org. Sheets' PII redaction strips names and emails from feedback responses, Notion's approved page restriction scopes input, and Docs' PII pattern redaction catches anything that slips through.

- **Redact PII in Cells (Sheets)** — strips PII from feedback responses
- **Hide Cells Matching Patterns** — custom regex for sensitive patterns
- **Block Full Spreadsheet Read** — prevents unbounded access
- **Approved Pages (Notion)** — only sanctioned feedback pages
- **PII Patterns to Redact (Docs)** — catches PII in compiled reviews
- **Restrict Range Size (Sheets)** — caps cells per read

---

### 86. Offboarding Checklist Agent
**Intermediate** · Mastra

When an employee departs: creates a ClickUp checklist, blocks deletion of recurring calendar events, notifies IT on Slack. The agent can process offboarding without destroying calendar history.

**Tools:** ClickUp, Google Calendar, Slack, Google Drive

**Why guardrails matter:** Offboarding agents need to modify accounts without destroying history. Calendar's guardrails protect recurring events from deletion and block deletion of events with VIP attendees — ensuring the departing employee's meeting history is preserved.

- **Protect Recurring Events** — can't delete event series
- **Protect VIP Events** — events with certain attendees can't be deleted
- **Protected Calendars From Deletion** — calendar-level protection
- **Block Delete Event** — deletion blocked (use cancellation instead)
- **Allowed Folders for File Creation (Drive)** — archive folder scoped
- **Block Path Traversal** — prevents directory escape

---

### 87. ServiceTitan Field Staff Agent
**Intermediate** · Pydantic AI

Coordinates ServiceTitan jobs, schedules routes via Calendar, logs notes in Notion. Customer PII (phone, email, address) auto-redacted. Technicians filtered by business unit.

**Tools:** ServiceTitan, Google Calendar, Notion, Slack

**Why guardrails matter:** ServiceTitan's 6 guardrails are all PII-focused: customer phone/email/address redaction, caller information masking, call recording URL hiding, and technician access scoping by business unit. The agent dispatches without seeing any customer personal details.

- **Redact Customer PII** — phone, email, address auto-masked
- **Redact Location Addresses** — street addresses hidden
- **Filter Technicians by Business Unit** — only authorized techs visible
- **Redact Caller Information** — caller phone and personal info masked
- **Redact Call Recording URLs** — recordings and transcripts protected
- **Redact Form Responses** — sensitive form data hidden

---

### 88. Insperity HR Data Agent
**Intermediate** · Anthropic SDK

Accesses employee data and payroll information through Insperity, generates workforce reports in Sheets. Universal guardrails protect all HR data with PII and prompt injection filtering.

**Tools:** Insperity, Google Sheets, Slack

**Why guardrails matter:** HR and payroll data is the most sensitive in any org. Universal guardrails provide PII auto-redaction and prompt injection protection on all Insperity responses. Sheets guardrails prevent formula injection in payroll reports and protect existing data from overwrite.

- **14 universal guardrails on Insperity** — PII/injection protection on all HR data
- **Block Formula Injection (Sheets)** — protects payroll reports
- **Prevent Data Overwrite (Sheets)** — payroll data is append-only
- **Block Full Spreadsheet Read** — prevents bulk export of HR data
- **Restrict Range Size** — caps cells per read
- **Block Modification of Protected Spreadsheets** — payroll sheets locked

---

## Legal & Compliance

### 89. Contract Review Agent
**Advanced** · LlamaIndex

Reads contracts from Dropbox, extracts key terms via OCR, flags risky clauses, logs findings in Sheets. Sensitive file extensions auto-filtered; SSRF protection on OCR; folder-scoped access.

**Tools:** Dropbox, Mistral OCR, Google Sheets, Slack

**Why guardrails matter:** Contract review requires reading files that may contain keys, credentials, or encrypted content alongside legal text. Dropbox's 55 guardrails provide the deepest file safety: folder scoping (both source and destination), malicious format blocking, sensitive extension filtering (.key, .pem, .env), and email domain validation on file paths.

- **Allowed Folders Only (Dropbox)** — scoped to contracts directory
- **Block Malicious Formats** — prevents accessing dangerous file types
- **Filter Sensitive Extensions** — .key, .pem, .env files hidden
- **Block Sensitive Search Terms** — can't search for passwords/credentials
- **OCR Redact PII from Extracted Text** — PII stripped from scanned contracts
- **Block Internal Network URLs (OCR)** — SSRF protection

---

### 90. GDPR Data Subject Request Handler ⭐ S-TIER
**Advanced** · LangGraph

On a data subject request (DSR), searches Gmail, HubSpot, Salesforce, and Sheets for the subject's data. Compiles a report with PII auto-redacted from each source. The agent finds data without exposing it.

**Tools:** Google Gmail, HubSpot, Salesforce, Google Sheets

**Why guardrails matter:** GDPR DSR handling is the perfect guardrail use case: the agent must search for personal data across multiple systems while simultaneously redacting it from its own responses. Civic's per-tool PII redaction means the agent can locate where data exists and generate a DSR report without ever seeing raw PII — it maps data locations, not data values.

- **Redact Contact PII (HubSpot)** — masks emails and phones in CRM data
- **Redact Financial Data (Salesforce)** — financial fields hidden
- **Block User Object Queries (Salesforce)** — prevents user table access
- **Redact PII in Cells (Sheets)** — masks PII in spreadsheet data
- **Safe Email Search (Gmail)** — prevents sensitive term searches
- **Hide Cells Matching Patterns (Sheets)** — custom PII pattern matching
- **Search Results Filter (Gmail)** — filters results with sensitive content

---

### 91. Compliance Audit Trail Agent
**Intermediate** · Pydantic AI

Monitors Cloudflare audit logs for policy violations, cross-references with Sentry access patterns, logs findings in Notion. Org-scoped access across all tools.

**Tools:** Cloudflare Audit Logs, Sentry, Notion, Slack

**Why guardrails matter:** Compliance agents need broad monitoring access scoped to your organization. Sentry's org-level and project-level guardrails ensure the agent only sees your services, while Notion's database scoping keeps findings in the approved compliance database.

- **Allowed Organizations Only (Sentry)** — scoped to your org
- **Allowed Projects Only (Sentry)** — project-level access control
- **Approved Databases (Notion)** — writes to compliance database only
- **Protected Pages (Notion)** — existing findings read-only
- **14 universal guardrails on Cloudflare** — PII/injection protection
- **Batch Operation Size Limit (Notion)** — caps bulk writes

---

### 92. HubSpot Data Compliance Agent
**Intermediate** · Pydantic AI

Monitors HubSpot for data compliance: filters by data classification, hides pipeline objects from unauthorized views, redacts PII from search results, blocks regex search operators.

**Tools:** HubSpot, Google Sheets, Slack

**Why guardrails matter:** HubSpot's 57 guardrails include data classification filtering — the agent only sees records matching its authorized classification level. Combined with PII redaction in search results and regex operator blocking (preventing broad data extraction), this is enterprise data governance for CRM.

- **Filter by Data Classification** — records filtered by sensitivity level
- **Redact Search PII** — PII stripped from search results
- **Block Search Operators** — blocks regex and contains operators
- **Hide Pipeline Objects** — objects from restricted pipelines hidden
- **Redact Contact PII** — masks PII in contact objects
- **Limit Filter Groups** — caps search filter complexity

---

### 93. Notion Access Control Agent
**Intermediate** · Anthropic SDK

Enforces Notion workspace governance: restricts page creation to approved parents, protects critical databases from updates, filters sensitive content from searches and queries.

**Tools:** Notion, Slack

**Why guardrails matter:** Notion's 18 guardrails create a comprehensive access control layer: approved database/page parents control where content is created, protected pages/data sources prevent unauthorized modifications, and search/query-level content filtering redacts sensitive results.

- **Approved Database Parents** — page creation restricted to approved databases
- **Approved Page Parents** — page creation restricted to approved parents
- **Protected Pages (Update)** — critical pages can't be modified
- **Protected Data Sources** — protected databases can't be updated
- **Search Sensitive Content Filter** — redacts sensitive search results
- **Query Sensitive Content Filter** — redacts sensitive query results
- **Search Term Filter** — blocks searching for sensitive terms

---

## Content & Design

### 94. Content Ops Pipeline
**Advanced** · CrewAI

Multi-agent team: Writer drafts in Google Docs, Designer creates in Canva, Publisher pushes to Webflow. Content pattern blocking catches sensitive data, SSRF protection on Canva imports.

**Tools:** Google Docs, Canva, Webflow, Twitter, Bluesky

**Why guardrails matter:** Publishing pipelines where AI creates and pushes content need pre-publish filtering. Canva's guardrails catch leaked API keys in design text, block imports from unauthorized domains (SSRF), and restrict AI generation to approved design types.

- **Blocked Content Patterns (Docs)** — catches sensitive content before publish
- **Redact Sensitive Design Text (Canva)** — catches API keys/passwords in designs
- **Allowed Import Domains (Canva)** — SSRF protection on imports
- **Allowed Design Types** — restricts AI generation types
- **Block Pro Export Quality** — controls export resolution
- **Allowed Asset Upload Domains** — SSRF protection on uploads

---

### 95. Canva Design Governance Agent
**Intermediate** · Pydantic AI

Manages Canva design library: enforces export format restrictions, filters designs by owner, restricts folder access, controls AI generation types. Sensitive text in designs auto-redacted.

**Tools:** Canva, Slack, Google Sheets

**Why guardrails matter:** Canva's 27 guardrails create a comprehensive design governance layer: export format allowlists prevent unauthorized formats, owner-based filtering scopes visibility, folder ID restrictions control access, and SSRF protection on uploads/imports prevents the agent from fetching from internal networks.

- **Allowed Export Formats** — allowlist for export types (PDF, PNG, etc.)
- **Filter Designs by Owner** — only shows designs from approved owners
- **Allowed Folder IDs** — folder access scoped
- **Block Move to Folder** — restricted destination folders
- **Redact Sensitive Design Text** — catches leaked secrets in designs
- **Limit Search Results** — caps design search output
- **Redact Export URLs** — download URLs hidden from agent

---

### 96. Documentation Site Updater
**Intermediate** · Vercel AI SDK

Reads API changes from GitHub PRs, generates updated doc pages, pushes to Webflow CMS, notifies on Slack. PR access scoped to vetted repos; branch listings filtered.

**Tools:** GitHub, Webflow, Slack

**Why guardrails matter:** Documentation agents that read PRs and push to production websites need strict repo scoping. GitHub's guardrails filter PRs, branches, and code search to vetted repos only — the agent can't discover or reference code from unauthorized repositories.

- **Filter Pull Requests to Vetted Repos** — only approved-repo PRs visible
- **Filter Branches to Vetted List** — hides experimental/sensitive branches
- **Restrict to Vetted Repositories** — all operations scoped
- **Redact Commit Author Email** — developer PII protected
- **Restrict Repository Search** — search scoped to vetted repos
- **14 universal guardrails on Webflow** — baseline protection

---

### 97. Content Localization Agent
**Advanced** · AutoGen

Multi-agent conversation: Translator localizes content, Reviewer validates accuracy, Publisher updates Webflow pages. PII patterns redacted from source content before translation.

**Tools:** Google Docs, Google Sheets, Webflow, Notion

**Why guardrails matter:** Localization agents process content that may contain PII, cultural references, or sensitive business terms. Docs' PII pattern redaction strips personal data before translation, and Notion's protected pages prevent overwrites of approved translations.

- **PII Patterns to Redact (Docs)** — strips PII before translation
- **Blocked Content Patterns (Docs)** — catches sensitive content
- **Protected Pages (Notion)** — approved translations read-only
- **Block Modification of Protected Spreadsheets (Sheets)** — glossary locked
- **Approved Databases (Notion)** — writes to localization database only
- **14 universal guardrails on Webflow** — baseline protection

---

### 98. Dropbox Security Scanner
**Intermediate** · Pydantic AI

Scans Dropbox for security risks: sensitive file extensions, malicious formats, files in wrong directories. Folder-scoped, regex search blocked, large files filtered.

**Tools:** Dropbox, Slack, Google Sheets

**Why guardrails matter:** Dropbox's guardrails include regex search blocking (preventing broad pattern-matching attacks), large file filtering (hiding files above a threshold), and email domain validation on file paths (ensuring files from non-approved domains are invisible).

- **Block Regex Search Patterns** — prevents broad pattern matching
- **Block Sensitive Search Terms** — blocks credential term searches
- **Filter Large Files** — hides files above size threshold
- **Filter Sensitive Extensions** — .key, .pem, .env auto-redacted
- **Block Malicious Formats** — dangerous file types blocked
- **Email Domain Filter** — files from non-approved email domains hidden

---

## IoT & Physical World

### 99. Smart Home Voice Agent ⭐ S-TIER
**Starter** · Claude Desktop

Control lights, climate, and appliances through natural language. The agent physically cannot touch locks, garage doors, or gates — and temperature is hard-capped at safe limits. This is the most intuitive guardrail demo: "The AI controls your lights but can't unlock your door."

**Tools:** Home Assistant, Google Calendar

**Why guardrails matter:** Home Assistant's 15 guardrails are all physical-world safety controls. Critical device class blocking prevents the agent from operating locks, doors, garage doors, and gates. Temperature and brightness hard caps prevent extreme environmental settings. Area and floor scoping restricts control to approved zones. These guardrails are instantly understandable — everyone immediately gets why an AI shouldn't unlock your front door.

- **Block Critical Device Classes (Turn On)** — locks, doors, garage, gates off-limits
- **Block Critical Device Classes (Turn Off)** — same for turn-off operations
- **Maximum Temperature Limit** — hard cap prevents dangerously hot settings
- **Minimum Temperature Limit** — hard cap prevents dangerously cold settings
- **Maximum Brightness Limit** — prevents full-blast light changes
- **Allowed Areas Only (Turn On/Off)** — restricted to specific rooms
- **Allowed Floors Only (Turn On/Off)** — restricted to specific building floors
- **Allowed Device Classes Only** — only explicitly permitted device types

---

### 100. Morning Routine Orchestrator
**Starter** · Pydantic AI

At wake time: gradually increases light brightness, reads today's calendar events, summarizes top emails, sets climate to preferred temperature. Device classes restricted, brightness capped.

**Tools:** Home Assistant, Google Calendar, Google Gmail, Slack

**Why guardrails matter:** A morning routine agent that controls physical devices needs the same critical device blocking as any Home Assistant agent — plus brightness caps for gradual wake-up (no full-blast at 6am) and temperature limits for safe climate adjustment.

- **Block Critical Device Classes** — locks, doors, gates off-limits
- **Maximum Brightness Limit** — gradual brightness increase, not full blast
- **Allowed Areas Only** — bedroom/bathroom only, not entire house
- **Maximum Temperature Limit** — safe climate adjustment
- **Minimum Temperature Limit** — prevents freezing settings
- **Event Content Filter (Calendar)** — redacts sensitive event descriptions

---

### 101. Smart Office Manager
**Intermediate** · Google ADK

Manages meeting room lights and climate based on Calendar occupancy. Turns on lights before meetings, adjusts temperature based on room size, dims after hours. Floor and area scoped.

**Tools:** Home Assistant, Google Calendar, Slack, Google Sheets

**Why guardrails matter:** Office automation agents control physical infrastructure across multiple floors and zones. Home Assistant's floor and area scoping ensures the agent only manages approved meeting rooms — it can't reach into server rooms, executive offices, or security zones.

- **Allowed Areas Only** — restricted to meeting rooms
- **Allowed Floors Only** — restricted to office floors
- **Climate Control Allowed Areas Only** — climate scoped to meeting rooms
- **Maximum/Minimum Temperature Limit** — safe range enforcement
- **Allowed Device Classes Only** — only lights and climate, nothing else
- **Allowed Calendar IDs** — only reads meeting room calendars

---

## Appendix A: Guardrail Themes

| Theme | Guardrails | Where It Applies |
|-------|-----------|-----------------|
| **Access Scoping** | Vetted orgs/repos, allowed folder IDs, approved databases, allowed calendar IDs, pipeline/team restrictions | GitHub (30), Sentry (15), Drive (29), Dropbox (55), Notion (18), Calendar (39), Pipedrive (32), Linear (12) |
| **PII Auto-Redaction** | SSN, credit cards, emails, phone numbers masked on response | Drive, Sheets (42), Docs (21), Salesforce (34), HubSpot (57), ActiveCampaign (70), ServiceTitan (6), GA (41) |
| **Credential Stripping** | API keys, passwords, tokens removed from file/design content | Drive (29), Dropbox (55), Canva (27), Confluence, PostgreSQL (22) |
| **Financial Data Redaction** | Deal values, revenue, prices, account balances, payment methods hidden | Salesforce (34), Pipedrive (32), Stripe (24), Meta Ads (18), HubSpot (57) |
| **Deletion Blocking** | Per-entity deletion prevention across CRM, project management, marketing | Salesforce (5 objects), Pipedrive (7 entities), HubSpot, Jira, ActiveCampaign, Meta Ads, Calendar |
| **Admin-Gating** | Write operations require admin role | Stripe (8 operations: invoice, price, product, refund, coupon, payment link, subscription cancel/update) |
| **Budget Caps** | Daily/lifetime limits, coupon caps, refund ceilings, price floors/ceilings | Meta Ads (campaign + ad set level), Stripe (prices, coupons, refunds, payment links) |
| **Batch Size Limits** | Bulk operations capped per request | IMAP (14), Pipedrive (32), HubSpot (57), Notion (18), ActiveCampaign (70) |
| **SQL Injection Suite** | Query stacking, dynamic SQL, system tables, stored procs, anti-aliasing, character set enforcement | PostgreSQL (22), MySQL (16), MSSQL (24), Redshift (17) = 79 total DB guardrails |
| **SSRF Protection** | Internal network URL blocking on upload/import/OCR | Canva (27), Mistral OCR (4) |
| **Physical Safety** | Critical device blocking, temperature/brightness limits, area/floor scoping | Home Assistant (15) |
| **Prompt Injection** | Universal detection and blocking | All 95+ tools |

---

## Appendix B: Framework Selection Guide

| If you need... | Use this | Why |
|----------------|----------|-----|
| Fastest prototype | **Claude Desktop** | 2-minute setup, zero code |
| Next.js web app | **Vercel AI SDK** | Native streaming, React hooks, Civic Auth integration |
| TypeScript backend | **Anthropic SDK** | Direct MCP via `mcp_servers` param, no tool loop |
| OpenAI models | **OpenAI Agents SDK** | `hostedMcpTool()`, tool approval control |
| Python agent with memory | **LangGraph** | Stateful graphs, checkpointing, `MultiServerMCPClient` |
| Type-safe Python | **Pydantic AI** | `MCPServerStreamableHTTP`, FastAPI integration |
| Multi-agent team | **CrewAI** | Role-based agents with `MCPToolWrapper` |
| Multi-agent debate | **AutoGen** | Conversational agent patterns |
| RAG + tools | **LlamaIndex** | Document indexing + tool calling |
| Prompt optimization | **DSPy** | Programmatic prompt tuning |
| .NET / Enterprise | **Semantic Kernel** | C# native, Azure integration |
| NLP pipelines | **Haystack** | Pipeline-based, modular |
| Google ecosystem | **Google ADK** | `McpToolset` with LiteLLM for Claude |
| No-code builder | **Flowise** or **Dify** | Visual drag-and-drop |
| Developer IDE | **Cursor** / **VS Code** | In-editor agent |
| Lightweight Python | **Agno** or **smolagents** | Minimal overhead |
| Terminal agent | **Goose** | Block's open-source agent |

---

## Getting Started

Every use case above can be built today:

1. **Create a Civic account** at [app.civic.com](https://app.civic.com)
2. **Add tool servers** — connect the MCP servers your use case needs
3. **Configure guardrails** — set the security rules for your deployment
4. **Pick a framework** — follow the [recipe](https://docs.civic.com/civic/recipes) for your chosen stack
5. **Connect and build** — point your agent at `https://app.civic.com/hub/mcp`

Every use case inherits **14 universal guardrails** (prompt injection detection, PII filtering, rate limiting) before any tool-specific rules apply.

**Docs:** [docs.civic.com](https://docs.civic.com) · **Community:** [Slack](https://join.slack.com/t/civic-developers/shared_invite/zt-37tv9fyo7-aDT43mUjOFQwdQFmfZLTRw)
