Run AI Agents Without Fear
Your AI agents can't push to main, leak credentials, or destroy your repo. 26 built-in safety checks block catastrophic actions before they execute. Install in 30 seconds. Sleep at night.
Mandatory Execution Control
AgentGuard delivers production-grade enforcement. Unknown actions are denied by default. Every agent action passes through a vendor-neutral governance boundary.
Default-Deny Enforcement
Unknown actions are denied by default. Only explicitly allowed actions execute. The governance kernel transitions from fail-open to fail-closed — the same security posture as production firewalls.
ActionContext Normalization
A vendor-neutral action representation decouples the policy engine from Claude, Copilot, LangGraph, or any other framework. One policy governs all agents regardless of provider.
Production-Grade Kernel
Sub-millisecond evaluation latency. 26 invariants, 92 destructive patterns, tamper-evident audit chain. The reference monitor architecture enterprises require for autonomous agent deployment.
See It In Action
Install, configure a policy, run a governed session, and view the Cloud dashboard — in 30 seconds.
$ npx aguard claude-init
✓ Hooks installed → .claude/settings.json
✓ Policy scaffolded → agentguard.yaml
✓ Go kernel ready (3.2MB, <3ms/eval)
$ aguard guard --policy agentguard.yaml
AgentGuard Runtime Active
policy: agentguard.yaml | invariants: 26 | patterns: 92
✓ file.write src/auth/service.ts
✓ test.run vitest (4,394 passed)
✓ git.commit "feat: add auth service"
✗ git.push main → DENIED (protect-main)
⚠ invariant protected-branch violated
$ aguard inspect --last
12 actions | 1 denial | escalation: NORMAL
evidence pack → .agentguard/evidence/run_...
What AgentGuard Prevents
Real scenarios blocked by the governance kernel. No configuration required.
The Problem
- AI agents execute file writes, shell commands, and git operations with no safety net
- One bad tool call can push to main, leak secrets, or delete production files
- No audit trail means no way to understand what happened or why
- Traditional AI safety focuses on model behavior, not execution-layer enforcement
The Solution
- Deterministic decision point between proposal and execution
- YAML policies declare what agents can and cannot do — version-controlled boundaries
- 26 built-in invariants + 92 destructive patterns detected automatically
- Pre-execution simulation predicts impact before anything runs
Works with
Built for Safety at Scale
Everything you need to govern AI agent actions in development, CI, and production environments.
26 Safety Invariants
Secret detection, credential protection, branch guards, blast radius limits, lockfile integrity, script injection, CI/CD protection, network egress control, governance self-modification prevention. Always on.
92 Destructive Patterns
rm -rf, sudo, docker prune, DROP TABLE, pkill, systemctl—detected and classified by the AAB before execution.
Deterministic Kernel
Same action + same policy = same decision. Every time. No probabilistic surprises.
Impact Simulation
Filesystem, git, and package simulators predict blast radius and risk level before execution.
YAML Policies
Version-controlled boundaries. Four enforcement modes (monitor / educate / guide / enforce) + pack for quick setup. Per-invariant overrides. 8 built-in packs.
Full Audit Trail
48 event kinds across JSONL or SQLite. Inspect, replay, export, diff, and attach evidence to PRs.
Escalation System
NORMAL → ELEVATED → HIGH → LOCKDOWN. Repeated violations trigger automatic lockdown.
RTK Token Optimization
Integrated with RTK for 60-90% token savings. Shell commands auto-rewrite to compact output after governance approval. Git, npm, cargo, docker, kubectl, and more.
Agent Identity
Declare agent role (developer, reviewer, ops, security) and driver (human, claude-code, copilot, ci). Identity flows to telemetry, persona-scoped policies, and cloud dashboard.
Agents That Learn
Educate mode captures governance lessons into persistent memory. Agents improve over time—junior agents level up through the governance training ladder without hard blocks slowing delivery.
Pre-Push Branch Protection
Git pre-push hooks enforce branch protection rules from agentguard.yaml. Blocks pushes to protected branches at the git layer, not just at the agent layer.
Kernel Architecture
Every agent action passes through a governed pipeline. Seven stages, deterministic outcome.
The kernel is the single decision point. Same action + same policy = same outcome. No side channels, no probabilistic evaluation, no exceptions.
Action Authorization Boundary
The AAB normalizes raw tool calls into 43 canonical action types across 10 classes. Every agent operation—whether a Bash command, file write, or git push—gets classified before evaluation.
Simulation Engine
Three simulators (filesystem, git, package) predict impact before execution. High-risk simulations can flip ALLOW → DENY at runtime. Blast radius scored 0–100.
Escalation State Machine
Tracks denial and violation counts. Escalation levels persist as state-change events. In LOCKDOWN, all actions are denied until a human resets the state.
Go Kernel — Near-Zero Overhead
A single 3.2 MB static binary. No dependencies. Evaluates every tool call in under 3ms.
2ms
Startup time
vs 67ms Node.js
<3ms
Hook evaluation
vs 290ms Node.js
2.7MB
Memory usage
vs 80MB Node.js
3.2MB
Binary size
vs 281MB node_modules
Fleet Impact
| Scenario | Node.js | Go Kernel | Saved |
|---|---|---|---|
| Single session (100 calls) | 29s | 0.3s | 28.7s |
| 30-min coder session (~400 calls) | 1 min 56s | 1.2s | ~2 min |
| Daily fleet (100 agents × 2 runs) | 96 min | 1 min | 95 min/day |
| Monthly fleet | 48 hours | 30 min | 47.5 hrs/mo |
Agents get 8% more productive time per session. Ships automatically via npm install — a postinstall script downloads the prebuilt binary for your platform. Works with both Claude Code and GitHub Copilot hooks.
25 Built-in Invariants
Safety checks that run on every action. Zero configuration. Always on.
| Invariant | Severity | Description |
|---|---|---|
| no-secret-exposure | CRITICAL | Blocks access to .env, credentials, .pem, .key files |
| no-credential-file-creation | CRITICAL | Blocks creation of SSH keys, .netrc, cloud credentials, Docker config |
| protected-branch | HIGH | Prevents direct push to main/master |
| no-force-push | HIGH | Forbids force push that rewrites shared history |
| no-skill-modification | HIGH | Prevents modification of .claude/skills/ files |
| no-scheduled-task-mod | HIGH | Prevents modification of scheduled task files |
| no-package-script-injection | HIGH | Blocks package.json modifications that alter lifecycle script entries |
| blast-radius-limit | MEDIUM | Enforces file modification limit (default 20 files) |
| test-before-push | MEDIUM | Requires tests pass before git push |
| lockfile-integrity | LOW | Ensures package.json changes sync with lockfiles |
| no-cicd-config-modification | CRITICAL | Prevents modification of CI/CD pipeline configurations |
| no-governance-self-modification | CRITICAL | Prevents agents from modifying governance config and policy files |
| no-permission-escalation | HIGH | Blocks filesystem permission escalation (setuid, sudoers, ownership) |
| transitive-effect-analysis | HIGH | Detects scripts whose contents would be denied if executed directly |
| no-network-egress | HIGH | Denies HTTP requests to non-allowlisted domains |
| no-destructive-migration | MEDIUM | Flags migration files containing DROP, TRUNCATE, or destructive DDL |
| large-file-write | MEDIUM | Enforces file write size limits to prevent data dumps |
| no-container-config-modification | MEDIUM | Blocks modification of Dockerfile and container config files |
| no-env-var-modification | MEDIUM | Prevents modification of environment variables and shell profiles |
| recursive-operation-guard | LOW | Flags recursive operations combined with write/delete actions |
| no-ide-socket-access | HIGH | Blocks access to IDE socket files (vscode-ipc-*.sock) |
Quick Start
Install, run the setup wizard, and you're governed.
$ npm install -g aguard$ cd your-project
$ aguard claude-init
# Wizard: choose enforcement mode + policy pack
# Creates agentguard.yaml + installs Claude Code hooks$ aguard cloud login
# Opens browser → GitHub or Google OAuth → CLI auto-configures
# Visit: agentguard-cloud-dashboard.vercel.app$ aguard status
✓ Claude Code hooks installed
✓ Policy file (agentguard.yaml)
✓ Runtime activeCloud Dashboard
Real-time governance telemetry for your whole team. Multi-tenant workspaces, GitHub/Google OAuth, live agent visualization.
Team Dashboard
Governance runs, violation timelines, analytics. Sign in with GitHub or Google.
Live Office Visualization
2D visualization of agent activity in real time. See your agents working — share a link with your team.
SSO & Multi-Tenant
GitHub and Google OAuth. Isolated team workspaces. Invite-based access control.
agentguard cloud login
# Opens browser → select workspace → doneAnonymous Telemetry by Default
Telemetry is opt-in and anonymous until you connect a workspace. No PII collected without consent.
agentguard telemetry # manage settings
agentguard cloud status # check connectionNot Like Other Tools
AgentGuard operates at the execution layer — after the model decides what to do, before the action touches your system.
Policy as Code
Define governance boundaries in YAML. Compose multiple policies with precedence. Drop them in your repo root.
# agentguard.yaml
id: my-project
name: My Project Policy
mode: guide # monitor | educate | guide | enforce
pack: essentials # curated invariant profile
# Per-invariant overrides
invariants:
blast-radius-limit: educate
no-secret-exposure: enforce
no-force-push: guide
rules:
- action: git.push
effect: deny
branches: [main, master]
reason: Direct push to protected branch
- action: file.write
effect: deny
target: "**/.env"
reason: Secrets files must not be modified
- action: file.read
effect: allow
reason: Reading is always safeDeny rules block dangerous actions
Prevent direct pushes to protected branches, force pushes, and secrets file modifications.
Allow rules grant explicit permission
Safe operations like file reads are explicitly allowed. Clear intent, no ambiguity.
Four enforcement modes
monitor, educate, guide, enforce. Educate allows actions but teaches correct patterns. Guide blocks and suggests corrected commands the agent can retry. Graduate from observe → educate → guide → enforce at your own pace.
Composable with precedence
Stack multiple policies: --policy base.yaml --policy team.yaml. Later policies take precedence.
8 built-in policy packs
Use pack: essentials for quick setup. Compose with extends for soc2, hipaa, enterprise, and more.
35 CLI Commands
Full lifecycle governance from your terminal.
Governance
- guard — Start governed runtime
- inspect — Action graph + decisions
- events — Raw event stream
- analytics — Violation patterns
- status — Governance session status
- audit-verify — Audit chain integrity
Replay & Debug
- session-viewer — Interactive HTML dashboard
- replay — Session timeline replay
- diff — Compare two sessions
- traces — Policy evaluation traces
- simulate — Impact prediction
Portability & CI
- export / import — Session portability
- ci-check — CI verification
- evidence-pr — PR evidence reports
- policy validate — Policy linting
- policy-verify — Structure verification
Plugins
- plugin list — Installed plugins
- plugin install — Add a plugin
- plugin remove — Remove a plugin
- plugin search — Search npm
Setup & Integration
- claude-init — Claude Code hooks
- copilot-init — GitHub Copilot hooks
- cloud login — Device code auth (browser OAuth)
- cloud events/runs — Query cloud data
- auto-setup — Auto-detect & configure
- config — Show/get/set config
- init — Scaffold extensions
- demo — Interactive showcase
Adoption & Migration
- adoption — Metrics & onboarding
- learn — Interactive tutorials
- migrate — Version migration
Claude Code Mapping
- Write/Edit → file.write
- Read → file.read
- Bash → shell.exec / git.*
- Glob/Grep → file.read
Integrations
Governance where your agents already work.
Claude Code
Inline hook integration — no daemon, no sidecar. Fires on every tool call, evaluates policies in-process, and exits. Fail-open by design.
$ aguard claude-initGitHub Copilot
Same governance engine for Copilot CLI. Tool names normalized to canonical actions. All policies and invariants apply identically.
$ agentguard copilot-initGoose (Block)
Open-source AI agent by Block. Governed via ShellForge orchestration layer. Runs on local or cloud GPUs (Ollama). Same policies, same invariants.
$ shellforge run goose "your task"VS Code Extension
Sidebar panels for run status and history. Inline diagnostics for invariant violations. Real-time governance notifications.
GitHub Actions
Reusable CI workflow for governance verification. Evidence packs attached to pull requests. Policy validation in your pipeline.
Audit-Ready by Design
Every agent action is recorded, queryable, and exportable. Wake up to evidence, not mystery.
JSONL + SQLite
Append-only audit trail with indexed queries. Portable JSONL export for CI and archival.
Deterministic Decisions
Same action + same policy = same decision. No probabilistic evaluation. Reproducible outcomes.
Evidence Packs on PRs
Attach governance evidence summaries to pull requests. Provable compliance in code review.
Policy Composition
Org-wide base + team overrides. 8 built-in packs: essentials, strict, soc2, hipaa, enterprise, ci-safe, engineering-standards, open-source.
Session Replay & Diff
Replay any governance session. Compare runs side-by-side. Forensic analysis built in.
Session Viewer
Interactive HTML dashboard with action timeline, escalation progression, and violation breakdown. Auto-opens when a Claude Code session ends. Shareable via --share.
Export & Portability
Export sessions as portable JSONL. Import across environments. CI-ready verification.
What’s Next
AgentGuard is evolving from advisory interception to mandatory execution control. Here’s the trajectory.
v3.0 Major Release — Production-Grade Enforcement
Default-deny kernel + KE-2 ActionContext + Deployment Gate. Every agent action passes a tamper-evident governance boundary before touching your environment. The Go kernel makes hook evaluation ~100x faster. Full release notes →
Deployment Gate — Pre-Push Governance
Agents cannot push code without passing governance checks. Tests-before-push invariant, branch protection, lockfile integrity, and commit scope guard enforce a mandatory gate before any code reaches your repo. agentguard ci-check integrates into any CI pipeline.
Go Kernel — go/
High-performance governance kernel in Go. 3.2 MB static binary, <3ms hook evaluation, ~100x faster than Node.js. Now the default enforcement runtime for Claude Code and Copilot hooks.
Phase 6 — Reference Monitor Hardening
Default-deny unknown actions. PAUSE and ROLLBACK intervention types. All known bypass vectors closed.
Studio Runtime — Governed Workspace Bootstrapping
aguard init studio wizard detects your project type, CI pipeline, test framework, and agent runtimes — then generates a tailored agentguard.yaml. Execution profiles: development, ci-safe, strict, enterprise. Pairs with ShellForge for local governed agents.
Phase 7 — Capability-Scoped Sessions
Each governance run gets a bounded authority set via RunManifest. No capability, no effect.
Phase 9 — Multi-Agent Integrations
Framework adapters for LangGraph, CrewAI, AutoGen, OpenAI Agents SDK. Generic MCP adapter. Cursor integration.
Phase 13 — Environmental Enforcement
OS-level sandboxing via Bubblewrap and Seatbelt. Read-only mounts, network deny-by-default, credential stripping.
Agent Identity & Telemetry Attribution
Session identity prompt, --agent-name CLI flag, MCP persona, role-based policy scoping, cloud telemetry attribution. Pre-push branch protection hooks.
Phase 14 — Multi-Agent Governance
PID-bound capability tokens, cross-agent policy negotiation, fleet orchestration, shared state contracts.
Phase 18 — Remote Governance Runtime
Server mode, centralized event ingestion, remote policy distribution, multi-repo governance, team dashboard.
Open Source
Apache 2.0 Licensed
AgentGuard is built in the open. Write invariants, create policy packs, build adapters, or contribute a renderer.