Governed by AgentGuard · Go binary · Zero cloud

Local AI Agents.
Governed.

Name: ShellForge
Author: AgentGuardHQ

ShellForge runs autonomous AI agents on your machine with policy enforcement on every tool call. No cloud. No API keys. No data leaves your laptop.

Get Started View on GitHub

3.2 MB

Static binary

<3ms

Hook evaluation

Stack layers

Cloud deps

shellforge

# Install ShellForge

$ brew install AgentGuardHQ/tap/shellforge

# Set up governance in any repo

$ shellforge setup

✓ Ollama running (qwen3:8b)

✓ AgentGuard enforce mode active

✓ agentguard.yaml created

# Run a governed agent

$ shellforge agent "find test gaps"

[AgentGuard] shell.exec → ALLOWED

[AgentGuard] file.write → ALLOWED

[AgentGuard] git.push --force → DENIED

↳ invariant: no-force-push violated

✓ Agent self-corrected, push cancelled

$ █

What Is It

A governance wrapper for any local agent

ShellForge is not an agent framework. It's the enforcement layer that sits between your agent driver and the real world. The agent decides what it wants to do. ShellForge decides whether it's allowed.

Agent Driver

Crush · Claude Code · Copilot · Codex · Gemini

↓ tool call

AgentGuard Governance Kernel

allow · deny · audit · every. single. call.

↓ approved

Your Environment

Files · Shell (RTK) · Git · Network · OpenShell sandbox

Crush handles execution. Dagu handles orchestration. AgentGuard wraps them all with policy enforcement.

The Stack

Best-in-class components, governed end-to-end

Each layer is an independent best-of-breed tool. ShellForge wires them together and adds governance at the enforcement boundary.

INFER

Ollama

Local LLM inference with Metal GPU on Apple Silicon. Pull any model — qwen3:8b for everyday tasks, qwen3:30b for production quality on M4 Pro.

ollama pull qwen3:8b

✓ Model ready (5.2 GB)

OPTIMIZE

RTK

Token compression layer — 70–90% reduction on shell output. Agents see compact, structured results instead of raw terminal noise. More signal, fewer tokens spent.

rtk git diff → 80% savings

rtk vitest run → 99.5% savings

EXECUTE

Crush

Go-native AI coding agent with TUI and headless mode. Uses Ollama for local inference. Full tool-calling loop — reads files, writes code, runs shell commands.

shellforge run crush "fix the bug"

→ agent loop started

ORCHESTRATE

Dagu

YAML DAG workflows with cron scheduling and a web UI. Run multi-step agent pipelines, schedule recurring tasks, observe runs in a browser dashboard.

shellforge serve agents.yaml

→ web UI at localhost:8080

GOVERN

AgentGuard

Policy enforcement on every action — allow, deny, or correct. 26 built-in invariants, 93 destructive patterns, tamper-evident audit trail. The enforcement boundary agents cannot bypass.

[DENIED] git push --force

[ALLOWED] file.write src/

SANDBOX

OpenShell + DefenseClaw

Kernel-level isolation via Docker on macOS. DefenseClaw scans for supply chain risks — AI Bill of Materials. Optional but recommended for untrusted workloads.

OpenShell: Docker sandbox active

DefenseClaw: scanner ready

Quick Start

From zero to governed agent in 5 minutes

macOS (Apple Silicon or Intel) or Linux.

1 Install ShellForge

# macOS via Homebrew

$ brew tap AgentGuardHQ/tap

$ brew install shellforge

# From source

$ git clone https://github.com/AgentGuardHQ/shellforge.git

$ cd shellforge && go build -o shellforge ./cmd/shellforge/

2 Install Ollama and pull a model

$ brew install ollama

$ ollama serve # leave running

$ ollama pull qwen3:8b # ~6 GB, good balance

# or: ollama pull qwen3:30b (19 GB, best — M4 Pro 48GB recommended)

# or: ollama pull qwen3:1.7b (1.2 GB, fastest)

3 Set up governance in any repo

$ cd ~/your-project

$ shellforge setup

✓ agentguard.yaml created

✓ AgentGuard enforce mode active

# Edit agentguard.yaml to customize policy

4 Run a governed agent

$ shellforge agent "describe what this project does"

$ shellforge agent "find test gaps and suggest improvements"

$ shellforge agent "create a hello world program"

# Every tool call passes through governance before execution

Governance

Policy-as-code for any agent driver

Every tool call — file write, shell command, git push — passes through agentguard.yaml before execution. When an action is denied, the correction engine feeds structured feedback back to the model so it can self-correct — not just fail.

26 built-in invariants

Secret exposure, protected branches, blast radius, test-before-push, lockfile integrity and 21 more — active by default.

Default-deny enforcement

Unknown actions are denied. Only explicitly allowed actions execute. Same posture as a production firewall.

Correction engine

Denials include structured context. The model understands why it was blocked and retries with a compliant action.

Any CLI driver

Claude Code, Copilot CLI, Codex, Gemini, Crush — tool names normalized to canonical actions. One policy governs all.

agentguard.yaml

mode: enforce  # enforce | monitor

policies:
  - name: no-force-push
    action: deny
    pattern: "git push --force"

  - name: no-destructive-rm
    action: deny
    pattern: "rm -rf"

  - name: no-secret-access
    action: deny
    pattern: "*.env|*id_rsa"

  - name: allow-src-writes
    action: allow
    scope: ["src/**", "tests/**"]

invariants:
  - tests-before-push
  - no-credential-file-creation
  - lockfile-integrity

Choose Your Model

Pull any model via Ollama. ShellForge works with all of them.

Model	Params	RAM	Best For
qwen3:1.7b	1.7B	~1.2 GB	Fast tasks, prototyping
qwen3:4b	4B	~3 GB	Balanced reasoning
qwen3:8b	8B	~6 GB	Good balance (recommended)
qwen3:30b	30B	~19 GB	Production quality (M4 Pro 48GB)

Your agents. Your machine. Your rules.

Local inference, zero cloud, policy enforcement on every action. ShellForge is governed AI for developers who don't want to ask permission.

View ShellForge on GitHub Install AgentGuard

Local AI Agents.Governed.