Agentguard
README

Run AI agents without fear. Install in 30 seconds. Your agents can't break what matters.

GitHub: https://github.com/AgentGuardHQ/agentguard · npm: https://www.npmjs.com/package/@red-codes/agentguard · License: Apache 2.0 · Website: https://agentguardhq.github.io/agentguard/ · Cloud (start free): https://agentguard-cloud-dashboard.vercel.app/onboarding · Discussions: https://github.com/AgentGuardHQ/agentguard/discussions

AI coding agents (Claude Code, Codex CLI, GitHub Copilot CLI, Google Gemini CLI, OpenCode, Goose, and more) run autonomously — writing files, executing commands, pushing code. AgentGuard prevents them from doing catastrophic things: no accidental pushes to main, no credential leaks, no runaway destructive loops. 26 built-in safety checks, zero config required.

For individuals: stop your AI from wrecking your machine or repo. For teams: govern agents at scale, with audit trails that pass compliance.

What Problem Does AgentGuard Solve?

AI coding agents can write files, execute shell commands, push code, and access sensitive repositories, all autonomously. Most agent frameworks focus on making agents more capable; few of them govern what the agent actually does at runtime.

AgentGuard intercepts AI coding agent actions before they execute and enforces safety rules. It acts like a firewall for AI agents — sitting between the agent and your system, evaluating every action against configurable policies before it happens.

Without AgentGuard, a single hallucinated command can:

  • Force-push to main and wipe your production branch
  • Leak API keys by writing them to committed files
  • Delete critical infrastructure with a runaway rm -rf
  • Merge untested code by bypassing review gates

AgentGuard prevents all of this with 26 built-in safety checks that work out of the box. No code changes required — install, configure your policy, and your agents are governed.

Works with every major AI coding agent: Claude Code, Codex CLI, GitHub Copilot, Google Gemini CLI, Goose, and any MCP-compatible client.

Early Access

Get notified about v3.0, security updates, and team features:

  • Join early access → Cloud waitlist, v3.0 announcements
  • GitHub Discussions → ask questions, share your setup

Get Started

npm install -g @red-codes/agentguard
cd your-project
agentguard claude-init
# Interactive wizard: choose enforcement mode and a policy pack
# → Creates agentguard.yaml, installs Claude Code hooks, and activates governance

Or use npx without a global install:

cd your-project
npx @red-codes/agentguard claude-init


The claude-init wizard walks you through setup interactively:

  Choose an enforcement mode:
    ❯ 1) Monitor  — log threats, don't block (recommended to start)
      2) Educate  — log + explain why the action was flagged
      3) Guide    — log + suggest a corrected command
      4) Enforce  — block dangerous actions immediately

  Enable a policy pack?
    ❯ 1) essentials — secrets, force push, protected branches, credentials
      2) strict — all 26 invariants enforced
      3) none — monitor only, configure later

Verify it's running:

agentguard status
# ✓ Claude Code hooks installed
# ✓ Policy file (agentguard.yaml)
# ✓ Runtime active

Test a deny rule without executing anything:

echo '{"tool":"Bash","command":"git push origin main"}' | agentguard guard --dry-run
# ✗ git.push main → DENIED (protect-main)

Non-interactive setup (CI or scripted installs):

agentguard claude-init --mode monitor --pack essentials


Cloud Dashboard & Live Office

Connect to the AgentGuard Cloud for team governance, real-time telemetry, and multi-tenant management:

npm install -g @red-codes/agentguard   # Install AgentGuard
agentguard cloud login                  # Opens browser → authenticate → CLI auto-configures

| Link | Description |
|------|-------------|
| Dashboard | Team dashboard — runs, violations, analytics |

Agent Identity

Every governed session has an identity. Set it via the CLI flag or let the interactive prompt ask:

agentguard guard --agent-name my-agent
# Or omit --agent-name and an interactive prompt will ask for role + driver

Identity consists of a role (developer, reviewer, ops, security, ci) and a driver (human, claude-code, copilot, opencode, ci). Identity flows to cloud telemetry for attribution, dashboard grouping, and persona-scoped policy rules.

What It Does

| Capability | Details |
|------------|---------|
| Policy enforcement | YAML rules with deny / allow / escalate — drop agentguard.yaml in your repo |
| 26 built-in invariants | Secret exposure, protected branches, blast radius, path traversal, CI/CD config, package script injection, and more |
| 48 event kinds | Full lifecycle telemetry: ActionRequested → ActionAllowed/Denied → ActionExecuted |
| Real-time cloud dashboard | Telemetry streams to your team dashboard; opt-in, anonymous by default |
| Multi-tenant | Team workspaces, GitHub/Google OAuth, SSO-ready |
| Agent SDK | Programmatic governance for custom integrations and RunManifest-driven workflows |
| Agent identity | Declare agent role + driver for governance telemetry — automatic prompt or CLI flag |
| Pre-push hooks | Branch protection enforcement via git pre-push hooks, configured from agentguard.yaml |
| Three enforcement surfaces | Hook mode (CLI adapters), embedded mode (Go library), and gateway mode (MCP-to-MCP proxy) |
| Works with | Claude Code, Codex CLI, GitHub Copilot CLI, Google Gemini CLI, OpenCode, Goose (Block), any MCP client |

Policy Format (YAML)

Drop agentguard.yaml in your repo root. It's picked up automatically.

Minimal policy

mode: monitor      # monitor | educate | guide | enforce
pack: essentials   # curated invariant profile

rules:
  - action: git.push
    effect: deny
    branches: [main, master]
    reason: Protected branch — use a PR

Enforcement Modes

Four enforcement modes control how AgentGuard responds to policy violations:

| Mode | Blocks? | Suggests? | Behavior |
|------|---------|-----------|----------|
| monitor | No | No | Log only — observe violations without interfering |
| educate | No | Yes | Allow + attach a suggestion explaining the violation via additionalContext |
| guide | Yes | Yes | Block + attach a suggestion with a correctedCommand the agent can retry |
| enforce | Yes | No | Deny the action outright |

Set the mode globally and override per-invariant:

mode: monitor                # global default

invariants:
  no-secret-exposure: enforce   # always block hardcoded secrets, no suggestion
  blast-radius-limit: educate   # allow, but explain why the action was flagged
  no-force-push: guide          # block and suggest the safe alternative

In educate and guide modes the decision carries a suggestion field. Educate still allows the action and attaches only the message; guide denies it and adds a correctedCommand the agent can retry:

{
  "effect": "deny",
  "mode": "guide",
  "suggestion": {
    "message": "Force push is not allowed on protected branches",
    "correctedCommand": "git push origin main"
  }
}
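The minimal policy and the mode table above describe the evaluation in words; the following TypeScript is an added example, not AgentGuard's own engine, that applies that policy to an agent's proposed Bash command and produces a decision in the same shape as the JSON above. The policy is written as an object literal rather than parsed from agentguard.yaml, and the helper names (`decide`, `parseGitPush`, `findViolations`), the `rule:git.push` label and the `PROTECTED` branch list are assumptions made for the example.

```typescript
// Added example (not AgentGuard's own code): a miniature policy engine showing
// how a deny rule plus the four enforcement modes turn an agent's proposed
// Bash command into a decision shaped like the JSON above. The policy is an
// object literal here; the real CLI reads it from agentguard.yaml.

type Mode = "monitor" | "educate" | "guide" | "enforce";
type Effect = "allow" | "deny";

interface Rule { action: string; effect: Effect; branches?: string[]; reason?: string }
interface Policy { mode: Mode; invariants?: Record<string, Mode>; rules: Rule[] }
interface AgentAction { tool: string; command: string }
interface Suggestion { message: string; correctedCommand?: string }
interface Decision { effect: Effect; mode: Mode; rule?: string; suggestion?: Suggestion }
interface GitPush { action: "git.push"; force: boolean; branch?: string; safeCommand: string }
interface Violation { name: string; message: string; correctedCommand?: string }

// Hypothetical policy: the README's minimal agentguard.yaml plus one per-invariant override.
const policy: Policy = {
  mode: "monitor",
  invariants: { "no-force-push": "guide" },
  rules: [
    { action: "git.push", effect: "deny", branches: ["main", "master"], reason: "Protected branch - use a PR" },
  ],
};

// Assumption: which branches the built-in no-force-push invariant treats as protected.
const PROTECTED = ["main", "master"];
const MODE_RANK: Record<Mode, number> = { monitor: 0, educate: 1, guide: 2, enforce: 3 };

const LONG_FORCE = /^--force(-with-lease|-if-includes)?(=.*)?$/;
const SHORT_BUNDLE = /^-[a-zA-Z]+$/; // "-f", or bundled short options like "-fu"
const isForceFlag = (f: string): boolean => LONG_FORCE.test(f) || (SHORT_BUNDLE.test(f) && f.includes("f"));

// Remove the force component of a flag but keep any other bundled short options (-fu -> -u).
function stripForceFlag(flag: string): string[] {
  if (!isForceFlag(flag)) return [flag];
  if (LONG_FORCE.test(flag)) return [];
  const rest = flag.replace(/f/g, "");
  return rest === "-" ? [] : [rest];
}

// Parse `git push [flags] [<remote> [<refspec>]]`. Force can come from -f/--force(-with-lease),
// a bundled short flag such as -fu, or a "+refspec". The destination side of "src:dst" is the
// branch the policy cares about; ":main" (a remote delete) therefore still targets main.
function parseGitPush(command: string): GitPush | null {
  const argv = command.trim().split(/\s+/);
  if (argv[0] !== "git" || argv[1] !== "push") return null;
  const args = argv.slice(2);
  const refspec: string | undefined = args.filter(a => !a.startsWith("-"))[1];
  const force = args.some(a => a.startsWith("-") && isForceFlag(a)) || (refspec?.startsWith("+") ?? false);
  let branch: string | undefined;
  if (refspec !== undefined) {
    const parts = refspec.replace(/^\+/, "").split(":");
    branch = (parts[parts.length - 1] ?? "").replace(/^refs\/heads\//, "");
  }
  const safeArgs = args.flatMap(a => (a.startsWith("-") ? stripForceFlag(a) : [a.replace(/^\+/, "")]));
  return { action: "git.push", force, branch, safeCommand: ["git", "push", ...safeArgs].join(" ") };
}

function findViolations(push: GitPush, policy: Policy): Violation[] {
  const out: Violation[] = [];
  // A bare `git push -f` has no refspec, so the target is unknown: treat it as protected (fail closed).
  const targets = (branches: string[]) => push.branch === undefined || branches.includes(push.branch);
  for (const rule of policy.rules) {
    if (rule.action !== push.action || rule.effect !== "deny") continue;
    if (rule.branches && !targets(rule.branches)) continue;
    out.push({ name: `rule:${rule.action}`, message: rule.reason ?? `${rule.action} denied by policy` });
  }
  if (push.force && targets(PROTECTED)) {
    out.push({ name: "no-force-push", message: "Force push is not allowed on protected branches",
               correctedCommand: push.safeCommand });
  }
  return out;
}

// Resolve the decision: every violation runs in its own effective mode (per-invariant override,
// else the global mode) and the strictest one wins. monitor logs; educate allows but explains;
// guide blocks and offers a retry; enforce blocks with no hint.
function decide(action: AgentAction, policy: Policy): Decision {
  const push = action.tool === "Bash" ? parseGitPush(action.command) : null;
  if (!push) return { effect: "allow", mode: policy.mode };   // only git.push is modelled here
  const ranked = findViolations(push, policy)
    .map(v => ({ v, mode: policy.invariants?.[v.name] ?? policy.mode }))
    .sort((a, b) => MODE_RANK[b.mode] - MODE_RANK[a.mode]);
  const top = ranked[0];
  if (top === undefined) return { effect: "allow", mode: policy.mode };   // no violations
  const { v, mode } = top;
  const decision: Decision = { effect: MODE_RANK[mode] >= MODE_RANK.guide ? "deny" : "allow", mode, rule: v.name };
  if (mode === "educate") decision.suggestion = { message: v.message };
  if (mode === "guide") decision.suggestion = v.correctedCommand
    ? { message: v.message, correctedCommand: v.correctedCommand } : { message: v.message };
  return decision;
}

// Same input as the README's dry-run check, but with a force flag so the guide override fires.
console.log(JSON.stringify(decide({ tool: "Bash", command: "git push --force origin main" }, policy), null, 2));
```

With this policy, `git push origin main` is only logged (the deny rule runs in the global monitor mode), while `git push --force origin main` is blocked with `correctedCommand: "git push origin main"` because the no-force-push override runs in guide mode; swapping the global mode to enforce turns the first case into the `DENIED` result the dry-run check above shows. The unknown-target case is deliberate: a bare `git push -f` carries no refspec, so the engine fails closed rather than assuming a feature branch.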

Full schema reference

# Metadata
id: my-project
name: My Project Policy
description: Governance for the Acme repo
severity: 4                   # 1 (lowest) – 5 (highest)
version: "1.0.0"
agentguardVersion: ">=2.3.0"  # minimum AgentGuard version

# Enforcement mode
mode: enforce                 # monitor | educate | guide | enforce

# Policy pack (curated invariant profiles)
pack: essentials              # essentials | strict | or a named pack

# Compose with other policies (paths or built-in pack names)
extends:
  - soc2
  - hipaa
  - ./policies/team-overrides

# Per-invariant mode overrides
invariants:
  no-secret-exposure: enforce
  blast-radius-limit: monitor
  no-force-push: enforce

# Disable specific invariants entirely
disabledInvariants:
  - lockfile-integrity

# Default persona (conditions for the agent running this policy)
persona:
  model: claude-sonnet-4-6
  provider: anthropic
  trustTier: verified
  autonomy: supervised
  riskTolerance: low
  role: developer
  tags: [internal, ci]

# Rules
rules:
  # Basic deny rule
  - action: git.push
    effect: deny
    branches: [main, master]
View on GitHub: https://github.com/AgentGuardHQ/agentguard · Stars: 16 · Forks: 1 · Category: Development · Language: TypeScript · Updated 3d ago · Security Score: 85/100 (audited Apr 6, 2026, no findings)