AgentGuard is local-first. Cloud is optional and adds hosted policy, redacted audit sync, session timelines, and approval workflows.
npm install -g @goplus/agentguard
agentguard init
This creates ~/.agentguard/config.json, ~/.agentguard/audit.jsonl, and local cache paths.
AGENTGUARD_API_KEY=ag_live_xxxxx \
agentguard connect --url https://agentguard.gopluslabs.io
connect stores the API key locally, fetches /api/v1/policies/effective, and caches the policy. If Cloud is unavailable, AgentGuard keeps enforcing with cached policy or the bundled default policy.
Prefer AGENTGUARD_API_KEY or an ignored .env.local file over passing secrets as CLI flags, because shell history can persist command-line arguments.
- Agent host sends tool metadata to agentguard protect.
- AgentGuard evaluates locally by default.
- Local audit is written to ~/.agentguard/audit.jsonl.
- Connected clients sync redacted audit events to /api/v1/events/ingest.
- require_approval creates /api/v1/approvals and blocks the action until reviewed.
Use AGENTGUARD_DECISION_MODE=cloud or agentguard protect --decision-mode cloud only when Cloud should be authoritative for a specific hook.
agentguard status
agentguard doctor
agentguard scan ./skills/example
agentguard protect --agent claude-code --action-type shell --tool-name Bash
For the full native API contract, see AgentGuard Cloud Native API.
The normal test suite uses mocks and never touches Cloud. To verify a real test environment, build first and pass credentials through your shell:
npm run build
AGENTGUARD_CLOUD_URL=https://your-agentguard-cloud.example.com \
AGENTGUARD_API_KEY=ag_live_xxxxx \
npm run test:cloud-live
You may also keep local-only credentials in an ignored .env.local file:
AGENTGUARD_CLOUD_URL=https://your-agentguard-cloud.example.com
AGENTGUARD_API_KEY=ag_live_xxxxx
Then run:
set -a
. ./.env.local
set +a
npm run test:cloud-live
Do not commit .env.local, .env, ~/.agentguard/config.json, or any real API key.
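One way to check a working tree against the two rules above (keep keys in an ignored .env.local, never commit a real key), as an added example that is not part of AgentGuard. The function names are hypothetical, and the key pattern assumes only the ag_live_ prefix shown on this page, treating runs of "x" after it as the placeholder.

```shell
#!/bin/sh
# Added example, not AgentGuard code. Assumption: real keys start with
# "ag_live_"; the rest of the key format is not documented on this page.

# Print each file under $1 that holds a non-placeholder ag_live_ token.
# .env and .env.local are skipped here: they are the intended home for the
# key and are covered by the ignore check in check_repo instead.
find_live_keys() {
    dir=$1
    find "$dir" -type f ! -path '*/.git/*' ! -path '*/node_modules/*' \
        ! -name .env ! -name .env.local | while IFS= read -r f; do
        # Extract every token, then drop placeholders such as ag_live_xxxxx.
        if grep -oE 'ag_live_[A-Za-z0-9_-]+' "$f" 2>/dev/null |
            grep -qvE '^ag_live_x+$'; then
            printf '%s\n' "$f"
        fi
    done
}

# Return non-zero if the env files are not ignored or a key appears elsewhere.
# The .gitignore test is a literal line match; inside a git checkout,
# `git check-ignore -q <path>` is the authoritative test.
check_repo() {
    dir=$1
    rc=0
    for name in .env.local .env; do
        if ! grep -qxF "$name" "$dir/.gitignore" 2>/dev/null; then
            echo "not ignored: $name"
            rc=1
        fi
    done
    leaks=$(find_live_keys "$dir")
    if [ -n "$leaks" ]; then
        echo "possible live key in:"
        echo "$leaks"
        rc=1
    fi
    return $rc
}
```

Run `check_repo .` from the repository root, for example from a pre-commit hook, and block the commit on a non-zero exit status.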