
Python runtime guardrails with MCP visibility.

AgentGuard is the MIT-licensed runtime layer for AI agents: enforce budget, loop, timeout, and rate limits in code, then inspect traces, alerts, usage, costs, and budget health through MCP when you need a dashboard.

Buy AgentGuard Pro at $39/mo after the 14-day trial. The free SDK stays local when you only need runtime enforcement.

  • 6,247+ downloads
  • 667 downloads / last month
  • 288 MCP downloads / last month
  • 3 GitHub stars
  • MIT
  • Claude Code, Cursor, and Codex MCP
  • MCP v0.2.2
  • v1.2.13

Observed package downloads, updated hourly. SDK totals use Pepy first, then Pypistats no-mirror overall data when Pepy is unavailable; SDK recent-month counts use Pypistats; MCP recent-month counts use npm. Downloads are a usage signal, not an adoption proof. Tracked copy is shown when metric upstreams are unavailable.


AgentGuard publishes a verified PyPI package, npm MCP package, official MCP Registry entry, MIT license, source repo, local proof commands, and no required hosted service for the first guarded run.

Source proof
Verified PyPI links
PyPI shows repository, docs, issues, and changelog links for bmdhodl/agent47.
Local proof
No key required
The SDK can run doctor, demo, quickstart, report, and incident commands locally.
Supply chain
MIT, Python 3.9+
The source repo declares the MIT license, and the PyPI package advertises Python 3.9+ support.
Runtime scope
Zero runtime deps
The core SDK keeps guardrails in-process instead of adding a required hosted service.

§ 001 / RUNTIME RISK

Agents stop being toys the first time they touch production.

Developers are right to start with scripts and demos. The risk starts when the same agent gets credentials, API budgets, database access, or a deploy path. AgentGuard is the boring runtime layer that fails closed before the run keeps moving.

Toy scripts become production systems

If an agent can spend money, call tools, or touch real data, it is no longer a toy script. It needs limits before the next run.

The bad run costs real money

If an agent can delete records, send email, merge code, or touch prod, missing runtime limits are a bug. Give the run a stop condition before damage keeps growing.

Prevention beats post-mortems

Observability tells you what happened after the run. AgentGuard raises inside the process before the bad run keeps going.

Runtime is the durable layer

Framework and provider checks are useful, but they move with each stack. AgentGuard keeps the runtime ceiling in your Python code.

1. Install the SDK

Put hard budget, loop, timeout, and rate limits inside the Python agent code that spends money.

2. Open the dashboard

Create a read key, keep event history, and see the traces your team needs later.

3. Connect MCP

Let Claude Code, Cursor, Codex, or another MCP client inspect traces, alerts, usage, costs, and budget health.

Not sure what to guard?

Scan your agent idea first.

Describe the workflow, tools, users, and expected usage. The Agent Roadmap Scanner returns likely runtime risks, first guardrails, and where AgentGuard fits.


MCP setup

Give your coding agent a read-only view of AgentGuard.

The MCP server does not replace the Python SDK. The SDK stops bad runs. The MCP server lets your editor inspect retained traces, alerts, usage, costs, and budget health after you connect a read key from the dashboard.

Claude Code / Claude Desktop
{
  "mcpServers": {
    "agentguard": {
      "command": "npx",
      "args": [
        "-y",
        "@agentguard47/mcp-server"
      ],
      "env": {
        "AGENTGUARD_API_KEY": "ag_your_read_key_here"
      }
    }
  }
}
Cursor (.cursor/mcp.json)
{
  "mcpServers": {
    "agentguard": {
      "command": "npx",
      "args": [
        "-y",
        "@agentguard47/mcp-server"
      ],
      "env": {
        "AGENTGUARD_API_KEY": "ag_your_read_key_here"
      }
    }
  }
}

Command

npx -y @agentguard47/mcp-server

Credential

Read-only ag_... API key

Tools

traces, alerts, usage, costs, and budget health

Quickstart

Install it, trip a guard, then wire it into your agent.

AgentGuard is not magic middleware. You record usage where money or loops happen. When a limit trips, it raises an AgentGuardError with the reason.

1. Install

Install `agentguard47` from PyPI. Import `agentguard` in Python. That is the public SDK module exposed by the package.

macOS/Linux venv

Use when a project virtual environment is active and you want pip tied to that Python interpreter.

Windows venv

Use the Python launcher on Windows when it selects the environment you run.

uv project

Use in a uv-managed project to add AgentGuard to pyproject.toml.

Short pip

Use when pip already points at the Python environment your agent runs in.

Or install via the Claude Code skill / Codex skill / Markdown install guide.

2. Prove local setup

Run the doctor before wiring your real agent.

agentguard doctor --json

3. Catch failures

Budget, loop, timeout, and rate guards raise before the run keeps spending.

except AgentGuardError as exc:
    print(f"stopped: {exc}")
Minimal raw Python
from agentguard import (
    AgentGuardError,
    BudgetGuard,
    LoopGuard,
    RateLimitGuard,
    TimeoutGuard,
    Tracer,
)

budget = BudgetGuard(max_calls=3)
loop = LoopGuard(max_repeats=3)
rate = RateLimitGuard(max_calls_per_minute=60)
timeout = TimeoutGuard(max_seconds=5)
tracer = Tracer(service="inbox-agent", guards=[rate])

try:
    with timeout:
        with tracer.trace("agent.run") as span:
            for step in range(5):
                budget.consume(calls=1)
                loop.check("search", {"query": "same query"})
                span.event("tool.call", data={"step": step, "tool": "search"})
except AgentGuardError as exc:
    print(f"AgentGuard stopped the run: {exc}")
OpenAI wiring
from agentguard import AgentGuardError, BudgetGuard, LoopGuard, TimeoutGuard, Tracer
from agentguard.instrument import patch_openai
from openai import OpenAI

budget = BudgetGuard(max_cost_usd=2.00, max_calls=20)
loop = LoopGuard(max_repeats=3)
timeout = TimeoutGuard(max_seconds=300)
tracer = Tracer(service="support-agent")
patch_openai(tracer)

client = OpenAI()

try:
    with timeout:
        with tracer.trace("agent.openai") as span:
            for step in range(20):
                budget.consume(calls=1)
                span.event("agent.step", data={"step": step})
                response = client.chat.completions.create(
                    model="gpt-4o-mini",
                    messages=[{"role": "user", "content": "Summarize this inbox"}],
                )
                loop.check("chat.completions.create", {"step": step})
                print(response.choices[0].message.content)
                break
except AgentGuardError as exc:
    print(f"AgentGuard stopped the run: {exc}")
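As an added illustration, not code from the AgentGuard package, here is a stand-alone model of the fail-closed pattern the quickstart relies on: a budget ceiling that refuses the over-limit call before it is recorded, and a repeat detector that keys on a digest of the tool name and arguments so the same query fired in a loop trips after `max_repeats`. The names `GuardTripped`, `BudgetCeiling`, `RepeatDetector` and `run_agent` are hypothetical, and the agent steps are constructed sample input.

```python
import hashlib
import json


class GuardTripped(Exception):
    """Raised before the run is allowed to continue (fail closed)."""


class BudgetCeiling:
    """Hard ceiling on call count and spend; the call that would exceed it is never counted."""

    def __init__(self, max_calls, max_cost_usd):
        self.max_calls = max_calls
        self.max_cost_usd = max_cost_usd
        self.calls = 0
        self.cost_usd = 0.0

    def consume(self, calls=1, cost_usd=0.0):
        # Check first, record second: an over-budget call must not be booked as allowed.
        if self.calls + calls > self.max_calls:
            raise GuardTripped(f"call ceiling {self.max_calls} reached")
        if self.cost_usd + cost_usd > self.max_cost_usd:
            raise GuardTripped(f"cost ceiling ${self.max_cost_usd:.2f} reached")
        self.calls += calls
        self.cost_usd += cost_usd


class RepeatDetector:
    """Trips when one tool is called with identical arguments more than max_repeats times in a row."""

    def __init__(self, max_repeats):
        self.max_repeats = max_repeats
        self.last_key = None
        self.streak = 0

    def check(self, tool, args):
        # Digest canonical JSON of the call, so the repeat key never stores the raw arguments.
        key = hashlib.sha256((tool + json.dumps(args, sort_keys=True)).encode()).hexdigest()
        self.streak = self.streak + 1 if key == self.last_key else 1
        self.last_key = key
        if self.streak > self.max_repeats:
            raise GuardTripped(f"{tool} repeated {self.streak} times with identical arguments")


def run_agent(steps, max_calls=10, max_cost_usd=1.00, max_repeats=3):
    """Simulated agent loop over (tool, args, cost_usd) steps. Returns (completed_steps, stop_reason)."""
    budget = BudgetCeiling(max_calls=max_calls, max_cost_usd=max_cost_usd)
    repeats = RepeatDetector(max_repeats=max_repeats)
    done = 0
    try:
        for tool, args, cost in steps:
            budget.consume(calls=1, cost_usd=cost)  # guards run before the tool call, not after
            repeats.check(tool, args)
            done += 1
    except GuardTripped as exc:
        return done, str(exc)
    return done, None
```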

What it does

Agent policy, audit, and runtime guardrails. Self-hosted. MCP-aware. Works with the model providers and frameworks you already use.

MCP-aware policy

Allow or deny tool calls per declarative policy. Stop an agent from touching a tool you never approved.

from agentguard import PolicyGuard

policy = PolicyGuard.from_file("policy.yml")
args = {"owner": "example-org", "repo": "demo"}  # example tool arguments
policy.check_tool("github.delete_repo", args)

Audit log

Every decision, every payload digest, structured output. Replay what the agent did and why it was allowed.

from agentguard import Tracer

tracer = Tracer(service="inbox-agent", sink="jsonl:/var/log/agent.jsonl")
tracer.event("tool.call", data={"tool": "search"})

Multi-provider

Works with Anthropic, OpenAI, and local LLMs. Same policy, same audit, regardless of which model you call.

from agentguard import Tracer
from agentguard.instrument import patch_openai, patch_anthropic

tracer = Tracer(service="multi-provider-agent")
patch_openai(tracer)
patch_anthropic(tracer)

Budget + rate guardrails

Hard ceilings on spend, calls, and call rate. Raises before the run keeps spending.

from agentguard import BudgetGuard, RateLimitGuard

budget = BudgetGuard(max_cost_usd=5.00, max_calls=50)
rate = RateLimitGuard(max_calls_per_minute=60)

OpenTelemetry exporter

Feed your existing dashboard. Traces and metrics ship as OTLP to the collector you already run.

from agentguard import Tracer
from agentguard.exporters import OtlpExporter

exporter = OtlpExporter(endpoint="http://otel-collector:4317")
tracer = Tracer(service="prod-agent", exporters=[exporter])

Compliance-friendly

No telemetry leaves your network unless you wire it. Self-hosted by default. Prompts and responses never leave your infra.

from agentguard import Tracer

# Local JSONL sink, no outbound calls
tracer = Tracer(service="phi-agent", sink="jsonl:/secure/audit.jsonl")
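As an added example, not code from the AgentGuard package, the digest-only audit pattern behind the audit-log feature and the compliance note above: a JSONL sink that retains runtime metadata plus a SHA-256 digest of prompt and response fields, never their text, and a replay check that confirms a retained digest against a payload still held locally. The function names and the `REDACT_FIELDS` set are assumptions, and `demo()` builds a constructed sample event.

```python
import hashlib
import io
import json

REDACT_FIELDS = {"prompt", "response", "messages"}  # raw model text stays out of the trace


def digest(value):
    """Stable SHA-256 over canonical JSON, so identical payloads compare equal across runs."""
    canonical = json.dumps(value, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def record_event(sink, name, data, decision="allow"):
    """Write one JSONL audit line: metadata and digests, never the prompt or response body."""
    safe, digests = {}, {}
    for key, value in data.items():
        if key in REDACT_FIELDS:
            digests[key] = digest(value)  # keep a fingerprint, drop the content
        else:
            safe[key] = value
    line = {"event": name, "decision": decision, "data": safe, "digests": digests}
    sink.write(json.dumps(line, sort_keys=True) + "\n")
    return line


def verify_replay(sink_text, name, field, original_payload):
    """Replay check: does the retained digest match a payload the operator holds locally?"""
    for raw in sink_text.splitlines():
        entry = json.loads(raw)
        if entry["event"] == name and field in entry["digests"]:
            return entry["digests"][field] == digest(original_payload)
    return False


def demo():
    """Constructed sample: one tool call whose prompt stays local while its digest is retained."""
    sink = io.StringIO()
    line = record_event(
        sink, "tool.call", {"tool": "search", "step": 0, "prompt": "Summarize this inbox"}
    )
    return sink.getvalue(), line
```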

Built for

Teams who need to prove what their agents did, not just hope they behaved.

Engineering in regulated industries

Healthcare, finance, government. Self-hosted policy + audit that meets your compliance review.

Platform teams shipping internal agents

One governance layer across every agent your developers deploy. MCP-aware out of the box.

Security and compliance reviewers

Approve agent deployments with confidence. Decision logs, payload digests, replayable history.

Use this when

  • Your agent can call paid APIs in a loop.
  • You need a hard ceiling on calls, cost, elapsed time, or call rate.
  • You are shipping agents across more than one framework.
  • You want local guardrails first and MCP visibility later.

Do not use this when

  • You only need prompt-injection defense.
  • You only need JSON schema or output validation.
  • You need human approval workflows before every action.
  • You need a runtime SDK outside Python.
  • You expect the MCP server to enforce Python runtime guards by itself.

Open source, Pro, Team

The open source SDK and MCP server are always free. Pro and Team add the hosted dashboard, read keys, longer event history, and email alerts.

                      | Open source               | Pro                | Team
Price                 | Free                      | $39/mo             | $79/mo
Runtime guards        | yes                       | yes                | yes
Local telemetry       | yes                       | yes                | yes
MIT license           | yes                       | yes                | yes
Read-only MCP server  | Free pkg                  | Read key           | Team keys
Hosted dashboard      | no                        | yes                | yes
Event history         | Local                     | 500K               | 5M
Users                 | 1                         | 1                  | 10
Email alerts          | no                        | yes                | yes
Team visibility       | no                        | no                 | yes
Get started           | pip install agentguard47  | Start 14-day trial | Start 14-day trial


Why this exists

I wrote AgentGuard because the existing options all point at a different problem. Lakera is about prompt injection. Guardrails AI is about output validation. Platform-native guardrails ship with a single vendor and lock you in. None of them stop an agent from burning $200 of OpenAI credit in a runaway loop at 2 AM.

AgentGuard is runtime only. It sits between your code and the model, counts cost and tool calls and wall-clock time, and raises before you get the surprise bill. It works the same whether you're calling GPT-5, Claude, a local llama.cpp server, or something I haven't heard of yet.

I built it for my own agents. I run it on my autotrader and on the agents that post this blog. If it works for me at 2 AM, it should work for you.

FAQ

Do I need the SDK or the MCP server?
Use the SDK when you want hard runtime enforcement inside Python code. Use the MCP server when you want Claude Code, Cursor, Codex, or another MCP client to inspect retained traces, alerts, costs, and budget health from the hosted dashboard.
Why is the install name different from the import name?
Install `agentguard47` from PyPI. Import `agentguard` in Python. That is the public SDK module exposed by the package.
Why not use framework-native guardrails?
Framework guardrails usually handle model policy, tool schemas, or output validation. AgentGuard handles runtime failure: budget, loop, timeout, and rate limits. It is the layer you keep when you swap frameworks.
What data leaves my machine?
The OSS SDK does not need a network call to enforce guards. Trace events go to the sink you choose. If you use a local JSONL sink, they stay local. If you wire the hosted dashboard, send runtime metadata only. Do not put prompts or responses into trace data unless you intend to store them.
What is OSS and what is hosted?
The Python SDK and MCP server are open source. The hosted trial is for dashboards, retained event history, read API keys, and alerts when you want a product surface around runtime events.
Is this a one-person product?
AgentGuard is a one-developer product by design: small surface, local-first SDK, public docs, and no custom integration promises. Paid plans cover the hosted dashboard, retained events, alerts, and team visibility.
Which stacks does this work with?
Raw Python works directly. The SDK also exposes modules for OpenAI, LangChain, LangGraph, and CrewAI. You still decide where tool calls, costs, and events are recorded.

Start the 14-day trial.

No credit card until day 14.
