[bmdpat]
LIVE

Agent policy + audit. In your infra. MCP-native.

AgentGuard is the open-source governance layer for teams running AI agents in production. Self-hosted, MCP-aware, audit-ready.

5,000+ downloads3 starsMITMCP readyv1.2.10

Observed package downloads from PyPI, updated hourly. Counts include mirror noise filtered out where the upstream supports it. Downloads are a usage signal, not an adoption proof. A conservative floor is shown when every upstream is unavailable.

Open dashboardConnect MCPView on GitHub
1

Install the SDK

Put hard budget, loop, timeout, and rate limits inside the agent code that spends money.

2

Open the dashboard

Create a read key, keep event history, and see the traces your team needs later.

Create read key
3

Connect MCP

Let your coding agent ask AgentGuard for traces, alerts, usage, costs, and budget health.

Not sure what to guard?

Scan your agent idea first.

Describe the workflow, tools, users, and expected usage. The Agent Roadmap Scanner returns likely runtime risks, first guardrails, and where AgentGuard fits.

Run the scanner

MCP setup

Give your coding agent a read-only view of AgentGuard.

The MCP server does not replace the Python SDK. The SDK stops bad runs. The MCP server lets your editor inspect retained traces, alerts, usage, costs, and budget health after you connect a read key from the dashboard.

Claude Code / Claude Desktop
{
  "mcpServers": {
    "agentguard": {
      "command": "npx",
      "args": ["-y", "@agentguard47/mcp-server"],
      "env": {
        "AGENTGUARD_API_KEY": "ag_your_read_key_here"
      }
    }
  }
}
Cursor .cursor/mcp.json
{
  "mcpServers": {
    "agentguard": {
      "command": "npx",
      "args": ["-y", "@agentguard47/mcp-server"],
      "env": {
        "AGENTGUARD_API_KEY": "ag_your_read_key_here"
      }
    }
  }
}

Command

npx -y @agentguard47/mcp-server

Credential

Read-only ag_... API key

Tools

traces, alerts, usage, costs, budget health

Quickstart

Install it, trip a guard, then wire it into your agent.

AgentGuard is not magic middleware. You record usage where money or loops happen. When a limit trips, it raises an AgentGuardError with the reason.

1. Install

PyPI package name is agentguard47.

2. Prove local setup

Run the doctor before wiring your real agent.

agentguard doctor --json

3. Catch failures

Budget, loop, timeout, and rate guards raise before the run keeps spending.

except AgentGuardError as exc:
    print(f"stopped: {exc}")
minimal raw python
from agentguard import (
    AgentGuardError,
    BudgetGuard,
    LoopGuard,
    RateLimitGuard,
    TimeoutGuard,
    Tracer,
)

budget = BudgetGuard(max_calls=3)
loop = LoopGuard(max_repeats=3)
rate = RateLimitGuard(max_calls_per_minute=60)
timeout = TimeoutGuard(max_seconds=5)
tracer = Tracer(service="inbox-agent", guards=[rate])

try:
    with timeout:
        with tracer.trace("agent.run") as span:
            for step in range(5):
                budget.consume(calls=1)
                loop.check("search", {"query": "same query"})
                span.event("tool.call", data={"step": step, "tool": "search"})
except AgentGuardError as exc:
    print(f"AgentGuard stopped the run: {exc}")
openai wiring
from agentguard import AgentGuardError, BudgetGuard, LoopGuard, TimeoutGuard, Tracer
from agentguard.instrument import patch_openai
from openai import OpenAI

budget = BudgetGuard(max_cost_usd=2.00, max_calls=20)
loop = LoopGuard(max_repeats=3)
timeout = TimeoutGuard(max_seconds=300)
tracer = Tracer(service="support-agent")
patch_openai(tracer)

client = OpenAI()

try:
    with timeout:
        with tracer.trace("agent.openai") as span:
            for step in range(20):
                budget.consume(calls=1)
                span.event("agent.step", data={"step": step})
                response = client.chat.completions.create(
                    model="gpt-4o-mini",
                    messages=[{"role": "user", "content": "Summarize this inbox"}],
                )
                loop.check("chat.completions.create", {"step": step})
                print(response.choices[0].message.content)
                break
except AgentGuardError as exc:
    print(f"AgentGuard stopped the run: {exc}")

What it does

Agent policy, audit, and runtime guardrails. Self-hosted. MCP-aware. Works with the model providers and frameworks you already use.

MCP-aware policy

Allow or deny tool calls per declarative policy. Stop an agent from touching a tool you never approved.

from agentguard import PolicyGuard

policy = PolicyGuard.from_file("policy.yml")
policy.check_tool("github.delete_repo", args)

Audit log

Every decision, every payload digest, structured output. Replay what the agent did and why it was allowed.

from agentguard import Tracer

tracer = Tracer(service="inbox-agent", sink="jsonl:/var/log/agent.jsonl")
tracer.event("tool.call", data={"tool": "search"})

Multi-provider

Works with Anthropic, OpenAI, and local LLMs. Same policy, same audit, regardless of which model you call.

from agentguard.instrument import patch_openai, patch_anthropic

patch_openai(tracer)
patch_anthropic(tracer)

Budget + rate guardrails

Hard ceilings on spend, calls, and call rate. Raises before the run keeps spending.

from agentguard import BudgetGuard, RateLimitGuard

budget = BudgetGuard(max_cost_usd=5.00, max_calls=50)
rate = RateLimitGuard(max_calls_per_minute=60)

OpenTelemetry exporter

Feed your existing dashboard. Traces and metrics ship as OTLP to the collector you already run.

from agentguard.exporters import OtlpExporter

exporter = OtlpExporter(endpoint="http://otel-collector:4317")
tracer = Tracer(service="prod-agent", exporters=[exporter])

Compliance-friendly

No telemetry leaves your network unless you wire it. Self-hosted by default. Prompts and responses never leave your infra.

# Local JSONL sink, no outbound calls
tracer = Tracer(service="phi-agent", sink="jsonl:/secure/audit.jsonl")

Built for

Teams who need to prove what their agents did, not just hope they behaved.

Engineering in regulated industries

Healthcare, finance, government. Self-hosted policy + audit that meets your compliance review.

Platform teams shipping internal agents

One governance layer across every agent your developers deploy. MCP-aware out of the box.

Security and compliance reviewers

Approve agent deployments with confidence. Decision logs, payload digests, replayable history.

Use this when

  • Your agent can call paid APIs in a loop.
  • You need a hard ceiling on calls, cost, elapsed time, or call rate.
  • You are shipping agents across more than one framework.
  • You want local guardrails first and MCP visibility later.

Do not use this when

  • You only need prompt-injection defense.
  • You only need JSON schema or output validation.
  • You need human approval workflows before every action.
  • You need a JavaScript SDK today.
  • You expect the MCP server to enforce Python runtime guards by itself.

Open source, Pro, Team

The open source SDK and MCP server are always free. Pro and Team add the hosted dashboard, read keys, longer event history, and email alerts.

 Open sourceProTeam
PriceFree$39/mo$79/mo
Runtime guardsyesyesyes
Local telemetryyesyesyes
MIT licenseyesyesyes
Read-only MCP serverFree pkgRead keyTeam keys
Hosted dashboardnoyesyes
Event historyLocal500K5M
Users1110
Email alertsnoyesyes
Team visibilitynonoyes
pip install agentguard47Start trialStart trial

Want more like this?

AI agent builds, real costs, what works. M-F only when there is something worth sending. No fluff.

Why this exists

I wrote AgentGuard because the existing options all point at a different problem. Lakera is about prompt injection. Guardrails AI is about output validation. Platform-native guardrails ship with a single vendor and lock you in. None of them stop an agent from burning $200 of OpenAI credit in a runaway loop at 2 AM.

AgentGuard is runtime only. It sits between your code and the model, counts cost and tool calls and wall-clock time, and raises before you get the surprise bill. It works the same whether you're calling GPT-5, Claude, a local llama.cpp server, or something I haven't heard of yet.

I built it for my own agents. I run it on my autotrader and on the agents that post this blog. If it works for me at 2 AM, it should work for you.

FAQ

Do I need the SDK or the MCP server?
Use the SDK when you want hard runtime enforcement inside Python code. Use the MCP server when you want Claude Code, Cursor, Codex, or another MCP client to inspect retained traces, alerts, costs, and budget health from the hosted dashboard.
Why is the install name different from the import name?
Install `agentguard47` from PyPI. Import `agentguard` in Python. That is the public SDK module exposed by the package.
Why not use framework-native guardrails?
Framework guardrails usually handle model policy, tool schemas, or output validation. AgentGuard handles runtime failure: spend, repeated tool calls, call rate, and elapsed time. It is the layer you keep when you swap frameworks.
What data leaves my machine?
The OSS SDK does not need a network call to enforce guards. Trace events go to the sink you choose. If you use a local JSONL sink, they stay local. If you wire the hosted dashboard, send runtime metadata only. Do not put prompts or responses into trace data unless you intend to store them.
What is OSS and what is hosted?
The Python SDK and MCP server are open source. The hosted trial is for dashboards, retained event history, read API keys, and alerts when you want a product surface around runtime events.
Which stacks does this work with?
Raw Python works directly. The SDK also exposes OpenAI patching and integration modules for LangChain, LangGraph, and CrewAI. You still decide where tool calls, costs, and events are recorded.

Start the 14-day trial.

No credit card until day 14.

Start trial