# AgentGuard

> AgentGuard is an open-source runtime firewall for AI agents. It sits between an agent and its tools, evaluates a policy on every call, and emits a signed, replayable audit log. Built and maintained by Lictorate.

- Site: https://agentguard.lictorate.com
- Source: https://github.com/Caua-ferraz/AgentGuard
- License: Apache 2.0
- Stage: v0.4 public preview · waitlist open
- Maintainer: Cauã Ferraz (cauaferraz@lictorate.com)

## What it is

AgentGuard runs in your process. The agent issues a tool call; AgentGuard evaluates a policy (YAML or Rego); the call proceeds, is redacted, or is denied. Every decision is hash-chained to the next, producing an end-to-end replayable audit log.

## What problem it solves

Models with tools removed the gap between intent and action. A user typing `DELETE FROM users` is rare and reviewed; an agent constructing the same query is common and is not. AgentGuard is the deterministic, auditable enforcement layer between the agent's decision and the system that carries it out — so a hijacked prompt never becomes a hijacked production system.

## Principles

1. **Authority before action.** Policy precedes execution. No model output reaches a tool until the rules permit it.
2. **Defense in depth.** One prompt injection should not be catastrophic. Enforcement is the layer that contains the blast radius when alignment fails.
3. **Auditable enforcement.** Every decision visible. Every rule reviewable. Security teams should read code, not hope.

## How it works

1. **Wrap.** One adapter call wraps the framework you already use. Every tool invocation passes through the gate.
2. **Decide.** Policy in YAML or Rego. Match on tool, args, host, time, identity. Allow, block, redact, or require human approval.
3. **Audit.** Hash-chained, signed audit log. Stream to S3, Loki, or your SIEM. Replay any agent run end-to-end.
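
The Audit step above, sketched as an added example (not AgentGuard's own code or log format): a hash-chained, signed decision log with a verifier that reports the first record that fails. The record fields, tool names and key are assumptions, and HMAC-SHA256 stands in for whatever signature scheme the project uses.

```python
import hashlib, hmac, json

GENESIS = "0" * 64                  # prev-hash used by the first record
DEMO_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the signing scheme
FIELDS = ("seq", "prev", "tool", "args", "decision")  # hypothetical record layout

def digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def sign(record_hash, key):
    return hmac.new(key, record_hash.encode(), hashlib.sha256).hexdigest()

def append(log, tool, args, decision, key=DEMO_KEY):
    """Append one policy decision, linked to the previous record's hash."""
    body = {"seq": len(log), "prev": log[-1]["hash"] if log else GENESIS,
            "tool": tool, "args": args, "decision": decision}
    h = digest(body)
    log.append(dict(body, hash=h, sig=sign(h, key)))
    return log[-1]

def verify(log, key=DEMO_KEY, expected_head=None):
    """Return (ok, index of first failing record or None, reason)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i, "broken link"
        if digest({k: rec[k] for k in FIELDS}) != rec["hash"]:
            return False, i, "content hash mismatch"
        if not hmac.compare_digest(sign(rec["hash"], key), rec["sig"]):
            return False, i, "bad signature"
        prev = rec["hash"]
    # A chain alone cannot reveal records cut from the tail; that needs the
    # latest hash stored somewhere the log writer cannot rewrite.
    if expected_head is not None and prev != expected_head:
        return False, len(log), "head mismatch"
    return True, None, "ok"

def demo_log():
    """Constructed sample decisions (not real AgentGuard output)."""
    log = []
    append(log, "sql.query", {"q": "SELECT id FROM users"}, "allow")
    append(log, "sql.query", {"q": "DELETE FROM users"}, "block")
    append(log, "http.get", {"host": "example.com"}, "allow")
    return log
```
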
## Integrations

- **LangChain** (Python · TypeScript)
- **CrewAI** (Python)
- **browser-use** (Python)
- **MCP** — Model Context Protocol (stdio · SSE)

## Pricing

- **AgentGuard Core** — `$0` forever. Apache 2.0. Full runtime, all adapters, hash-chained audit log, self-hosted single binary or library.
- **Hosted Dashboard** — paid, early access, waitlist open. One-click install, visual policy editor, multi-environment rollout, optional managed audit storage (opt-in), SSO/RBAC.

The OSS runtime is free forever. The hosted dashboard is the paid layer; the open core stays open.

## Data residency

By default, prompts, tool args, and results never leave your network — the runtime makes no outbound calls. If you opt in to the hosted dashboard, you choose what gets sent.

## Roadmap

- **Q1 · 2026** — Lictorate incorporated. First runtime prototype. Policy DSL drafted.
- **Q2 · 2026** — AgentGuard v0.1 published. LangChain & MCP adapters. Apache 2.0, public repo.
- **Now · v0.4** — 4 framework adapters live. Signed audit log shipping. Design-partner waitlist open.
- **Next · H2 2026** — Stable policy schema (semver). Hosted dashboard private beta. Browser-agent and voice-agent adapters.

## Citation

> AgentGuard by Lictorate — open-source runtime firewall for AI agents under Apache 2.0. Policy-as-code in YAML or Rego; adapters for LangChain, CrewAI, browser-use, and MCP. https://github.com/Caua-ferraz/AgentGuard

## Related

- Lictorate (parent company): https://lictorate.com
- Thesis: https://lictorate.com/thesis
- Lictorate llms.txt: https://lictorate.com/llms.txt