What are the requirements for AI Runtime Guard?

AI Runtime Guard requires the following environment variables: AIRG_AGENT_ID (optional). You'll also need a compatible MCP client like Claude Desktop or Claude Code.

Is AI Runtime Guard free to use?

Yes, AI Runtime Guard is open source and free to use. You can find the source code on GitHub.

What MCP clients support AI Runtime Guard?

AI Runtime Guard works with any MCP-compatible client including Claude Desktop (Anthropic's official desktop app), Claude Code (CLI tool), Cursor, and other editors with MCP support.

How do I configure AI Runtime Guard?

Configure AI Runtime Guard by adding it to your MCP client's config file. For Claude Desktop, edit claude_desktop_config.json and add the server configuration. See the Configuration section above for a ready-to-use example.

AI Runtime Guard MCP Server

Q: How do I install AI Runtime Guard?

Install AI Runtime Guard by running: python -m pip install ai-runtime-guard

Local setup required. This server has to be cloned and prepared on your machine before you register it in Claude Code.

Set the server up locally

Run this once to clone and prepare the server before adding it to Claude Code.

Run in terminal

python -m pip install ai-runtime-guard

Register it in Claude Code

After the local setup is done, run this command to point Claude Code at the built server.

Run in terminal

claude mcp add ai-runtime-guard -- node "<FULL_PATH_TO_AI_RUNTIME_GUARD>/dist/index.js"

Replace <FULL_PATH_TO_AI_RUNTIME_GUARD>/dist/index.js with the actual folder you prepared in step 1.

README.md

Enforce a policy layer before any file or shell action takes effect.

ai-runtime-guard

Your agent can say anything. It can only do what policy allows.

AI agents with filesystem and shell access can delete files, leak credentials, or execute destructive commands, often without the user realizing it until it is too late.

ai-runtime-guard is an MCP server that sits between your AI agent and your system, enforcing a policy layer before any file or shell action takes effect. No retraining, no prompt engineering, no changes to your agent or workflow, just install, configure once, and your agent operates within the boundaries you set.

What it does

Blocks dangerous operations: rm -rf, sensitive file access, privilege escalation, and more are denied before execution.
Gates risky commands behind human approval (optional): configurable commands require explicit operator sign-off via a web GUI before the agent can proceed.
Simulates blast radius: wildcard operations like rm *.tmp are evaluated against real files before running, and blocked if they exceed a safe threshold.
Controls network behavior: configure command-level network policy with monitor-only mode, domain allowlist/denylist, and optional unknown-domain blocking.
Supports multi-agent policy isolation: apply per-agent policy overrides keyed by AIRG_AGENT_ID while keeping shared runtime controls.
Backs up before it acts: destructive or overwrite operations create automatic backups with full restore support.
Provides robust logging and reporting: all allowed/blocked actions are logged to activity.log and indexed into reports.db for dashboard/log views.

Current state

Policy management is available in the local GUI (commands, paths, extensions, network, advanced policy).
Agent management is available in the GUI (Settings -> Agents), including profile-based MCP config generation.
Per-agent policy overrides are supported and enforced by AIRG_AGENT_ID.
Full runtime visibility is available through activity.log and reports/dashboard views (reports.db).
Stable release notes are tracked in CHANGELOG.md, with in-progress work in docs/CHANGELOG_DEV.md.

Who it is for

Developers and power users running AI agents (Claude Desktop, Cursor, Codex, or any MCP-compatible client) who want guardrails on what the agent can actually do to their system.

Known boundary

AIRG enforces policy only for actions that pass through AIRG MCP tools.
Native client tools outside MCP (for example Claude Code Glob, Read, Write, Edit, Bash) are outside AIRG enforcement and can bypass workspace/path restrictions.
For AIRG policy boundaries to be effective, operators must disable native shell/file tools in the client using official configuration methods.
Treat this as a deployment requirement, not optional hardening.
For Claude Code, an MCP-only sample skill is provided at docs/mcp-only.md and can be saved to <workspace>/.claude/skills/mcp-only.md.

Design scope

AIRG is designed to reduce accidental damage from AI agent mistakes or hallucinations.
AIRG is not positioned as a full malicious-actor containment system.
Core controls:
- block high-risk destructive/exfiltration commands and paths
- enforce workspace boundaries
- gate mass/wildcard actions with simulation and budget limits
- optionally require human approval for selected risky actions
- automatically back up destructive/overwrite targets before applying changes
- log allowed/blocked actions and operator decisions to an audit trail

How it works

Python MCP server with policy-driven enforcement loaded from policy.json
Default profile is basic protection: severe actions blocked, everything else allowed
Advanced controls available for opt-in: simulation gating, human approval workflows, cumulative budget limits, and shell workspace containment modes (off/monitor/enforce)
Local web GUI for policy editing, approval management, and audit log review

Requirements

Python:

Required: Python >=3.10 (project package metadata enforces this).
Recommended on macOS: Python 3.12+ (Homebrew or python.org install).
macOS system Python 3.9 is often too old and may fail dependency install.

How to run

Quick start (package install):

python3 -m venv .venv-airg && source .venv-airg/bin/activate
python -m pip install --upgrade pip
python -m pip install ai-runtime-guard
airg-setup (guided) or airg-setup --defaults --yes (unattended defaults)
airg-doctor

For source-clone setup, TestPyPI flow, and advanced options, see `docs/INSTALL.md`.

What is optional

Web GUI is optional, but strongly recommended for policy operations, approvals, agent profile management, and reporting.
GUI background service (airg-service) is option

Environment Variables

AIRG_AGENT_IDUsed for per-agent policy overrides and isolation.

Configuration

claude_desktop_config.json

{"mcpServers": {"ai-runtime-guard": {"command": "python", "args": ["-m", "ai_runtime_guard"]}}}

Try it

→List the files in the current directory while ensuring the AI Runtime Guard policy is active.

→Execute a shell command to check system status, respecting the configured network and shell policies.

→Review the recent activity logs to see which agent actions were blocked by the runtime guard.

Frequently Asked Questions

What are the key features of AI Runtime Guard?

Blocks dangerous shell operations like rm -rf and unauthorized file access.. Gates risky commands behind human approval via a web GUI.. Simulates blast radius for wildcard operations to prevent accidental mass deletions.. Enforces command-level network policies including domain allowlisting.. Automatically creates backups for destructive or overwrite operations..

What can I use AI Runtime Guard for?

Preventing AI agents from accidentally deleting critical project files during development.. Restricting AI agents to specific workspace directories to avoid unauthorized system access.. Auditing agent behavior by logging all file and shell actions to a central database.. Requiring human sign-off before an agent executes high-risk system commands..

How do I install AI Runtime Guard?

Install AI Runtime Guard by running: python -m pip install ai-runtime-guard

What MCP clients work with AI Runtime Guard?

AI Runtime Guard works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.

Turn this server into reusable context

Keep AI Runtime Guard docs, env vars, and workflow notes in Conare so your agent carries them across sessions.

Need the old visual installer? Open Conare IDE.

Open Conare

View all ai-tools servers →