HOL Guard Features

Runtime control for AI coding agents, from one machine to a whole team.

See what Guard checks before an action runs, what stays local, what Guard Cloud adds, and how review, evidence, supply-chain protection, and fleet controls fit together.

Runtime interception

Guard evaluates actions before side effects occur.

Intercept

Runtime decision

Blocked before execution

Attempted action

Install @workspace/cli

npm install @workspace/cli --workspace

Why this was paused

The request reaches outside the current workspace policy before the package manager runs.

Matched policy / risk

Workspace package boundary

Medium risk

Attempted action

Install @workspace/cli

npm install @workspace/cli --workspace

Matched policy

Workspace package boundary

Decision

Blocked before execution

Redacted receipt

Recorded locally with an integrity hash. Raw detail is redacted.

Next action

The request remains available for a deliberate review decision.

Technical details

Receipt ID

receipt-marketing-intercept-1

Runtime capabilities

  • Launch interception and wrappers

    Installs supported harness launchers and wrappers so Guard can evaluate actions before they run.

    Claude CodeCodex CLICursorOpenCodeGemini CLIGoose
    LocalProTeam
  • Action controls

    Checks supported shell, file, MCP, skill, prompt-sensitive, and package actions before side effects.

    ShellFilesMCPSkillsPromptsPackages
    LocalProTeam
  • Safe Decode

    Inspects supported encoded command content without executing it.

    Encoded shell content
    LocalProTeam
  • Cloud-outage independence

    Continues local policy checks when Guard Cloud is unavailable.

    Local enforcement
    LocalProTeam

Policy and enforcement

Layered policy from a single machine to a whole team.

Proof rules

Each rule matches a condition and enforces an action. Rules are evaluated in order.

  • Block unknown package installsBlock

    Package is outside workspace policy and registry trust list.

  • Review new MCP server connectionsReview

    MCP server is not in the approved server list.

  • Warn on sensitive file accessWarn

    File path matches sensitive surface pattern.

  • Require re-approval for credential useRequires re-approval

    Credential has not been re-approved within the retention window.

  • Sandbox untrusted package installsSandbox required

    Package trust score is below the configured threshold.

  • Allow trusted tool executionAllow

    Tool is in the approved tool list and has a valid trust match.

  • Block network exfiltration attemptsBlock

    Network request targets a known exfiltration endpoint.

Policy capabilities

  • Local policy and project overrides

    Applies machine policy with project-level overrides for supported agent actions.

    Machine policyProject policy
    LocalProTeam
  • Local blocking and warnings

    Blocks denied actions and warns when policy requires a human decision.

    BlockWarnApproval
    LocalProTeam
  • Policy integrity tooling

    Detects and repairs supported policy integrity problems on the local machine.

    Policy verificationPolicy repair
    LocalProTeam
  • Policy suggestions

    Turns reviewed activity into suggested policy updates for an operator to accept or reject.

    Policy review
    ProTeam
  • Shared policy memory

    Shares reviewed policy decisions across authorized workspace members.

    Workspace policyDecision memory
    Team

Review and decisions

Pause, review, and decide with scoped actions that are signed and receipted.

Needs review

Requests waiting for a policy decision

D

npm install @workspace/cli

1d
Codex

Developer workstation

D

npm install review-queue-mcp

1d
Codex

Developer workstation

Selected request

Review a scoped package install

Guard paused a package change before the tool could run it.

Action
Review the scoped package request.
Actor / harness
Codex · Developer workstation
Policy reason
The package is outside the current workspace policy.
Scope
Workspace
Decision
Needs decision

Read-only proof. Actions are demonstrated in the review preview above.

Remembered decisions

  • Scoped package install recordedA previous package request was recorded with its decision context.
    Approved

Decision scopes

Each decision can be scoped from a single item to a team-wide policy rule.

  • ItemApplies to a single request only.
  • SessionApplies for the duration of the current session.
  • ProjectApplies within a project directory.
  • MachineApplies across all projects on a machine.
  • WorkspaceApplies across authorized workspace members.
  • TeamApplies across all machines in a team.
  • PolicyCreates a reusable policy rule from the decision.

Decision actions

Allow or block at each scope. Every action is signed and recorded with a receipt.

AllowBlockAllow onceAllow for sessionAllow for projectAllow for machineAllow for workspaceAllow for teamDeny for sessionDeny for projectDeny for machineDeny for workspaceDeny for teamCreate policy rule

Review capabilities

  • Decision memory

    Reuses scoped approval decisions across connected Guard sessions.

    ApprovalsDecision scopes
    ProTeam
  • Shared review and assignment

    Lets teams review and assign Guard requests in a shared workflow.

    Review queueAssignments
    Team

Evidence and history

Every decision is signed, receipted, and auditable. Sensitive fields are redacted.

Receipt summary

BlockYes

Package install blocked before execution. The request reaches outside the current workspace policy.

Timestamp

July 13, 2026 2:22 PM (UTC)

Actor

Guard operator

Harness

Codex CLI

Asset

@workspace/cli

Action

Package install

Decision

Blocked

Outcome

Blocked

Decision replay

Blocked package install outside workspace policy. Decision applies to future matching requests at workspace scope.

Approver
Guard operator
Confidence
high
Resulting scope
workspace
Policy
Workspace package boundary

Timeline and history

  • Package install blockedPackage install blocked before execution.July 13, 2026 2:22 PM (UTC)
  • Scoped package install approvedPrevious package request was approved for this workspace scope.July 13, 2026 11:52 AM (UTC)

Custody timeline

  1. captured

    Action intercepted before package manager execution.

    Guard runtime · July 13, 2026 2:22 PM (UTC)

  2. evaluated

    Matched workspace package boundary policy. Decision: block.

    Policy engine · July 13, 2026 2:22 PM (UTC)

  3. stored

    Receipt stored locally with integrity hash.

    Evidence store · July 13, 2026 2:22 PM (UTC)

Technical details

Receipt ID

rcpt-proof-7f3a2b8e1c

sha256:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2

Raw detail

[redacted]

Safe payload

{
  "action": "package-install",
  "asset": "@workspace/cli",
  "decision": "block",
  "policy": "Workspace package boundary",
  "redacted": true
}

Evidence capabilities

  • Receipts, explain output, and approval center

    Keeps local receipts and exposes policy explanations and pending approvals.

    ReceiptsExplainApproval center
    LocalProTeam
  • Cross-session and cross-device history

    Brings synchronized Guard activity together across connected sessions and machines.

    SessionsMachines
    ProTeam
  • Searchable activity

    Searches synchronized action and decision evidence in Guard Cloud.

    Action historyDecision history
    ProTeam
  • Incident summaries

    Groups relevant Guard evidence into incident summaries for investigation.

    Incidents
    ProTeam
  • Evidence exports

    Exports synchronized Guard activity for offline review and retention workflows.

    ActivityAudit evidence
    ProTeam
  • Shareable records

    Creates controlled records that teammates can use during review and response.

    Evidence records
    ProTeam
  • Cases and audit history

    Maintains team cases and an auditable history of supported administrative and review actions.

    CasesAudit history
    Team

Supply-chain protection

2 capabilities

Supply-chain review

An illustrative review state using Guard's shipped firewall capabilities.

Review required
  • MCP and Skill drift visibility

    Shows changes to connected MCP servers and skills so operators can review drift.

  • Cloud Firewall UI

    Reviews supported MCP, skill, and package changes in the Guard Cloud firewall.

  • MCP and Skill drift visibility

    Shows changes to connected MCP servers and skills so operators can review drift.

    MCP serversSkills
    ProTeam
  • Cloud Firewall UI

    Reviews supported MCP, skill, and package changes in the Guard Cloud firewall.

    MCPSkillsPackages
    ProTeam

Fleet controls and administration

7 capabilities

Machine continuity

  1. 01

    Enforce locally

    Policy checks stay on each protected machine.

  2. 02

    Pair securely

    Connect interactive machines, remote hosts, and CI runners.

  3. 03

    Route team work

    Bring connected evidence and review into shared workflows.

  • Machine pairing

    Connects a local Guard installation to Guard Cloud with a short-lived pairing flow.

    Interactive machines
    ProTeam
  • Headless pairing

    Connects supported remote and automated machines without an interactive browser on the host.

    Remote hostsCI runners
    ProTeam
  • Workspaces and roles

    Organizes Guard resources in workspaces with role-based access.

    WorkspacesRoles
    Team
  • Service principals

    Provides non-human workspace identities for supported automation.

    AutomationAPI access
    Team
  • Resource ownership

    Assigns accountable owners to supported Guard resources.

    MachinesPoliciesCases
    Team
  • Team billing and limits

    Manages workspace billing and plan limits for Guard Cloud teams.

    BillingUsage limits
    Team
  • Team administration and exports

    Provides workspace administration and supported team-level exports.

    AdministrationExports
    Team

Integrations

6 capabilities

Route the signal, keep the context

Guard review or incident

A supported event carries its evidence and policy context.

DigestNotificationSlackGitHubJiraPagerDutyEmailWebhooks
  • Digests and notifications

    Sends Guard activity digests and supported operational notifications.

    DigestNotification
    ProTeam
  • Slack integration

    Routes supported Guard notifications and review actions through Slack.

    Slack
    Team
  • GitHub integration

    Connects supported Guard review and evidence workflows with GitHub.

    GitHub
    Team
  • Jira integration

    Connects supported Guard case and review workflows with Jira.

    Jira
    Team
  • PagerDuty integration

    Routes supported Guard incidents into PagerDuty response workflows.

    PagerDuty
    Team
  • Email and webhook integrations

    Delivers supported Guard notifications through email and outbound webhooks.

    EmailWebhooks
    Team

Plans

Local enforcement is free and works without Cloud. Pro and Team add sync, alerts, and shared policy.

Free

$0/mo
Devices
1
Retention
7 days
Cloud sync
Not included
Team policy
Not included

Pro

3-day trial

$15/mo

$12/mo billed annually

Devices
5
Retention
180 days
Cloud sync
Included
Team policy
Not included

Team

3-day trial

$30/seat/mo

$24/mo billed annually

Devices
25
Retention
365 days
Cloud sync
Included
Team policy
Included

Enterprise

$0/mo
Devices
500
Retention
365 days
Cloud sync
Included
Team policy
Included

Compatibility

Guard installs on macOS, Linux, and Windows and supports the AI coding agents below.

Platforms

macOSLinuxWindows

Supported AI coding agents

Codex
Claude Code
OpenCode
Copilot CLI
Cursor
Gemini CLI
Hermes
OpenClaw
Antigravity
Kimi
Grok
Pi
Z Code

Security model

Guard is built for serious runtime security without harsh dashboarding or forced upgrade pressure.

Local-first enforcement

Policy checks run on your machine. Guard Cloud adds sync and team operations, but local enforcement works without it.

Action-level interception

Guard evaluates shell, file, MCP, skill, prompt-sensitive, and package actions before side effects occur.

Auditable evidence

Receipts, explanations, and approval decisions are captured locally and can be synchronized to Guard Cloud.

No forced upgrades

Local Guard is useful on its own. Cloud tiers add capabilities without degrading the local experience.

Risk-report privacy

Raw self-assessment answers are retained for up to 90 days. Private report links expire after 30 days. Report delivery does not opt you into marketing.

PrivacyTerms