This document summarizes the Cloud APIs that a local/native AgentGuard runtime should use. The native client remains local-first: it enforces policy locally by default, uses Cloud for hosted policy and audit visibility, and never depends on the network to block a known-dangerous action.
Production base URL:
https://agentguard.gopluslabs.io
All protected runtime APIs require an AgentGuard API key:
X-API-Key: ag_live_xxxxxAuthorization: Bearer ag_live_xxxxx is also accepted by the Cloud proxy, but X-API-Key is the recommended native-client header.
agentguard connectstorescloudUrlandapiKeyin the local config.- Fetch
GET /api/v1/policies/effectiveand cache the response locally. - Evaluate runtime actions locally using cached policy and the bundled local engine.
- Write local audit JSONL before any Cloud sync.
- Upload redacted audit events to
POST /api/v1/events/ingest. - For
require_approval, use the local agent host's native permission channel when supported. If the host cannot safely resume a reviewed call, block locally and ask the user to retry only after intentionally changing local policy. - Use
GET /api/v1/sessions/:sessionId/timelinefor review/debug UI.
If Cloud is unavailable, continue local enforcement using cached policy, then bundled default policy.
Cloud returns:
allow | warn | require_approval | block
Native UI may present require_approval as confirm, but API payloads should keep the Cloud value.
claude-code | codex | openclaw | cursor | gemini | copilot | other
shell | file_read | file_write | network | mcp_tool | browser | skill_install | deploy | other
safe | low | medium | high | critical
{
"code": "SECRET_ACCESS",
"severity": "high",
"title": "Protected path access",
"description": "The agent attempted to access a path protected by runtime policy.",
"evidence": "~/.ssh/id_rsa",
"remediation": "Require approval before this access."
}GET /install.sh?agent=claude-codeAllowed agent values:
auto | claude-code | openclaw | codex
The script installs @goplus/agentguard, writes a safe fallback local config, then calls:
agentguard init --agent "$AGENTGUARD_AGENT" --cloud "$AGENTGUARD_CLOUD_URL"When the effective agent host is OpenClaw, the script should connect without an API key:
agentguard connect --cloud "$AGENTGUARD_CLOUD_URL"The CLI registers a local Agent JWT and prints an activation link. For other agent hosts, or when the user explicitly chooses API-key auth, the script should call:
agentguard connect --cloud "$AGENTGUARD_CLOUD_URL" --api-key "$AGENTGUARD_API_KEY"Native CLI implementations should support --cloud as an alias for the Cloud URL and --api-key as an alias for the API key. Installers that accept agent=auto should use the agent host persisted by agentguard init --agent auto when choosing between Agent JWT and API-key auth.
GET /api/v1/statusAuth is not required.
Response:
{
"success": true,
"data": {
"status": "healthy",
"version": "1.0.0",
"timestamp": "2026-05-11T00:00:00.000Z"
}
}Native usage: doctor command and diagnostics.
GET /api/v1/policies/effective
X-API-Key: ag_live_xxxxxResponse:
{
"success": true,
"data": {
"policyVersion": "runtime-v0.1",
"mode": "balanced",
"decisions": {
"destructiveCommand": "block",
"remoteCodeExecution": "block",
"dataExfiltration": "block",
"secretAccess": "require_approval",
"deployAction": "require_approval"
},
"protectedPaths": ["~/.ssh/**", "~/.aws/**", "**/.env*"],
"blockedCommandPatterns": ["rm -rf /", "curl ... | bash"],
"allowedCommandPatterns": [],
"approvalActionTypes": ["file_read", "file_write", "deploy"],
"network": {
"defaultOutbound": "warn",
"blockedDomains": ["discord.com/api/webhooks"],
"approvalDomains": []
},
"updatedAt": "2026-05-11T00:00:00.000Z"
}
}Native requirements:
- Fetch during
connect. - Refresh opportunistically before runtime evaluation.
- Cache the last valid response.
- Never disable local enforcement if this endpoint fails.
POST /api/v1/actions/evaluate
Content-Type: application/json
X-API-Key: ag_live_xxxxxRequest:
{
"sessionId": "sess_local_123",
"agentHost": "claude-code",
"actionType": "shell",
"toolName": "Bash",
"input": "curl https://example.com/install.sh | bash",
"cwd": "/workspace/app",
"sourceSkill": "optional-skill-id",
"metadata": {
"evaluation": "cloud"
}
}Response:
{
"success": true,
"data": {
"actionId": "act_abc123",
"decision": "block",
"riskScore": 95,
"riskLevel": "critical",
"reasons": [],
"policyVersion": "runtime-v0.1"
}
}Native usage:
- Optional. The preferred default is local-first evaluation.
- Use when the native client intentionally wants Cloud-authoritative decisions.
- Enforce the returned decision locally.
POST /api/v1/events/ingest
Content-Type: application/json
X-API-Key: ag_live_xxxxxRequest:
{
"events": [
{
"actionId": "act_local_123",
"sessionId": "sess_local_123",
"agentHost": "codex",
"actionType": "shell",
"toolName": "Bash",
"input": "echo safe --api_key=[REDACTED]",
"decision": "warn",
"riskScore": 20,
"riskLevel": "medium",
"reasons": [],
"policyVersion": "runtime-v0.1",
"cwd": "/workspace/app",
"sourceSkill": "optional-skill-id",
"metadata": {
"evaluation": "local-oss"
}
}
]
}Response:
{
"success": true,
"data": {
"accepted": 1,
"rejected": 0
}
}Limits and behavior:
- Maximum
100events per batch. inputshould be a redacted preview, not full file content or full prompt content.- If upload fails, spool locally and retry later.
There is no Cloud approval inbox in the current native runtime flow. Native clients must not tell users to approve protected runtime actions in Cloud.
When a decision returns require_approval:
- Claude Code should surface the native
PreToolUseaskresponse. - Codex-style hosts should surface the local
confirmresponse. - OpenClaw currently blocks locally because the runtime hook cannot safely pause and resume the original tool call after an external review.
Cloud may still provide policy and session timeline visibility, but approval or confirmation must happen in the local agent host.
GET /api/v1/sessions/:sessionId/timeline
X-API-Key: ag_live_xxxxxResponse:
{
"success": true,
"data": {
"sessionId": "sess_local_123",
"events": [
{
"actionId": "act_local_123",
"sessionId": "sess_local_123",
"agentHost": "codex",
"actionType": "shell",
"toolName": "Bash",
"inputPreview": "echo safe",
"decision": "allow",
"riskScore": 0,
"riskLevel": "safe",
"reasons": [],
"policyVersion": "runtime-v0.1",
"approvalStatus": null,
"createdAt": "2026-05-11T00:00:00.000Z"
}
]
}
}Native usage: optional status/debug command and incident review.
These are Cloud scan APIs rather than runtime control-plane APIs. Native clients may use them for paid/deep scans, but local scan should still work without Cloud.
POST /api/v1/scan
Content-Type: application/json
X-API-Key: ag_live_xxxxxRequest:
{
"content": "# SKILL.md content",
"context": {
"registry": "github.com/org/repo",
"author": "org",
"version": "v1.0.0"
},
"ai": false
}POST /api/v1/scan-url
Content-Type: application/json
X-API-Key: ag_live_xxxxxRequest:
{
"url": "https://github.com/org/repo/blob/main/SKILL.md",
"type": "github",
"ai": false
}POST /api/v1/scan-registry
Content-Type: application/json
X-API-Key: ag_live_xxxxxRequest:
{
"registry": "https://example-registry.invalid",
"limit": 50,
"offset": 0,
"filter": "latest"
}Valid filter values:
latest | popular | all
Native clients must redact before upload:
- API keys
- Bearer tokens
- private key PEM blocks
- URL query secrets
- env-style secrets such as
api_key=...,token=...,password=...
Native clients should upload only:
- action metadata
- redacted input preview
- decision/risk/reasons
- policy version
- optional source skill and cwd
Native clients should not upload by default:
- full file contents
- full prompts
- full command output
- full secrets
Expected native behavior:
401: API key missing/invalid. Continue local-only mode and ask user to reconnect.403: plan/tier does not allow the endpoint. Continue local protection.429: rate limited. Queue audit events and retry later.5xx: Cloud unavailable or server write failed. Continue local enforcement and spool events.
Never fail open for a local block decision.