OpenGuardrailsOpenGuardrailsDocs

Instrument your own agent

The Hermes integration is a worked example, not a special case. Any agent framework connects to OGR the same way. If your framework exposes a tool/exec lifecycle, you can secure it.

pip install openguardrails   # the vendor-neutral reference runtime (zero deps)

The four steps

1. Find your interception points

Map your framework's hooks to OGR altitudes. You want, in priority order:

Most agent frameworks have at least the first two. Hermes exposed all four as plugin hooks, so no forking was needed.

2. Emit a GuardEvent at each point

Translate the hook's arguments into a GuardEvent. Mint a guard_id at the first altitude and propagate it (a guard-context) to the exec point so they correlate.

from openguardrails import GuardEvent, Provenance

ev = GuardEvent(
    kind="tool_call", observation_point="agent_hook",
    subject={"agent_id": "my-agent", "agent_type": "custom"},
    payload={"name": tool_name, "arguments": args},
    provenance=current_session_provenance(),   # trusted by default; untrusted if tainted
    guard_id=guard_id, session_id=session_id,
)

3. Evaluate against a Runtime

Build one Runtime from your policy.json and ask it for a decision.

from openguardrails import Runtime
from openguardrails.detectors.config_rules import ConfigRulesDetector
from openguardrails.detectors.llm_judge import LLMJudgeDetector

runtime = Runtime(
    detectors=[ConfigRulesDetector(policy["config_rules"]), LLMJudgeDetector()],
    policy=policy,
)
verdict = runtime.evaluate(ev)

4. Enforce the verdict

if verdict.decision not in ("allow", "modify", "redact"):
    return block(reason=verdict.reasons)   # your framework's "don't run this" path

At the sandbox altitude, "enforce" can also mean run the command under a real sandbox (srt / OpenShell) compiled from the same policy — so a rephrased command can't bypass the intent check.

Reference implementation

The Hermes plugin is ~250 lines and demonstrates all four steps:

Graceful degradation

If your framework has no sandbox, you still get the agent_hook altitude — OGR enforces on intent, and records that the adversary-proof layer was unavailable. Add a sandbox later without changing your policy.

Start from Configure a policy and adapt the bridge to your framework's hooks.