Guardian Runtime — Local-first governance & cost control

Your terminal AI agent
is leaking your secrets
to the cloud.

Terminal AI agents read your entire codebase for context — including .env files, database configs, and API keys — then ship it all to remote LLMs.
Guardian is the local firewall that intercepts every prompt before it leaves your machine.

$ pip install guardian-runtime
Star on GitHub View on PyPI
Python 3.9+ 109 tests passing OpenAI · Gemini · Claude Apache 2.0 Local-first
guardian proxy --log-level INFO
14:02:11
# Agent initiated request to remote LLM
14:02:12
Intercepting request [req_8f9a2b] for analysis...
14:02:12
Scanning 14,205 tokens of context...
14:02:13
[BLOCKED] Critical violation detected in prompt.
14:02:13
Rule: prevent_secret_leak
14:02:13
Match: Found sk-proj-49f2... in src/config/.env
14:02:13
Connection dropped. Secret safely contained locally.
Seamlessly protects your favorite terminal tools
The Reality

AI agents are powerful.
But they are reckless.

You give them access to your terminal and codebase. They read files to gain context. But they don't know the difference between a config file and a state secret.

⚠️

The Problem

When you ask an agent to "fix the database connection", it reads your config files, including .env. It then packages that entire context into a massive prompt and sends it to a remote LLM provider.

Your production database credentials, API keys, and customer PII just left your machine. You have zero visibility into what was sent.

# Inside the agent's hidden payload:
"Here is the context for the user's codebase:"
DATABASE_URL=postgres://user:secret@prod-db...
STRIPE_SECRET_KEY=sk_live_xxxxxxxxxxxx

The Solution

What if you had a local firewall sitting between your agent and the cloud?

Guardian Runtime intercepts HTTP requests from your agent on your local machine. It scans the prompt payload for secrets and PII using fast regex — no ML models required. If it's clean, it forwards it. If it contains a secret, it blocks the request instantly.

# Guardian intercepts on localhost:
[SCAN] Checking payload...
[MATCH] STRIPE_SECRET_KEY detected.
[ACTION] Request blocked. Secret contained locally.
Architecture

A transparent proxy.
Zero friction.

Guardian runs as a local HTTP server that mimics the APIs of popular LLM providers. Point your agent's base URL to localhost. The agent never knows the difference.

🤖

Terminal Agent

Cursor, Copilot, etc.

🛡️

Guardian Proxy

localhost:8080

☁️

Remote LLM

OpenAI, Anthropic, Gemini

Clean Prompt (Forwarded)
Secret / PII (Blocked)
Integration

Setup in 2 minutes

No Docker. No complex config. Just pip install and one environment variable.

1

Install & run the proxy

Terminal
# Install via pip
$ pip install guardian-runtime

# Start the local proxy
$ guardian proxy
⛨ Guardian Proxy listening on http://localhost:8080
2

Point your agent to localhost

Claude Code
Aider
Cursor
# For Anthropic-based agents
$ export ANTHROPIC_BASE_URL="http://localhost:8080"
$ claude
Toolkit

Built for control

Four layers of protection that work together silently in the background.

🔑

Secret & PII Blocking

Detects OpenAI, Anthropic, AWS, Stripe, Razorpay, GitHub keys and more. Also blocks PII like Aadhaar, PAN, SSNs, credit cards, emails, and phone numbers before they leave your machine.

# Intercepting prompt payload...
[MATCH] Found sk-proj-xxxx... in context
[MATCH] Found AADHAAR pattern in user message
[ACTION] Connection dropped locally. Zero data sent.
💸

FinOps & Cost Limits

Prevent agents from burning your budget in infinite loops. Set token limits per request, daily spend budgets, and per-session cost caps.

$10.00
Daily Budget Limit
📊

Local Observability

Run guardian logs to see what your agent is sending in real-time. All logs stored locally at ~/.guardian/logs/. Zero telemetry sent to our servers.

Prompt Optimization

Automatically compress agent prompts by stripping whitespace, deduplicating system messages, and trimming unnecessary chat history. Typical savings: 20–60%.

14,200
Original Tokens
~8,500
Optimized (−40%)