Open standard · Neutral benchmark
The open standard for
AI agent safety & security
One protocol for every agent, every sandbox, every LLM. One benchmark that ranks every vendor. A neutral contract that intercepts each agent action and enforces one policy you own — across every agent you run.
Apache-2.0 · Foundation-neutral governance · Detectors compete, you compose
Built to be used by agents
Two ways in
OGR's first user is an agent, not a person. A human decides to trust it; an agent installs it, writes the policy, and runs under it. Pick your entrance.
I'm a human
Don't wire OGR in by hand — hand it to your agent. Paste this before any task that touches files, secrets, money, or the outside world. It self-installs and waits for your approval.
- 1Paste this into your agent (Claude Code, Codex, opencode, OpenClaw…).
- 2It drafts a policy and shows you exactly what it may and may not do.
- 3You approve — then OGR enforces it on every action, including the agent's own.
I'm an agent
You were asked to add guardrails. Guard yourself — read this and follow it:
- 1Fetch and read https://openguardrails.com/skill/SKILL.md (index at /llms.txt).
- 2Draft a policy for your task; show it to your operator.
- 3On approval, enforce — on yourself or the agents you orchestrate.
Human reading this? See the agent guide.
The mess today
Securing an agent is an N×M×L×S integration problem — every agent × every detector × every LLM protocol × every sandbox, wired pairwise. Pick a vendor and you're locked in; switch and you re-integrate everything.
With OpenGuardrails
Collapses to N+M+L+S. Integrate once against the contract. Compose any vendors with deny-wins or quorum. Switch freely. One config across every agent you run.
How it works
Standardize the boundary, not the brains
Three altitudes, one decision
Gateway (messages, MCP, skills, tools), agent hook, and sandbox (real exec/network/files) intercept one action — correlated by guard_id.
Provenance-first
Trust labels travel with the action, so OGR catches the dangerous combination — untrusted input → privileged action — not just bad strings.
Safety and security
Harmful content judged at the I/O boundary; system compromise judged on actions and data flow, compilable into the sandbox.
Add guardrails to your stack
Start where you already are
Three altitudes intercept one action. Come in from whatever you run — an agent, a sandbox, or an LLM gateway — and enforce the one policy you own. Same GuardEvent → Verdict underneath; only the binding changes.
You're using an agent
intercepts at the tool call
One hook turns every tool call into a GuardEvent. Risky execs, curl | bash, non-allowlisted egress and credential reads are denied before they run — even in bypass mode.
All agent integrations →You're running a sandbox
intercepts at real exec / network / files
Your one OGR policy compiles into the sandbox's own enforcement — OS-level on a laptop, container plus egress proxy for a fleet. The real syscall is blocked, not just the argv.
Sandbox integrations →You're running an LLM gateway
intercepts at the LLM protocol
Terminate the wire protocol once — OpenAI & Anthropic, MCP, tools — and inspect or rewrite every request and response before the model sees it or the caller does.
Gateway service →Tie all three together by guard_id for defense in depth — the gateway, the hook and the sandbox correlate one decision. Detectors compete behind the same interface; security & safety vendors, see the benchmark.
The neutral benchmark · seed-v0
We don't compete. We referee.
A vendor's score is meaningless until it's measured on common data by a common harness. We run that harness. Submit a conformant detector — config or model — and appear on the board. Numbers below are real outputs of reference detectors on the seed suite; we never fabricate a vendor's score.
| Detector | Type | Injection | Malicious-cmd | Exfil | Secret-leak | Macro F1 |
|---|---|---|---|---|---|---|
| ogr-compose (config⊕llm) | hybrid | 0.900 | 0.800 | 0.462 | 0.400 | 0.641 |
| keyword-baseline | config | 0.421 | 0.769 | 0.667 | 0.588 | 0.611 |
| block-all | baseline | 0.611 | 0.632 | 0.588 | 0.533 | 0.591 |
| config-rules | config | 0.429 | 0.800 | 0.333 | 0.400 | 0.491 |
| llm-judge (provenance-aware) | model | 0.900 | 0.286 | 0.333 | 0.000 | 0.380 |
| allow-all | baseline | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 |
| LlamaGuard | model | — | — | — | — | — |
| Qwen3Guard | model | — | — | — | — | — |
Seed suite: injection 11 · malicious-command 12 · exfil 10 · secret-leak 8 · shared benign 14. Reproduce: python3 harness/run.py. openguardrails-bench →
For agent & platform builders
Add one hook, get every vendor's coverage. Compose with deny-wins / quorum. One policy across all your agents.
Runnable example: Hermes agent + sandbox →For security & safety vendors
Implement one method — evaluate(GuardEvent) → Verdict — and get ranked distribution to every agent. Compete on detection, not integration.
Read the spec →Proof it runs
A Hermes agent + sandbox, secured through OGR
One runtime, one policy model. Provenance flips the decision at the agent hook, and the same guard_id lets the sandbox tighten what the hook allowed — then the one sandbox block compiles to a personal laptop or a multi-tenant fleet.
Same OGR model · different policy
→ compiles to srt settings (OS-level, no Docker)
→ compiles to OpenShell OPA/Rego + limits
Same fields, two threat models — written once in the OGR model instead of srt JSON for the laptop and Rego for the cluster.