AI Agents Need Real-Time Guardrails. Here’s How We Built Timeplus AgentGuard.

A real-time detection and response engine that turns agent traces & tool call into signals and enforces decisions before execution

If you have shipped an AI coding agent into production lately, you already know the uneasy feeling. The agent reads your repo, runs shell commands, installs npm packages, calls third-party APIs. Every one of those steps is genuinely useful, and every one of them is a new attack surface that nobody on your security team has ever audited.

That gap is what AgentGuard is built to close.

AgentGuard is an open application that sits next to your agent fleet, ingests every hook event in real time, runs streaming SQL detection rules across them, and — when you ask it to — synchronously pauses dangerous tool calls until a human says yes. It runs on top of Timeplus, a streaming SQL engine, and currently supports three agent runtimes: OpenClaw, Claude Code, and Hermes.

In this article, I'll give you technical tour of how it works under the hood. If you'd like an intro to AgentGuard from our CEO Ting Wang, check out our announcement blog here, and the slide deck here. 

Is your existing security stack is the right shape?

Enterprise security tooling assumes a world where attacks are slow enough for humans to triage. That world is gone the moment you deploy autonomous agents.

A modern agent will identify a target, draft three exploit paths, and execute one of them in the time it takes you to open the alert. It will fan out hundreds of tool calls in parallel across a fleet. A single prompt injection inside a webpage your agent scraped can cascade into shell commands, file reads, and outbound HTTP — completing the kill chain before any SOC analyst has finished their coffee.

Traditional tools and layers were not designed for this physics:

The job AgentGuard takes on is machine-speed detection and prevention — sub-second, streaming, agent-native, and rule-customizable in plain SQL.

AgentGuard Architecture

Three layers. The agent ships events. Timeplus runs SQL on them. The Golang backend turns the result into a dashboard, an alert stream, and — for the synchronous case — a long-poll endpoint that holds the agent's tool call hostage until a human decides.

The interesting engineering is in how those three layers cooperate. Three pieces are worth zooming into.

Part 1: The CIM — write a rule once, run it everywhere

Every agent runtime exposes hooks under a different name with a different payload shape. OpenClaw fires llm_output. Claude Code emits an OTel log called api_request. Hermes calls it post_llm_call. The token count is at event_data.lastAssistant.usage.input in OpenClaw, at log_attributes['input_tokens'] in OTel, and at event_data.usage.input_tokens in Hermes.

If your detection rules had to know that, you would write three versions of every rule and maintain them forever. AgentGuard fixes this with a Common Information Model (CIM) — one normalized schema, populated by per-agent materialized views:

A mv_cim_claudecode, a mv_cim_openclaw, and a mv_cim_hermes MV each translate their agent's vocabulary into this schema and fan into the same stream. Downstream, every rule reads from agentguard_cim_event and never knows which runtime produced the row.

The economic effect is large: you write the Prompt Injection Shield rule once, and it applies to your Claude Code developers, your OpenClaw deployments, and your Hermes services on day one. New agent runtime? Add one MV; every rule you have already written keeps working.

Part 2: Detection rules are just streaming SQL

Every rule in AgentGuard is a CREATE MATERIALIZED VIEW that selects from agentguard_cim_event and inserts into agentguard_security_events. 

That is the entire abstraction. A rule is a SQL query that, every time a row arrives that matches it, writes a row into the security events stream. There is no DSL, no rule engine, no proprietary expression language. If you can read SQL, you can read an AgentGuard rule. If you can write SQL, you can write a custom one.

Out of the box, AgentGuard ships 130+ rules and here are some examples:

Rules can be enabled or disabled from the dashboard. You can fork them, replace them, add your own. There is also a SQL console (/investigate) so your security engineers can poke at the raw streams without leaving the app.

Part 3: The synchronous hold — pause an agent on its own hook

Detection is half the story. Prevention is the other half, and it is where AgentGuard does something most observability tools cannot: it can stop a tool call before it executes, and it does so without burning a single LLM token while it waits.

The mechanism rides on a quirk of every modern agent CLI: they all expose a synchronous PreToolUse (or before_tool_call, or pre_tool_call) hook. If your hook handler returns within the timeout, you get to vote allow or deny on the tool call. AgentGuard's plugin uses that vote to long-poll its own backend.

Here is the actual plugin code from agents/openclaw/agentguard-plugin/src/holds.ts:

const HOLD_TIMEOUT_MS = 540_000; // under any sane hook timeout

export async function requestHold(event, toolInput, config) {
  const url  = `${config.agentguardUrl}/api/holds`;
  const ctrl = new AbortController();
  const t    = setTimeout(() => ctrl.abort(), HOLD_TIMEOUT_MS);
  const resp = await fetch(url, {
    method:  "POST",
    headers: { "Content-Type": "application/json" },
    body:    JSON.stringify({ deployment_id, agent_id, session_id,
                              tool_name, tool_input, hook_payload }),
    signal:  ctrl.signal,
  });
  clearTimeout(t);
  return await resp.json() as HoldDecision;
}

Nine minutes of patience on the agent's side. On the AgentGuard side, the request kicks off this sequence:

While the human deliberates, the agent is asleep on the hook. The LLM is not generating. No tokens are burning. Every tool call in that session that matches the same rule will be gated by the same policy, because Decide() includes pre-existing open threats in its input — so one human "deny" can govern an entire session without you having to re-prompt every step.

Three policies per rule, set on the /rules/:id page:

• log_only — record the threat, never pause the agent. The default.

• auto_block — fire and deny without prompting a human. Use this for invariants you never want to negotiate.

• hold — pause for human Approve/Deny in the UI.

You pick the policy per rule. The Privilege Guard rule can be log_only in dev, hold in staging, auto_block in production. Same SQL. Same dashboard. Three behaviors.

Try it in Five Minutes

Run following docker command to quick try AgentGuard:

docker run -p 8080:8080 \
  -e TIMEPLUS_HOST=timeplus.example.com \
  ghcr.io/timeplus-io/agentguard:latest

That brings up AgentGuard. Open http://localhost:8080, walk the setup wizard to connect to your Timeplus instance, and the connect agent link will give you the install commands for OpenClaw, Claude Code, or Hermes. Detection rules are off by default — you turn them on per rule, set a block_policy, and watch the live threat feed on the dashboard.

AI agents have moved into the enterprise faster than most security teams have a story for. The honest answer is not to slow the agents down. It is to give your SecOps team a tool that runs at the same speed the agents do — streaming, SQL-customizable, hookable into the agent's own decision loop.

That is the bet AgentGuard makes. It is built on streaming SQL primitives anyone on your team can read, and it ships with enough out-of-the-box rules that you can be in active prevention mode in under thirty minutes. Then you write your own rules — because nobody knows your risk model better than you do.

Get started with AgentGuard: timeplus.com/agentguard 

Join our Slack: timeplus.com/slack