Ardur Personal Hub

Ardur Personal is the local product shape for regular users. It protects local AI-agent actions where Ardur owns the tool boundary, and it labels everything else honestly as observed or unknown.

The first release-candidate path is Claude Code.

First Run

Install Ardur with its Python dependencies:

cd <ardur-repo>
pip install -e python/
ardur --version

Create a simple guardrail file:

ardur profile init --template read-only --path ARDUR.md

Edit ARDUR.md if needed:

# Ardur Guardrails
Mode: read only
Mission: Review this project without changing files or running commands.
Protect folder: .
Max tool calls: 100
Duration: 1d

## Allow
- Read files
- Search files

## Block
- Run shell commands
- Edit files
- Write files

Turn on Claude Code protection:

ardur protect claude-code --profile ARDUR.md

Start Claude Code with the exact command Ardur prints. It includes VIBAP_HOME=... so the hook can find the active passport and the Python environment where Ardur is installed:

VIBAP_HOME=/path/to/.vibap claude --plugin-dir /path/to/plugins/claude-code

Before using it, check for missing tools, missing plugin files, or a missing active passport:

ardur doctor-claude-code

If claude is missing, install Claude Code first. If plugin files are missing, use the checked-in plugins/claude-code directory or reinstall Ardur from a complete release artifact.

Options Users Can Choose

  • read-only: review code without editing files or running commands.
  • safe-coding: edit files inside the protected folder, but block shell commands.
  • ARDUR.md: plain Markdown profile for the same settings, suitable for non-technical users.
  • Advanced CLI flags: ardur protect claude-code --scope . --mode read-only and ardur protect claude-code --scope . --mode safe-coding.

The Markdown profile compiles into the same Mission Passport and receipt path as advanced CLI setup. No policy capability is removed.
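A profile lint to run before ardur protect claude-code, as an added example (not Ardur's own parser and not part of its CLI): it reads an ARDUR.md in the layout shown under First Run and reports contradictions between Mode, Allow and Block. The function names, the MUTATING set and the rule that a read-only profile should block those actions explicitly are assumptions of this example.

```python
# Constructed sample: the read-only profile shown under First Run on this page.
SAMPLE = """\
# Ardur Guardrails
Mode: read only
Mission: Review this project without changing files or running commands.
Protect folder: .
Max tool calls: 100
Duration: 1d

## Allow
- Read files
- Search files

## Block
- Run shell commands
- Edit files
- Write files
"""

# Assumption: the actions the page's read-only profile blocks must never be allowed in that mode.
MUTATING = {"run shell commands", "edit files", "write files"}

def parse_profile(text):
    """Split the profile into 'Key: value' fields and '## Section' bullets."""
    fields, sections, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("## "):
            current = line[3:].strip().lower()
            sections[current] = set()
        elif line.startswith("- ") and current:
            sections[current].add(line[2:].strip().lower())
        elif ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields, sections

def lint_profile(text):
    """Return a list of problems; an empty list means nothing was found."""
    fields, sections = parse_profile(text)
    allow, block = sections.get("allow", set()), sections.get("block", set())
    problems = [f"'{a}' is in both Allow and Block" for a in sorted(allow & block)]
    if fields.get("mode", "").lower().replace("-", " ") == "read only":
        problems += [f"read-only mode allows '{a}'" for a in sorted(allow & MUTATING)]
        problems += [f"read-only mode does not block '{a}'" for a in sorted(MUTATING - block)]
    if not fields.get("max tool calls", "").isdigit():
        problems.append("Max tool calls is not a whole number")
    if not fields.get("protect folder"):
        problems.append("Protect folder is missing")
    return problems
```

An empty result only means the file is self-consistent under these assumed rules; ardur doctor-claude-code remains the check for the installed hook and active passport.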

For source installs, pip install -e python/ installs Ardur’s required Python dependencies from python/pyproject.toml. The development Homebrew formula is not the stable public install path yet; it must be regenerated from a tagged release with Python resource stanzas before it is advertised to non-technical users.

Hub Setup

The Hub receives browser, desktop, and CLI observations and signs standard Ardur evidence.

ardur setup
ardur hub

ardur setup writes a local Hub token to the Ardur Personal config and prints it once for setup. Keep that token local. The browser extension uses it to talk to the Hub; arbitrary websites should not be able to read Hub exports or submit fake observations.

On macOS, ardur setup also installs a per-user LaunchAgent plist at ~/Library/LaunchAgents/dev.ardur.personal-hub.plist so the Hub can be managed through launchctl or brew services start ardur-personal. The plist is inert until you load it — ardur hub runs the Hub directly without going through launchctl. Run ardur uninstall to remove the plist.

Browser Evidence

The browser extension is beta evidence collection, not enforcement over hidden provider behavior.

  1. Start the Hub.
  2. Load examples/ardur-personal-extension as an unpacked extension.
  3. Paste the Hub token from ardur setup.
  4. Enable the current AI site.
  5. Optional: enable visible-text capture for readable excerpts.
  6. Review evidence in the popup or dashboard.

CLI And Desktop Boundaries

ardur run -- <command> can enforce simple non-interactive local commands, but it is not the first-class path for interactive CLIs such as Codex or Claude in this release candidate. Codex hooks and Claude Desktop MCP packaging are explicit next-cycle work.

ardur desktop-observe records local desktop observations on macOS. It does not control hidden provider-side behavior.

Evidence Levels

  • enforced: Ardur controlled the local action boundary.
  • attested: Ardur signed an observation or receipt.
  • observed: a local adapter saw browser, desktop, or CLI state.
  • blocked: Hub or hook policy denied a controllable action.
  • insufficient_evidence: the relevant provider-side activity was not locally visible.

Boundary

Ardur can protect Claude Code local tool calls and other adapter-mediated local actions. It cannot control hidden server-side behavior inside Claude, ChatGPT, Grok, Codex web, Kimi, or other third-party services unless those providers expose a tool/action boundary that Ardur owns.