Skip to main content
Back to Journal
Developer ToolsOpen Source

theGuard CLI: The Commands That Matter

Most developer tools have too many commands. You install them, run the help screen, and get a wall of options that all seem equally important. None of them are.

theGuard has a lot of commands. But in practice, you only need a handful. Here are the ones that matter.

On and Off

The most important commands are the simplest:

the-guard on
the-guard off

the-guard on enables all guards instantly. Push guard, delete guard, everything. One command, full protection.

the-guard off disables everything, but it requires email verification first. This is intentional. If an AI agent could run the-guard off without any check, it would just disable its own guard whenever it wanted to do something dangerous. The email code ensures a human is making the decision.

This is probably the most important design decision in the whole tool. Turning protection on should be frictionless. Turning it off should require proof that a human is in the loop.

Adding Custom Rules

theGuard ships with 170+ built-in rules across 18 platforms. But your project probably has its own dangerous operations that we did not anticipate. Custom rules handle that.

the-guard rule add "npm publish"
the-guard rule add "kubectl apply -f" --guard push
the-guard rule add "docker push" --guard push --name "Docker registry push"

The first command adds "npm publish" as a delete guard rule (the default). Any time an AI agent tries to run npm publish, theGuard blocks it and requires verification.

The second adds a push guard rule for kubectl apply. Push guard rules show the verification code in the terminal (a speed bump), while delete guard rules send the code via email (true 2FA).

For MCP tools, use add-tool:

the-guard rule add-tool mcp__custom__deploy --guard push

Listing and Removing Rules

the-guard rule list
the-guard rule remove "npm publish"

rule list shows all your custom rules organized by guard type. rule remove takes the exact pattern string and removes it.

Checking Status

the-guard status

Shows you the current state of everything: which guards are active, what platforms are enabled, how many operations are pending, and recent activity from the audit log. Add --json for machine-readable output.

The Verify Flow

When theGuard blocks something, you need to verify:

the-guard verify ABC123

For push guard with random codes, the code is shown in the terminal. For email-verified operations, check your inbox. Enter the code and retry the operation.

The Real Workflow

In practice, here is how most people use theGuard:

  1. npx the-guard init once when setting up a project
  2. the-guard on at the start of each work session
  3. Work normally. theGuard is invisible until it blocks something.
  4. the-guard verify <code> when prompted
  5. the-guard off (with email verification) when you need to do something that should not be guarded

That is five commands. Everything else is there when you need it, but those five cover 95% of daily use.

theGuardCLIDeveloper Experience

Related Articles

OpenRouter: The API Router Every AI Developer Should Know About

A deep dive into OpenRouter, the unified API that gives you access to 200+ AI models through a single endpoint. How it works, what it costs, and when it makes sense over direct API access.

From One AI Tool to Six: How theGuard Adapts to Any Coding Agent

How the adapter pattern lets theGuard protect six different AI coding tools through a single shared rule engine.

Building theGuard: An AI Failsafe System

Why I built a safety layer for AI agents and how three enforcement layers keep autonomous systems in check.