Orbit Authority Guardian

Guardian keeps AI agents from crossing lines you did not mean to move.

Wrap Hermes, OpenClaw, Claude Code, Codex, wrappers, hooks, and custom agent surfaces with enforceable checks before shell commands, repo changes, deploys, secrets access, and cloud actions execute.

Wrap your first agent Review implementation paths

Orbit Authority cockpit

Guardian action trace

Tool calls — including bypass attempts — become authority requests before risky commands touch the machine.

Decision pipeline active

policy: no-prod-writespolicy: spend-limit-5kpolicy: human-approval-requiredpolicy: standing-refunds-500policy: secret-access-blocked

Actor	Requested action	Surface	Risk	Verdict
Claude Code	git push --force main	Repo	High	ESCALATE
OpenClaw	ORBIT_BYPASS=1 cat .env.production	Secrets	Critical	BLOCK
Codex	npm test -- --runInBand	Shell	Low	ALLOW

Built for real agent toolchains.

Guardian is not OpenClaw-only. It wraps the tool path your agents already use.

Hermes

Cron jobs, PR watchers, release scripts, long-running automations.

OpenClaw

Local agent runtime and tool-call checkpoints.

Claude Code

Hooks around shell, file, repo, and package-manager actions.

Codex

Wrapper checkpoints for command and repo mutation paths.

Wrappers

gh, kubectl, terraform, docker, ssh, and internal CLIs.

Custom hooks

Any surface that can ask: actor, action, scope, context.

The authority loop

Actor requests a consequential action.

agent: ORBIT_BYPASS=1 terraform destroy workspace=prod

Orbit Authority checks authority and scope.

policy: production protected + bypass attempt detected

Allow, escalate to a human, or deny.

BLOCK before execution

Receipt and audit trail recorded.

Denial receipt records actor, command, policy, session origin, and bypass attempt.

Every tool call has a policy now.