Faramesh is a tool for enforcing execution authorization on AI agents.
An agent action is any tool call, API invocation, database query, or external side effect that an autonomous agent attempts to perform. Faramesh provides a unified, non-bypassable gate between what the agent wants to do and what actually executes. It enforces policy-as-code at runtime and emits a deterministic, hash-verified decision record for every single action.
Modern AI agents decide on their own when to call tools, access production systems, or trigger real-world operations. There is still no standard way to answer "Should this specific action be allowed right now?" before any code runs. Every team ends up writing the same custom approval and audit logic from scratch. This is where Faramesh steps in.
Key features:

| Feature | Description |
|---|---|
| Policy-as-Code Enforcement | Define exactly what agents are allowed to do in a single `policy.yaml` that lives in git. `faramesh policy-test` runs in CI and fails PRs that add unauthorized actions. One source of truth — versioned, reviewed, and enforced at runtime. |
| Runtime Execution Gate | Every tool call passes through a deterministic Action Authorization Boundary before execution. Returns ALLOW, DENY, or PENDING (human approval). Fail-closed by default — no match means denied. Works with LangChain, CrewAI, AutoGen, MCP, and any custom tool. |
| Tamper-Evident Decision Log | Every authorization decision is recorded with a canonical request hash, policy version hash, and outcome reason code. Full audit trail — no more guessing from traces. |
| Agent Profiles | Scope what tools and operations each agent is permitted to even attempt, before the policy engine runs. Per-agent allow-lists enforce least-privilege at the identity layer. |
| CLI-First Management | `faramesh serve`, `faramesh approve <id>`, `faramesh deny <id>`, `faramesh policy-diff`, live metrics, and native OpenTelemetry export. Drop-in wrapper: one line of code around any `@tool` decorator or MCP server. |
For more information, refer to the What is Faramesh? page on the Faramesh website.
Install and run in 30 seconds:

```bash
pip install faramesh
faramesh serve
```

Open http://localhost:8000 — the dashboard is live.
```python
from faramesh.integrations import govern

# LangChain
from langchain.tools import ShellTool
tool = govern(ShellTool(), agent_id="my-agent")

# CrewAI
from crewai_tools import FileReadTool
tool = govern(FileReadTool(), agent_id="my-agent")

# AutoGen
governed_fn = govern(my_function, agent_id="my-agent", framework="autogen")

# Any custom tool or MCP server
tool = govern(my_tool, agent_id="my-agent")
```

That's it. Every call now routes through Faramesh before it executes.
Edit `policies/default.yaml`:

```yaml
rules:
  - match:
      tool: shell
      op: "*"
    require_approval: true
    description: "Shell commands need a human to approve"
  - match:
      tool: http
      op: get
    allow: true
  - match:
      tool: "*"
      op: "*"
    deny: true
    description: "Deny everything else"
```

Rules are first-match-wins. No match = denied by default (fail-closed).
```
Agent wants to run a tool
        ↓
Faramesh evaluates the policy
        ↓
┌────────────────────────────────────────┐
│ ALLOW   → tool runs immediately        │
│ DENY    → PermissionError raised       │
│ PENDING → paused, you approve/deny     │
│           in the dashboard or CLI      │
└────────────────────────────────────────┘
```
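
The evaluation semantics described above (first match wins, no match means DENY), together with a hashed decision record, as an added Python example; this is not Faramesh's own code. The record field names, the reason codes, the treatment of `"*"` as the only wildcard, and the canonical form (sorted-key JSON hashed with SHA-256) are assumptions for illustration.

```python
import hashlib
import json

# Constructed from the policies/default.yaml shown above, as a Python structure.
POLICY = {"rules": [
    {"match": {"tool": "shell", "op": "*"}, "require_approval": True},
    {"match": {"tool": "http", "op": "get"}, "allow": True},
    {"match": {"tool": "*", "op": "*"}, "deny": True},
]}

def canonical_hash(obj):
    """SHA-256 over sorted-key, whitespace-free JSON (assumed canonical form)."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def _matches(pattern, value):
    # Assumption: "*" is the only wildcard; anything else must match exactly.
    # A rule with a missing field (pattern is None) never matches.
    return pattern == "*" or pattern == value

def evaluate(policy, request):
    """Decision record for request = {"agent_id", "tool", "op", "params"}."""
    outcome, reason = "DENY", "no_matching_rule"  # fail-closed default
    for index, rule in enumerate(policy.get("rules", [])):
        m = rule.get("match", {})
        if _matches(m.get("tool"), request["tool"]) and _matches(m.get("op"), request["op"]):
            if rule.get("allow") is True:
                outcome = "ALLOW"
            elif rule.get("require_approval") is True:
                outcome = "PENDING"
            else:
                outcome = "DENY"  # explicit deny, or a rule that grants nothing
            reason = f"rule_{index}"
            break  # first match wins; later rules are never consulted
    return {
        "outcome": outcome,
        "reason": reason,
        "request_hash": canonical_hash(request),
        "policy_hash": canonical_hash(policy),
    }

if __name__ == "__main__":
    for tool, op in [("shell", "run"), ("http", "get"), ("http", "post")]:
        req = {"agent_id": "my-agent", "tool": tool, "op": op, "params": {}}
        print(tool, op, evaluate(POLICY, req))
```

Because the policy hash is part of each record, a reviewer can tell which policy version produced a given decision, and reordering rules (which changes first-match results) changes that hash.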
Approve or deny from the web UI, CLI, or HTTP API:

```bash
faramesh approve <action-id>
faramesh deny <action-id>
```

If you use OpenClaw, install the plugin:

```bash
openclaw plugins install @faramesh/openclaw
```

Every tool call OpenClaw makes is then governed by Faramesh automatically — no code changes to your agent.

```bash
docker compose up
```

| File | Contents |
|---|---|
| QUICKSTART.md | Step-by-step setup, SDK examples, CLI reference |
| ARCHITECTURE.md | How the execution gate works |
| CONTRIBUTING.md | How to contribute |
| CHANGELOG.md | What changed |
| policies/examples/ | Ready-to-use policy examples |
Full documentation: faramesh.dev/docs
Faramesh Core is the open-source engine. Faramesh Horizon is the managed cloud version — credential sequestration, multi-tenant governance, signed DPR chains, and no deployment required.
