Faramesh | AI Agent Execution Control and Governance

open source · free · no account required

Rules your AI agent actually can't break.

Your AI agent can read files, send emails, run code, move money. Most "governance" tools use another AI to watch it, which means it probably won't do the bad thing. Probably.

Faramesh is different. Your rules are code, not suggestions to an AI. Every action is checked against them before it runs. If the rule says no, it's no. Every single time.

$ curl -fsSL https://raw.githubusercontent.com/faramesh/faramesh-core/main/install.sh | bash

the problem

AI agents can do real damage. Most have no hard limits.

An agent can delete your database, blast emails to every customer, or issue a $50,000 refund. Without Faramesh, nothing stops it. There's no checkpoint. No approval step. No record of what happened.

Some tools claim to solve this with AI, a second model that "monitors" the first. But that's just more probability on top of probability. You don't want your database deletion policy to be a suggestion. Faramesh enforces rules with code. No model in the middle. No guessing.

how it works

Every action gets a verdict before it runs.

Faramesh is a policy guard for AI agent tool calls. Every time your agent tries to do something, Faramesh checks it against your rules and returns one of three verdicts:

PERMIT: Your rule said yes. The action runs.

DENY: Blocked. Nothing runs. The agent is told why.

DEFER: Held for a human to approve or deny. The agent waits.

If Faramesh itself has an error, the action is blocked. It never fails open.

set your rules

Policies in FPL, built for agents, not infrastructure.

FPL is the standard policy language for Faramesh. It has first-class constructs for sessions, budgets, delegation, and mandatory deny (deny!), things that YAML and Rego can only approximate. Write in FPL directly, or in plain English and let Faramesh compile it for you. YAML is also supported.

agent my-agent {
  default permit

  rules {
    deny! shell/run
      when cmd matches "rm -rf|DROP TABLE"
      reason: "destructive command blocked"

    defer stripe/refund
      when amount > 500
      notify: "finance-team"
  }
}

compile natural language: faramesh policy compile intent.txt
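
The verdict model and the sample policy above, as an added Python example (not Faramesh's code or API): rules are plain functions checked before the action runs, and any error during evaluation returns DENY instead of letting the call through. The names Rule, evaluate and guarded_call are hypothetical, and treating deny! as a rule that overrides every other match is an assumption about its semantics.

```python
import re
from dataclasses import dataclass
from typing import Any, Callable

PERMIT, DENY, DEFER = "PERMIT", "DENY", "DEFER"

@dataclass(frozen=True)
class Rule:
    verdict: str
    tool: str
    when: Callable[[dict], bool]
    reason: str
    mandatory: bool = False  # assumed meaning of deny!: beats every other match

# Constructed rules mirroring the sample policy; the default is permit.
RULES = [
    Rule(DENY, "shell/run",
         lambda a: re.search(r"rm -rf|DROP TABLE", a["cmd"]) is not None,
         "destructive command blocked", mandatory=True),
    Rule(DEFER, "stripe/refund", lambda a: a["amount"] > 500,
         "held for finance-team"),
]

def evaluate(tool: str, args: dict, rules=RULES) -> tuple[str, str]:
    """Return (verdict, reason). Any evaluation error yields DENY."""
    try:
        hits = [r for r in rules if r.tool == tool and r.when(args)]
    except Exception as exc:  # missing field, wrong type, bad pattern ...
        return DENY, f"policy evaluation failed: {type(exc).__name__}"
    if not hits:
        return PERMIT, "default permit"
    # Mandatory rules are considered first, then rule order decides.
    winner = next((r for r in hits if r.mandatory), hits[0])
    return winner.verdict, winner.reason

def guarded_call(tool: str, args: dict, action: Callable[..., Any]):
    """Run `action` only on PERMIT; the check happens before any side effect."""
    verdict, reason = evaluate(tool, args)
    if verdict != PERMIT:
        return verdict, reason  # action is never invoked
    return verdict, action(**args)

if __name__ == "__main__":
    for tool, args in [("shell/run", {"cmd": "ls -la"}),
                       ("shell/run", {"cmd": "rm -rf /srv/data"}),
                       ("stripe/refund", {"amount": 900}),
                       ("stripe/refund", {"amount": "900"})]:  # wrong type
        print(tool, args, "->", evaluate(tool, args))
```

The last sample call passes the amount as a string; the comparison raises inside the rule and the verdict is DENY, which is the fail-closed behaviour the page describes.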

one command

Govern any agent. Zero code changes.

Prepend faramesh run to whatever you already run. Faramesh detects the framework, patches tool dispatch, strips ambient API keys, and sets up network interception, automatically.

faramesh run -- python agent.py

Works with 13 frameworks out of the box:

LangGraph  ·  LangChain  ·  CrewAI  ·  AutoGen  ·  Pydantic AI  ·  Google ADK  ·  LlamaIndex  ·  AWS Strands  ·  OpenAI Agents  ·  Smolagents  ·  Haystack  ·  Deep Agents  ·  MCP Servers

Credentials brokered through 6 backends: Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, 1Password, Infisical.

Runs on Linux, macOS, and Windows. Linux gets kernel-level enforcement (seccomp-BPF, Landlock, network namespaces). macOS and Windows get proxy-based interception and credential brokering.

get started

Up and running in 2 minutes.

Install, then run. Faramesh sets everything up for you.

1. install

curl -fsSL https://raw.githubusercontent.com/faramesh/faramesh-core/main/install.sh | bash

2. govern your agent

faramesh run -- python agent.py

That's it. Faramesh detects your framework, loads your policy, and starts governing. Every tool call is checked. Every decision is logged. Run faramesh audit tail to watch live.

works with your stack

Deep governance for every runtime.

Faramesh doesn't just "support" these tools. It hooks into their internals so every tool call is governed before it executes, not after.

OpenClaw

Faramesh wraps OpenClaw's tool dispatch. Every tool call goes through your policy before OpenClaw executes it. Ambient credentials are stripped and brokered.

NemoClaw

NemoClaw agents run inside Faramesh's sandbox. Faramesh owns the process, patches the framework, and enforces network-level isolation on Linux.

Deep Agents (LangChain)

Deep Agents are LangGraph-based. Faramesh patches BaseTool.run() and injects middleware at the AgentMiddleware layer. Multi-agent delegation is tracked.

Claude Code / Cursor

Faramesh governs MCP tool calls from IDE agents. Wrap the MCP server with faramesh mcp wrap and every tool call is policy-checked.

docs spotlight

Ship with the right guides first.

If you are deploying this week, start with these pages. They cover MCP governance, production hardening, and failure recovery.

MCP governance

Wrap MCP servers and enforce tool-call policy before execution.

Run and monitor

Live verdict streams, metrics export, and operational observability.

Production setup

Hardening baseline, identity model, and rollout checklist.

Troubleshooting

Fast fixes for daemon startup, adapters, and policy mismatches.

Free and open source. The SDK runs fully self-hosted with no account required. When you're ready for more, Faramesh Cloud Platform (FCP) adds a web dashboard, team approval workflows, Slack alerts, and compliance-ready audit exports.

cloud platform, coming soon

MIT License
