Faramesh core
Governance-as-Code for AI agents. Declarative constraints with deterministic enforcement. Provisioning Identity, Tool-based rules, Brokering Credentials & Ensuring safe deployment
Declare permissions in `governance.fms`. A local daemon permits, defers, or denies each tool call before it runs. Decisions are hash-chained in a WAL. No SDK lock-in. No cloud required. The project is written primarily in Go, distributed under the Other license, first published in 2026. Key topics include: agent-governance, agent-governance-toolkit, agent-runtime, agent-security, agentic-ai.
Every agent tool call is a policy decision.
Declare permissions in governance.fms. A local daemon permits, defers, or denies each tool call before it runs. Decisions are hash-chained in a WAL. No SDK lock-in. No cloud required.
Install
bashcurl -fsSL https://install.faramesh.dev/install.sh | bash faramesh version
Also Homebrew, npx, Go install, or build from git. All install paths →
Works with the agent stack you already have
LangGraph · LangChain · CrewAI · OpenAI Agents · Claude Agents SDK · Claude Code · Cursor · MCP · AutoGen · AG2 · LlamaIndex · Pydantic AI · Bedrock · Semantic Kernel
13 frameworks today. SDK shim, MCP proxy, HTTP proxy, or A2A. Pick the tier that matches the agent. Framework guides →
What you get
- Deterministic decisions. Pure functions over policy and the action payload. No LLM in the decision path.
- Non-bypassable enforcement. Local daemon. Every tool call goes through it. No SDK to forget to wrap.
- Identity-bound. SPIFFE SVIDs, OIDC, or cloud workload identity. Credentials brokered at the call site.
- Tamper-evident audit. Decision Provenance Records, hash-chained WAL, optional KMS signing.
A policy
agent "support-bot" {
default deny
rules {
permit crm/customers/read
permit crm/tickets/create
permit email/send if domain == "@yourcompany.com"
defer email/send if domain != "@yourcompany.com"
defer billing/cancel_subscription
deny billing/delete_account
}
rate_limit "email/send": 50 per hour
budget daily {
max $20
on_exceed defer
}
}
External emails go to a human. Cancellations require a click. Deletion is impossible without editing the policy. Daily spend ceiling. Every decision lands in a verifiable log.
More policy patterns → · FPL reference →
How Faramesh compares
Faramesh is the local enforcement daemon for tool-call decisions. It's narrower than full-stack agent platforms (Microsoft AGT) and operates outside the model output evaluation layer (Galileo Agent Control). Detailed comparison →
Documentation
Start here · Why Faramesh · Quickstart · Write your first policy
Concepts · How it works · Interception · Enforcement · Auditing
Reference · FPL · Stack file · CLI · Python SDK · TypeScript SDK
Community
Slack for daily conversation. GitHub Discussions for design proposals. Contributing guide for the policy pack registry and framework adapters.
Project governance, maintainer roles, and the public roadmap are documented in
GOVERNANCE.md, MAINTAINERS.md, and
ROADMAP.md. Faramesh follows the project
Code of Conduct and accepts security reports through
SECURITY.md.
Star this repo if you ship AI agents to production
It helps other engineers find Faramesh.
License
Maintained by
Faramesh is maintained by the Faramesh project maintainers and contributors.
Contributors
Showing top 8 contributors by commit count.
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)
Related Repositories
omnigent-ai/omnigent
Omnigent is an open-source AI agent framework and meta-harness: orchestrate Claude Code, Codex, Cursor, Pi, and custom agents — swap harnesses without rewriting, enforce policies and sandboxing, and collaborate in real time from any device.
ucsandman/DashClaw
🛡️The governance runtime for AI agents. Intercept actions, enforce guard policies, require approvals, and produce audit-ready decision trails.
KimYx0207/Meta_Kim
Governed execution layer for AI coding assistants: clarify intent, route capabilities, review evidence, verify results, and write back lessons across Claude Code, Codex, OpenClaw, and Cursor.
markus-global/markus
Not another agent framework — an operating system for AI workforces. Autonomous agents coordinate, remember across sessions, review each other's work, and deliver while you sleep. One command. Zero dependencies. Manage your AI company from your phone.
ThreeMoonsLab/agents-shipgate
The deterministic merge gate for AI-generated agent capability changes — a local-first, static Tool-Use Readiness review for MCP, OpenAPI, and SDK tool surfaces. Open-source CLI + GitHub Action.
elliot35/deterministic-agent-control-protocol
Governance gateway for AI agents — bounded, auditable, session-aware control with MCP proxy, shell proxy & HTTP API. Works with Cursor, Claude Code, Codex, and any MCP-compatible agent.