Skip to content

OpenFirma

Give AI agents a runtime boundary.

OpenFirma puts a local enforcement point between an agent and the outside world. Every outbound call is intercepted, classified, checked against policy, and recorded — before it leaves the machine.

AI agents are no longer just chat boxes. They call APIs, run tools, send messages, read files, and trigger workflows. That is useful, but it also means a bad prompt, a compromised dependency, or a confused model can turn into a real outbound action.

OpenFirma gives those actions a boundary. It routes agent traffic through a local Sidecar, turns each request into a clear intent, checks that intent against capabilities and Cedar policy, and records the decision.

The goal is not to make agents harmless. The goal is to make their power explicit, limited, and observable.

flowchart LR
    user["User or app"] --> agent["Agent"]
    agent -->|"Outbound HTTP or HTTPS"| sidecar["OpenFirma Sidecar"]
    authority["Authority"] -. "Capabilities, policies, revocations" .-> sidecar
    sidecar -->|"ALLOW"| upstream["Upstream services"]
    sidecar -->|"DENY"| blocked["Blocked call"]
    sidecar --> audit["Signed audit log"]

Three infrastructure components matter at first:

  • The Sidecar is the local enforcement point. It intercepts outbound requests and decides whether to forward them.
  • The Authority is the trust root. It signs short-lived capability tokens and streams policy updates and revocations to connected Sidecars.
  • The Audit emitter writes a signed event for every enforcement decision, capturing agent, session, action class, target, outcome, and timing.

Those components are built around four invariants: fail closed, keep the hot path local, make decisions deterministic, and record the exact envelope the policy saw.

If you are new, start with Quickstart. It runs a deterministic local demo with no API keys.

If you want the mental model, read Architecture & invariants and then The enforcement pipeline.

If you already have a workload in mind, pick the closest guide:

For implementation details, the Rust API reference is generated from the workspace crates.