OpenFirma
Give AI agents a runtime boundary.
OpenFirma puts a local enforcement point between an agent and the outside world. Every outbound call is intercepted, classified, checked against policy, and recorded — before it leaves the machine.
See it work
Run a local demo with one allowed request, one denied request, and a signed audit trail.
Understand the model
Learn the Sidecar, Authority, capabilities, policies, interception, and sandbox in order.
Secure a workload
Wrap a coding agent, run the Sidecar standalone, inject credentials, or deploy a web app.
Know what happened
Every decision is written as an audit event you can inspect and verify later.
Why this exists
Section titled “Why this exists”AI agents are no longer just chat boxes. They call APIs, run tools, send messages, read files, and trigger workflows. That is useful, but it also means a bad prompt, a compromised dependency, or a confused model can turn into a real outbound action.
OpenFirma gives those actions a boundary. It routes agent traffic through a local Sidecar, turns each request into a clear intent, checks that intent against capabilities and Cedar policy, and records the decision.
The goal is not to make agents harmless. The goal is to make their power explicit, limited, and observable.
The basic shape
Section titled “The basic shape”flowchart LR
user["User or app"] --> agent["Agent"]
agent -->|"Outbound HTTP or HTTPS"| sidecar["OpenFirma Sidecar"]
authority["Authority"] -. "Capabilities, policies, revocations" .-> sidecar
sidecar -->|"ALLOW"| upstream["Upstream services"]
sidecar -->|"DENY"| blocked["Blocked call"]
sidecar --> audit["Signed audit log"]
Three infrastructure components matter at first:
- The Sidecar is the local enforcement point. It intercepts outbound requests and decides whether to forward them.
- The Authority is the trust root. It signs short-lived capability tokens and streams policy updates and revocations to connected Sidecars.
- The Audit emitter writes a signed event for every enforcement decision, capturing agent, session, action class, target, outcome, and timing.
Those components are built around four invariants: fail closed, keep the hot path local, make decisions deterministic, and record the exact envelope the policy saw.
Where to start
Section titled “Where to start”If you are new, start with Quickstart. It runs a deterministic local demo with no API keys.
If you want the mental model, read Architecture & invariants and then The enforcement pipeline.
If you already have a workload in mind, pick the closest guide:
- Initialize a project to scaffold config, keys, and policies in one command with
firma init. - Secure a local coding agent to wrap Claude Code, Codex, or Cursor with
firma run. - Run the Sidecar standalone for a minimal setup without
firma run, pointing agents at the proxy directly. - Deploy a GenAI web app for a multi-user service that calls LLMs and SaaS APIs.
For implementation details, the Rust API reference is generated from the workspace crates.