faramesh.devBETA
docsgithubcommunityget started →

docs

Getting Started

Core

FPL

Governance

Operations

Reference

github ↗slack ↗community ↗

17 , federation

Federation

Federation is for cross-organization agent workflows where both sides need verifiable governance, not just API trust. If one organization's agent triggers side effects in another environment, both parties need proof of who allowed what, under which policy boundary, and with which trust material.

Faramesh federation builds this using explicit trust bundles and signed receipts. You define exactly which external organization is trusted, what scope applies, and how incoming governance evidence is verified. This prevents an external actor from bypassing your local controls by presenting unsigned or mismatched claims.

Federation operating model

Use federated trust as a narrow, reviewable contract. Keep scopes specific and rotate bundles on a known cadence.

Trust bootstrapExchange and pin trust bundles out-of-band before enabling live interaction.
Scoped accessGrant only the minimum domain/tool scope required for cross-org flows.
Receipt verificationValidate external governance receipts before honoring side-effect requests.
Revocation pathKeep immediate revoke procedures tested and documented for incident response.

Add trusted org

Add an external organisation to the trusted federation set.

bash
faramesh federation trust add --org partner-corp --bundle ./partner-bundle.pem --scope "*"

List trust relationships

Inspect all active federation trust entries.

bash
faramesh federation trust list

Verify receipt

Validate a governance receipt from another organisation.

bash
faramesh federation receipt verify <receipt-token>

Revoke trust

Remove trust for an external organisation immediately.

bash
faramesh federation trust revoke --org partner-corp

Common federation failures

Most federation incidents come from trust hygiene, not cryptography bugs:

!Granting wildcard scopes permanently instead of time-bounded, reviewed scopes.
!Skipping receipt verification because partner traffic is assumed safe.
!Failing to revoke trust entries quickly during third-party incidents.
!Treating trust bundles as static files instead of rotating them like credentials.

Need help? Use any of these support options.

open an issuejoin slackcommunity/forum
MIT License
docsgithubcommunityget started →