governance guides

Deep dive: governing real agent runtimes.

Faramesh doesn't just "support" frameworks , it hooks into their internals so every tool call is governed at the source. These guides show exactly how Faramesh attaches to each runtime and what the enforcement looks like in practice.

OpenClaw

OpenClaw is a tool-calling runtime for LLMs. When you run an OpenClaw agent under Faramesh, every tool dispatch passes through the policy engine before execution.

How Faramesh attaches

Faramesh patches OpenClaw's tool execution layer. When the LLM decides to call a tool, OpenClaw hands the call to Faramesh first. Faramesh evaluates the policy, strips ambient credentials, and either permits (with a broker-issued credential), denies (with a reason), or defers (holding for a human).

faramesh run -- openclaw serve --config agent.yaml

Policy example

agent openclaw-agent {
  default deny
  framework openclaw

  rules {
    deny! shell/* reason: "no shell access"
    permit api/search
    defer api/purchase when amount > 100
      notify: "procurement"
  }

  credential vendor-api {
    backend vault
    path secret/data/vendor
  }
}

Faramesh strips the VENDOR_API_KEY environment variable and only issues it after the policy permits api/purchase. If the agent tries to call a tool that's not in the policy, it gets an immediate DENY.

NemoClaw (NVIDIA)

NemoClaw agents use NVIDIA's NeMo framework for LLM-driven tool use. Faramesh wraps the NemoClaw process and owns it end-to-end: framework patching, credential stripping, network isolation, and full policy enforcement.

How Faramesh attaches

Faramesh starts NemoClaw as a child process via faramesh run. It injects the auto-patcher via PYTHONPATH, patches the tool dispatch layer at import time, and on Linux activates the kernel sandbox (seccomp-BPF, Landlock, network namespace).

faramesh run --enforce full -- python -m nemoclaw.serve --config agent.yaml

Policy example

agent nemoclaw-bot {
  default deny

  budget session {
    max $50
    max_calls 500
  }

  rules {
    deny! shell/*
    deny! fs/write
    permit nemo/generate
    permit nemo/retrieval
    defer nemo/action when risk > 0.7
  }
}

Deep Agents (LangChain / LangGraph)

Deep Agents are multi-agent systems built on LangGraph. They use hierarchical agent graphs where a supervisor agent delegates tasks to specialized sub-agents. Faramesh governs every agent in the graph , the supervisor and every worker.

How Faramesh attaches

Faramesh patches BaseTool.run() in LangChain and injects AgentMiddleware into the LangGraph execution loop. Every tool call from every agent in the graph passes through the policy engine. Delegation between agents is tracked with cryptographic tokens , the supervisor's permissions are the ceiling for any sub-agent.

faramesh run -- python -m deep_agents.main

Policy example

agent supervisor {
  default deny
  framework langgraph

  rules {
    deny! shell/*
    permit search/*
    defer db/write notify: "data-team"
  }

  delegate research-worker {
    scope "search/*"
    ttl 1h
    ceiling inherited
  }

  delegate writer-worker {
    scope "db/write"
    ttl 30m
  }
}

The research-worker can only call search/* tools. If it tries db/write, the delegation token check fails and the call is denied immediately , before the policy engine even evaluates it.

Claude Code / Cursor (MCP)

IDE agents like Claude Code and Cursor use the Model Context Protocol (MCP) to call tools. Faramesh wraps the MCP server process and intercepts every tools/call request at the stdio or HTTP level.

# Wrap an MCP server at stdio level
faramesh mcp wrap -- node your-mcp-server.js

# Or proxy an HTTP MCP server
faramesh serve --mcp-proxy-port 19092 --mcp-target http://127.0.0.1:8080

The IDE agent connects to Faramesh instead of the real MCP server. Faramesh forwards tools/list and other non-tool-call methods unchanged, but every tools/call goes through the policy engine first.