What is Faramesh Labs?

Faramesh Labs is the execution control layer for AI agents. It provides policy-based governance, approval workflows, and production safety for autonomous systems.

How do I install Faramesh Labs?

You can install Faramesh Labs using Homebrew (brew install faramesh/tap/faramesh), Git, Go, or npm. Full install and setup docs are on docs.faramesh.dev.

Is Faramesh Labs production-ready?

Yes, Faramesh Labs is production-ready. It includes governance controls, approval workflows, and comprehensive logging for enterprise deployments.

What kind of agents does Faramesh Labs support?

Faramesh Labs supports all types of AI agents including coding agents, data agents, research agents, and custom autonomous systems.

MCP and IDE agents

Govern MCP and IDE agents before tool descriptions hijack them.

Cursor, Claude Code, Copilot, Windsurf. They all pull tools from MCP servers, and tool descriptions execute as instructions. One poisoned description and the agent works for someone else. Faramesh enforces tool boundaries before the agent acts.

Tools we cover

One layer. Every MCP host.

Faramesh sits between the agent and its tools. Whatever host runs the agent, whatever MCP servers it loads, every tool call goes through policy first. The protocol stays open. The execution path stays governed.

Cursor

Validates MCP tool calls before execution

Claude Code

Intercepts tool invocations and shell commands

Claude Desktop

Governs every MCP server the host loads

GitHub Copilot

Hooks Copilot Workspace and agent mode actions

Windsurf

Validates Cascade tool calls before they run

Custom MCP servers

Wrap your own server, govern every tool

What's at stake

Tool descriptions are code now.

MCP collapses the line between data and instructions. Tool descriptions, tool outputs, and document content all flow into the same context. Whoever controls any of that text controls the agent.

Attack path · representative scenario3 minutes to credential exfiltration

Routine task

Developer adds a new MCP server to their IDE.

Loads tool descriptions

Agent reads the server's tool descriptions into context.

Hidden instructions fire

A description contains injected commands disguised as tool docs.

Agent invokes a second tool

Agent calls a privileged tool with attacker-supplied arguments.

Credentials exfiltrated

Tokens leaked through a public channel. The agent did its job.

Every step looked rational. Faramesh would have stopped step 4 before the second tool fired.

Other MCP and IDE agent risks

Tool poisoning attacks

Tool descriptions are LLM input. Malicious descriptions become instructions the agent follows.

The lethal trifecta

Private data, untrusted content, and external communication in one agent. Steal-by-design.

OAuth and protocol vulns

CVE-2025-6514 hit 437,000 environments through the mcp-remote OAuth proxy alone.

Recent signalsSupabase Cursor SQL injectionJun 2025 GitHub MCP integration hijackMay 2025 8,000+ exposed MCP serversFeb 2026

Keep exploring

Other ways teams use Faramesh.

Use case

Coding agents

Govern Cursor, Claude Code, Copilot, and custom coding agents before they touch production.

Use case

Multi-agent systems

Stop authority drift across orchestrators, planners, and executor agents.

Use case

Customer support agents

Govern AI agents handling customer escalations, refunds, and account changes.

What changes when Faramesh is in front

Tool descriptions can't hijack your agent.

Faramesh treats tool descriptions and outputs as untrusted input. Hidden instructions never reach an action without a policy check first.

MCP servers run within policy, not above it.

Whatever server your IDE loads, every tool call goes through the same policy layer. New server, same enforcement. No supply chain blind spots.

Audit every tool call across every host.

Cursor, Claude Code, Copilot, Windsurf, custom MCP servers. One audit trail with which tool ran, what arguments it used, and which policy approved it.

Ship governed MCP agents.

Early access View on GitHub