We open-sourced gitfence — deterministic guardrails for AI coding agents→ GitHub

Architecture

How Froda AI fits your stack

Every agent does two things: it calls a model, and it calls tools. Govern those two connection points and you govern the whole agent — without touching its code.

Governance Control Plane

Where governance teams author & deploy

Policy Studio
AI Registry + Risk
Trust Center
Roles & RBAC
Kill Switch
policies deploy down

Agent Frameworks

LangGraph
OpenClaw
ZeroClaw
OpenFang
CrewAI
n8n
Other

No SDK. No wrappers. No code changes.

Froda AI Gateway

Model calls

Metered spend · budget caps

Tool calls

Policy on every invocation

ALLOW · BLOCK · REDACT · HITL

4-Layer Policy
PII Redaction
Human-in-the-Loop
Dual-Identity (OBO)

Models & tools

Anthropic / OpenAI
Gmail · Google Workspace
Stripe · Slack
Any MCP server

Reached only after policy passes. Keys stay in the vault — the agent never sees them.

every action recorded down

System of Record

Immutable accountability, per tenant

Immutable Audit Ledger
Per-Agent Cost Metering
Encrypted Credential Vault

Integration

Zero SDK. Two endpoints and a bearer token.

The same integration works whether the agent is built on LangGraph, ZeroClaw, OpenFang, CrewAI, n8n, or anything else. Swap frameworks and nothing about your governance changes.

1. Register the agent

Add the AI system and its agent in the dashboard, pick the framework. The agent is now a governed identity in your registry.

2. Mint an agent-bound token

One bearer token, bound to that agent. Point it at a different agent's endpoint and the gateway returns 403. Revocable in one click.

3. Point the two slots at the gateway

Wire the agent's model slot and tool slot to the gateway URL. That's the whole integration — no library import, no refactor.

agent tool config

# MCP tool endpoint (Streamable HTTP or SSE)

url: https://gateway.froda.ai/mcp/stream/<agent_id>

auth: Bearer <agent_token>

# model calls route through the gateway too

model_base_url: https://gateway.froda.ai/llm

Runtime

What happens on every call

The gateway sits in the execution path. Policy isn't advice the agent can ignore — it's a gate the action can't skip.

tools/list

Zero-trust discovery

The gateway returns only the methods this agent's policy contracts authorize. An unregistered agent sees nothing.

tools/call

Deterministic evaluation

Every invocation is checked against the hierarchical policy — Global → Org → System → Agent — before it runs.

effect

ALLOW · BLOCK · REDACT · HITL

A BLOCK short-circuits before the tool executes and returns a structured reason (matched rule, policy id, request id).

ledger

Immutable audit row

Every call — allowed or blocked — is written to the cryptographic ledger with the agent, tool, policy, and outcome.

Compatibility

Standard transports, first-party connectors

Standard MCP transports

Streamable HTTP and SSE are both served, side by side. Wire whichever your framework prefers — the auth and agent-binding behave identically on both.

Native + MCP connectors

First-party tools (Gmail, Google Workspace, Stripe, Slack) run in-process against the provider API. Everything else connects as a standard MCP server. No local subprocess to manage.

Multi-step stays governed

The gateway returns data; your agent's LLM decides the next step. Each call is independently evaluated, metered, and HITL-routable — the gateway never takes over the workflow.

Data & Deployment

You choose where it runs and what leaves

Runs in your boundary

Deploy as managed SaaS, in your own VPC, or fully on-prem / air-gapped. In a self-hosted deployment, agent traffic and audit data never leave your network.

The gateway sits between your agents and the models and tools they reach. It processes the metadata it needs to make and record a policy decision:

  • Which agent acted, under which policy, and the delegation chain behind it
  • The tool, method, and the specific field values a rule evaluates
  • The decision (ALLOW / BLOCK / REDACT / HITL) and the matched rule

The Multi-Agent Problem

Why guardrails break down

Single-turn guardrails assume one agent, one prompt, one response. Agent-to-agent delegation breaks that assumption — and most governance tools with it.

Legacy guardrails inspect one input and one output. But autonomous agents hand work to other agents — and risk compounds with every hop. Froda AI was built to govern the delegation chain, not just isolated chatbots.

delegation provenance
human:sarah@coAuthorized
SIGNED
agent-orchestratorDelegated · scope: finance
SIGNED
agent-finance-botDelegated · scope: read-only
SIGNED
agent-finance-botAttempted: POST /stripe/charge
BLOCKED

Privilege Escalation Protection (Confused-Deputy Blocked): The downstream delegated scope never granted write access. The execution chain is provenance-stamped end-to-end at runtime.

Every delegation carries the authority it was granted — no more, no less. An agent can't launder a privilege it was never given through a downstream call.

Hierarchical policy inheritance — Global → Org → System → Agent — means one rule can cover the whole organization, with overrides at any level of the chain.

Delegation provenance, confused-deputy blocking, and hierarchical inheritance — shipped. No other governance platform enforces this at the tool-call level.

One-click kill switch

Cut an agent's tool calls, LLM access, and credentials in a single action — instant containment when something goes wrong.

Loop & runaway protection

Cryptographic fingerprinting detects and halts runaway identical tool calls before they burn budget or spam downstream systems.

Per-agent budget caps

Hard spend limits per agent with BLOCK / THROTTLE / WARN. Cost is attributed to the agent identity that incurred it.

Enterprise Readiness

Deploy your way. Procure the easy way.

Choose the deployment model that fits your security and compliance architecture — and pay for it with budget that's already approved.

New

Azure Marketplace

Deploy directly from your Azure tenant.

  • Skip Vendor Onboarding: Pre-vetted listing shortcuts security assessment and procurement review.
  • Counts Toward Your MACC: Transact through your existing Microsoft agreement — purchases burn down Azure committed spend.
  • No New Procurement Cycle: Your cloud budget is your Froda budget. Already approved.
View on Azure Marketplace

Managed Cloud (SaaS)

Best for teams prioritizing speed and zero-ops.

  • Fully Managed: No infrastructure or maintenance overhead.
  • Seamless Integration: Works with your existing AI stack—no refactoring required.
  • Scales With You: From single agents to enterprise-wide governance.
See pricing

Private VPC & On-Prem

Best for enterprises with strict data sovereignty requirements.

  • Full Control: Maintain full control over updates, releases, and policy changes.
  • Zero External Exposure: Keep all data and AI activity within your network—no external exposure.
  • Air-Gapped Ready: Fully deployable in private VPCs, on-prem, and air-gapped environments.
Book a demo

Ready for Governed AI Innovation?

From a zero-trust agent registry to real-time enforcement and compliance—all in one platform.

Book a demo

No credit card required. Deploy from Azure Marketplace or SaaS in under 30 minutes.