We spent most of 2025 watching teams try to 'prompt' their way out of agentic hallucinations. It doesn't work. If you give an LLM-based agent access to a production database or a shell, you are always one 'ignore previous instructions' jailbreak away from a catastrophic incident.

We believe Faramesh is the first project to treat the 'Agent-to-System' bridge as a distributed systems problem rather than a prompting problem.

The hardest part to get right was the Deterministic Canonicalization. LLMs are inherently messy—one model might send {"power": 100.0} while another sends {"power": 100} for the same tool call. To build a reliable Action Authorization Boundary (AAB), we had to ensure that the semantic intent produces a stable, cryptographic hash every single time. Without this, you cannot have reliable RBAC, audit trails, or 'fail-closed' security for autonomous agents.

We’ve open-sourced the core logic today and would love for the community to tear apart our approach in canonicalization.py. We’re specifically interested in whether people think this architecture could eventually be standardized into a formal 'Agentic Firewall' protocol.

The problem with autonomous agents today isn't that they aren't "smart" enough; it’s that they are fundamentally stochastic, while our infrastructure (SQL, APIs, Shell) is deterministic. You are essentially giving a probabilistic model a direct line to your production environment and hoping "system prompts" act as security. As we found out in 2025, prompts are not a security layer. You cannot safely give a probabilistic model a "delete" key and hope the instructions hold.

We built Faramesh to bridge this gap. It is the first formalized Action Authorization Boundary (AAB) for the agentic web—an open-source, protocol-agnostic execution gate designed to sit between an agent’s reasoning engine and the target system.

In 2025, everyone focused on the "Brain" (the model). In 2026, the bottleneck is the "Nervous System" (execution control). The industry is shifting from Model-mania to Infrastructure-mania; we believe agents shouldn't be "trusted"—they should be governed.

How it works: Unlike existing guardrail libraries that use more LLMs to "check" the first LLM (adding more stochasticity), Faramesh introduces a hard, cryptographic gate. It intercepts agent intent, canonicalizes it into a deterministic byte-stream, and validates it against a strict, logic-based policy engine before any code is executed.

Key Technical Details:

- Deterministic Canonicalization: We found that slight variations in JSON or float representation break audit trails. Faramesh handles lexicographical sorting and float normalization (e.g., ensuring 1.0 and 1.00 produce identical bytes) so that identical intent produces identical hashes.

- The AAB Protocol: This defines what an agent is allowed to do across any medium. Whether targeting REST APIs, gRPC, or raw Shell, the control logic remains the same.

- Zero Trust Execution: The agent never touches the target system directly. It sends a "Proposed Action" to the gate. If the engine is confused or a policy is missing, it fails closed and the action is blocked.

- Cryptographic Hashing: Every authorized action is hashed, creating an immutable, replay-protected audit trail of agent intent.

- SDK-First Integration: We’ve released SDKs for Python and Node.js to make this a drop-in layer for existing LangChain/AutoGen stacks.

We’ve open-sourced the core engine and the SDKs. We’re particularly interested in feedback on our canonicalization logic and the policy engine’s performance overhead.

Paper: https://zenodo.org/records/18296731 GitHub: https://github.com/faramesh/faramesh-core PyPI: pip install faramesh NPM: npm install @faramesh/sdk