Offboarding and decommissioning
Remove Faramesh enforcement, export final audit evidence, and retire stacks cleanly.
Before you remove Faramesh
-
Export audit evidence
faramesh audit export --stack ./my-stack --out ./audit-archive faramesh audit verify --stack ./my-stack -
Revoke brokered credentials: rotate Vault paths, cloud IAM roles, and API keys that providers issued to agents.
-
Document final policy: archive
governance.fms,governance.compiled.json, and import pins for retention policy.
Stop enforcement
faramesh destroy --stack ./my-stackOr remove the daemon unit / sidecar from orchestration manifests and redeploy agents without the SDK shim or MCP proxy URL.
Remove interception
| Tier | Undo |
|---|---|
| SDK shim | Restore native tool list in agent code |
| MCP proxy | Point MCP client back to original server URL |
| HTTP proxy | Restore direct vendor endpoint |
Clean local state
faramesh uninstall --binary-onlyUse faramesh uninstall --purge when you also want to remove cached providers, import cache, WAL, and other local Faramesh artifacts.
If you are offboarding a source checkout, run the same command from inside the stack directory so it can remove local stack state as well.
Partial offboarding
To keep audit but pause enforcement, use runtime { mode = "monitor" } (if enabled in your version) or detach providers while retaining WAL verify behavior in staging first.