
Auditing agent decisions

A security-focused guide to DPR verification, compliance exports, and evidence workflows with Faramesh.

Security and GRC teams care about what the agent did, under which policy, and whether records were tampered with, not about LangGraph nodes.

What to collect

| Artifact | Location | Purpose |
|---|---|---|
| governance.fms + compiled JSON | Repo / CMDB | Policy intent and version |
| WAL / DPR chain | .faramesh/ on host | Per-decision evidence |
| Provider manifests | Import pins in FPL | Binary provenance |
| Approval records | CLI / Cloud UI | Human-in-the-loop proof |

Verify integrity offline

faramesh audit verify --stack ./my-stack

This replays hash linkage and signature checks using keys in trust { ... } and optional KMS configuration. See Auditing and KMS.

Map to control frameworks

| Control theme | Faramesh mechanism |
|---|---|
| Least privilege | Default deny + explicit permit rules |
| Segregation of duties | defer + approvals over thresholds |
| Credential protection | Provider-brokered short-lived secrets |
| Logging integrity | Hash-chained DPR, external KMS sign |
| Change management | Pinned catalog imports, faramesh plan diffs |

Regulated packs (PCI-style redaction, retention) can be composed from catalog policy imports; author org-specific packs in your fork.

Monitoring

  • Export DPR to your SIEM via provider sinks (catalog) or batch export jobs.
  • Alert on POLICY_DENY spikes and repeated POLICY_DEFER timeouts.
  • Correlate agent_id and tool fields in DPR JSON to CMDB owners.
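
The three monitoring points above can be prototyped as one detection pass over exported DPR records before the rule is ported to a SIEM. This is an added example, not Faramesh code: only agent_id, tool, POLICY_DENY and POLICY_DEFER come from this guide, while the ts, code and timed_out field names, the thresholds, the sample records and the CMDB mapping are assumptions constructed for illustration.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample DPR export (JSON lines). agent_id, tool, POLICY_DENY and
# POLICY_DEFER come from the guide; "ts", "code" and "timed_out" are assumed names.
SAMPLE_DPR = """
{"ts":"2024-05-01T10:00:05Z","agent_id":"billing-bot","tool":"refund","code":"POLICY_DENY"}
{"ts":"2024-05-01T10:01:10Z","agent_id":"billing-bot","tool":"refund","code":"POLICY_DENY"}
{"ts":"2024-05-01T10:03:40Z","agent_id":"billing-bot","tool":"refund","code":"POLICY_DENY"}
{"ts":"2024-05-01T10:20:00Z","agent_id":"billing-bot","tool":"refund","code":"POLICY_DENY"}
{"ts":"2024-05-01T10:02:00Z","agent_id":"ops-bot","tool":"deploy","code":"POLICY_DENY"}
{"ts":"2024-05-01T10:04:00Z","agent_id":"scratch-agent","tool":"shell","code":"POLICY_DEFER","timed_out":true}
{"ts":"2024-05-01T10:30:00Z","agent_id":"scratch-agent","tool":"shell","code":"POLICY_DEFER","timed_out":true}
"""
CMDB_OWNERS = {"billing-bot": "payments-team", "ops-bot": "sre-team"}  # constructed

def parse(text):
    """Parse JSON lines and convert the assumed "ts" field to a datetime."""
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        yield rec

def find_alerts(records, window=timedelta(minutes=5), deny_min=3, defer_min=2):
    """Flag POLICY_DENY spikes inside a sliding window and repeated POLICY_DEFER timeouts."""
    denies, timeouts = defaultdict(list), Counter()
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r.get("agent_id", "unknown"), r.get("tool", "unknown"))
        if r.get("code") == "POLICY_DENY":
            denies[key].append(r["ts"])
        elif r.get("code") == "POLICY_DEFER" and r.get("timed_out"):
            timeouts[key] += 1
    hits = []
    for key, stamps in denies.items():
        lo = peak = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:  # drop denies older than the window
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= deny_min:
            hits.append(("DENY_SPIKE", key, peak))
    hits += [("DEFER_TIMEOUTS", k, n) for k, n in timeouts.items() if n >= defer_min]
    # Correlate to CMDB owners; an agent with no owner is itself an audit finding.
    return [{"rule": rule, "agent_id": a, "tool": t, "count": n,
             "owner": CMDB_OWNERS.get(a, "UNOWNED")} for rule, (a, t), n in hits]

if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_DPR)):
        print(alert)
```

Alerts are keyed on the (agent_id, tool) pair so that one noisy tool does not mask another under the same agent.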
