capfence
Health Warn
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 6 GitHub stars
Code Fail
- rm -rf — Recursive force deletion command in .github/workflows/ci.yml
- eval() — Dynamic code execution via eval() in benchmarks/scorer_benchmark.py
- rm -rf — Recursive force deletion command in benchmarks/scorer_benchmark.py
Permissions Pass
- Permissions — No dangerous permissions requested
No AI report is available for this listing yet.
Authorization gateway for AI agent tool calls. Blocks unsafe shell, database, filesystem, payment, API, and MCP side effects before execution.
CapFence
CapFence is the authorization gateway between AI agents and real-world side effects.
Models may propose actions. CapFence decides whether those actions are allowed before execution.
Use CapFence when agents can touch shell commands, databases, filesystems, payment APIs, internal APIs, SaaS admin tools, or MCP servers.
Agent -> Proposed action -> CapFence -> Gated executor -> Tool
Denied actions do not reach the downstream tool.
Prompts are not security boundaries. CapFence removes the LLM from the authorization path.
First Blocked Action
An ops agent proposes:
rm -rf /var/lib/postgresql
CapFence returns:
Decision: DENY
Reason: destructive production filesystem operation
Tool invoked: false
Replay: capfence replay audit_sample.jsonl --policy policy.yaml
Install
pip install capfence
Try It Locally
Define a policy:
deny:
- capability: shell.exec.production
contains: "rm -rf"
allow:
- capability: shell.exec.readonly
Evaluate before execution:
from capfence import ActionEvent, ActionRuntime
runtime = ActionRuntime.from_policy("policies/shell.yaml")
event = ActionEvent.create(
actor="ops-agent",
resource="shell",
action="exec",
environment="production",
payload={"command": "rm -rf /var/lib/postgresql"},
)
verdict = runtime.execute(event)
if not verdict.authorized:
raise PermissionError(f"Blocked before execution: {verdict.reason}")
Expected result:
decision: DENY
reason: policy_deny
tool_invoked: false
Replay the decision:
capfence replay audit.jsonl --policy policies/shell.yaml
Replay output:
Recorded: shell.exec.production
Original: DENY
Replayed: DENY
Changed: false
Security Model
CapFence protects the gated tool path.
Recommended architecture:
Agent -> Proposed action -> CapFence -> Gated executor -> Tool
The agent should not hold raw downstream credentials. The executor owns credentials and invokes the tool only after CapFence returns allow.
CapFence is not effective if the agent can call downstream tools directly with raw credentials.
CapFence does not replace sandboxing, secrets management, network controls, IAM, or database-native permissions.
Why Authorization, Not Guardrails?
Prompt guardrails influence what the model says. CapFence controls what the agent is allowed to do.
The security question is not only:
Did the model intend something safe?
The operational question is:
Is this actor authorized to perform this side effect on this resource in this environment?
CapFence is built for that boundary.
How CapFence Is Different
| Category | What it controls | Weakness | CapFence difference |
|---|---|---|---|
| Prompt guardrails | Model text | Soft boundary | CapFence controls execution |
| LLM judges | Generated content | Probabilistic | CapFence uses deterministic policy |
| Observability | Past behavior | After the fact | CapFence blocks before execution |
| Sandboxes | Process/environment | Not business authorization | CapFence evaluates action semantics |
| IAM | Service identity | Too coarse for agent intent | CapFence authorizes each proposed action |
| Runtime contracts | Agent behavior patterns | Broad or abstract | CapFence focuses on concrete side effects |
Use CapFence For
shell.execboundaries before a process is spawned.- MCP tool authorization before the upstream server receives a request.
- Filesystem scope enforcement before secrets or repo-external paths are read.
- Database write and schema-change controls before queries execute.
- Payment or API action thresholds before external state changes.
CapFence Is Not
- An AI governance platform.
- An observability product.
- An orchestration framework.
- A prompt guardrail.
- An AI judge.
- A compliance dashboard.
Core Docs
- Agent authority model
- Action authorization
- Runtime authorization
- Policy model
- Decision receipts
- Credential placement
- Fail-closed enforcement
- Replayability
- Threat model
- MCP interception model
Status
CapFence is pre-1.0 public beta infrastructure. The core local YAML policy runtime is intended for production pilots, while framework adapters, policy packs, external policy backends, and release automation should be validated in your environment before high-risk use.
CapFence controls the gated tool path. It does not replace sandboxing, secrets management, network segmentation, downstream IAM, or database-native controls.
| Capability | Maturity |
|---|---|
| Local YAML policy evaluation | Beta |
| Audit hash chaining and replay | Beta |
| LangChain, LangGraph, CrewAI, OpenAI Agents SDK adapters | Beta |
| MCP, PydanticAI, LlamaIndex, AutoGen adapters | Experimental |
| Starter policy packs and OPA backend path | Experimental |
- Docs: https://capfence.dev/
- PyPI: https://pypi.org/project/capfence/
- Repository: https://github.com/capfencelabs/capfence
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found