Open · vendor-neutral · multi-agent

The control plane for AI agents at work.

Open, vendor-neutral operations layer for multi-agent AI ecosystems. Govern Claude Code, OpenAI Agents, LangGraph, MCP servers, OpenClaw, and custom enterprise agents from one operational surface.

Book a Demo Read the Docs GitHub18

Operations console

The control plane for AI agents at work

One operational surface across mixed agent runtimes — fleet inventory, policy sync, approvals, audit, and incident posture.

Live

Claude Code0

policy v0.4.2

OpenAI Agents0

policy v0.4.2

LangGraph0

1 pending sync

MCP servers0

all approved

Heartbeat0 instances · 0.0% online3 quarantined

Live events0 / hr

Blocked tool call
00:16
repo_push → prod-west-2 (policy:no_prod_shell)
Policy sync
00:08
v0.4.2 active on 47 agents
Approval requested
00:00
shell access by agent-7f · scope: prod-west-2

Approval required

agent-7f requested shell accessscope: prod-west-2 · 2m ago

MCP catalog

0 approved · 0 pending

last review: github-issues @ 00:14

MIT licensed

Self-hosted

Vendor-neutral

AGT-compatible

MCP-native

Queryable audit trail

SSO / OIDC ready

Fail-secure kill switch

The operator gap

AI agents are spreading faster than the operator model.

The problem is rarely local experimentation. The problem is what shows up when the same agents reach into production, across teams, runtimes, and compliance boundaries — with no shared operational surface.

Fragmented runtimes

Claude Code, OpenAI Agents, LangGraph, internal workflows — disconnected operators, disconnected policy.

Untrusted MCP servers

No allow-listing, approval flow, or audit trail for the capabilities agents are actually reaching.

Shadow AI workflows

Autonomous agents touching production systems without governance — and without anyone tracking which.

No queryable evidence

Security and legal cannot reconstruct what an agent did. Logs are scattered, untyped, and inconsistent.

No containment path

Kill switches and approval flows are scattered across tools — or missing entirely when an incident hits.

Capabilities

Everything flows through policy, approval, audit, and response.

One operator model. One queryable event stream. One containment path. Built so the same surface that ships policy also shows runtime posture and the evidence behind every decision.

Multi-agent fleet inventory

Mixed-runtime view of every connected agent: where it runs, what version, which policy, last heartbeat.

Claude Code

OpenAI Agents

LangGraph

MCP servers

OpenClaw

Centralized policy engine

One operator model for permissions, tool scopes, approval thresholds, and audit depth — published once.

MCP governance console

Operator surface for the MCP catalog, approval queue, and audit query — layered on AGT's MCPGateway where present, ClawForge interception elsewhere.

Approval workflows

Operator approvals for tool scopes, MCP servers, policy changes, and shell access — routed and timed-out.

Audit & evidence pipeline

Append-only event store. Query by agent, runtime, policy decision, or operator. Export evidence packs.

Fail-secure kill switch

Heartbeat-bounded propagation with a local fail-secure fallback. Containment that does not require connectivity.

AGT-compatible policy layer

Translate ClawForge policy into Microsoft AGT primitives where the runtime supports it.

Risk signals & anomaly detection

Surface unusual tool-call patterns, policy denials, and approval-rate drift across the fleet.

Operational surfaces

One operational surface across multiple agent ecosystems.

Policy engagement, queryable audit, MCP governance, and incident response — all reading from the same fleet, all queryable across runtimes.

Policy engagement

Mixed-runtime policy profiles, one review queue

Publish one operator model across runtimes; track who is covered, where drift exists, and what is awaiting approval.

Live

Active profilesv0.4.2

Engineering · defaultterminal · git · docs · file_read

claude-codelanggraph

47 agents

Security reviewaudit:full · sandbox-only · no_network

openai-agents

4 agents

MCP allow-listgithub · linear · slack · postgres-read

mcp

23 servers

Review queue2 changes

Cross-runtime · platform org

Add `prod_db_read` to engineering profile

claude-code, langgraphpending

MCP · github-issues

Approve write scope for repo:clawforge

mcpready

Audit & evidence

One queryable event stream across every runtime

Every tool call, policy decision, and approval flows into a queryable, append-only event store. Reconstruct what an agent did, and why.

Live

filter

outcome:blocked OR outcome:approval_required

window

last 24h · 4,318 events

sources

claude-code · langgraph · mcp

tool_call_blockedblocked

shell.exec → prod-west-2 (policy:no_prod_shell)

src: claude-code:agent-7f

approval_requiredapproved

tool_use:postgres_write → main DB

src: langgraph:graph-12

server_approvedlogged

scope:repo:clawforge granted by admin@platform

src: mcp:github-issues

MCP governance console

MCP servers governed like production dependencies

The operator surface for the MCP catalog, allow-list, and approval queue. Enforcement runs in AGT's MCPGateway where present, ClawForge interception elsewhere.

Live

Approved3 servers

github-issues

repo:read · issues:write

8d ago

linear

issues:read · comments:write

3d ago

postgres-read

schema:public · select-only

12d ago

Pending approval2 servers

slack

channels:read · chat:write

agent-7f

stripe-mcp

customers:read

agent-2c

Incident response

A visible kill-switch posture across the fleet

Move from anomaly to containment with a visible posture, heartbeat-bounded propagation, and a fail-secure local fallback.

Armed

Emergency controls

Kill switch armed · product sandbox

Heartbeat-bounded

trigger

audit anomaly: 14× tool_blocked in 90s

scope

claude-code · product sandbox (12 agents)

operator

alex@platform · runbook IR-024

Propagationstep 3 of 4

Anomaly detected by audit signalstep 1

Operator armed kill switch via consolestep 2

Heartbeat propagation in progressstep 3

Local fail-secure if heartbeat lapsesstep 4

How it works

A layered architecture, vendor-neutral by design.

ClawForge meets each runtime where it lives — local enforcement where supported, MCP proxying where it isn't, and an append-only audit pipeline either way.

Layer 01Agents

Mixed runtimes — what your enterprise actually runs.

Claude CodeOpenAI AgentsLangGraphOpenClawMCP serversCustom enterprise agents

Layer 02Adapters & interception

Where ClawForge meets each runtime. Local enforcement where supported, proxy where not.

HooksMCP proxyAGT integrationSDK adapters

Layer 03Governance runtime

Substrate that enforces policy at agent-edge. Standalone or on top of Microsoft AGT.

ClawForge engineMicrosoft AGT compatibilitySandboxingIdentity & scopes

Layer 04Control plane

Operator surface. Vendor-neutral, self-hosted, append-only.

PolicyApprovalsAudit & evidenceIncidentsAdmin consoleMCP catalog & approvals

Vendor-neutral governance

Multi-runtime visibility

Local enforcement where supported

Append-only audit pipeline

Self-hosted-first deployment

Microsoft AGT compatibility

AGT is the enforcement substrate. ClawForge is the operations layer above it.

AGT enforces policy on every tool call at the runtime layer — including MCP traffic via its own MCPGateway. ClawForge does not duplicate that. It's the operator console, approval workflow, policy distribution, and cross-runtime audit federation that turns a fleet of AGT deployments into one operable thing.

Substrate · runtime

What AGT enforces

Sub-millisecond per-tool-call policy enforcement
MCPGateway and MCPSecurityScanner for MCP traffic
Adapters for 20+ runtimes (LangChain, AutoGen, CrewAI, Semantic Kernel, OpenAI Agents SDK, Google ADK)
Append-only, hash-chained audit log per deployment
Four-tier privilege ring model and kill switches
OWASP Agentic Top 10 coverage at the runtime layer

Operations layer · console

What ClawForge operates

Operator console across many AGT deployments and non-AGT runtimes
Approval queue, routing, SLA, and approver audit — the destination AGT's human-approval hook calls into
MCP catalog, allow-list, and pending-approval surface above AGT's gateway
Cross-runtime audit federation (AGT logs + Claude Code, OpenClaw, custom agents)
Policy authoring, versioning, and fleet-wide distribution
Incident response with mixed-runtime kill-switch posture
Evidence packaging for security, legal, and compliance

Open source

Open source by design.
Vendor-neutral by intent.

ClawForge is MIT licensed, inspectable, self-hosted, and forkable. The control plane runs in your environment, on your storage, governing whichever agent runtimes you already use. No runtime lock-in, no proprietary policy format.

Star on GitHub Read the Docs

License & postureREADME.md

license MIT

deployment self-hosted-first

runtime-lock none

policy-format open · versioned

audit-store customer-hosted Postgres

contributors community-driven

Who it is for

Built for the teams operating AI agents at production scale.

Platform engineering

Standardize agent rollout, policy, and runtime governance across teams without rebuilding operator tooling per runtime.

What they get

Audit query across runtimes
Policy publish + propagation
One operator on call instead of N

Security & compliance

Approval workflows, queryable audit evidence, and operational containment — for AI agents and the MCP servers they reach.

AI platform teams

Govern custom AGT and LangGraph agents alongside Claude Code and OpenAI Agents from one operational surface.

Operate it like infrastructure

Operate AI agents like production infrastructure.

Open, vendor-neutral, multi-agent operations for enterprise AI systems. Run it where your team already manages risk.

Book a Demo Read the Docs

The control plane for AI agents at work.

AI agents are spreading faster than the operator model.

Fragmented runtimes

Untrusted MCP servers

Shadow AI workflows

No queryable evidence

No containment path

Everything flows through policy, approval, audit, and response.

Multi-agent fleet inventory

Centralized policy engine

MCP governance console

Approval workflows

Audit & evidence pipeline

Fail-secure kill switch

AGT-compatible policy layer

Risk signals & anomaly detection

One operational surface across multiple agent ecosystems.

A layered architecture, vendor-neutral by design.

AGT is the enforcement substrate. ClawForge is the operations layer above it.

What AGT enforces

What ClawForge operates

Open source by design.Vendor-neutral by intent.

Built for the teams operating AI agents at production scale.

Platform engineering

Security & compliance

AI platform teams

Operate AI agents like production infrastructure.

Open source by design.
Vendor-neutral by intent.