AI AGENT PLATFORM / 05

xFrontier

Governed, local-first multi-agent orchestration — OpenClaw-class capability on an enforceable, auditable runtime where every agent action is sandboxed, scoped, and provable.

Two capabilities set it apart: a brain-inspired cortical-columns memory and a zero-trust runtime where every agent action is sandboxed, scoped, and provable.

xFrontier is an open-source (AGPL-3.0) multi-agent orchestration platform that runs locally by default — from a laptop to hardened Docker to Kubernetes, air-gap capable — with enforcement wired into the runtime rather than bolted on. Agents execute inside auto-detected sandboxes under signed capability tokens and policy gates, sensitive data is masked by built-in DLP, and every event is signed and replayable. A purpose-built, multi-tier memory system — short-term working memory, semantic long-term recall, and a knowledge graph — gives agents governed, structured memory rather than a bolted-on vector store. It is a uniquely built runtime, not a fork or a wrapper: ergonomics teams expect from modern agent platforms, on infrastructure organizations can govern, isolate, and audit.

Open source · Released under the GNU AGPL-3.0

/01Two Unique Capabilities
/01

Cortical Columns Memory

Brain-inspired memory, not a vector store bolted onto a prompt. Many scope-aware memory columns each capture context and consolidate into a shared world-graph — so agents recall structured knowledge, and only what they are authorized to.

  • Tiered: Redis working memory · pgvector long-term recall · Neo4j world-graph
  • Consolidation and hybrid retrieval under explicit ranking and token budgets
  • Every memory is scope-bound, with authorization enforced on each recall
/02

Zero-Trust Runtime

Enforcement wired into the runtime, not bolted on. Every agent runs inside an auto-detected sandbox, acts under signed capability tokens and policy gates, and emits a signed, replayable event for every action.

  • Three-tier sandbox: kernel/seccomp · hardened Docker · gVisor/Kata
  • Signed Biscuit capability tokens, Open Policy Agent gates, and inline DLP
  • Cryptographically signed, replayable event chain — provable after the fact
/02How It Works
01

What It Is

xFrontier is a governed runtime for building, deploying, and operating AI agent workflows — the enforceable alternative to convenience-first open-source agent platforms. Where those projects optimize for scale and ease at the cost of governance, xFrontier is built from first principles around local-first execution, enforced security, and data-centric control. It is open source under the GNU Affero General Public License v3.0-or-later, runs on your own hardware with data staying local by default, and treats isolation, policy, and audit as runtime guarantees rather than optional add-ons. The result is OpenClaw-class multi-agent ergonomics on a runtime an enterprise can actually stand behind: every agent, every tool call, and every handoff happens inside a boundary you define and can prove after the fact.

02

How It Works

xFrontier is organized as four cooperating layers. Orchestration runs on LangGraph with PostgreSQL checkpointing, so multi-agent workflows are durable and resume from the last committed step rather than restarting. A guardrails layer built on the Microsoft Agent Framework intercepts prompt rendering, function invocation, and outputs — applying DLP and policy gates inline. Agent execution uses role-based agents that hand off work through signed agent-to-agent (A2A) envelopes with replay protection, invoking tools through the Model Context Protocol under per-agent allowlists and budgets. Underneath, the infrastructure layer wires in HashiCorp Vault for secrets, Open Policy Agent for policy, Envoy as the egress boundary, NATS for messaging, Biscuit for capability tokens, and Presidio for PII detection. The same codebase carries this stack from a local dev machine to a production cluster without re-platforming.

/03Zero-Trust Runtime

Enforcement in xFrontier is wired in, not advisory. Agent code runs inside a three-tier hybrid sandbox that auto-detects the strongest isolation available — kernel-level bubblewrap/seccomp on Linux and seatbelt on macOS (no Docker required, ~1ms startup), hardened Docker with full capability drop and read-only rootfs, or gVisor/Kata via Kubernetes RuntimeClass. Every agent invocation carries a signed Biscuit capability token that encodes its allowed tools and tool-call budget, verified before execution and attenuable on handoff. Open Policy Agent decisions gate tool calls and route access, and a Presidio-backed DLP pipeline masks PII with sanitized error responses. Every event is written to a cryptographically signed chain that supports full replay, and the skills registry is signed and provenance-checked so only vetted capabilities reach the runtime.

/ GOVERNED AGENT RUNTIMELOCAL-FIRST · ENFORCED · AUDITABLE/ RUN xf-7a3c · multi-agent workflowhost: on-prem · air-gap capable · models: localSTATUS: ENFORCING ✓every tool call gated · every step signed/ AGENTS · A2A SIGNEDPLANNERAGT-01decomposes task✓ sigCODERAGT-02writes, runs tools✓ sigREVIEWERAGT-03checks output✓ sigOPSAGT-04deploys, monitors✓ sigA2A: capability attenuated/ ENFORCEMENT GATEPOLICY ENFORCEMENT POINT01 CAP TOKENbiscuit verified02 POLICY · OPArules evaluated03 DLPmask, redact, boundVERDICT BEFORE EXECUTION✓ ALLOW◐ TRANSFORM · DLP applied✗ DENYno cap · policy block · stop✗ shell.rm prod blocked/ TIERED MEMORYSCOPE-AWARE STOREauthz on recallSHORT-TERMsession cacherunrd · wrLONG-TERMsemantic vectorstenantrd · wrKNOWLEDGE GRAPHworld graphglobalrd · wrread, write within granted scopeKUBERNETESk8s capable · gVisor/KataLOCAL-FIRSTair-gap · your hardware/ SIGNED EVENT LOG · APPEND-ONLYHASH-CHAINED · REPLAYABLEtamper breaks chain#1042fs.write signed ALLOW#1041mem.read signed ALLOW#1040http.post masked TRANSFORM#1039shell.rm blocked DENY#1038a2a handoff signed ALLOW/ TOOL CALLS · VERDICTSfs.write src/apiAGT-02 · cap=ok · opa=ok · scope=runmem.read graphAGT-01 · cap=ok · scope=sessionhttp.post partnerAGT-02 · dlp=mask PII · egress boundshell.rm prodAGT-04 · cap=missing · opa=block
/04Cortical Columns Memory

Memory in xFrontier is modeled on the brain's cortical columns — many small, uniform memory units that each capture context and vote into a shared world-model, rather than a single vector store bolted onto a prompt. It is tiered: short-term working memory lives in a Redis session cache with an optional write-ahead log; long-term memory is held in PostgreSQL with pgvector for semantic recall; and a Neo4j world-graph projects topics, relationships, and evidence links so agents reason over structured knowledge rather than nearest-neighbor text alone. A consolidation pipeline summarizes raw events into durable knowledge and suppresses duplicates, while hybrid retrieval blends column, long-term, and graph context under explicit ranking and token budgets. Critically, every memory is scope-aware — bound to a run, session, user, tenant, agent, workflow, or global scope — and authorization is enforced on recall, so an agent never retrieves memory it is not entitled to. Most frameworks treat memory as an afterthought; xFrontier treats it as governed, brain-inspired infrastructure.

/05Capabilities

Multi-Agent Orchestration

LangGraph-based workflows with PostgreSQL checkpointing for durable, resumable execution and structured agent-to-agent handoffs.

Enforced Isolation

Three-tier hybrid sandbox (kernel, hardened Docker, gVisor/Kata) that auto-detects the strongest available isolation with no manual configuration.

Capability-Token Governance

Signed Biscuit capability tokens with per-agent tool allowlists and call budgets, verified on every invocation and gated by Open Policy Agent.

Auditable by Design

Cryptographically signed, replayable event chains plus human-in-the-loop approval gates for sensitive operations.

Cortical Columns Memory

A brain-inspired, scope-aware memory stack — Redis short-term columns, pgvector long-term recall, and a Neo4j world-graph — with consolidation and hybrid retrieval under token budgets.

Local Model Bridge

Run capable agents on local models via an Ollama OpenAI-compatible endpoint — no API keys, no cloud inference, fully air-gap capable.

/06Local-First & Open Source

xFrontier is local-first by default: data stays on your network unless you explicitly configure otherwise, and the platform can run fully disconnected for air-gapped operation. It bridges to local models through an Ollama OpenAI-compatible endpoint with a curated allowlist, so teams can run capable agents with no API keys and no cloud inference. Because it is released under AGPL-3.0, organizations can inspect, self-host, and extend the entire stack — there is no opaque control plane to trust. Deployment scales along a single continuum: a lightweight local profile for development, a secure local profile with the full gateway, policy, and sandbox stack and OIDC operator authentication, and a hosted Kubernetes profile via Helm with gVisor or Kata isolation for enterprise rollout.

Open Source · AGPL-3.0

Inspect, self-host, and extend the entire stack. There is no opaque control plane to trust.

View on GitHub
/07Use Cases & Alignment

Use Cases

  • Governed software-engineering agent teams
  • DevOps automation on internal networks
  • Air-gapped and on-premises agentic workflows
  • Approval-gated sensitive operations
  • Long-running, resumable agent jobs

Aligned With

xFrontier maps governance and audit guarantees to the frameworks enterprises are held to.

NIST AI RMFNIST 800-207OWASP LLM Top 10SOC 2 Type II

Run Agents You Can Govern

Tell us about your agent workflows and environment, and our team will show you how xFrontier sandboxes, scopes, and audits every action.

Trouble with the form? info@lattix.io · Book a call