AI AGENT PLATFORM / 05
xFrontier
Governed, local-first multi-agent orchestration — OpenClaw-class capability on an enforceable, auditable runtime where every agent action is sandboxed, scoped, and provable.
Two capabilities set it apart: a brain-inspired cortical-columns memory and a zero-trust runtime where every agent action is sandboxed, scoped, and provable.
xFrontier is an open-source (AGPL-3.0) multi-agent orchestration platform that runs locally by default — from a laptop to hardened Docker to Kubernetes, air-gap capable — with enforcement wired into the runtime rather than bolted on. Agents execute inside auto-detected sandboxes under signed capability tokens and policy gates, sensitive data is masked by built-in DLP, and every event is signed and replayable. A purpose-built, multi-tier memory system — short-term working memory, semantic long-term recall, and a knowledge graph — gives agents governed, structured memory rather than a bolted-on vector store. It is a uniquely built runtime, not a fork or a wrapper: ergonomics teams expect from modern agent platforms, on infrastructure organizations can govern, isolate, and audit.
Open source · Released under the GNU AGPL-3.0
Cortical Columns Memory
Brain-inspired memory, not a vector store bolted onto a prompt. Many scope-aware memory columns each capture context and consolidate into a shared world-graph — so agents recall structured knowledge, and only what they are authorized to.
- Tiered: Redis working memory · pgvector long-term recall · Neo4j world-graph
- Consolidation and hybrid retrieval under explicit ranking and token budgets
- Every memory is scope-bound, with authorization enforced on each recall
Zero-Trust Runtime
Enforcement wired into the runtime, not bolted on. Every agent runs inside an auto-detected sandbox, acts under signed capability tokens and policy gates, and emits a signed, replayable event for every action.
- Three-tier sandbox: kernel/seccomp · hardened Docker · gVisor/Kata
- Signed Biscuit capability tokens, Open Policy Agent gates, and inline DLP
- Cryptographically signed, replayable event chain — provable after the fact
What It Is
xFrontier is a governed runtime for building, deploying, and operating AI agent workflows — the enforceable alternative to convenience-first open-source agent platforms. Where those projects optimize for scale and ease at the cost of governance, xFrontier is built from first principles around local-first execution, enforced security, and data-centric control. It is open source under the GNU Affero General Public License v3.0-or-later, runs on your own hardware with data staying local by default, and treats isolation, policy, and audit as runtime guarantees rather than optional add-ons. The result is OpenClaw-class multi-agent ergonomics on a runtime an enterprise can actually stand behind: every agent, every tool call, and every handoff happens inside a boundary you define and can prove after the fact.
How It Works
xFrontier is organized as four cooperating layers. Orchestration runs on LangGraph with PostgreSQL checkpointing, so multi-agent workflows are durable and resume from the last committed step rather than restarting. A guardrails layer built on the Microsoft Agent Framework intercepts prompt rendering, function invocation, and outputs — applying DLP and policy gates inline. Agent execution uses role-based agents that hand off work through signed agent-to-agent (A2A) envelopes with replay protection, invoking tools through the Model Context Protocol under per-agent allowlists and budgets. Underneath, the infrastructure layer wires in HashiCorp Vault for secrets, Open Policy Agent for policy, Envoy as the egress boundary, NATS for messaging, Biscuit for capability tokens, and Presidio for PII detection. The same codebase carries this stack from a local dev machine to a production cluster without re-platforming.
Enforcement in xFrontier is wired in, not advisory. Agent code runs inside a three-tier hybrid sandbox that auto-detects the strongest isolation available — kernel-level bubblewrap/seccomp on Linux and seatbelt on macOS (no Docker required, ~1ms startup), hardened Docker with full capability drop and read-only rootfs, or gVisor/Kata via Kubernetes RuntimeClass. Every agent invocation carries a signed Biscuit capability token that encodes its allowed tools and tool-call budget, verified before execution and attenuable on handoff. Open Policy Agent decisions gate tool calls and route access, and a Presidio-backed DLP pipeline masks PII with sanitized error responses. Every event is written to a cryptographically signed chain that supports full replay, and the skills registry is signed and provenance-checked so only vetted capabilities reach the runtime.
Memory in xFrontier is modeled on the brain's cortical columns — many small, uniform memory units that each capture context and vote into a shared world-model, rather than a single vector store bolted onto a prompt. It is tiered: short-term working memory lives in a Redis session cache with an optional write-ahead log; long-term memory is held in PostgreSQL with pgvector for semantic recall; and a Neo4j world-graph projects topics, relationships, and evidence links so agents reason over structured knowledge rather than nearest-neighbor text alone. A consolidation pipeline summarizes raw events into durable knowledge and suppresses duplicates, while hybrid retrieval blends column, long-term, and graph context under explicit ranking and token budgets. Critically, every memory is scope-aware — bound to a run, session, user, tenant, agent, workflow, or global scope — and authorization is enforced on recall, so an agent never retrieves memory it is not entitled to. Most frameworks treat memory as an afterthought; xFrontier treats it as governed, brain-inspired infrastructure.
xFrontier is local-first by default: data stays on your network unless you explicitly configure otherwise, and the platform can run fully disconnected for air-gapped operation. It bridges to local models through an Ollama OpenAI-compatible endpoint with a curated allowlist, so teams can run capable agents with no API keys and no cloud inference. Because it is released under AGPL-3.0, organizations can inspect, self-host, and extend the entire stack — there is no opaque control plane to trust. Deployment scales along a single continuum: a lightweight local profile for development, a secure local profile with the full gateway, policy, and sandbox stack and OIDC operator authentication, and a hosted Kubernetes profile via Helm with gVisor or Kata isolation for enterprise rollout.
Open Source · AGPL-3.0
Inspect, self-host, and extend the entire stack. There is no opaque control plane to trust.
View on GitHubUse Cases
- Governed software-engineering agent teams
- DevOps automation on internal networks
- Air-gapped and on-premises agentic workflows
- Approval-gated sensitive operations
- Long-running, resumable agent jobs
Aligned With
xFrontier maps governance and audit guarantees to the frameworks enterprises are held to.
Run Agents You Can Govern
Tell us about your agent workflows and environment, and our team will show you how xFrontier sandboxes, scopes, and audits every action.
Trouble with the form? info@lattix.io · Book a call