Augment Research Foundry Ships ARF:
The Agent Watchdog the Industry Didn't Know It Needed

SAN FRANCISCO, CA Augment Research Foundry today released ARF the Agent Rule Framework a local HTTP proxy and governance engine for AI coding agents. ARF sits transparently between AI coding CLIs such as Claude Code, Codex CLI, and Gemini CLI and their respective model APIs, providing cryptographic auditability, declarative TOML-based governance, real-time terminal monitoring, and OS-level sandbox isolation. The initial release is available today on GitHub and crates.io.

The release marks the culmination of a research effort into what it means to trust an AI agent with consequential work. The answer the Foundry arrived at: you don't trust it. You govern it. You record everything it does. You build a fence around it. And you keep a watchdog running at all times.

"We kept hearing that AI agents were ready for production," said the Augment Research Foundry. "So we asked: production by whose standard? The tools existed to run agents. The infrastructure to govern them to know what they decided, why, under what constraints, with whose approval that didn't exist. So we built it."

The Problem: Agents Act Without a Record

AI coding agents like Claude Code and Codex CLI have become genuinely productive tools. They write code, run tests, modify files, call APIs, and commit to git repositories. But the existing tooling treats every agent action as a black box: the developer sees what changed in git, not what the agent decided or why it decided it.

This is insufficient for any serious use of agents in regulated industries, in enterprises with compliance requirements, in teams where multiple agents work in parallel, or in any context where "the agent did it" is not an acceptable audit trail. Git shows diffs. ARF shows decisions.

ARF addresses this by intercepting every message every request to the model API, every completion returned and recording it in a SHA-256 hash-chained, Ed25519-signed proof bundle. The result is not a log file but a cryptographic proof: tamper-evident, attributable, and verifiable by any party with the public key.

The Architecture: A Proxy That Speaks Every Protocol

ARF operates as a local HTTP proxy. The only configuration required on the agent side is a single environment variable: ANTHROPIC_BASE_URL=http://localhost:4554. Claude Code, Codex CLI, Gemini CLI, and any other HTTP-based AI coding agent will route their API traffic through ARF without modification.

ARF's translation layer converts between Anthropic's SSE wire format, OpenAI Chat Completions, and Gemini's JSON protocol through a Canonical Intermediate Representation. This enables cross-runner, cross-engine operation: run Claude against OpenAI's backend, or Codex against Anthropic's. The Adaptive Runtime Framework adapts to whatever combination the operator chooses.

Governance is declared in TOML and enforced at the proxy layer before any message reaches the model. Rules can auto-approve read-only operations, require human sign-off on file writes or shell commands, block content matching configurable regex patterns, enforce token budgets, and trip circuit breakers automatically when error rates or policy violations exceed thresholds.

Three Profiles. One Fence.

ARF ships with three governance profiles out of the box. Strict mode enforces maximum oversight: every tool call requires explicit human approval, token budgets are tight, and circuit breakers are hair-trigger. Standard mode balances productivity and oversight: reads auto-approve, writes require approval, and the 100k token budget is generous enough for realistic sessions. Minimal mode is for personal workstations and experimentation: most operations auto-approve, but the audit trail and cryptographic signing remain active because you still want to know what happened, even if you're not watching every step.

All three profiles run through the same proxy, the same proof chain, and the same terminal dashboard. Profile selection is a one-line change in arf.toml.

The TUI: The Agent Watchdog Has Eyes

ARF includes a rich terminal dashboard the Agent Rendering Framework that displays live proxy traffic, governance decisions, circuit breaker states, session health grades, and the growing proof chain. Approval prompts surface directly in the TUI; the operator presses y or n, and the decision is recorded with their identity and a timestamp. The diff viewer shows exactly what the agent proposes to write before the write executes.

The TUI is designed for operators who are doing something else while the agents work it's meant to be glanceable. Circuit breaker status is visible at a glance. Health grades (A through F, computed over a rolling window) summarize agent behavior without requiring the operator to review individual requests. A dead man's switch can auto-trip all breakers if no human interaction is detected within a configurable window.

"Proof, Not Logs"

ARF's tagline for its audit capability is "proof, not logs." A log file is a text file that can be edited. A proof bundle is a SHA-256 hash chain where every record includes the hash of the previous record, signed with an Ed25519 key. To alter any record, you'd need to recompute every subsequent hash and forge the signature. With proper key management, this is infeasible.

For concurrent multi-agent sessions, ARF uses a Merkle DAG: each parallel branch maintains its own hash chain, and merge events become DAG nodes with multiple parent hashes. The root of the merged DAG commits to the complete history of all branches in a single value. Compliance export bundles generated with arf provenance export are self-contained archives that any ARF instance can verify without access to the original session.

"Every agent decision is a choice made on your behalf. You have the right to know exactly what that choice was, what information the agent had when it made it, and what constraints it was operating under. ARF makes that possible after the fact, for any session, forever."
- Augment Research Foundry

Built in Rust.

ARF is written in Rust. The core proxy, governance engine, credential vault, TUI, and orchestration system are documented and available at github.com/arf-io/arf.

The credential vault uses XChaCha20-Poly1305 encryption with Argon2id key derivation, Shamir Secret Sharing for vault recovery, and optionally a 3-LLM quorum approval protocol for critical credentials. No API keys are ever written to disk in plaintext.

The initial release supports Claude Code, Codex CLI, Gemini CLI, Ollama, DeepSeek, and Qwen as runners, and Anthropic, OpenAI, Google Gemini, and any OAI-compatible local model as engines. Support for additional runners and engines is in active development.

Availability

ARF is available now. Install via cargo install arf or download pre-built binaries for macOS (arm64, x86_64) and Linux (x86_64, arm64) from the GitHub releases page. Documentation is available at arf.io/docs. The repository is at github.com/arf-io/arf.

It's the agent watchdog. And it's watching.