Governing OpenFang Agents with TapPass
Zero-code AI governance for OpenFang: one line change, full compliance.
Overview
OpenFang is an open-source Agent OS that orchestrates AI agents with tools, memory, and multi-agent messaging. TapPass adds enterprise governance: PII detection, prompt injection blocking, secret scanning, rate limiting, and audit trails.
Together, they form a compliant agent runtime: OpenFang handles execution, TapPass handles compliance.
Integration (Zero Code)
Change the `base_url` in any OpenFang agent's agent.toml (and point `api_key_env` at a TapPass key instead of a provider key):
```toml
[model]
provider = "openai"
model = "gpt-4o-mini"
base_url = "http://tappass.internal:9620/v1"   # ← This is all you need
api_key_env = "TAPPASS_API_KEY"                # ← TapPass API key, not OpenAI
```
That's it. Every LLM call now flows through TapPass's 7-step governance pipeline.
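Because the integration is a single config value, bypassing it is just as easy: an agent whose `base_url` was never changed, or was overridden, talks to the provider directly and is never governed. The preflight check below is an added example written for this page, not part of OpenFang or TapPass. It assumes a hostname allowlist built from the endpoints shown on this page, assumes (as the Kubernetes option suggests) that an `OPENFANG_MODEL_BASE_URL` environment variable overrides the TOML value, and uses constructed agent.toml fragments rather than files from any repository.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of TapPass endpoints, taken from the URLs on this page.
# Replace with your own deployment's hostnames.
TAPPASS_HOSTS = {"tappass.internal", "tappass-service.governance.svc", "tappass.yourdomain.com"}

# Constructed agent.toml fragments (not from an OpenFang repository).
GOVERNED = '''
[model]
provider = "openai"
model = "gpt-4o-mini"
base_url = "http://tappass.internal:9620/v1"   # routed through TapPass
api_key_env = "TAPPASS_API_KEY"
'''

BYPASS = '''
[model]
provider = "openai"
model = "gpt-4o-mini"
api_key_env = "OPENAI_API_KEY"
'''


def model_block(toml_text):
    """Extract key = "value" pairs from the [model] table; avoids a TOML dependency."""
    cfg, in_model = {}, False
    for raw in toml_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if line.startswith("["):
            in_model = (line == "[model]")
            continue
        m = re.match(r'(\w+)\s*=\s*"([^"]*)"\s*$', line)
        if in_model and m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def check_agent(toml_text, env):
    """Return findings; an empty list means every LLM call is routed through TapPass."""
    cfg = model_block(toml_text)
    problems = []
    # Assumption: the env var seen in the Kubernetes option overrides the TOML value.
    url = env.get("OPENFANG_MODEL_BASE_URL") or cfg.get("base_url")
    if not url:
        problems.append("no base_url: the agent calls the provider directly, bypassing TapPass")
    else:
        u = urlparse(url)
        host = u.hostname or ""
        if host not in TAPPASS_HOSTS:
            problems.append(f"base_url host {host!r} is not a TapPass endpoint")
        if u.scheme != "https" and not host.endswith((".internal", ".svc")):
            problems.append(f"plain HTTP to {host!r}: the TapPass API key would cross the network unencrypted")
    key_env = cfg.get("api_key_env")
    if key_env != "TAPPASS_API_KEY":
        problems.append(f"api_key_env is {key_env!r}; TapPass expects TAPPASS_API_KEY")
    elif key_env not in env:
        problems.append("TAPPASS_API_KEY is not set in the agent's environment")
    return problems


if __name__ == "__main__":
    print("governed:", check_agent(GOVERNED, {"TAPPASS_API_KEY": "tp-example"}))
    print("bypass:  ", check_agent(BYPASS, {"OPENAI_API_KEY": "sk-example"}))
```

Run it over every agent.toml in a fleet before deploying; a non-empty result for any agent means that agent's traffic skips the governance pipeline entirely.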
What Gets Enforced
| Step | What It Does | Example |
|---|---|---|
| `validate_input` | Blocks oversized/malformed requests | 50KB limit, null bytes |
| `detect_pii` | Redacts PII before it reaches the LLM | SSN, email, CC, IBAN, phone |
| `detect_secrets` | Blocks API keys and credentials | AWS keys, GitHub tokens |
| `detect_injection` | Blocks prompt injection attempts | "Ignore all instructions…" |
| `call_llm` | Makes the governed LLM call | Rate-limited, circuit-broken |
| `scan_output` | Redacts PII/secrets in LLM responses | Generated customer records |
| `detect_unicode` | Blocks homoglyph/bidi attacks | Unicode evasion attempts |
PII Detection: 24 Obfuscation Techniques Defeated
TapPass catches PII even when agents or users try to obfuscate it:
- Separators: `234.56.7890`, `234/56/7890`, `234|56|7890`
- Unicode dashes: `234–56–7890` (em dash, en dash, minus sign, 7 more)
- Fullwidth: `２３４－５６－７８９０`
- Email obfuscation: `john[at]gmail[dot]com`, `john@gmail.com`
- URL encoding: `john%40gmail.com`
- Leetspeak: `j0hn@gm4il.c0m`
- Whitespace bombs: `2 3 4 - 5 6 - 7 8 9 0`
- And 17 more techniques (see Red Team Report)
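The usual way to defeat this class of evasion is to canonicalize the text first (URL-decode, NFKC-normalize so fullwidth forms collapse to ASCII, fold dash look-alikes, rewrite `[at]`/`[dot]`) and only then run a plain pattern, so one rule covers every variant instead of one rule per trick. The scanner below is an added example written for this page, not TapPass's detector; its dash table, the SSN plausibility rules and the sample strings are constructed, and it covers only SSNs and emails.

```python
import re
import unicodedata
from urllib.parse import unquote

# Dash-like code points folded to ASCII "-". Constructed subset; TapPass's own
# list of ten dash variants is not reproduced on this page.
DASH_LIKE = frozenset("\u00ad\u2010\u2011\u2012\u2013\u2014\u2015\u2043\u2212\ufe58\ufe63\uff0d")

# Nine digits with any mix of space . - / | between them, not inside a longer digit run
# (so a 10-digit phone number is not a candidate).
SSN_RE = re.compile(r"(?<!\d)(?:\d[\s.\-/|]*){8}\d(?!\d)")
# Digits are allowed in every label, which is why j0hn@gm4il.c0m still matches.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def canonicalize(text: str) -> str:
    """Undo the obfuscations so a single pattern per PII type suffices."""
    t = unquote(text)                                   # john%40gmail.com -> john@gmail.com
    t = unicodedata.normalize("NFKC", t)                # fullwidth digits/letters -> ASCII
    t = "".join("-" if ch in DASH_LIKE else ch for ch in t)
    t = re.sub(r"\s*[\[({]\s*at\s*[\])}]\s*", "@", t, flags=re.I)   # john[at]gmail -> john@gmail
    t = re.sub(r"\s*[\[({]\s*dot\s*[\])}]\s*", ".", t, flags=re.I)  # gmail[dot]com -> gmail.com
    return t


def plausible_ssn(digits: str) -> bool:
    """SSA allocation rules: area 000/666/9xx, group 00 and serial 0000 are never issued."""
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


def scan(text: str):
    """Return (findings, redacted_text) computed over the canonical form of `text`."""
    canon = canonicalize(text)
    findings = []

    def ssn_sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not plausible_ssn(digits):
            return m.group(0)                 # e.g. 000-12-3456: looks like an SSN, cannot be one
        findings.append(("SSN", digits))
        return "[SSN]"

    def email_sub(m):
        findings.append(("EMAIL", m.group(0)))
        return "[EMAIL]"

    redacted = SSN_RE.sub(ssn_sub, canon)
    redacted = EMAIL_RE.sub(email_sub, redacted)
    return findings, redacted


if __name__ == "__main__":
    # Constructed inputs mirroring the list above; the fullwidth sample is U+FF12.. and
    # the dash sample uses U+2013 (en dash).
    samples = [
        "234.56.7890", "234/56/7890", "234|56|7890", "234\u201356\u20137890",
        "\uff12\uff13\uff14\uff0d\uff15\uff16\uff0d\uff17\uff18\uff19\uff10",
        "john[at]gmail[dot]com", "john%40gmail.com", "j0hn@gm4il.c0m",
        "2 3 4 - 5 6 - 7 8 9 0", "order 1234567890", "000-12-3456",
    ]
    for s in samples:
        print(repr(s), "->", scan(s))
```

Two caveats a production detector must handle and this sketch does not: the `[at]`/`[dot]` rewrite will also mangle innocent text such as "meet (at) noon", and leetspeak in the local part of an email is only caught here because digits happen to be legal there; names and addresses would need a separate leet-to-letter fold. The NFKC step is also what the page's `detect_unicode` stage relies on in spirit: homoglyphs that survive normalization have to be blocked rather than folded.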
Deployment Options
Option A: Local (Development)
```bash
# Start TapPass
cd auth-guard && .venv/bin/uvicorn tappass.api.main:app --port 9620

# Start OPA
opa run --server --addr :8181 policies/rego/

# OpenFang agents auto-route through TapPass via agent.toml
openfang run assistant
```
Option B: Docker Compose (Production)
```bash
docker compose -f docker-compose.openfang.yml up -d
# Includes: TapPass + OPA + Caddy TLS
# OpenFang agents connect to: https://tappass.yourdomain.com/v1
```
Option C: Kubernetes
```yaml
# Add to OpenFang agent deployment:
env:
  - name: OPENFANG_MODEL_BASE_URL
    value: "http://tappass-service.governance.svc:9620/v1"
  - name: TAPPASS_API_KEY
    valueFrom:
      secretKeyRef:
        name: tappass-credentials
        key: api-key
```
Note that the in-cluster URL is plain HTTP, so the TapPass API key crosses the pod network unencrypted unless the cluster itself provides transport encryption (for example a service mesh); the Compose option terminates TLS at Caddy instead.
Monitoring
Every governed request produces an audit trail:
```json
{
  "agent_id": "assistant",
  "model": "gpt-4o-mini",
  "steps": [
    {"step": "detect_pii", "detected": true, "action": "redact", "types": ["SSN"]},
    {"step": "detect_injection", "detected": false},
    {"step": "scan_output", "detected": false}
  ],
  "blocked": false,
  "duration_ms": 1240
}
```
Set up alerts for governance events:
```bash
export TAPPASS_ALERT_WEBHOOK_URL=https://hooks.slack.com/services/T.../B.../xxx
export TAPPASS_ALERT_WEBHOOK_TYPE=slack
```
Security Properties
| Property | Status |
|---|---|
| Fail-closed (OPA down → block all) | ✅ |
| Streaming PII redaction | ✅ |
| 6 message roles scanned | ✅ |
| Multimodal content support | ✅ |
| Rate limiting per agent | ✅ |
| Zero crashes from malformed input | ✅ (25/25 fuzz tests) |
| 100% PII detection under concurrent load | ✅ |
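The audit records in the Monitoring section are only useful if something reads them. The rule set below is an added example written for this page, not TapPass's built-in alerting, showing which governance events are worth paging on and which are routine: a routine `detect_pii` redaction is not alerted, a credential in a prompt or PII in model output is, and a burst of blocked injections from one agent is escalated. The sample log is constructed in the shape of the record shown above; the `"action": "block"` value, the `types` list on `detect_secrets`, the burst threshold, and a record that is blocked with no detector firing (the fail-closed case) are assumptions for this example.

```python
import json
from collections import defaultdict

# Constructed audit records in the shape of the Monitoring example (one JSON object per line).
SAMPLE_AUDIT_LOG = """\
{"agent_id": "assistant", "model": "gpt-4o-mini", "steps": [{"step": "detect_pii", "detected": true, "action": "redact", "types": ["SSN"]}, {"step": "detect_injection", "detected": false}, {"step": "scan_output", "detected": false}], "blocked": false, "duration_ms": 1240}
{"agent_id": "assistant", "model": "gpt-4o-mini", "steps": [{"step": "detect_injection", "detected": true, "action": "block"}], "blocked": true, "duration_ms": 12}
{"agent_id": "assistant", "model": "gpt-4o-mini", "steps": [{"step": "detect_injection", "detected": true, "action": "block"}], "blocked": true, "duration_ms": 9}
{"agent_id": "assistant", "model": "gpt-4o-mini", "steps": [{"step": "detect_injection", "detected": true, "action": "block"}], "blocked": true, "duration_ms": 11}
{"agent_id": "billing", "model": "gpt-4o-mini", "steps": [{"step": "detect_secrets", "detected": true, "action": "block", "types": ["AWS_KEY"]}], "blocked": true, "duration_ms": 8}
{"agent_id": "billing", "model": "gpt-4o-mini", "steps": [{"step": "scan_output", "detected": true, "action": "redact", "types": ["EMAIL"]}], "blocked": false, "duration_ms": 900}
{"agent_id": "assistant", "model": "gpt-4o-mini", "steps": [{"step": "detect_injection", "detected": false}], "blocked": true, "duration_ms": 3}
"""

INJECTION_BURST = 3   # assumed threshold: this many blocked injections from one agent escalates


def parse_audit_log(text):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detections(record):
    """Map step name -> step entry, for the steps that reported a hit."""
    return {s["step"]: s for s in record.get("steps", []) if s.get("detected")}


def evaluate(records):
    """Return (severity, agent_id, message) alerts; routine input-side PII redaction is not one."""
    alerts = []
    injections = defaultdict(int)
    for rec in records:
        agent = rec.get("agent_id", "unknown")
        hits = detections(rec)
        if "detect_secrets" in hits:        # an agent tried to send a credential upstream
            alerts.append(("high", agent, f"credential in prompt: {hits['detect_secrets'].get('types')}"))
        if "scan_output" in hits:           # the model produced PII; redaction worked, but ask why
            alerts.append(("medium", agent, f"PII in model output (redacted): {hits['scan_output'].get('types')}"))
        if "detect_injection" in hits:
            injections[agent] += 1
            if injections[agent] == INJECTION_BURST:
                alerts.append(("high", agent, f"{INJECTION_BURST} blocked injection attempts"))
        if rec.get("blocked") and not hits:  # blocked with no detector firing: fail-closed path, check OPA
            alerts.append(("low", agent, "blocked without a detection, check OPA availability"))
    return alerts


def slack_payload(alerts):
    """Body for an incoming-webhook POST; Slack incoming webhooks accept {"text": ...}."""
    lines = [f"[{sev.upper()}] {agent}: {msg}" for sev, agent, msg in alerts]
    return {"text": "TapPass governance alerts\n" + "\n".join(lines)}


if __name__ == "__main__":
    found = evaluate(parse_audit_log(SAMPLE_AUDIT_LOG))
    print(json.dumps(slack_payload(found), indent=2))
```

The burst rule counts per agent over the batch it is given; in a real pipeline feed it a sliding time window so a slow trickle of injection attempts does not escape notice.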