Ship AI agents to production with confidence

Audit every deployment. Control who deploys where. Gate promotions with approvals. Inject secrets safely. Enterprise governance for your AI agent fleet.

$ npm install @openforge-ai/enterprise

The Problem

Three questions every team asks

As your AI agent fleet grows, visibility and control become non-negotiable.

Who changed the agent?

Every deploy, rollback, and config change recorded with actor, timestamp, and config hash. Immutable append-only audit log.

AuditTrail records everything.

Who approved this deploy?

Not everyone should push to production. Role-based access control with environment restrictions. Admin bypass for emergencies.

RbacManager controls access.

Are secrets leaking into config?

An API key in forge.yaml is a security incident. Resolve secrets from environment variables at deploy time. Nothing hardcoded.

SecretsManager resolves at runtime.
Features

Enterprise governance, built in

Four modules that give your team visibility, control, and compliance.

Audit Trail Immutable

Immutable, append-only JSONL log at .forge/audit.jsonl. Auto-generated UUIDs and timestamps. Query by action, environment, agent, or any field.

audit-example.ts

```typescript
import { AuditTrail } from "@openforge-ai/enterprise";

const audit = new AuditTrail({ stateDir: ".forge" });

// Record a deployment
const entry = await audit.record({
  action: "deploy",
  actor: "alice@acme.com",
  environment: "production",
  agentName: "support-triage",
  configHash: "84ef0d1ddb5f...",
});

// Query the log
const prodDeploys = await audit.query({
  action: "deploy",
  environment: "production",
});
```

RBAC Role-Based

Define roles with granular permissions and environment restrictions. Assign users to roles. Check permissions before every deploy. Admin permission bypasses all environment restrictions. Unassigned users fall back to a configurable default role.

rbac-example.ts

```typescript
import { RbacManager } from "@openforge-ai/enterprise";

const rbac = new RbacManager({
  policy: {
    roles: [
      { name: "developer", permissions: ["read", "deploy"], environments: ["dev", "staging"] },
      { name: "operator", permissions: ["read", "deploy", "rollback"] },
      { name: "admin", permissions: ["read", "deploy", "rollback", "admin"] },
    ],
    defaultRole: "developer",
  },
});

await rbac.assignRole("alice@acme.com", "operator");

const allowed = await rbac.checkPermission("alice@acme.com", "deploy", "production");
// true: operator has no environment restriction
```
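
The access rules described above (environment restrictions, the admin bypass, the default-role fallback) can be reasoned about with a small stand-alone model. This is an added example, not code from @openforge-ai/enterprise; `decide`, the type names and the sample assignments are hypothetical, and only the policy literal is taken from the page.

```typescript
// Added example: stand-alone model of the RBAC rules described on this page.
// Not the @openforge-ai/enterprise implementation; all names are hypothetical.
type Perm = "read" | "deploy" | "rollback" | "admin";
interface RbacRole { name: string; permissions: Perm[]; environments?: string[] }
interface RbacPolicy { roles: RbacRole[]; defaultRole?: string }
interface RbacDecision { allowed: boolean; role: string | null; reason: string }

function decide(
  policy: RbacPolicy,
  assignments: Record<string, string>,
  user: string,
  perm: Perm,
  env: string,
): RbacDecision {
  // Own-property lookup so a user id like "constructor" cannot hit the prototype.
  const assigned = Object.prototype.hasOwnProperty.call(assignments, user);
  const roleName = assigned ? assignments[user] : policy.defaultRole;
  const role = policy.roles.filter((r) => r.name === roleName)[0];
  // Fail closed: no assignment and no default, or a role name that is not defined.
  if (!role) return { allowed: false, role: null, reason: "no role resolved" };
  const via = assigned ? "assigned" : "default";
  if (role.permissions.indexOf(perm) === -1) {
    return { allowed: false, role: role.name, reason: via + " role lacks " + perm };
  }
  // The admin permission lifts environment restrictions only.
  if (role.permissions.indexOf("admin") !== -1) {
    return { allowed: true, role: role.name, reason: via + " role, admin bypass" };
  }
  // A role without an environments list is unrestricted (the page's "operator").
  if (role.environments && role.environments.indexOf(env) === -1) {
    return { allowed: false, role: role.name, reason: via + " role barred from " + env };
  }
  return { allowed: true, role: role.name, reason: via + " role" };
}

// Policy copied from the page's example; the assignments are constructed sample data.
const samplePolicy: RbacPolicy = {
  roles: [
    { name: "developer", permissions: ["read", "deploy"], environments: ["dev", "staging"] },
    { name: "operator", permissions: ["read", "deploy", "rollback"] },
    { name: "admin", permissions: ["read", "deploy", "rollback", "admin"] },
  ],
  defaultRole: "developer",
};
const sampleAssignments: Record<string, string> = {
  "alice@acme.com": "operator",
  "root@acme.com": "admin",
};
```

With `defaultRole: "developer"`, an identity that was never assigned a role is still allowed to deploy to dev and staging, so the default role is worth reviewing as carefully as the explicit assignments.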

Gated Promotions Approval Required

Require approvals before promoting agents between environments. Define who can approve. Unauthorized approvers are rejected. Track request status from pending through approved.

promotion-example.ts

```typescript
import { PromotionManager } from "@openforge-ai/enterprise";

const promotions = new PromotionManager({
  rules: [{
    from: "staging",
    to: "production",
    requireApproval: true,
    approvers: ["alice@acme.com", "bob@acme.com"],
    requireTests: true,
    requireAudit: true,
  }],
});

const request = await promotions.requestPromotion({
  agentName: "support-triage",
  fromEnv: "staging",
  toEnv: "production",
  configHash: "84ef0d1ddb5f...",
  requestedBy: "charlie@acme.com",
});
// request.status === "pending"

await promotions.approvePromotion(request.id, "alice@acme.com");
// request.status === "approved"
```

Secrets Management Zero Hardcoded Keys

Resolve secrets from environment variables at deploy time. Never hardcode API keys in forge.yaml or state files. Provider-aware config for future cloud vault integration (Vault, AWS SSM, GCP, Azure).

secrets-example.ts

```typescript
import { SecretsManager } from "@openforge-ai/enterprise";

const secrets = new SecretsManager({
  provider: "aws-ssm",
  region: "us-east-1",
});

const apiKey = await secrets.resolve("BRAVE_API_KEY");
const all = await secrets.resolveAll(["BRAVE_API_KEY", "DATABASE_URL"]);
```

How It Works

Three steps to governed deployments

Drop enterprise governance into your existing Forge workflow.

01

Install

npm install @openforge-ai/enterprise alongside the CLI. Works with your existing forge.yaml.

02

Configure

Define roles, promotion rules, and secrets provider in your deploy script. No config file changes required.

03

Deploy with governance

Every deploy is audited, access-controlled, and promotion-gated. Full visibility from day one.

OSS vs Enterprise

Open core, enterprise governance

The OSS core handles everything individual developers need. Enterprise adds governance for production fleets.

Feature OSS (MIT) Enterprise
Config parsing + validation
Deploy / diff / rollback
Multi-environment overrides
MCP server management
Multi-provider support
Immutable audit trail
Role-based access control
Gated environment promotion
Secrets management
CI/CD integration guides
Priority support
CI/CD Integration

Works with your existing pipeline

RBAC checks, audit logging, and secrets injection in any CI system. Here's GitHub Actions.

.github/workflows/deploy-agent.yml

```yaml
name: Deploy Agent
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - name: Check permissions
        run: node scripts/check-rbac.js ${{ github.actor }} deploy production
      - name: Deploy with audit
        run: node scripts/deploy-with-audit.js --env production
        env:
          BRAVE_API_KEY: ${{ secrets.BRAVE_API_KEY }}
```

Pricing

Simple, transparent pricing

No per-seat fees. No usage tiers. One price for your whole team.

Open Source
Free
forever
  • forge.yaml config + validation
  • Deploy / diff / rollback
  • Multi-environment overrides
  • MCP server management
  • Multi-provider support
  • Community support

Ready to govern your AI agents?

$299/year per team. Unlimited users. Integration support included.