·7 min read·v0.0.0
OpenFang Architecture
The Agent Operating System — 14 Rust crates, 137K LOC, 16 security layers, single ~32MB binary with true kernel architecture.
agent-osrustkernelmulti-agentwasmmcpsecuritysqlite
View repository →UI / Desktop
Kernel / Core
Storage / Memory
Adapters / Channels
Runtime / Agents
Skills / Hands
CLI / Tools
External / Infra
System Layers
Interface Layer
>openfang-cliClap + Ratatui TUI
Wopenfang-desktopTauri 2.0 + WebView
@openfang-apiAxum 0.8 · 140+ endpoints
~OpenAI-compat API/v1/chat/completions
Orchestration Layer (Kernel)
Kopenfang-kernelCentral coordinator
WWorkflowEngineDAG execution
SSchedulerQuota + cron
RAuthManagerRBAC + capabilities
MMeteringEngineCost tracking (USD)
TTriggerEngineEvent pattern matching
HHeartbeatHealth monitor
Execution Layer
Aopenfang-runtimeAgent loop + 53 tools
LLLM DriversAnthropic / Gemini / OpenAI-compat
XWASM SandboxWasmtime dual-metered
PMCP ClientJSON-RPC 2.0 stdio/SSE
$A2A ProtocolAgentCard + task mgmt
Capability Layer
*openfang-skills60 bundled + FangHub
!openfang-hands7 autonomous Hands
#openfang-extensions25 MCP templates + vault
^openfang-migrateOpenClaw / LangChain import
Transport Layer
<>openfang-channels40 messaging adapters
~AgentRouterMessage routing
&BridgeManagerLifecycle + rate limiter
Popenfang-wireOFP P2P + HMAC-SHA256
Persistence Layer
Dopenfang-memorySQLite substrate (schema v5)
VVector EmbeddingsSemantic search
GKnowledge GraphEntities + relations
CCanonical SessionsCross-channel memory
Foundation Layer
Topenfang-typesCore types + Ed25519 + taint
CModelCatalog51 models / 27 providers
ZZeroize + TaintSecret lifecycle tracking
Core Flow — Agent Message Lifecycle
1
Message arrives — Via channel adapter (Telegram, Discord, etc.), REST API, WebSocket, or CLI openfang chat
↓
2
RBAC + Channel policy — AuthManager resolves identity, checks user role; ChannelBridgeHandle enforces DM/group policy
↓
3
Quota check — AgentScheduler verifies token-per-hour limit not exceeded; MeteringEngine tracks cost
↓
4
Module dispatch — Kernel routes to builtin:chat (LLM loop), wasm: (WASM sandbox), or python: (subprocess sandbox)
↓
5
Agent loop init — Load session + canonical context, resolve LLM driver, gather tools (capability-filtered + skills + MCP), run session_repair
↓
6
LLM iteration — Send to provider via LlmDriver, execute tool calls through tool_runner with LoopGuard protection, repeat until done
↓
7
Post-processing — Auto-compact session if threshold exceeded, compute cost_usd, record usage event, write MerkleAuditTrail entry
↓
8
Response delivery — Format output (Markdown/TelegramHTML/SlackMrkdwn), route back through channel adapter or stream via SSE/WebSocket
Security Model — 16 Defense-in-Depth Layers
Execution Security (8 layers)
WASM Dual-Metered Sandbox — fuel + epoch metering with watchdog kill
Subprocess Sandbox — env_clear() + selective var passthrough
LoopGuard — SHA256 tool loop detection, circuit breaker at 30 calls
Session Repair — 7-phase message history validation
Max Continuations = 3 — prevents infinite "continue" loops
Inter-Agent Depth = 5 — blocks recursive agent chains
Tool Timeout = 60s — universal tokio timeout on all tools
SSRF Protection — blocks private IPs, cloud metadata, DNS rebinding
Identity + Integrity (8 layers)
Ed25519 Manifest Signing — cryptographic agent identity
Merkle Hash-Chain Audit — tamper-evident action log
Taint Tracking — info flow labels from source to sink
Capability Gates — RBAC + per-agent tool permissions
OFP Mutual Auth — HMAC-SHA256 nonce + constant-time verify
Secret Zeroization — Zeroizing<String> auto-wipe
GCRA Rate Limiter — cost-aware per-IP token bucket
Prompt Injection Scanner — detects override + exfil patterns
Key Subsystem — openfang-kernel (Central Coordinator)
crates/openfang-kernel/src/ ├── kernel.rs ← OpenFangKernel: assembles all subsystems, 18-step boot sequence ├── registry.rs ← AgentRegistry: DashMap concurrent agent store ├── scheduler.rs ← AgentScheduler: per-agent quota tracking, hourly window reset ├── workflow.rs ← WorkflowEngine: DAG registration + execution (cap 200 runs) ├── triggers.rs ← TriggerEngine: event pattern matching + dispatch ├── capabilities.rs ← CapabilityManager: grants, inheritance validation ├── auth.rs ← AuthManager: RBAC + channel identity resolution ├── metering.rs ← MeteringEngine: cost catalog (20+ model families) ├── event_bus.rs ← EventBus: async broadcast channel for lifecycle events ├── supervisor.rs ← Supervisor: health monitoring, panic/restart counters ├── background.rs ← BackgroundExecutor: continuous + periodic agent loops ├── heartbeat.rs ← HeartbeatMonitor: agent health checks ├── approval.rs ← Approval gates for sensitive Hand actions ├── wizard.rs ← SetupWizard: first-run provider configuration └── cron.rs ← Cron scheduler for proactive agent schedules
Data Model — SQLite Memory Substrate (Schema v5)
agents
agent_id (uuid), name, manifest (json), state, parent_id, created_at
sessions
session_id, agent_id, messages (json), token_count, created_at, updated_at
memory_kv
agent_id, key, value (json), confidence, decay_rate, updated_at
embeddings
id, agent_id, content, vector (blob), metadata (json), created_at
knowledge_entities
id, agent_id, name, entity_type, properties (json), created_at
knowledge_relations
source_id, target_id, relation_type, properties (json), weight
task_board
task_id, title, description, assignee, status (pending/claimed/done), result
usage_events
id, agent_id, model, provider, input_tokens, output_tokens, cost_usd
canonical_sessions
user_id, summary (text), context, channel_history, compacted_at
Package / Directory Map
openfang/ ├── crates/openfang-kernel/ Orchestration: workflows, RBAC, metering, scheduler, supervisor ├── crates/openfang-runtime/ Agent loop, 3 LLM drivers, 53 tools, WASM sandbox, MCP, A2A ├── crates/openfang-api/ Axum HTTP server: 140+ REST/WS/SSE endpoints, OpenAI-compat ├── crates/openfang-channels/ 40 messaging adapters: Telegram, Discord, Slack, WhatsApp, ... ├── crates/openfang-memory/ SQLite substrate: KV, vectors, knowledge graph, sessions ├── crates/openfang-types/ Core types, taint tracking, Ed25519 signing, model catalog ├── crates/openfang-skills/ 60 bundled skills, SKILL.md parser, FangHub + ClawHub ├── crates/openfang-hands/ 7 autonomous Hands (Clip, Lead, Collector, Predictor, ...) ├── crates/openfang-extensions/ 25 MCP templates, AES-256-GCM vault, OAuth2 PKCE ├── crates/openfang-wire/ OFP P2P protocol, HMAC-SHA256 mutual authentication ├── crates/openfang-cli/ CLI: init, start, chat, agent, workflow, skill, mcp, migrate ├── crates/openfang-desktop/ Tauri 2.0: WebView, system tray, notifications, shortcuts ├── crates/openfang-migrate/ Migration engine: OpenClaw, LangChain, AutoGPT importers ├── xtask/ Build automation (cargo xtask pattern) ├── agents/ 30 pre-built agent templates (researcher, coder, analyst, ...) ├── packages/whatsapp-gateway/ Node.js WhatsApp Web bridge (QR code pairing) ├── docs/ Architecture, security, API reference, getting started └── deploy/ systemd service, Dockerfile, docker-compose
The Key Insight
OpenFang is not an agent framework — it is an Agent Operating System with a true kernel architecture. The kernel assembles 14 subsystems (registry, scheduler, workflow engine, capability manager, metering, RBAC) into a single coordinator, while Hands — autonomous capability packages that run on schedules without human prompting — represent the shift from chatbot-driven agents to agents that genuinely work for you, 24/7, secured by 16 independent defense-in-depth layers.