From zero to a guarded gateway watching its first agent. Four commands, one config block.
Creates ~/.foreman/ — the SQLite audit db, an Ed25519 identity keypair, and a starter policy.yaml.
$ foreman init
✓ created ~/.foreman/ db · identity.key · policy.yaml
Boots the Ink TUI gateway. This is the window you keep open — your live dashboard and approval prompt.
$ foreman start
Point any MCP client at Foreman. Here's Claude Code — add the server to its config:
{
  "mcpServers": {
    "foreman": {
      "command": "foreman",
      "args": ["mcp-stdio"]
    }
  }
}
Or wrap any subprocess agent so its tool calls get mediated:
$ foreman wrap --name my-agent -- my-agent-binary start
Tail the audit log live, list registered agents, and review the active policy.
$ foreman log tail --follow   # live request stream
$ foreman agent list          # registered agents
$ foreman policy show         # active rules
Boot banner → idle dashboard → ⚠ approval modal → inspect → remember → audit log. The whole story, scripted.
$ cd examples/phishing-scenario
$ ./run-demo.sh