A Trusted Runtime for Autonomous Agents
Plan → Approve → Execute → Replay
Fangio is a local-first runtime that makes AI agent actions observable, governable, and replayable, turning agent behavior into something developers can actually trust.
As agents become capable of executing real system tasks, the industry is increasingly asking:
“Can agents be trusted?”
Fangio answers that question.
Today, most agent frameworks optimize for autonomy.
Few optimize for:
- execution safety
- auditability
- deterministic replay
- human approval
- capability governance
Fangio introduces a runtime layer that enforces these properties by design.
The model plans.
The runtime decides.
Tool execution happens on the user’s machine.
Sensitive artifacts (logs, filesystem data, repo contents) never leave the runtime.
LLMs are treated as planners, not operators.
Every generated plan is:
- schema validated
- tool-restricted
- risk classified
- approval gated
Each run produces a complete audit timeline that can be replayed without calling the model again.
User Goal
↓
Planner (LLM)
↓
Structured Plan (JSON)
↓
Runtime Validation (zod)
↓
Approval Gate
↓
Tool Execution
↓
Audit Event Stream
↓
Replay Timeline
Agents must output strict JSON with no free-form reasoning controlling execution.
Tools are explicitly registered and risk-tiered.
Example:
| Tool | Risk |
|---|---|
| docker.ps | low |
| http.probe | low |
| filesystem.search | low |
| docker.restart | medium |
| shell.run | high |
High-risk tools are blocked unless explicitly approved.
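The gating rule above can be reduced to a small decision function. This is an illustrative sketch (the function and type names are hypothetical, not Fangio's API): low risk auto-approves, medium risk waits for a human, high risk stays blocked unless explicitly approved.

```typescript
type Risk = "low" | "medium" | "high";
type Decision = "auto-approve" | "needs-approval" | "blocked";

// Decide what happens to a step before execution, given its risk
// tier and whether the user has explicitly approved it.
function gate(risk: Risk, explicitlyApproved = false): Decision {
  if (risk === "low") return "auto-approve";
  if (explicitlyApproved) return "auto-approve";
  return risk === "medium" ? "needs-approval" : "blocked";
}
```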
Fangio surfaces agent intent before execution, enabling human-in-the-loop governance.
Example:
Restart container "api-prod"
Risk: Medium
Reason: Memory usage sustained at 96%
Every step emits structured events:
- plan created
- step approved
- tool started
- output received
- step completed
This creates full operational transparency.
Runs are persisted and can be replayed deterministically with no model required.
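Deterministic replay works because the timeline is a pure function of the persisted event log. A minimal sketch (event shape mirrors the audit events documented below; the `replay` helper is hypothetical):

```typescript
interface AuditEvent {
  planId: string;
  type: string;
  stepId?: string;
  timestamp: string; // ISO 8601, so lexical order equals time order
}

// Rebuild a human-readable timeline from stored events alone —
// no model call is involved at any point.
function replay(events: AuditEvent[]): string[] {
  return [...events]
    .sort((a, b) => a.timestamp.localeCompare(b.timestamp))
    .map((e) => `${e.timestamp} ${e.type}${e.stepId ? ` (${e.stepId})` : ""}`);
}
```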
This introduces auditability typically missing from agent systems.
fangio/
├── apps/
│ ├── api → Fastify agent runtime
│ └── web → React dashboard
│
├── packages/
│ ├── schema → zod safety contracts
│ ├── tools → capability registry
│ └── planner → LLM boundary
│
└── runs/ → persisted audit logs
- Full TypeScript
- Fastify
- React + Vite
- zod
- execa
- Server-Sent Events (SSE)
No database required. Fangio is intentionally lightweight and local-first.
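One way such database-free persistence might look: append each audit event as a JSON line to a per-run file. This is a sketch under assumptions (paths and helper names are illustrative; it writes to a temp directory rather than the real `runs/`):

```typescript
import { appendFileSync, readFileSync, mkdirSync } from "node:fs";
import { join } from "node:path";
import { tmpdir } from "node:os";

const runsDir = join(tmpdir(), "fangio-runs-demo");
mkdirSync(runsDir, { recursive: true });

// Append one event as a JSON line to the run's log file.
function appendEvent(planId: string, event: Record<string, unknown>): void {
  appendFileSync(join(runsDir, `${planId}.jsonl`), JSON.stringify(event) + "\n");
}

// Read the full event log back for replay.
function loadEvents(planId: string): Array<Record<string, unknown>> {
  return readFileSync(join(runsDir, `${planId}.jsonl`), "utf8")
    .trim()
    .split("\n")
    .map((line) => JSON.parse(line) as Record<string, unknown>);
}

const demoPlan = `plan-${Date.now()}`;
appendEvent(demoPlan, { type: "plan.created" });
appendEvent(demoPlan, { type: "execution.finished" });
```

Append-only JSONL keeps writes cheap and makes the log trivially streamable, which suits an audit trail.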
Goal:
Diagnose why a dockerized API is slow.
Fangio will:
✅ generate a structured diagnostic plan
✅ classify tool risk
✅ request approval for remediation
✅ execute tools locally
✅ stream outputs
✅ persist the run
✅ replay the timeline
- Node 18+
- pnpm
- Docker (optional but recommended)
pnpm install
pnpm dev

API:
http://localhost:3001
Web UI:
http://localhost:5173
Recommended split:
- apps/api on Azure Container Apps (Docker image)
- apps/web on Azure Static Web Apps (or Web App fallback)
This repo includes deployment workflows:
- .github/workflows/deploy-api-containerapps.yml (recommended API path)
- .github/workflows/deploy-api-appservice.yml (legacy fallback)
- .github/workflows/deploy-web-static.yml
- .github/workflows/deploy-web-appservice.yml (fallback when Static Web Apps is blocked by subscription policy)
- Get your deployed web URL (used for CORS_ORIGINS), for example:
  - https://fangio-web-123.azurewebsites.net
  - https://<name>.azurestaticapps.net
- Run:
pnpm azure:setup:ca -- \
--cors-origin https://<your-web-host> \
--set-github-secrets \
  --create-github-credentials

This command:
- creates or reuses resource group
- creates ACR (Basic)
- creates Container Apps environment
- creates or reuses API Container App with external ingress
- configures NODE_ENV, FANGIO_DATA_DIR, CORS_ORIGINS
- assigns managed identity + AcrPull role
- writes required GitHub Actions secrets:
  - AZURE_CREDENTIALS (service principal JSON used by azure/login)
  - AZURE_RESOURCE_GROUP
  - AZURE_CONTAINER_REGISTRY_NAME
  - AZURE_CONTAINER_REGISTRY_LOGIN_SERVER
  - AZURE_API_CONTAINER_APP_NAME
  - VITE_API_URL
Push to main or run manually:
.github/workflows/deploy-api-containerapps.yml
The workflow:
- builds image from apps/api/Dockerfile
- pushes to ACR using az acr build
- updates Container App to new image revision
- Static Web Apps mode: run .github/workflows/deploy-web-static.yml
- App Service web mode: run .github/workflows/deploy-web-appservice.yml
Share your web URL with testers. The web app calls the API at VITE_API_URL, and the API accepts requests only from the origins listed in CORS_ORIGINS.
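The CORS_ORIGINS check amounts to a simple allow-list lookup against a comma-separated env var. A minimal sketch (the helper name is hypothetical; Fastify's CORS plugin handles this in practice):

```typescript
// Return true only when the request's Origin header appears in the
// comma-separated CORS_ORIGINS allow-list.
function isAllowedOrigin(origin: string, corsOrigins: string): boolean {
  const allowed = corsOrigins
    .split(",")
    .map((o) => o.trim())
    .filter(Boolean);
  return allowed.includes(origin);
}
```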
Quick health check for Container Apps API:
curl https://<your-api-fqdn>/health

Fangio includes a validator to spot high-risk adoption gaps before production rollout:
- channel parity drift (playground vs activity protocol vs Copilot Studio)
- MCP schema drift (custom_MCP vs mcp)
- region/network readiness risks
- trace correlation field completeness in replay logs
cp foundry.doctor.example.json foundry.doctor.json
pnpm doctor:foundry
pnpm doctor:foundry -- --json
pnpm doctor:foundry -- --strict

FANGIO_REQUIRE_PRIVATE_NETWORK=true
FANGIO_FOUNDRY_REGION_RISK_DENYLIST=westeurope
FANGIO_DATA_DIR=.fangio

The command exits with code 1 when any check fails.
In --strict mode (or FANGIO_DOCTOR_STRICT=true), warnings also fail the run for CI gating.
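The exit-code rule can be stated as a small reduction. This sketch is illustrative (the type and function names are hypothetical, not the doctor's internals): failures always fail the run, and strict mode promotes warnings to failures.

```typescript
type CheckResult = "pass" | "warn" | "fail";

// Compute the process exit code from the doctor's check results.
// In strict mode (--strict or FANGIO_DOCTOR_STRICT=true), a warning
// is enough to fail the run, which is what a CI gate wants.
function exitCode(results: CheckResult[], strict: boolean): 0 | 1 {
  const failing = results.some((r) => r === "fail" || (strict && r === "warn"));
  return failing ? 1 : 0;
}
```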
Fangio uses GitHub Models as its default LLM provider. This means you can power Fangio with AI models directly from GitHub with no separate API key needed.
- Create a GitHub Personal Access Token at github.com/settings/tokens
- Set it in your .env file:
  GITHUB_TOKEN=ghp_your_token_here
- That's it! Fangio will automatically use GitHub Models at https://models.github.ai/inference
You can use any model available in GitHub Models:
LLM_MODEL=openai/gpt-4o-mini # Default - fast and cost-effective
LLM_MODEL=openai/gpt-4o # More capable
This repository includes .prompt.md files in .github/prompts/ that you can test directly in the GitHub Models playground:
- Enable Models on this repository (Settings → Models → Enabled)
- Go to the Models tab
- Select a prompt file and experiment with different models
Fangio works with any OpenAI-compatible API. To use a different provider:
LLM_API_KEY=sk-your-key
LLM_BASE_URL=https://api.openai.com/v1
LLM_MODEL=gpt-4o-mini
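Provider selection from these env vars could be resolved along the following lines. This is a hedged sketch of the precedence implied above (GITHUB_TOKEN first, then a generic OpenAI-compatible key); Fangio's actual resolution logic may differ, and the function name is hypothetical.

```typescript
interface ProviderConfig {
  baseUrl: string;
  apiKey: string;
  model: string;
}

// Resolve the LLM provider from environment variables. Returning null
// signals "no key configured", i.e. deterministic fallback mode.
function resolveProvider(
  env: Record<string, string | undefined>,
): ProviderConfig | null {
  if (env.GITHUB_TOKEN) {
    return {
      baseUrl: "https://models.github.ai/inference",
      apiKey: env.GITHUB_TOKEN,
      model: env.LLM_MODEL ?? "openai/gpt-4o-mini",
    };
  }
  if (env.LLM_API_KEY) {
    return {
      baseUrl: env.LLM_BASE_URL ?? "https://api.openai.com/v1",
      apiKey: env.LLM_API_KEY,
      model: env.LLM_MODEL ?? "gpt-4o-mini",
    };
  }
  return null;
}
```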
Fangio supports two planning modes.
LLM mode uses an LLM to generate plans:
LLM_API_KEY=your_key_here
If no key is present, Fangio falls back to deterministic canned plans, ensuring reliable demos even offline.
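The offline fallback can be sketched as a function returning a fixed plan. The contents below are illustrative only, not Fangio's actual canned plans; the point is that the output is deterministic apart from the generated id and timestamp.

```typescript
// Deterministic fallback planner: no network, no model, same steps
// every time, so demos work offline. Step contents are hypothetical.
function cannedPlan(goal: string) {
  return {
    planId: `plan-${Date.now()}`,
    goal,
    steps: [
      {
        id: "step-1",
        tool: "docker.ps",
        args: {},
        risk: "low" as const,
        description: "List all running containers",
        approved: true,
      },
    ],
    createdAt: new Date().toISOString(),
  };
}
```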
Create a new execution plan from a user goal.
Request:
{
"goal": "Diagnose why my dockerized API is slow"
}

Response:
{
"planId": "plan-1234567890",
"plan": {
"planId": "plan-1234567890",
"goal": "Diagnose why my dockerized API is slow",
"steps": [
{
"id": "step-1",
"tool": "docker.ps",
"args": {},
"risk": "low",
"description": "List all running containers",
"approved": true
}
],
"createdAt": "2024-01-01T00:00:00.000Z"
}
}

Approve medium/high-risk steps before execution.
Request:
{
"planId": "plan-1234567890",
"stepIds": ["step-2", "step-3"]
}

Response:
{
"ok": true
}

Execute an approved plan.
Request:
{
"planId": "plan-1234567890"
}

Response:
{
"ok": true
}

Returns 400 if not all steps are approved.
Server-Sent Events (SSE) stream of execution events.
Stream Format:
data: {"planId":"plan-123","type":"step.started","stepId":"step-1","timestamp":"2024-01-01T00:00:00.000Z"}
data: {"planId":"plan-123","type":"step.output","stepId":"step-1","data":{"stdout":"..."},"timestamp":"2024-01-01T00:00:01.000Z"}
Event Types:
- plan.created - Plan was created
- step.approved - Step was approved
- step.started - Step execution started
- step.output - Step produced output
- step.error - Step encountered an error
- step.finished - Step execution finished
- execution.finished - All steps completed
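On the client side, the stream format shown above can be parsed with a few lines: each `data:` line carries one JSON-encoded event. A minimal sketch (the parser name is hypothetical; browsers would normally use `EventSource` instead):

```typescript
interface RunEvent {
  planId: string;
  type: string;
  stepId?: string;
  timestamp: string;
}

// Extract events from a chunk of SSE text: keep only `data:` lines
// and JSON-decode each payload.
function parseSse(chunk: string): RunEvent[] {
  return chunk
    .split("\n")
    .filter((line) => line.startsWith("data:"))
    .map((line) => JSON.parse(line.slice(5).trim()) as RunEvent);
}
```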
Get the complete event log for a plan (for replay).
Response:
{
"events": [
{
"planId": "plan-123",
"type": "plan.created",
"timestamp": "2024-01-01T00:00:00.000Z"
}
]
}

All available tools with their risk classifications:
| Tool | Risk | Description | Arguments |
|---|---|---|---|
| docker.ps | low | List all running Docker containers | None |
| docker.stats | low | Get resource usage statistics for containers | None |
| docker.logs | low | Get the last 100 lines of container logs | container (string) |
| docker.restart | medium | Restart a Docker container | container (string) |
| git.status | low | Get Git repository status | None |
| filesystem.search | low | Search for files matching a pattern | path (string), pattern (string) |
| http.probe | low | Probe an HTTP endpoint for status and response time | url (string) |
- Low risk - Auto-approved, executed immediately
- Medium risk - Requires explicit approval before execution
- High risk - Blocked unless explicitly approved (not currently in catalog)
Fangio is intentionally not:
- another chatbot
- an autonomous black box
- a prompt wrapper
Instead, it treats agents as production infrastructure that must be observable and controllable.
- sandboxed tool execution
- policy engines
- multi-agent governance
- cryptographic execution signatures
- SOC2-aligned audit trails
Named after Juan Manuel Fangio, one of the most precise drivers in Formula 1 history, this project reflects the same philosophy:
Power is meaningless without control.
MIT