FASS Control Plane

Documentation

FASS Platform Reference

FASS is a runtime platform that securely executes and manages autonomous agents at scale. Click any card below or use the left nav to jump to any section.

Getting Started

Quick Start

From zero to a running, authority-gated agent in under 5 minutes.

Step 1 — Install FASS

bash

curl -fsSL https://fass.systems/install.sh | bash

Step 2 — Authenticate

bash

fass login
# Or with an API key directly:
fass login --token fk_live_xxxxxxxxxxxx

Step 3 — List your agents

bash

fass agents
# NAME                   STATUS     VERSION
# fass-atlas-core        ● running  v1.0.0
# fass-authority-server  ● running  v1.0.0

Step 4 — Issue an authority token

bash

fass token issue --agent fass-scan-agent --ttl 3600
# ✓ Token issued: tok_8xK2mN9pQr
# Use: Authorization: Bearer <token>

Step 5 — Run your first audit

bash

fass audit https://yoursite.com --deep
# Scans APIs, dependencies, config drift, SSL
# Run: fass repair --all to auto-fix issues

For Everyone

FASS for Normal Users

You do not need to write code to use FASS. Think of it as a personal AI team — agents that handle tasks for you, supervised by a system that keeps everything safe and auditable.

Organize Your Files

Connect Google Drive. FASS automatically discovers, classifies, and organizes your files using AI — no manual tagging needed.

01Go to Ingest Pipeline in the sidebar

02Click Connect Google Drive

03Click Run Discovery — FASS does the rest

Talk to Francis

Francis is your Telegram-based AI assistant. Send a message, get things done — from scheduling to research to running FASS commands.

01Open Telegram and search @FassBot

02Send /start and link your FASS account

03Type any task in plain English

Automate Your Workflow

Describe what you want to automate in plain English. FASS translates it into an agent task with a scoped authority token — no code required.

01Go to the Overview dashboard

02Click New Task and describe your goal

03FASS assigns the right agent automatically

Monitor Everything

Every action your agents take is logged in plain language in the Audit Log. You always know what happened, when, and why.

01Click Audit Log in the sidebar

02Filter by agent, date, or event type

03Export to CSV for records

Built-in AI

Meet Francis & Forge

FASS ships with two native AI personalities. Both are model-agnostic — you choose which LLM powers them. They operate under the same authority envelope system as all other agents.

🤝

Francis

Telegram Work Bot · Personal Assistant

Francis lives in Telegram. He is your always-on work companion — communicate with your projects, run FASS commands, get summaries, and delegate tasks in plain English from your phone. Designed for normal users: no code, no dashboards, just conversation.

→Runs on Telegram — zero setup for end users

→Executes FASS commands on your behalf

→Summarizes audit logs and agent activity

→Answers questions about your project in natural language

→Model-agnostic: OpenAI, Gemini, Claude, or any OpenAI-compatible API

⚙️

Forge

Manus Architecture Bot · Dev Scaling Agent

Forge is the developer power tool. Built on the Manus architecture, Forge handles complex engineering tasks: scaffolding projects, auditing codebases, managing deployments, and scaling infrastructure. Designed for developers who want a senior engineer on demand.

→Scaffolds full-stack projects from a single prompt

→Runs fass audit + repair autonomously

→Manages Vercel and Cloudflare deployments

→Monitors and alerts on system health

→Model-agnostic: swap the underlying LLM at any time

Model Configuration

Choose Your LLM

FASS is fully model-agnostic. Click any model below to assign it to an agent. Every model runs inside an authority envelope — the agent permissions are independent of which model powers it.

GPT-4.1

OpenAI

Pro

Gemini 2.5 Flash

Google

Free

Claude 3.5 Sonnet

Anthropic

Pro

Llama 3.3 70B

Meta (self-host)

Enterprise

Mistral Large

Mistral AI

Pro

DeepSeek R1

DeepSeek

Free

Assign GPT-4.1 to an agent

bash

fass config set --agent francis --model "gpt-4.1"

Developer

CLI Reference

Every fass command with flags and copy-ready examples. Install: curl -fsSL https://fass.systems/install.sh | bash

fass login

Authenticate with the FASS Control Plane

fass login [--token <api-key>] [--env <environment>]

Flags

--token

Use an API key directly instead of browser OAuth

--env

Target environment: production (default), staging, local

Example

fass login

$ fass login ✓ Opening browser for authentication... ✓ Authenticated as user@example.com ✓ Control Plane: https://control.fass.systems

Developer

API Reference

All REST endpoints. Base URL: https://control.fass.systems. Auth: Authorization: Bearer <token>

Method

Endpoint

Auth

Description

GET

/api/health

None

Service health check and version info

GET

/api/runtime

API Key

Runtime status, uptime, and agent fleet summary

POST

/api/auth/token

API Key

Issue a new RSA-SHA256 authority token for an agent

POST

/api/auth/verify

API Key

Verify a token signature and return its claims

DELETE

/api/auth/token/:id

Token

Immediately revoke an authority token by ID

POST

/api/witness

Token

Log a SHA-256 witness hash event to the audit trail

GET

/api/authority/logs

Token

Retrieve paginated authority event logs

GET

/api/audit

Token

Query audit log events with filters and date range

GET

/api/agents

Token

List all registered agents with status and metadata

POST

/api/agents/register

Token

Register a new agent with the fleet

DELETE

/api/agents/:name

Token

Deregister and decommission an agent

GET

/api/versions

Token

List all service versions across the FASS stack

GET

/api/ingest/drive

Token

List and search files from connected Google Drive

POST

/api/ingest/trigger

Token

Trigger a full ingest discovery and classify pipeline

Example: Issue an authority token

typescript

const res = await fetch('https://control.fass.systems/api/auth/token', {
  method: 'POST',
  headers: { 'X-FASS-Key': process.env.FASS_API_KEY },
  body: JSON.stringify({
    agent: 'fass-scan-agent',
    scope: ['read', 'execute'],
    ttl: 3600,
  }),
});
const { token } = await res.json();
// Use: Authorization: Bearer <token.bearer>

Core Concepts

Authority Envelopes

Every agent action in FASS is wrapped in an authority envelope — a cryptographically signed token that defines exactly what the agent is permitted to do, on what resource, and for how long. No envelope means no execution. Enforced at the perimeter.

Field

Type

Description

agent_id

string

The unique identifier of the agent this token is issued to

scope

string[]

Array of permitted actions: read, write, execute, witness

resource

string

The specific resource or namespace the agent may access

ttl

number

Token lifetime in seconds. Default 3600. Max 86400.

issued_at

timestamp

Unix timestamp of token issuance

expires_at

timestamp

Unix timestamp of token expiry

signature

string

RSA-SHA256 signature over the token payload

witness_hash

string

SHA-256 hash of the issuance event, stored in audit log

json — example token payload

{
  "agent_id": "fass-scan-agent",
  "scope": ["read", "execute"],
  "resource": "project/my-app",
  "ttl": 3600,
  "issued_at": 1741100000,
  "expires_at": 1741103600,
  "signature": "sha256:a3f9c2d8...",
  "witness_hash": "sha256:7b2e1f4a..."
}

Core Concepts

Promise Theory: How Agents Coordinate

FASS agents do not receive orders — they make promises. Based on Promise Theory (Burgess and Bergstra), each agent independently declares what it can do and commits to doing it. This eliminates central coordination bottlenecks and makes the system resilient by design.

🎯

Step 01

Objective Declared

The user or orchestrator declares an objective — a high-level goal with no prescribed execution path.

🤝

Step 02

Agents Make Promises

Each agent independently evaluates the objective and makes a promise: 'I can handle this subtask.' No central coordinator assigns work.

🔐

Step 03

Authority Envelope Issued

The Authority System issues a signed token scoped to the specific task. The agent cannot act outside its envelope.

⚡

Step 04

Independent Execution

Agents execute their promised subtasks in parallel, writing results to the shared state store. They never block each other.

📋

Step 05

Witness Logged

Every significant action is hashed and logged to the immutable audit trail. The system can reconstruct exactly what happened and when.

✅

Step 06

Objective Fulfilled

The orchestrator aggregates results. If any agent fails its promise, the system retries or reassigns — without human intervention.

Infrastructure

System Architecture

FASS separates the control plane from the data plane. The control plane handles auth, config, and policy. The data plane handles all execution. This prevents the control layer from becoming a bottleneck at scale.

Control Plane

→Next.js UI (Vercel Edge)

→REST API (20+ routes)

→Agent Registry

→Authority System

→Audit Log (Supabase)

Data Plane

→Agent Workers (Cloudflare)

→Task Queue (Redis Streams)

→Execution Runtime

→Ingest Pipeline

→Witness Logger

Gateway Layer

→fass-root Worker (CF)

→fass.systems routing

→www to apex redirect

→/install.sh endpoint

→/health endpoint

Storage Layer

→PostgreSQL (Supabase)

→Redis (task queue)

→Object Storage (R2)

→KV Store (CF KV)

→Audit log (immutable)

Infrastructure

Deployment

FASS deploys to Vercel (control plane) and Cloudflare Workers (gateway). Both are triggered automatically on push to main.

Deploy to Vercel

bash

fass deploy --target vercel
# or: git push origin main (auto-deploys via GitHub)

Deploy a Cloudflare Worker

bash

cd your-worker-dir
npx wrangler deploy
# Routes defined in wrangler.toml

Required environment variables

bash

FASS_API_KEY=fk_live_xxxxxxxxxxxx
SUPABASE_URL=https://xxx.supabase.co
SUPABASE_ANON_KEY=eyJhbGci...
GOOGLE_CLIENT_ID=xxx.apps.googleusercontent.com
GOOGLE_REFRESH_TOKEN=1//xxx
STRIPE_SECRET_KEY=sk_live_xxx

Infrastructure

Security Model

FASS is built on a zero-trust security model. Every request is authenticated, every action is authorized by an envelope, and every event is witnessed.

RSA-SHA256 Token Signing

All authority tokens are signed with RSA-SHA256. Tokens cannot be forged or tampered with without detection.

Immutable Audit Trail

Every significant event is SHA-256 hashed and written to an append-only audit table. Records cannot be deleted.

Scope-Limited Envelopes

Tokens are scoped to specific agents, resources, and actions. An agent cannot act outside its envelope.

LWE Post-Quantum Encryption

Data at rest is encrypted with LWE + AES-256-GCM, providing post-quantum resistance.

Cloudflare WAF

All traffic passes through Cloudflare WAF with custom rules for rate limiting, bot protection, and DDoS mitigation.

Zero-Trust API Gateway

Every API call requires a valid API key or authority token. There are no unauthenticated write endpoints.