github fronalabs/frona v2026.5.0
on GitHub

latest releases: v2026.6.1, v2026.6.0, v2026.5.5...
one month ago

The first public release of Frona, a self-hosted personal AI agent platform built around a single Rust engine, a single policy language, and per-principal sandboxing.

You deploy it on your own infrastructure, point it at the LLM provider of your choice, and create autonomous agents that browse the web, run code, build apps, make phone calls, talk to messaging channels, delegate to each other, and remember context across conversations, all with policy-gated access to your files, network, and credentials.

Get started

Security model

  • Per-principal sandboxing. Every actor (agent, MCP server, deployed app, channel) is its own principal with its own policies. CLI tool calls, MCP servers, and apps run in sandboxed Linux processes with policy-driven syscall, filesystem, and network filtering, spawned and reaped on demand. No Docker container per agent and no daemon to manage.
  • One policy engine for tools and isolation. Tool authorization, file path access, network destinations, and port binds are all written in the same Cedar-based policy language and evaluated at one decision point.
  • Credential vault. Agents request secrets at the moment they're needed and you approve or deny in real time. 1Password, Bitwarden, HashiCorp Vault, KeePass, and Keeper are supported. Credentials never enter agent memory or LLM provider traffic.
  • Isolated browser profiles. Each user (and each credential context) gets its own browser state. Sessions and cookies are not shared across users.
  • Dual LLM dispatch for inbound messages. Untrusted channel inbounds can be routed to a quarantined LLM with a restricted tool registry, so a hostile message can't talk the agent into running tools or leaking data on its behalf.
  • Self-hosted by design. Your data lives on your servers. You pick the LLM provider; traffic goes directly from your instance to it.

Agents

  • Built-in agents at install time: Assistant, Researcher, Developer, Receptionist. Custom agents are first-class.
  • Agent-to-agent delegation with structured handoff and result return.
  • Persistent memory with automatic compaction and deduplication. User-scoped facts are shared across an owner's agents; agent-scoped facts stay private.
  • Spaces group related conversations and feed summarized cross-chat context into new ones.
  • Skills package reusable instructions. Install built-in skills, share across agents, or scope to one.

Tools

  • Browser automation via Browserless with persistent profiles.
  • Web search via SearXNG, Tavily, or Brave Search.
  • Code execution: sandboxed shell, Python, and Node.js with per-principal filesystem, network, and resource caps.
  • App deployment: agents build and deploy web apps and services with an approval gate before anything goes live, including auto-hibernation of idle apps and supervised restart.
  • Voice calls: outbound phone via Twilio with speech recognition and DTMF navigation.
  • Scheduling and heartbeats for cron-driven tasks and ongoing checklists.
  • Notifications surface task completion, app deployments, and credential approvals into a top-bar feed.

Channels and signals

  • Channels connect an agent to messaging providers so the same agent (same memory, same tools) follows you outside the web UI. Telegram and SMS at launch; pairing flows lock channels to your devices by default.
  • Signals let an agent pause and wait for a matching inbound (a 2FA code, a reply, a class of message) and resume automatically. Continuous-mode signals act as structured monitors.
  • Per-Space SSE delivery and policy-gated receive_message / receive_signal actions.

MCP

  • Install Model Context Protocol servers from the public registry in one click. See the MCP guide.
  • Bridge mode advertises a single mcpctl CLI to the LLM instead of exposing every MCP tool individually, saving thousands of tokens per turn on agents with many servers connected.
  • Each MCP server is its own sandboxed principal with its own filesystem, network, and resource policy.

Identity and access

  • Local accounts with Argon2 password hashing and JWT sessions (cookie, header, or query param).
  • OpenID Connect SSO for Google, Keycloak, and other OIDC providers.
  • Ownership checks on every user-owned resource.

Platform and runtime

  • Single rootless OCI container runs the API server, embedded database, scheduler, and tool execution. No per-agent containers, even at scale.
  • Embedded SurrealDB with RocksDB storage; UUIDv7 record keys for monotonic ordering.
  • Real-time streaming of token, tool-call, and tool-result events over Server-Sent Events.
  • Docker Compose and Kubernetes deployment examples included.

Providers at launch

  • LLM: Anthropic, OpenAI, Google Gemini, DeepSeek, Mistral, Cohere, xAI (Grok), Groq, OpenRouter, Together, Perplexity, Hyperbolic, Moonshot, Hugging Face, Mira, Galadriel, Ollama (local).
  • Search: SearXNG (self-hosted), Tavily, Brave Search.
  • Voice: Twilio.
  • Channels: Telegram, SMS.

License

Frona is released under the Business Source License 1.1. You can use, modify, and self-host it freely; the only restriction is that you may not use it to provide an AI agent platform as a service to third parties. The license converts to Apache 2.0 on 2029-02-28.

Check out latest releases or
releases around fronalabs/frona v2026.5.0

Don't miss a new frona release

NewReleases is sending notifications on new releases.

Get notifications