What is open-source vs. hosted in Enforgate?
The enforcement core — the gateway and policy engine — is open source under MIT. The cloud control plane and dashboard run on enforgate.io, with a free tier that covers most individual and small-team use.
The open-source core
The following packages are MIT-licensed and available on GitHub:
- Gateway (apps/gateway) — the Hono HTTP API that enforces policy on every tool call. Self-hostable with a single Docker image.
- Policy engine (packages/policy) — pure TypeScript: glob matching, parameter conditions, priority ordering, default-deny. No network, no DB.
- Database schema (packages/db) — Drizzle schema + migration history. Bring your own Postgres.
- Crypto helpers (packages/crypto) — AES-256-GCM field encryption and Ed25519 identity verification. Used by the gateway and dashboard alike.
- SDK (packages/sdk) — the TypeScript client for check() and guard(). Also available as @enforgate/sdk on npm (coming soon).
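The four properties listed for the policy engine (glob matching on tool names, parameter conditions, priority ordering, default-deny) are easier to see in code. The block below is an added example written for this page; it is not Enforgate's packages/policy implementation. The Rule and Condition shapes, the require_approval decision, the condition operators and the tie-break toward the stricter decision are all this example's own assumptions, as is the sample policy.

```typescript
// Added example: a minimal default-deny tool-call policy evaluator. It is NOT the
// code in Enforgate's packages/policy; every type, field and function name below
// is this example's own assumption.

type Decision = "allow" | "require_approval" | "deny";

interface Condition {
  param: string;                                   // tool-call parameter to inspect
  op: "eq" | "lt" | "gt" | "glob" | "in";
  value: unknown;
}

interface Rule {
  id: string;
  tool: string;                 // glob over the tool name: "fs.read", "payments.*"
  conditions?: Condition[];     // every condition must hold for the rule to match
  priority: number;             // higher wins among matching rules
  decision: Decision;
}

interface ToolCall {
  tool: string;
  params: Record<string, unknown>;
}

// Ties on priority resolve to the most restrictive decision, so a mis-ordered
// allow rule can never silently win over a deny at the same priority.
const RESTRICTIVENESS: Record<Decision, number> = { deny: 2, require_approval: 1, allow: 0 };

// Turn a glob with * and ? into an anchored RegExp; every other metacharacter is
// escaped. Note that * also crosses ".", so "payments.*" matches "payments.refund.batch".
function globToRegExp(glob: string): RegExp {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp(`^${escaped.replace(/\*/g, ".*").replace(/\?/g, ".")}$`);
}

// A condition on a parameter that is absent or of the wrong type never holds, so a
// missing "amount" cannot satisfy a permissive "amount < 100" rule.
function conditionHolds(c: Condition, params: Record<string, unknown>): boolean {
  const actual = params[c.param];
  switch (c.op) {
    case "eq":   return actual === c.value;
    case "lt":   return typeof actual === "number" && typeof c.value === "number" && actual < c.value;
    case "gt":   return typeof actual === "number" && typeof c.value === "number" && actual > c.value;
    case "glob": return typeof actual === "string" && typeof c.value === "string" && globToRegExp(c.value).test(actual);
    case "in":   return Array.isArray(c.value) && c.value.includes(actual);
    default:     return false;
  }
}

interface Verdict { decision: Decision; ruleId: string | null }

function evaluate(rules: Rule[], call: ToolCall): Verdict {
  const matching = rules
    .filter((r) => globToRegExp(r.tool).test(call.tool))
    .filter((r) => (r.conditions ?? []).every((c) => conditionHolds(c, call.params)))
    .sort((a, b) => b.priority - a.priority || RESTRICTIVENESS[b.decision] - RESTRICTIVENESS[a.decision]);
  if (matching.length === 0) return { decision: "deny", ruleId: null }; // default-deny: no rule, no call
  return { decision: matching[0].decision, ruleId: matching[0].id };
}

// Constructed sample policy (not from the project).
const RULES: Rule[] = [
  { id: "fs-read",         tool: "fs.read",         priority: 10, decision: "allow" },
  { id: "fs-read-secrets", tool: "fs.read",         priority: 50, decision: "deny",
    conditions: [{ param: "path", op: "glob", value: "/etc/*" }] },
  { id: "payments-review", tool: "payments.*",      priority: 20, decision: "require_approval" },
  { id: "payments-small",  tool: "payments.refund", priority: 30, decision: "allow",
    conditions: [{ param: "amount", op: "lt", value: 100 }] },
  { id: "mail-send",       tool: "mail.send",       priority: 20, decision: "allow" },
  { id: "mail-review",     tool: "mail.*",          priority: 20, decision: "require_approval" },
];

// Convenience wrapper for the usage lines below.
function decide(tool: string, params: Record<string, unknown> = {}): Verdict {
  return evaluate(RULES, { tool, params });
}

console.log(decide("fs.read", { path: "/srv/app/README.md" })); // allow via fs-read
console.log(decide("fs.read", { path: "/etc/shadow" }));        // deny via fs-read-secrets
console.log(decide("payments.refund", { amount: 42 }));         // allow via payments-small
console.log(decide("payments.refund", { amount: 5000 }));       // require_approval via payments-review
console.log(decide("payments.refund", {}));                     // require_approval: missing amount
console.log(decide("mail.send"));                               // require_approval: tie goes to the stricter rule
console.log(decide("shell.exec", { cmd: "id" }));               // deny: no rule matches
```

Two points worth carrying over to any real policy engine: a condition on a missing or mistyped parameter must evaluate to false, never to "not applicable", or an agent can reach a permissive rule simply by omitting the parameter it constrains; and an evaluator with no network and no database, as the text describes, is what makes the decision reproducible from the audit log alone.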
Self-hosting the gateway
The gateway is the only component required to enforce policy on tool calls. You can run it yourself against your own Postgres and Redis:
```sh
# 1. Clone and configure
git clone https://github.com/Enforgate/app.git
cd app
cp .env.example .env   # set DATABASE_URL + ENCRYPTION_KEY

# 2. Apply migrations
npm run db:migrate

# 3a. Run locally (Node 22)
npm run dev:gateway

# 3b. Or via Docker Compose (gateway + postgres + redis)
docker compose --profile gateway up -d
```
The self-hosted gateway gives you the full enforcement stack: policy evaluation, human-in-the-loop approvals, MCP proxy, and the audit log.
The hosted control plane
enforgate.io layers a managed experience on top of the open-source core:
- Self-serve dashboard — create API keys, write policies, review the live audit feed.
- Organizations & teams — multiple members with role-gated access (admin / developer / approver).
- Approval inbox — review and resolve held tool calls from the dashboard or Slack/Teams.
- White-label branding — serve approval notifications from your own domain and identity.
- Compliance exports — SIEM-ready audit log export (coming), OpenTelemetry traces (coming).
- Managed Postgres + Redis — zero ops, automatic migrations, backups.
The cloud plan is free up to 1,000 guarded calls per month, then $29/mo for Pro (50K calls) and $199/mo for Scale (1M calls). You can run the gateway self-hosted and point it at your own DB while still using the hosted dashboard — or run everything yourself and never touch enforgate.io.
What stays proprietary
The dashboard application (apps/dashboard), the billing integration (packages/billing), the notification senders (packages/notify), and the platform-admin control plane live in the same monorepo but are not separately licensed for redistribution as a competing SaaS. The enforcement core (gateway + policy) is the part that matters most for security and auditability, and that is the part that is fully open.
Contributing
The gateway, policy engine, SDK, and crypto helpers accept contributions under the MIT license. The best entry points are packages/policy/src/evaluate.ts (the rule engine) and apps/gateway/src/mcp-proxy.ts (the MCP enforcement layer). Open an issue or PR on GitHub.