Self-hosted · Apache 2.0

Approve AI workloads after you’ve seen them run—not after reading a ticket.

Foyre is your organization’s front door for new AI systems. Collect the right answers up front, score risk with clear rules, and—when you’re ready—give each request its own isolated Kubernetes environment (vcluster) so teams deploy real workloads, click ready for review, and reviewers inspect what’s actually in the cluster.

You stay in control of production: intake is structured, repeatable, and grounded in something tangible—not a slide deck.

Get the code on GitHub See how it works

AI moves fast. Your intake process probably doesn’t.

Chatbots, RAG, agents, and inference APIs show up from every direction. Generic tickets weren’t built for model egress, vector stores, or agent side effects—so platform and security teams hear about the risky parts late, every review looks different, and work slips outside the process you thought you had.

The pattern
Surprises after the fact

External APIs, regulated data, and cluster behavior surface once teams are already invested—harder to steer calmly.
The pattern
Reviews without proof

A written description isn’t a deployment. Without something running, reviewers guess at networking, images, and config.
The pattern
Shadow paths

When the official door feels slow or vague, teams route around it—and you lose one place to see what’s in flight.

From request to decision—in four clear steps

Foyre keeps the workflow small on purpose: submit, classify, optionally validate in a real cluster, then approve or reject. Validation is optional per environment, but it’s what turns “we promise” into “we deployed it—come look.”

1
Submit the intake

One structured form captures workload type, data sensitivity, APIs, vector DBs, agents, GPUs, and egress—only what applies to that request.
2
See the risk, in plain language

Deterministic Python rules label each request low, medium, high, or unknown—with reasons your reviewers can read. No mystery scores and no ML black box.
3
Where Foyre differs

Prove it in an isolated cluster

On your host Kubernetes, requesters spin up a dedicated virtual cluster, download a scoped kubeconfig, and ship with kubectl or Helm. When it’s running, they mark the request ready for review. Foyre orchestrates the sandbox—your org runs the workloads.
4
Decide with context

Reviewers read answers, risk notes, and comments—and inspect what’s live. Approve, reject, or send back. Every step lands in the history with who did it.

Requester

Intake +risk score

Isolatedvcluster

Approvedor rejected

What you get

Everything below ships in the open-source project—focused on intake, evidence, and review, not feature sprawl.

Validation clusters per request

Give requesters a dedicated place to deploy before anyone talks production. Scoped credentials, your cluster, your rules—reviewers meet the real app.

Smart intake forms

Drafts, validation on submit, and fields that appear only when relevant—so teams aren’t punished with blank paperwork.

Risk scoring you can explain

Examples teams recognize: regulated data plus an external model API rates higher; agents acting for users rates higher; gaps in answers surface as unknown until someone fills them in.

Roles that match how you work

Requesters, reviewers, architects, and admins share one simple status flow—from draft to submitted, ready for review, under review, then approved or rejected.

History you’ll actually use

Comments, status changes, risk runs, and validation lifecycle events stay on the request—lightweight traceability without pretending to be a full compliance suite.

Security-minded defaults

Bcrypt-backed passwords, rotation for admin-created accounts, Fernet-encrypted kubeconfigs at rest, SQLite out of the box with a path to Postgres when you need it.

Who Foyre is for

Mid-sized and larger organizations that already take AI seriously—and want one disciplined door before production.

You’ll get the most value if…

Platform or IT is rolling out internal AI services and needs a repeatable queue—not another heavyweight ITSM clone.
Security or architecture wants to read manifests, exec into pods, and confirm networking—not approve from a paragraph in Confluence.
Engineering leadership needs a single place to answer “what AI systems are proposed, and where are they in review?”

What we’re honest about

Foyre is internal tooling you self-host—not a consumer app and not a hosted SaaS. Today you sign in with local accounts (LDAP, AD, and OIDC are future extension points, not shipped yet). There are no native integrations for ServiceNow, Jira, Slack, email, or Teams; plan to bridge those yourself if you need them.

Each deployment is aimed at one organization. Backup and DR are whatever you already practice for SQLite or Postgres.

Your infrastructure. Your data.

Apache 2.0 means you can run, inspect, and adapt Foyre without a vendor in the middle. Intake data, credentials, and validation clusters stay inside the boundaries you already trust.

Open the GitHub repository

Quick start

You’ll need Python 3.11+ and Node.js 18+. Kubernetes is optional: skip it to try intake and review locally; add a host cluster when you want validation environments.

Clone, install, configure

git clone https://github.com/foyre/foyre.git
cd foyre
make install
make env

Set APP_SECRET_KEY in backend/.env to a Fernet key (encrypts kubeconfigs at rest):

python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"

Create the first admin

make seed

Credentials live in backend/.env—change them before you share a network.

Run locally (two terminals)

# Terminal A — API (e.g. http://localhost:8000)
make run

# Terminal B — UI dev server (e.g. http://localhost:5173)
make front-install
make front

Questions we hear often

Is Foyre a fit for our organization? If you want a self-hosted intake lane for AI-facing systems, can attach Kubernetes for sandboxes, and value reviewers seeing real deployments—Foyre is built for you. If you need multitenant SaaS, turnkey SSO, or deep ITSM connectors on day one, you’ll want to wait or integrate those yourself.: If you want a self-hosted intake lane for AI-facing systems, can attach Kubernetes for sandboxes, and value reviewers seeing real deployments—Foyre is built for you. If you need multitenant SaaS, turnkey SSO, or deep ITSM connectors on day one, you’ll want to wait or integrate those yourself.
Any integrations with ServiceNow, Jira, Slack, or email? Not built in today. Foyre is the workflow of record; hook your notification or ticketing stack externally if you need pings in those channels.: Not built in today. Foyre is the workflow of record; hook your notification or ticketing stack externally if you need pings in those channels.
Why vcluster? You get a dedicated Kubernetes API per request on infrastructure you already operate—fast isolation without handing everyone a shared namespace and hoping for the best.: You get a dedicated Kubernetes API per request on infrastructure you already operate—fast isolation without handing everyone a shared namespace and hoping for the best.
How do you handle credentials? Passwords are bcrypt-hashed. Host and per-request kubeconfigs are encrypted at rest with Fernet using APP_SECRET_KEY. Requester kubeconfigs are shown once when minted—handle them like any other secret.: Passwords are bcrypt-hashed. Host and per-request kubeconfigs are encrypted at rest with Fernet using APP_SECRET_KEY. Requester kubeconfigs are shown once when minted—handle them like any other secret.

Contact

Questions about Foyre, partnerships, or press—reach us at the address below.

hello@foyre.ai