Open Refinery
Open source · self-hosted · v2.1

An open factory to
shine light into the dark.

The self-hosted platform layer that governs AI-driven software work — so every change is authorized, owned, provenanced, and audited. Lights-out automation you can actually trust, because you can see it.

Only SECRET_KEY in the env SQLite built-in React dashboard bundled MIT licensed

The problem

AI ships code faster than teams can govern it. The "dark factory" runs lights-out — and that's exactly the danger: opaque, un-owned, unaccountable.

Who authorized this?

Agents and pipelines act, but nothing records who owned the change, under what policy, or with which inputs.

Automation you can't audit

No oversight dial, no approval trail, no way to prove — after the fact — that a lights-out run was safe.

Standards that drift

Charters and harness configs claim behavior the code doesn't actually enforce — imitation surfaces that read as governed but aren't.

No safe way to change the rules

Governance itself has no workflow, and no way to test whether a change actually helped.

The platform layer

Open Refinery sits between your harnesses (agents, scripts, CI) and your targets (repos, models, MCP servers, APIs). It governs how work reaches those targets — and records everything.

authorize quota · secrets · filter act record audit

The orchestrator is a deterministic queue, not an agent: cheap, reproducible, and auditable. The agent's judgment stays inside a step; sequencing stays plain software.

  • Identity, admin-configurable roles, and authorization on every action
  • A human-oversight dial per process (manual → fully dark)
  • Immutable provenance and a complete, attributed audit trail
  • Quotas, content filtering, and structured output at the call site
  • Proactive enforcementstrict whitelist mode + a pre-action authorize gate
  • First-class rollbacks — revert a whole deployment, not just the code
  • Self-hosted, single-tenant — pip install + one command

What it does

One governed loop, end to end — from a work item on a board to a real model call.

Policy governance

Authored artifacts — rule / skill / command / agent — with deny-overrides and a strict lock a lower layer can't override.

Per-layer approval workflows

Changes to governance itself walk an accept / deny / feedback chain that auto-escalates up the role ladder.

Pack marketplace

Enable curated canon — TDD, ATDD, spec-driven, code review, CI/CD, observability, tech-debt — as standards and ready-made processes.

Real target backends

Anthropic, OpenAI, MCP, and generic API targets — connect by API key or OAuth, with routing, failover, and windowed rate quotas.

Proactive enforcement

An audit or strict (whitelist / default-deny) mode, plus a pre-action /authorize gate — verify identity + intent before a tool, command, or host-egress action. Per-namespace whitelists; every refusal audited.

First-class rollbacks

Revert a work item to a known-good prior stage and get a structured reverse plan that unwinds the whole deployment — code, DB migrations, config, env, libraries, data, services, secret refs, infra, DNS. The harness applies it and reports back.

Teams, cost & concurrency

Group users into teams; a usage ledger meters units per governed invoke and rolls up cost by team; a team's live in-flight concurrency cap is enforced at the invoke seam.

Routing policy & traffic graph

Resolve routes on region / compliance / cost inputs — an unmet requirement blocks the call, it isn't silently downgraded. A cross-agent traffic graph shows who sends how much to which target.

Live runtime

Background jobs, scheduled ingest, and a WebSocket live channel — job status, new audit events, and per-run live logs stream to the dashboard, no polling.

Coding-agent auth

Give Claude Code (and other harnesses) a governed identity — via OAuth device flow or a token. Every action the agent takes is authorized and audited under its role, exactly like a person.

Guided setup

A first-run wizard takes the first admin from sign-up to a running factory: connect your tools, import a repo, adopt standards, and shape the first process from your own tracker's columns — then ship a work item.

Connect your tools

GitHub, GitLab, GitHub Issues, Jira, Linear — code hosts and issue trackers, by OAuth or token. Trackers expose their columns for workflow discovery so processes match your board.

Coverage & drift

Ingest a repo's charter/harness/code, then surface coverage, drift, and imitation surfaces with 0–100 health scores.

Governance analysis

Flag the poison: dead rules, contradictions, redundancy, and prompt injection — per role level, with insights.

Evals & experiments

State a hypothesis, run before/after evals, and get a real significance verdict — control vs. treatment.

Oversight & approvals

Inline sign-off or an async queue with chained approvals — an ordered role chain, a distinct signer per slot.

Debt audits & health

Score factory / harness / charter debt, track it over time, and get concrete "what to try next" insights.

Webhooks & audit trail

HMAC-signed event fan-out and a complete, queryable, attributed audit trail — with metrics derived from it.

Integrations

GitHub, GitLab, Jira, Linear — import repos and sync work items, connect by token or OAuth, credentials encrypted at rest.

Visibility-first dashboard + API docs

A React dashboard ships in the wheel — an overview that surfaces what needs attention, a work board, and a right-hand detail/action drawer. Self-hosted API docs with live "Try it out" at /api-docs.

Get started

Python 3.11+. SQLite ships with Python — nothing else to install. Only SECRET_KEY is required in the environment; everything else is UI-managed and encrypted in the database.

# install + run — server and dashboard on :8000
pip install open-refinery
open-refinery serve

# open http://your-host:8000 — the dashboard walks you through
# creating the first admin, then signing you in.