Uninstall & Exit
How to completely remove TameFlare from your infrastructure. This guide covers stopping services, extracting data, removing files, and restoring agents to direct API access.
Step 1: Stop services
# If running via pnpm dev
# Ctrl+C in the terminal, or:
kill $(lsof -ti:3000) # Control plane
kill $(lsof -ti:9443) # Gateway
# If running via Docker Compose
docker compose down
# If running via systemd
sudo systemctl stop TameFlare-web TameFlare-gatewayStep 2: Remove proxy from agents
Agents wrapped with tf run use HTTP_PROXY / HTTPS_PROXY environment variables. Once the gateway is stopped, agents will fail to connect.
To restore direct API access:
- Stop the agent
- Remove the
tf runwrapper — run the agent directly:python my_agent.pyinstead ofnpx tf run --name "Bot" python my_agent.py - Restore API keys to the agent's environment (they were in the credential vault)
If your agent uses SDK mode (Mode B), remove the TameFlare SDK calls from your code:
# Before (with TameFlare SDK)
result = TameFlare.request_action({"type": "github.pr.create", ...})
if result.decision == "allow":
github.create_pr(...)
# After (without TameFlare)
github.create_pr(...)Step 3: Extract credentials from vault
Before deleting TameFlare, extract any API keys stored in the credential vault:
# List configured connectors
npx tf connector list
# Note: TameFlare does not have a "show credential" command for security reasons.
# You'll need to re-create API keys from the original services (GitHub, Stripe, etc.)Step 4: Export data (optional)
Before deleting, you may want to export:
Audit log
# Via dashboard: Audit Log → Export CSV
# Via API:
curl -H "Cookie: session=YOUR_SESSION" \
http://localhost:3000/api/dashboard/audit-export > audit-log.csvConfiguration (policies + agents)
curl -H "Cookie: session=YOUR_SESSION" \
http://localhost:3000/api/dashboard/export > config-backup.jsonTraffic logs
# Copy the gateway database for offline analysis
cp .TameFlare/gateway.db traffic-archive.db
# Query with sqlite3
sqlite3 traffic-archive.db "SELECT * FROM traffic_log ORDER BY created_at DESC LIMIT 100;"Step 5: Delete files
# Remove the TameFlare directory
rm -rf /path/to/agent-firewall
# Or remove just the runtime data (keep the code)
rm -rf .TameFlare/ # Gateway data, credentials, CA keys
rm -f apps/web/local.db # Control plane database
rm -f apps/web/local.db-wal # SQLite WAL file
rm -f apps/web/local.db-shm # SQLite shared memory
rm -f apps/web/.env.local # Environment variablesDocker cleanup
docker compose down -v # Remove containers + volumes
docker rmi $(docker images -q agent-firewall*) # Remove imagesStep 6: Remove system trust (if configured)
If you added the TameFlare CA certificate to your system trust store:
# macOS
sudo security delete-certificate -c "TameFlare CA" /Library/Keychains/System.keychain
# Linux (Ubuntu/Debian)
sudo rm /usr/local/share/ca-certificates/TameFlare-ca.crt
sudo update-ca-certificates
# Windows
# Remove from certmgr.msc → Trusted Root Certification AuthoritiesData deletion (GDPR)
TameFlare stores the following personal data:
| Data | Location | How to delete |
|---|---|---|
| User email + password hash | local.db → users table | Delete the database file |
| Agent names | local.db → agents table | Delete the database file |
| Audit events (may contain user actions) | local.db → audit_events table | Delete the database file or run cleanup with AUDIT_RETENTION_DAYS=0 |
| Traffic logs (URLs, agent names) | .TameFlare/gateway.db | Delete the gateway database |
| Waitlist emails | local.db → waitlist table | Delete the database file |
Deleting the SQLite files removes all data permanently. There is no cloud backup unless you configured Turso.
Verification
After uninstalling, verify TameFlare is fully removed:
# Check no processes running
lsof -i:3000 # Should return nothing
lsof -i:9443 # Should return nothing
# Check no proxy env vars set
echo $HTTP_PROXY # Should be empty
echo $HTTPS_PROXY # Should be empty
# Check agents connect directly
curl -I https://api.github.com # Should succeed without proxyVendor lock-in assessment
What's TameFlare-specific
| Component | Lock-in risk | Details |
|---|---|---|
| Policies (JSON) | Low | TameFlare-specific schema, but the concepts (conditions, decisions, scoping) are standard. Policies can be exported as JSON and adapted to other systems. |
| Proxy mode (Mode A) | Very low | Agents use standard HTTP_PROXY/HTTPS_PROXY env vars. Remove the proxy, agents connect directly. Zero code changes required. |
| SDK mode (Mode B) | Medium | TameFlare SDK calls are in your agent code. Removing TameFlare requires removing SDK calls and replacing with direct API calls. |
| Credential vault | Low | Credentials are stored encrypted. You cannot extract them, but you can regenerate API keys from the original services. |
| Audit data | Low | Exportable as CSV. Standard fields (timestamp, event type, actor, details). |
| Dashboard | None | The dashboard is a read-only view. No data is locked in the UI. |
Removal path by integration mode
Mode A (proxy) — easiest removal:
- Stop the gateway
- Remove
tf runwrapper from agent launch commands - Restore API keys directly to agents
- Done — no code changes needed
Mode B (SDK) — requires code changes:
- Remove TameFlare SDK import and client initialization
- Replace
TameFlare.request_action()calls with direct API calls - Remove decision handling (
if result.decision == "allow") - Done — agent now calls APIs directly without policy checks
Transferable concepts
Even if you stop using TameFlare, the following concepts transfer to any governance system:
- Action-based policy model — define what agents can and cannot do
- Risk scoring — classify actions by risk level
- Approval workflows — require human approval for high-risk actions
- Audit logging — record every action for compliance
- Kill switch — emergency stop for all agent activity
Next steps
If you're considering reinstalling later, keep a backup of:
config-backup.json(policies + agents)audit-log.csv(audit history).env.local(configuration — contains secrets, store securely)