The AI Agent Control Plane.
Enforce policy, require approval, and retain decision evidence for actions routed through Cordum.
Safety Kernel: Pre-Execution Governance.
The policy decision point for governed submissions. A denied submission is not dispatched.
- Inline PolicyDecision before dispatch
- Human GatesApproval required for risky work
- Constraint LogicBudgets, deny-paths, limits
- Policy SimulationTest rules before they go live
rules:
- name: prod-write-approval
match:
risk_tags: [prod, write]
decision: REQUIRE_APPROVAL
reason: "Production write detected"
- name: kubectl-constraints
match:
capability: kubectl
decision: ALLOW_WITH_CONSTRAINTS
constraints:
deny_paths: ["/kube-system/*"]
max_runtime: 300sname: triage
steps:
collect:
type: worker
topic: job.sre.collect
approval:
type: approval
depends_on: [collect]
remediate:
type: worker
topic: job.sre.patch
depends_on: [approval]Workflow Engine: DAG Orchestration.
Coordinate complex multi-agent sequences with explicit dependencies, retries, and failure semantics.
- DAG ExecutionParallel step orchestration
- Schema ValidationI/O contract enforcement
- Saga RollbackAutomatic undo on failure
- Run TimelineAppend-only audit records
Scheduler: Intelligent Routing.
The scheduler that knows when to stop. Least-loaded worker selection with capability-based routing and overload protection.
- Least-LoadedOptimal worker scoring
- Capability FilterRoute to specialized tools
- BackpressureAvoid worker exhaustion
- ReconcilerDetect and mark stale jobs
Backbone: Customer-Managed Infrastructure.
Go services with NATS and Redis dependencies plus documented deployment controls. Validate availability, capacity, and security in your environment.
- At-least-once delivery with NATS JetStream
- Per-job locks for strict idempotency
- Dead Letter Queue (DLQ) for failed actions
- Prometheus-native metrics and structured logs
Packs: Extensibility Reimagined.
Apply declarative configuration overlays for workflows, schemas, and policy without changing the core control plane. Deploy worker binaries separately.
- Declarative pack.yaml for metadata and topics
- Bundle schemas, workflows, and policy overlays
- Verify pack integrity before installation
- Soft uninstall preserves data while disabling routing
Enterprise Governance
Licensed identity, role, audit-export, and contracted support entitlements for customer-managed deployments.
Common questions
Answers about the Cordum control plane.
What is the Cordum Safety Kernel?+
The Safety Kernel evaluates governed job and action submissions before dispatch. It checks policy bundles, returns Allow, Deny, Require Approval, or Allow with Constraints decisions, and records decision metadata through configured audit paths.
How does Cordum differ from agent frameworks like LangChain or CrewAI?+
Agent frameworks handle task execution and LLM orchestration. Cordum adds a control plane for policy decisions, approval gates, and decision evidence. Published adapters cover selected frameworks, and custom integrations can use the CAP protocol directly.
Is Cordum open source?+
Cordum is source-available under the BUSL-1.1 license. Available features and commercial rights depend on the selected tier and license terms; see the current pricing and licensing pages for details.
What protocols does Cordum support?+
Cordum uses the Cordum Agent Protocol (CAP v2) as its wire format and supports MCP (Model Context Protocol) in both standalone stdio and gateway HTTP/SSE modes.
Can Cordum run on-premises?+
Yes. Cordum is designed for self-hosted deployment. Run it locally with Docker Compose or deploy to any Kubernetes cluster. There is no mandatory cloud dependency.
Build your rollout playbook with these AI agent governance and security guides.
Ready to add policy to your agents?
Follow the documented quickstart and validate the stack locally in your environment.