Skip to main content

Cordum Enterprise

The standalone cordum-enterprise repo was retired on 2026-04-23. All enterprise features now ship in the core cordum repo, gated by license entitlements. There is no separate enterprise binary, repo, or product — the single control plane unlocks enterprise capabilities when a valid license is present.

Enterprise features are delivered by the core cordum control plane and unlock when a signed license entitlement is present. The core repo is licensed under BUSL-1.1.

Current enterprise features (all in core)

These ship in the core repo and activate behind license entitlements:

  • License enforcement across all services (no separate binary)
  • Multi-tenant API keys + advanced RBAC
  • User/password authentication with bcrypt-secured credentials
  • SSO via SAML and OIDC
  • SCIM 2.0 provisioning
  • Audit export to SIEM backends (webhook, syslog, Datadog, CloudWatch)
  • Legal hold and velocity-rule policy fragments

License loading, validation, and tier enforcement live in core (core/licensing/). The core licensing system uses Ed25519 signature verification and enforces three tiers (Community/Team/Enterprise) with entitlement limits across all services (gateway rate limits, scheduler concurrency, workflow steps, safety kernel policy bundles, audit retention). Licenses degrade gracefully to Community tier on expiry.

License issuance is handled by the cordum-tools license generator; the core control plane validates and enforces the resulting signed license.

Configuration variables (set in core):

  • CORDUM_LICENSE_FILE — path to the signed license file
  • CORDUM_LICENSE_TOKEN — inline license token (alternative to file)
  • CORDUM_LICENSE_PUBLIC_KEY — Ed25519 public key for signature verification

Authentication

The platform supports multiple authentication methods:

API Key Authentication (default)

  • Set via CORDUM_API_KEY or CORDUM_API_KEYS
  • Used for programmatic access (scripts, CI/CD, workers)
  • Sent via X-API-Key header

User/Password Authentication

  • Enable with CORDUM_USER_AUTH_ENABLED=true
  • Users stored in Redis with bcrypt-hashed passwords
  • Supports login via username or email
  • Admin can create users via POST /api/v1/users
  • Users can change password via POST /api/v1/auth/password

SSO/SAML (Enterprise)

  • Integrates with identity providers (Okta, Azure AD, etc.)
  • Marked with "Enterprise" badge in dashboard
  • Configure via SAML environment variables

Planned enterprise extensions

  • Air-gapped deployment guide
  • FIPS 140-2 compliance mode
  • Dedicated support tooling

Licensing model

  • Core (cordum): Business Source License 1.1 (free for self-hosted use; no competing hosted/managed offering). Enterprise capabilities are gated by a commercial license entitlement applied to this same core platform.
  • Protocol/SDK (cap): Apache-2.0.

Where to look

  • Enterprise features and configuration: cordum/docs/enterprise.md
  • License tooling (issuance): cordum-tools/docs/license_tool.md
  • Licensing code: cordum/core/licensing/