Cordum Enterprise
The standalone
cordum-enterpriserepo was retired on 2026-04-23. All enterprise features now ship in the corecordumrepo, gated by license entitlements. There is no separate enterprise binary, repo, or product — the single control plane unlocks enterprise capabilities when a valid license is present.
Enterprise features are delivered by the core cordum control plane and unlock
when a signed license entitlement is present. The core repo is licensed under
BUSL-1.1.
Current enterprise features (all in core)
These ship in the core repo and activate behind license entitlements:
- License enforcement across all services (no separate binary)
- Multi-tenant API keys + advanced RBAC
- User/password authentication with bcrypt-secured credentials
- SSO via SAML and OIDC
- SCIM 2.0 provisioning
- Audit export to SIEM backends (webhook, syslog, Datadog, CloudWatch)
- Legal hold and velocity-rule policy fragments
License loading, validation, and tier enforcement live in core
(core/licensing/). The core licensing system uses Ed25519 signature
verification and enforces three tiers (Community/Team/Enterprise) with
entitlement limits across all services (gateway rate limits, scheduler
concurrency, workflow steps, safety kernel policy bundles, audit retention).
Licenses degrade gracefully to Community tier on expiry.
License issuance is handled by the cordum-tools license generator; the
core control plane validates and enforces the resulting signed license.
Configuration variables (set in core):
CORDUM_LICENSE_FILE— path to the signed license fileCORDUM_LICENSE_TOKEN— inline license token (alternative to file)CORDUM_LICENSE_PUBLIC_KEY— Ed25519 public key for signature verification
Authentication
The platform supports multiple authentication methods:
API Key Authentication (default)
- Set via
CORDUM_API_KEYorCORDUM_API_KEYS - Used for programmatic access (scripts, CI/CD, workers)
- Sent via
X-API-Keyheader
User/Password Authentication
- Enable with
CORDUM_USER_AUTH_ENABLED=true - Users stored in Redis with bcrypt-hashed passwords
- Supports login via username or email
- Admin can create users via
POST /api/v1/users - Users can change password via
POST /api/v1/auth/password
SSO/SAML (Enterprise)
- Integrates with identity providers (Okta, Azure AD, etc.)
- Marked with "Enterprise" badge in dashboard
- Configure via SAML environment variables
Planned enterprise extensions
- Air-gapped deployment guide
- FIPS 140-2 compliance mode
- Dedicated support tooling
Licensing model
- Core (
cordum): Business Source License 1.1 (free for self-hosted use; no competing hosted/managed offering). Enterprise capabilities are gated by a commercial license entitlement applied to this same core platform. - Protocol/SDK (
cap): Apache-2.0.
Where to look
- Enterprise features and configuration:
cordum/docs/enterprise.md - License tooling (issuance):
cordum-tools/docs/license_tool.md - Licensing code:
cordum/core/licensing/