Enterprise
Security, compliance, and scale for production deployments.
Why Enterprise Teams Choose CorvidAgent
Self-Hosted
Runs on your infrastructure. Your code never leaves your network. Full control over data residency and compliance.
Multi-Tenant
Isolated environments for different teams, projects, or clients. Tenant-scoped data, API keys, and RBAC roles.
Audit Trail
Every action logged. Optionally recorded on-chain via Algorand — verifiable by anyone, deletable by no one.
Container Sandboxing
Agent code execution in isolated Docker containers. No host access, no breakouts, no surprises.
API-First
~300 REST endpoints, OpenAPI spec, Swagger UI, WebSocket streaming, and A2A protocol interoperability.
Deployment Flexibility
Docker, Kubernetes (Helm + raw manifests), systemd, or macOS LaunchAgent. Your infrastructure, your choice.
Architecture Overview
                    +--------------------------+
                    |   Angular 21 Dashboard   |
                    +------------+-------------+
                                 |
                         HTTP / WebSocket
                                 |
+--------------------------------+--------------------------------+
|                     Bun Server (port 3000)                      |
|                                                                 |
|  Process Manager | Council Engine | Scheduler | Work Tasks      |
|  Telegram Bridge | Discord Bridge | Slack     | Voice (TTS/STT) |
|  Workflow Engine | A2A Protocol   | MCP Tools | Sandbox         |
|                                                                 |
|  +-----------------------------------------------------------+  |
|  |                     SQLite (WAL mode)                     |  |
|  |  16 migrations | FTS5 search | 90+ tables | foreign keys  |  |
|  +-----------------------------------------------------------+  |
+-----------------------------------------------------------------+
Single binary, single database file, no external dependencies beyond the AI provider.
Multi-Tenant Setup
# Enable tenant isolation
MULTI_TENANT=true
API_KEY=your-admin-api-key
ANTHROPIC_API_KEY=sk-ant-...
$ curl -X POST https://corvid.yourcompany.com/api/tenants/register \
-H "Content-Type: application/json" \
-d '{
"name": "Frontend Team",
"slug": "frontend",
"ownerEmail": "lead@yourcompany.com",
"plan": "pro"
}'
✓ Returns a tenant-specific API key
# All subsequent requests are scoped to that tenant's data
What’s Isolated Per Tenant
Data
Agents, sessions, projects, work tasks, memory, and conversation history — fully isolated per tenant.
Configuration
Schedules, workflow executions, API keys, and RBAC roles — scoped and enforced at the database layer.
Plans & RBAC
Tenant Plans
Free
2 agents, 1 concurrent session. Basic tools — perfect for evaluation.
Starter
5 agents, 3 concurrent sessions. Adds GitHub integration and schedules.
Pro
20 agents, 10 concurrent sessions. Councils, workflows, and voice.
Enterprise
Unlimited agents and sessions. Custom limits, priority support, SLA.
Role-Based Access Control
Owner
Full access. Manage members, billing, tenant settings, and all operational controls.
Operator
Create and manage agents, sessions, schedules, and work tasks. Day-to-day operations.
Viewer
Read-only access to dashboards, logs, and session history. Ideal for stakeholders.
Security Features
Authentication
API key auth with timing-safe comparison. Admin keys for elevated operations. Zero-downtime key rotation with 24-hour grace period.
Encryption
Wallet keys encrypted at rest with AES-256-GCM. Mnemonics never logged or exposed via API. Protected file enforcement.
Input Validation
Zod schemas on all API inputs. Parameterized SQL queries. Six-category prompt injection scanner. Bash command validation.
Rate Limiting
Sliding-window per IP and per endpoint. Auth-tier-based multipliers. HTTP 429 with Retry-After headers.
Network Security
Explicit CORS origin allowlists. TLS via reverse proxy (Nginx/Caddy configs included). Non-root Docker execution.
Operational Modes
autonomous, supervised (queue for approval), or paused. Protected paths require explicit approval. Daily spending caps.
Deployment Options
Docker (recommended)
$ docker compose -f deploy/docker-compose.yml up -d
✓ Multi-stage build
✓ Non-root user
✓ Health checks included
✓ Database persisted via named volume
Kubernetes (Helm)
$ helm install corvid-agent \
deploy/helm/corvid-agent \
--set env.ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY \
--set env.API_KEY=$API_KEY \
--set env.MULTI_TENANT=true
✓ Production-ready Helm chart
Kubernetes (raw manifests)
$ kubectl apply -f deploy/k8s/
systemd (bare metal)
$ sudo cp deploy/corvid-agent.service \
/etc/systemd/system/
$ sudo systemctl enable --now corvid-agent
Monitoring & Health
# Liveness (is the process running?)
$ curl http://localhost:3000/health/live
{"status": "ok"}
# Readiness (can it handle requests?)
$ curl http://localhost:3000/health/ready
{"status": "ok"}
# Self-test (full diagnostics)
$ curl -X POST http://localhost:3000/api/selftest/run \
-H "Authorization: Bearer $API_KEY"
{"passed": true, "checks": 42}
# .env — connect to any OTLP backend
OTEL_EXPORTER_OTLP_ENDPOINT=https://otel-collector:4318
OTEL_SERVICE_NAME=corvid-agent-prod
# Compatible backends:
● Jaeger
● Grafana Tempo
● Datadog
● Any OTLP-compatible collector
Image Verification & SBOM
Docker images are signed with Cosign (keyless, Sigstore/Fulcio) and include SPDX SBOM attestations.
# Verify image signature
$ cosign verify \
--certificate-identity-regexp \
"https://github.com/CorvidLabs/corvid-agent" \
--certificate-oidc-issuer \
"https://token.actions.githubusercontent.com" \
ghcr.io/corvidlabs/corvid-agent:latest
✓ Signature verified
# Verify and extract SBOM
$ cosign verify-attestation \
--type spdxjson \
--certificate-identity-regexp \
"https://github.com/CorvidLabs/corvid-agent" \
--certificate-oidc-issuer \
"https://token.actions.githubusercontent.com" \
ghcr.io/corvidlabs/corvid-agent:latest
✓ SBOM attestation verified
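A stricter form of the verification above, as an added example (not from the CorvidAgent documentation): cosign treats --certificate-identity-regexp as an unanchored regular expression, so the pattern shown accepts any identity that contains that string, and :latest is a mutable tag. Assumptions: grep -E stands in for cosign's matcher, the sample identities are constructed (release.yml and corvid-agent-fork are hypothetical names), and verify_pinned is a hypothetical helper.

```bash
#!/usr/bin/env bash
# Added example, not CorvidAgent's own tooling.
LOOSE='https://github.com/CorvidLabs/corvid-agent'     # pattern as shown on the page
STRICT='^https://github\.com/CorvidLabs/corvid-agent/' # anchored, dots escaped, stops at the repo boundary
ISSUER='https://token.actions.githubusercontent.com'

# Constructed sample certificate identities (hypothetical workflow and repo names).
GOOD='https://github.com/CorvidLabs/corvid-agent/.github/workflows/release.yml@refs/tags/v1.2.3'
OTHER='https://github.com/CorvidLabs/corvid-agent-fork/.github/workflows/release.yml@refs/tags/v1.2.3'

# identity_matches PATTERN IDENTITY
# grep -E is used here as a stand-in for cosign's unanchored regexp match (assumption).
identity_matches() {
  printf '%s\n' "$2" | grep -Eq -- "$1"
}

# verify_pinned IMAGE
# Refuses tag references (returns 2), then checks signature and SPDX attestation
# against the anchored identity pattern. Returns 1 if either cosign check fails.
verify_pinned() {
  case "$1" in
    *@sha256:*) ;;
    *) echo "refusing unpinned reference: $1" >&2; return 2 ;;
  esac
  cosign verify \
    --certificate-identity-regexp "$STRICT" \
    --certificate-oidc-issuer "$ISSUER" "$1" >/dev/null || return 1
  cosign verify-attestation --type spdxjson \
    --certificate-identity-regexp "$STRICT" \
    --certificate-oidc-issuer "$ISSUER" "$1" >/dev/null || return 1
}

# Show how each pattern treats each constructed identity.
report() {
  if identity_matches "$2" "$3"; then
    echo "$1: accepted $3"
  else
    echo "$1: rejected $3"
  fi
}
report loose  "$LOOSE"  "$GOOD"
report loose  "$LOOSE"  "$OTHER"
report strict "$STRICT" "$GOOD"
report strict "$STRICT" "$OTHER"
```

In a deployment pipeline, resolve the tag to a digest once, then call verify_pinned with the ghcr.io/corvidlabs/corvid-agent@sha256:<digest> reference before the image is pulled.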
Database Management
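# Manual backup
$ curl -X POST http://localhost:3000/api/backup \
-H "Authorization: Bearer $ADMIN_API_KEY"
# Automated (cron, every 6 hours)
# Keep the crontab entry on one line: cron does not join lines ending in "\".
# Define ADMIN_API_KEY in the crontab itself; cron does not load your shell profile.
0 */6 * * * curl -s -X POST http://localhost:3000/api/backup -H "Authorization: Bearer $ADMIN_API_KEY"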
# Configurable retention
BACKUP_MAX_KEEP=10
# Migrations run automatically on startup
# Manual commands available:
$ bun run migrate:status
✓ 16 migrations applied
$ bun run migrate:up
✓ Applied pending migrations
$ bun run migrate:down
↩ Rolled back last migration
On-Chain Audit Trail
Immutable, Tamper-Proof Records
For organizations that need verifiable compliance records, CorvidAgent can record agent decisions, council deliberations, and inter-agent messages as Algorand transactions — verifiable by anyone, deletable by no one.
# Enable on-chain audit trail
ALGOCHAT_MNEMONIC=your 25 word mnemonic
ALGORAND_NETWORK=mainnet
# What gets recorded on-chain:
● Agent decisions and actions
● Council deliberations and votes
● Inter-agent messages (AlgoChat)
● Governance-annotated file changes
Quick Evaluation
Try Locally (5 minutes)
$ curl -fsSL https://raw.githubusercontent.com/\
CorvidLabs/corvid-agent/main/scripts/install.sh \
| bash
✓ Zero configuration required
# Explore the dashboard, create an agent, run a session
Production (30 minutes)
$ git clone https://github.com/\
CorvidLabs/corvid-agent.git
$ cd corvid-agent
$ cp .env.example .env
# Configure .env with your keys
$ docker compose \
-f deploy/docker-compose.yml up -d
✓ Production-ready in 30 minutes