Open core & enterprise

What is implemented, and where it runs.

Cullis is pre-1.0 and not yet validated in production. Treat everything below as an early MVP, not a finished product. The open-core build is what you can pull and run today under FSL-1.1 + Apache-2.0. The enterprise capabilities are implemented as license-gated plugins, but the enterprise build is not yet released as a packaged product. Neither side has been validated in a real deployment. This page exists so the boundary is explicit instead of something you have to infer from the code.

Open core

runs from the public image, no license
  • Per-agent cryptographic identity: X.509 leaf + SPIFFE ID per agent process, mTLS (RFC 8705) + DPoP (RFC 9449), thumbprint pinning, explicit rotation. The caller is the agent itself, not a shared service account.
  • Policy enforcement (PDP): per-principal capabilities and a policy decision point that fires before the LLM API or MCP tool runs. OPA-compatible Rego bundles or a built-in rule set.
  • Tamper-evident audit chain: append-only, hash-chained events with Merkle batch sealing and optional RFC 3161 TSA anchoring. Verifiable externally, without trusting Cullis or your IT team.
  • Embedded AI gateway: native per-provider adapters (Anthropic and OpenAI SDKs, raw HTTP for Ollama on-prem). LLM-agnostic, no third-party gateway in the critical path.
  • MCP reverse-proxy: aggregates MCP tool servers behind the same identity, capability gate, and audit chain.
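As an added illustration of the audit-chain item above (example code written for this page, not Cullis's implementation or event schema): a minimal append-only hash chain with a Merkle batch seal, and the external verifier that catches both an altered entry and a silently truncated batch. The sealed root is the value an RFC 3161 TSA would timestamp; the TSA call itself is not shown, and the agent IDs and event fields are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry in a chain

def _h(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def _canon(event: dict) -> str:
    # Canonical JSON so the same event always hashes to the same value.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))

def append_event(chain: list, event: dict) -> dict:
    """Append one audit event, linking it to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "prev": prev, "event": event,
             "hash": _h(prev + _canon(event))}
    chain.append(entry)
    return entry

def merkle_root(leaves: list) -> str:
    """Root of a binary Merkle tree over entry hashes (odd level: duplicate last)."""
    level = list(leaves) or [GENESIS]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def seal_batch(chain: list) -> str:
    """Batch seal: the single value you would hand to an RFC 3161 TSA (not done here)."""
    return merkle_root([e["hash"] for e in chain])

def verify_chain(chain: list, sealed_root: str):
    """Recompute every link and the batch root. Returns (ok, first_bad_seq)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _h(prev + _canon(e["event"])):
            return False, i  # this entry was altered (or re-ordered)
        prev = e["hash"]
    if seal_batch(chain) != sealed_root:
        return False, None  # links intact but batch differs: truncation or a re-hashed rewrite
    return True, None

def build_sample_chain() -> list:
    """Constructed sample events; field names are illustrative, not Cullis's schema."""
    chain = []
    append_event(chain, {"agent": "spiffe://example.org/agent/a1", "action": "llm.call", "allowed": True})
    append_event(chain, {"agent": "spiffe://example.org/agent/a1", "action": "mcp.tool", "tool": "read_file", "allowed": False})
    append_event(chain, {"agent": "spiffe://example.org/agent/a2", "action": "llm.call", "allowed": True})
    return chain
```

An attacker who can rewrite the log can recompute every link hash, which is why the per-link check alone is not enough; only the externally anchored batch root exposes that rewrite or a dropped tail.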

Enterprise build

implemented, license-gated, not yet released
  • SAML 2.0 SSO: federate dashboard sign-in with a corporate IdP (Okta, Azure AD, Keycloak, OneLogin).
  • SCIM 2.0 provisioning: automated user lifecycle (provision / deprovision / group sync) from the corporate IdP.
  • Multi-admin RBAC + four-eyes: more than one admin, with a configurable second-admin approval gate on sensitive actions (enrollment, CA rotation, license import).
  • Cloud KMS (AWS / Azure / GCP): custody of the org CA private key in a managed cloud KMS instead of Vault or the filesystem.
  • Audit archive: long-term retention and archival of the audit chain to an external sink.
  • Audit export to Datadog: stream audit events to Datadog for SIEM / monitoring.
  • LLM Guardian: inline content inspection hook on the message path (plug in a detector such as a guardrail provider).