The only open-source agent platform with signed audit bundles, deterministic replay, per-session hash chains, and threshold signing — all in a single self-hosted binary. SOX, HIPAA, FINRA, and 21 CFR Part 11 ready.
Free under AGPL 3.0 for organizations under $5M ARR or deployments up to 10,000 concurrent agents. Commercial license available for larger deployments or proprietary use.
In regulated industries, every action must be attributable, tamper-evident, and reproducible. But every AI agent framework ships with none of that. You're left bolting on signing, audit logging, key management, and compliance tooling — each from a different vendor, each requiring its own BAA.
Most agent frameworks treat memory as a separate subsystem — a vector store bolted on, queried at the edge. Cosmictron treats memory as a first-class part of the runtime, event-sourced into the same signed log as every other action the agent takes. That difference is why banks are picking it up.
Retrieval doesn't stop at the top-k semantic matches. Activation spreads through the memory graph — if a memory is retrieved, related memories are surfaced with decaying weight. This is how human recall actually works, and it recovers context that flat vector search misses.
Every memory write is an event in the same signed, hash-chained audit log as every other action the agent takes. You can prove exactly which memories existed when a decision was made, and export the memory trail alongside the session bundle.
Short-term memories are consolidated into longer-term semantic memories on a background loop. The reflector compresses redundant traces, detects communities (related memory clusters), and promotes the signal. No manual curation required.
Memory is scoped to tenants and sessions at the runtime layer — not bolted on at the query layer where one bad filter means a catastrophic cross-tenant leak. The same isolation guarantees that apply to the event log apply to memory.
Memories inherit legal hold, PII encryption, and selective redaction from the core platform. A bank can guarantee that an agent's memory of a customer interaction will be redacted for external auditors and preserved under hold — without adding a separate system.
Because memory operations are events, replaying a session replays its memory state. The agent that made yesterday's decision can be interrogated today with the exact memories it had at the time. Critical for post-incident review in regulated industries.
| Capability | Cosmictron (native) | Pinecone / Weaviate (vector DB) | LangChain + Vector DB (bolt-on) | CrewAI + Vector DB (bolt-on) |
|---|---|---|---|---|
| Native memory layer (others delegate to Pinecone / Weaviate / Chroma) | ✓ | — | — | — |
| Spreading activation retrieval | ✓ | — | — | — |
| Event-sourced memory writes | ✓ | — | — | — |
| Signed, hash-chained memory audit trail | ✓ | — | — | — |
| Per-tenant isolation at runtime (◐ = query-layer filtering only) | ✓ | ◐ | ◐ | — |
| Automatic consolidation & reflection | ✓ | — | — | — |
| PII encryption on memory records | ✓ | — | — | — |
| Legal hold on specific memories | ✓ | — | — | — |
| Deterministic replay with memory state | ✓ | — | — | — |
When a regulator asks "what did this agent know when it made this decision?", a bolted-on vector DB gives you an approximate answer — you query it now and hope the index hasn't drifted. Cosmictron gives you the provable answer — replay the session and you see the exact memory state at the moment of the decision, cryptographically signed. Same substrate. Same audit trail. No reconciliation.
Durable sessions, supervisor handoff, parent-child delegation, and A2A messaging. Agents coordinate across process boundaries with cryptographic accountability at every hop.
LLM I/O and tool results captured verbatim. Clock, RNG, and A2A calls are virtualized so any session can be replayed bit-for-bit. The same input + same state = same output — provable.
Agents span multiple Cosmictron deployments over HTTP/2 + CBOR + Ed25519 auth. Distributed audit bundles export across nodes with cross-node merge.
CBOR sequences with per-event and bundle-level Ed25519 signatures. Self-verifying exports. Selective redaction via per-field commitment scheme lets auditors verify redacted bundles without seeing the data.
Merkle-style chain proves no events were deleted or reordered. Combined with RFC 3161 cryptographic timestamping, this satisfies 21 CFR Part 11, GxP, and SOX Section 404 evidence requirements.
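The two points above together describe the check an examiner runs offline: verify each event's Ed25519 signature, then walk the prev_hash links from genesis. As an added example, not Cosmictron's code or any code from this page, this Go verifier mirrors the event layout the page uses (all-zero genesis, SHA-256 over previous head plus encoded event, a signature over the encoded event); Go's standard library supplies Ed25519 without dependencies, and encoding/json stands in for CBOR, which the standard library lacks.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Event mirrors the event shape on the page; encoding/json stands in for CBOR (assumption).
// PrevHash is the chain head at the moment the event was written.
type Event struct {
	Session  string `json:"session"`
	Kind     string `json:"kind"`
	Payload  string `json:"payload"`
	PrevHash []byte `json:"prev_hash"`
}
// SignedEvent is one bundle entry: the encoded event and the Ed25519 signature over it.
type SignedEvent struct{ Encoded, Sig []byte }
// Genesis is the chain head before any event: the all-zero value the page uses.
var Genesis = make([]byte, 32)
// advance computes the next chain head: SHA-256(previous head || encoded event).
func advance(chain, encoded []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, chain...), encoded...))
	return sum[:]
}
// AppendEvent binds an event to the current chain head, signs it and returns the new head.
func AppendEvent(key ed25519.PrivateKey, chain []byte, session, kind, payload string) (SignedEvent, []byte) {
	enc, _ := json.Marshal(Event{Session: session, Kind: kind, Payload: payload, PrevHash: chain})
	return SignedEvent{Encoded: enc, Sig: ed25519.Sign(key, enc)}, advance(chain, enc)
}

// VerifyBundle replays the chain from Genesis with only the public key, as an examiner would
// offline. An edited, deleted or reordered event breaks a signature or a prev_hash link.
func VerifyBundle(pub ed25519.PublicKey, bundle []SignedEvent) error {
	chain := Genesis
	for i, se := range bundle {
		if !ed25519.Verify(pub, se.Encoded, se.Sig) {
			return fmt.Errorf("event %d: signature invalid (altered or forged)", i)
		}
		var ev Event
		if json.Unmarshal(se.Encoded, &ev) != nil || !bytes.Equal(ev.PrevHash, chain) {
			return fmt.Errorf("event %d: prev_hash mismatch (event deleted or reordered)", i)
		}
		chain = advance(chain, se.Encoded)
	}
	return nil
}
```

Reordering, dropping or editing any one event fails the check, while a wrong public key fails every signature; an empty bundle verifies trivially.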
Session retention override for HIPAA/21 CFR Part 11 compliance. Memory-bounded CBOR sequence export handles arbitrarily large bundles without loading the full dataset into RAM.
Every event is cryptographically attributable. Keys follow a lifecycle: Active → Retired → Revoked, with emergency rotation support. FROST threshold signatures (t-of-n) enforce multi-party control for SOX and PCI-DSS.
Sensitive fields encrypted with AES-256-GCM. Access gated by a pii:read capability — no capability, no plaintext. Works with legal hold to keep encrypted records even after deletion requests.
Periodic anchors to an external TSA bind audit events to wall-clock time accepted by pharma GxP regulators. Independent of Cosmictron infrastructure — verifiable with any RFC 3161-compliant tool.
Removes the last trust boundary in threshold signing. Each share holder generates their own polynomial share locally — no single party ever sees the full signing key, not even momentarily. True multi-party custody for regulated deployments.
7-page React/TanStack Start app: approval queues, orchestration trees, session explorer, agent registry, event browser, bundle export wizard, and settings. Ships with the binary.
Capability-based agent discovery with version pinning and contract verification at publish time. Install, pin, and verify third-party agents without leaving the platform.
Orchestration engine, audit infrastructure, key management, admin UI, and marketplace — all in one self-hosted binary. No sidecar services. No external dependencies for the compliance stack.
Tag sessions with required regions and route agent workloads to nodes in specific jurisdictions — GDPR, data residency, and cross-border compliance by design.
```rust
#[table(name = "agent_events")]
pub struct AgentEvent {
    #[primary_key]
    #[auto_inc]
    pub id: u64,
    pub session_id: SessionId,
    pub agent_id: Identity,
    pub kind: EventKind,
    pub payload: Bytes,
    pub timestamp: u64,
}

// Every insert: CBOR-serialized + Ed25519-signed
// automatically. No extra code.
#[reducer]
fn run_tool(ctx: &ReducerContext, tool: ToolCall) {
    // LLM I/O and tool results captured verbatim.
    // Clock + RNG virtualized for deterministic replay.
    // Hash chain updated. Signature appended.
    // pii:read gate enforced if payload has PII fields.
    db::insert(AgentEvent {
        id: 0, // #[auto_inc] assigns the real id on insert
        session_id: ctx.session_id,
        agent_id: ctx.sender,
        kind: EventKind::ToolCall,
        payload: tool.serialize(),
        timestamp: ctx.timestamp,
    });
}
```

```python
# Stream a signed CBOR audit bundle for a session.
# Memory-bounded — works for any bundle size.
bundle = await cosmictron.export_bundle(
    session_id=session_id,
    verify_chain=True,    # reject if hash chain broken
    rfc3161_anchor=True,  # include TSA timestamp proof
)
# Bundle is self-verifying. No Cosmictron needed
# to audit it later. Hand it to an examiner.
```

Every do-it-yourself code example below is real. It's what teams build when they try to retrofit compliance onto an existing agent framework. Each one is followed by the Cosmictron equivalent.
Without Cosmictron:

```python
# You wire all of this yourself
import cbor2, hashlib
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

_signing_key = Ed25519PrivateKey.generate()
_chain_hash = bytes(32)  # genesis

def write_event(session_id, kind, payload):
    global _chain_hash
    event = {
        "session": session_id,
        "kind": kind,
        "payload": payload,
        "prev_hash": _chain_hash,
    }
    encoded = cbor2.dumps(event)
    sig = _signing_key.sign(encoded)
    _chain_hash = hashlib.sha256(
        _chain_hash + encoded
    ).digest()
    # Now persist to Postgres — separately.
    # Key rotation? Threshold signing? Out of scope.
    # RFC 3161 anchor? Another integration.
    db.execute("INSERT INTO audit ...")
```

Plus: key storage, rotation policy, chain reconstruction on restart, separate export pipeline...
With Cosmictron:

```rust
#[reducer]
fn run_tool(
    ctx: &ReducerContext,
    tool: ToolCall,
) {
    db::insert(AgentEvent {
        id: 0, // #[auto_inc] assigns the real id on insert
        session_id: ctx.session_id,
        agent_id: ctx.sender,
        kind: EventKind::ToolCall,
        payload: tool.serialize(),
        timestamp: ctx.timestamp,
    });
}
// Ed25519-signed. CBOR-serialized.
// Hash chain updated. Automatic.
// Zero extra code.
```

Without Cosmictron:

```python
# With LangChain / CrewAI:
# You can log inputs and outputs,
# but you cannot guarantee replay
# produces the same result.
#
# datetime.now() in your tool?
# Different result on replay.
# random.choice() in your agent?
# Different result on replay.
# A2A call to another agent?
# Non-deterministic.
#
# For 21 CFR Part 11, you need to
# prove: same input + same state =
# same output. No existing framework
# makes this possible without
# replacing its entire runtime.
```

With Cosmictron:

```python
# Replay any session bit-for-bit.
# Clock, RNG, and A2A are virtualized.
result = await cosmictron.replay(
    session_id=session_id,
    verify_hash_chain=True,
)
# Sandbox guarantees same output.
# GxP evidence: this is a validated
# system — provably.
```

Without Cosmictron:

```python
# You pull from:
# 1. Application DB (agent logs)
# 2. Signing service (signatures)
# 3. Key store (public keys)
# 4. TSA provider (timestamps)
# 5. Distributed nodes (if multi-node)
# 6. Your own export pipeline
#
# Then: correlate timestamps,
# merge signatures, hope nothing
# was lost in a restart.
#
# The examiner needs your
# infrastructure running to
# verify anything.
```

With Cosmictron:

```python
# One call. Memory-bounded streaming.
# Works for arbitrarily large sessions.
bundle = await cosmictron.export_bundle(
    session_id=session_id,
    verify_chain=True,
    rfc3161_anchor=True,
    include_public_keys=True,
)
# Self-verifying CBOR sequence.
# No Cosmictron needed to audit.
# Hand to examiner. Done.
```

Durable sessions, supervisor handoff, parent-child delegation, and A2A messaging with cryptographic accountability at every hop. No framework tax.
Every agent session persists automatically. Cross-session recall is a SQL query. No external DB, no cache layer, no serialization code.
Every event is signed at write time. A Merkle-style hash chain proves no events were deleted or reordered. Self-verifying export bundles need no external validator.
Keys follow an Active → Retired → Revoked lifecycle with emergency rotation support. FROST t-of-n threshold signing enforces multi-party control for SOX and PCI-DSS — no HSM required.
Periodic RFC 3161 anchors bind audit events to wall-clock time accepted by pharma GxP regulators. Verifiable with any standard RFC 3161 tool.
Approval queues, orchestration trees, session explorer, agent registry, event browser, bundle export wizard, and settings — no build required.
One binary. Zero compliance glue.
Four-eyes approval, maker-checker separation, signed access log, and hash chain satisfy SOX Section 404. Per-event signing and tenant isolation meet FINRA audit requirements. Export cryptographically verifiable bundles for examiners.
Legal hold prevents session deletion during active investigations. PII capture gate encrypts sensitive fields with AES-256-GCM behind a pii:read capability. Full audit trail with signed events proves chain of custody for PHI.
Hash chain + RFC 3161 cryptographic timestamping + deterministic replay constitutes validated system evidence. Same input + same state = same output, provably. GxP qualification packages export directly from the admin dashboard.
Multi-party orchestration, cross-node deployment, threshold signing, and streaming audit export scale to enterprise agent workloads. Self-hosted — your data never leaves your infrastructure.
Other frameworks build agents. Cosmictron builds agents with a compliance story.
| Feature | Cosmictron | LangChain | CrewAI | Temporal | OpenAI Assistants |
|---|---|---|---|---|---|
| Self-hosted | ✓ | ✓ | ✓ | ✓ | — |
| Open source | ✓ | ✓ | ✓ | ✓ | — |
| Stateful sessions | ✓ | — | — | ✓ | ✓ |
| Signed events | ✓ | — | — | — | — |
| Hash chain | ✓ | — | — | — | — |
| Deterministic replay | ✓ | — | — | — | — |
| RFC 3161 timestamping | ✓ | — | — | — | — |
| Threshold signing | ✓ | — | — | — | — |
| PII encryption | ✓ | — | — | — | — |
| SOX/HIPAA/GxP evidence | ✓ | — | — | — | — |
| Cross-node orchestration | ✓ | — | — | ✓ | — |
| Admin dashboard | ✓ | — | — | ✓ | ✓ |
| Marketplace | ✓ | — | — | — | — |
LangChain/LangGraph and CrewAI are Python frameworks — great for building agents, not for proving what agents did. Temporal is a workflow engine with no LLM-native replay or signing. OpenAI Assistants is a managed service — no self-host, limited audit export. Cosmictron is the only option purpose-built for compliance-grade agent auditability.
One binary replaces an entire infrastructure stack. Building a production agent system with LangChain or CrewAI typically requires assembling a state database, vector store, message queue, WebSocket server, session manager, event log, and custom memory layer. Cosmictron includes all of these out of the box.
| Capability | Purpose | Cosmictron | LangChain | CrewAI | AutoGen | OpenAI Assistants | Temporal |
|---|---|---|---|---|---|---|---|
| Real-time WebSocket subscriptions | Stream agent state to clients | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Sub-10ms event delivery | Low-latency updates | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Built-in persistent memory | No external vector DB | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Automatic session state | No external state store | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ |
| Event sourcing | Replay history | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Incremental views (DBSP) | Efficient query updates | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Durable conversation history | Survive restarts | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ |
| Session pause/resume | Long-running workflows | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Agent-to-agent messaging | Multi-agent coordination | ✓ | ✗ | ✓ | ✓ | ✗ | ✗ |
| Voice/media pipeline | Real-time voice agents | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Telephony ingress | Phone calls without external provider | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
LangChain, CrewAI, AutoGen, and similar frameworks require assembling Redis + PostgreSQL + Pinecone/Weaviate + RabbitMQ/Kafka + a WebSocket server + custom state machines to match what Cosmictron ships in a single binary.
Benchmarked on a single node. No caching tricks. Reproducible.
Cosmictron is free and open source under AGPL 3.0 for any organization with under $5M in annual revenue, or any deployment of up to 10,000 concurrent agent sessions. Qualify on either threshold and you pay nothing — even if you exceed the other.
Above both thresholds, or if you need to keep your code proprietary or embed Cosmictron in a commercial product, a commercial license removes all AGPL copyleft requirements and includes access to support SLAs and private forks.
Managed hosting, agent deployment, built-in observability. Join the waitlist.