KDCube.cloud — the managed runtime roadmap
The open-source runtime already delivers the governance, economics, and streaming primitives that generic PaaS cannot. KDCube.cloud packages the same runtime as a zero-ops managed service. Below are the target gaps we are closing next, in priority order.
Priority roadmap
- Generally Available cloud service — KDCube.cloud as a GA managed SaaS, positioned as the zero-ops path for teams that want the open-source runtime without operating the infrastructure.
- Hosted control plane with one-click region selection (EU / US) and tenant pinning for data residency.
- Per-tenant BYOK vault for OpenAI / Anthropic / Bedrock / Gemini keys, with rotation, per-tenant attribution, and zero-egress audit of every provider call.
- SOC 2 Type II + HIPAA BAA inheritance — enterprise-ready compliance that rolls down from the platform to customer workloads.
- Bundle marketplace — one-click install of vetted agent bundles, with signed provenance and pinned-version upgrades.
- Preview environments per PR for bundles — Vercel-parity review flow for agent changes.
- GPU-backed inference lane (optional) for self-hosted models, with the same policy gate and economics applied as to external providers.
- Active-active multi-region with tenant-level residency pinning and automatic failover.
- Policy DSL for declarative rules — human-readable action scope definitions per agent role, enforced pre-execution.
- Deterministic pre-execution enforcement — verifiable allow / deny decision before any tool call fires.
- Workflow invariants — required approval / notification steps enforced; skip prevention.
- Cross-agent approval gates — human-in-the-loop or secondary-agent confirmation on sensitive actions.
- ReAct v3 runtime (experimental) — advanced multi-tool orchestration, improved context management, and next-generation streaming.
- Knowledge Space namespaces (
ks:logical paths) — index bundle knowledge with semantic search; resolve file-based, DB, or graph knowledge without changing the ReAct protocol. - KDCube VM CLI (Colima / WSL2 / Multipass) — run KDCube in isolated VMs with CLI-managed lifecycle; keep secrets and data off your host.
The open-source KDCube runtime stays MIT-licensed forever. KDCube.cloud is the zero-ops path for teams that want the same controls without running the infrastructure themselves.
Upcoming enterprise features
Capabilities grouped by what usually unblocks enterprise procurement. Every item here is on the roadmap — priority is driven by customer demand. If one of these is a dealbreaker for your rollout, tell us and we will route it to the top.
Enterprise identity & access
SAML 2.0 + SCIM 2.0
Okta / Microsoft Entra ID / Ping integration with JIT user provisioning and group-to-role sync. Complements the existing Cognito and delegated-auth paths.
Break-glass admin access
Time-bounded privilege grants with full session recording — every keystroke and event captured for forensic review.
Audit, logging & compliance
Tamper-evident audit log
Hash-chained turn snapshots plus optional WORM S3 export. Satisfies SOC 2 CC7.2 and HIPAA §164.312(c) integrity requirements.
SIEM forwarders
One-way sinks to Splunk HEC, Datadog, and syslog CEF/LEEF. Decision logs and audit events delivered on the same channel your SOC already watches.
Compliance artifact bundle
DPA, BAA, sub-processor list, pen-test summary, and SOC 2 evidence packet delivered on NDA. No back-and-forth with vendor security.
Right-to-erasure workflow
GDPR Art. 17 subject deletion that purges timeline, artifacts, source pool, embeddings, and cached prompts — with a signed proof-of-erasure record.
Data protection & deployment
In-pipeline DLP
PII / PHI detection and redaction on prompts and outputs, with per-tenant rules (allow / redact / block). Pluggable classifiers, Presidio-compatible.
mTLS & PrivateLink
Mutual TLS between platform services and VPC endpoint / PrivateLink support for regulated deployments.
Air-gapped install + SBOM + SLSA
Signed OCI bundles, offline install manifest, CycloneDX SBOM, and SLSA provenance attestations on every release.
Sovereign cloud packs
AWS GovCloud, Azure Government, and Bleu (France) deployment templates with the same control surface as commercial.
Governance, ops & FinOps
Admin console
Web UI for budgets, user roles, bundle lifecycle, secret rotation, and policy diffs — so your CISO can operate the platform without a terminal.
Model governance
Per-tenant model allowlist, version pinning, and a prompt-template registry with versioning and approval workflow.
Bundle signing + staged promotion
Sigstore-signed bundles and a dev → staging → prod pipeline with required approvals, canary traffic splits, and one-click rollback.
Human-in-the-loop approval routing
Slack / Microsoft Teams / email routing for tool calls that exceed a spend or write-scope threshold. Builds on the cross-agent approval gate primitive.
Red-team & adversarial eval harness
Golden-set regression on model upgrades; jailbreak, grounding, and output-safety scoring enforced pre-promotion.
OpenTelemetry-native traces
Distributed tracing across gateway, executor, and tool calls. Tenant-scoped Grafana dashboards ship with the Helm chart.
Chargeback / cost-allocation tags
Cost-center labels flow through the economics engine to show-back invoicing and finance exports (NetSuite, SAP, CSV).
Per-tool circuit breakers
Trip on a single tool's error rate or grounding score — not just system-level breakers. Isolates one bad integration without failing the whole agent.
Priority is driven by customer demand. The next section is the fastest way to move an item up.
Request a feature or move one up the list
Tell us what capability would unblock your enterprise rollout. Every request goes to the founding team and gets read the same day. Include your use case, the regulatory driver (if any), and the timeline you are working against.