Centaur

A durable workflow engine where the agent never holds an API key — secrets live behind an in-flight proxy firewall. By paradigmxyz + Tempo. GitHub · 722★ · open-sourced 2026-05-21

The Orthogonal Component: Durable Replay + Credential Firewall

Centaur's orthogonal contribution is two halves of one idea: make the agent run replayable, and make it credential-free. The durable workflow engine is inspired by Absurd. Each step is wrapped:

ctx.step("fetch_pr", fn)      # checkpointed; cached steps return instantly on replay
ctx.sleep(...)                # durable timer
ctx.sleep_until(...)          # durable wake at a wall-clock time
ctx.wait_for_event(...)       # park until an external event lands
ctx.run_agent(...)            # nested agent invocation, also checkpointed

Replay re-executes the workflow top-to-bottom. Steps that already completed return their cached result without re-running — so a crashed or evicted run resumes exactly where it stopped, and a reconnecting client replays the missed deltas off a replayable event stream.

The other half is the iron-proxy credential firewall. The agent never holds API keys. Outbound calls route through a proxy that injects the secret in-flight and scans the response for leaks. This is a different cut from Muaddib's host/guest split — there the key stays on the host because the SDK runs there; here the key is injected at the network edge and the agent only ever issues a credential-free request.

Kernel / Userspace Split

Centaur draws an OS-style line: a small, auditable core (API, the credential firewall, secrets) versus a wide-open userspace (tools, skills, workflows). The trust surface that matters — where keys live and where requests are gated — is kept small and reviewable; everything an org wants to customize lives in the loose layer above.

Isolation: One Slack Thread = One Sandbox Pod

Each Slack thread maps to its own Kubernetes sandbox pod. Compute isolation is per-conversation rather than per-channel or per-user, so two threads never share a workspace or a running process. The pod is the disposable unit; durable state never lives there.

Multi-Harness Adapter

Centaur runs multiple coding harnesses — Amp, Claude Code, Codex/Pi-Mono — behind one normalised Anthropic NDJSON protocol. The workflow engine drives whichever harness an org configures without the rest of the system knowing which one is underneath.

Overlay Model

Company-specific extensions arrive as a Docker image mounted on top of the core services. The core stays generic and auditable; orgs layer their own tools and config over it without forking the kernel.

State: Stateless Services, 7-Table Postgres

All services are stateless. Every piece of durable state — runtime assignments, message requests, attachments, execution requests, the execution event stream, the final-delivery outbox, sandbox sessions — lives in Postgres across 7 core tables:

agent_runtime_assignments
agent_message_requests
attachments
agent_execution_requests
agent_execution_events
agent_final_delivery_outbox
sandbox_sessions

Because nothing is held in process memory, any service instance can pick up any run, and the replayable agent_execution_events stream is what lets a reconnecting client replay missed deltas — the same table that backs durable replay also backs live reconnection.

Validated Usefulness

• In production at both Paradigm and Tempo since January 2026 — open-sourced 2026-05-21, so the design predates its public release by ~5 months of internal use.
• Repo: paradigmxyz/centaur — Python 88.4%, TypeScript 9.0%. 722 stars, 119 forks.

References

• Repository: paradigmxyz/centaur (722★, 119 forks)
• Durable-workflow inspiration: Absurd (ctx.step checkpoint/replay model)
• Built by: Paradigm + Tempo — in production since Jan 2026, open-sourced 2026-05-21

See Also

• Systems Compared — all systems side by side
• Muaddib — the other credential-boundary design (host/guest split vs proxy firewall)