Deployment
Deploy Edictum
Two paths to production. Start with local runtime rules. Add the optional reference stack when you need fleet visibility, approvals, and audit trails.
Core Library
Zero Infrastructure
- pip install edictum[yaml]
- 3 lines of code
- Rulesets + Workflow Gates
- Zero runtime dependencies
- Works offline, no server needed
Best for: single agent, local development, CI/CD pipelines
pip install edictum[yaml]
Reference stack
Optional API/app stack
- API/app reference stack for approvals, audit logs, and fleet visibility
- API keys + SSE hot-reload for connected agents
- Self-host when shared team visibility is needed
- Design partners start from concrete production workflows
Best for: team visibility, approvals, and audit trails
Discuss design partner fit
Architecture
Data flow
- Agent: AI Agent
- Enforcement: Edictum Library
- Execution: Tool
- Operations: Edictum reference stack API, PostgreSQL, Redis, App / Slack / Telegram
Quick start
Get started in three steps
```shell
pip install edictum[yaml]
```

```yaml
apiVersion: edictum/v1
kind: Ruleset
metadata:
  name: quickstart
defaults:
  mode: enforce
rules:
  - id: block-sensitive-reads
    type: pre
    tool: read_file
    when:
      args.path:
        contains: ".env"
    then:
      action: block
      message: "Sensitive file '{args.path}' blocked."
```

```python
from edictum import Edictum
guard = Edictum.from_yaml("rules.yaml")
# Use with Python, TypeScript, or Go adapters
```

Want fleet visibility?
The API/app reference stack can ingest decision logs, route approvals, and show fleet state. Design partners should start with a concrete production-agent workflow.
Discuss design partner fit
Graceful degradation.
Never silent failure.
| Scenario | Behavior | Agent Impact |
|---|---|---|
| Reference stack unreachable | Fall back to local cache | None if cached |
| Local cache empty | Fall back to embedded YAML | Reduced coverage |
| No rules loaded | Block-all (fail-closed) | All calls blocked |
| Redis down | Postgres-only mode | SSE delayed |
| Postgres down | Local-only enforcement | No persistence |
| Malformed ruleset pushed | Reject, keep previous | No impact |
| Invalid ruleset version | Reject + alert | No impact |
| Network partition | Local enforcement continues | Full coverage |
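
The fallback order in the table, modelled as an added Python example (not Edictum's own code or API). Parsed rulesets are represented as plain dicts, the names `LocalGuard`, `is_valid` and the source labels are hypothetical, and only the quickstart's `contains` condition is evaluated.

```python
# Added illustration, not Edictum's implementation. Models the table's fallback
# order with plain dicts standing in for parsed rulesets (constructed sample data).
QUICKSTART = {"kind": "Ruleset", "rules": [{
    "id": "block-sensitive-reads", "type": "pre", "tool": "read_file",
    "when": {"args.path": {"contains": ".env"}},
    "then": {"action": "block"}}]}

def is_valid(ruleset):
    """Assumed minimal schema check: a Ruleset dict with a non-empty rule list."""
    if not isinstance(ruleset, dict) or ruleset.get("kind") != "Ruleset":
        return False
    rules = ruleset.get("rules")
    return isinstance(rules, list) and bool(rules) and all(
        isinstance(r, dict) and r.keys() >= {"id", "tool", "when", "then"} for r in rules)

class LocalGuard:
    def __init__(self):
        self.active, self.source = None, "none"   # None = no rules loaded

    def load(self, *sources):
        """sources: (name, zero-arg callable) pairs, tried in order."""
        for name, getter in sources:
            try:
                candidate = getter()
            except OSError:          # source unreachable: try the next one
                continue
            if self.push(candidate, name):
                break
        return self.source

    def push(self, candidate, name="remote"):
        """Accept a ruleset only if it validates; otherwise keep the previous one."""
        if not is_valid(candidate):
            return False
        self.active, self.source = candidate, name
        return True

    def check(self, tool, args):
        if self.active is None:      # fail closed: nothing loaded, nothing runs
            return "block"
        for rule in self.active["rules"]:
            if rule["tool"] != tool:
                continue
            # Only the quickstart's `args.<field>: {contains: ...}` form is handled.
            if all(cond["contains"] in str(args.get(key.split(".", 1)[1], ""))
                   for key, cond in rule["when"].items()):
                return rule["then"]["action"]
        return "allow"
```

Calling `load` with an unreachable remote, an empty cache and an embedded ruleset ends on the embedded source; a malformed `push` afterwards returns `False` and leaves that ruleset active.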
Observability
Built-in telemetry
OpenTelemetry
Every decision emits a span with tool name, decision, rule ID, and latency.
Grafana
OTel examples and Grafana assets live in the edictum-demo repo.
Health check
GET /health returns status, version, uptime, db, and redis.
Structured logs
JSON format, configurable log level.
Notifications
Telegram, Slack, Discord, and webhook channels for alerts. Telegram callbacks are interactive today.
Approval callbacks
Telegram approval callbacks post decisions back to the API when EDICTUM_BASE_URL is a public HTTPS URL.
Agent Setup
Agent connection variables
| Variable | Required | Description |
|---|---|---|
| EDICTUM_URL | Yes | Reference stack base URL for a self-hosted API/app stack |
| EDICTUM_API_KEY | Yes | Agent API key issued by the reference stack |
| EDICTUM_AGENT_ID | Yes | Stable agent identity used for audit, approvals, and drift |
| EDICTUM_ENV | No | Environment label sent with audit and ruleset subscriptions |
| EDICTUM_LOG_LEVEL | No | Local SDK logging level (default: info) |
| EDICTUM_ALLOW_INSECURE | No | Development-only override for local HTTP testing |
Hosting
Current options
OSS runtime
Start with the SDKs and Gate runtime. Enforcement stays local to the agent process.
Reference stack
Self-host the API/app reference stack for decision logs, approvals, ruleset versions, and replay.
Design partner pilot
For teams already running production agents that need controlled actions and audit evidence.