
Cryptocurrency investment firms Paradigm and Tempo jointly open-sourced Centaur on May 21. It is a self-hosted, multi-user collaborative AI Agent runtime framework that has been widely used across multiple departments within Paradigm, such as investment and engineering, since January. Centaur operates as a set of “shared virtual employees” and can be invoked via Slack threads or APIs.
Security architecture: Iron Proxy injects credentials at the network layer
Centaur’s core security design is that “the Agent never holds API keys.” All credentials are stored centrally in an isolated key manager. An Iron Proxy firewall sits between each sandbox container and the external network. When the Agent sends a request to an external API, the firewall identifies the target host, retrieves the corresponding credentials from the key manager, injects them into the outbound request headers, and forwards the request. The Agent sees only the API responses and never obtains the raw key values. The firewall records all outbound requests and scans LLM API responses in real time to detect and mask leaks.
Service architecture: Slackbot, FastAPI, Postgres, and sandbox containers
Centaur uses a stateless service architecture, with all state persisted to Postgres, so restarting any service does not lose context. Core components include: a Slackbot (a Next.js webhook listener), a FastAPI control plane (to manage Agent session lifecycles and tool endpoints), and a dedicated sandbox container for each Slack thread (preloaded with Node.js, Python, Rust, and Git, with access restricted to the internal network). The workflow engine records task progress using Postgres checkpoints at the step level. After a crash, it precisely restores from the last completed step, without re-running completed work. The design inspiration comes from Absurd’s Postgres-driven architecture.
Extension mechanism: open interfaces for tools, skills, and workflows
Centaur’s extension mechanism consists of three parts. Tools are Python-based; once placed in the tools/ directory, they are automatically discovered by the API and REST endpoints are generated, supporting hot reload. Tools declare the API hosts and credentials they need in pyproject.toml so they can work with firewall-based injection. Skills are .agents/skills/*/SKILL.md files; after adding them, each Agent session automatically inherits them. Workflows are Python files under the workflows/ directory, supporting cron scheduling, API triggering, and workflow composition. Enterprises can mount Docker images via an Overlay approach to provide company-specific tools and skills. Centaur performs daily self-reflection to automatically improve skills and tools without modifying the core code.
Common questions
How does Centaur ensure API keys are not stolen by the Agent?
All API keys are stored in an isolated key manager, and the Agent does not hold keys in environment variables, on disk, or in memory. The Iron Proxy firewall injects credentials at the network layer. Network policies force all outbound traffic to pass through the firewall, and all outbound requests are logged and scanned. Even if the Agent is subjected to a prompt injection attack, the attacker cannot extract the key values.
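The injection flow described in the security architecture section and in this answer, sketched as an added example; this is not Centaur's or Iron Proxy's code. Every name, host and secret below is hypothetical or constructed, and the deny-by-default handling of unlisted hosts and non-HTTPS URLs is an assumption of the sketch.

```python
# Added illustration: all names below are hypothetical, not Centaur's code.
from urllib.parse import urlsplit

# Constructed sample data: key manager contents and per-host injection rules.
VAULT = {"github": "ghp_CONSTRUCTED_EXAMPLE_TOKEN", "llm": "sk-CONSTRUCTED-EXAMPLE-KEY"}
RULES = {  # destination host -> (credential name, header, value template)
    "api.github.example": ("github", "Authorization", "Bearer {secret}"),
    "api.llm.example": ("llm", "x-api-key", "{secret}"),
}
AUDIT_LOG = []  # every outbound request is recorded, allowed or not


def forward_outbound(url, headers):
    """Return the headers to send upstream, or None if egress is denied."""
    parts = urlsplit(url)
    # .hostname ignores any userinfo before '@', so the real destination is matched
    host = (parts.hostname or "").lower()
    rule = RULES.get(host) if parts.scheme == "https" else None
    AUDIT_LOG.append({"host": host, "allowed": rule is not None})
    if rule is None:
        return None  # unlisted host or plaintext scheme: never attach a secret
    name, header, template = rule
    # Drop any value the agent supplied for the auth header (case-insensitive)
    out = {k: v for k, v in headers.items() if k.lower() != header.lower()}
    out[header] = template.format(secret=VAULT[name])
    return out


def redact_response(body):
    """Mask any vault secret echoed in a response before the agent sees it."""
    for name, secret in VAULT.items():
        body = body.replace(secret, f"[REDACTED:{name}]")
    return body
```

The host match is exact and made on the parsed hostname, so a URL that merely contains an allowed name (in the userinfo part or as a subdomain prefix of another domain) receives no credential.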
How does Centaur’s workflow engine implement crash recovery?
The workflow engine persists the execution status of each step to Postgres checkpoints. If the system crashes during execution, the engine recovers precisely from the last completed step, without re-running completed steps and without losing intermediate results. Waiting times between steps (such as a 24-hour sleep) generate no resource overhead. When the wait expires, the engine automatically wakes up the workflow.
What parts are currently open-sourced, and what are the future plans?
The open-sourced content includes the core service code (API, firewall, key manager) and the extension template repository. Centaur’s architecture deliberately separates the core from the user space (tools, skills, workflows). The project says that future plans include further strengthening user-space capabilities, but no specific feature roadmap or timeline has been announced yet.