Skip to main content

Alexandria EE

Alexandria EE is the Enterprise Edition of the Alexandria LLM orchestration platform. It sits in front of any OpenAI-compatible inference endpoint and enforces multi-layer access control, audit, and tenancy guarantees that commercial wrappers don't provide.

What's in EE

  • OIDC / SAML federation — enterprise SSO with JIT provisioning, plugged into the existing JWT / RBAC layer
  • SCIM 2.0 — automated user and group lifecycle from your identity provider
  • Multi-tenancy — per-tenant isolation with tenant-scoped permission ceilings, WebAuthn, and audit chain
  • Postgres storagepgx/v5 canonical store; Rust orchestrator reads and writes over gRPC
  • Vault KV v2 secrets backendSecretsBackend trait implementation
  • WebAuthn / FIDO2 — passkey authentication for admin users
  • Memcached tool cache — gated on the memcached_cache entitlement
  • Changeset tracking — config-diff with rollback
  • Vector index — FAISS-backed gRPC sidecar for embedding and semantic search

Deployment shapes

Alexandria EE ships in two intentionally non-equivalent product tiers.

ShapeTargetTier
HelmKubernetes (GKE, EKS, AKS, on-prem)Higher — full feature set, compliance-friendly
QuadletSingle Linux host (VM, bare metal)Lower — core API on systemd; no SSO, no SCIM, no multi-tenancy

See Deployment Shapes for the full feature matrix.

Architecture in one diagram

CLI / Web UI / SDK


   Go API (api-go/)              ← chi router, JWT, RBAC, MCP bridge

   ┌────┴────┐
   │         │
gRPC       Postgres              ← canonical store (Go-side migrations)


Rust Orchestrator (alexandria)   ← QueryPipeline, BackendClient, WorkflowExecutor


   Inference Backend (any)       ← OpenAI / llama.cpp / Claude / vLLM / custom

Go owns persistence, HTTP, middleware, auth, and MCP. Rust owns orchestration, the LLM streaming pipeline, and tool dispatch. The gRPC boundary between them is stable and intentional.

Where to go next