Enterprise Orchestra
Product

A real piece of infrastructure, drawn at the right level of detail.

Enterprise Orchestra is two things: a desktop application that runs on the operator's own machine, and a small daemon that gets installed on each managed server. Between them sits a relay that you control. The whole thing is designed so that no part of the stack — not even the relay we run — can read the work being done.

Architecture

Three pieces. Each does one thing.

01

Operator desktop

Tauri · Rust · React

The control plane. Holds your tenant passphrases, your Anthropic key, the workflow definitions, the live canvas. Tenants are separately encrypted SQLite databases on your own disk. Switching tenants doesn't stop the others: autonomous workflows keep running for every unlocked tenant whenever the desktop is alive.

02

Orchestra Agent

Go · systemd · 12 MB

One per managed server. Installs via a one-time SSH password that's immediately discarded. After enrollment it dials out — never accepts inbound. It executes signed commands, streams telemetry, and refuses anything not signed by the registered desktop. Quarantine via one click in the operator console.

03

GTM Command relay

Hono · Postgres · WebAuthn

The relay between desktop and agent. Sees opaque ciphertext, never plaintext. Operator team accesses it with hardware keys only. Hosts the audit metadata, manages install approvals, powers support sessions with explicit per-call consent tokens. Self-hosted by us; can be self-hosted by you on the Firm tier.
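How an agent can refuse anything not signed by the registered desktop, as an added Go example that is not Enterprise Orchestra's own code. The envelope fields, the choice of Ed25519, the replay counter and the `Enroll` helper are assumptions made for illustration; the page does not publish the wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Command struct { // hypothetical envelope; the real wire format is not on the page
	Server  string // agent the command is addressed to
	Counter uint64 // strictly increasing; blocks replay of a captured command
	Body    string // command line to execute
	Sig     []byte // Ed25519 signature over signedBytes()
}

// signedBytes quotes each string with %q, so field boundaries cannot shift.
func (c Command) signedBytes() []byte {
	return []byte(fmt.Sprintf("%d %q %q", c.Counter, c.Server, c.Body))
}

type Agent struct { // pins the desktop public key at enrollment
	Name    string
	Desktop ed25519.PublicKey
	last    uint64 // highest counter accepted so far
}

// Enroll stands in for enrollment: it returns the agent and the desktop's signer.
func Enroll(name string) (*Agent, func(Command) Command) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Agent{Name: name, Desktop: pub}, func(c Command) Command {
		c.Sig = ed25519.Sign(priv, c.signedBytes())
		return c
	}
}

// Accept is true only for a fresh command for this agent signed by the pinned key.
func (a *Agent) Accept(c Command) bool {
	ok := ed25519.Verify(a.Desktop, c.signedBytes(), c.Sig) && c.Server == a.Name && c.Counter > a.last
	if ok {
		a.last = c.Counter
	}
	return ok
}

func main() {
	a, sign := Enroll("prod-db-2")
	c := sign(Command{Server: "prod-db-2", Counter: 1, Body: "pg_dump appdb"})
	fmt.Println(a.Accept(c), a.Accept(c)) // accepted, then rejected as a replay
}
```

Because the relay only forwards ciphertext and holds no signing key, a compromised relay in this model can drop or delay commands but cannot mint one the agent will run.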

Workflow lifecycle

The half-hour from intent to running.

  1. You describe what you want done

    Plain language, in the chat panel of the desktop. "Every night at 3 AM, dump the Postgres on prod-db-2 to /backups, and alert me if any backup is older than 25 hours."

  2. You receive a workflow plan

    A directed graph of typed nodes: exec, file, claude, approval-gate, sleep, branch, notify. Each node names the exact server it runs on and the exact command. Destructive nodes require explicit approval gates.

  3. You edit and approve

    Drag, delete, add nodes. Edit prompts and commands directly. The estimated cost of running the workflow is shown before you click Run. Cost ceilings can pause execution mid-flight.

  4. The workflow runs

    Each node dispatches to the right agent over the encrypted channel. Output streams back into the canvas live. Errors are visual states; clicking them re-engages Claude with the failure context to propose a fix.

  5. The audit log records every step

    State transitions, command bodies, exit codes, costs, operator identity, approval decisions. Hash-chained. Exportable as signed JSON for the next compliance review.
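What "hash-chained" buys in step 5, as an added Go example that is not the product's own code: each record's hash covers the previous record's hash, so editing any past entry breaks verification from that point on. The record fields and the JSON-plus-SHA-256 encoding are assumptions, and the sample entries are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type Entry struct { // hypothetical audit record; field names are assumptions
	Seq      int
	Operator string
	Command  string
	ExitCode int
	Prev     string // hash of the previous entry, "" for the first
	Hash     string // SHA-256 over every field above
}

// digest hashes the entry with Hash blanked, so it covers Prev and the payload.
func digest(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // struct fields marshal in declaration order
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

func Append(chain []Entry, op, cmd string, exit int) []Entry { // number, link, seal
	e := Entry{Seq: len(chain), Operator: op, Command: cmd, ExitCode: exit}
	if len(chain) > 0 {
		e.Prev = chain[len(chain)-1].Hash
	}
	e.Hash = digest(e)
	return append(chain, e)
}

// Verify returns the index of the first entry that breaks the chain, or -1.
func Verify(chain []Entry) int {
	prev := ""
	for i, e := range chain {
		if e.Seq != i || e.Prev != prev || e.Hash != digest(e) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	c := Append(Append(nil, "alice", "approve backup", 0), "alice", "pg_dump appdb", 1)
	c[1].ExitCode = 0 // constructed tampering: hide the failed backup
	fmt.Println("first broken entry:", Verify(c))
}
```

A chain alone does not catch truncation of the tail or a full rebuild by someone who can recompute every hash, which is why the head hash has to be covered by the export signature or stored where the log writer cannot reach it.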

Tenancy

Multi-tenant by design, not by configuration.

Every tenant is a separately-encrypted island. The passphrase that unlocks tenant A cannot decrypt tenant B's database: each tenant's key is derived from a different secret through Argon2id with a different salt. Even if your laptop is stolen while tenant A is unlocked, tenant B remains sealed.

The desktop UI never displays data from two tenants at once. A color-coded accent band runs across the top of every screen showing which tenant is active, calibrated to be impossible to miss. Mistakes that other platforms make through tab-confusion are physically prevented here.

# desktop installation
Operator (you)
└── Install (one binary)
    ├── Tenant: Acme Corp           passphrase A
    │   ├── Department: Finance Ops
    │   │   ├── Server: prod-db
    │   │   └── Workflow: nightly-rec
    │   └── Department: DevOps
    │       ├── Server: api-eu
    │       └── Workflow: deploy-tag
    │
    └── Tenant: Northwind             passphrase B
        └── Department: Support
            └── Server: zoho-bridge
                └── Workflow: reply-route

The canvas

Errors are visual states, not log lines.

Topology

Every tenant, every server, every department in one force-directed graph. Live edges show traffic. Servers light up red the instant the agent stops responding.

Workflow DAG

Each running workflow is a graph on the canvas. Nodes change color as they progress: queued, running (sienna), succeeded (moss), failed (crimson). Clicking a failed node opens the failure record.

Timeline (Gantt)

Last 24 hours of workflow runs stacked, so you can see patterns: which workflows overlap, which always run long, which client has the noisiest pipeline.

Replay scrubber

Pull a slider backwards to reconstruct any tenant's state at any past second. For postmortems. For "what was running at 3:14 AM when the alert fired."

Process tree per server

Live ps-like view of what each agent is doing, with resources. Drill from the topology graph to a specific process on a specific server in two clicks.

Log waterfall

Multi-server tail, color-coded per source, with regex filter. The view you'd build yourself for an incident, ready before the incident.

The right way to evaluate this is to watch it run.

Most enterprise software demos are slide decks. Ours is a real workflow, deployed live, against a real server of yours, on a 30-minute call. No commitment, no follow-up sales sequence.
