SCALE: 1:1 | REV: 0.5.6
SHEET 1 OF 1
Hortator
Agents that spawn agents — with guardrails
A Kubernetes operator for autonomous AI agent hierarchies
Agents that spawn agents — with guardrails
A Kubernetes operator for autonomous AI agent hierarchies
Hortator is a Kubernetes operator that manages the full lifecycle of autonomous AI agents. Agents run in isolated Pods, spawn sub-agents at runtime, and report results up a hierarchy — all with budget enforcement, security boundaries, and health monitoring built in.
Framework-agnostic. Build your agents with LangGraph, CrewAI, AutoGen, or plain Python. Hortator doesn't make your agents smarter — it stops them from blowing up your cluster and your budget.
# Agent decides it needs help — spawns a sub-agent at runtime
$ hortator spawn \
--prompt "Review auth module for SQL injection vulnerabilities" \
--role security-reviewer \
--cap shell,web-fetch \
--wait
# Sub-agent spawned as isolated K8s Pod, results flow back via /inbox
✓ Task auth-review-7x8k2 completed in 47s
# Full CLI for lifecycle management
$ hortator tree auth-review-7x8k2
$ hortator result auth-review-7x8k2
$ hortator logs auth-review-7x8k2
Named after the officer on Roman galleys who set the rowing rhythm. The task tree emerges from the work — it's not predetermined like a CI/CD pipeline.
Decomposes complex problems. Spawns centurions.
Delegates to legionaries. Collects and synthesizes results.
Executes a single focused task. Writes results and exits.
/outbox/ → Operator copies to parent's /inbox/ → Parent resumes with new context Agents never talk directly. The operator brokers all communication via structured filesystem conventions.
Static DAGs — the entire workflow is defined upfront. Every step, dependency, and branch is known before the pipeline runs.
Dynamic spawning — agents decide during execution what sub-tasks to create. The task tree emerges from the work.
Use Argo when you know the workflow ahead of time. Use Hortator when AI agents make runtime decisions.
Each agent gets its own Pod with NetworkPolicies generated from capabilities. Children inherit parent permissions and cannot escalate. Namespace restrictions via label selectors.
Token and cost limits per task with three-phase wind-down: warning at 80%, soft ceiling with grace window, then auto-checkpoint. Partial results are always preserved — no work is lost.
Behavioral analysis catches looping agents — low tool diversity, repeated prompts, stale state. Auto-kill or escalate to a supervisor. Per-role thresholds.
Task hierarchy maps directly to distributed traces. See the full agent tree in Jaeger, Tempo, or Datadog. Plus Prometheus metrics out of the box.
Three-phase PVC lifecycle: ephemeral (auto-cleanup via TTL) → promoted (agent marks important results) → retained (long-term institutional memory with tag-based discovery).
Exponential backoff with ±25% jitter prevents thundering herds. Automatic classification of transient vs. logical failures — only retries what makes sense.
Pre-warmed, generic pods sit idle and get claimed instantly when tasks arrive. Sub-second task assignment instead of waiting for image pulls and container startup. Opt-in with background replenishment.
Content-addressable deduplication using SHA-256(prompt+role). If the same task was completed before, return the cached result instantly. In-memory LRU with TTL. Opt-out per task via annotation.
Use the CLI inside pods, or integrate Hortator into your existing agent framework via the OpenAI-compatible API gateway.
pip install hortator npm install @hortator/sdk OpenAI-compatible API gateway —
use any OpenAI client library to interact with Hortator. Model field maps to AgentRole
(model: "hortator/research-agent").
SSE streaming, bearer auth, aggregate token usage across sub-agents.
Deliver files to agents on spawn. Mount reference documents for retrieval-augmented generation workflows.
Structured extraction + summarization fallback. Graceful degradation when windows fill up — "agent reincarnation."
Static, LiteLLM, or tier-aware routing. Works with Ollama, vLLM, and any OpenAI-compatible endpoint.
Per-task reasoning depth hints (low/medium/high). Match cognitive effort to task complexity.
Reusable behavioral archetypes — rules, anti-patterns, default tools. Namespace or cluster-scoped.
spawn, status, logs, result, cancel, list, tree, retain, budget-remaining, progress. JSON output for scripting.
Comprehensive values.yaml. Three-tier override: Helm defaults → AgentRole → AgentTask. GitOps-friendly.
First-class K8s ecosystem support. Unit-tested controller, gateway, pod builder, policy engine, warm pool, and result cache.
Configure the operator, define roles and policies, set budgets and security boundaries.
Spawn sub-agents, check status, get results — through the CLI or native SDKs. Never touch YAML.
Kubernetes 1.28+, Helm 3.x, and an LLM API key. That's it.
# Install the operator
$ helm install hortator oci://ghcr.io/hortator-ai/hortator/charts/hortator \
--namespace hortator-system --create-namespace \
--set models.default.endpoint=https://api.anthropic.com/v1 \
--set models.default.name=claude-sonnet-4-20250514
# Create a namespace and API key secret
$ kubectl create namespace hortator-demo
$ kubectl create secret generic anthropic-api-key \
--namespace hortator-demo \
--from-literal=api-key=sk-ant-...
# Run your first task
$ kubectl apply -f examples/quickstart/hello-world.yaml
# Watch it work
$ kubectl get agenttasks -n hortator-demo -w
$ kubectl logs -n hortator-demo -l hortator.ai/task=hello-world -c agent
When your security team asks "what happens if the AI leaks customer data?" — you'll have an answer. Enterprise adds the controls that make AI adoption possible in healthcare, finance, defense, and government.
Everything below ships in the OSS core today. Enterprise adds dedicated support, SLA, and advanced integrations for regulated environments. Start with open source — upgrade when compliance demands it.
Namespace-scoped governance constraints that individual tasks cannot override. Control allowed capabilities, max tier, budget ceilings, permitted images, egress allowlists, and concurrent task limits.
Self-hosted data loss prevention powered by Microsoft Presidio (MIT). Deployed as a centralized service in the hortator-system namespace — agents call it via internal endpoint, no sidecar overhead per pod.
Authoritative cost tracking across the full agent hierarchy via LiteLLM proxy. Route between cloud and local models based on cost, availability, or task complexity. Centralized key management and rate limiting.
OSS includes self-reported budget tracking per task. Enterprise adds authoritative cross-hierarchy tracking.
OTel-based audit events for every tool call, model request, and agent spawn — exported as CEF via OTel Collector. Task hierarchy maps to distributed traces for full lineage.
Start with open source. Add enterprise controls when compliance demands it.
| Feature | OSS MIT | Enterprise Contact us |
|---|---|---|
| Operator + AgentTask / AgentRole CRDs | ||
| CLI + Helm chart + SDKs (Python, TypeScript) | ||
| Tribune / Centurion / Legionary hierarchy | ||
| NetworkPolicies + RBAC + capability inheritance | ||
| Budget enforcement + stuck detection | ||
| Warm pod pool + result cache | ||
| OTel traces + Prometheus metrics | ||
| OpenAI-compatible API gateway | ||
| AgentPolicy CRD (namespace governance) | — | |
| Presidio PII detection (centralized service) | — | |
| LiteLLM proxy (authoritative budget + routing) | — | |
| SIEM-ready audit logs (CEF export) | basic OTel | CEF + SIEM |
| Support | community | SLA |
Or just run the OSS version — it's pretty good too.