The policy point belongs in the VM
Wrappers, charts and webhooks can only select behaviour the runtime already exposes. Production-evidence and compliance requirements that fall outside that set have to be built into the runtime itself. That is what Eliya does, across four phases.
Observability by Design
Heap dump on OOM, native memory tracking, crash log path, and JFR one flag away, all configured by default via -XX:EliyaProfile=Production. Continuous 24-hour recording and unified GC logging land in Phase 2, putting the last day of execution profile on disk before failure. Performance impact: ~1–2% steady-state.
Local-Only Diagnostics
All diagnostic capture and (Phase 2) analysis runs on your infrastructure. No SaaS dependencies, no telemetry, no phone-home. Runs alongside whatever APM you're already using; Eliya provides forensic data APM tools structurally cannot.
Conservative Engineering
Eliya tracks the upstream OpenJDK source tree (openjdk/jdk25u) exactly, preserving API semantics. The upstream OpenJDK 25 source passes the Java SE 25 TCK; an independent TCK run of the Eliya binary itself is a Phase 2 deliverable. It is a hardened build, not a diverging fork.
Operational Cadence
Security requires velocity. Eliya ships quarterly Critical Patch Updates within two weeks of each upstream OpenJDK release. Critical CVEs target one-week turnaround. GPLv2 with Classpath Exception, same licence as upstream.
Eliya for your industry
The premise is the same in every regulated sector: some production-evidence and compliance requirements cannot be set from outside the runtime. What differs is the requirement each industry hits first.
Telecom
Carrier-grade incident evidence across BSS and OSS, kept inside the operator perimeter.
Financial services
A heap dump of a payment service is at-rest cardholder data (PCI DSS 3.5.1), a dump-writer problem inside the VM.
Healthcare
Heap dumps and logs can hold PHI at rest; diagnostic capture stays local, never a SaaS.
Government
Protected crash-path logs, attestable flag origin, and data sovereignty.
What's actually different from upstream OpenJDK 25
Here's what Eliya changes vs. a vanilla OpenJDK 25 build, and what stays exactly upstream.
What Eliya gives you
- One opt-in flag,
-XX:EliyaProfile=Production, turns your JVM into a forensic recorder. Every run leaves audit-grade diagnostic data (JFR, heap dump on OOM, GC logs, native-memory accounting, crash artifacts) on disk in a predictable per-service path. ~1-2% steady-state overhead. - A diagnostic CLI on every install:
asymm eliya infoandasymm eliya doctorfor fast triage. Diagnostic directory pre-created and writable by the running user. - Quarterly upstream sync within two weeks of every OpenJDK CPU; one-week target for out-of-cycle critical CVEs.
- TCK posture: the upstream OpenJDK 25 source passes the Java SE 25 TCK; an independent TCK run of the Eliya binary is a Phase 2 deliverable.
- Compliance-conscious by design: local execution only, no SaaS dependencies, no telemetry, no phone-home. Diagnostic data stays on your hardware.
- Coexists with your existing APM. JVM forensic capture (HPROF heap dumps, JFR recordings, structured thread dumps) that APM tools structurally cannot produce. Runs alongside Datadog, New Relic, Dynatrace, AppDynamics, and Elastic APM without conflict. See JVM forensics vs APM for the architectural distinction.
- Phased roadmap with named deliverables: FIPS 140-3 variant (Bouncy Castle FIPS, CMVP cert #4943) and bundled diagnostic tooling (Eclipse MAT headless, async-profiler) in Phase 2; Asymm Forensics cross-correlation platform in Phase 3; compliance-aligned profiles (PCI DSS, HIPAA, SOX, FedRAMP, GDPR, ISO 27001, SOC 2) plus combined profiles for industries spanning multiple frameworks (Healthcare-Payment, Financial-SaaS, Federal-Defense) demand-gated for Phase 4. Full trajectory: roadmap.
What stays exactly upstream
- GC selection: JDK 25 ergonomics decide; Eliya does not pick a collector or set
MaxGCPauseMillis. - JIT, class loader, module system: identical bytes, identical behaviour.
java.securityin the standard build is bit-identical to upstream JDK 25. SSLv3 / TLS 1.0 / TLS 1.1 disabled, weak ciphers blocked, NIST-aligned key sizes: these are upstream defaults. Eliya does not duplicate them as “hardening” because performative duplication is dishonest. The file is bit-identical to upstream, verifiable withdiff. Compliance-aligned profiles (PCI DSS, HIPAA, SOX) are a Phase 4 deliverable, demand-gated by customer signal.- SunJCE provider order in the standard build. The Phase 2 FIPS variant is a separate artifact (
eliya-25-fips.tar.gz) with Bouncy Castle FIPS pre-installed; FIPS is not a configuration toggle on the standard build. - Java APIs, standard library, runtime semantics: built from the same source tree (
openjdk/jdk25u). If your application runs on upstream OpenJDK 25, it runs on Eliya unchanged. - GPLv2 with Classpath Exception, same licence as upstream OpenJDK.
Full enumeration with exact flag values and patch locations: Differences from upstream OpenJDK 25
Install and activate observability
Install paths for every deployment shape. Docker image (multi-arch) is ready now; tar.gz, DEB, and RPM packages download from GitHub Releases today; the hosted apt/yum repositories target Q4 2026; SDKman for developer machines is in submission (target Q2 2026).
# Run on Docker (multi-arch image)
# Download directly from GitHub Releases (bare-metal Linux)
# Developer machines: SDKman registration in progress (target Q2 2026)
sdk install java 25.0.3-eliya # Activate operational-readiness defaults (Phase 1)
Full installation guide: User guide · Verify your download: Verification
Phase roadmap
Four phases. Phase 1 ships today; Phase 2 (target H2 2026) and Phase 3 are planned; Phase 4 compliance profiles are demand-gated, shipping when customer signups indicate concrete need. Signups are a demand signal that helps set priority. Full trajectory and demand-gating mechanics: roadmap page.
| Phase | What ships | When | Status | Get notified |
|---|---|---|---|---|
| Phase 1 | Observability defaults via -XX:EliyaProfile=Production, Linux x64 + aarch64 binaries, Docker multi-arch images, FreeBSD Research Preview (planned, late 2026), asymm CLI Phase 1 surface | Now | Available | |
| Phase 2 | Bundled diagnostic tools (Eclipse MAT headless, async-profiler), FIPS variant build (Bouncy Castle FIPS, CMVP cert #4943), .deb / .rpm packages, hosted apt/yum repositories, macOS aarch64 binary (demand-gated), expanded asymm eliya CLI surface | Target H2 2026 | Planned | Notify me about Phase 2 deliverables |
| Phase 3 | Asymm Forensics: JVM diagnostic forensics platform with cross-correlation analysis (JFR + heap + thread + GC + crash artifacts analysed together), ML-based pattern detection, compliance reporting (PCI DSS, HIPAA, SOX), and Dial-aware analysis. Windows x64 ships alongside. | Target 2027 (post-Series A) | Planned | Notify me about Asymm Forensics |
| Phase 4 | Compliance-aligned profile values (EliyaProfile=PCIDSS, =HIPAA, =SOX, =FedRAMP, =GDPR, =ISO27001, =SOC2) plus combined profiles for industries spanning multiple frameworks (Healthcare-Payment for PCI DSS + HIPAA, Financial-SaaS for SOC 2 + ISO 27001, Federal-Defense for FedRAMP + CMMC) | Demand-gated | Demand-gated | Notify me about compliance profiles |
Pick your starting point
Start where your role does.