End-to-End Agent Workflow
One walkthrough showing how AgentIQ Identity, AgentIQ Policy, Mirror VectaX, Gateway, Code Prism, and DiscoveR fit together
This walkthrough shows the composed path reviewers asked for: agent identity, runtime policy, protected application flows, code security, and red-team validation.
The flow
The application or orchestrator obtains subject context, registers or selects the agent from the registry, and requests a short-lived scoped token.
Prompts, tool calls, retrieval results, and outputs pass through policy checks in shadow mode or enforce mode.
The runtime checks connector readiness, MCP server health, tool inventory, and skill attachments before external actions are available to the agent.
The agent uses Gateway-backed inference, memory, vectors, FPE, PRE, RBAC, or FHE workflows without treating all data as ordinary plaintext traffic.
DiscoveR scans MCP/tool paths, prompt injection, retrieval abuse, and code-security patterns; Governance records the smoke and release evidence.
Example composition
AgentIQ Identity: issue a scoped token
AgentIQ: protect the workflow
Mirror VectaX: retrieve and answer
Agent Extensions: check tools and skills
DiscoveR and Governance: validate the resulting assistant
Registry and security model
Use Mirror Builder should generate agent.md and skill.md from the same source of truth:
| Surface | Owner | Output |
|---|---|---|
| Agent registry | AgentIQ Identity | agent id, owner, scopes, delegated token contract |
| Connector registry | Agent Extensions | configured connectors, OAuth status, tool readiness |
| MCP registry | Agent Extensions | ChatGPT/Claude/IDE tool registration bundle and server health |
| Runtime registry | Gateway | provider, end-to-end encrypted, plain, confidential, local/offline SDK, and FHE lanes |
| Policy and guardrails | AgentIQ Policy Engine | input, output, tool, code-agent, and connector policies |
| Scans and evidence | DiscoveR + Governance | MCP security scans, code-security scans, red-team results, release evidence |
The customer-facing entry point remains Gateway and the hosted /mapi SDK facade. Product services can exist behind it, but agent builders should not expose separate customer gateways for Memory, VDB, MCP, or runtime lanes.
Where to branch next
- AgentIQ Identity SDK and API
- Agent Extensions SDK and API
- AgentIQ Policy Engine SDK and API
- Mirror VectaX Surface Examples
- DiscoveR SDK and API
- Runtime Lane Proof
Use this composed path when you need the full agent stack. If you only need one layer, start from the product-specific docs instead.