Platform Production Onboarding
Portal install, service credentials, key generation, MCP connectors, runtime lanes, and agent.md / skill.md handoff
This page is the production setup checklist for a new Mirror integration.
Gateway is the single hosted entry point. Agent Security (AgentIQ Identity and Policy Engine), Assurance (Discover, Governance, and Security Intelligence), VectaX Memory/VDB, Code Security (CodePrism), MCP, and connectors all inherit the same service credential, entitlement, telemetry, and audit contract.
1. Install From The Mirror Portal
Mirror SDK artifacts are private packages. Do not install production SDKs from public npm or PyPI. Use the exact version shown in Portal. Do not hard-code package versions in customer handoffs.
2. Create Service Credential
Service credentials are machine identity for hosted calls. They are not encryption keys. For new SDK users, prefer the SDK bundle download from create or rotate; it gives the SDK the URLs, credential id, license file references, and first-display secret in one local handoff.
Portal path:
- Open
Platform Access -> Service Credentials. - Create a credential for the project.
- Select the product profile: Gateway, VectaX/Memory, Agent Security, Assurance, Code Security, or key-management profile.
- Reveal
client_idandclient_secretonce. - Download the SDK bundle during create or rotate when a local SDK/agent needs the secret.
- Use the SDK bundle for normal clients, or exchange the credential manually only for raw HTTP automation.
The service-credential.json in the SDK bundle should be self-contained:
Existing credential row downloads are refresh bundles and should not reveal client_secret. Use create or rotate when a new local secret handoff is required.
Hosted routes derive tenant and project from the credential. Do not send caller-provided tenant headers in production integrations.
Before handing the bundle to an application team, run the same local verification path the SDK expects:
3. Generate Keys
Key Management is the user-owned crypto surface.
Portal path:
- Open
Platform Access -> Key Management. - Generate the needed key family.
- Keep private key material in the browser, local SDK keystore, or customer KMS.
- Export only public/evaluation/search/session material to Gateway when the selected workflow requires it.
- Export KMS handoff metadata when operations owns wrapping or escrow.
| Key family | Custody message |
|---|---|
| Encrypted compute | Private keys remain customer-owned. Gateway receives only explicit public/evaluation/bootstrap material. |
| PRE | Customer owns private keys. Gateway may receive transform grants and public keys. |
| FPE | Use local key custody or customer KMS references for production. |
| Vector/search | Customer or Gateway-managed key reference, scoped to service credential and collection. |
| Session/CEK | Wrapped/session material only, never broad long-lived raw secrets. |
4. Configure MCP And Connectors
MCP is a projection of Gateway tools. It is not a second product gateway.
Portal path:
- Open
Gateway -> Connectors. - Configure connector OAuth/config for Microsoft Graph/O365, ServiceNow, Memory, VDB, or tenant-specific adapters.
- Check readiness and evidence.
- Generate ChatGPT or Claude registration only after readiness passes.
- Let Gateway enforce service credential, AgentIQ Identity, Policy Engine, and audit context for all tool calls.
Useful checks:
5. Expose Memory And VDB Through Gateway
Memory and VDB are platform capabilities behind Gateway. Do not expose a second customer-facing memory gateway.
Hosted Memory/VDB use the same service credential and bearer token as Gateway chat:
Point get/delete and payload update are backend-native operations. Expose them only when the tenant backend enables them. The release smoke treats collection create, point upsert, vector search, text search, and collection delete as the public VDB contract.
Direct Memory/VDB SDKs remain valid for local/offline bundle internals, but production customer integrations should start with the hosted Gateway-backed facade.
The current release smoke treats these as the customer-facing Memory/VDB contract: collection list/create, point upsert, vector search, text search, Memory observe, and Memory recall. Backend-native point get/delete and payload update may be enabled by the tenant backend, but do not require customers to call direct Memory or VDB service URLs.
6. Select Runtime Lane
Runtime lanes are execution attributes, not separate products.
| Lane | Use |
|---|---|
provider_plain | external provider plaintext path |
plain | managed plain baseline path |
protected | managed end-to-end encrypted runtime path |
confidential | confidential-compute protected deployment |
fhe_local | local/customer-controlled end-to-end encrypted compute flow |
sdk_local | offline SDK execution |
Use the Gateway runtime registry and release gates before routing a workflow to a model. Prefer the routing catalog for model and lane discovery:
Provider-specific model endpoints remain supplemental live-inventory checks. Instruction-tuned chat models must be validated through chat/messages prompt rendering, not raw completion prompts.
7. Export agent.md And skill.md
Use Mirror Builder should produce both files for handoff.
agent.md describes:
- agent owner and identity
- service credential profile and scopes
- connectors/tools used
- runtime lane and model release gate
- guardrail and policy stages
- Discover and Governance evidence expectations
skill.md describes:
- Portal install command
- required environment variables
- SDK usage snippet
- MCP registration payload when needed
- key-generation requirements
- smoke command before use
Use these files when handing a workflow to ChatGPT, Claude, IDE agents, internal agent builders, or customer SecEng.
8. Observability, Usage, And Cost
All product surfaces emit the same mirror.telemetry.v1 shape through Gateway or the hosted /mapi telemetry facade.
Required fields for usage and cost views:
productSurface:gateway,vectax,identity,policy,discover,governance,codeprism,sdk,portal,lms, orcompliance-ingestertelemetryLane:trace,usage,audit,security-event,passive-analysis, orcostruntimeLane:provider_plain,plain,protected,confidential,fhe_local, orsdk_localinputTokens,outputTokens,totalTokensfor LLM/model operationsbillingUnit,billingQuantity, andestimatedCostUsdfor cost rollupsserviceCredentialIdin attributes for tenant-scoped filtering
Smoke events intentionally set estimatedCostUsd=0 and billingUnit=smoke_event. Real cost appears only when a live provider/runtime response includes usage data or the product emits a billable unit with a configured pricing map. If the Portal cost widget is empty, first check whether non-zero estimatedCostUsd events exist for the selected service credential and timeframe.
Useful checks:
9. Run Full Smoke
From the Mirror SDK workspace:
Full optional customer-facing coverage adds Portal, LMS, Memory/VDB, Governance evidence ingestion, Compliance ingester, and local SDK tests. It still uses the hosted /mapi surface; it does not require a direct runtime access.
Local SDK tests are on by default. Set MIRROR_SKIP_LOCAL_SDK_TESTS=1 only when validating a remote deployment from a machine without the SDK build environment.
Ops-only runtime-lane proof is separate. Keep direct runtime URLs, host identifiers, and infrastructure-specific evidence in internal release handoff documents, not customer-facing docs.
Governance Evidence
Platform services can submit normalized evidence through:
Supported sources are gateway, agentiq, policyengine, compliance-ingester, runtime-lane, discover, connector, sdk, and portal.