Documents are loading...

Getting Started

Runtime Lane Proof

How to prove runtime lanes through one Gateway and SDK contract

Mirror exposes runtime lanes as execution choices behind Gateway. They are not separate customer gateways.

The proof target is one service credential, one hosted /mapi surface, one Gateway registry, and the runtime lanes enabled for your tenant.

Required lanes

LanePurposeProof
provider-plainProvider-backed model access through Gatewayhealth, model list, chat completion, usage telemetry
protectedEncrypted/end-to-end encrypted runtime through Gatewayhealth, release-enabled model list, chat/messages validation, evidence summary
plainPlain baseline runtime through Gatewayhealth, model list, chat completion parity
confidentialConfidential-compute protected deployment when enabledattestation or evidence summary, model list, chat completion
fhe-localCustomer-controlled local FHE flow when enabledlocal key proof, encrypted payload proof, local decrypt proof

Implementation sources

LaneImplementation sourceCustomer entry point
Provider laneMirror-managed provider adapterGateway /mapi, SDK, Portal, MCP, or CodePrism local agent
End-to-end encrypted laneMirror-managed encrypted runtimeGateway /mapi, SDK, Portal, MCP
Plain laneMirror-managed baseline runtimeGateway /mapi, SDK, Portal, MCP
Local/FHE laneCustomer-controlled SDK/runtimeSDK and customer environment

Do not expose any implementation source as a second customer gateway. Evidence is owned by the Gateway lane and correlated into Observability and Governance.

Gateway registry checks

Use these hosted checks first:

GET /mapi/v1/gateway/registry/runtime-lanes
GET /mapi/v1/gateway/registry/runtime-models
GET /mapi/v1/gateway/registry/guardrails
GET /mapi/v1/gateway/mcp/summary/evidence?serviceCredentialId=<id>

The registry should show:

  • lane id from the platform registry
  • protection mode
  • deployment target
  • release-enabled model list
  • guardrail model mapping
  • evidence availability

Customer-Facing Proof

Use hosted SDK calls for customer-facing proof. Direct runtime URLs are for operations only.

Expected proof:

  • service credential is valid and scoped
  • registry returns release-enabled models for the selected lane
  • SDK call returns a model response
  • Observability shows the trace under the same service credential
  • Governance evidence can be ingested when the workflow requires a release record
import { Mirror } from '@mirror/sdk';
 
// new Mirror() reads MIRROR_SERVICE_CREDENTIAL_FILE from env; the service credential
// binds every hosted call to the tenant + entitlements minted in the portal.
const client = new Mirror();
 
const catalog = await client.routing.catalog({
  surface: 'gateway',
  includeLiveModels: false,
});
 
const reply = await client.chat.completions.create({
  model: 'gemma-4-e2b-it',
  runtime: 'protected',
  messages: [{ role: 'user', content: 'Return exactly: MIRROR_OK' }],
});

Instruction-tuned chat models must be validated through the chat/messages path. Raw completion prompts are not a valid release gate for chat checkpoints.

Governance handoff

After lane proof, ingest evidence:

POST /mapi/v1/governance/evidence/ingest

Use source=runtime-lane and include:

  • lane id
  • model id
  • health result
  • model-list result
  • chat smoke result
  • attestation or evidence summary when available
  • deployment reference, but not private keys, host credentials, bearer tokens, or raw secrets

Non-goals

  • Do not create a second customer-facing Gateway for runtime lanes.
  • Do not route production users directly to runtime host ports.
  • Do not validate instruction/chat models with raw completion prompts.
  • Do not expose internal deployment topology in customer docs, SDK output, or Portal copy.

On this page