Agent Mesh Topology
Active agents
23
Denied calls
142
24h
Latency
18ms
p99
Deterministic Permissions
| Agent | Scope | Decision |
|---|---|---|
| Orchestrator | read:crm | Allow |
| Research | write:erp | Deny |
Short-lived Tokens
SPIFFE-style identity per agent invocation.
OPA Policy Sets
Rego v2Signed bundlesGitOps
Threat Detections
- Blocked lateral tool hop agent-7 → agent-2
- Rate limit on embedding exfil attempt
Workload Identity
SVC-agent-orch
mTLS valid
Decision Logs
Every tool call recorded with policy version hash.
Mesh config
Default deny · break-glass requires dual approval