🛰️ Mission Engineering Hub

Agent Gateway v1.0

🏗️ System Architecture

Core Components

  • mission-hub-ui: Web console + chat (this page)
  • orchestrator: 8-step workflow engine (Temporal-style)
  • policy-engine: RBAC, env rules, change windows
  • agent-gateway: Authenticated REST API for all agents
  • agents/: 8 independently deployable agent services
  • observability: Prometheus, Loki, Tempo, Grafana
  • secrets: Vault + OIDC (Keycloak/Entra ID) + K8s RBAC

Tech Stack

  • Runtime: Kubernetes (prod + non-prod clusters)
  • CI/CD: GitHub Actions → Argo CD (GitOps)
  • Messaging: NATS / Kafka (inter-agent events)
  • DBs: Postgres (hub meta), Oracle, SQL Server
  • Auth: OIDC, mTLS between services, SPIFFE/SPIRE
  • Security: Vault, Trivy/Grype, OPA/Gatekeeper, Falco

🔄 "Build & Deploy" Workflow

8-step orchestration. Each step has a retry policy, a timeout, and compensation on failure.

📅 Production Rollout Phases

Phase 1 — Non-prod only
Hub, orchestrator, agent-gateway, agent-dev, agent-devsecops, agent-docs
Phase 2 — Infra & Security
agent-k8s-infra, agent-security (read-only), observability hardening
Phase 3 — DB & Higher Autonomy
agent-db, limited auto-remediation, controlled prod actions
Phase 4 — Full Mission Integration
All mission systems, accreditation pipelines, leadership dashboards

🔐 Policy Dry-Run

Check whether a task would be allowed before submitting.

☸️ Kubernetes Manifests

All manifests are in platform/k8s/. Apply with:

kubectl apply -f platform/k8s/namespace-and-netpol.yaml
kubectl apply -f platform/k8s/agent-deployments.yaml
kubectl apply -f platform/k8s/agent-policies-configmap.yaml

Network Topology

  • Namespace: mission-hub (PodSecurity: restricted)
  • Default rule: Deny all ingress + egress
  • Agent ingress: Only from agent-gateway pod
  • Agent egress: Observability namespace, Vault namespace, DNS
  • GitOps: Argo CD — auto-sync for non-prod, manual for prod
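
The default-deny, agent ingress and agent egress rules listed above, written out as NetworkPolicy objects. This is an added example, not the contents of platform/k8s/namespace-and-netpol.yaml; the pod labels and the namespace names observability and vault are assumptions.

```yaml
# Added example. Assumed (not from the page): the pod labels
# app.kubernetes.io/component=agent and app.kubernetes.io/name=agent-gateway,
# and the namespace names "observability" and "vault".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: mission-hub
spec:
  podSelector: {}                 # selects every pod in the namespace
  policyTypes: [Ingress, Egress]  # no rules listed, so both directions are denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: agents-allow
  namespace: mission-hub
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: agent
  policyTypes: [Ingress, Egress]
  ingress:
    - from:                       # only the gateway pod may reach an agent
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: agent-gateway
  egress:
    - to:                         # telemetry and secrets back ends
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: observability
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: vault
    - to:                         # cluster DNS only, on port 53
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
```

Because the default-deny policy also covers egress, the agent-gateway pod needs its own egress rule toward the agent pods; without it the ingress allowance on the agents is never reached.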

🔒 Security Controls

  • Identity: OIDC (Keycloak/Entra ID) — short-lived tokens
  • mTLS: All inter-service traffic; SPIFFE/SPIRE optional
  • K8s RBAC: Per-ServiceAccount; least privilege
  • Supply chain: Cosign image signing + SBOM (Syft/CycloneDX)
  • SAST/scan: Trivy/Grype — block on CRITICAL findings
  • Runtime: Falco anomaly detection
  • Policy: OPA/Gatekeeper — Conftest in CI
  • Audit: Every step: who, which agent, inputs/outputs, approvals

© 2008-2026 Barbrick Design