GOVERNED AGENTIC MESH. ONE FRONT DOOR FOR EVERY AGENT.

When a security lead asks which agents can call which MCP servers today, an ad-hoc mesh cannot answer. Configs scatter across repos, YAML files, and deployment scripts. The agent registry loads every enabled agent from the services config at startup and serves them over two stable routes. GET /api/v1/agents/registry returns agents. GET /api/v1/mcp/registry returns MCP servers. One query, one list, auditable in seconds.

Each agent in the registry exposes an AgentCard. An AgentCard is the A2A (agent-to-agent) protocol's machine-readable profile. It lists capabilities, declared security schemes, transport protocols, and the OAuth scopes the agent will demand before it answers. The registry also advertises the well-known discovery URL /.well-known/agent-cards, so an outside A2A client discovers the mesh the same way an internal one does. There is no second, undocumented discovery surface.

For an engineer auditing the surface, the agent list, the MCP server list, and the AgentCard contents all resolve to the same config the binary booted from. An agent that is not in the registry is not reachable over A2A. The mesh boundary is the same as the config boundary.

Once agents can call each other, a stolen token or a misconfigured client becomes a way to skip the governance pipeline your tool calls already run through. A2A traffic on systemprompt.io uses JSON-RPC 2.0, a small schema-validated request and response envelope. Typed methods cover message send, streaming message, task query, and task cancel. Every request hits the same JWT validation path before any agent logic runs.

The governance bind lives in the A2A auth module. It calls the same JWT provider that every other request uses, decodes the claims, and then checks that the token carries the a2a audience. A token issued for browser login or MCP tool calls is rejected here. A session cookie lifted from a dashboard cannot be replayed as an agent-to-agent call. The check lives next to the handler, not in a separate proxy that an attacker could route around.

For the team building multi-agent workflows, messaging, streaming, task status, and cancellation are defined by a published protocol and backed by typed JSON-RPC errors (parse error, invalid request, method not found, invalid params, internal error). No homegrown coordination primitive to maintain. Every transit is logged against a verified identity. Staff engineers can verify the audience check in source at the line reference below.

A compromised service account that can silently talk to every agent is the kind of finding that ends a SOC 2 renewal. On the mesh, each A2A token is a JWT scoped to a single user with the a2a audience, issued with a one-hour expiry. The short lifetime is a deliberate trade-off, long enough for a multi-step workflow to complete, short enough that a leaked token is a minor incident rather than a standing backdoor.

At request time the validator pulls the JWT provider from the shared OAuth state, verifies the signature, decodes claims, confirms the a2a audience, and then (when a user provider is configured) checks that the user still exists and is active. A deactivated employee's agent token stops working on the next call, with no cache to invalidate. The claims expose has_permission, has_role, and has_audience helpers, so handlers make authorization decisions from the token itself rather than a round-trip to the database.

For a CISO asking whether user isolation can be proven in an audit, every authenticated A2A call carries the username and user_type in the traced claims. The validation module emits a structured tracing event on every successful authentication. The same JWT secret minimum (32 characters, enforced at startup) that protects browser sessions protects mesh traffic.

Giving an agent raw database access is how audit findings happen. Giving it a thin REST API is how integration work never ends. The mesh lets agents reach domain state through registered MCP tools. Every call carries a declared name, a JSON schema for inputs, and a permission check before execution. The tool layer is where the governance pipeline already lives. Agent access and human-driven tool use share one policy surface rather than two.

When an agent invokes a tool, the A2A handler resolves the call through the same tool executor the MCP surface uses. That means input validation against the tool's declared schema, per-user permission enforcement, and an audit row written before the response returns. The behaviour that proves this lives in the agent domain's MCP integration module, named in the reference below.

For a CTO weighing build-vs-buy, building this in-house means writing a per-tool permission layer, a typed request and response envelope, an audit writer, and a discovery surface. The mesh ships all four in one binary. Staff engineers verify the tool executor path in source, CISOs read the audit rows, and product teams wire agents without re-implementing any of it.

External MCP clients that connect over side channels are the classic governance hole. They work, they skip the audit log, and nobody knows about them until a post-incident review. On the mesh, external clients (Claude Desktop, ChatGPT, any MCP-compatible client) authenticate through the same JWT path that internal agents use. The registry that lists your internal agents is the registry they discover against. There is one front door, and it is audited.

Transport is streamable HTTP, the transport modern MCP clients speak natively. Point the client at the mesh, complete the OAuth flow, and its calls start landing in the same JWT audience check and tool executor path described above. An external client cannot do anything an internal agent with the same claims could not also do. The policy you wrote for internal traffic covers external traffic for free.

For a CISO, every external connection is a user-scoped token with the a2a audience, traced through the same validation emit and logged through the same audit writer. For a CTO, the internal and external surfaces share one codebase. A governance change to one applies to the other without parallel work.