Watchlight AI Beacon Platform Overview

Version 1.0 | January 2026

---

Introduction

Watchlight AI Beacon is an enterprise platform for securing, discovering, and governing AI agent ecosystems. As organizations deploy autonomous AI agents across critical business processes, Beacon provides the infrastructure to ensure these agents operate within approved boundaries, maintain clear accountability, and comply with emerging AI governance requirements.

The platform addresses three fundamental questions that every organization deploying AI agents must answer:

1. Authorization: Is this agent permitted to take this action, and why?
2. Discovery: What AI capabilities are running in our environment?
3. Registry: Where is the authoritative source of truth for AI services?

---

Platform Architecture

---

Core Components

1. WL-APDP (Agentic Policy Decision Point)

Purpose: High-performance authorization engine that evaluates whether AI agents are permitted to execute specific actions based on declared intent, active goals, and organizational policy.

Key Capabilities:

Capability	Description
Intent-Based Access Control	Requires agents to declare why they are taking each action, not just what they want to access
Goal Management	Time-boxed, action-limited business objectives that scope all agent activity
Delegation Chains	Cryptographically-verifiable trust paths from human users to AI agents
Intelligent Policy Selection	20-30x performance improvement through automatic filtering of applicable policies
Cedar Policy Engine	Full Cedar 4.5.1 compliance for fine-grained authorization rules

Authorization Flow:

1. Agent declares intent → "Why am I taking this action?"
2. Goal validation      → "Is there an active, approved objective?"
3. Delegation check     → "Who authorized this agent to act?"
4. Policy evaluation    → "Do organizational rules permit this?"
5. Decision returned    → Allow/Deny with full audit context

Benefits:

• Complete Audit Trail: Every action is logged with the declared intent, associated goal, and delegation chain
• Scope Containment: Goals enforce hard limits on actions, duration, and permitted intent categories
• Human Accountability: Delegation chains trace every agent action back to a human approval
• Compliance Ready: Architecture designed for EU AI Act, NIST AI RMF, and industry frameworks
• Sub-millisecond Latency: Built in Rust for production-grade performance

API Surface:

Endpoint	Purpose
POST /authorize	Evaluate authorization request
GET/POST /policies	Manage Cedar policies
POST /policies/analyze	Analyze policy selection for debugging
GET /intents, GET /goals	Manage intent and goal lifecycle
GET /delegations	Manage delegation chains

---

2. WL-Discover (Discovery Scanner)

Purpose: Automated discovery daemon that scans for Model Context Protocol (MCP) servers running in the environment and registers them with the centralized registry.

Key Capabilities:

Capability	Description
Port Scanning	Configurable port range scanning for MCP server detection
Protocol Probing	MCP handshake validation to confirm server capabilities
Attestation Generation	Cryptographic attestations of discovered server metadata
Daemon Mode	Continuous discovery with configurable scan intervals
Local Caching	Persistent cache of discovered servers for offline operation

Discovery Flow:

1. Scan configured port ranges
2. TCP connection attempt
3. MCP protocol probe (initialize handshake)
4. Metadata collection (name, version, capabilities)
5. Attestation generation
6. Registration to Registry
7. Periodic heartbeats to maintain lease

Benefits:

• Automatic Inventory: Discovers MCP servers without manual configuration
• Continuous Monitoring: Daemon mode ensures real-time visibility of new services
• Trust Foundation: Attestations provide cryptographic proof of server identity
• Resilient Operation: Local cache ensures operation during registry unavailability

CLI Commands:

wl-discover scan          # Single discovery scan
wl-discover run           # Start daemon mode
wl-discover status        # Show cached servers
wl-discover print-config  # Display configuration

---

3. Registry (Centralized Service Catalog)

Purpose: Centralized backend service that maintains the authoritative registry of MCP servers, discovery scanners, and AI agents across the organization.

Key Capabilities:

Capability	Description
Server Registration	Upsert MCP servers with full metadata and capabilities
Lease-Based TTL	Automatic expiration of stale registrations
Capability Tracking	Index of tools and resources exposed by each server
Trust State Management	Lifecycle states: unverified, trusted, quarantined, revoked
Scanner Authentication	API key + scanner ID authentication for registration
Cursor Pagination	Efficient querying across large server populations

Data Model:

Scanners
   │
   └──▶ Servers (registered by scanners)
           │
           └──▶ Capabilities (tools & resources)

Trust States:

State	Description
unverified	Newly discovered, pending review
trusted	Approved for use by agents
quarantined	Temporarily suspended for investigation
revoked	Permanently blocked from use

Benefits:

• Single Source of Truth: Authoritative registry for all MCP infrastructure
• Automatic Cleanup: Lease-based TTL removes stale servers automatically
• Trust Governance: Security teams control which servers agents can access
• Capability Visibility: Understand what tools and resources are available

API Surface:

Endpoint	Purpose
POST /v1/servers/register	Register/update server (authenticated)
POST /v1/servers/heartbeat	Maintain server lease (authenticated)
GET /v1/servers	List all servers (public)
GET /v1/servers/{id}	Get server details (public)
PATCH /v1/servers/{id}/trust	Update trust state (authenticated)

---

4. Beacon Dashboard (Unified Management Interface)

Purpose: Web-based dashboard providing unified visibility and management across all Beacon platform components.

Key Capabilities:

Capability	Description
Policy Management	Create, edit, and test Cedar authorization policies
Server Monitoring	Real-time view of registered MCP servers and their status
Agent Visibility	Track active agents, their goals, and action history
Trust Management	Review and update server trust states
Audit Logs	Searchable history of authorization decisions
Compliance Reports	Generate reports for auditors and regulators

Benefits:

• Unified View: Single pane of glass for the entire AI infrastructure
• Self-Service Policy Authoring: AI-assisted policy generation and testing
• Operational Visibility: Real-time health and status monitoring
• Governance Workflows: Approval workflows for goals and trust changes

---

5. Python SDK & Framework Integrations

Purpose: Client libraries and integration examples for popular AI agent frameworks.

Supported Frameworks:

Framework	Integration
LangGraph	LangGraph authorized agents example
CrewAI	CrewAI authorized agents example
Python SDK	WL-APDP Python client

Integration Pattern:

from wl_apdp import AuthorizationClient, Goal, Intent

# Initialize client
client = AuthorizationClient(url="http://localhost:8081")

# Create a goal for the workflow
goal = client.create_goal(
    description="Analyze customer feedback for Q4 report",
    category="ResearchAnalysis",
    max_actions=100,
    requires_approval=True
)

# Authorize each tool call with intent
result = client.authorize(
    principal="Agent::researcher",
    action="Action::execute",
    resource="Tool::database_query",
    context={
        "intent_category": "DataAnalysis",
        "intent_objective": "Query sentiment scores",
        "goal_id": goal.id,
        "goal_status": "Active",
        "goal_action_count": 5,
        "goal_max_actions": 100,
    }
)

if result.decision == "Allow":
    # Execute the tool
    pass

Benefits:

• Framework Agnostic: Works with any agent framework via REST API
• Minimal Integration: Wrap existing tools with authorization checks
• Production Examples: Complete working examples for LangGraph and CrewAI

---

Key Differentiators

Intent-Based Authorization

Traditional authorization asks: "What can this identity access?"

Beacon asks: "Why is this agent taking this action, and does it align with approved objectives?"

Every authorization request includes:

• Intent: The declared purpose for this specific action
• Goal: The business objective this action serves
• Delegation Chain: The trust path from human to agent

Intelligent Policy Selection

Beacon's policy engine doesn't evaluate all policies for every request. Instead, it:

1. Extracts metadata from policies (principal patterns, action patterns, context requirements)
2. Filters to only applicable policies based on the request
3. Sorts by complexity to evaluate simpler policies first
4. Achieves 20-30x faster evaluation compared to naive approaches

Lease-Based Service Discovery

MCP servers don't stay registered forever. The lease-based model ensures:

• Stale servers automatically expire
• Active servers must heartbeat to maintain registration
• Security teams can quarantine or revoke servers immediately

Human-in-the-Loop Governance

Goals can require human approval before activation, ensuring:

• Humans review AI objectives before execution begins
• Clear accountability for AI actions
• Compliance with human oversight requirements

---

Deployment Architecture

Development Environment

# Start WL-APDP (authorization)
cd wl-apdp && cargo run --release          # Port 8081

# Start Registry (service catalog)
cd wl-registry
make setup && make run                      # Port 8080

# Start WL-Discover (scanner)
cd wl-discover
cargo run -- --config config.example.toml run

# Start Dashboards
cd wl-apdp/frontend && npm run dev          # Port 3000
cd beacon-dashboard && npm run dev          # Port 5173

Production Deployment

Beacon supports containerized deployment:

# Docker Compose (simplified)
services:
  wl-apdp:
    image: watchlight/wl-apdp:latest
    ports: ["8081:8081"]

  wl-registry:
    image: watchlight/wl-registry:latest
    ports: ["8080:8080"]
    environment:
      - DATABASE_URL=postgres://...

  wl-discover:
    image: watchlight/wl-discover:latest
    environment:
      - REGISTRY_URL=http://wl-registry:8080
      - AGENT_ID=scanner-001

Kubernetes deployment is supported via Helm charts.

---

Security Model

Authentication

Component	Authentication Method
WL-APDP API	JWT/OIDC (Auth0, Okta, Azure AD)
Registry	API Key + Scanner ID
Dashboards	OIDC with configurable IdP

Authorization

All authorization decisions flow through WL-APDP using Cedar policies. The platform enforces:

• Principal Validation: Agents must be registered and active
• Intent Validation: Actions must declare a valid intent category
• Goal Validation: Actions must be associated with an active, unexpired goal
• Delegation Validation: Agent must have valid delegation from a human user
• Policy Evaluation: Cedar policies define fine-grained access rules

Trust Model

Human User (IdP-authenticated)
    │
    └──▶ Delegation Grant (time-limited, scope-limited)
            │
            └──▶ Orchestrator Agent
                    │
                    └──▶ Worker Agents (scope cannot exceed parent)

---

Compliance & Governance

Beacon's architecture supports compliance with:

Framework	Relevant Capabilities
EU AI Act	Human oversight, explainability, risk management
NIST AI RMF	Governance, transparency, accountability
SOC 2	Access control, audit logging, monitoring
ISO 27001	Information security controls

Built-in Compliance Features:

• Complete audit trail of every authorization decision
• Intent justification for every AI action
• Human approval workflows for sensitive objectives
• Delegation chains tracing accountability to humans
• Goal action limits preventing runaway automation

---

Getting Started

Prerequisites

• Rust 1.75+
• Node.js 18+
• Python 3.10+
• Docker and Docker Compose
• PostgreSQL 16 (or use provided Docker container)

Quick Start

# Clone the repository
git clone https://github.com/watchlight-ai-beacon/watchlight-beacon.git
cd watchlight-beacon

# Start WL-APDP authorization server
cd wl-apdp && cargo run --release

# In another terminal, run the LangGraph example
cd examples/langgraph-authorized-agents
pip install -r requirements.txt
python seed_data.py --verify
python main.py --verbose

---

Summary

Watchlight AI Beacon provides the foundational infrastructure for secure, governed AI agent deployments:

Component	Function	Key Benefit
WL-APDP	Authorization decisions	Know why every agent action was taken
WL-Discover	Service discovery	Automatic visibility of AI capabilities
Registry	Service catalog	Single source of truth for AI infrastructure
Beacon Dashboard	Management interface	Unified control and monitoring
Python SDK	Framework integration	Drop-in authorization for any agent

Together, these components ensure that AI agents operate within approved boundaries, maintain clear accountability, and provide the explainability that regulators, security teams, and business leaders demand.

---

Watchlight AI — Securing the Agentic Future

For more information, visit the project documentation or contact the Watchlight team.