零信任智能体身份管道
零信任 AI 智能体身份架构,包含 JWT 验证、受限 OBO 令牌交换、SPIFFE/SVID 工作负载身份以及 MCP 工具授权。
完整 FlowZap 代码
User { # User
n1: circle label:"Start"
n2: rectangle label:"Send request + user JWT"
n3: rectangle label:"Receive approval"
n4: circle label:"End"
n1.handle(right) -> n2.handle(left)
n2.handle(bottom) -> AgentPlatform.n5.handle(top) [label="User JWT"]
n3.handle(right) -> n4.handle(left)
}
AgentPlatform { # Agent Platform
n5: rectangle label:"Validate JWT + agent ID"
n6: rectangle label:"Exchange for scoped OBO token"
n7: rectangle label:"Receive tool result"
n8: rectangle label:"Return approval"
n5.handle(right) -> n6.handle(left)
n6.handle(bottom) -> MCPTool.n9.handle(top) [label="Scoped OBO token"]
n7.handle(right) -> n8.handle(left)
n8.handle(top) -> User.n3.handle(bottom) [label="Approved"]
}
MCPTool { # MCP Tool
n9: rectangle label:"Validate scoped token"
n10: rectangle label:"Check SPIFFE SVID"
n11: rectangle label:"Execute tool call"
n12: rectangle label:"Return tool result"
n9.handle(right) -> n10.handle(left)
n10.handle(right) -> n11.handle(left)
n11.handle(right) -> n12.handle(left)
n12.handle(top) -> AgentPlatform.n7.handle(bottom) [label="Result"]
}
相关模板
AI原生单智能体架构
单智能体AI架构,其中一个智能体处理所有事务:解析请求、推理、通过MCP调用工具、生成响应。这是原型和简单自动化的默认架构——易于调试,但很快达到上下文窗口限制且难以并行化。适合快速交付的MVP和独立开发者。
Claw Code Harness 架构
Claw Code harness 架构图,展示用户循环、Python 编排层、Rust 运行时以及 LLM 提供商、文件系统和 MCP 服务器等外部系统。