Enterprise teams duplicate AI automations because reusable skills are hard to govern, validate, audit, and safely expose to agents.

Enterprise MCP Skill Hub is a locally runnable FastAPI and MCP-compatible skill layer where approved AI capabilities are registered by manifest, discovered dynamically, invoked with schema validation, and monitored with audit and usage telemetry.

Enterprise MCP Skill Hub

Enterprise MCP Skill Hub (enterprise-mcp-skill-hub / emcp-hub) is a locally runnable reference implementation of a governed reusable skill layer for enterprise agents. It exposes approved skills through FastAPI and an MCP-compatible adapter with tools, resources, and prompts.

The default mode is deterministic mock LLM execution, so a fresh clone works without paid API keys. OpenAI and Azure OpenAI providers are available behind the BaseLLMProvider interface for teams that want to wire in hosted models later.

What It Includes

• FastAPI admin API for skill registration, validation, promotion, enable/disable, invocation, versions, agent runs, audit, metrics, and health.

• MCP-compatible discovery and invocation for tools, resources, and prompts.

• Six built-in skills: summarize_document, extract_entities, translate_text, classify_request, generate_action_items, and search_knowledge_base.

• Manifest-first governance with JSON-schema-shaped input/output schemas and a draft -> validated -> promoted -> disabled lifecycle.

• Draft, disabled, and schema-invalid skills are excluded from MCP tool discovery; the demo agent only selects promoted/enabled tools.

• Local policy simulator for role, environment, data sensitivity, skill tags/provider, and allow/deny invocation decisions.

• Workflow templates that compose promoted skills into reusable support, RFP, and meeting agent flows with per-step policy decisions and traces.

• Workflow review queue for submitting templates, validating skill/policy readiness, approving or rejecting composition, and exporting local review evidence.

• Release preview and governed release notes export for promoted skills and approved workflow templates, including diffs, risk flags, MCP impact, conformance status, regression commands, and interviewer talking points.

• Enterprise Audit Query / Attestation console for filtering local audit, invocation, governance, workflow, and release evidence, then exporting a procurement-ready Compliance Attestation Pack.

• Skill Usage Forecast + Capacity Guardrails for deterministic local/mock demand planning, per-skill token/latency/cost estimates, quota recommendations, rollout risks, and capacity plan export before broad agent enablement.

• Cross-Agent Skill Dependency Map + Blast Radius Analyzer for graphing promoted skills, MCP tools/prompts/resources, workflows, release evidence, audit history, and capacity impact before owners change a skill, prompt, resource, or workflow template.

• Skill Incident Drill + Recovery Runbook for deterministic local reliability scenarios covering schema breakage, disabled skill invocation, policy denial spikes, latency/capacity breaches, and workflow dependency failures.

• Tenant Policy Sandbox + Data Sensitivity Simulator for healthcare, fintech, public sector, and internal demo tenants, returning allowed, blocked, and review-required MCP skills/workflows plus guardrails and exportable evidence.

• Skill Marketplace Governance + Tenant Rollout Approval Pack for reviewed marketplace listings, tenant eligibility, blocked/review-required rollout decisions, disabled-skill blocks, version comparison notes, MCP exposure state, reviewer checklist, and ignored data/marketplace_packs/ artifacts.

• Skill Usage Analytics + Cost Chargeback Pack for usage by skill, tenant/environment, agent, status, MCP exposure, latency bands, token/cost estimates, budget warnings, anomaly flags, disabled-skill blocked events, reviewer controls, and ignored data/usage_packs/ artifacts.

• Enterprise Readiness Scorecard + Portfolio Demo Pack that rolls governance, conformance, release, audit/attestation, capacity, dependency blast radius, incident drill, tenant sandbox, and demo agent behavior into one executive artifact.

• API Smoke Matrix + Local Launch Checklist for quickly verifying auth/health, skills, MCP surfaces, governance, workflows, releases, capacity, tenant policy, usage analytics, incidents, and enterprise readiness in interviews or README walkthroughs.

• Release Candidate Quality Gate + GitHub Publish Pack for deterministic local release gate scoring, endpoint/MCP/artifact inventory, verification commands, recruiter notes, and ignored data/release_packs/ Markdown/JSON artifacts.

• Local CI Doctor + Dependency/Secrets Audit Pack for deterministic checks across pytest, ruff, eval, conformance, demo, MCP commands, GitHub Actions, Docker Compose, .env.example, docs, ignored artifacts, dependency manifests, local/mock posture, and a suspicious secret scan under ignored data/audit_packs/.

• Reviewer Quickstart + Recruiter Walkthrough Pack for GitHub reviewers: exact setup commands, one-command demo, endpoint order, MCP command proof tour, artifact proof map, expected outputs, troubleshooting, role-specific notes, and ignored data/reviewer_packs/ Markdown/JSON artifacts.

• Artifact Inventory + README Checklist Pack for exposing generated MCP proof artifacts, producer endpoints/commands, ignored status, freshness notes, README badge ideas, and a deterministic reviewer proof checklist under ignored data/artifact_indexes/.

• API Contract Snapshot + MCP Reviewer Collection Pack for fresh-clone verification of OpenAPI route count, X-API-Key protection, docs/api coverage, dashboard smoke alignment, generated artifact endpoints, demo flow endpoints, MCP tools/resources/prompts, sample commands, and ignored data/api_contracts/ Markdown/JSON artifacts.

• Dashboard Smoke Script + UI Verification Pack for deterministic Streamlit source wiring checks, expected views/endpoints, generated artifact tabs, MCP proof surfaces, screenshot placeholders, and ignored data/ui_verification/ Markdown/JSON artifacts.

• GitHub Push Readiness + Branch Hygiene Pack for local-only git repo, branch, worktree, generated artifact, workflow, README final handoff, .env.example, commit grouping, and MCP publish checks under ignored data/git_packs/.

• Runtime Demo Server Pack for fresh-clone FastAPI, Streamlit, and MCP CLI runtime readiness: exact start/stop commands, expected ports, env defaults, dependency checks, read-only port checks, health/smoke URLs, screenshot placeholders, troubleshooting, and ignored data/runtime_packs/ Markdown/JSON artifacts.

• Portfolio README Consistency Auditor + Final Handoff Pack for checking README/docs/API/demo/MCP claims against implemented endpoints, MCP tools/resources/prompts, scripts, generated artifacts, local/mock limits, and optional Azure/OpenAI notes, then writing ignored data/final_handoff/ Markdown/JSON artifacts.

• Optional enforced invocation for FastAPI and MCP calls, with denied attempts captured in audit and metrics.

• Trace IDs, audit events, invocation history, deterministic replay, latency/token/cost metrics, policy simulation, golden eval scorecards, conformance reports, per-skill governance reports, security evidence bundles, local JSON snapshots, and API-key auth.

• Streamlit admin console for catalog, validation, promotion, invocation, policy simulation, tenant policy sandbox, Skill Marketplace, Skill Usage Analytics, enterprise readiness, Portfolio Pack, Reviewer Quickstart, Artifact Inventory, launch checklist, CI Doctor / Audit Pack, UI Verification, Git Readiness, Final Handoff, Release Pack, workflow composition, workflow review queue, demo agent, eval lab, conformance/replay, security evidence/audit, audit query/attestation, release preview/release notes, capacity forecast/guardrails, dependency map/blast radius, skill incident drill/runbook, MCP inspector, governance reports, metrics, and audit.

• Sample policy/product resources, workflow templates, sample skill manifests, tests, eval smoke command, Docker Compose, and GitHub Actions CI.

Related MCP server: SkillPort

Quick Start

cd C:\Users\Devan\Documents\emcp-hub
python -m pip install -r requirements-dev.txt
python -m pytest -q
python -m ruff check app tests dashboard
python -m app.evals.run_eval
python -m app.evals.run_eval --validate-only
python -m app.evals.run_conformance
python scripts\dashboard_smoke.py
python scripts\runtime_check.py
python -m app.demo
python -m uvicorn app.main:app --reload --port 8000

Get a demo token:

curl -X POST http://localhost:8000/auth/demo-token

Use the returned X-API-Key value for protected endpoints.

Run the API smoke matrix after the server starts:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/ops/smoke-matrix -Headers $headers
Invoke-RestMethod http://localhost:8000/ops/launch-checklist -Method POST -Headers $headers
Invoke-RestMethod http://localhost:8000/release/quality-gate -Headers $headers
Invoke-RestMethod http://localhost:8000/release/publish-pack -Method POST -Headers $headers
Invoke-RestMethod http://localhost:8000/ops/ci-doctor -Headers $headers
Invoke-RestMethod http://localhost:8000/ops/audit-pack -Method POST -Headers $headers
Invoke-RestMethod http://localhost:8000/reviewer/quickstart -Headers $headers
Invoke-RestMethod http://localhost:8000/reviewer/walkthrough-pack -Method POST -Headers $headers
Invoke-RestMethod http://localhost:8000/artifacts/inventory -Headers $headers
Invoke-RestMethod http://localhost:8000/artifacts/readme-checklist -Method POST -Headers $headers
Invoke-RestMethod http://localhost:8000/ui/dashboard-smoke -Headers $headers
Invoke-RestMethod http://localhost:8000/ui/verification-pack -Method POST -Headers $headers
Invoke-RestMethod http://localhost:8000/git/readiness -Headers $headers
Invoke-RestMethod http://localhost:8000/git/push-plan -Method POST -Headers $headers
Invoke-RestMethod http://localhost:8000/runtime/demo-readiness -Headers $headers
Invoke-RestMethod http://localhost:8000/runtime/demo-pack -Method POST -Headers $headers
Invoke-RestMethod http://localhost:8000/marketplace/catalog -Headers $headers
Invoke-RestMethod http://localhost:8000/marketplace/rollout-pack -Method POST -Headers $headers
Invoke-RestMethod http://localhost:8000/usage/analytics -Headers $headers
Invoke-RestMethod http://localhost:8000/usage/chargeback-pack -Method POST -Headers $headers
Invoke-RestMethod http://localhost:8000/handoff/final-audit -Headers $headers
Invoke-RestMethod http://localhost:8000/handoff/final-pack -Method POST -Headers $headers

Run the local demo agent:

python -m app.demo

Run the dashboard:

python -m streamlit run dashboard/streamlit_app.py

Run both API and dashboard:

docker compose up --build

MCP-Compatible Inspector

python -m app.mcp_server tools
python -m app.mcp_server resources
python -m app.mcp_server prompts
python -m app.mcp_server call --name summarize_document --arguments "{\"text\":\"Atlas Labs needs governed AI skills.\"}"
python -m app.mcp_server call --name search_knowledge_base --arguments "{\"query\":\"confidential policy\",\"limit\":2}" --role agent --data-sensitivity confidential --enforce-policy

The adapter intentionally uses protocol-shaped payloads even when the official MCP SDK is not installed. See docs/mcp.md.

Reviewer Quickstart

Generate the fastest GitHub reviewer path:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/reviewer/quickstart -Headers $headers
Invoke-RestMethod http://localhost:8000/reviewer/walkthrough-pack -Method POST -Headers $headers

GET /reviewer/quickstart returns exact setup commands, the one-command demo, verification commands, endpoint walkthrough order, MCP command walkthrough, artifact proof map, expected outputs, troubleshooting, and role-specific reviewer notes. POST /reviewer/walkthrough-pack writes walkthrough_pack_latest.json and .md under ignored data/reviewer_packs/ with a recruiter-friendly story, engineer deep-dive path, command checklist, API/MCP proof tour, artifacts to inspect, limitations, and a GitHub README blurb. The Streamlit dashboard has a Reviewer Quickstart view, and python -m app.demo prints reviewer quickstart status/count plus the Walkthrough Pack path.

Artifact Inventory And README Checklist

Expose the generated artifact surface before a GitHub reviewer starts clicking around:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/artifacts/inventory -Headers $headers
Invoke-RestMethod http://localhost:8000/artifacts/readme-checklist -Method POST -Headers $headers
Get-ChildItem -Recurse -File data\artifact_indexes -ErrorAction SilentlyContinue | Select-Object FullName,Length,LastWriteTime

GET /artifacts/inventory returns artifact directories, latest local files, producer endpoints/commands, .gitignore status, reviewer purpose, and freshness notes for portfolio demo, release packs, audit packs, reviewer packs, API Contract Reviewer Collection, launch checklists, conformance/security/governance outputs, and related MCP evidence. POST /artifacts/readme-checklist writes readme_checklist_latest.json and .md under ignored data/artifact_indexes/ with Artifact Inventory rows, README Checklist badge/checklist suggestions, local commands, a reviewer proof checklist, and cleanup/regeneration notes. The Streamlit dashboard has an Artifact Inventory view, and python -m app.demo prints artifact inventory count plus the README Checklist path.

API Contract And Reviewer Collection

Generate a fresh-clone API Contract snapshot and MCP Reviewer Collection:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/api/contract-audit -Headers $headers
Invoke-RestMethod http://localhost:8000/api/reviewer-collection -Method POST -Headers $headers
Get-ChildItem -Recurse -File data\api_contracts -ErrorAction SilentlyContinue | Select-Object FullName,Length,LastWriteTime

GET /api/contract-audit returns structured OpenAPI route count, protected endpoint count, docs/api coverage, dashboard smoke alignment, generated artifact endpoint coverage, demo flow endpoint coverage, MCP inventory and coverage, missing-docs warnings, duplicate/deprecated route warnings, local-only limitations, and verification commands. POST /api/reviewer-collection writes reviewer_collection_latest.json and .md under ignored data/api_contracts/ with grouped endpoint inventory, MCP tool/resource/prompt inventory, sample PowerShell and curl commands with X-API-Key, demo-token flow, MCP CLI commands, expected status codes, auth notes, generated artifact endpoints, one-command verification order, and recruiter/engineer explanations. The Streamlit dashboard has an API Contract view, and python -m app.demo prints the contract audit status plus Reviewer Collection path.

Dashboard Smoke And UI Verification

Validate dashboard reviewer surfaces without launching a browser:

python scripts\dashboard_smoke.py
$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/ui/dashboard-smoke -Headers $headers
Invoke-RestMethod http://localhost:8000/ui/verification-pack -Method POST -Headers $headers
Get-ChildItem -Recurse -File data\ui_verification -ErrorAction SilentlyContinue | Select-Object FullName,Length,LastWriteTime

GET /ui/dashboard-smoke returns structured Dashboard Smoke checks for expected Streamlit views, endpoint references, generated artifact tabs, local run commands, MCP proof surfaces, and limitations. POST /ui/verification-pack writes ui_verification_pack_latest.json and .md under ignored data/ui_verification/ with the dashboard smoke results, Streamlit run command, reviewer checklist, screenshot placeholders, troubleshooting, and limitations. The Streamlit dashboard has a UI Verification view, and python -m app.demo prints dashboard smoke status plus the UI Verification Pack path.

GitHub Push Readiness And Branch Hygiene

Prepare the local branch for reviewer-safe publishing without staging, committing, pushing, or calling GitHub:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/git/readiness -Headers $headers
Invoke-RestMethod http://localhost:8000/git/push-plan `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"actor":"github-reviewer"}'
Get-ChildItem -Recurse -File data\git_packs -ErrorAction SilentlyContinue | Select-Object FullName,Length,LastWriteTime

GET /git/readiness returns structured local git and publish checks for repo detection, current branch, tracked/untracked/modified/ignored summaries, generated artifact directories that should stay ignored, source/doc/test/dashboard files changed, suspicious large/generated files, GitHub Actions workflow presence, README final handoff mention, .env.example, dirty-worktree guidance, recommended commit groups, and MCP-specific publish notes.

POST /git/push-plan writes git_push_plan_latest.json and git_push_plan_latest.md under ignored data/git_packs/. The GitHub Push Readiness + Branch Hygiene Pack includes exact non-destructive review commands, suggested commit grouping, do-not-commit generated artifact notes, pre-push verification checklist, MCP command verification, repo limitations, and a recruiter/GitHub README publish blurb. The Streamlit dashboard has a Git Readiness view, and python -m app.demo prints git readiness status plus the push plan path.

Runtime Demo Server Pack

Verify and package the local demo runtime before opening multiple terminals:

python scripts\runtime_check.py
$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/runtime/demo-readiness -Headers $headers
Invoke-RestMethod http://localhost:8000/runtime/demo-pack -Method POST -Headers $headers
Get-ChildItem -Recurse -File data\runtime_packs -ErrorAction SilentlyContinue | Select-Object FullName,Length,LastWriteTime

GET /runtime/demo-readiness returns exact local start commands, manual stop guidance, expected FastAPI/Streamlit ports, env defaults, dependency checks, read-only port checks, health/smoke URLs, MCP CLI verification order, troubleshooting, and limitations. POST /runtime/demo-pack writes runtime_demo_pack_latest.json and .md under ignored data/runtime_packs/ with the full demo flow, screenshot checklist placeholders, and recruiter/engineer explanations. The Streamlit dashboard has a Runtime Demo view, python scripts\runtime_check.py prints the same readiness contract without needing a running server, and python -m app.demo prints runtime readiness plus the Runtime Demo Pack path.

Final Handoff

Run the final README Consistency audit before handing the repo to a reviewer:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/handoff/final-audit -Headers $headers
Invoke-RestMethod http://localhost:8000/handoff/final-pack `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"actor":"final-handoff-reviewer"}'
Get-ChildItem -Recurse -File data\final_handoff -ErrorAction SilentlyContinue | Select-Object FullName,Length,LastWriteTime

GET /handoff/final-audit returns structured checks for README endpoint/MCP mentions, docs/api coverage, architecture/evaluation coverage, demo output claims, scripts present, dashboard smoke script present, generated artifact directory docs, MCP tools/resources/prompts clarity, local/mock limitation clarity, and Azure/OpenAI optional notes.

POST /handoff/final-pack writes final_handoff_pack_latest.json and final_handoff_pack_latest.md under ignored data/final_handoff/. The Final Handoff Pack includes final audit results, exact clone/run commands, end-to-end verification order, endpoint inventory summary, MCP inventory summary, artifact inventory summary, dashboard smoke summary, eval/conformance proof summary, and a recruiter-facing final README blurb. The Streamlit dashboard has a Final Handoff view, and python -m app.demo prints final audit status/score plus the Final Handoff Pack path. This is local/mock evidence; no Azure or OpenAI credentials are required for acceptance.

Project Layout

• app/ - FastAPI app, domain models, registries, validators, providers, MCP adapter, demo, evals.

• dashboard/ - Streamlit admin console.

• sample_data/ - sample resources, workflow templates, tickets, meeting notes, expected outputs, and YAML skill manifests.

• tests/ - pytest coverage for acceptance criteria.

• docs/ - architecture, API, MCP, manifests, evaluation, and Azure notes.

• typescript-bridge/ - optional Zod-to-MCP JSON schema concept.

Governance Snapshot

Generate an interviewer-friendly readiness report and save a local JSON snapshot of skills, versions, invocations, metrics, audit events, and the report:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/governance/report -Headers $headers
Invoke-RestMethod http://localhost:8000/snapshots/local -Method POST -Headers $headers

The governance report includes one row per skill with id, version, enabled flag, lifecycle status, schema validity, last invocation, invocation/failure counts, provider, tags, risk flags, MCP exposure status, and policy access by role.

Security Evidence Bundle

Export security-review artifacts for a governance or procurement board:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/security/review-summary -Headers $headers
Invoke-RestMethod http://localhost:8000/evidence/export -Method POST -Headers $headers

The export writes security_evidence_latest.json and security_evidence_latest.md under ignored local folder data/evidence/. It includes governance and conformance reports, policy simulation summary, promoted skills, disabled/draft exclusions, recent audit events, invocation summary, denied policy attempts, MCP tools/resources/prompts exposure, and recommended next controls.

Audit Query / Attestation

Query reviewer evidence locally:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/audit/query `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"action":"skill.invoked","status":"succeeded","query":"audit"}'

The query response includes matched events, counts by action/status, related invocations, related release/workflow evidence, trace/correlation ids, and warnings for missing evidence in fresh clones.

Export a Compliance Attestation Pack:

Invoke-RestMethod http://localhost:8000/compliance/attestation `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"actor":"security-reviewer"}'

The export writes compliance_attestation_latest.json and compliance_attestation_latest.md under ignored local folder data/attestations/. It includes governance controls, enabled/promoted skill list, MCP tools/resources/prompts, conformance status, release readiness, recent audit summary, policy simulation examples, exclusions, local verification commands, JD skills demonstrated, and five interviewer talking points. The one-command demo prints attestation readiness and the exported attestation path.

Release Preview And Release Notes

Preview the release diff before platform owners ship promoted skills or approved workflow templates:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/releases/preview -Method POST -Headers $headers
Invoke-RestMethod http://localhost:8000/releases/export -Method POST -Headers $headers

If no prior release snapshot exists, the service uses a deterministic generated baseline so a fresh clone still shows a meaningful preview. Export writes release_notes_latest.json, release_notes_latest.md, and current_snapshot.json under ignored local folder data/releases/.

The release notes include release readiness, added/changed/removed skills, added/changed/removed workflow templates, risk flags, conformance summary, governance events, MCP tools/resources/prompts affected, local verification commands, JD skills demonstrated, and five interviewer talking points. Draft, disabled, validated-only, in-review, and rejected artifacts are excluded from release readiness.

Capacity Forecast And Guardrails

Forecast local/mock demand before enabling agents broadly:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/capacity/forecast `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"forecast_days":30,"traffic_multiplier":1.0}'
Invoke-RestMethod http://localhost:8000/capacity/guardrails -Method POST -Headers $headers
Invoke-RestMethod http://localhost:8000/capacity/plan-export -Method POST -Headers $headers

The forecast uses invocation history, enabled/promoted skills, approved workflow templates, release/audit evidence, and mock traffic assumptions. It returns per-skill forecasted invocations, estimated tokens, latency p95, local planning cost, top workflows driving demand, bottleneck/risk flags, recommended rate limits, MCP tools affected, exclusions, and readiness status.

Guardrails validate or default max invocations/minute, max tokens/day, max latency p95, per-skill quotas, fallback behavior, and policy actions. Plan export writes capacity_plan_latest.json and capacity_plan_latest.md under ignored local folder data/capacity/ with risks, rollout stages, local verification commands, JD skills demonstrated, and five interviewer talking points. The one-command demo prints capacity readiness and the exported capacity plan path.

Dependency Map And Blast Radius

Map dependencies before changing a skill, prompt, resource, or workflow template:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/dependencies/map -Headers $headers
Invoke-RestMethod http://localhost:8000/dependencies/blast-radius `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"skill_id":"search_knowledge_base"}'
Invoke-RestMethod http://localhost:8000/dependencies/report -Method POST -Headers $headers

GET /dependencies/map returns graph nodes, edges, counts by node type, high-centrality skills, orphaned prompts/resources, disabled/draft exclusions, and readiness. POST /dependencies/blast-radius returns impacted skills, workflows, prompts, resources, likely agents/tool calls, capacity impact, tests to run, risk flags, and rollout action. Report export writes dependency_report_latest.json and dependency_report_latest.md under ignored local folder data/dependencies/. The one-command demo prints dependency readiness and the exported dependency report path.

Skill Incident Drill And Recovery Runbook

Run a local reliability drill and export an operator runbook:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/incidents/drill `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"scenario":"latency_capacity_breach"}'
Invoke-RestMethod http://localhost:8000/incidents/runbook `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"scenario":"latency_capacity_breach","actor":"incident-commander"}'

Supported scenarios are schema_breakage, disabled_skill_invoked, policy_denial_spike, latency_capacity_breach, and workflow_dependency_failure. The drill returns affected skills/workflows/prompts/resources, simulated symptoms, severity, containment actions, rollback/canary steps, eval and conformance commands, audit evidence, capacity/dependency links, MCP capabilities affected, exclusions, and readiness. Runbook export writes JSON and Markdown under ignored data/incident_runbooks/. The one-command demo prints incident drill severity/readiness and the exported runbook path.

Tenant Policy Sandbox

Simulate enterprise tenant governance across role, environment, and sensitivity:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/tenants/policy-simulate `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"tenant":"healthcare","role":"reviewer","environment":"production","data_sensitivity":"confidential"}'
Invoke-RestMethod http://localhost:8000/tenants/sandbox-export -Method POST -Headers $headers

Fake tenants are healthcare, fintech, public_sector, and internal_demo. The simulator returns allowed, blocked, and review-required skills and workflows, policy reasons, impacted MCP tools/resources/prompts, recommended tenant guardrails, warnings, readiness status, and disabled/draft exclusions. Export writes tenant_policy_sandbox_latest.json and tenant_policy_sandbox_latest.md under ignored local folder data/tenant_sandboxes/ with the tenant policy matrix, scenario results, blocked/review actions, MCP impact, local verification commands, JD skills demonstrated, and five interviewer talking points. The one-command demo prints tenant sandbox readiness and the exported tenant sandbox path.

Skill Marketplace Governance And Tenant Rollout

Generate governed Skill Marketplace listings and a Tenant Rollout approval pack:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/marketplace/catalog -Headers $headers
Invoke-RestMethod http://localhost:8000/marketplace/rollout-pack -Method POST -Headers $headers
Get-ChildItem -Recurse -File data\marketplace_packs -ErrorAction SilentlyContinue | Select-Object FullName,Length,LastWriteTime

GET /marketplace/catalog returns approved/promoted/draft/disabled skill listings with versions, tenant eligibility for internal ops, regulated healthcare, fintech/confidential, and public-sector restricted scenarios, risk level, required review state, usage signals, MCP exposure state, disabled-skill blocks, blocked/review-required rollout rows, and coverage summary. POST /marketplace/rollout-pack writes rollout_approval_pack_latest.json and .md under ignored data/marketplace_packs/ with rollout recommendations, tenant policy decisions, disabled-skill blocks, version comparison notes, reviewer checklist, local proof commands, and limitations. The Streamlit dashboard has a Skill Marketplace view, and python -m app.demo prints Skill Marketplace readiness plus the Tenant Rollout approval pack path.

Skill Usage Analytics And Cost Chargeback

Generate enterprise operating controls for usage, budget, anomaly, and chargeback review:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/usage/analytics -Headers $headers
Invoke-RestMethod http://localhost:8000/usage/chargeback-pack -Method POST -Headers $headers
Get-ChildItem -Recurse -File data\usage_packs -ErrorAction SilentlyContinue | Select-Object FullName,Length,LastWriteTime

GET /usage/analytics returns deterministic local usage by skill, tenant/environment, agent, status, MCP exposure, latency band, token/cost estimate, budget status, anomaly flag, disabled-skill blocked event, and coverage summary. POST /usage/chargeback-pack writes chargeback_pack_latest.json and .md under ignored data/usage_packs/ with usage tables, cost allocation, budget/anomaly flags, recommended controls, reviewer checklist, local proof commands, and limitations. The Streamlit dashboard has a Skill Usage Analytics view, and python -m app.demo prints usage readiness plus the Cost Chargeback Pack path.

Enterprise Readiness And Portfolio Demo Pack

Generate the executive scorecard and portfolio demo artifacts:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/enterprise/readiness-scorecard -Headers $headers
Invoke-RestMethod http://localhost:8000/enterprise/portfolio-demo-pack -Method POST -Headers $headers

GET /enterprise/readiness-scorecard returns category scores, readiness status, risks, recommended actions, artifact links, MCP capability counts, and verification commands. POST /enterprise/portfolio-demo-pack writes portfolio_demo_pack_latest.json and portfolio_demo_pack_latest.md under ignored local folder data/portfolio_demo/.

The portfolio demo pack includes the scorecard, architecture talking points, local demo commands, endpoint map, artifacts list, JD skills demonstrated, and five interviewer talking points. The Streamlit dashboard has an Enterprise Readiness view, and python -m app.demo prints enterprise readiness plus the portfolio demo pack path.

Portfolio Evidence Index And Interview Pack

Generate recruiter-ready proof that the repo demonstrates governed MCP and agentic platform engineering:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/portfolio/evidence-index -Headers $headers
Invoke-RestMethod http://localhost:8000/portfolio/interview-pack -Method POST -Headers $headers

GET /portfolio/evidence-index returns a deterministic Portfolio Evidence score, JD coverage list, proof matrix, MCP capability counts, artifact inventory, verification commands, and local-only summary. It maps MCP tools/resources/prompts, FastAPI admin API, skill manifests, schema validation, governance, audit logs, enable/disable/versioning, workflow templates, conformance evals, release preview, capacity guardrails, tenant policy sandbox, incident runbook, enterprise readiness, smoke matrix, and launch checklist to concrete endpoints, files, and commands.

POST /portfolio/interview-pack writes interview_pack_latest.json and interview_pack_latest.md under ignored local folder data/portfolio_packs/. The Interview Pack includes a 3-minute demo script, 8-10 technical talking points, architecture walk-through, governance/failure-mode story, local verification commands, metrics/eval summary, artifact inventory, and resume/GitHub README bullets. The Streamlit dashboard has a Portfolio Pack view, and python -m app.demo prints evidence score/count plus the interview pack path.

API Smoke Matrix And Launch Checklist

Generate a local smoke matrix and launch checklist for interview demos:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/ops/smoke-matrix -Headers $headers
Invoke-RestMethod http://localhost:8000/ops/launch-checklist `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"actor":"launch-reviewer"}'

GET /ops/smoke-matrix returns endpoint checks, expected statuses, sample commands, artifact expectations, and a smoke readiness summary across auth/health, skills, MCP tools/resources/prompts, governance, workflows, releases, capacity, tenant policy, marketplace, incidents, and enterprise readiness. POST /ops/launch-checklist writes launch_checklist_latest.json and launch_checklist_latest.md under ignored data/launch_checklists/.

The Launch Checklist includes install/run commands, the API smoke matrix, demo command, eval commands, artifact paths, troubleshooting notes, JD skills demonstrated, and five interviewer talking points. The Streamlit dashboard has a Launch Checklist view, and python -m app.demo prints smoke readiness plus the checklist path.

Local CI Doctor And Audit Pack

Run the publish-safety audit before sharing the repo:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/ops/ci-doctor -Headers $headers
Invoke-RestMethod http://localhost:8000/ops/audit-pack `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"actor":"ci-doctor"}'

GET /ops/ci-doctor returns structured checks for pytest, ruff, eval/conformance, demo, MCP inspector commands, GitHub Actions workflow presence, Docker Compose presence, .env.example, README sections, docs presence, generated artifact ignores, dependency files, local/mock provider notes, and a suspicious secret scan summary.

POST /ops/audit-pack writes audit_pack_latest.json and audit_pack_latest.md under ignored data/audit_packs/. The Audit Pack includes CI Doctor results, dependency inventory, secret scan summary, local verification commands, a publish-safety checklist, remediation notes, recruiter/interviewer explanation, and limitations. The Streamlit dashboard has a CI Doctor / Audit Pack view, and python -m app.demo prints CI Doctor status/score plus the Audit Pack path.

Release Candidate Quality Gate And Publish Pack

Generate the final local release gate and GitHub-ready Publish Pack:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/release/quality-gate -Headers $headers
Invoke-RestMethod http://localhost:8000/release/publish-pack `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"actor":"release-publisher"}'

GET /release/quality-gate returns a structured Release Candidate gate with status, score, blockers, warnings, verification checklist, CI/docs/test/eval/demo/MCP coverage, artifact coverage, local-only runtime notes, endpoint inventory, MCP capability inventory, and publish readiness.

POST /release/publish-pack writes publish_pack_latest.json and publish_pack_latest.md under ignored data/release_packs/. The Publish Pack includes release summary, setup and demo commands, verification commands, expected outputs, endpoint inventory, MCP capability inventory, artifact inventory, screenshot/manual verification placeholders, GitHub repo checklist, commit/push readiness notes, recruiter review notes, and known limitations. The Streamlit dashboard has a Release Pack view, and python -m app.demo prints release gate status/score plus the publish pack path.

Conformance And Replay

Run a local contract conformance suite for every promoted skill:

python -m app.evals.run_conformance
Invoke-RestMethod http://localhost:8000/conformance/report -Headers $headers

The report validates promoted manifests, runs deterministic sample invocations, checks output schemas, confirms policy simulation and MCP exposure, and records prompt/resource references where relevant.

Replay a prior invocation from local history:

$invocations = Invoke-RestMethod http://localhost:8000/invocations -Headers $headers
Invoke-RestMethod "http://localhost:8000/invocations/$($invocations[0].id)/replay" -Method POST -Headers $headers

Replay returns the original input/output, replay output, same_output, and drift notes. Policy-denied invocations are replayed through the same enforced policy gate and stay denied without running the skill handler.

Policy Simulator

Use the simulator to explain why a role can or cannot invoke a skill:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/policy/simulate `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"skill_id":"search_knowledge_base","role":"agent","environment":"local","data_sensitivity":"confidential","requested_action":"invoke"}'

Policy enforcement is opt-in for local compatibility. Add policy_context.enforce=true in the request body or send headers such as X-Policy-Enforce: true, X-Policy-Role: reviewer, and X-Data-Sensitivity: confidential.

Workflow Templates

Reusable workflow templates live in sample_data/workflow_templates.json and compose promoted skills into repeatable agent flows:

• support_triage

• rfp_answer_pack

• meeting_to_actions

List and simulate templates through the API:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/workflows/templates -Headers $headers
Invoke-RestMethod http://localhost:8000/workflows/meeting_to_actions/simulate `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"input_text":"Action: Priya Shah to follow up by 2026-06-15.","role":"agent","data_sensitivity":"internal","environment":"local"}'

The simulator runs only promoted/enabled skills, records each step policy decision, stops deterministically on denied or unavailable steps, and returns selected skills, step outputs, trace entries, final output, and blocked steps.

Workflow Review Queue

Submitted templates are stored locally under ignored folder data/workflow_reviews/. Draft and rejected templates appear in GET /workflows/reviews but are excluded from GET /workflows/templates and simulation until approved.

$body = @{
  id = "reviewed_support_pack"
  name = "Reviewed Support Pack"
  description = "Classify and summarize a support request after workflow review approval."
  ordered_skill_ids = @("classify_request", "summarize_document")
  required_role = "agent"
  default_sensitivity = "internal"
  expected_outputs = @("category", "summary")
} | ConvertTo-Json

Invoke-RestMethod http://localhost:8000/workflows/templates/submit -Method POST -Headers $headers -ContentType "application/json" -Body $body
Invoke-RestMethod http://localhost:8000/workflows/reviews -Headers $headers
Invoke-RestMethod http://localhost:8000/workflows/reviewed_support_pack/approve -Method POST -Headers $headers -ContentType "application/json" -Body '{"actor":"platform-reviewer","note":"Approved for local use."}'
Invoke-RestMethod http://localhost:8000/workflows/reviewed_support_pack/review-evidence -Method POST -Headers $headers

Review evidence writes Markdown and JSON under data/workflow_reviews/ with the template, validation, dry-run simulation, approval/rejection state, policy warnings, and audit events.

Promotion Workflow

New manifests can be registered as draft or validated skills for local review. Promote a valid skill before MCP clients or the demo agent can discover it:

$headers = @{ "X-API-Key" = "dev-local-token" }
Invoke-RestMethod http://localhost:8000/skills/draft_support_summary/promote `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"actor":"platform-admin"}'

Promotion validates the manifest, sets status=promoted, keeps enabled=true, exposes the skill as an MCP tool, and records skill.promoted in the audit log.

Evaluation And Policy Lab

The project now includes two reviewer-friendly controls:

• Golden evals: scored behavior checks from sample_data/evals/golden_cases.json.

• Conformance suite: per-promoted-skill contract, policy, MCP exposure, and sample-output checks.

• Policy simulation: role, environment, sensitivity, and action rules that can block enforced invocations.

• Workflow simulation: template-level composition checks showing reusable governed agent flows.

• Release preview: catalog diff and release readiness checks for promoted skills and approved workflow templates.

• Release gate: deterministic Release Candidate checks and Publish Pack artifacts for GitHub review.

• CI Doctor: deterministic local audit checks and Audit Pack artifacts for dependency review, ignored artifacts, local/mock posture, and secret scan review before publishing.

Invoke-RestMethod http://localhost:8000/evals/golden -Method POST -Headers $headers
Invoke-RestMethod http://localhost:8000/policy/simulate `
  -Method POST `
  -Headers $headers `
  -ContentType "application/json" `
  -Body '{"skill_id":"classify_request","role":"viewer","environment":"local","data_sensitivity":"confidential","requested_action":"invoke"}'

Environment

Copy .env.example to .env if you want to override defaults. Local mode needs no external key.

API_KEY=dev-local-token
LLM_PROVIDER=mock

Optional provider modes:

• LLM_PROVIDER=openai with OPENAI_API_KEY.

• LLM_PROVIDER=azure_openai with AZURE_OPENAI_API_KEY, AZURE_OPENAI_ENDPOINT, and AZURE_OPENAI_DEPLOYMENT.