concrete examples
What you'd actually build.
Three real operational workflows, end to end: inputs, run trace, artifacts, receipt. Same runtime primitives across all three.
Security · Compliance
soc2-evidence
Collect quarterly SOC2 evidence: policy attestations, access reviews, ticket samples, vendor reports.
outcome → 3 minutes + one human approval. Receipt becomes the audit artifact.
inputs
- policies/ · 14 PDFs · v2026Q1
- access-reviews/q1-2026.csv · 1,842 rows
- vendors/ · 27 SOC reports
- tickets/security-incidents.json · Jira export
run trace · live SSE
- 00:00:02 grant accepted · workspace/{policies,access-reviews,vendors,tickets}
- 00:00:04 read 14 policy PDFs · extracted control mappings
- 00:00:31 joined access-reviews × policies on cc-mapping
- 00:01:12 missing evidence: CC6.7 (vendor offboarding log)
- 00:01:18 request_scope("vendors/offboarding/*", reason="CC6.7")
- 00:01:52 approver @aisha approved · grant rotated
- 00:02:41 artifact: evidence-pack/q1-2026.zip (134MB · 312 files)
- 00:02:43 receipt sealed · eval 0.94 · ready for human review
artifacts
- evidence-pack/q1-2026.zip · 134MB · 312 files
- evidence-pack/control-matrix.xlsx · CC1–CC9 · 47 controls
- evidence-pack/exceptions.md · 3 items · auditor-ready
receipt.json
- agent: soc2-evidence@v1.4.2
- caller: compliance-lead@acme
- grants: 2 (1 rotated)
- files: 1,953 read · 312 written
- elapsed: 2m 43s
- eval: 0.94 · reviewed @aisha
Sales Engineering · Revenue
rfp-responder
Read inbound RFPs, pull approved collateral, draft a cited response pack with reviewer checkpoints.
outcome → cited draft + chart + flagged questions in under 2 minutes. SE reviews 1 question, not 47.
inputs
- rfp/2026-globex.pdf · 47 questions · 128 pages
- collateral/security-faq.pdf · approved · v2026Q2
- collateral/case-studies/ · 12 PDFs
- pricing/rate-card.json · approved tier
run trace · live SSE
- 00:00:01 grant accepted · workspace/rfp/*.pdf + collateral/* (read-only)
- 00:00:08 extracted 47 questions from globex.pdf
- 00:00:24 matched 41 questions to approved collateral · 6 unmapped
- 00:00:38 Q19 (data residency EU) — no approved answer found
- 00:00:39 flagged Q19 for human · continuing 46 questions
- 00:01:47 draft assembled · 46 cited answers · 1 flagged
- 00:01:48 handoff → chart-agent ("render pricing comparison")
- 00:01:55 artifact: rfp/draft/globex-response.docx (87 pages · 312 cites)
artifacts
- rfp/draft/globex-response.docx · 87 pages · 312 source cites
- rfp/draft/pricing-comparison.png · chart-agent handoff · 1.2MB
- rfp/draft/open-questions.md · 1 flagged · routed to SE lead
receipt.json
- agent: rfp-responder@v2.1.0
- caller: planner-agent@v0.9
- handoffs: 1 (chart-agent)
- files: 16 read · 3 written
- elapsed: 1m 55s
- eval: auto: 0.89 · review queued
Finance · Month-end close
finance-recon
Compare invoices against contracts, usage exports, and payments. Produce exception report + auditor-ready trace.
outcome → 3 minutes + 3 escalations. Trace links every exception back to its source files.
inputs
- invoices/2026-04/ · 1,247 invoices · 89MB
- contracts/master.csv · 342 active MSAs
- usage/april.parquet · 27M events
- payments/ach-2026-04.csv · Treasury export
run trace · live SSE
- 00:00:03 grant accepted · workspace/{invoices,contracts,usage,payments}/2026-04/*
- 00:00:21 normalized 1,247 invoices to canonical schema
- 00:01:08 joined invoices × contracts on customer_id (1,201 matched)
- 00:01:14 46 invoices unmatched — likely new SKUs
- 00:02:33 usage variance computed · 12 customers >5% delta
- 00:03:02 3 customers: payment ≠ invoiced amount · escalated
- 00:03:18 artifact: reports/2026-04-exceptions.xlsx (61 rows)
- 00:03:20 receipt sealed · linked to GL period 2026-04
artifacts
- reports/2026-04-exceptions.xlsx · 61 rows · 3 critical · 58 review
- reports/2026-04-summary.pdf · exec-ready · 4 pages
- reports/2026-04-trace.jsonl · 27,847 events · auditor-grade
receipt.json
- agent: finance-recon@v1.4.2
- caller: controller@acme
- grants: 1
- files: 1,250 read · 3 written
- elapsed: 3m 20s
- eval: 0.91 · reviewed @max
all three share
Same primitives. Different work.
Identity. Scoped grants. Sandboxed runtime. Workspace files. Approvals. Receipts. Replay. Each workflow above is @skill + runtime — no bespoke deployment pipeline, no shared credentials, no audit gap.