Workflows

How Merideon Works in Practice

Real workflows from day-to-day operations — deploying agents automatically, enforcing DNS policies, responding to alerts, and managing your network edge.

Workflow 1

Onboarding a New AI Agent

From first registration to active, credentialed, policy-governed network participant — in minutes.

1. Agent submits registration: Agent operator submits identity — name, model, version, team, declared capabilities. Enters Pending queue.
2. Security Office reviews: Admin reviews identity and capabilities in the Pending Approvals queue. Approve or reject with a single action.
3. Badge issued automatically: On approval, a cryptographically signed badge is generated. Agent presents badge at governed resources.
4. Policy applied at the edge: Agent's DNS policy pushes to the Edge Router. Andrew applies it to BIND9 RPZ. Agent is now governed at the network level — kernel-enforced.
5. Ongoing governance: Interviews assess behavior, alerts flag anomalies, policies can be updated anytime. Revoke the badge instantly if needed.
Typical time from registration to active: under 5 minutes
Security Office · Pending Approvals
DataSync Agent v2.1
ETL Pipeline · claude-haiku · submitted 3m ago
Pending
Declared capabilities
Read NAS files · Write to database · HTTP outbound
✓ Badge issued — MRD-0025
Policy pushed to Andrew Router · Agent active
Security Office → Edge Router · Policy Push
AnalyticsBot — DNS policy · Mode: Enforce · Type: Allowlist · PUSHED
DataSync — DNS policy · Mode: Enforce · Type: Open + Denylist · PUSHED
MonitorAgent — DNS policy · Mode: Learning · baseline building · LEARNING
NewAgent — DNS policy · Mode: Observe · no enforcement yet · OBSERVE
✓ 2 enforce policies synced to BIND9 RPZ · 1.4s · Audit logged
Workflow 2

Pushing a Policy Update

Author security policies in the Security Office and enforce them at the network edge in under 2 seconds — no CLI, no SSH, no config files.

1. Open Policies in Security Office: Toggle rules on/off, set rate limits, define allowlists and blocklists for agents or agent groups.
2. Click “Push to Andrew”: The SO sends the DNS policy to Andrew on the Edge Router over the secure internal channel.
3. Andrew updates BIND9 RPZ and nftables: DNS RPZ rules reload. Agent's allowed and blocked domains are now enforced at the kernel level. Every rule application is logged.
4. Confirmation in both appliances: The SO shows push confirmation with “Andrew Synced ✓”. AI-Router Events feed shows the application event. Audit logs on both ends. All connected Edge Routers update in parallel.
Workflow 3

Responding to a Security Alert

An agent triggers an alert. Here's how the platform handles it — from detection to resolution.

Trigger. Alert fires automatically: SO continuous monitoring detects AnalyticsBot attempting to reach an unauthorized endpoint. Critical alert created.
1. Admin reviews the alert: Alert appears in SO Dashboard (red badge count), Alerts view, and Andrew Events feed. Full context visible.
2. Ask Andrew for diagnostics: Open Andrew Chat: "Show me AnalyticsBot traffic for the last hour." Andrew pulls live network data and presents it.
3. Push quarantine policy or revoke badge: Option A: restrict the agent's network access via policy push. Option B: revoke the badge entirely — instant block at edge.
4. Resolve and log: Mark the alert resolved. Everything — detection, diagnosis, action, resolution — is in the immutable audit log.
🚨 Critical Alert · 2m ago
Unauthorized endpoint access attempt
Agent AnalyticsBot (MRD-0003) attempted to reach api.external-service.com:443 — outside declared capabilities.
Andrew Chat · Diagnostic
Andrew: AnalyticsBot made 14 outbound attempts to api.external-service.com in the last hour. All were blocked by the existing firewall policy. No data exfiltration occurred. First attempt at 19:31 UTC — 37 minutes after badge was issued.
✓ Quarantine policy pushed · Badge suspended · Alert resolved
Workflow 4

Deploying an AI Agent Automatically

The Security Office's deployment pipeline provisions a fully configured agent from scratch — system setup, identity, registration, badge, and first interview — in under 15 minutes.

1. Select deployment wizard: Choose SSH (dedicated VM) or Docker (existing host). Pick a personality template and select your Anthropic API key from Vault.
2. Pre-flight check passes: SO tests SSH connectivity, disk space, and package availability. Green light before a single command runs.
3. 17-step pipeline runs: System packages, Node.js, OpenClaw, identity files (SOUL.md, AGENTS.md), TLS certs, nginx, interview API, systemd services — all automated. Live terminal in the SO.
4. SO registers, badges, interviews: Agent auto-registers, badge is issued, first behavioral interview runs with GPT-4.1 as judge. Agent is marked LIVE on pass.
5. Policy pushed, agent governed: Initial DNS policy (Observe mode) pushed to Edge Router. Agent is live, registered, credentialed, and monitored from the first second.
Zero to LIVE in under 15 minutes — fully automated
Deployment Pipeline · Live Terminal
[✓] [1/17] Connecting to server… Connected
[✓] [2/17] Installing system packages… Done
[✓] [3/17] Installing Node.js 20… Done
[✓] [4/17] Creating openclaw user… Done
[✓] [5/17] Installing OpenClaw… Done
[✓] [6/17] Writing identity files… Done SOUL.md AGENTS.md IDENTITY.md
[✓] [7/17] Writing config files… Done
[✓] [8/17] Generating TLS certificate… Done
[✓] [9/17] Configuring nginx… Done
[✓] [10/17] Deploying Interview API… Done
[✓] [11/17] Installing services… Done
[✓] [12/17] Starting services… Done
[✓] [13/17] Health check… Agent responding
[✓] [14/17] Registering with SO… Registered
[✓] [15/17] Issuing badge… MRD-0031 issued
[✓] [16/17] Running first interview… PASS (score: 91/100)
[✓] [17/17] Marking LIVE… DEPLOYMENT COMPLETE
✓ Agent live at https://192.168.10.131 · Badge MRD-0031 · Interview PASS
DNS policy (Observe) pushed to Edge Router · Workspace monitoring active

Ready to see it in your environment?

Deploy Merideon and run your first workflow the same day.