Get from zero to an enforced policy in three steps: install a Beacon, connect it to your tenant, and apply a first Lyra policy. The commands below are illustrative — the CLI names and flags are indicative of the shipping product and may change.
1. Install a Beacon
Beacon is a signed local daemon for Windows, macOS, and Linux. Install it and verify the signature before it runs:
# Illustrative — install and start the signed endpoint agent
curl -fsSL https://get.alyria.ai/beacon | sh
beacon verify # checks the binary signature and version
beacon status # inventory of local AI tooling + CVE posture
beacon status reports the AI CLIs and tools it found, their versions, whether any are down-level, and
any known CVE exposure — before a single agent request is proxied.
2. Connect your tenant
A tenant exposes one MCP endpoint for all of your agents and pulls policy down to each Beacon. Connect with an enrollment token issued from Observatory:
# Illustrative — enroll this endpoint into your tenant's mesh
beacon connect \
--tenant acme \
--enroll-token "$ALYRIA_ENROLL_TOKEN" \
--mcp https://acme.mesh.alyria.ai
The token is single-use and short-lived. Enrollment establishes the Beacon's device identity; no standing credentials are stored on the endpoint.
3. Ship your first policy
Lyra policies are capability-brokered. Start by denying any MCP tool that has not been explicitly granted, then apply it to the fleet:
package alyria.lyra
# Deny any tool call that isn't a brokered capability
deny[msg] {
tool := input.mcp.tool
not capability.granted[tool]
msg := sprintf("tool %q is not brokered", [tool])
}
# Illustrative — validate and roll out to enrolled Beacons
beacon policy apply ./deny-ungranted.rego
beacon policy test --input ./samples/mcp-call.json
Beacon enforces the policy locally and deterministically, offline, with no round-trip to the cloud. Decisions stream to Spectra and surface in Observatory.
Next steps
- Read the Beacon agent reference for the three enforcement planes.
- Learn the Lyra policy model and capability brokering.
- Set up Umbra for agent secrets under your keys.