✈️ 💳 📧

"Buy a Ticket BOS → NYC, Charge My Amex"

One sentence. Three connectors. Policy enforcement at every level.

See exactly how ContextWeaver processes this request — from AI Hub to Stripe charge to email confirmation.

First, Let's Understand What's Happening

💬 You type one sentence:
"Book a flight from Boston to New York and charge my Amex"

That's it. You don't click through screens. You don't open a travel website. You don't open your credit card app. You don't write an email. You just say what you want.

🤖 The AI does 4 things automatically:
📋
1. Checks the rules
"Am I allowed to buy this?"
✈️
2. Searches flights
Finds options within your budget
💳
3. Charges your card
Pays with your Amex via Stripe
📧
4. Emails confirmation
Sends receipt + calendar invite
📋 But wait — who sets "the rules"?

In any company, different people have different spending limits. Your company probably has rules like:

🏢
Company Rules
"Max $5,000/month on travel"
"Economy class only"
Applies to everyone
👥
Team Rules
"Engineering: max $500/flight"
"Sales: max $2,000/flight"
Applies to your team
👤
Your Preferences
"I prefer Delta airlines"
"I like aisle seats"
Applies to only you

A manager uploads these rules from any data source — documents, web pages, wikis, databases, or even pasted text. Each source is chunked, vectorized, and indexed for semantic search. No coding required. The AI searches these indexes before every action and enforces them automatically.

📚 What is "RAG"? (The simplest explanation)

RAG stands for Retrieval-Augmented Generation. Sounds fancy. Here's what it really means:

📄
Step 1: Store
Manager uploads "travel-policy.pdf"
System reads and remembers it
🔍
Step 2: Search
Before any purchase, AI asks:
"Any rules about flights?"
🛑
Step 3: Enforce
Finds: "Max $500 for engineers"
Blocks anything over $500

Think of it like a smart filing cabinet. Your company's rules are filed away. Before the AI does anything, it opens the cabinet, reads the relevant rules, and follows them.

The magic: the rules come from any data source — documents, web pages, wikis, databases, blob storage. Each source is chunked, embedded into vectors, and stored in searchable AI indexes. Change the source, and the AI's behavior changes instantly. No developers needed. No code deployments.

🔒 What about passwords and API keys?

The AI needs to log into Stripe to charge your card, and into Gmail to send your email. But different people have different accounts. How does it know which one to use?

👤 Your keys
Personal Gmail, etc.
→ not found? →
👥 Team keys
Sales Stripe acct, etc.
→ not found? →
🏢 Company keys
Default Stripe, etc.

It checks your personal vault first. If you haven't set up your own key, it checks your team's. If your team hasn't set one up either, it uses the company default. Like a waterfall — it flows down until it finds what it needs.

🎯 Putting it all together

When you say "Book a flight and charge my Amex", here's what happens in about 5 seconds:

  1. The AI reads your company's rules — finds your budget limit ($500), required class (economy), your preferences (Delta, aisle seat)
  2. Searches flights that fit those rules — only shows you economy flights under $500 on Delta
  3. Grabs the right Stripe key — your personal? your team's? company default? (waterfall)
  4. Finds your Amex card — looks up your saved cards in Stripe, picks the Amex
  5. Charges it — $189 to your Amex for Delta BOS→JFK
  6. Sends you an email — confirmation + adds it to your Google Calendar

One sentence in. Flight booked, card charged, email sent, calendar updated. Rules followed. No screens. No forms.

The Complete Architecture (Technical View)

Every box below is a real component running in ContextWeaver. Follow the arrows to see how a single sentence becomes a booked flight.

🧠 AI Hub (User Interface)
User types: "Book a flight BOS to NYC and charge my Amex"
Authenticated as alice@acme.com • Group: Engineering • Role: developer
🤖 Agent (LLM Orchestrator)
Sees 33 tools from all plugins. LLM decides which tools to call and in what order.
1. Search policies (RAG) 2. Search flights (Travel) 3. Charge card (Payments) 4. Send email (Email)
🔌 MCP Server (Tool Execution Engine)
Single FastMCP instance hosting all plugin tools. Receives tool calls from Agent via Streamable HTTP.
Extracts _user_email=alice@acme.com from every request → per-user credential resolution
Travel Plugin
4 tools
travel-proxy-discover
travel-proxy-call
travel-proxy-list
travel-proxy-status
Payments Plugin
10 tools
payments-charge ⬅ used here
payments-list-cards
payments-add-card
+ 7 more tools
Email Plugin
13 tools
email-send ⬅ used here
email-calendar-create
+ 11 more tools
cw-travel-proxy (shared): Upstream MCP server URL + auth token
cw-payments (shared): Stripe API key (org default, group/user override)
cw-email (per-user): Each user’s own Gmail/Outlook credentials
Vault (Credentials)
🏢 cw-org-cw-payments-secret-key → Org Stripe key
👥 cw-grp-engineering-cw-payments-secret-key → Eng Stripe key
👤 cw-pvt-alice-cw-email-app-password → Alice’s Gmail
Cascade: User → Group → Org (first found wins)
RAG Indexes (Policies)
🏢 cw-payments-policy-org → "Max $5000/month"
👥 cw-payments-policy-engineering → "Max $500/purchase"
👤 prefs-alice → "Prefer Amex, aisle seat"
Merge: All tiers apply. Org/Group = hard limits. User = preferences.

Step-by-Step Call Flow

Step 1 Agent searches for policies (RAG)
Before doing anything, the agent checks: "Are there rules about purchasing?"
search_all(query="travel purchase policy flight booking")
✅ [ORG_POLICY] "Company travel policy: Max $5,000/month, economy class only"
✅ [GROUP_POLICY] "Engineering: Max $500/flight, pre-approval for international"
✅ [USER_PREFERENCE] "Alice prefers Amex card, aisle seat, Delta airlines"
Step 2 Agent searches flights (Travel Plugin)
Searches with policy constraints applied: economy, under $500, prefer Delta
travel-proxy-call(tool="search_flights", args={from:"BOS", to:"NYC", class:"economy"})
→ Connector resolves: Alice’s vault → Engineering vault → Org vault for travel API key
→ Returns 3 Delta flights under $500
Step 3 Agent validates against policy
Flight: Delta DL 2847, BOS→JFK, $189 economy
✅ $189 < $500 group limit
✅ Economy class (org policy)
✅ Domestic (no pre-approval needed)
✅ Delta (user preference)
Step 4 Agent charges Amex (Payments Plugin)
payments-charge(amount=189, card="amex", description="Delta DL2847 BOS-JFK")
→ Connector resolves Stripe key: Alice’s vault (none) → Engineering vault (none) → Org vault
→ Finds Alice’s Stripe Customer ID from private vault
→ Looks up saved cards, finds AMEX ****1005
→ Charges $189 to Amex via Stripe API
Step 5 Agent sends confirmation (Email Plugin)
email-send(to="alice@acme.com", subject="Flight Booked: BOS→JFK", body="...")
email-calendar-create(title="Flight BOS→JFK", date="2026-05-01 08:00")
→ Connector resolves: Alice’s private vault (per-user lock) ✅
→ Uses Alice’s Gmail OAuth token to send & create calendar event

Same Request, Different Users — Different Outcomes

Three people say the same thing. ContextWeaver enforces different policies for each.

"Book a flight BOS to NYC and charge my Visa"
👤 Alice Engineering • Developer • Budget: $500/flight
Policy found: Engineering max $500/flight
Flight: JetBlue B6-517, $149 economy ✅ Under limit
Stripe key: Org default (no personal/group override)
Card: Visa ****4242 (Alice’s saved card)
Result: ✅ Booked & charged $149
👤 Bob Sales • Account Exec • Budget: $2,000/flight
Policy found: Sales max $2,000/flight, business class OK
Flight: Delta DL-2847, $489 business ✅ Under limit, business allowed
Stripe key: Sales group Stripe account (group override)
Card: Visa ****8888 (Bob’s saved card)
Result: ✅ Booked & charged $489 to Sales Stripe
👤 Carol Engineering • Intern • Budget: $200/flight
Policy found: Engineering max $500/flight + Intern policy: max $200
Flight: Spirit NK-407, $89 economy ✅
But also found: JetBlue B6-517, $149 ✅ Under $200
Card: No Visa on file ⚠️
Result: ⚠️ "No Visa card found. Add one via Stripe Checkout: [link]"
👤 Dave Engineering • Developer • Tries: "Book first class $1,200"
Policy found: Engineering max $500 + Org: economy only
Result: ❌ BLOCKED — "$1,200 exceeds your group limit of $500. First class violates org economy-only policy. Request manager approval."
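
One way to apply the tier merge as a deterministic check before a payments-charge call, added here as an illustration and not taken from ContextWeaver. The Policy fields, the function names and the rule that a group's cabin-class list replaces the org default are assumptions; the dollar figures are the ones quoted on this page.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Policy:
    tier: str                                 # "org", "group" or "user"
    name: str
    max_per_flight: Optional[int] = None      # USD
    max_per_month: Optional[int] = None       # USD
    classes: Optional[FrozenSet[str]] = None  # allowed cabin classes
    prefer_airline: Optional[str] = None      # preference, never a limit

def effective_limits(policies: List[Policy]):
    """Merge tiers: only org and group documents can set hard limits."""
    hard = [p for p in policies if p.tier in ("org", "group")]
    per_flight = min((p.max_per_flight for p in hard
                      if p.max_per_flight is not None), default=None)
    per_month = min((p.max_per_month for p in hard
                     if p.max_per_month is not None), default=None)
    # Assumption: a group that states cabin classes replaces the org default
    # (this is what lets Bob's Sales policy allow business class on the page).
    by_tier = {t: [p.classes for p in hard if p.tier == t and p.classes is not None]
               for t in ("group", "org")}
    chosen = by_tier["group"] or by_tier["org"]
    classes = frozenset.intersection(*chosen) if chosen else None
    return per_flight, per_month, classes

def check_charge(policies: List[Policy], amount: int, cabin: str,
                 month_to_date: int = 0) -> Tuple[bool, List[str]]:
    """Gate to run before payments-charge; returns (allowed, reasons)."""
    per_flight, per_month, classes = effective_limits(policies)
    reasons = []
    if amount <= 0:
        reasons.append("amount must be positive")
    if per_flight is not None and amount > per_flight:
        reasons.append(f"${amount} exceeds per-flight limit of ${per_flight}")
    if per_month is not None and month_to_date + amount > per_month:
        reasons.append(f"monthly total would exceed ${per_month}")
    if classes is not None and cabin not in classes:
        reasons.append(f"{cabin} class is not permitted")
    return (not reasons, reasons)

# Constructed sample policies using the figures quoted on this page.
ORG = Policy("org", "cw-payments-policy-org", max_per_month=5000,
             classes=frozenset({"economy"}))
ENG = Policy("group", "engineering", max_per_flight=500)
INTERN = Policy("group", "intern", max_per_flight=200)
SALES = Policy("group", "sales", max_per_flight=2000,
               classes=frozenset({"economy", "business"}))
ALICE = Policy("user", "prefs-alice", prefer_airline="Delta")
# A user-tier document that states its own limit must have no effect.
USER_OVERRIDE = Policy("user", "prefs-dave", max_per_flight=10000)

if __name__ == "__main__":
    cases = [("Alice", [ORG, ENG, ALICE], 189, "economy"),
             ("Bob", [ORG, SALES], 489, "business"),
             ("Carol", [ORG, ENG, INTERN], 149, "economy"),
             ("Dave", [ORG, ENG, USER_OVERRIDE], 1200, "first")]
    for who, pols, amount, cabin in cases:
        print(who, check_charge(pols, amount, cabin))
```

Because the check reads only org and group tiers for limits, a preference document cannot raise a user's own ceiling, and the result does not depend on what the LLM concluded.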

How Credentials Cascade

👤 User Vault
Personal override
👥 Group Vault
Team override
🏢 Org Vault
Company default
Connector | Alice (Eng) | Bob (Sales) | Carol (Eng/Intern)
Stripe Key | 🏢 Org key (no override) | 👥 Sales group key | 🏢 Org key (no override)
Travel API | 🏢 Org key | 🏢 Org key | 🏢 Org key
Email/Gmail | 👤 Alice’s Gmail | 👤 Bob’s Outlook | 👤 Carol’s Gmail
Policy (RAG) | Org + Eng rules + prefs | Org + Sales rules + prefs | Org + Eng + Intern rules
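
The cascade above, including the per-user lock on the email connector, as an added example; this is not ContextWeaver's code. The key layout follows the vault names shown on this page; the hash behind the user segment, the `lock` parameter, the bob and carol addresses and all vault values are assumptions constructed for the illustration.

```python
import hashlib
from typing import Dict, Iterator, List, Tuple

class SecretNotFound(LookupError):
    """No secret exists at any tier this connector is allowed to read."""

def user_slug(email: str) -> str:
    # Assumption: the page writes "{alice-hash}" without naming the hash;
    # a truncated SHA-256 of the lower-cased address stands in for it here.
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()[:12]

def candidate_keys(connector: str, name: str, email: str, groups: List[str],
                   lock: str = "shared") -> Iterator[Tuple[str, str]]:
    """Yield (tier, vault key) in lookup order: user, then group, then org."""
    yield "user", f"cw-pvt-{user_slug(email)}-{connector}-{name}"
    if lock == "user":
        return  # per-user connector: never fall through to shared secrets
    for group in groups:
        yield "group", f"cw-grp-{group.lower()}-{connector}-{name}"
    yield "org", f"cw-org-{connector}-{name}"

def resolve(vault: Dict[str, str], connector: str, name: str, email: str,
            groups: List[str], lock: str = "shared"):
    """Return (tier, secret, trail). The trail holds key names, never values."""
    trail = []
    for tier, key in candidate_keys(connector, name, email, groups, lock):
        secret = vault.get(key)
        trail.append((key, "miss" if secret is None else "hit"))
        if secret is not None:
            return tier, secret, trail
    raise SecretNotFound(f"{connector}/{name}: tried {[k for k, _ in trail]}")

# Constructed vault contents; every value is a placeholder, not a real secret.
VAULT = {
    "cw-org-cw-payments-secret-key": "ORG_STRIPE_KEY_PLACEHOLDER",
    "cw-grp-sales-cw-payments-secret-key": "SALES_STRIPE_KEY_PLACEHOLDER",
    f"cw-pvt-{user_slug('alice@acme.com')}-cw-email-access-token":
        "ALICE_TOKEN_PLACEHOLDER",
    # A shared mailbox token that a per-user connector must never pick up.
    "cw-org-cw-email-access-token": "SHARED_MAILBOX_PLACEHOLDER",
}

if __name__ == "__main__":
    tier, _, trail = resolve(VAULT, "cw-payments", "secret-key",
                             "alice@acme.com", ["engineering"])
    print(tier, trail)
    try:
        resolve(VAULT, "cw-email", "access-token",
                "carol@acme.com", ["engineering"], lock="user")
    except SecretNotFound as exc:
        print("refused:", exc)
```

With the lock set, a user who has not connected a mailbox gets an error even though an org-level token exists, so mail is never sent from a shared account on that user's behalf.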

Deep Dive: Every Network Call (For the Curious)

Here is exactly what happens on the wire when Alice types "Book a flight BOS to NYC and charge my Amex". Every HTTP call, every vault lookup, every database query — in order.

🔐 Phase 1: Authentication (before anything happens)
1 Browser → Keycloak POST /realms/contextweaver/protocol/openid-connect/token Alice logs in via SSO (OIDC). Gets JWT access token.
2 Browser → Cerebro App GET /api/user/identity + Authorization: Bearer eyJ... App validates JWT, extracts: email=alice@acme.com, groups=[engineering], roles=[developer]
3 Cerebro App → MCP Engine POST /api/set-user + {"email":"alice@acme.com","groups":["engineering"]} Syncs user identity to the MCP engine so tool calls know who is calling
🔌 Phase 2: Tool Discovery
4 Agent → MCP Engine POST /mcp (Streamable HTTP) + X-User-Email: alice@acme.com
{"method":"tools/list"}
Discovers all 33 tools from 4 plugins. Returns tool names, descriptions, parameter schemas.
5 Agent → MCP Engine {"method":"resources/list"} Discovers available knowledge indexes for RAG search
6 Agent → Engine Dashboard GET /api/plugins Fetches system_prompt from each plugin manifest — policy enforcement instructions injected into LLM context
🧠 Phase 3: LLM Decides + Policy Check (RAG)
7 Agent → Azure OpenAI POST /openai/deployments/gpt-4o/chat/completions
System prompt includes: 33 tool definitions + policy enforcement rules + available indexes
LLM reads the prompt, decides: "I should check policies first, then search flights"
8 LLM returns tool call {"tool":"search_all","args":{"query":"travel flight purchase policy"}} LLM tells Agent to search knowledge indexes for policies
9 Agent → MCP Engine POST /mcp + {"method":"tools/call","params":{"name":"search_all","arguments":{"query":"travel flight purchase policy","_user_email":"alice@acme.com"}}} Agent injects _user_email into every tool call for per-user resolution
10 MCP Engine → Azure AI Search POST /indexes/cw-payments-policy-org/docs/search
POST /indexes/cw-payments-policy-engineering/docs/search
POST /indexes/prefs-a1b2c3d4e5f6/docs/search
Vector search across 3 scoped indexes. Results tagged: [ORG_POLICY], [GROUP_POLICY], [USER_PREFERENCE]
11 Results returned to LLM ORG: "Max $5000/mo, economy only" • GROUP: "Engineering max $500/flight" • USER: "Prefer Delta, Amex, aisle" LLM now knows: must be economy, under $500, prefer Delta
✈️ Phase 4: Flight Search
12 Agent → MCP Engine tools/call: travel-proxy-call(tool="search_flights", args={from:"BOS",to:"NYC",class:"economy"}) LLM constrained search to economy (org policy)
13 MCP Engine → Vault vault.read("cw-pvt-{alice-hash}-cw-travel-proxy-upstream-url") → miss
vault.read("cw-grp-engineering-cw-travel-proxy-upstream-url") → miss
vault.read("cw-org-cw-travel-proxy-upstream-url") → hit!
Credential cascade: tries user, then group, then org. Finds org-level travel API config.
14 MCP Engine → Travel API POST https://travel-api.example.com/mcp + Bearer token from vault Calls upstream travel MCP server with resolved credentials
💳 Phase 5: Payment (Stripe)
15 Agent → MCP Engine tools/call: payments-charge(amount=189, card="amex", description="Delta DL2847 BOS-JFK") LLM validated: $189 < $500 group limit ✅
16 MCP Engine → Vault vault.read("cw-pvt-{alice}-cw-payments-secret-key") → miss
vault.read("cw-grp-engineering-cw-payments-secret-key") → miss
vault.read("cw-org-cw-payments-secret-key") → hit! sk_test_...
Resolves Stripe API key via cascade
17 MCP Engine → Vault (private) vault.read("cw-pvt-{alice}-cw-payments-stripe-customer-id") → cus_abc123 Gets Alice’s personal Stripe Customer ID (created on first charge)
18 MCP Engine → Stripe API GET https://api.stripe.com/v1/payment_methods?customer=cus_abc123&type=card Lists Alice’s saved cards, finds AMEX ****1005
19 MCP Engine → Stripe API POST https://api.stripe.com/v1/payment_intents
amount=18900, currency=usd, customer=cus_abc123, payment_method=pm_xxx, confirm=true
Creates and confirms the payment. $189 charged to Amex.
📧 Phase 6: Email & Calendar
20 MCP Engine → Vault vault.read("cw-pvt-{alice}-cw-email-access-token") → hit! (Google OAuth) Email connector is locked: "user" — only checks private vault, no cascade
21 MCP Engine → Google OAuth POST https://oauth2.googleapis.com/token (refresh_token → new access_token) Access tokens expire hourly. Refresh before use.
22 MCP Engine → Gmail SMTP SMTP smtp.gmail.com:587 + XOAUTH2 auth
To: alice@acme.com • Subject: "Flight Booked: BOS→JFK"
Sends confirmation email from Alice’s own Gmail account
23 MCP Engine → Google Calendar API POST https://www.googleapis.com/calendar/v3/calendars/primary/events
{"summary":"Flight BOS→JFK","start":"2026-05-01T08:00:00"}
Creates calendar event on Alice’s Google Calendar
✅ Phase 7: Final Response
24 Agent → Azure OpenAI LLM sees all 4 tool results, generates natural language summary Final LLM call to compose the response
25 Agent → Browser (SSE) Streams response token-by-token to the chat UI User sees the answer appear in real-time
🤖 Agent Response:
Done! Here’s your booking summary:

✈️ Delta DL-2847 — BOS → JFK, May 1, 2026 at 8:00 AM
💳 $189.00 charged to your Amex ****1005 (Payment: pi_3xyz...)
📧 Confirmation sent to alice@acme.com
📅 Added to your Google Calendar

Policies applied: Engineering flight limit ($500 max), economy class (org policy), Delta preference (your settings).
Total calls: 25 • Auth: 3 • Discovery: 3 • LLM: 3 • RAG search: 3 • Vault lookups: ~12 • External APIs: 5 (Travel + Stripe ×2 + Gmail + Calendar) • Time: ~5 seconds

What Makes This Different

Capability | Traditional Apps | Other AI Platforms | ContextWeaver
User says one sentence | ❌ Click through 5 screens | ⚠️ Chat but can’t act | ✅ Searches, books, charges, emails
Multi-system orchestration | ❌ Separate apps | ⚠️ Hardcoded integrations | ✅ LLM chains tools from any plugin
Per-user credentials | ✅ Each user logs in | ❌ Shared API keys | ✅ Vault cascade: user → group → org
Policy enforcement | ✅ Code-enforced rules | ❌ No policy awareness | ✅ RAG-based: org + group + user tiers
Same request, different users | ✅ Role-based access | ❌ Same result for everyone | ✅ Different policies, credentials, outcomes
Add new capability | ❌ Months of development | ⚠️ API integration work | ✅ No-code: drag connector + attach to plugin
Card data security | ✅ PCI compliance | ❌ Often stores tokens | ✅ Stripe Checkout — card data never touches CW
Policy updates | ❌ Code changes + deploy | ❌ Prompt engineering | ✅ Ingest from any data source — instant policy enforcement via vectorized RAG

"But Is It Safe?" — Security & Trust FAQ

These are the most common concerns people have. Here's how ContextWeaver addresses each one.

💰 "The AI has access to so much financial data. How are pass codes protected?"

Short answer: The AI never sees your passwords, card numbers, or API keys.

What the AI NEVER sees
  • Credit card numbers (stored only in Stripe)
  • CVV codes (never stored anywhere)
  • Stripe API keys (resolved at runtime, not in prompts)
  • Gmail passwords or OAuth tokens
  • Any vault secret values
What actually happens
  • LLM says: "call payments-charge"
  • Engine resolves Stripe key from vault at runtime
  • Engine calls Stripe API directly
  • Key is in memory for milliseconds, never logged
  • LLM only sees: "$189 charged to AMEX ****1005"

Think of it this way: the AI is like a personal assistant who knows your name but not your PIN. It tells the bank what to do, but the bank handles the actual money. The assistant never touches cash.

💳 "Payment gateways — how safe are they? Can they be hacked?"

Short answer: We use Stripe, which is PCI DSS Level 1 certified — the highest security standard in the payments industry.

🏦
Stripe Handles Cards
Card numbers go directly to Stripe's servers via their hosted Checkout page. ContextWeaver never sees, transmits, or stores card numbers.
🔒
We Only Store a Reference
Our vault stores cus_abc123 (a Stripe customer ID) — not a card number. Even if someone accessed our vault, they'd get an ID that means nothing outside Stripe.
🛡️
Same as Amazon/Uber
This is the exact same security model used by Amazon, Uber, Shopify, and millions of other businesses. Stripe handles $1 trillion+ annually.

If a hacker breached ContextWeaver, what would they get? Encrypted vault entries containing Stripe customer IDs (useless without Stripe's API key) and policy documents (your travel rules — not financial data). No card numbers. No bank accounts. No passwords.

🗄️ "What about the personal vault? Where is that data stored?"

Short answer: The vault uses industry-standard secret managers — the same ones that protect bank infrastructure.

Vault Backend | Where Data Lives | Encryption | Who Uses It
Azure Key Vault | Microsoft Azure data center (your region) | AES-256 + HSM hardware | Banks, governments, Fortune 500
HashiCorp Vault | Your own servers or cloud | AES-256-GCM, Shamir sealing | Stripe itself, NASA, Adobe
AWS Secrets Manager | Amazon AWS data center | AWS KMS encryption | Netflix, Airbnb, Capital One
Local File (dev only) | Your machine (development/demo) | Not for production | Local testing only

In production, your vault is never on the same server as the AI. The AI requests a secret, uses it for one API call, then discards it. The secret is never written to disk, never included in logs, and never sent to the LLM.

🌐 "It depends on how third parties handle data. How do you ensure that?"

Short answer: We only use third parties that are independently audited and certified.

✅ What we verify about every third party
• SOC 2 Type II certified (security audit)
• GDPR compliant (data protection)
• PCI DSS certified (if handling payments)
• Data residency options (choose your region)
• Encryption at rest and in transit
📊 Data flow summary
Your policies/rules: Stored in Azure AI Search (your subscription, your region)
Your credentials: Azure Key Vault (your subscription)
Card data: Stripe (never in our systems)
Emails: Your Gmail/Outlook (your account)
LLM prompts: Azure OpenAI (your deployment, your data boundary)

Key principle: ContextWeaver is a conductor, not a warehouse. It orchestrates actions between systems you already trust (Stripe, Gmail, Azure) but never stores your actual financial or personal data itself. Your data stays where it already is — in the systems designed to protect it.

🔄 "What about pass codes when multi-tasking with just one instruction?"

Short answer: Each action uses its own isolated credential lookup. Nothing is shared between steps.

# User says ONE sentence, but internally:

Step 1: search_all() → no credentials needed (public RAG index)
Step 2: travel-search() → resolves travel API key from vault (used, then discarded)
Step 3: payments-charge() → resolves Stripe key from vault (used, then discarded)
Step 4: email-send() → resolves Gmail token from vault (used, then discarded)

# Each step is independent. Step 3 cannot see Step 4's Gmail token.
# The LLM never sees ANY of these credentials.

Even though you gave one instruction, each tool call is a separate, isolated execution. The Stripe key used in Step 3 is resolved fresh from the vault, used for that one API call, and immediately discarded. It's never passed to the email step, never stored in memory, and never sent back to the AI. Think of each step as a separate locked room — they can't see into each other.

🔒 Security in One Picture
🧠 AI (LLM)
Sees: tool names
Never sees: credentials
🔌 Engine
Resolves credentials
Uses & discards instantly
🗄️ Vault
Encrypted storage
Azure KV / HashiCorp
💳 Stripe
Card data lives here
PCI Level 1 certified

Your financial data never enters ContextWeaver. It stays in Stripe, Gmail, and your vault — systems designed and audited to protect it.

The Bigger Picture: A Lego System for Any Service

🧱 Every connector is a building block. Snap them together to build anything.

The travel example above used 3 connectors (Travel + Payments + Email). But ContextWeaver isn't a travel app — it's a platform for building any service by combining connectors like Lego blocks:

🏢
B2B Enterprise
Jira + GitHub + ADO + K8s + Datadog
= DevOps automation
🛒
B2C Commerce
Shopify + Stripe + Email + SMS
= AI shopping assistant
🏥
Healthcare
EHR + Lab + Pharmacy + Calendar
= Patient care coordinator
💰
FinTech
Banking API + Stripe + Plaid + Email
= AI financial advisor
🔌 Three ways to add any system to the platform:
🔧
Build New
Write a connector with tools.py
Direct API integration
e.g., Stripe, Gmail, GitHub
🔄
Proxy Existing MCP
Point to any MCP server
Inherit all its tools instantly
e.g., Expedia MCP, Amadeus MCP
Extend & Combine
Attach N connectors to 1 plugin
Mix-and-match capabilities
e.g., DevOps plugin uses Jira+GitHub+K8s
🔒 Enterprise-grade security at every level — B2B and B2C
🏢 B2B Enterprise
• Hierarchical policies (Org > Group > User)
• SSO with RBAC (manager/developer/viewer)
• Vault-backed credentials (Azure KV, HashiCorp)
• Audit trail for every action
• On-prem deployment option
👤 B2C Consumer
• PCI-compliant payments (Stripe Checkout)
• Card data never touches the platform
• Per-user credential isolation
• OAuth for Gmail, Calendar, social logins
• GDPR-compliant data handling

🧱 Build. Proxy. Extend. Combine. — Unlimited Possibilities.

Every popular application can become a connector. Every connector can be combined with others.
The result: any service imaginable — travel, DevOps, healthcare, finance, HR, logistics — built from the same secure, policy-aware platform.

The Bottom Line

One sentence. Three connectors. Policy-aware. Per-user credentials.
The AI searched flights, checked your budget, charged your card, and emailed your confirmation.
No screens. No forms. No code changes.

And this is just one combination. With enough connectors — built, proxied, or extended —
ContextWeaver becomes a Lego system for building any AI-powered service,
for B2B enterprise or B2C consumer, with enterprise-grade security built in.

© 2026 ContextWeaver — Enterprise RAG & Agentic AI Platform