For coding agents

Paste one prompt into Claude Code, Cursor, or any other coding agent. Iqrar walks itself into your repo, wraps every AI agent it finds, and gives you instant self-reporting observability — plus jurisdiction-aware regulation hooks where they're available.

What this gives you

Two things, after one paste:

Instant self-reporting observability for every AI agent in your codebase. Each wrapped agent streams metadata — latency, model, token usage, error rate — to a live dashboard from the moment it runs. No instrumentation code, no per-call boilerplate, one wrap call at the construction site. This is the primary win today.
Jurisdiction-aware regulation visibility. The agent runtime loads a Foundation-signed rule bundle modelling the regulations of the country your company operates in — so your agents become aware of obligations like POPIA personal-data rules in South Africa, or UAE AI Act risk-tier requirements in the UAE, as they run.

We are not yet live with the regulators themselves. Authority co-signature on these bundles is on the roadmap, being built on the Iqrar Foundation platform separately from this SDK. Until that ships, regulation visibility is a useful and growing secondary surface — your agents already know what POPIA, FICA, or the UAE AI Act expect of them — but observability is the main reason to integrate today.

The prompt is self-sufficient — every API spec, capability table, SDK config, and the exact wire format of the metadata that leaves your machine are inlined in the prompt itself. There are no external doc fetches required, so the flow works even when a coding-agent harness blocks WebFetch.

Have a coding agent do this for you

One click — pastes the full self-contained onboarding flow into your coding agent.

Supported jurisdictions

Code	Jurisdiction	Status
`AE`	United Arab Emirates	Foundation-signed bundle modelling UAE AI Act 2026. Authority co-signature on roadmap.
`ZA`	South Africa	Foundation-signed stitched IFWG bundle covering POPIA / FSCA / NCR / FICA. Per-authority bundles in flight.
`EU`	European Union	Rules loaded, bundle signature pending. Runtime hooks not yet enforced.
`DEMO`	Anything else	Full observability today; regulation hooks no-op until your jurisdiction's bundle ships.

None of these bundles are co-signed by the authorities themselves yet — that's the roadmap, being built on the Iqrar Foundation platform separately from this SDK. What you get today is a Foundation-signed bundle that models each authority's published regulations, so the agents become aware of what the law expects of them as they run. If your jurisdiction isn't on this list, you still get the full observability surface — and we'd like to know which one to prioritise. The prompt asks; your answer flows back to us through the audit chain.

What leaves your machine at runtime

The wrap() call captures metadata only per agent invocation. It does not capture, log, or transmit prompt text, completion text, tool inputs, tool outputs, user data, or source-file contents. Each completed invocation POSTs an event like:

{
  "type": "agent.invocation.complete",
  "ts": 1746728400000,
  "agent_id": "agent_a1b2c3",
  "rule_hash": "sha256:b91…e0",
  "payload": {
    "args_count": 2,
    "duration_ms": 847,
    "model": "claude-sonnet-4-6",
    "prompt_tokens": 1240,
    "completion_tokens": 312,
    "total_tokens": 1552
  }
}

That's the entire wire payload. Token counts are extracted from the model-response object the agent already produced — only the counts leave; the response itself stays local. The build-time repo scan POSTs file paths and detected framework labels only — not source contents — and only after the developer approves.

The SDK is MIT-licensed and ships its full source in the tarball. The prompt walks the agent through verifying the SHA-256, extracting the tarball, and reading the wrap() implementation before installing — so the metadata-only claim above is verifiable in code, not just text.

What happens when you run it

Q&A — three questions, ~30 seconds. Captured as the first events in your audit chain.
Onboarding session opens — you get a view_url immediately. Open it in another tab and watch the chain build.
Repo scan — the agent reports every framework it found, the agents within them, and the risk tier each would fall into for your jurisdiction. You see your tier before installing anything.
SDK install — one dependency, one wrap per agent, one .env line. Diff-gated.
First telemetry — start your dev server. Each agent self-registers in IQRAR_ENV=dev mode. The view_url updates live.

You write zero integration code. Your call sites don't change. Internal copilots, eval scripts, and operator pipelines are all in scope — Tier 1 covers them with no consumer-disclosure obligations.

View the prompt

The pinned, versioned source lives at . Open it to read the full contract — the API wire format, capability taxonomy, repo-scan detection rules, the metadata-only telemetry shape, and the safety guards are all there in plain text.

The version suffix bumps when the contract changes, so a coding agent that fetched v1 mid-session won't be derailed by a future v2.

Manual fallback

If you'd rather wire it up by hand or pin the prompt to a specific version:

Read
Pick a framework on the
Or call the directly

The pinned prompt URL is https://iqrar.io/prompts/onboarding-v1.txt. The version suffix bumps when the flow changes, so a coding agent running a session today won't be derailed by a future revision.