AegisAgent is an open-source, self-hostable security integrity layer and API firewall designed for autonomous AI agents and Model Context Protocol (MCP) tool execution. It acts as a zero-trust guardrail between your AI agent runtime (LangGraph, OpenAI Agents, Autogen, Custom) and external systems, preventing unauthorized actions caused by prompt injections, tool-use hijacking, and data exfiltration.
Traditional AI firewalls analyze prompts using probabilistic LLM-based text classifiers, which are prone to prompt-injection bypasses. AegisAgent introduces deterministic, cryptographic security mechanisms to secure agent actions:
| Security Vector | Generic Gateway / Scanners | AegisAgent Security Moat |
|---|---|---|
| Human-in-the-Loop (HITL) | Simple approval prompts (vulnerable to TOCTOU / parameter modification) | Approval Integrity: Human approvals are bound to a SHA-256 hash of the frozen action parameters. The SDK fails closed on parameter tampering. |
| Prompt Injection Defense | Probabilistic text scoring (Evadable, high latency) | Deterministic Trust-Provenance: Authorization gates on the source trust level of triggering content (6 tiers). Malicious inputs are blocked regardless of text shape. |
| Compliance Evidence | Text-based audit logs (Tamperable, unstructured) | Verifiable Action Receipts: Decision flows are stored in a per-tenant, tamper-evident hash chain, creating cryptographic proof for SOC 2. |
| Agent Autonomy | All-or-nothing execution | Active SOC Containment: Automated response loop detects repeated denials (deny-storms) and quarantines, freezes, or revokes agent keys in real-time. |
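The two deterministic gates in the table, provenance tiering and approval integrity, can be shown in a few dozen lines. The following is an added illustration, not code from the AegisAgent SDK: the six tier names, the `aegis-action-v1` domain separator and the JCS-style canonicalization (sorted keys, no whitespace, standing in for `aegis-jcs-1`, whose exact rules are not given here) are all assumptions of this example. The point it makes is that the human approves a hash of frozen parameters, so a parameter changed between approval and execution (the TOCTOU case) is rejected without any text analysis, and untrusted provenance is denied before the approval step is even reached.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical trust tiers, lowest first. The project uses six tiers but this
# example's names are assumptions, not the project's own labels.
TRUST_TIERS = {
    "untrusted_external": 0,   # e.g. text quoted from a public issue or web page
    "third_party_tool": 1,
    "internal_document": 2,
    "verified_tool": 3,
    "system_prompt": 4,
    "operator": 5,
}


def canonicalize(params: dict) -> bytes:
    """JCS-style canonical JSON (RFC 8785 flavour): sorted keys, no insignificant
    whitespace, UTF-8. Stand-in for aegis-jcs-1; key order must not change the hash."""
    return json.dumps(params, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def action_hash(tool: str, params: dict) -> str:
    """SHA-256 over the tool name and the frozen, canonicalized parameters."""
    h = hashlib.sha256()
    h.update(b"aegis-action-v1\x00")          # domain separator (assumed for this example)
    h.update(tool.encode("utf-8") + b"\x00")
    h.update(canonicalize(params))
    return h.hexdigest()


@dataclass(frozen=True)
class Approval:
    tool: str
    action_hash: str
    approver: str


def grant_approval(tool: str, params: dict, approver: str) -> Approval:
    """What the human signs off on is the hash, not the mutable parameter dict."""
    return Approval(tool=tool, action_hash=action_hash(tool, params), approver=approver)


def approval_matches(approval: Optional[Approval], tool: str, params: dict) -> bool:
    """Fail closed: a missing approval, a different tool, or any difference in the
    recomputed hash means the approval does not cover this exact action."""
    if approval is None or approval.tool != tool:
        return False
    return hmac.compare_digest(approval.action_hash, action_hash(tool, params))


def authorize(tool: str, params: dict, provenance: str, approval: Optional[Approval] = None,
              min_tier: str = "verified_tool", needs_approval: bool = True) -> Tuple[str, str]:
    """Deterministic gate returning (decision, reason). Provenance is checked first so
    content below the required tier never reaches the approval step, whatever it says."""
    tier = TRUST_TIERS.get(provenance)
    if tier is None:
        return "deny", "unknown provenance"
    if tier < TRUST_TIERS[min_tier]:
        return "deny", f"provenance {provenance} is below required tier {min_tier}"
    if not needs_approval:
        return "permit", "no human approval required for this tool"
    if approval is None:
        return "approval_required", f"awaiting human approval of {action_hash(tool, params)}"
    if not approval_matches(approval, tool, params):
        return "deny", "approval does not match the frozen parameters (possible tampering)"
    return "permit", f"approved by {approval.approver}"


if __name__ == "__main__":
    merge = {"repo": "acme/api", "pr": 42, "action": "merge"}   # constructed sample
    print(authorize("github.merge_pr", merge, "untrusted_external"))
    ok = grant_approval("github.merge_pr", merge, "alice")
    print(authorize("github.merge_pr", merge, "operator", ok))
    print(authorize("github.merge_pr", dict(merge, pr=43), "operator", ok))
```

The comparison uses `hmac.compare_digest` rather than `==` so that hash verification is constant-time, and the canonicalization step is what makes the hash stable across SDKs: a Python dict and a JavaScript object with the same keys in a different order must produce the same `action_hash`, otherwise cross-language approvals would spuriously fail closed.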
AegisAgent implements the Two-Plane Principle to isolate synchronous decision-making from asynchronous security monitoring, ensuring sub-75ms response latency:
```mermaid
graph TD
    subgraph Inline Plane [Inline Decision Plane - Synchronous < 75ms]
        A[Agent Runtime] -->|1. Wrap Tool| B[Aegis SDK]
        B -->|2. Compute action_hash| B
        B -->|3. Authorize| C[Aegis Gateway]
        C -->|4. Evaluate ABAC| D[Cedar Policy Engine]
        D -->|5. Permit / Deny / Approval| C
        C -->|6. Decision + Receipt| B
        B -->|7. Enforce Fail-Closed| B
    end
    subgraph Async Plane [Async SOC Monitoring Plane - Out-of-Band]
        C -.->|8. Emit Security Event| E[Event Bus]
        E --> F[Detection Engine]
        F --> G[Correlation Engine]
        G -->|9. Alerts & Timeline| H[SOC Console]
        G -->|10. Active Containment| I[Response Engine]
        I -->|11. Freeze / Revoke / Quarantine| C
    end
```
Every decision flows through the Inline Plane to enforce permissions, while the Async SOC Plane processes security telemetry out-of-band to detect exfiltration, deny-storms, and anomalies without delaying agent execution.
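Steps 8 to 11 of the async plane, deny-storm detection feeding active containment, are illustrated below. This is an added example, not AegisAgent's detection or response engine: the 60-second window, the three escalation thresholds, the `READ_ONLY_TOOLS` allowlist that quarantine restricts an agent to, and the sample events are all constructed assumptions. What it demonstrates is the shape of the loop: the gateway only emits events, the response engine counts denials per agent key in a sliding window and escalates monotonically (quarantine, freeze, revoke), and the gateway consults the resulting state on its next inline decision, so detection never adds latency to the call that triggered it.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical containment playbook; thresholds are assumptions for this example.
WINDOW_SECONDS = 60.0
QUARANTINE_AT = 3     # denials inside the window -> quarantine (read-only tools only)
FREEZE_AT = 5         # -> freeze (no tool calls at all)
REVOKE_AT = 8         # -> revoke the agent key
ESCALATION = ["active", "quarantined", "frozen", "revoked"]   # only ever moves right
READ_ONLY_TOOLS = {"github.get_pr", "github.list_files"}     # constructed allowlist


@dataclass(frozen=True)
class SecurityEvent:
    ts: float          # seconds
    agent_key: str
    tool: str
    decision: str      # "permit" | "deny"


class ResponseEngine:
    """Consumes gateway events out-of-band and keeps a per-key containment state."""

    def __init__(self, window: float = WINDOW_SECONDS):
        self.window = window
        self._denials: Dict[str, deque] = {}
        self.state: Dict[str, str] = {}

    def observe(self, ev: SecurityEvent) -> Optional[str]:
        """Ingest one event; return the new containment action, if any."""
        if ev.decision != "deny":
            return None
        q = self._denials.setdefault(ev.agent_key, deque())
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:     # drop denials outside the window
            q.popleft()
        n = len(q)
        target = "active"
        if n >= REVOKE_AT:
            target = "revoked"
        elif n >= FREEZE_AT:
            target = "frozen"
        elif n >= QUARANTINE_AT:
            target = "quarantined"
        current = self.state.get(ev.agent_key, "active")
        if ESCALATION.index(target) > ESCALATION.index(current):
            self.state[ev.agent_key] = target
            return target
        return None

    def gateway_allows(self, agent_key: str, tool: str) -> bool:
        """What the inline plane checks before evaluating policy for a key."""
        st = self.state.get(agent_key, "active")
        if st == "active":
            return True
        if st == "quarantined":
            return tool in READ_ONLY_TOOLS
        return False                                 # frozen or revoked


def replay(events: List[SecurityEvent]) -> Tuple[List[Tuple[int, str, str]], Dict[str, str]]:
    """Feed a sorted event stream through the engine; return (actions, final states)."""
    engine = ResponseEngine()
    actions = []
    for i, ev in enumerate(events):
        action = engine.observe(ev)
        if action:
            actions.append((i, ev.agent_key, action))
    return actions, dict(engine.state)


def constructed_events() -> List[SecurityEvent]:
    """Constructed sample: agent_a is hijacked and hammers a denied tool once per
    second; agent_b has two unrelated denials far apart plus a normal permit."""
    evs = [SecurityEvent(float(i), "agent_a", "github.merge_pr", "deny") for i in range(8)]
    evs += [
        SecurityEvent(0.5, "agent_b", "github.merge_pr", "deny"),
        SecurityEvent(3.5, "agent_b", "github.get_pr", "permit"),
        SecurityEvent(200.0, "agent_b", "github.merge_pr", "deny"),
    ]
    return sorted(evs, key=lambda e: e.ts)


if __name__ == "__main__":
    for step in replay(constructed_events())[0]:
        print(step)
```

Escalation is deliberately one-directional: a burst of permits after a deny-storm does not un-quarantine a key, because a hijacked agent can trivially generate benign-looking calls. Lifting containment is a human (SOC console) action in this model.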
Run with Docker:

```bash
git clone https://github.com/lavkushry/AegisAgent.git
cd AegisAgent
docker compose up --build
```

Build from source:

```bash
git clone https://github.com/lavkushry/AegisAgent.git
cd AegisAgent
cargo build --release
```

Install the Python SDK:

```bash
pip install aegisagent
```

Experience AegisAgent's security gate preventing a simulated prompt-injection attack in under 5 minutes:
```bash
git clone https://github.com/lavkushry/AegisAgent.git
cd AegisAgent
docker compose up --build
```

Ensure the gateway is healthy in another terminal:

```bash
curl http://127.0.0.1:8080/health
# {"status":"healthy","version":"0.1.0","db":"up"}
```

Initialize configurations, mock GitHub actions, and demo keys:

```bash
bash scripts/seed-demo.sh
```

This demo simulates a malicious external user trying to hijack a coding agent to merge a PR. AegisAgent detects the untrusted external provenance and blocks it deterministically:

```bash
python3 examples/github-attack-demo.py
```

Output: `AegisAgent blocked the malicious merge attempt (untrusted external provenance)`

Retrieve the tamper-evident audit record generated for the blocked action:

```bash
curl -H "Authorization: Bearer tenant_123" http://127.0.0.1:8080/v1/audit/events
```

AegisAgent provides unified, multi-language SDK support. Every SDK implements `aegis-jcs-1` JSON canonicalization and performs fail-closed verification:
- Python (Reference SDK): `sdk-python/`: supports async clients, `@protect_tool` decorators, CLI utilities, and evidence packaging.
- TypeScript / Node.js: `sdk-typescript/`: fully typed, zero-dependency canonicalization wrapper.
- Go: `sdk-go/`: idiomatic Go client with context-based cancellation and management routing.
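The audit record fetched from `/v1/audit/events` above is described as a per-tenant, tamper-evident hash chain, and every SDK canonicalizes receipts the same way. The block below is an added example of how such a chain is built and verified; it is not the project's receipt format or its `aegis-jcs-1` implementation. The `aegis-receipt-v1` domain separator, the receipt fields, the JCS-style canonicalization and the three sample decisions for `tenant_123` are constructed for the example. It goes slightly beyond the page by showing the three failure modes a verifier must catch: an edited receipt, an edited receipt whose hash was recomputed, and a deleted receipt.

```python
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, List, Tuple

GENESIS = "0" * 64   # prev-hash of the first receipt in every tenant's chain


def canonicalize(obj: Any) -> bytes:
    """JCS-style canonical JSON (stand-in for aegis-jcs-1): sorted keys, no whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def receipt_hash(body: Dict[str, Any]) -> str:
    """The hash covers the whole body, including tenant, seq and prev, so edits,
    reordering, deletion and cross-tenant transplants all break the chain."""
    return hashlib.sha256(b"aegis-receipt-v1\x00" + canonicalize(body)).hexdigest()


class ReceiptChain:
    """One append-only chain per tenant."""

    def __init__(self, tenant: str):
        self.tenant = tenant
        self.receipts: List[Dict[str, Any]] = []

    def append(self, decision: Dict[str, Any]) -> Dict[str, Any]:
        prev = self.receipts[-1]["hash"] if self.receipts else GENESIS
        body = {"tenant": self.tenant, "seq": len(self.receipts), "prev": prev, **decision}
        rec = {"body": body, "hash": receipt_hash(body)}
        self.receipts.append(rec)
        return rec

    def head(self) -> str:
        """Publish or escrow this value externally to anchor the chain."""
        return self.receipts[-1]["hash"] if self.receipts else GENESIS


def verify_chain(receipts: List[Dict[str, Any]], tenant: str) -> Tuple[bool, int]:
    """Return (ok, index): index is the first bad receipt, or the length if ok."""
    prev = GENESIS
    for i, rec in enumerate(receipts):
        body = rec.get("body", {})
        if body.get("tenant") != tenant or body.get("seq") != i or body.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(rec.get("hash", ""), receipt_hash(body)):
            return False, i
        prev = rec["hash"]
    return True, len(receipts)


def build_demo_chain() -> ReceiptChain:
    """Constructed sample decisions mirroring the quick-start demo."""
    chain = ReceiptChain("tenant_123")
    chain.append({"tool": "github.get_pr", "action_hash": "a" * 64, "decision": "permit",
                  "provenance": "verified_tool"})
    chain.append({"tool": "github.merge_pr", "action_hash": "b" * 64, "decision": "deny",
                  "provenance": "untrusted_external"})
    chain.append({"tool": "github.list_files", "action_hash": "c" * 64, "decision": "permit",
                  "provenance": "operator"})
    return chain


def tamper_demos() -> Dict[str, Tuple[bool, int]]:
    """Verify the intact chain and three tampered copies of it."""
    chain = build_demo_chain()
    edited = copy.deepcopy(chain.receipts)          # 1. flip the denial to a permit
    edited[1]["body"]["decision"] = "permit"
    rehashed = copy.deepcopy(edited)                # 2. same, but recompute that receipt's hash
    rehashed[1]["hash"] = receipt_hash(rehashed[1]["body"])
    deleted = [chain.receipts[0], chain.receipts[2]]   # 3. drop the denial entirely
    return {
        "intact": verify_chain(chain.receipts, chain.tenant),
        "edited": verify_chain(edited, chain.tenant),
        "rehashed": verify_chain(rehashed, chain.tenant),
        "deleted": verify_chain(deleted, chain.tenant),
    }


if __name__ == "__main__":
    for name, result in tamper_demos().items():
        print(f"{name:9s} -> {result}")
```

Note what the chain does and does not give you: an attacker with write access to storage can rewrite receipt 1 and every receipt after it, which is why `head()` exists. Recording the head hash somewhere the storage owner cannot change (an external log, a signed export) turns the chain from tamper-evident-within-itself into evidence an auditor can check against an independent anchor.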
AegisAgent is built in Rust for raw speed and security, featuring rigorous unit, integration, and cross-language compatibility tests:
```bash
# Setup development environment (formatting, linters, pre-commit hooks)
make setup
# Run the complete test suite (Rust, Python, TS, Go)
make check
```

Detailed strategies, reassessments, and technical specifications:
- Market Gap Reassessment: rationale behind the security integrity positioning.
- Technical Architecture Design: cryptographic details, database models, and API contracts.
- Agent SOC Design Specification: asynchronous detection rules and containment playbooks.
- Verifiable Receipt Specification: hash-chain specifications for SOC 2 audits.
- Feature Parity & PR History: detailed changelogs and ticket history.
Contributions are welcome! Please read CONTRIBUTING.md to understand development conventions.
If you discover a security vulnerability, please do not open a public issue. Follow our SECURITY.md guidelines to privately disclose the issue to our security team.
AegisAgent is open-source and licensed under the MIT License.
