Open-source · MIT · v0.1.0

The runtime safety layer for AI agents.

Every tool call — classified, gated, audited. Zero code change.

Same code either way.

live cockpit.aegis.dev / acme · decisions last 24h · 14,829 calls
  • 12:47:09 support-bot send_email to: alice@acme.dev allow email-allowlist
  • 12:47:02 orchestrator db_query DROP TABLE users block sql-injection
  • 12:46:58 crew-research http_post https://3rwk.unknown-host pending anomaly · 0.83
  • 12:46:41 support-bot search_kb "refund policy 30d" allow
  • 12:46:30 coding-asst file_write /etc/passwd block file-access
  • 12:46:11 finance-bot transfer amount: $47,200 pending high-value-tx

Works with the agents you already ship — incl. LangGraph, AutoGen, Mastra

What you see

Every tool call, in one view.

One dashboard surfaces every agent decision, every block, every anomaly — across every workflow you ship.

Cockpit — overview dashboard with 24h activity curve, branded agent feed, and recent traces

What it does

From pre-deploy scan → runtime block → forensic audit.

Pre-deploy scan

Read your repo before it ships.

Point AEGIS at any agent codebase. Tree-sitter AST across Python / JS / TS finds every tool call, every framework, every credential — and proposes a starting policy before the first deploy.

aegis scan ./acme-agent
  • Analyzed 24 files (Python + TS) 1.4s
  • Detected framework LangGraph 0.2.4 0.3s
  • Found 7 tools · 3 HIGH-risk 0.6s
  • Mapped workflow · 3 agents, 12 edges 0.4s
  • Proposing starter policy bundle… 0.8s

Plain English → Policy

Describe what to block. We write the rule.

No DSL to learn. Type one sentence — "block emails to personal addresses during checkout" — and AEGIS emits a grammar-constrained policy your gateway can enforce instantly. Auditable, reversible, version-controlled.

Describe the rule

Block emails to personal addresses during checkout flow. Allow ops@acme.io but flag anything to gmail, outlook, or icloud.

Generated policy

rule: "block-personal-email-in-checkout"
when:
  - tool.name == "send_email"
  - context.workflow == "checkout"
recipient:
  deny: ["@gmail.com", "@outlook.com", "@icloud.com"]
  allow: ["@acme.io"]
action: BLOCK

Runtime block

Every tool call, classified in < 50ms.

The same gateway that serves your agents enforces every policy. Allow, escalate, block — decided before the call ever leaves your network. PII redacted, anomalies surfaced, every decision cryptographically chained.

Cockpit — real-time agent activity feed

Forensic audit

Violations grouped by policy, by risk.

Every block lands in a Merkle-chained log. Group by policy to find the rule that's actually firing. Filter by CRITICAL / HIGH / MEDIUM / LOW. Hand the same pack to your auditor that you'd hand to an incident responder.

Cockpit — violations grouped by policy with risk levels
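
An added example, not AEGIS code: a minimal RFC 6962 Merkle tree over constructed decision records, showing how an auditor can check that one decision is included under a published root and that an edited record fails the check. The record encoding and all function names are assumptions; the page does not describe the AEGIS log format.

```python
import hashlib

# Constructed sample records modelled on the decision feed shown on this page.
# The byte encoding of a record is an assumption; the page does not specify one.
RECORDS = [
    b"12:46:11 finance-bot transfer pending high-value-tx",
    b"12:46:30 coding-asst file_write /etc/passwd block file-access",
    b"12:46:41 support-bot search_kb allow",
    b"12:46:58 crew-research http_post pending anomaly",
    b"12:47:02 orchestrator db_query block sql-injection",
    b"12:47:09 support-bot send_email allow email-allowlist",
]

def leaf_hash(record):       # 0x00 prefix: a leaf can never be passed off as a node
    return hashlib.sha256(b"\x00" + record).digest()

def node_hash(left, right):  # 0x01 prefix for interior nodes
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n):               # largest power of two strictly below n
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(records):
    if len(records) <= 1:
        return leaf_hash(records[0]) if records else hashlib.sha256(b"").digest()
    k = _split(len(records))
    return node_hash(merkle_root(records[:k]), merkle_root(records[k:]))

def audit_path(index, records):
    """Sibling hashes, leaf to root, that prove records[index] is in the tree."""
    if len(records) <= 1:
        return []
    k = _split(len(records))
    if index < k:
        return audit_path(index, records[:k]) + [merkle_root(records[k:])]
    return audit_path(index - k, records[k:]) + [merkle_root(records[:k])]

def verify_inclusion(record, index, tree_size, path, root):
    """Recompute the root from one record and its audit path; no other records needed."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf_hash(record)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn and not fn & 1:  # skip levels where this node has no right sibling
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
```

The verifier needs only the record, its index, the tree size, the audit path and a root obtained independently of the log operator, which is the role a witness plays.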

Agent registry

Know which agents are alive — and who owns them.

Every agent registers once and stays accountable: status, owner, scope, secret rotation, last-seen environment. One place to suspend a misbehaving agent, rotate a key, or grant a new scope.

Cockpit — agent registry with status, owner, scope, last-seen brand

Coverage

Know what's protected — and what's still bare.

Pull up a per-agent coverage report at any time: which tools are policy-gated, which categories have only audit coverage, which CVE detectors are subscribed. No mystery gaps when the auditor asks "what's enforced?"

Cockpit — policy coverage report by agent and tool category

5-minute integration

Two env vars. No SDK rewrite.

Before

import openai
client = openai.OpenAI(
  api_key="sk-xxxx"
)

After (env only)

OPENAI_BASE_URL=https://gateway.aegis.dev/openai/v1
AEGIS_API_KEY=aeg_xxx

# code unchanged

vs. the category

What others don't ship.

Capability | AEGIS | Others
Cryptographic audit (Merkle + witness) | RFC 6962, built-in | none
Sequence-aware anomaly | n-gram LM, per-agent | single-call only
Multi-agent collusion | burst / relay / cycle | single-agent only
Workflow → per-node policy | 5 frameworks | none
Counterfactual explainer | verified by re-validation | partial
AST scan rules | tree-sitter + YAML | regex only
GenAI OTel semconv | full | proprietary
SCIM + SAML + OIDC | all three | one or the other
Policy effectiveness scoring | P/R/F1 + retire signal | none
License | MIT | closed