Skip to content

    ● Aegis: Technical Architecture

    How Aegis
    works.

    Aegis is built on two planes — a data plane that enforces at the workload, and a control plane that governs the fleet — solving identity, attestation, and authorization with no compromises on performance or auditability.

    One control plane. Every workload enforced.

    The Policy Server is the single signing authority for the fleet. The Aegis SDK runs in-process at every workload — no sidecar, no network hop for policy evaluation — gating REST, Shell, and MCP calls at the trust boundary before anything leaves.

    Aegis architecture: control plane and data planeA Policy Server acts as the single control-plane authority, provisioning identity and signed policy to a fleet of workloads. Each workload runs the Aegis SDK in-process, gating its REST, Shell, and MCP calls at the trust boundary before anything leaves. An enterprise vault feeds credentials through the Policy Server, which the SDK injects per call — the agent never holds a long-lived token.BROKERS SECRETSSPIRE ID +SIGNED WASM POLICYSPIRE ID +SIGNED WASM POLICY↑ HASH-CHAINED AUDIT↑ HASH-CHAINED AUDIT
    Enterprise Vaultyour existing secrets store
    Policy ServerControl plane · one authority
    WORKLOAD

    Aegis SDK

    in-process · no sidecar · credential injected, never held

    TRUST BOUNDARY
    REST / HTTPchecked here
    Shellchecked here
    MCPchecked here
    WORKLOAD

    Aegis SDK

    in-process · no sidecar · credential injected, never held

    TRUST BOUNDARY
    REST / HTTPchecked here
    Shellchecked here
    MCPchecked here
    … AND EVERY OTHER WORKLOAD IN THE FLEET

    Three surfaces. One policy interface.

    REST, Shell, and MCP all speak different dialects. Aegis intercepts all three with a single policy engine.

    REST / HTTP

    requests · httpx · aiohttp

    What it sees

    A CallContext — method, host, path, tool, and arguments — built for every outbound HTTP call.

    Policy decides

    Re-authorized on the same OPA schema. A call to an unapproved host is denied before it is sent.

    Shell

    tool-type aware

    What it sees

    Execution type classified as HTTP, shell, or MCP; shell commands registered straight from policy.

    Policy decides

    Pre-execution callbacks can inspect or veto before any command runs.

    MCP

    client-session wrap

    What it sees

    Tool name, schema, and arguments on every outgoing MCP call — across stdio, SSE, and HTTP transports.

    Policy decides

    Each call authorized before it leaves the agent — closing the gap to un-vetted MCP servers.

    Aegis controls secrets, not the app.

    Tokens are injected at call time, configuration is encrypted at rest, and your enterprise vault stays the source of truth.

    Credential broker · platform-controlled, per call

    1

    App makes an outbound call — any Authorization header it set is stripped.

    2

    The interceptor fetches the credential scoped to (host, path, method, tool).

    3

    The platform token is injected, decrypted in memory via a per-agent HKDF key.

    The agent never holds a long-lived API token.

    Fronts your enterprise vaults

    HashiCorp Vault
    OpenBao
    AWS Secrets Manager
    Azure Key Vault
    Google Cloud
    CyberArk Conjur
    Thales
    Infisical

    Framework adapters

    Aegis ships adapters for all major AI agent frameworks. One SDK call instruments your entire agent for policy enforcement and audit.

    LangChain
    CrewAI
    AutoGen
    Claude Tool Use
    LlamaIndex
    OpenAI Assistants
    Semantic Kernel

    Heritage Gated Tool

    Coming Soon

    An outbound-only WebSocket gateway for legacy infrastructure that can't accept a sidecar or SDK — SSH, MySQL, MSSQL, PostgreSQL, REST. No firewall changes. No target install.

    Deployment options

    Embedded

    The Aegis SDK ships with a WASM policy bundle baked into the agent container. No external calls at runtime. Ideal for single-tenant or air-gapped deployments.

    • Single binary
    • Offline-capable
    • Zero external dependencies

    Enterprise Control Plane

    The Aegis SDK connects to a centralized Policy Server with real-time push to agent fleets. Governance console, policy versioning, fleet-wide audit aggregation.

    • Centralized policy management
    • Real-time policy updates
    • Aggregated audit dashboard

    Four weeks. One agent fleet. Real policy, enforcing.

    A bounded pilot with one sponsor and no infrastructure lift — walk away with identity, attestation, and a real authorization layer in production.

    WK 0

    Setup

    Control Panel in your environment. Trust root provisioned. SPIRE Agent rolled to one fleet. No app changes yet.

    WK 1

    Identity

    One initialize() in the pilot agent. Two-layer attestation working end-to-end. Shadow mode — observe only.

    WK 2

    Policy

    Interception live across REST, Shell, MCP. Allow/deny enforced. Audit log streaming. Slack alerts on blocks.

    WK 3

    Callback

    Pre-execution callbacks wired in. App-specific rules enforced. Joint readout + rollout plan for the next two teams.

    Pilot commitment · 4 weeks · 1 sponsor · 1 fleet · no infrastructure lift