# Aegis — AI Agent Governance

> Policy-based governance for AI agent tool calls. YAML policy, approval gates, audit logging.

- **Type:** MCP server
- **Install:** `agentstack add mcp-acacian-aegis`
- **Verified:** Pending review
- **Seller:** [Acacian](https://agentstack.voostack.com/s/acacian)
- **Installs:** 0
- **Category:** [AI & ML](https://agentstack.voostack.com/c/ai-and-ml)
- **Latest version:** 0.1.6
- **License:** MIT
- **Upstream author:** [Acacian](https://github.com/Acacian)
- **Source:** https://github.com/Acacian/aegis
- **Website:** https://acacian.github.io/aegis/

## Install

```sh
agentstack add mcp-acacian-aegis
```

Requires the [AgentStack CLI](https://agentstack.voostack.com/docs/cli). Works with Claude Code, Cursor, and any MCP-compatible agent.

## About

**Agent-Aegis**

The governance layer for AI agents. One API, 12 frameworks, every governance primitive.

Aegis is to agent governance what Redis is to data structures — one runtime that unifies prompt-injection blocking, PII masking, policy enforcement, trust delegation, and tamper-evident audit across every agent framework. No code changes.

`pip install agent-aegis` → `aegis.auto_instrument()` → 12 frameworks are now governed.


---

## What is Aegis

Every AI agent framework reinvents the same governance primitives — and each one does it slightly differently. Aegis is the abstraction layer that unifies them.

| Layer | What it does | Examples |
|-------|-------------|----------|
| **1. Primitives** | A universal contract for every tool call | `Action`, `ActionClaim`, `Policy`, `Result`, `DelegationChain`, `AuditEvent` |
| **2. Adapters** | Auto-instrument any framework through its own hooks | LangChain callbacks, CrewAI `BeforeToolCallHook`, OpenAI Agents tracing, Google ADK `BasePlugin`, MCP transport, DSPy modules, httpx middleware, Playwright context |
| **3. Governance** | Declarative primitives you compose into policy | Prompt injection / PII / leak / toxicity guardrails, RBAC, rate limit, cost budget, drift detection, anomaly scoring, trust delegation, justification gap, selection audit, Merkle audit chain |
| **4. Lifecycle** | One runtime, every stage of agent ops | Scan → Instrument → Policy CI/CD → Runtime → Proxy → Audit |

```python
import aegis
aegis.auto_instrument()    # 12 frameworks governed. No other code changes.
```

Redis is to in-memory data structures what Aegis is to agent governance: **one library, every primitive, every framework, one API**. You don't write a LangChain guardrail and a CrewAI guardrail and an OpenAI guardrail — you write one `Policy` and every framework inherits it.

---

## Primitives

The contract every adapter maps into. Framework-agnostic by design.

| Primitive | Purpose | Module |
|-----------|---------|--------|
| **`Action`** | Unified representation of any tool / LLM / HTTP / MCP call across all frameworks | `aegis.core.action` |
| **`ActionClaim`** | Tripartite structure — Declared (agent-authored) / Assessed (Aegis-computed) / Chain (delegation) | `aegis.core.action_claim` |
| **`Policy`** | Declarative YAML rules: match → risk → approval (`auto` / `approve` / `block`) | `aegis.core.policy` |
| **`ClaimPolicy`** | Policy layer that evaluates 6-dimensional impact vectors, not just tool names | `aegis.core.claim_policy` |
| **`Guardrails`** | Deterministic regex checks for injection, PII, prompt leak, toxicity — 2.65ms cold / 0.15) or block (>0.40). | Name "ActionClaim" from [COA-MAS (Carvalho)](https://arxiv.org/abs/2401.05064); 6D metric + runtime form original |
| **Selection Governance** | Audits what agents *exclude*, not just what they choose. A model that "helpfully" omits risky options is exerting selection power — Aegis detects this. | [Santander et al., arXiv:2602.14606](https://arxiv.org/abs/2602.14606) |
| **Monotone Trust Constraint** | Delegated agents cannot escalate their own authority. Trust levels must be non-increasing along the chain — violations auto-block. | Lattice-based access control |
| **Full Lifecycle** | Scan (detect) → Instrument (protect) → Policy CI/CD (test) → Runtime (govern) → Proxy (gateway) → Audit (trace). One library, one `pip install`. | — |
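
The monotone trust constraint listed above, sketched as an added example (this is not Aegis code, and `Trust`, `Hop` and `first_escalation` are hypothetical names). It generalizes the integer trust level to a small lattice of level plus scope set, and checks each hop against its immediate delegator, because a check against the root alone would miss re-escalation further down the chain.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """Hypothetical authority value: a numeric level plus a set of scopes."""
    level: int
    scopes: frozenset

    def __le__(self, other):
        # Partial order on the product lattice: both components must not grow.
        return self.level <= other.level and self.scopes <= other.scopes


@dataclass(frozen=True)
class Hop:
    agent: str
    trust: Trust


def first_escalation(chain):
    """Return the index of the first hop whose trust exceeds (or is
    incomparable with) its delegator's, or None if the chain is monotone."""
    for i in range(1, len(chain)):
        if not chain[i].trust <= chain[i - 1].trust:
            return i  # a governance layer would block at this hop
    return None


def t(level, *scopes):
    return Trust(level, frozenset(scopes))


# Constructed chains for illustration.
MONOTONE = [Hop("root", t(3, "read", "write", "refund")),
            Hop("planner", t(2, "read", "refund")),
            Hop("worker", t(1, "read"))]
# worker stays below root but regains what planner gave up.
RE_ESCALATED = [Hop("root", t(3, "read", "write")),
                Hop("planner", t(1, "read")),
                Hop("worker", t(2, "read", "write"))]
# Lower level but an extra scope: incomparable, so not <=.
INCOMPARABLE = [Hop("root", t(3, "read", "write")),
                Hop("planner", t(2, "read")),
                Hop("worker", t(1, "read", "write"))]

if __name__ == "__main__":
    for chain in (MONOTONE, RE_ESCALATED, INCOMPARABLE):
        print(first_escalation(chain))
```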

---

## CLI

```bash
aegis scan ./src/                       # Detect ungoverned AI calls
aegis score ./src/ --policy policy.yaml # Governance score (0-100)
aegis init                              # Generate starter policy
aegis validate policy.yaml              # Validate syntax
aegis plan current.yaml proposed.yaml   # Preview policy changes
aegis test policy.yaml tests.yaml       # Policy regression testing
aegis audit                             # View audit log
aegis serve policy.yaml                 # REST API + dashboard
aegis probe policy.yaml                 # Adversarial policy testing
aegis autopolicy "block deletes"        # Natural language → YAML
```

## Research

Original measurements on public agent trace datasets. Stdlib-only, reproducible in 30 seconds.

- [**The Justification Gap in 14,285 Tau-Bench Tool Calls**](https://acacian.github.io/aegis/research/tripartite-action-claim/) — Formal definition of the Tripartite ActionClaim with a silent-baseline empirical study. 90.3% approve / 9.7% escalate / 0% block across four model:domain groups. Airline domain exposes ~2× the mean gap of retail. Includes soundness sketches for the three structural invariants and an honest note on the `max`-only override limitation discovered during the study.
- [**Tool Distribution Drift in 1,960 Tau-Bench Trajectories**](https://acacian.github.io/aegis/research/tau-bench-tool-distribution-drift/) — Shannon entropy on tool name sequences across GPT-4o and Sonnet 3.5 New. 39.8% of scored trajectories collapse onto one or two tools by the end. Bimodal distribution, 1.7× cross-model gap. All scripts and raw data included.

Run the same signal on your own trace:

```bash
aegis check drift --trace path/to/trace.jsonl
```

The CLI reads only the `tool_name` field — never args, CoT, or prompts — so enterprise users can score prod traces without exfiltrating PII.
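
An added sketch of the signal described in this section, not the `aegis check drift` implementation: Shannon entropy over tool-name sequences, reading only `tool_name` from each JSONL record. The window size, the "one or two tools" cutoff and the minimum length for scoring are assumptions, and the trace is constructed.

```python
import json
import math
from collections import Counter

# Constructed trace: args are present only to show they are never read.
_CALLS = ["search_orders", "get_user", "get_order", "search_orders",
          "get_order", "refund", "get_user", "refund",
          "refund", "refund", "refund", "refund"]
SAMPLE_TRACE = [json.dumps({"tool_name": t, "args": {"email": "a@example.com"}})
                for t in _CALLS]
SAMPLE_TRACE.insert(3, "{not json")                    # truncated line
SAMPLE_TRACE.insert(7, json.dumps({"event": "note"}))  # record with no tool_name


def tool_names(lines):
    """Return tool_name values in order; every other field is discarded."""
    names = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        name = record.get("tool_name") if isinstance(record, dict) else None
        if isinstance(name, str):
            names.append(name)
    return names


def shannon_entropy(names):
    """Entropy in bits of the empirical tool distribution."""
    counts = Counter(names)
    total = len(names)
    return sum(c / total * math.log2(total / c) for c in counts.values())


def drift_report(lines, window=4, max_tools=2):
    """Compare the first and last `window` calls of one trajectory."""
    names = tool_names(lines)
    if len(names) < 2 * window:  # too short to compare head and tail
        return {"scored": False, "calls": len(names)}
    head, tail = names[:window], names[-window:]
    h_head, h_tail = shannon_entropy(head), shannon_entropy(tail)
    return {"scored": True, "calls": len(names),
            "head_entropy": h_head, "tail_entropy": h_tail,
            "collapsed": len(set(tail)) <= max_tools and h_tail < h_head}


if __name__ == "__main__":
    print(drift_report(SAMPLE_TRACE))
```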

## Documentation

Full documentation at **[acacian.github.io/aegis](https://acacian.github.io/aegis/)**:

- [Integration guides](https://acacian.github.io/aegis/) — LangChain, CrewAI, OpenAI, MCP, and more
- [Policy reference](https://acacian.github.io/aegis/) — conditions, templates, best practices
- [Security features](https://acacian.github.io/aegis/) — guardrails, anomaly detection, compliance
- [Architecture](ARCHITECTURE.md) — how the codebase is structured
- [Interactive playground](https://acacian.github.io/aegis/playground/) — try in browser, no install

## Contributing

```bash
git clone https://github.com/Acacian/aegis.git && cd aegis
make dev      # Install deps + hooks
make test     # Run tests
make lint     # Lint + format check
```

[Contributing Guide](CONTRIBUTING.md) • [Good First Issues](https://github.com/Acacian/aegis/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) • [Open in GitHub Codespaces](https://codespaces.new/Acacian/aegis)

## License

MIT -- see [LICENSE](LICENSE) for details.

Copyright (c) 2026 구동하 (Dongha Koo, [@Acacian](https://github.com/Acacian)). Created March 21, 2026.


## Source & license

This open-source MCP server is cataloged on AgentStack and links to its original source — we do not rehost the code.

- **Author:** [Acacian](https://github.com/Acacian)
- **Source:** [Acacian/aegis](https://github.com/Acacian/aegis)
- **License:** MIT
- **Homepage:** https://acacian.github.io/aegis/

Install and usage instructions live in the source repository linked above.

## Pricing

- **Free** — Free

## Versions

- **0.1.6** — security scan: flagged — Imported from the upstream source.

## Links

- Listing page: https://agentstack.voostack.com/l/mcp-acacian-aegis
- Seller: https://agentstack.voostack.com/s/acacian
- Browse the marketplace: https://agentstack.voostack.com/browse

