01
Instruction/data boundary
Instructions come only from you. Everything the agent reads — files, web pages, tickets — is untrusted data and is never executed, no matter what it says. Injection attempts are flagged and quoted back.
CIARUSTCODE · by Consultancy in Action
AEGIS runs the AI inside a mandatory safety kernel. Every file edit, command and network call is classified, consented, sandboxed — and written to a tamper-evident ledger you can verify later. Local-first at $0, or bring your own key to any provider.
Our guardrailed, provider-agnostic agentic coding tool, at a glance
Approach
Safety as architecture
The agent runs inside a Rust safety kernel it structurally cannot bypass — not a prompt, not a plugin.
Cost
$0 to run locally
Any local Ollama model at zero token cost, or bring your own key to any cloud provider at raw rates.
Proof
A tamper-evident ledger
Every action is hash-chained and signed, so you can verify exactly what ran — even offline.
Why AEGIS exists
It edits files, runs commands, reads secrets, calls the network and installs dependencies — on the machine where your real work lives. Every leading tool treats that risk as a UX problem: a confirmation prompt bolted onto an agent that otherwise has the full reach of your user account.
We wanted the opposite for our own client work: an agent we could point at a real repository and still prove, afterwards, exactly what it did — with destructive actions, secret exfiltration and prompt injection structurally prevented, not politely discouraged.
The model may be wrong, manipulated, or adversarially steered — and the human must remain in control regardless.
So the guardrails aren't a prompt. They're a Rust safety kernel the agent physically cannot bypass: the agent core holds no syscall capability of its own — it can only submit typed intents to the broker.
How it works
Host system
filesystem · network · processes · secrets
Aegis Layer — safety kernel
intent ↓ result ↑policy engine · sandbox broker · consent gateway · secrets firewall · audit ledger · kill switch
Agent core
reasoning loop · edit engine · provider abstraction — emits intents only
LLM
local Ollama or cloud BYOK — no direct I/O, ever
The model proposes. It can't touch anything — it emits a typed intent: read, apply_diff, run, net_fetch…
Policy classifies. Each intent lands in a tier: Auto Confirm Forbidden — from a YAML policy file you version-control.
You consent, per action. Confirm-tier intents pause with the exact diff or command. One approval never generalises.
The sandbox executes. Commands run under an OS sandbox — writes confined to the project, network denied by default, outbound payloads scanned for secrets.
The ledger remembers. Every event is appended to a hash-chained, signed ledger. Verify it any time →
Watch it work
Recorded against a local Ollama model — total model cost $0.00. The agent reads the code
(Auto tier), proposes a diff (Confirm tier — the kernel pauses for a keypress), runs the tests
inside the sandbox, then ciarustcode verify checks the session's hash chain.
The ten principles
Each principle maps to a named module in the kernel, and each is exercised by the kernel test suite — 78 tests on the safety layer alone.
01
Instructions come only from you. Everything the agent reads — files, web pages, tickets — is untrusted data and is never executed, no matter what it says. Injection attempts are flagged and quoted back.
02
The agent starts with zero capabilities. Reads and writes are bounded to the project directory; your home folder, system directories and credential stores are structurally out of reach.
03
Every action is classified Auto, Confirm, or Forbidden before it runs. Consent is per-action and per-session — one approval never generalises.
04
Commands run inside an OS sandbox (macOS Seatbelt): writes confined to the project tree, network denied by default.
05
One keystroke halts everything. A dead-man's checkpoint forces re-authorisation past a step or spend threshold. The agent cannot disable the layer.
06
Secrets live in a vault the agent core cannot read. Every outbound payload is scanned; a leaked key is blocked before it leaves the machine.
07
Refuses to knowingly produce malware, exploits, or credential harvesters — as auditable rules in the policy engine, not a black box.
08
Every intent, decision, consent, diff, command and network call is appended to a hash-chained, Ed25519-signed ledger. Tampering breaks the chain and is detectable.
09
Hard per-session and per-day spend caps, max steps, max files, max wall-clock — enforced by the broker, with a live cost meter in the UI.
10
Dependency installs require pinned versions and explicit confirmation; post-install scripts run sandboxed under the same egress rules.
Receipts, not vibes
182
tests, 0 clippy warnings
78 dedicated to the safety kernel alone
16/16
red-team bypasses fixed
31 candidates surfaced, 16 confirmed real, all fixed with regression tests
$0
to run fully local
any Ollama model; BYOK cloud keys at raw provider rates, no markup
~24k
lines of Rust, 7 crates
one auditable workspace, one binary
We attacked it the way an adversary would — shell-wrapped commands, egress host-confusion, ledger tampering, injection-laced files, autonomy runaway. 31 candidate bypasses surfaced; 16 were confirmed real; all 16 were fixed with regression tests pinning them shut.
Then we published the receipts. See how you verify a session yourself →
It gets better as you use it
AEGIS can review its own sessions and propose skills and memories — but writing them is a kernel-gated intent like any other. You approve or reject every proposal, a weekly curator consolidates the library, and the journal records the lot.
How it compares
Local-first with no API key required, and a safety layer that is mandatory and architectural rather than optional and bolted-on.
| AEGIS / CIARUSTCODE | The field, typically | |
|---|---|---|
| Safety layer | Mandatory kernel: typed intents, OS sandbox, egress + secrets firewall, hash-chained ledger, kill switch | Permission prompts bolted onto an agent with full user privilege; no audit trail |
| Local / offline | Local-first by default — any Ollama model, $0 per token, air-gap mode with signed proof | Cloud-first; local models unsupported or second-class |
| Cost | Free tool. $0 local, or BYOK at raw provider rates — no platform markup, no bill shock | $10–$200/month plans, metered credits on top |
| Prove what ran | verify / replay / usage / attest — a cryptographic record you can hand to a client or auditor | Chat scrollback, if you saved it |
| Provider lock-in | Anthropic, OpenAI, OpenRouter, Groq, Google, or any OpenAI-compatible endpoint — switch per call | One vendor's models, one vendor's pricing |
Field = the leading agentic coding tools as of mid-2026 (Claude Code, OpenAI Codex, Cursor, GitHub Copilot, Replit Agent, OpenCode). Each is excellent at what it optimises for — none ships a mandatory, architecturally-enforced guardrail layer. That is the whole point of AEGIS.
The honest trust model
We assume the model may be wrong, manipulated, or adversarially steered — and design so you stay in control regardless. The honest split: the sandbox, scope, egress firewall and ledger contain the agent; the scanners are tripwires that catch things early. Security claims you can audit, not vibes.
Any tool that tells you its injection scanner is bulletproof is selling you something. Ours is a tripwire in front of a wall — the wall is the sandbox, the scope and the egress firewall.
Questions
A guardrailed, provider-agnostic agentic coding tool built in Rust. The agent runs inside a mandatory safety kernel — the Aegis Layer — which classifies, consents, sandboxes and logs every action. There is no path from the model to your machine that bypasses it.
Yes — AEGIS is local-first. It runs any Ollama model at $0 per token, fully private, and has an air-gap mode that refuses all network egress and records signed proof that nothing left the machine. Cloud models work too, via your own API keys at raw provider rates.
Those tools bolt safety on as permission prompts around an agent that otherwise runs with your full user privilege. In AEGIS the safety layer is the architecture: the agent core has no syscall capability at all — it can only submit typed intents to a broker that enforces policy, sandboxing, a secrets firewall and a tamper-evident audit ledger.
Yes. Every intent, decision, diff, command and network call is written to an append-only, hash-chained, Ed25519-signed ledger. ciarustcode verify checks the chain, replay prints the full transcript, usage summarises cost and egress, and attest exports a portable signed proof bundle you can verify offline.
Private preview
AEGIS is in private preview while we harden it on our own client work. Leave an email and we'll send one message when early access opens — or talk to Consultancy in Action about a guarded-agent engagement now.