# AEGIS self-review commands — the audit surface

> AEGIS (CIARUSTCODE) is a guardrailed agentic coding tool by Consultancy in Action.
> The agent runs inside a mandatory Rust safety kernel; every intent, decision,
> consent, diff, command and network call is appended to a ledger that is
> **append-only, hash-chained and Ed25519-signed**. The agent cannot write to it,
> read it, or reach around it — its write scope structurally denies `.aegis/`.
>
> These four commands turn that record into answers. This file is free to share.
> More: https://consultancyinaction.tech/prove

---

## 1 · `ciarustcode verify` — is the record intact?

Re-computes the hash chain from entry #0 and checks every signature. Any edit,
deletion or reordering of any entry breaks the chain — and `verify` exits
non-zero, so you can gate CI on it.

```
$ ciarustcode verify
✓ ledger intact: 435 entries, hash chain verified (.aegis/ledger.log)
✓ signatures valid: 435/435 entries signed
  device identity: b2edec4f…08fcd0d
  ⚠ self-reported — pass --device <hex> to authenticate it
```

- `--device <hex>` pins the expected device public key, authenticating *who*
  wrote the ledger, not just that it's internally consistent.
- **When:** after any session you care about, in CI after agent jobs, before
  trusting a ledger someone hands you.

## 2 · `ciarustcode replay` — what exactly happened?

Prints the full transcript from the ledger: one timestamped JSON event per line.
Session start (with the operator's task and model), every model egress with byte
counts, every intent with the policy rule that classified it, every execution,
every consent decision, every signed checkpoint.

```
$ ciarustcode replay
── Session replay: .aegis/ledger.log (435 entries, chain OK) ──
#0  2026-06-24T22:47:57  {"event":"session_key_declared","session_pub":"e181…"}
#1  2026-06-24T22:47:57  {"event":"session_start","operator_task":"…","mode":"headless"}
#3  2026-06-24T22:48:01  {"event":"intent_proposed","verb":"read","tier":"auto",
                          "reason":"verb `read` is classified AUTO by policy"}
#4  2026-06-24T22:48:01  {"event":"intent_executed","summary":"list crates/…"}
```

- **When:** post-incident review, reviewing the agent's process like you'd
  review its code, or understanding why policy denied something.

## 3 · `ciarustcode usage` — what did it cost, where did data go?

Aggregates the ledger into totals: sessions, steps, model calls, prompt egress
(bytes → tokens), estimated cost (local models = $0), refused/denied count, a
histogram of **every network host contacted**, and intents by verb.

```
$ ciarustcode usage
CIARUSTCODE usage — .aegis/ledger.log
  integrity:      ✓ hash chain verified
  sessions:       7        steps (total):  74
  model calls:    82       prompt egress:  4212 KB (~1,078,370 tokens)
  est. cost:      $0.0000  (local models = $0)
  refused/denied: 59
  egress hosts:
      82  localhost:11434
```

- If a host you don't recognise ever appears in that list, you'll see it here
  first. Deny-by-default egress means it should never happen.
- **When:** weekly cost/egress reviews; the honest answer to "what has this
  agent been doing on this repo?"

## 4 · `ciarustcode attest` — prove it to someone else

Exports a **portable signed proof bundle**: hashes of every changed file plus
the complete egress manifest, signed with the device key. Anyone can verify it
later, offline, without access to your machine.

```
$ ciarustcode attest --out proof.json
✓ wrote signed proof bundle: proof.json (0 files, 82 egress entries, chain verified)

$ ciarustcode attest --verify proof.json
  files:   0 changed
  egress:  82 entries
  signature: VALID ✓
  chain: VERIFIED
```

- `--device <hex>` pins the expected signer — a forged-identity bundle is
  rejected outright. Pass `--ledger` to re-verify the chain claim.
- **When:** hand it to a client, auditor or regulator as evidence of exactly
  what an agent engagement did — and didn't do.

---

## The CI recipe

```bash
# Run a task headless with pre-declared consent, then gate on integrity:
ciarustcode run --headless --approve apply_diff,run_command "fix the failing test"
ciarustcode verify || exit 1          # broken chain fails the pipeline
ciarustcode attest --out proof.json   # archive the evidence with the build
```

## Why you can trust the record (threat model, short form)

1. **Hash chain** — every entry contains the previous entry's hash; any change
   breaks every hash after it.
2. **Ed25519 signatures** — per-session keys are declared and signed by a
   per-device key; signed checkpoints seal the chain tip. A rebuilt fake ledger
   fails signature verification.
3. **Kernel-side scope** — the ledger path is denied to the agent's write scope.
   The process that could lie about the record never gets a pen.

---

*AEGIS is in private preview. Early access: https://consultancyinaction.tech —
built by Consultancy in Action (https://consultancyinaction.com).*
