Aegis Overview
Deterministic action validation control plane — the write plane
Aegis is the write plane of the Pramiti platform. It validates every proposed agent action against business rules before execution, returning a deterministic verdict with a cryptographically signed attestation record. Aegis operates on the assumption that the LLM will be compromised — enforcement is external, deterministic, and at the action layer.
Architecture
Aegis consists of these components:
- Policy Decision Point — The core evaluation pipeline producing ALLOW/DENY/REWRITE/ESCALATE verdicts
- Constraint Engine — JSON predicates (auto-tier) and SHACL shapes (formal-tier) for business rules
- Target Model — Semantic classification of tools and blast radius computation
- Attestation Store — Immutable, Ed25519-signed decision records
- SIEM Integration — OCSF mapping and delivery to Splunk, Sentinel, and other SIEMs
- Connection Manager — Downstream MCP server lifecycle and schema merging
- Reasoning Engine — Pluggable evaluator registry and safe rewrite engine
- Intake — Action surface adapters for MCP, OpenAPI, and FHIR SMART
How It Works
When an agent proposes an action:
- The MCP Gate intercepts the tool call and resolves agent identity
- The Tool Classifier determines if this is a read (pass-through) or write (evaluate) action
- The Policy Engine evaluates workspace-scoped constraints against the action payload
- The Impact Engine computes blast radius (what downstream systems are affected)
- The Attestation Store records the decision with an Ed25519 signature
- The SIEM Enqueue writes delivery rows for each active SIEM destination
- The verdict is returned: ALLOW (execute), DENY (block), REWRITE (modify and execute), or ESCALATE (human review)
Dependencies
| Dependency | Required | Purpose |
|---|---|---|
| PostgreSQL | Yes | Constraints, attestations, connections, policies |
| Oxigraph | No | Not required for Aegis |
| LLM | No | Not required for Aegis |
Aegis is deliberately PostgreSQL-only to keep the security-critical path simple and auditable.
Verdicts
| Verdict | Action | When |
|---|---|---|
| ALLOW | Execute the action | All constraints pass |
| DENY | Block the action | One or more constraints fail |
| REWRITE | Modify payload, then execute | Constraints define safe transformations (cap values, mask fields) |
| ESCALATE | Queue for human review | Constraints flag the action as requiring human approval |