Policy Decision Point
ALLOW, DENY, REWRITE, ESCALATE — the core evaluation pipeline
The Policy Decision Point (PDP) is the core of Aegis. It evaluates every proposed agent action against workspace-scoped constraints and returns a deterministic verdict.
How It Works
AegisRouter (router.py)
The AegisRouter class is the top-level orchestrator:
- Parses the namespaced tool name (e.g., salesforce.update_contact)
- Resolves the workspace and agent identity
- Calls the policy engine to evaluate constraints
- Records an attestation for every decision
- Routes allowed calls to the downstream server
Evidence classification (_classify_evidence()) determines the quality of evidence used for the decision — higher-quality evidence (steward-confirmed constraints) produces higher-confidence verdicts.
AegisPolicyEngine (policy_engine.py)
The AegisPolicyEngine evaluates workspace-scoped constraints:
The policy engine supports:
- 10 comparison operators: eq, neq, gt, gte, lt, lte, in, not_in, regex, glob
- Compound logic: all (AND) and any (OR) combinators
- Dot-notation field access: arguments.amount, arguments.contact.email
- Value references: value_ref for dynamic constraint values
- Glob matching: Tool name patterns like salesforce.* or *.delete_*
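One way to evaluate constraints with these features, as an added example that is not Aegis's own code. The constraint schema (tool, when, field, op, value, verdict keys), the first-match ordering, the fail-closed error handling and the default ALLOW are assumptions made for illustration.

```python
import fnmatch
import re

# The 10 operators listed above; value_ref is not modelled in this example.
OPS = {
    "eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
    "gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
    "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b,
    "in": lambda a, b: a in b, "not_in": lambda a, b: a not in b,
    "glob": lambda a, b: fnmatch.fnmatchcase(str(a), b),
    # Unbounded here; the page says the engine caps regex evaluation at 1 second.
    "regex": lambda a, b: re.fullmatch(b, str(a)) is not None,
}

def get_field(call, path):
    """Resolve a dot-notation path such as 'arguments.contact.email'."""
    node = call
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise LookupError(path)  # missing field: let the caller fail closed
        node = node[key]
    return node

def matches(cond, call):
    """Evaluate a condition tree: 'all' is AND, 'any' is OR, else one comparison."""
    if "all" in cond:
        return all(matches(c, call) for c in cond["all"])
    if "any" in cond:
        return any(matches(c, call) for c in cond["any"])
    return OPS[cond["op"]](get_field(call, cond["field"]), cond["value"])

def evaluate(constraints, call):
    """First constraint whose tool glob and condition both match decides the verdict."""
    for c in constraints:
        try:
            if fnmatch.fnmatchcase(call["tool"], c["tool"]) and matches(c["when"], call):
                return c["verdict"]
        except (LookupError, TypeError):
            return "DENY"  # assumption: missing field, bad type or unknown op fails closed
    return "ALLOW"  # assumption: no matching constraint means pass-through

# Constructed sample policy using the hypothetical schema.
SAMPLE = [
    {"tool": "*.delete_*", "verdict": "ESCALATE",
     "when": {"field": "arguments.confirmed", "op": "neq", "value": True}},
    {"tool": "salesforce.*", "verdict": "DENY", "when": {"any": [
        {"field": "arguments.amount", "op": "gt", "value": 10000},
        {"field": "arguments.contact.email", "op": "regex", "value": r".*@example\.org"}]}},
]
```

Failing closed matters here: a call that omits arguments.amount, or sends it as a string, is denied rather than slipping past the comparison.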
AegisMCPGate (mcp_gate.py)
The enforcement point for MCP tool calls. Every tool call passes through the gate:
- Resolves agent identity from headers (extract_agent_identity())
- Calls the policy engine for evaluation
- Handles REWRITE verdicts by applying safe transformations
- Records attestations via the attestation store
- Formats tiered error responses (agents get sanitized errors, not internal details)
The GateResult dataclass carries the verdict, modified arguments (for rewrites), and the attestation ID.
Architecture
Configuration
Constraints are managed via the REST API:
Technical Details
- Read actions (determined by the _is_read_action() heuristic and the ToolActionClassifier) are pass-through by default
- Regex evaluation has a 1-second timeout to prevent ReDoS attacks (_eval_regex_with_timeout())
- The gate formats errors with _format_error(), which strips internal details before returning to agents
- All verdicts are recorded — both ALLOW and DENY produce attestation records for audit completeness