Skip to content

Commit bc2a7fc

Browse files
authored
catalogue: io.pilot.aegis v0.1.3 (AEGIS — runtime firewall) (#346)
1 parent 261bdbb commit bc2a7fc

3 files changed

Lines changed: 128 additions & 2 deletions

File tree

Lines changed: 92 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,92 @@
1+
{
2+
"schema_version": 1,
3+
"id": "io.pilot.aegis",
4+
"display_name": "AEGIS",
5+
"tagline": "Runtime firewall for AI agents — blocks prompt injection before your agent reads it",
6+
"description_md": "# AEGIS — runtime firewall for AI agents\n\nAEGIS inspects untrusted content reaching your agent — inbox messages, tool results, web fetches, MCP responses, skill files, memory notes — and blocks **prompt injection, jailbreaks, and impersonation** before the agent ever sees it. Genuine status messages pass straight through.\n\n## How it works\n\nTwo layers. **L1** is Aho-Corasick pattern matching in pure Rust — microseconds, ~120 known attack families with homoglyph and leetspeak normalization and a sliding-window scan. **L2** is an optional local Qwen3-1.7B judge via llama.cpp — fully offline, no network. On a held-out labeled set: **90% recall, 95% precision, 92% F1**. An 880 KB binary with an HMAC-chained audit log at `~/.aegis/audit.jsonl`.\n\n## Using it\n\n- `aegis.scan \u003cpath\u003e` — one-shot scan of a file or directory.\n- `aegis.exec {\"args\":[\"scan-cmd\"],\"stdin\":...}` — the PreToolUse blocking gate (exit 0 allow / 2 block).\n- `aegis.exec {\"args\":[\"scan-result\"],\"stdin\":...}` — the PostToolUse non-blocking check (warns).\n- `aegis.status` / `aegis.targets` / `aegis.config` — audit log, protected surfaces, and configuration.\n\nThe L2 judge model (~1.8 GB) is optional — L1 patterns work without it.",
7+
"vendor": {
8+
"name": "Pilot Protocol",
9+
"url": "https://aegis.pilotprotocol.network",
10+
"contact": "apps@pilotprotocol.network",
11+
"publisher_pubkey": "ed25519:+nt58BA0gpPYuyaeG2GwfTI79j8IHP+zra5GvRQv0N0="
12+
},
13+
"homepage": "https://aegis.pilotprotocol.network",
14+
"source_url": "https://github.com/pilot-protocol/aegis",
15+
"license": "MIT",
16+
"categories": [
17+
"security",
18+
"firewall",
19+
"guardrail"
20+
],
21+
"keywords": [
22+
"security",
23+
"firewall",
24+
"prompt-injection",
25+
"jailbreak",
26+
"guardrail",
27+
"defense",
28+
"offline"
29+
],
30+
"size": {
31+
"bundle_bytes": 5351198,
32+
"installed_bytes": 9621928
33+
},
34+
"compat": {
35+
"min_pilot_version": "1.0.0",
36+
"runtimes": [
37+
"go"
38+
]
39+
},
40+
"methods": [
41+
{
42+
"name": "aegis.scan",
43+
"summary": "One-shot scan of one or more files or directories for prompt injection, jailbreaks, homoglyph/leetspeak obfuscation, and impersonation. Returns the verdict per path. This is `aegis scan \u003cpath\u003e...`."
44+
},
45+
{
46+
"name": "aegis.status",
47+
"summary": "Tail the HMAC-chained audit log of recent verdicts. This is `aegis status`."
48+
},
49+
{
50+
"name": "aegis.targets",
51+
"summary": "List the agent surfaces AEGIS is protecting (inbox, tool results, skill files, memory, ...). This is `aegis targets`."
52+
},
53+
{
54+
"name": "aegis.config",
55+
"summary": "Show the effective AEGIS configuration (rules, thresholds, watch targets). This is `aegis config`."
56+
},
57+
{
58+
"name": "aegis.version",
59+
"summary": "Print the AEGIS version. This is `aegis version`."
60+
},
61+
{
62+
"name": "aegis.exec",
63+
"summary": "Run any AEGIS subcommand with a verbatim argv — the full surface beyond the curated methods. Payload is {\"args\":[\u003csubcommand\u003e, ...]} with optional {\"stdin\":\"...\"}. This is how you use the blocking gates: the PreToolUse gate {\"args\":[\"scan-cmd\"],\"stdin\":\"{\\\"tool_input\\\":{\\\"command\\\":\\\"...\\\"}}\"} exits 0 (allow) or 2 (block); the PostToolUse gate {\"args\":[\"scan-result\"],\"stdin\":\"{...}\"} warns without blocking. Also reaches init/daemon/install-models/install-hooks."
64+
},
65+
{
66+
"name": "aegis.help",
67+
"summary": "Print the AEGIS usage and subcommand list. This is `aegis --help`."
68+
},
69+
{
70+
"name": "aegis.help",
71+
"summary": "Discovery: every method with params, kind, and latency class."
72+
}
73+
],
74+
"changelog": [
75+
{
76+
"version": "0.1.3",
77+
"notes": [
78+
"Released v0.1.3"
79+
]
80+
}
81+
],
82+
"links": [
83+
{
84+
"label": "Source",
85+
"url": "https://github.com/pilot-protocol/aegis"
86+
},
87+
{
88+
"label": "Website",
89+
"url": "https://aegis.pilotprotocol.network"
90+
}
91+
]
92+
}

catalogue/catalogue.json

Lines changed: 35 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
{
22
"version": 2,
3-
"updated_at": "2026-06-30T00:00:00Z",
3+
"updated_at": "2026-07-02T00:00:00Z",
44
"apps": [
55
{
66
"id": "io.pilot.wallet",
@@ -384,6 +384,40 @@
384384
"metadata_url": "https://raw.githubusercontent.com/pilot-protocol/pilotprotocol/main/catalogue/apps/io.pilot.redis/metadata.json",
385385
"metadata_sha256": "7a2737afad2fe994f5deee9810557650727d5dd43c69e0f4018ea04a4fe14961",
386386
"publisher": "ed25519:QXvscnyXJ5L/Bmy7oCo5dPC1HrEOGa7WFWBfH5ktejM="
387+
},
388+
{
389+
"id": "io.pilot.aegis",
390+
"version": "0.1.3",
391+
"description": "AEGIS 0.1.3 — a runtime firewall for AI agents (native CLI): scan files, commands, and tool results for prompt injection, jailbreaks, homoglyph/leetspeak obfuscation, and impersonation before your agent acts on them. L1 Aho-Corasick patterns plus an optional local Qwen3-1.7B judge, fully offline; an 880 KB binary. The scan-cmd/scan-result blocking gates run via aegis.exec (allow 0 / block 2); plus aegis.scan / status / targets / config.",
392+
"display_name": "AEGIS",
393+
"vendor": "Pilot Protocol",
394+
"license": "MIT",
395+
"source_url": "https://github.com/pilot-protocol/aegis",
396+
"bundle_url": "https://pub-f09f9a4ea848491198d48e329ba030e3.r2.dev/bundles/io.pilot.aegis/0.1.3/io.pilot.aegis-0.1.3-linux-amd64.tar.gz",
397+
"bundle_sha256": "ae40da40610e3d57fccb90365c7ccc45f64b7baa93b5eb7baa9b233003513eb6",
398+
"bundle_size": 5351198,
399+
"bundles": {
400+
"linux/amd64": {
401+
"bundle_url": "https://pub-f09f9a4ea848491198d48e329ba030e3.r2.dev/bundles/io.pilot.aegis/0.1.3/io.pilot.aegis-0.1.3-linux-amd64.tar.gz",
402+
"bundle_sha256": "ae40da40610e3d57fccb90365c7ccc45f64b7baa93b5eb7baa9b233003513eb6"
403+
},
404+
"linux/arm64": {
405+
"bundle_url": "https://pub-f09f9a4ea848491198d48e329ba030e3.r2.dev/bundles/io.pilot.aegis/0.1.3/io.pilot.aegis-0.1.3-linux-arm64.tar.gz",
406+
"bundle_sha256": "ad2b5c81feca75fee144b995f857b208d2cd4d772ede2e06fea6b94b02074bed"
407+
},
408+
"darwin/arm64": {
409+
"bundle_url": "https://pub-f09f9a4ea848491198d48e329ba030e3.r2.dev/bundles/io.pilot.aegis/0.1.3/io.pilot.aegis-0.1.3-darwin-arm64.tar.gz",
410+
"bundle_sha256": "e582c8e72d2024794d635fe23a1216cd83ee0fe6daabc462a84f5eddd4c1e65f"
411+
}
412+
},
413+
"categories": [
414+
"security",
415+
"firewall",
416+
"guardrail"
417+
],
418+
"metadata_url": "https://raw.githubusercontent.com/pilot-protocol/pilotprotocol/main/catalogue/apps/io.pilot.aegis/metadata.json",
419+
"metadata_sha256": "ca71da633a5608af201ba08409f4376c672d92fa6adc570c41d409d51967ffc3",
420+
"publisher": "ed25519:+nt58BA0gpPYuyaeG2GwfTI79j8IHP+zra5GvRQv0N0="
387421
}
388422
]
389423
}

catalogue/catalogue.json.sig

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
LicyGN5duHpCvoe6NzRKZzzZKKJcKjgE8Vbuv9R13vsqdHcJAzSP0LJTMlA6p3ZDRebdEJe6JRCo/7VJa8qBCQ==
1+
jRQC6FndHZ2Y3E6yUFAyqsoqfnvGlpTGjo9XgPHaumh4Dqo5B2AyUcZlpTEmh/aoQrZBjb3iuazehdJiZQnoDw==

0 commit comments

Comments
 (0)