[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81833":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":13,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":15,"stars7d":15,"stars30d":15,"stars90d":14,"forks30d":14,"starsTrendScore":16,"compositeScore":17,"rankGlobal":9,"rankLanguage":9,"license":18,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":21,"hasPages":19,"topics":22,"createdAt":9,"pushedAt":9,"updatedAt":23,"readmeContent":24,"aiSummary":25,"trendingCount":14,"starSnapshotCount":14,"syncStatus":15,"lastSyncTime":26,"discoverSource":27},81833,"aegis","mitkox\u002Faegis","mitkox","Aegis- a local zero-trust AI gate for OS and Apps packages",null,"Rust",30,10,1,0,2,6,3.12,"MIT License",false,"main",true,[],"2026-06-12 02:04:20","# Aegis\n\nAegis is a local zero-trust package operation broker. It replaces direct package changes such as `sudo apt upgrade` or `npm install lodash` with deterministic planning, local AI review, deterministic policy, and auditable signed execution plans.\n\n> Status: **0.4.0**. Planning, AI review, plan-bound deterministic policy, Ed25519-signed execution plans, constrained executor (`aegisd`), required-control preflight, structured daemon logging, and verifiable tamper-evident audit logging are implemented. 
Production apply is intentionally conservative: APT is the primary production path; non-APT apply requires pinned\u002Fverified evidence and is denied by default when artifacts are mutable or unverified.\n\nCommand flow:\n\n```text\nUser intent\n-> deterministic analyzer\n-> local model review\n-> deterministic policy decision\n-> signed execution plan\n-> constrained executor (aegisd)\n-> tamper-evident audit log\n```\n\n## Threat Model\n\nAegis assumes package managers, package metadata, maintainer scripts, dependency trees, and model output may all be risky inputs. The goal is to prevent accidental direct mutation, block obvious dangerous package operations, and keep privileged execution behind deterministic controls.\n\nThe local model is only a reviewer. It never receives root privileges, never executes commands, never approves execution, and never generates shell commands that Aegis executes. Deterministic Rust code parses package manager evidence, computes risk signals, and enforces policy.\n\n## Local Model Endpoint\n\nAegis expects an OpenAI-compatible local endpoint:\n\n```text\nBase URL: http:\u002F\u002Flocalhost:8000\u002Fv1\nModel: deepseek-v4-flash\nTemperature: 0\n```\n\nDefaults can be overridden for local deployments:\n\n```bash\nexport AEGIS_AI_BASE_URL=http:\u002F\u002Flocalhost:8000\u002Fv1\nexport AEGIS_AI_MODEL=deepseek-v4-flash\n```\n\nSlow local models can tune review timing without changing policy behavior:\n\n```bash\nexport AEGIS_AI_PREFILL_TOKENS_PER_SEC=330\nexport AEGIS_AI_DECODE_TOKENS_PER_SEC=17\nexport AEGIS_AI_MODEL_STARTUP_ALLOWANCE_SECS=120\nexport AEGIS_AI_REVIEW_TIMEOUT_SECS=600\n```\n\nIf `AEGIS_AI_REVIEW_TIMEOUT_SECS` is unset, Aegis estimates the review timeout\nfrom prompt size, the configured token rates, and a startup allowance. 
Review\nresponses are capped with `AEGIS_AI_MAX_OUTPUT_TOKENS` (default `4096`) to leave\nroom for local reasoning-token overhead while keeping reviews bounded.\nOpenAI-compatible JSON response formatting is used by default; set\n`AEGIS_AI_RESPONSE_FORMAT_JSON=0` if your local endpoint rejects that option.\n\nOne common setup is a vLLM-compatible server exposing the model name above:\n\n```bash\nvllm serve \u003Clocal-or-hf-model-path> \\\n  --host 127.0.0.1 \\\n  --port 8000 \\\n  --served-model-name deepseek-v4-flash\n```\n\nUse the model path and vLLM flags appropriate for your local installation and hardware. Aegis checks `GET http:\u002F\u002Flocalhost:8000\u002Fv1\u002Fmodels` in `aegis doctor`.\n\n## Commands\n\n### Planning (read-only)\n\n```bash\naegis doctor\naegis apt update --plan\naegis apt upgrade --plan\naegis apt install nginx --plan\naegis npm install lodash --plan\naegis pip install requests --plan\naegis docker pull ubuntu:latest --plan\naegis container pull ghcr.io\u002Forg\u002Fimage@sha256:\u003Cdigest> --plan\naegis nuget install Newtonsoft.Json --plan\naegis vscode install ms-python.python --plan\naegis go get github.com\u002Fgin-gonic\u002Fgin@v1.10.0 --plan\naegis cargo install ripgrep --plan\n```\n\n### AI Review and Policy\n\n```bash\naegis review ~\u002F.local\u002Fshare\u002Faegis\u002Fplans\u002F\u003Cplan-id>.json\naegis policy ~\u002F.local\u002Fshare\u002Faegis\u002Fplans\u002F\u003Cplan-id>.json\naegis policy ~\u002F.local\u002Fshare\u002Faegis\u002Fplans\u002F\u003Cplan-id>.json --review ~\u002F.local\u002Fshare\u002Faegis\u002Freviews\u002F\u003Cplan-id>.review.json\n```\n\n### Signed Execution Plans\n\n```bash\naegisctl keygen\naegisctl sign --plan \u003Cplan.json> --policy \u003Cpolicy.json> --key-id \u003Cid> --signer \u003Cidentity>\naegisctl sign --plan \u003Cplan.json> --policy \u003Cpolicy.json> --review \u003Creview.json> --key-id \u003Cid> --signer \u003Cidentity>\naegisctl sign --plan \u003Cplan.json> --policy 
\u003Cpolicy.json> --key-id \u003Cid> --signer \u003Cidentity> --snapshot-id \u003Csnapshot-id>\naegisctl sign --plan \u003Cplan.json> --policy \u003Cpolicy.json> --key-id \u003Cid> --signer \u003Cidentity> --approval-reason \u003Creason> --approval-key-id \u003Capproval-key-id> --approval-secret-key-hex \u003Chex>\naegisctl verify --execution-plan \u003Cexec-plan.json> --public-key-hex \u003Chex> --approval-public-key-hex \u003Chex>\naegisctl apply --execution-plan \u003Cexec-plan.json> --public-key-hex \u003Chex> --approval-public-key-hex \u003Chex>\naegisctl audit-path\naegisctl audit-verify\n```\n\n### Production Daemons\n\n```bash\n# Root execution gate (runs as root with systemd hardening)\naegisd --public-key-hex \u003Chex>\n\n# Unprivileged AI reviewer\naegis-reviewd\n```\n\nDaemon logs are emitted with `tracing` to stderr. Use `RUST_LOG` for filtering\nand `AEGIS_LOG_FORMAT=json` for JSON-formatted service logs:\n\n```bash\nRUST_LOG=info AEGIS_LOG_FORMAT=json aegisd --public-key-hex \u003Chex>\n```\n\n## Development\n\nPrerequisites:\n\n- Rust stable (MSRV 1.85), with `rustfmt` and `clippy`\n- Ubuntu-compatible package tools for the ecosystems you want to inspect\n- Optional local OpenAI-compatible model endpoint for `aegis review`\n\n```bash\ncargo fmt --check\ncargo clippy --all-targets --all-features -- -D warnings\ncargo test\ncargo build --release\n```\n\nOptional local hardening checks:\n\n```bash\npython3 -m pytest tools\u002Fpolicy-helper\u002Ftests\npython3 -m ruff check tools\u002Fpolicy-helper\npython3 -m mypy tools\u002Fpolicy-helper\u002Fsrc\ncargo deny check\ncargo audit\n```\n\nWorkspace layout:\n\n- `aegis-types`: shared serializable plan, policy, review, execution, approval,\n  and audit event types.\n- `aegis-security`: pure deterministic helpers for canonical JSON hashing,\n  target-shape detection, deny-plan construction, and deduplication.\n- `aegis-core`: compatibility facade re-exporting `aegis-types` and\n  `aegis-security`; new 
internal code should depend on the narrower crates.\n\nProduction deployment notes are in `docs\u002FPRODUCTION.md`. The public release\nchecklist is in `docs\u002FOPEN_SOURCE_RELEASE.md`.\n\n## What Planning May Run\n\nAegis uses explicit argv with `std::process::Command`; it does not use a shell.\n\n## Supported Ecosystems And Safety Model\n\n| Ecosystem | Planning behavior | Signed apply argv when policy permits |\n| --- | --- | --- |\n| apt | dry-run with `apt-get -s`; `apt update --plan` describes intended metadata refresh without mutating | `apt-get update`, `apt-get upgrade -y -o Dpkg::Options::=--force-confold`, `apt-get install -y \u003Cvalidated-package>` |\n| npm | metadata with `npm view \u003Cpackage> --json` | `npm install --global --prefix \u002Fvar\u002Flib\u002Faegis\u002Fnpm-global --ignore-scripts --no-audit --no-fund \u003Cvalidated-package>` |\n| pip | metadata\u002Fenvironment with `python3 -m pip index versions` | `python3 -m pip install --disable-pip-version-check --no-input --target \u002Fvar\u002Flib\u002Faegis\u002Fpip-packages \u003Cvalidated-package>` |\n| Docker\u002FPodman | manifest inspect | `docker pull \u003Cvalidated-image>` or `podman --root \u002Fvar\u002Flib\u002Faegis\u002Fpodman\u002Fstorage --runroot \u002Frun\u002Faegis\u002Fpodman pull \u003Cvalidated-image>` |\n| NuGet | metadata\u002Fsearch with `dotnet nuget search` | `nuget install \u003Cvalidated-package> -OutputDirectory \u002Fvar\u002Flib\u002Faegis\u002Fnuget\u002Fpackages -NonInteractive` |\n| VS Code | extension id validation and installed-extension list | `code --install-extension \u003Cvalidated-extension> --user-data-dir \u002Fvar\u002Flib\u002Faegis\u002Fvscode\u002Fuser-data --extensions-dir \u002Fvar\u002Flib\u002Faegis\u002Fvscode\u002Fextensions` |\n| Go | module metadata in a temp cache directory | `go install \u003Cvalidated-module>@\u003Cversion>` with managed `GOPATH`, `GOBIN`, and `GOCACHE` |\n| Cargo | search with `cargo search` | `cargo install --locked 
--root \u002Fvar\u002Flib\u002Faegis\u002Fcargo \u003Cvalidated-crate>` |\n\nFor 0.4.0, deterministic policy denies mutable or unverified non-APT artifacts by default. Container apply requires a digest-pinned image with metadata; Go apply requires an explicit version with checksum database protections. npm, pip, NuGet, VS Code extension, and Cargo production apply remain behind stronger future evidence requirements such as version\u002Fdigest pins, provenance\u002Fsignature checks, vulnerability checks, source\u002Ftarball inspection, or SBOMs.\n\nAllowed planning subprocesses:\n\n- `apt-get -s upgrade`\n- `apt-get -s install \u003Cvalidated-package>`\n- `npm view \u003Cvalidated-package> --json`\n- `python3 -m pip index versions \u003Cvalidated-package>`\n- `python3 -m pip inspect`\n- `docker manifest inspect \u003Cvalidated-image>`\n- `podman manifest inspect \u003Cvalidated-image>`\n- `dotnet nuget search \u003Cvalidated-package>`\n- `code --list-extensions --show-versions`\n- `go env GOSUMDB GOPROXY GOPRIVATE GONOSUMDB`\n- `go list -m -json \u003Cvalidated-module>` from a temp directory under `~\u002F.cache\u002Faegis\u002Ftmp`\n- `cargo search \u003Cvalidated-crate> --limit 5`\n- read-only availability checks for `doctor`\n\nForbidden during planning:\n\n- `sudo`\n- `apt-get upgrade` without `-s`\n- `apt-get install` without `-s`\n- `npm install`\n- `pip install`\n- `docker pull`\n- `podman pull`\n- `dotnet add package`\n- `nuget install`\n- `code --install-extension`\n- `go get`\n- `cargo install`\n- npm lifecycle scripts\n- `curl | bash`\n- model-generated commands\n\nProduction apply is available only through signed execution plans:\n\n```bash\naegis \u003Cecosystem> \u003Coperation> --plan\naegis review \u003Cplan.json>\naegis policy \u003Cplan.json> [--review \u003Creview.json>]\naegisctl sign --plan \u003Cplan.json> --policy \u003Cpolicy.json> [--review \u003Creview.json>] --key-id \u003Cid> --signer \u003Cidentity>\naegisctl verify --execution-plan 
\u003Cexec-plan.json> --public-key-hex \u003Chex>\naegisctl apply --execution-plan \u003Cexec-plan.json> --public-key-hex \u003Chex>\n```\n\n`aegisctl sign` derives execution argv from the deterministic operation plan. The model never supplies argv, and `aegisd` validates the signed argv against the same production allowlist before execution.\nPolicy results include the exact operation-plan hash. `aegisctl sign` re-runs deterministic policy for the supplied plan and optional AI review, rejects mismatches, and embeds the operation plan, policy result, and optional AI review hash in the signed execution plan. The executor verifies those embedded hashes, signed argv target drift, expiry\u002Ffreshness, and required controls before running an allowlisted command.\n\nAI review is one-way restrictive: it can escalate deterministic policy to `RequireHuman` or `Deny`, but it cannot approve or downgrade a deterministic policy decision.\n\n`AllowWithSnapshot` requires a snapshot proof such as `--snapshot-id`. `RequireHuman` requires an independently signed approval (`--approval-secret-key-hex` \u002F `AEGIS_APPROVAL_SECRET_KEY_HEX`) using a key distinct from the execution signing key; `aegisctl verify`, `aegisctl apply`, and `aegisd` verify approvals with `--approval-public-key-hex` or `AEGIS_APPROVAL_PUBLIC_KEY_HEX`.\n\n## Audit Files\n\nGenerated plans are written to:\n\n```text\n~\u002F.local\u002Fshare\u002Faegis\u002Fplans\u002F\u003Cplan_id>.json\n```\n\nAI reviews are written to:\n\n```text\n~\u002F.local\u002Fshare\u002Faegis\u002Freviews\u002F\u003Cplan_id>.review.json\n```\n\nPolicy results are written to:\n\n```text\n~\u002F.local\u002Fshare\u002Faegis\u002Fpolicy\u002F\u003Cplan_id>.policy.json\n```\n\nTamper-evident audit events are appended to:\n\n```text\n~\u002F.local\u002Fshare\u002Faegis\u002Faudit\u002Faudit.ndjson\n```\n\nSet `AEGIS_AUDIT_LOG_DIR` to move the production audit log (for example to a root-owned `\u002Fvar\u002Flog\u002Faegis` directory). 
Each audit event contains a SHA-256 hash chain linking it to the previous event. Verify the chain with:\n\n```bash\naegisctl audit-verify\naegisctl audit-verify --path \u002Fvar\u002Flog\u002Faegis\u002Faudit.ndjson\n```\n\n## Advisory Policy Helper\n\nThe optional policy helper under `tools\u002Fpolicy-helper\u002F` is offline advisory\ntooling for policy maintenance. It reads signed execution plans, verifies\nexecution-plan signatures and human approval signatures against trusted public\nkeys, and produces a JSON report of recurring approval patterns and candidate\npolicy-test ideas.\n\nIt does not update deterministic policy, approve execution, generate argv, sign\nplans, or interact with `aegisd`. DSPy is used only to structure advisory\nanalysis from already-verified human feedback.\n\n```bash\npython -m aegis_policy_helper report \\\n  --execution-plan \u003Cexecution-plan.json> \\\n  --execution-public-key-hex \u003Cexecution-public-key-hex> \\\n  --approval-public-key-hex \u003Capproval-public-key-hex> \\\n  --out policy-helper-report.json \\\n  --lm openai\u002Fdeepseek-v4-flash \\\n  --api-base http:\u002F\u002Flocalhost:8000\u002Fv1 \\\n  --api-key local\n```\n\nFrom an uninstalled checkout, prefix the command with\n`PYTHONPATH=tools\u002Fpolicy-helper\u002Fsrc`.\n\nUse `--skip-dspy` to generate the deterministic sections without calling a\nmodel. Production reports require `--execution-public-key-hex`; the\n`--allow-unverified-execution-signature` flag exists only for lab fixtures.\nReports are written atomically with private file permissions when `--out` is\nused. Sandbox or lab evidence is intentionally not ingested by v1; future policy\nchanges suggested by a report must be implemented separately in deterministic\nRust policy with deny-path tests.\n\n## Open Source\n\nAegis is licensed under the MIT License. See [LICENSE](LICENSE).\n\nSecurity reports should follow [SECURITY.md](SECURITY.md). 
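Contributions should preserve the security invariant and follow [CONTRIBUTING.md](CONTRIBUTING.md).\n\n## Next Steps\n\n- Add richer package and artifact metadata parsers.\n- Add repository trust and snapshot integration.\n- Add rollback plan execution.\n- Add multi-platform CI matrix.\n","Aegis is a local zero-trust package operation broker that aims to replace direct package changes such as `sudo apt upgrade` or `npm install lodash` with deterministic planning, local AI review, deterministic policy, and auditable signed execution plans. The project is written in Rust and features Ed25519-signed execution plans, a constrained executor (`aegisd`), preflight controls, and structured daemon logging, ensuring that packages can be managed safely even when facing potentially risky inputs. It is suited to enterprise environments or individual developers who need strict control and auditing over changes to operating system or application packages.","2026-06-11 04:06:52","CREATED_QUERY"]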