aegis-trust SDK · open preview
The agent only sees what its job requires. Declare a purpose and a scope. The SDK strips everything else.
aegis-trust is the trust layer for AI agents. You wrap the function that fetches
your data and declare two things: the purpose the agent is acting
under, and the scope of fields that purpose maps to. Every field
outside that scope is removed before the value ever reaches the agent. It is
local-first and fail-closed: if the boundary cannot be enforced, no data is
released. The reduction is done by scope / deny_fields;
purpose is declared as context and recorded, not enforced as a local authorization
decision.
```python
from aegis_trust import shield

@shield(purpose="customer_support", scope=["name", "issue"])
def get_customer(id):
    # your real DB/API call goes here
    return {"name": "Tanaka Taro", "issue": "Login problem",
            "email": "t@example.com", "ssn": "123-45-6789"}

print(get_customer(1))
# → {'name': 'Tanaka Taro', 'issue': 'Login problem'}
# email / ssn are stripped before the agent sees them
```
This snippet runs as written in LITE mode. The literal record stands in for your real data source. A TypeScript / Node equivalent ships in the same package — see the SDK page.
The boundary is on the data, not the user
Most access control asks "who is allowed?" and enforces a rule about the subject. aegis-trust asks "for what purpose, and which fields does that purpose need?" and enforces the answer at the data-access boundary. When the subject is an AI agent with a thousand concurrent instances and no stable identity, controlling the data it can see is more durable than controlling the agent itself.
What the shipping SDK does today
Every item below is enforced by code in the open-preview release — not a roadmap claim.
Field-level reduction
Fields outside the declared scope are removed before the agent
sees the return value. Supports nested dot-notation and deny-fields.
Fail-closed by default
If the policy cannot be applied — or, in FULL mode, the audit record cannot be durably written — the SDK returns an empty result rather than leaking data. Python and Node share this contract.
Local-first (LITE mode)
With no token and no gateway URL set, the SDK runs entirely in your process. No data is transmitted anywhere.
Audit record on every access
Each shielded access is recorded — locally in LITE mode (the public preview), or to the aegis-core gateway in FULL mode, where the server keeps a tamper-evident chain. FULL is a private-pilot path, by request.
Python and Node SDKs
Published on PyPI (pip install --pre aegis-trust) and npm
(npm install aegis-trust). Check the displayed preview version for each before installing.
MIT licensed, open preview
Free to install and use. Tested across the Python and Node SDK surfaces. Pre-1.0 — see the honest limitations before adopting.
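The field-level reduction and fail-closed behaviour listed above, sketched as an added example that is not aegis-trust's own code. The names `reduce_record` and `SAMPLE`, the rule that a deny path overrides a scoped path, and the record itself are assumptions made for illustration.

```python
import copy

# Constructed sample record (not real data).
SAMPLE = {"name": "Tanaka Taro", "issue": "Login problem", "ssn": "123-45-6789",
          "contact": {"phone": "000-0000", "city": "Osaka"}}

def _get(record, path):
    """Follow a dot-notation path; return (found, value)."""
    node = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node

def _set(out, path, value):
    """Write value at a dot-notation path, creating parent dicts as needed."""
    *parents, leaf = path.split(".")
    for key in parents:
        out = out.setdefault(key, {})
    out[leaf] = value

def _delete(out, path):
    """Remove a dot-notation path if present; missing paths are ignored."""
    *parents, leaf = path.split(".")
    for key in parents:
        out = out.get(key)
        if not isinstance(out, dict):
            return
    out.pop(leaf, None)

def reduce_record(record, scope, deny_fields=()):
    """Allowlist reduction: copy only scoped paths, then strip denied paths.
    Fail closed: if the policy cannot be applied, return an empty dict."""
    try:
        if not isinstance(record, dict):
            raise TypeError("record must be a dict")
        paths = list(scope) + list(deny_fields)
        if not all(isinstance(p, str) and p for p in paths):
            raise ValueError("malformed field path")
        out = {}
        for path in scope:
            found, value = _get(record, path)
            if found:
                # Deep copy so later deletes never touch the source record.
                _set(out, path, copy.deepcopy(value))
        for path in deny_fields:
            _delete(out, path)
        return out
    except Exception:
        return {}  # nothing is released when enforcement fails
```

Starting from an empty output and copying in only the scoped paths means a field added to the data source later stays hidden until someone adds it to a scope.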