Skip to content
AEGIS

CIARUSTCODE · by Consultancy in Action

The coding agent that can't reach around its own guardrails.

AEGIS runs the AI inside a mandatory safety kernel. Every file edit, command and network call is classified, consented, sandboxed — and written to a tamper-evident ledger you can verify later. Local-first at $0, or bring your own key to any provider.

The AEGIS terminal UI pausing at a consent modal: 'APPROVE ACTION?' showing a coloured diff for src/calculator.py, the policy rule that classified it, a live cost meter, and approve / deny / kill-switch keys.
Real screenshot — the kernel pauses an edit for consent. The diff, the policy rule, the cost meter and the kill switch, all in one frame.

Our guardrailed, provider-agnostic agentic coding tool, at a glance

Approach

Safety as architecture

The agent runs inside a Rust safety kernel it structurally cannot bypass — not a prompt, not a plugin.

Cost

$0 to run locally

Any local Ollama model at zero token cost, or bring your own key to any cloud provider at raw rates.

Proof

A tamper-evident ledger

Every action is hash-chained and signed, so you can verify exactly what ran — even offline.

Why AEGIS exists

A coding agent is the most dangerous AI you'll ever run.

It edits files, runs commands, reads secrets, calls the network and installs dependencies — on the machine where your real work lives. Every leading tool treats that risk as a UX problem: a confirmation prompt bolted onto an agent that otherwise has the full reach of your user account.

We wanted the opposite for our own client work: an agent we could point at a real repository and still prove, afterwards, exactly what it did — with destructive actions, secret exfiltration and prompt injection structurally prevented, not politely discouraged.

The model may be wrong, manipulated, or adversarially steered — and the human must remain in control regardless.

So the guardrails aren't a prompt. They're a Rust safety kernel the agent physically cannot bypass: the agent core holds no syscall capability of its own — it can only submit typed intents to the broker.

How it works

The agent lives inside concentric rings. Every arrow crossing a ring is typed, checked and logged.

Host system

filesystem · network · processes · secrets

Aegis Layer — safety kernel

intent ↓  result ↑

policy engine · sandbox broker · consent gateway · secrets firewall · audit ledger · kill switch

Agent core

reasoning loop · edit engine · provider abstraction — emits intents only

LLM

local Ollama or cloud BYOK — no direct I/O, ever

  1. 1

    The model proposes. It can't touch anything — it emits a typed intent: read, apply_diff, run, net_fetch

  2. 2

    Policy classifies. Each intent lands in a tier: Auto Confirm Forbidden — from a YAML policy file you version-control.

  3. 3

    You consent, per action. Confirm-tier intents pause with the exact diff or command. One approval never generalises.

  4. 4

    The sandbox executes. Commands run under an OS sandbox — writes confined to the project, network denied by default, outbound payloads scanned for secrets.

  5. 5

    The ledger remembers. Every event is appended to a hash-chained, signed ledger. Verify it any time →

Watch it work

A real session, un-staged: find the bug, ask permission, fix it, prove it.

Recorded against a local Ollama model — total model cost $0.00. The agent reads the code (Auto tier), proposes a diff (Confirm tier — the kernel pauses for a keypress), runs the tests inside the sandbox, then ciarustcode verify checks the session's hash chain.

One take, real time: intent feed, consent modal with the diff, sandboxed test run, ledger verification.
The completed AEGIS session: the intent feed shows scoped reads, the confirmed diff, a checkpoint commit, the sandboxed test run and the finish summary — 4 steps, $0.0000.
The full audit trail on screen as it happens — every line is also a ledger entry.
The CIARUSTCODE native desktop app launch pad: project folder, provider and model pickers, an optional fast-model for routine turns, and an air-gap toggle — 'local-only, no data leaves the box (ledger-attested)'.
Prefer windows to terminals? The native desktop app runs the same engine — same kernel, same ledger — plus an air-gap toggle.

The ten principles

Enforced in the architecture — not promised in a system prompt.

Each principle maps to a named module in the kernel, and each is exercised by the kernel test suite — 78 tests on the safety layer alone.

01

Instruction/data boundary

Instructions come only from you. Everything the agent reads — files, web pages, tickets — is untrusted data and is never executed, no matter what it says. Injection attempts are flagged and quoted back.

02

Least privilege & scope

The agent starts with zero capabilities. Reads and writes are bounded to the project directory; your home folder, system directories and credential stores are structurally out of reach.

03

Tiered consent

Every action is classified Auto, Confirm, or Forbidden before it runs. Consent is per-action and per-session — one approval never generalises.

04

Defence-in-depth sandboxing

Commands run inside an OS sandbox (macOS Seatbelt): writes confined to the project tree, network denied by default.

05

Corrigibility & kill switch

One keystroke halts everything. A dead-man's checkpoint forces re-authorisation past a step or spend threshold. The agent cannot disable the layer.

06

Secrets firewall

Secrets live in a vault the agent core cannot read. Every outbound payload is scanned; a leaked key is blocked before it leaves the machine.

07

Content & misuse policy

Refuses to knowingly produce malware, exploits, or credential harvesters — as auditable rules in the policy engine, not a black box.

08

Tamper-evident audit ledger

Every intent, decision, consent, diff, command and network call is appended to a hash-chained, Ed25519-signed ledger. Tampering breaks the chain and is detectable.

09

Cost & autonomy governance

Hard per-session and per-day spend caps, max steps, max files, max wall-clock — enforced by the broker, with a live cost meter in the UI.

10

Supply-chain integrity

Dependency installs require pinned versions and explicit confirmation; post-install scripts run sandboxed under the same egress rules.

Receipts, not vibes

Built like the security tool it is.

182

tests, 0 clippy warnings

78 dedicated to the safety kernel alone

16/16

red-team bypasses fixed

31 candidates surfaced, 16 confirmed real, all fixed with regression tests

$0

to run fully local

any Ollama model; BYOK cloud keys at raw provider rates, no markup

~24k

lines of Rust, 7 crates

one auditable workspace, one binary

Terminal output of ciarustcode verify: 'ledger intact — hash chain verified' and 'signatures valid' across all entries, with the device identity key.
Our own development ledger, verified live while building this site.

Red-teamed against its own threat model

We attacked it the way an adversary would — shell-wrapped commands, egress host-confusion, ledger tampering, injection-laced files, autonomy runaway. 31 candidate bypasses surfaced; 16 were confirmed real; all 16 were fixed with regression tests pinning them shut.

Then we published the receipts. See how you verify a session yourself →

It gets better as you use it

A learning loop with a paper trail.

AEGIS can review its own sessions and propose skills and memories — but writing them is a kernel-gated intent like any other. You approve or reject every proposal, a weekly curator consolidates the library, and the journal records the lot.

Terminal output of ciarustcode learn status and learn log: automatic review off (manual only), learned skills and pending proposals listed.
The learning loop's control plane — consent-first, journalled, pausable.

How it compares

The two axes nobody else occupies.

Local-first with no API key required, and a safety layer that is mandatory and architectural rather than optional and bolted-on.

  AEGIS / CIARUSTCODE The field, typically
Safety layer Mandatory kernel: typed intents, OS sandbox, egress + secrets firewall, hash-chained ledger, kill switch Permission prompts bolted onto an agent with full user privilege; no audit trail
Local / offline Local-first by default — any Ollama model, $0 per token, air-gap mode with signed proof Cloud-first; local models unsupported or second-class
Cost Free tool. $0 local, or BYOK at raw provider rates — no platform markup, no bill shock $10–$200/month plans, metered credits on top
Prove what ran verify / replay / usage / attest — a cryptographic record you can hand to a client or auditor Chat scrollback, if you saved it
Provider lock-in Anthropic, OpenAI, OpenRouter, Groq, Google, or any OpenAI-compatible endpoint — switch per call One vendor's models, one vendor's pricing

Field = the leading agentic coding tools as of mid-2026 (Claude Code, OpenAI Codex, Cursor, GitHub Copilot, Replit Agent, OpenCode). Each is excellent at what it optimises for — none ships a mandatory, architecturally-enforced guardrail layer. That is the whole point of AEGIS.

The honest trust model

What actually contains the agent — and what's just a tripwire.

We assume the model may be wrong, manipulated, or adversarially steered — and design so you stay in control regardless. The honest split: the sandbox, scope, egress firewall and ledger contain the agent; the scanners are tripwires that catch things early. Security claims you can audit, not vibes.

Structural containment

  • The OS sandbox (Seatbelt) around every command
  • Deny-by-default network egress with an explicit allow-list
  • Filesystem scope — writes bounded to the project tree
  • The hash-chained, Ed25519-signed audit ledger, checked at runtime
  • The kill switch and dead-man's checkpoint in the broker

Best-effort tripwires

  • The prompt-injection scanner (pattern-based, best-effort)
  • Regex intent classifiers (red-teamed, but not a proof)
  • The model's own judgement (assumed wrong or manipulated by design)

Any tool that tells you its injection scanner is bulletproof is selling you something. Ours is a tripwire in front of a wall — the wall is the sandbox, the scope and the egress firewall.

Questions

The short answers.

What is AEGIS (CIARUSTCODE)?

A guardrailed, provider-agnostic agentic coding tool built in Rust. The agent runs inside a mandatory safety kernel — the Aegis Layer — which classifies, consents, sandboxes and logs every action. There is no path from the model to your machine that bypasses it.

Does it work offline or with local models?

Yes — AEGIS is local-first. It runs any Ollama model at $0 per token, fully private, and has an air-gap mode that refuses all network egress and records signed proof that nothing left the machine. Cloud models work too, via your own API keys at raw provider rates.

How is it different from Claude Code, Codex or Cursor?

Those tools bolt safety on as permission prompts around an agent that otherwise runs with your full user privilege. In AEGIS the safety layer is the architecture: the agent core has no syscall capability at all — it can only submit typed intents to a broker that enforces policy, sandboxing, a secrets firewall and a tamper-evident audit ledger.

Can I prove what the agent did?

Yes. Every intent, decision, diff, command and network call is written to an append-only, hash-chained, Ed25519-signed ledger. ciarustcode verify checks the chain, replay prints the full transcript, usage summarises cost and egress, and attest exports a portable signed proof bundle you can verify offline.

Private preview

Run agents you can prove things about.

AEGIS is in private preview while we harden it on our own client work. Leave an email and we'll send one message when early access opens — or talk to Consultancy in Action about a guarded-agent engagement now.

One launch email · no spam · unsubscribe in one click