ASI06 · Secure context engineering

Your agent's context is
your attack surface.

Aegis is the secure memory and context layer for AI agents. Every write is screened for injection, secrets, and tampering before it can persist or reach another agent.

Not theoretically.

$ pip install aegis-memory

Open source · Apache 2.0 · v2.6.0 · OWASP-aligned

ticket.body UNTRUSTED shared memory SINK auto_refund() ACTION ASI06 · write reachable from untrusted input · severity HIGH
Figure 1 — untrusted ticket reaches a consequential action, no human gate
The write boundary

Gate the write, and the
topology stops mattering.

Agent A's output is Agent B's instruction. Cooperative blackboard, hierarchical handoff, swarm — every multi-agent shape funnels through the same place: a write to shared memory.

Aegis puts one scope-aware guard on that boundary. Clean writes persist. Poisoned writes are rejected and never stored — so nothing downstream ever reads them.

guard.protect(store, scope="agent-shared") → returns a GuardedStore proxy. Offline. Keyless. No API call.
ticket.body · untrusted
Write boundary
store.put(scope="agent-shared") · verified ✓

The membrane lets clean content through and holds the rest.

Three ways to adopt

Start at a function call. Grow into a platform.

Level 1 Offline · keyless

guard

Wrap any store — CrewAI, LangChain, a dict — in a local write-gate. Screens every write for injection and secrets before it persists. No server, no API key.

from aegis_memory import guard
Level 2 Static analysis

aegis inspect

Scan a codebase for unsafe agent-memory flows (OWASP ASI06). Get a memory map, a risk score, and findings — where untrusted input reaches a consequential write. Local & keyless.

$ aegis inspect .
Level 3 Full context layer

Aegis server

FastAPI + PostgreSQL/pgvector. Ranked retrieval, the Context Hub, multi-agent ACLs, the ACE learning loop, and an immutable audit trail — every write signed, scanned, trust-gated.

client.load_context(agent_id=…)
Six capabilities, none optional

Security leads. Memory is a feature.

The context layer your auditor will let you ship.

01 Built-in

Content Security Pipeline

4-stage scan on every write: input validation, sensitive-data detection, prompt-injection signatures, optional LLM classification. 0.00 false-positive rate on the deterministic core.

02 HMAC-SHA256

Integrity Verification

HMAC-SHA256 signed on store, verified on demand. You know if a memory was modified after the fact.

03 OWASP 4-tier

Trust Hierarchy

Untrusted, internal, privileged, system. Agents get compromised — Aegis limits the blast radius. Untrusted content cannot reach global.

04 ACE loop

Context That Improves Itself

Generation, reflection, curation. Auto-vote on outcomes. Promote what works, flag what does not.

05 EU AI Act

Compliance & Audit

Immutable event log on every read, write, vote, and access decision. EU AI Act (Aug 2026) mandates audit trails.

06 Scoped ACL

Multi-Agent Memory

Scoped access — private, shared, global. Cross-agent query with explicit ACLs. Structured handoffs with state bundles.

v2.6.0 · The Context Hub

Four artifacts. One secure surface.

The only open-source context hub. One call loads prompts, memory, skills, and subagents — integrity-verified, trust-gated, token-budgeted.

Prompts

/prompts/*

Versioned, one active version per name

Memory

/memories/*

Secure, ranked, decayed — what we've always done

Skills

/skills/*

Anthropic Agent Skills spec, semantic activation

Subagents

/subagents/*

Delegation surface with tool + scope policy

bundle.py
from aegis_memory import AegisClient

client = AegisClient(api_key="...")

bundle = client.load_context(
    agent_id="executor",
    query="paginate the orders API",
    token_budget=8000,
)

# → ranked memories
# → active prompt version
# → matched skills + subagents
# → integrity-verified across all four

Other context hubs (LangSmith, MindStudio) are closed-source. Other memory layers (mem0, Zep, Letta) stop at memory. Aegis does both — with security as the foundation.

v2.6.0 · Memory Depth

Beyond storage. Lifecycle.

Memory-depth primitives are table stakes in 2026. What's distinct in Aegis is the audit-preserving, human-reviewable shape of each one — typed edges with explicit resolution, consolidation that soft-deprecates rather than deletes.

A

Hybrid retrieval

Every query runs dense (pgvector cosine) and sparse (PostgreSQL tsvector) channels, fused with Reciprocal Rank Fusion. Catches the exact-match cases — entity names, error codes, file paths — that pure embeddings blur.

results = client.hybrid_query(
    query="ZX7-PAGE-94 cursor pagination",
    agent_id="executor",
)
B

Contradiction detection

When two memories make incompatible claims, Aegis surfaces a typed `contradicts` edge with confidence and rationale. Explicit resolution: kept_source, kept_target, both_valid, both_invalid.

client.scan_contradictions(namespace="default")
unresolved = client.list_contradictions()
client.resolve_edge(
    edge_id=...,
    resolution="kept_source",
)
C

Semantic consolidation

Embedding-similar memories above threshold get merged via heuristic or LLM — with an audit trail. The losing memory stays queryable (is_deprecated=True, consolidated_into). No silent deletes.

plan = client.consolidate_memories(dry_run=True)
# review the plan, then apply
client.consolidate_memories(dry_run=False)
Ten lines

Production-grade context, from one import.

Content security, integrity signing, and scoped access control on every write.

context-hub.py
from aegis_memory import AegisClient

client = AegisClient(api_key="your-key")

# Load prompts + memory + skills + subagents
# Integrity-verified, trust-gated, token-budgeted.
bundle = client.load_context(
    agent_id="executor",
    query="paginate the orders API",
    token_budget=8000,
)

system_prompt = bundle.prompt.body
relevant = bundle.memories
skills = bundle.skills
delegates = bundle.subagents
We read every changelog

What your context layer is missing.

We audited the docs, repos, and changelogs of every major memory tool. These protections do not exist anywhere else.

Capability Aegis mem0 Zep Letta
Content injection detection 4-stage pipeline
Memory integrity HMAC-SHA256
Agent identity binding Cryptographic API key
Trust hierarchy 4-tier OWASP
Per-agent rate limiting Sliding window
Security audit trail Immutable event log
Sensitive-data protection Auto-detect
Unified context hub (prompts + skills + subagents)
Hybrid retrieval (dense + sparse + RRF)
Contradiction detection Typed edge + workflow Graph variant Temporal
Self-host posture First-class Available Available Available

Comparison reflects public docs / repos as of 2026-05. Memory-depth primitives are now table stakes; the difference is in how, not whether — and in the security layer underneath.

OWASP-alignedEU AI Act readyCVE-awareNIST AI agent standards

“Aegis solved the multi-agent coordination problem we'd been struggling with for months.”

Ivan Djordjevic — AI Lead, Leidos
Star the repo
Read it before you trust it

Open source. Self-hosted. Built to be audited.

Apache 2.0. Deploy anywhere. Every line of the security pipeline is in the repo.

$ pip install aegis-memory

Apache 2.0 · v2.6.0 · Self-host first