Metadata-Version: 2.4
Name: aegis-shield
Version: 0.1.0
Summary: Agent immune system — detect, contain, and recover from prompt injection and malicious behavior in AI agent networks
Author: Gaia Robotics
License: MIT
Keywords: ai,security,agents,prompt-injection,llm
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: pyyaml>=6.0
Requires-Dist: pydantic>=2.0
Provides-Extra: broker
Provides-Extra: identity
Requires-Dist: cryptography>=41.0; extra == "identity"
Provides-Extra: memory
Provides-Extra: skills
Provides-Extra: ml
Requires-Dist: llm-guard>=0.3.14; extra == "ml"
Provides-Extra: ml-behavior
Requires-Dist: scikit-learn>=1.3; extra == "ml-behavior"
Provides-Extra: pii
Requires-Dist: presidio-analyzer>=2.2; extra == "pii"
Requires-Dist: presidio-anonymizer>=2.2; extra == "pii"
Provides-Extra: yara
Requires-Dist: yara-python>=4.3; extra == "yara"
Provides-Extra: monitoring
Requires-Dist: httpx>=0.27; extra == "monitoring"
Provides-Extra: fuzzy
Requires-Dist: rapidfuzz>=3.0; extra == "fuzzy"
Provides-Extra: embeddings
Requires-Dist: sentence-transformers>=2.6; extra == "embeddings"
Provides-Extra: content-gate
Requires-Dist: transformers>=4.36; extra == "content-gate"
Requires-Dist: torch>=2.0; extra == "content-gate"
Provides-Extra: all
Requires-Dist: aegis-shield[broker,content-gate,embeddings,fuzzy,identity,memory,ml,ml-behavior,monitoring,pii,skills,yara]; extra == "all"
Provides-Extra: dev
Requires-Dist: pytest>=7.0; extra == "dev"
Requires-Dist: pytest-cov>=4.0; extra == "dev"
Requires-Dist: ruff>=0.4.0; extra == "dev"
Dynamic: license-file

# AEGIS

**Agent Embedding Guard & Immune System**

Protect your agent swarm with an immune system! A drop-in security layer for LLM-powered agents, optimized for safe(r) participation in multi-agent societies. Detects prompt injections, contains compromised agents, and prevents cascading attacks across multi-agent systems so you don't end up inadvertently authoring the first chapter of a sci-fi novel.

## Quick Start

```bash
pip install -e .  # until the package is on PyPI
```

```python
import aegis
import anthropic  # or openai, or any client with create()/generate()

client = aegis.wrap(anthropic.Anthropic())

# Use the client exactly as before - AEGIS scans automatically
response = client.messages.create(
    model="claude-sonnet-4-5-20250929",
    messages=[{"role": "user", "content": "What is 2+2?"}],
)
```

One line. No config needed. AEGIS auto-detects your provider, scans inputs for prompt injection, sanitizes outputs, and tracks agent trust - all transparently.

## What It Does

AEGIS layers eight independent defense mechanisms so that bypassing any single one doesn't mean total compromise:

| Module | Purpose |
|--------|---------|
| **Scanner** | Detects direct and indirect prompt injections via regex, heuristics, ML classifiers, and embedding-based intent-context divergence |
| **Broker** | Controls tool access with capability manifests and write budgets |
| **Identity** | Tracks agent trust tiers, verifies cryptographic attestations |
| **Behavior** | Fingerprints agent behavior and detects drift from baseline |
| **Memory** | Guards against memory poisoning with category restrictions and taint tracking |
| **Recovery** | Auto-quarantines compromised agents and rolls back to known-good state |
| **Integrity** | Detects tampering of local model files (Ollama, vLLM) via stat checks, hashing, and inotify |
| **Monitoring** | Optional reporting to a central monitoring service for network-wide visibility |

## Modes

| Mode | Behavior |
|------|----------|
| `enforce` (default) | Blocks detected threats by raising `ThreatBlockedError` |
| `observe` | Detects and logs threats, but never blocks - useful for evaluation |

```python
# Protected by default
client = aegis.wrap(my_client)

# Use observe mode to evaluate detections before enforcing
client = aegis.wrap(my_client, mode="observe")
```
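
As an added illustration (not AEGIS's own code), the following standalone sketch shows how a broker can combine a capability manifest and a write budget with the two modes described above: `enforce` raises on a violation, while `observe` records it and lets the call through. The names `CapabilityManifest`, `Broker`, `demo` and the sample tool sequence are assumptions for this example, and `ThreatBlockedError` is redefined locally as a stand-in for the package's exception.

```python
from dataclasses import dataclass, field


class ThreatBlockedError(Exception):
    """Local stand-in for the enforce-mode exception; not the package's class."""


@dataclass(frozen=True)
class CapabilityManifest:
    allowed_tools: frozenset[str]   # tools the agent may call at all
    write_tools: frozenset[str]     # subset that mutates state and costs budget
    write_budget: int               # max write calls per session


@dataclass
class Broker:
    manifest: CapabilityManifest
    mode: str = "enforce"           # "enforce" raises, "observe" only records
    writes_used: int = 0
    violations: list[str] = field(default_factory=list)

    def check(self, agent: str, tool: str) -> bool:
        """Return True if the call may proceed; record (and in enforce mode raise on) violations."""
        reason = None
        if tool not in self.manifest.allowed_tools:
            reason = f"{agent}: '{tool}' not in capability manifest"
        elif tool in self.manifest.write_tools:
            if self.writes_used >= self.manifest.write_budget:
                reason = f"{agent}: write budget {self.manifest.write_budget} exhausted by '{tool}'"
            else:
                self.writes_used += 1
        if reason is None:
            return True
        self.violations.append(reason)
        if self.mode == "enforce":
            raise ThreatBlockedError(reason)
        return True  # observe mode: logged, but the call is not blocked


def demo(mode: str) -> tuple[int, list[str]]:
    """Run a constructed call sequence (hypothetical agent/tools); returns (calls allowed, violations)."""
    manifest = CapabilityManifest(frozenset({"read_file", "write_file", "search"}),
                                  frozenset({"write_file"}), write_budget=2)
    broker = Broker(manifest, mode=mode)
    allowed = 0
    for tool in ["read_file", "write_file", "write_file", "write_file", "delete_db"]:
        try:
            allowed += broker.check("agent-7", tool)  # True counts as 1
        except ThreatBlockedError as exc:
            print(f"blocked: {exc}")
    return allowed, broker.violations
```

Running `demo("enforce")` lets three calls through and blocks the third write and the unlisted `delete_db`; `demo("observe")` lets all five through while recording the same two violations.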

## Supported Providers

| Provider | Intercepted Method |
|----------|-------------------|
| **Anthropic** | `client.messages.create()` |
| **OpenAI** | `client.chat.completions.create()` |
| **Ollama** | `client.chat()` and `client.generate()` |
| **vLLM** | `llm.generate()` and `llm.chat()` |
| **Generic** | `client.create()` or `client.generate()` |

## Optional Extras

```bash
pip install aegis-shield[identity]      # Ed25519 attestation
pip install aegis-shield[ml]            # ML-based scanning (uses LLM Guard)
pip install aegis-shield[monitoring]    # Remote monitoring service
pip install aegis-shield[all]           # Everything
```

## Documentation

You can get started with a single line of code, but there's a lot more you can do with AEGIS:

- **[Getting Started](docs/quickstart.md)** - Installation, usage, and progressive walkthrough of every feature
- **[API Reference](docs/api-reference.md)** - Complete class/method/config reference
- **[Monitor Quickstart](docs/quickstart-monitor.md)** - Set up the monitoring dashboard and connect agents
- **[Security Rationale](docs/rationale.md)** - Why AEGIS exists, attack anatomy, defense-in-depth analysis
- **[Whitepaper](https://github.com/gaiarobotics/papers/blob/main/Semantic%20Immunity%20Paper.pdf)** - Outlines the risk of prompt worms in agentic networks and details the concept of Semantic Immunity
- **[Comparison](docs/comparison.md)** - AEGIS vs Guardrails AI vs LLM Guard
- **[Examples](examples/)** - Runnable code for every feature

## Requirements

- Python 3.10+
- No required dependencies beyond PyYAML

## License

MIT
