README.md

June 4, 2026 · View on GitHub

AEGIS

OS-level oversight for AI coding agents

Open-source monitor that shows what AI coding agents actually do on your machine — at the OS level, no agent hooks required.

AEGIS sees every AI agent on your machine — even ones that don't cooperate. It is an independent, OS-level observer that watches agent processes, file access, network activity, and behavioral anomalies in real time, regardless of how the agent was launched. Built on a JavaScript (ES modules / CommonJS) monitoring engine, with TypeScript in the renderer and shared types. Open-source, local, no telemetry — everything stays on your machine.

"Kaspersky found 512 bugs in OpenClaw. So we built an EDR to monitor it."

AEGIS Demo

Download · Report Bug · Feature Request · Contributing

What Does Aegis Monitor?

Process Monitoring — Tracks 110 known AI agent signatures with parent-child tree resolution and IDE host detection.
File System Access — Watches sensitive directories (.ssh, .aws, .gnupg, .env, cloud configs) and 27 AI agent config paths for unauthorized access.
Network Activity — Logs outbound TCP connections per agent PID with reverse DNS and known-vs-unknown API endpoint classification.
Behavioral Analysis — Applies 73 detection rules across 8 categories with rolling 10-session baselines and 4-axis anomaly scoring.
Trust Scoring — Assigns real-time risk scores with trust grades (A+ through F) using time-decay algorithms and multi-dimensional threat assessment.
Multi-Agent Dashboard — Displays all 110 agents in a bento-grid dashboard with sparklines, risk rings, activity feeds, and expandable agent cards.

Why Aegis?


512	vulnerabilities found in OpenClaw by Kaspersky — autonomous agents ship with real security risks
0	open-source EDR tools existed for AI agents before Aegis
110	AI agent signatures in the detection database, from Claude Code to AutoGPT
73	behavioral detection rules across 8 categories, with hot-reload and custom overrides
707	tests passing, 0 failures — the monitoring engine is verified on every commit
<2s	cold boot to full dashboard — lightweight enough to run alongside the agents it monitors

AI agents now have deep access to your machine — files, commands, network. Every existing AI security tool is enterprise SaaS that monitors what humans send to AI. Nobody monitors what AI agents do on local machines. Aegis is the open-source answer.

Why AEGIS is different

Most AI-agent oversight tools work by hooking inside the agent itself — a Claude Code plugin, a Cursor extension, an SDK wrapper. Sage (Gen Digital), leash, and Microsoft's Agent Governance Toolkit all live in the agent's runtime. That has a structural blind spot: they only see agents that installed their hook. An agent launched a different way — a raw python autogpt.py, a binary you didn't wrap, a tool that simply doesn't cooperate — is invisible to them.

AEGIS sits at a different layer. It is an independent, OS-level observer: it watches process, file, and network activity from outside the agents, so it catches any agent on the machine regardless of how it was started or whether it wants to be watched. Hook-based tools and AEGIS are complementary — one instruments the agents that opt in, the other sees the whole machine.

Monitor-first

AEGIS is a camera, not a guard. It observes and logs — it does not block agents at the OS level today. There are no kernel hooks and no automatic enforcement. Process control (kill / suspend / resume) is manual and user-invoked only. Active blocking is on the roadmap, not in the current release. Use AEGIS for visibility, auditing, and anomaly detection — pair it with sandboxing when you need enforcement.

What It Monitors

Layer	How
Processes	110 known AI agent signatures, parent-child tree resolution, IDE host detection
Files	Watches `.ssh`, `.aws`, `.gnupg`, `.env*`, cloud configs, 27 AI agent config dirs
Network	Outbound TCP per agent PID, reverse DNS, known API endpoints vs unknown
Behavior	Rolling 10-session baselines, 4-axis anomaly scoring (Network/FS/Process/Baseline)
Local LLMs	Ollama, LM Studio, vLLM, llama.cpp runtime detection

How It Compares

	AEGIS	Lasso / Prompt Security / PromptArmor
Runs locally	Yes	Cloud
Open source	MIT	No
Free	Yes	Enterprise
Monitors file access	Yes	No
Detects local LLMs	Yes	No

AEGIS is the only open-source, local-first AI agent monitor.

Download

From Source (all platforms)

git clone https://github.com/antropos17/Aegis.git
cd Aegis
npm install
npm start

Requires Node.js 18+ and npm 9+. Windows 10/11 recommended. macOS/Linux experimental (#37).

Try Without AI Agents

Don't have AI agents running? Demo mode lets you explore the full dashboard with simulated data — no real monitoring, no real processes.

npm run build:demo && npm start

Demo mode runs a scenario engine that cycles through four threat phases — calm → elevated → critical → reset — with up to 12 simulated AI agents (Claude Code, Copilot, Cursor, and more). File access events, network connections, anomaly scores, and risk assessments are all generated in real time so every tab and feature is fully functional.

Use it to evaluate AEGIS before deploying, demo the UI to your team, or develop new features without needing a live Windows environment.

Windows Installer

Pre-built .exe installer is coming in a future release. Track progress in Releases.

Release History

Version	Date	Highlights
v0.10.0-alpha	2026-03-09	Code cleanup, security hardening, command palette
v0.9.1-alpha	2026-03-08	Dropdown dedup, skill paths, aegis-context optimized
v0.9.0-alpha	2026-03-08	categoryIndex, prompt-craft skill, TS migration stores
v0.8.2-alpha	2026-03-08	formatBytes TS extraction, meaningful tests, branch cleanup
v0.8.1-alpha	2026-03-07	Patch release
v0.8.0-alpha	2026-03-05	Launch readiness: CSP hardened, OpenClaw integration, README overhaul
v0.7.0-alpha	2026-03-04	YAML rulesets, 68 rules, hot-reload, 568 tests
v0.5.0-alpha	2026-03-03	Fancy UI redesign, VisTimeline, AgentGraph
v0.4.0-alpha	2026-03-03	TypeScript infrastructure, perf, refactoring

Features

Detection — 110 agent signatures, parent chain resolution, config dir protection, per-agent risk scoring with trust grades (A+ through F), HTTP/User-Agent scoring, local LLM detection, false positive marking

Analysis — Behavioral baselines with rolling averages, multi-dimensional anomaly detection, AI threat assessment via Anthropic API (opt-in), printable HTML threat reports

Dashboard — Bento grid dashboard — RiskRing gauge, Sparklines, TrustBadge, agent stats, activity feed with filters, session timeline, agent cards with expandable details, protection presets (Paranoid/Strict/Balanced/Developer), dark/light theme, toast notifications, OOM protection, keyboard shortcuts (Ctrl+1-4)

Export — JSON, CSV, HTML reports, one-click ZIP archive, JSONL audit logging (daily rotation, 30-day retention)

i18n — Internationalization with English base (110+ strings), community translations welcome

CLI — --scan-json for scripting, --version, --help

YAML Rulesets

73 detection rules across 8 categories (AI config, secrets, SSH, cloud, browser, devtools, crypto, certificates)
JSON Schema validated, hot-reload without restart
Extend or override via rules/custom/ directory

Screenshots

📸 Shield — Real-time Overview

📸 Activity Feed

📸 Rules & Permissions

📸 Reports & Export

📸 Agent Statistics

📸 Settings

Architecture

┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐
│   Process    │    │    File     │    │   Network   │    │     LLM     │
│   Scanner    │    │   Watcher   │    │   Monitor   │    │  Detector   │
│  (tasklist)  │    │ (chokidar)  │    │ (NetTCP+DNS)│    │(Ollama/LMS) │
└──────┬───────┘    └──────┬──────┘    └──────┬──────┘    └──────┬──────┘
       │                   │                  │                  │
       └───────────┬───────┴──────────┬───────┘                  │
                   │                  │                           │
            ┌──────▼──────┐    ┌──────▼──────┐                   │
            │  Baseline   │    │   Anomaly   │◄──────────────────┘
            │   Engine    │    │  Detector   │
            │(10-session) │    │  (4-axis)   │
            └──────┬──────┘    └──────┬──────┘
                   │                  │
            ┌──────▼──────┐    ┌──────▼──────┐    ┌─────────────┐
            │    Risk     │    │   Audit     │    │     CLI     │
            │   Engine    │    │   Logger    │    │ (--scan-json│
            │(time-decay) │    │  (JSONL/30d)│    │  --version) │
            └──────┬──────┘    └──────┬──────┘    └─────────────┘
                   │                  │
            ┌──────▼──────┐    ┌──────▼──────┐
            │  Dashboard  │    │ ZIP Writer  │
            │ (Svelte IPC)│    │ (export)    │
            └─────────────┘    └─────────────┘

Stack: Electron 33, Svelte 5, Vite 7, Vitest (707 tests across 44 files). The monitoring engine is JavaScript (CommonJS); TypeScript is used in the renderer and shared types.

Agent Database

110 agents in src/shared/agent-database.json:

Coding — Claude Code, GitHub Copilot, Cursor, Windsurf, Tabnine, Amazon Q, Cody, Aider Autonomous — OpenClaw, Devin, Manus AI, OpenHands, SWE-Agent, AutoGPT, BabyAGI, CrewAI Desktop — Anthropic Computer Use, Google Gemini, Apple Intelligence, Microsoft Copilot Frameworks — LangChain, Semantic Kernel, AutoGen, MetaGPT, TaskWeaver Local LLMs — Ollama, LM Studio, vLLM, llama.cpp, LocalAI, GPT4All, Jan

Add custom agents via the UI or edit the JSON. See AGENTS.md.

Roadmap

Everything below is planned, not shipped. AEGIS today is monitor-only (see Monitor-first).

Frequently Asked Questions

What is Aegis?

Aegis is an open-source endpoint detection and response (EDR) tool purpose-built for monitoring AI agents. It tracks processes, file access, network activity, and behavioral anomalies in real time, built on Electron 33 and Svelte 5. The monitoring engine is JavaScript (ES modules / CommonJS); TypeScript is used in the renderer and shared type definitions. All data stays local — no telemetry, no cloud dependency.

Why do AI agents need monitoring?

Autonomous AI agents like OpenClaw, AutoGPT, and Devin have deep access to local files, credentials, and shell commands — yet run with minimal oversight. Kaspersky's analysis found 512 bugs in OpenClaw alone. Aegis provides the missing observability layer so you can see exactly what agents do on your machine.

How is Aegis different from traditional EDR?

Traditional EDR tools (CrowdStrike, Sentinel One) monitor human-driven threats — malware, ransomware, phishing. Aegis is built specifically for AI agent behavior: it ships with 110 agent profiles, 73 detection rules tuned for agent-specific patterns, and behavioral baselines that track how each agent's activity changes over time.

Does Aegis work with MCP tools?

Yes. Aegis monitors any AI agent process running on your machine, including tools connected via the Model Context Protocol (MCP). If an MCP-connected tool spawns processes, accesses files, or makes network calls, Aegis will detect and score that activity.

Is Aegis a replacement for sandboxing?

No. Aegis is an observability layer, not a restriction layer. Sandboxes limit what agents can do; Aegis shows you what agents are doing. They are complementary — use sandboxing for enforcement and Aegis for visibility, auditing, and anomaly detection.

What agents does Aegis support?

Aegis ships with 110 agent signatures across five categories: coding assistants (Claude Code, Copilot, Cursor), autonomous agents (OpenClaw, AutoGPT, CrewAI, Devin), desktop AI (Gemini, Apple Intelligence), frameworks (LangChain, AutoGen, MetaGPT), and local LLMs (Ollama, LM Studio, llama.cpp). You can add custom agents via the UI or JSON config.

Can I use Aegis in production?

Aegis is currently at v0.10.0-alpha and is recommended for development and testing environments. The core monitoring engine is stable with 707 tests passing, but production deployment features (auto-update, OS-level enforcement) are on the roadmap for v1.0.

Is Aegis free?

Yes. Aegis is released under the MIT license with no telemetry, no cloud requirements, and no paid tiers. The full source code is available on GitHub.