AEGIS
— docs

Scope and safety

How AEGIS keeps you inside the law and inside the engagement.

AEGIS will refuse to touch anything you haven’t authorised it to touch. This is enforced by ScopeGuard — a single chokepoint every request passes through.

scope.yaml

Every engagement is anchored on a scope.yaml:

engagement_id: ACME-2026-001
client: Acme Corp
in_scope:
  - www.acme.com
  - acme.com
  - api.acme.com
  - "*.staging.acme.com"
out_of_scope:
  - blog.acme.com
  - careers.acme.com
rules:
  rate_limit_rps: 5
  max_concurrent_tools: 4
  authorisation: confirmed
  authorisation_signed_at: 2026-03-12
  authorisation_signed_by: jane@acme.com
  expires_at: 2026-04-12
notes: |
  Pre-auth API at api.acme.com/v3 is high priority.
  No DoS, no destructive POST.  Read-only verification only.

What the guard checks

Every tool invocation, every HTTP request, every verification probe goes through:

  1. In-scope? is_in_scope(target) — the target must match an in_scope entry, exactly or by wildcard, and must not match anything in out_of_scope. A miss raises a hard exception.
  2. Rate limit. Token bucket per host, configurable via rate_limit_rps.
  3. Concurrency cap. max_concurrent_tools controls how many subprocesses can be in flight.
  4. Expiry. After expires_at, AEGIS refuses to launch new requests.
  5. Authorisation flag. authorisation: confirmed is required; AEGIS won’t run without it.
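
Checks 1, 4 and 5 sketched in Python, as an added example that is not AEGIS's own code. ScopeError, check_request and the dict layout are hypothetical names; it assumes host-only targets and a scope.yaml already loaded into a dict.

```python
# Added illustration, not AEGIS source. ScopeError, check_request and the
# SCOPE dict layout are hypothetical; only is_in_scope is named on the page.
from datetime import date
from fnmatch import fnmatchcase


class ScopeError(Exception):
    """Raised when a request must not be sent."""


# The page's scope.yaml, written as a dict so no YAML parser is needed.
SCOPE = {
    "in_scope": ["www.acme.com", "acme.com", "api.acme.com", "*.staging.acme.com"],
    "out_of_scope": ["blog.acme.com", "careers.acme.com"],
    "rules": {"authorisation": "confirmed", "expires_at": date(2026, 4, 12)},
}


def _normalise(host):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return host.strip().lower().rstrip(".")


def _matches(host, patterns):
    # fnmatchcase anchors the whole string, so "acme.com" cannot match
    # "evilacme.com" and "*.staging.acme.com" cannot match the bare parent.
    # Note that "*" also spans dots, so any depth of subdomain matches.
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def is_in_scope(host, scope):
    host = _normalise(host)
    if _matches(host, scope["out_of_scope"]):  # deny wins over allow
        return False
    return _matches(host, scope["in_scope"])


def check_request(host, scope, today):
    """Return True if the request may go out, else raise ScopeError."""
    rules = scope["rules"]
    if rules.get("authorisation") != "confirmed":
        raise ScopeError("authorisation is not confirmed")
    # Assumption: the engagement is still valid on expires_at itself.
    if today > rules["expires_at"]:
        raise ScopeError("engagement expired")
    if not is_in_scope(host, scope):
        raise ScopeError(f"{host!r} is not in scope")
    return True
```

Evaluating out_of_scope before in_scope means a wildcard allow entry can never re-admit a host that was explicitly excluded.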

The audit log

Every tool run, every LLM call, every scope decision is written to engagement-dir/aegis.db in the audit_log table. Pull it any time:

aegis audit engagements/2026-acme

This is the record you hand to your client at the end of the engagement.

What AEGIS will not do

  • No destructive POST/PUT/DELETE unless the engagement explicitly allows it.
  • No DoS / volumetric attacks. The rate limiter is a hard ceiling.
  • No data exfiltration beyond what’s needed to verify a finding. Verification probes are designed to confirm vulnerability without pulling secrets.
  • No persistence. AEGIS does not install backdoors, schedule callbacks, or modify target state outside reversible probes.

If you need any of the above, write it into scope.yaml’s rules.allow: block with explicit authorisation, and AEGIS will require a re-confirmation prompt before each such action.

Working with bug bounty programs

For bounty work, set:

in_scope:
  - "*.example.com"
out_of_scope:
  - "*.example.com/admin/*"
rules:
  rate_limit_rps: 2
  bounty_program: https://hackerone.com/example
  bounty_rules: |
    No automated scanners on /api/v1
    No social engineering

The bounty_rules field is injected into the agent prompt verbatim so Claude respects program-specific constraints.