Package Exports
- @raknor/aegis
- @raknor/aegis/src/cli-governance.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@raknor/aegis) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
AEGIS — Autonomous Equilateral Governed Intelligence System
A governed Cyber Reasoning System that discovers vulnerabilities across 7 languages, proves exploitability, synthesizes patches (including LLM-assisted), and deploys fixes — all under consequence-tier governance with cryptographic provenance.
Pareidolia LLC (d/b/a Equilateral AI)

What It Does
Every step produces a hash-chained provenance entry. T3+ actions require human approval. The pipeline halts — not fails — when governance intervenes.
Supported Languages
| Language | Extensions | CWE Coverage |
|---|---|---|
| C/C++ | .c, .cpp, .h, .hpp, .cc | 120, 121, 122, 134, 190, 476, 416, 415, 78, 89 |
| Python | .py | 78, 89, 94, 502, 22, 79 |
| Java | .java | 78, 89, 502, 22, 79, 611, 90 |
| JavaScript | .js, .mjs, .cjs | 78, 94, 89, 79, 22, 502, 918, 327, 1321 |
| TypeScript | .ts, .mts, .tsx, .jsx | same as JS + type-aware |
| Go | .go | 78, 89, 22, 295, 327, 676 |
Plus: CWE-798 (hardcoded secrets), CWE-1035 (dependency vulnerabilities)
Quick Start

```bash
# Install
npm install

# Initialize config
npx aegis init

# Scan a project (Phase 1: Recon → Furies → Triage)
npx aegis run ./your-project --phase1 --no-db

# Full scan with reports
npx aegis run ./your-project --no-db --sarif --html --scan-deps --scan-secrets

# CI/CD mode (exit 1 on critical findings)
npx aegis run . --phase1 --no-db --fail-on=critical --json

# Watch mode (re-scan on file changes)
npx aegis watch ./your-project

# Start API server with dashboard
npx aegis serve --port=3000
```

Docker

```bash
docker build -t aegis .
docker run -v $(pwd):/target aegis run /target --phase1 --sarif
docker run -p 3000:3000 aegis serve --port=3000
```

CLI Reference
Commands
| Command | Description |
|---|---|
| `run <target>` | Run CRS pipeline against a target directory |
| `watch <target>` | Watch for changes and re-scan automatically |
| `serve` | Start REST API server with dashboard |
| `init` | Create .aegisrc.json and .aegis-suppress.json |
| `status` | Show system status and database stats |
| `verify <run-id>` | Verify provenance chain integrity |
| `help` | Show help message |
Options

```text
Pipeline:
  --phase1                Recon → Furies → Triage only
  --no-db                 Run without database (in-memory)
  --no-tree-sitter        Use regex fallback instead of AST

Reports:
  --sarif                 SARIF 2.1.0 report
  --html                  HTML vulnerability report
  --json                  Machine-readable JSON to stdout
  --git-patches=DIR       Git-format .patch files
  --fuzz-harnesses=DIR    LibFuzzer harness files

Scanning:
  --scan-deps             npm audit / pip audit
  --scan-secrets          Detect hardcoded secrets

CI/CD:
  --fail-on=SEVERITY      Exit 1 on critical|high|medium|low
  --max-findings=N        Exit 1 if count exceeds N
  --github-pr=NUMBER      Post PR review comments
  --github-check          Create GitHub check run

Baselines:
  --save-baseline=PATH    Save findings as baseline
  --baseline=PATH         Compare against baseline

Filtering:
  --suppress-file=PATH    Load suppression rules
  --since=REF             Incremental scan (git diff)
```

GitHub Actions
```yaml
# .github/workflows/aegis.yml
name: AEGIS Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: JamesFord-HappyHippo/AEGIS@main
        with:
          target: '.'
          fail-on: 'critical'
          scan-deps: 'true'
          scan-secrets: 'true'
```

Configuration
.aegisrc.json

```json
{
  "phase1": true,
  "sarif": true,
  "html": true,
  "failOn": "critical",
  "suppressFile": ".aegis-suppress.json"
}
```

.aegis-suppress.json

```json
{
  "suppressions": [
    { "crashHash": "abc123", "reason": "False positive" },
    { "cweId": "CWE-78", "filePath": "scripts/", "reason": "Intentional" },
    { "filePath": "test/", "reason": "Test code" }
  ]
}
```

Architecture
9 Pipeline Agents
| Agent | Codename | Tier | Role |
|---|---|---|---|
| Recon | Athena's Owl | T1 | AST parsing, call graph, attack surface mapping |
| Alecto | The Relentless | T2 | Memory safety (buffer overflow, UAF, double-free) |
| Megaera | The Grudging | T2 | Taint flow (source→sink, inter-procedural via call graph) |
| Tisiphone | The Avenger | T2 | Logic bugs (null deref, integer overflow, UAF) |
| Triage | The Oracle | T1 | Dedup, CVSS v3.1 scoring, severity classification |
| Exploit Proof | Prometheus | T3 | PoC generation + sandbox validation (ASan) |
| Synthesis | Hephaestus | T3 | Patch generation (template + Claude API LLM) |
| Verification | Themis | T2 | Sandbox compilation + heuristic verification |
| Deployment | Hermes | T4 | Patch application, unified diffs, rollback plans |
Governance
- ConsequenceTierGate — T1 auto-pass, T2 logged, T3-T4 hold for approval
- IntentCapsuleManager — HMAC-signed mandates with drift detection
- EarnedAuthorityEngine — Agents earn autonomy through track record
- ProvenanceStore — SHA-256 hash-chained, append-only, SLSA-compatible
Additional Scanners
- DependencyScanner — npm audit integration, CWE-1035
- SecretDetector — 16 patterns (AWS, GitHub, Slack, JWT, private keys, API keys)
Reports & Integrations
- SARIF 2.1.0 — GitHub code scanning compatible
- HTML — Self-contained dark-theme report with CVSS scores
- JSON — Machine-readable CI/CD summary
- REST API — POST /api/scan, GET /api/findings, dashboard at /
- GitHub — PR comments, check runs, SARIF upload
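The CI/CD summary and check-run integrations above rest on a gate decision: which findings survive the suppression rules from the Configuration section, and whether what survives trips `--fail-on` or `--max-findings`. The following Node.js snippet is an added example, not code from the AEGIS package, of how that decision could be computed. It assumes that every field a rule names must match, that `crashHash` and `cweId` match exactly, that `filePath` matches as a path prefix, and that findings carry `crashHash`, `cweId`, `filePath` and `severity` fields; the rules and findings are constructed.

```javascript
// Added example, not code from the AEGIS package: applying .aegis-suppress.json
// style rules and the --fail-on / --max-findings gates to a findings list.
// Assumed semantics: every field a rule names must match; crashHash and cweId
// match exactly; filePath matches as a path prefix. Finding field names are assumed.

const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Constructed rules in the README's .aegis-suppress.json shape.
const suppressions = [
  { crashHash: 'abc123', reason: 'False positive' },
  { cweId: 'CWE-78', filePath: 'scripts/', reason: 'Intentional' },
  { filePath: 'test/', reason: 'Test code' },
];

// Constructed findings (not real scan output).
const findings = [
  { crashHash: 'abc123', cweId: 'CWE-120', filePath: 'src/parse.c', severity: 'critical' },
  { crashHash: 'def456', cweId: 'CWE-78', filePath: 'scripts/build.js', severity: 'high' },
  { crashHash: '789aaa', cweId: 'CWE-78', filePath: 'src/exec.js', severity: 'high' },
  { crashHash: 'bbb000', cweId: 'CWE-89', filePath: 'test/fixtures/sql.py', severity: 'critical' },
  { crashHash: 'ccc111', cweId: 'CWE-79', filePath: 'src/render.js', severity: 'medium' },
];

// A rule matches when every field it specifies matches the finding.
function ruleMatches(rule, finding) {
  if (rule.crashHash !== undefined && rule.crashHash !== finding.crashHash) return false;
  if (rule.cweId !== undefined && rule.cweId !== finding.cweId) return false;
  if (rule.filePath !== undefined && !finding.filePath.startsWith(rule.filePath)) return false;
  return true;
}

// Split findings into kept and suppressed; each suppressed finding records the rule's reason
// so a report can still show what was silenced and why.
function applySuppressions(allFindings, rules) {
  const kept = [];
  const suppressed = [];
  for (const finding of allFindings) {
    const rule = rules.find((r) => ruleMatches(r, finding));
    if (rule) suppressed.push({ ...finding, suppressedBy: rule.reason });
    else kept.push(finding);
  }
  return { kept, suppressed };
}

// CI gate: exit code 1 if any kept finding is at or above the --fail-on severity,
// or if the kept count exceeds --max-findings (when given); otherwise 0.
function ciExitCode(kept, { failOn, maxFindings } = {}) {
  const threshold = failOn in SEVERITY_RANK ? SEVERITY_RANK[failOn] : Infinity;
  const tooSevere = kept.some((f) => (SEVERITY_RANK[f.severity] || 0) >= threshold);
  const tooMany = maxFindings !== undefined && kept.length > maxFindings;
  return tooSevere || tooMany ? 1 : 0;
}

const result = applySuppressions(findings, suppressions);
console.log(`kept ${result.kept.length}, suppressed ${result.suppressed.length}`);
for (const s of result.suppressed) console.log(`  suppressed ${s.filePath} (${s.cweId}): ${s.suppressedBy}`);
console.log('exit code with --fail-on=critical:', ciExitCode(result.kept, { failOn: 'critical' }));
console.log('exit code with --fail-on=high:', ciExitCode(result.kept, { failOn: 'high' }));
```

Note the difference between the two gates on the same constructed input: the only unsuppressed `critical` finding sits under `test/` and is silenced by the path rule, so `--fail-on=critical` passes while `--fail-on=high` fails on the remaining `CWE-78` finding in `src/exec.js`. Keeping the suppressed list alongside the kept list matters for exactly this reason: a reviewer can see that a critical finding was suppressed rather than absent.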
Testing

```bash
# Run all 292 tests
npm test

# Self-scan AEGIS
npm run self-scan
```

npm Scripts
| Script | Description |
|---|---|
| `npm run scan` | Quick Phase 1 scan of current directory |
| `npm run scan:ci` | CI-optimized scan with SARIF + JSON + gates |
| `npm run serve` | Start API server |
| `npm run watch` | Watch mode |
| `npm run self-scan` | Scan AEGIS's own code |
| `npm test` | Run test suite |
License
UNLICENSED — Proprietary. Pareidolia LLC (d/b/a Equilateral AI).