Your agent's context is
your attack surface.
Aegis is the secure memory and context layer for AI agents. Every write is screened for injection, secrets, and tampering before it can persist or reach another agent.
Not theoretically.
pip install aegis-memory Open source · Apache 2.0 · v2.6.0 · OWASP-aligned
Gate the write, and the
topology stops mattering.
Agent A's output is Agent B's instruction. Cooperative blackboard, hierarchical handoff, swarm — every multi-agent shape funnels through the same place: a write to shared memory.
Aegis puts one scope-aware guard on that boundary. Clean writes persist. Poisoned writes are rejected and never stored — so nothing downstream ever reads them.
The membrane lets clean content through and holds the rest.
Agents are getting compromised. Not theoretically.
Every other memory layer trusts content by default. That is the vulnerability — memory becomes the attack vector.
Zero-click exfiltration from Microsoft 365 Copilot
CVE-2025-32711 · one email · the memory layer was the vector
Agent A's output became Agent B's instruction
Peer-reviewed, COLM 2025 · 65% data-exfiltration success against multi-agent systems
One compromised integration cascaded outward
Salesforce · Google Workspace · Slack · S3 · Azure
Memory & context manipulation named a top risk
OWASP Top 10 for Agentic Applications · the standards caught up
Built by engineers who read the OWASP reports and acted on them.
Start at a function call. Grow into a platform.
guard
Wrap any store — CrewAI, LangChain, a dict — in a local write-gate. Screens every write for injection and secrets before it persists. No server, no API key.
from aegis_memory import guard aegis inspect
Scan a codebase for unsafe agent-memory flows (OWASP ASI06). Get a memory map, a risk score, and findings — where untrusted input reaches a consequential write. Local & keyless.
$ aegis inspect . Aegis server
FastAPI + PostgreSQL/pgvector. Ranked retrieval, the Context Hub, multi-agent ACLs, the ACE learning loop, and an immutable audit trail — every write signed, scanned, trust-gated.
client.load_context(agent_id=…) Security leads. Memory is a feature.
The context layer your auditor will let you ship.
Content Security Pipeline
4-stage scan on every write: input validation, sensitive-data detection, prompt-injection signatures, optional LLM classification. 0.00 false-positive rate on the deterministic core.
Integrity Verification
HMAC-SHA256 signed on store, verified on demand. You know if a memory was modified after the fact.
Trust Hierarchy
Untrusted, internal, privileged, system. Agents get compromised — Aegis limits the blast radius. Untrusted content cannot reach global.
Context That Improves Itself
Generation, reflection, curation. Auto-vote on outcomes. Promote what works, flag what does not.
Compliance & Audit
Immutable event log on every read, write, vote, and access decision. EU AI Act (Aug 2026) mandates audit trails.
Multi-Agent Memory
Scoped access — private, shared, global. Cross-agent query with explicit ACLs. Structured handoffs with state bundles.
Four artifacts. One secure surface.
The only open-source context hub. One call loads prompts, memory, skills, and subagents — integrity-verified, trust-gated, token-budgeted.
Prompts
/prompts/* Versioned, one active version per name
Memory
/memories/* Secure, ranked, decayed — what we've always done
Skills
/skills/* Anthropic Agent Skills spec, semantic activation
Subagents
/subagents/* Delegation surface with tool + scope policy
from aegis_memory import AegisClient
client = AegisClient(api_key="...")
bundle = client.load_context(
agent_id="executor",
query="paginate the orders API",
token_budget=8000,
)
# → ranked memories
# → active prompt version
# → matched skills + subagents
# → integrity-verified across all four Other context hubs (LangSmith, MindStudio) are closed-source. Other memory layers (mem0, Zep, Letta) stop at memory. Aegis does both — with security as the foundation.
Beyond storage. Lifecycle.
Memory-depth primitives are table stakes in 2026. What's distinct in Aegis is the audit-preserving, human-reviewable shape of each one — typed edges with explicit resolution, consolidation that soft-deprecates rather than deletes.
Hybrid retrieval
Every query runs dense (pgvector cosine) and sparse (PostgreSQL tsvector) channels, fused with Reciprocal Rank Fusion. Catches the exact-match cases — entity names, error codes, file paths — that pure embeddings blur.
results = client.hybrid_query(
query="ZX7-PAGE-94 cursor pagination",
agent_id="executor",
) Contradiction detection
When two memories make incompatible claims, Aegis surfaces a typed `contradicts` edge with confidence and rationale. Explicit resolution: kept_source, kept_target, both_valid, both_invalid.
client.scan_contradictions(namespace="default")
unresolved = client.list_contradictions()
client.resolve_edge(
edge_id=...,
resolution="kept_source",
) Semantic consolidation
Embedding-similar memories above threshold get merged via heuristic or LLM — with an audit trail. The losing memory stays queryable (is_deprecated=True, consolidated_into). No silent deletes.
plan = client.consolidate_memories(dry_run=True)
# review the plan, then apply
client.consolidate_memories(dry_run=False) Production-grade context, from one import.
Content security, integrity signing, and scoped access control on every write.
from aegis_memory import AegisClient
client = AegisClient(api_key="your-key")
# Load prompts + memory + skills + subagents
# Integrity-verified, trust-gated, token-budgeted.
bundle = client.load_context(
agent_id="executor",
query="paginate the orders API",
token_budget=8000,
)
system_prompt = bundle.prompt.body
relevant = bundle.memories
skills = bundle.skills
delegates = bundle.subagents What your context layer is missing.
We audited the docs, repos, and changelogs of every major memory tool. These protections do not exist anywhere else.
| Capability | Aegis | mem0 | Zep | Letta |
|---|---|---|---|---|
| Content injection detection | 4-stage pipeline | — | — | — |
| Memory integrity | HMAC-SHA256 | — | — | — |
| Agent identity binding | Cryptographic API key | — | — | — |
| Trust hierarchy | 4-tier OWASP | — | — | — |
| Per-agent rate limiting | Sliding window | — | — | — |
| Security audit trail | Immutable event log | — | — | — |
| Sensitive-data protection | Auto-detect | — | — | — |
| Unified context hub (prompts + skills + subagents) | ✓ | — | — | — |
| Hybrid retrieval (dense + sparse + RRF) | ✓ | ✓ | ✓ | ✓ |
| Contradiction detection | Typed edge + workflow | Graph variant | Temporal | — |
| Self-host posture | First-class | Available | Available | Available |
Comparison reflects public docs / repos as of 2026-05. Memory-depth primitives are now table stakes; the difference is in how, not whether — and in the security layer underneath.
Star the repo“Aegis solved the multi-agent coordination problem we'd been struggling with for months.”
Open source. Self-hosted. Built to be audited.
Apache 2.0. Deploy anywhere. Every line of the security pipeline is in the repo.
pip install aegis-memory Apache 2.0 · v2.6.0 · Self-host first