Secure context engineering
for AI agents
Your agent's context is your attack surface. Act accordingly.
Content security. Integrity verification. Trust hierarchy. Context that improves itself.
pip install aegis-memory

```python
from aegis_memory import AegisClient

client = AegisClient(api_key="...")

# Prompts + memory + skills + subagents
# integrity-verified, trust-gated, token-budgeted
bundle = client.load_context(
    agent_id="executor",
    query="paginate the orders API",
    token_budget=8000,
)
```

Agents are getting compromised. Not theoretically.
Every other context layer trusts content by default. That is the vulnerability. Memory becomes the attack vector.
EchoLeak (CVE-2025-32711)
One email triggered zero-click data exfiltration from Microsoft 365 Copilot. The memory layer was the vector.
CrewAI + GPT-4o
Peer-reviewed study (COLM 2025) achieved 65% data exfiltration success against multi-agent systems. Agent A's output is Agent B's instruction.
Drift chatbot cascade
One compromised chatbot integration cascaded into 700+ organizations via Salesforce, Google Workspace, Slack, S3, and Azure.
OWASP Top 10 for Agents
Memory and context manipulation named a top risk category. The standards caught up with the threat.
Built by engineers who read the OWASP reports and acted on them.
Security leads. Memory is a feature.
Six capabilities, none optional. The context layer your auditor will let you ship.
Content Security Pipeline
4-stage scan on every write: input validation, sensitive data detection, prompt injection signatures, optional LLM classification.
Integrity Verification
HMAC-SHA256 signed on store, verified on demand. You know if a memory was modified after the fact.
Trust Hierarchy
OWASP 4-tier model: untrusted, internal, privileged, system. Agents get compromised. Aegis limits the blast radius.
Context That Improves Itself
Full ACE loop: generation, reflection, curation. Auto-vote on outcomes. Promote what works. Flag what doesn't.
Compliance & Audit
Immutable event log on every read, write, vote, and access decision. EU AI Act (Aug 2026) — audit trails mandated.
Multi-Agent Memory
Scoped access (private / shared / global). Cross-agent query with explicit ACLs. Structured handoffs with state bundles.
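The integrity capability above is the one a reviewer can check mechanically, so here is an added example of the sign-on-store, verify-on-read pattern. It is not Aegis code (the Aegis implementation is not shown on this page); the function names, the record layout, the `MEMORY_SIGNING_KEY` environment variable and the fallback key are assumptions, and the record contents are constructed.

```python
# Added example (not Aegis code): HMAC-SHA256 sign-on-store, verify-on-read
# for a memory record. Function names, record layout and the key source are
# assumptions; the Aegis implementation is not shown on the page.
import hashlib
import hmac
import json
import os

# Hypothetical key. Load it from a secrets manager in practice; the fallback
# value exists only so the example runs offline.
SIGNING_KEY = os.environ.get("MEMORY_SIGNING_KEY", "example-key-not-for-use").encode()


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialization of the signed fields.

    Key order and whitespace must not change the signature, otherwise a
    round-trip through a different JSON encoder looks like tampering.
    """
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def sign_record(record: dict, key: bytes = SIGNING_KEY) -> str:
    """HMAC over the canonical form of every field in the record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Recompute and compare in constant time (no early exit on mismatch)."""
    return hmac.compare_digest(sign_record(record, key), signature)


def store(record: dict, key: bytes = SIGNING_KEY) -> dict:
    """Write path: attach the signature beside the record, never inside it."""
    return {"record": record, "sig": sign_record(record, key)}


def load_verified(stored: dict, key: bytes = SIGNING_KEY) -> dict:
    """Read path: refuse to hand back content whose signature no longer matches."""
    if not verify_record(stored["record"], stored["sig"], key):
        raise ValueError("integrity check failed: memory changed after signing")
    return stored["record"]


def tamper_detected() -> bool:
    """Walk-through on a constructed record: sign it, then alter one field
    directly in storage (bypassing the write path) and re-verify."""
    memory = {
        "id": "mem-42",  # constructed id
        "agent_id": "executor",
        "trust_tier": "internal",
        "content": "Orders API: use cursor pagination with page_size <= 100.",
    }
    stored = store(memory)
    intact_before = verify_record(stored["record"], stored["sig"])
    stored["record"]["trust_tier"] = "system"  # simulated post-write edit
    intact_after = verify_record(stored["record"], stored["sig"])
    return intact_before and not intact_after


if __name__ == "__main__":
    print("tampering detected:", tamper_detected())
```

Two design points carry over to any real deployment: the signed fields include the trust tier, so raising a memory's tier in the database without the key is detectable on the next read, and the signature lives beside the record rather than in it, so the canonical form never has to special-case its own field.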
Four artifacts. One secure surface.
Aegis is the only open-source context hub. One API call loads prompts, memory, skills, and subagents — integrity-verified, trust-gated, token-budgeted.
Prompts
/prompts/* Versioned, with one active version per name
Memory
/memories/* Secure, ranked, decayed — what we've always done
Skills
/skills/* Anthropic Agent Skills spec, semantic activation
Subagents
/subagents/* Delegation surface with tool + scope policy
```python
from aegis_memory import AegisClient

client = AegisClient(api_key="...")
bundle = client.load_context(
    agent_id="executor",
    query="paginate the orders API",
    token_budget=8000,
)
# → ranked memories
# → active prompt version
# → matched skills
# → available subagents
# → integrity-verified across all four
```

Other context hubs (LangSmith, MindStudio) are closed-source. Other memory layers (mem0, Zep, Letta) stop at memory. Aegis does both — with security as the foundation.
Beyond storage. Lifecycle.
Memory-depth primitives are table stakes in 2026. What's distinct in Aegis is the audit-preserving, human-reviewable shape of each one — typed edges with explicit resolution states, consolidation that soft-deprecates rather than deletes.
Hybrid retrieval
Every query runs dense (pgvector cosine) and sparse (PostgreSQL tsvector) channels, fused with Reciprocal Rank Fusion. Catches the exact-match cases — entity names, error codes, file paths — that pure embeddings blur.
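As an added example (not the Aegis implementation; the internals of `hybrid_query` are not on this page), the fusion step on constructed data: a hard-coded dense ranking standing in for pgvector results, a toy lexical ranker standing in for a tsvector match, and Reciprocal Rank Fusion combining the two. The memory ids and texts, `DENSE_RANKING`, `sparse_rank`, `rrf_fuse` and the local `hybrid_query` are all assumptions; the query string is the one from the page's own snippet.

```python
# Added example (not Aegis code): the Reciprocal Rank Fusion step of a
# dense + sparse retrieval pipeline. Memory ids and texts are constructed;
# the dense ranking is hard-coded because no embedding model runs offline,
# and the lexical channel is a toy stand-in for a tsvector match.
import re
from collections import defaultdict

# Constructed memory store (hypothetical ids).
MEMORIES = {
    "mem-orders-api": "The orders API uses cursor pagination with a next_cursor field.",
    "mem-pagination-general": "General notes on paginating REST APIs with limit and offset.",
    "mem-cursor-tips": "Tips for cursor-based pagination: never trust client-supplied cursors.",
    "mem-zx7-error": "Error ZX7-PAGE-94: cursor expired, restart pagination from the last page token.",
}

# Constructed output of the dense channel for the query used below: embedding
# similarity favours the general pagination note and never returns the
# error-code memory. That blur is what the sparse channel is there to fix.
DENSE_RANKING = ["mem-pagination-general", "mem-orders-api"]

TOKEN = re.compile(r"[a-z0-9-]+")


def sparse_rank(query: str, memories: dict) -> list:
    """Lexical channel: rank by the number of exact query tokens present in
    the text. Hyphenated codes such as ZX7-PAGE-94 stay one token, so they
    match exactly or not at all."""
    wanted = set(TOKEN.findall(query.lower()))
    scored = []
    for mid, text in memories.items():
        hits = len(wanted & set(TOKEN.findall(text.lower())))
        if hits:
            scored.append((mid, hits))
    scored.sort(key=lambda t: (-t[1], t[0]))  # most hits first, id breaks ties
    return [mid for mid, _ in scored]


def rrf_fuse(rankings: list, k: int = 60) -> list:
    """Reciprocal Rank Fusion: score(d) = sum over channels of 1 / (k + rank(d)),
    with rank counted from 1. k=60 is the constant from the original RRF paper;
    a larger k flattens the advantage of a top rank in any single channel."""
    scores = defaultdict(float)
    for ranking in rankings:
        for rank, doc_id in enumerate(ranking, start=1):
            scores[doc_id] += 1.0 / (k + rank)
    return sorted(scores.items(), key=lambda t: (-t[1], t[0]))


def hybrid_query(query: str, k: int = 60) -> list:
    """Fuse the constructed dense ranking with the lexical ranking for `query`."""
    return rrf_fuse([DENSE_RANKING, sparse_rank(query, MEMORIES)], k=k)


if __name__ == "__main__":
    for doc_id, score in hybrid_query("ZX7-PAGE-94 cursor pagination"):
        print(f"{score:.5f}  {doc_id}")
```

Running it shows the mechanism in the paragraph: `mem-zx7-error` is absent from the dense list but tops the lexical one, and after fusion it sits in the top three, while the memory both channels agree on (`mem-orders-api`) ranks first because it collects a score from each.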
```python
results = client.hybrid_query(
    query="ZX7-PAGE-94 cursor pagination",
    agent_id="executor",
)
```

Contradiction detection
When two memories make incompatible claims, Aegis surfaces it as a typed `contradicts` edge with confidence and rationale. Explicit resolution: kept_source, kept_target, both_valid, both_invalid.
```python
client.scan_contradictions(namespace="default")
unresolved = client.list_contradictions()
client.resolve_edge(
    edge_id=...,
    resolution="kept_source",
)
```

Semantic consolidation
Embedding-similar memories above threshold get merged via heuristic or LLM — with audit trail. Losing memory stays queryable (is_deprecated=True, consolidated_into). No silent deletes.
```python
plan = client.consolidate_memories(dry_run=True)
# review plan, then apply
client.consolidate_memories(dry_run=False)
```

Ten lines. Production-grade context.
docker compose up -d and you're running — with content security, integrity signing, and scoped access control on every write.
```python
from aegis_memory import AegisClient

client = AegisClient(api_key="your-key")

# Load prompts + memory + skills + subagents
# Integrity-verified, trust-gated, token-budgeted.
bundle = client.load_context(
    agent_id="executor",
    query="paginate the orders API",
    token_budget=8000,
)

# Use the bundle directly with your model.
system_prompt = bundle.prompt.body
relevant = bundle.memories
skills = bundle.skills
delegates = bundle.subagents
```

What your context layer is missing
We audited the docs, repos, and changelogs of every major memory tool. These protections do not exist anywhere else.
| Capability | Aegis | mem0 | Zep | Letta |
|---|---|---|---|---|
| Content injection detection | 4-stage pipeline | — | — | — |
| Memory integrity | HMAC-SHA256 | — | — | — |
| Agent identity binding | Cryptographic API key | — | — | — |
| Trust hierarchy | 4-tier OWASP | — | — | — |
| Per-agent rate limiting | Sliding window | — | — | — |
| Security audit trail | Immutable event log | — | — | — |
| Sensitive data protection | Auto-detect | — | — | — |
| Unified context hub (prompts + skills + subagents) | ✓ | — | — | — |
| Hybrid retrieval (dense + sparse + RRF) | ✓ | ✓ | ✓ | ✓ |
| Contradiction detection | Typed edge + workflow | Graph variant | Temporal | — |
| Self-host posture | First-class | Available | Available | Available |
Comparison reflects public docs / repos as of 2026-05. Memory-depth primitives are now table stakes; differences are in how, not whether.
Open source. Self-hosted. Built to be audited.
Apache 2.0. Deploy anywhere. Every line of the security pipeline is in the repo. Read it before you trust it.
pip install aegis-memory

Apache 2.0 License · v2.4.x · Self-host first