Architecture Overview
Separation of cognition (model) and control (kernel).
Control Flow Architecture
User / LLM
↓ (suggests intent)
AegisAI Kernel + Policy Engine ← deterministic, auditable, sovereign
↓ (decides outcome)
ALLOW | WARN | CONFIRM | BLOCK
↓ (if allowed)
Tool / Action Execution
↓ (always)
🔒 Audit Trace (SHA-256)
LLM cannot execute actions. Only the Kernel can.
🔐
LLM as Transducer
The model maps natural language to typed intent — nothing more. It produces structured requests but has no capability to execute them.
👑
Kernel Sovereignty
The Kernel is the sole authority for decisions and action gating. It runs deterministic policy evaluation on every request.
📊
Graduated Outcomes
Four possible outcomes: ALLOW (proceed), WARN (proceed + log), REQUIRE_CONFIRM (wait for human), BLOCK (deny).
🔗
Cryptographic Evidence
Every decision generates a SHA-256 hash linked to the previous record. Tamper-evident, forensic replay possible.
Tool Governance ABI v1
ActionRequest
{
  "tool_id": "send_payment",
  "parameters": {...},
  "correlation_id": "ulid",
  "timestamp_utc": "ISO8601"
}
ActionResult
{
  "status": "BLOCKED",
  "reason_code": "FINANCIAL_TX_LIMIT",
  "audit_hash": "sha256:...",
  "correlation_id": "ulid"
}
Architectural Invariants
- HIGH severity policy violations always result in BLOCK
- Every tool call requires explicit policy authorization
- Decision traces are append-only and hash-chained
- Identical inputs produce identical policy outcomes
- LLM output is parsed, never executed directly
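A minimal sketch of the gate and the invariants above, as an added example that is not AegisAI's own code: a default-deny policy check over an ActionRequest, an append-only hash-chained trace, and a verifier that locates the first altered record. The policy table, the 1000 limit, the genesis value, the record layout, and the ALLOWED/OK, TOOL_NOT_AUTHORIZED and INVALID_PARAMETERS codes are assumptions.

```python
import hashlib
import json

GENESIS = "sha256:" + "0" * 64  # assumed anchor for the first record
# Assumed policy table: tools not listed here are never authorized.
POLICY = {"send_payment": {"max_amount": 1000}, "read_calendar": {}}


def evaluate(request):
    """Pure function of the request, so identical inputs give identical outcomes."""
    rule = POLICY.get(request["tool_id"])
    if rule is None:
        return "BLOCKED", "TOOL_NOT_AUTHORIZED"  # default deny
    limit = rule.get("max_amount")
    if limit is not None:
        amount = request["parameters"].get("amount")
        if not isinstance(amount, (int, float)):
            return "BLOCKED", "INVALID_PARAMETERS"  # fail closed on bad input
        if amount > limit:
            return "BLOCKED", "FINANCIAL_TX_LIMIT"
    return "ALLOWED", "OK"


def record_hash(prev, request, status, reason):
    # Canonical JSON (sorted keys, fixed separators) keeps the digest reproducible.
    body = json.dumps({"prev": prev, "request": request, "status": status,
                       "reason_code": reason}, sort_keys=True, separators=(",", ":"))
    return "sha256:" + hashlib.sha256(body.encode()).hexdigest()


def decide(trace, request):
    """Evaluate the request, append a chained record, return an ActionResult."""
    status, reason = evaluate(request)
    prev = trace[-1]["audit_hash"] if trace else GENESIS
    audit_hash = record_hash(prev, request, status, reason)
    trace.append({"prev": prev, "request": request, "status": status,
                  "reason_code": reason, "audit_hash": audit_hash})
    return {"status": status, "reason_code": reason, "audit_hash": audit_hash,
            "correlation_id": request["correlation_id"]}


def verify(trace):
    """Return the index of the first record that breaks the chain, or -1."""
    prev = GENESIS
    for i, rec in enumerate(trace):
        expected = record_hash(prev, rec["request"], rec["status"], rec["reason_code"])
        if rec["prev"] != prev or rec["audit_hash"] != expected:
            return i
        prev = rec["audit_hash"]
    return -1
```

A chain like this only detects edits relative to its latest hash; an attacker who can rewrite the whole trace can recompute every link, so the head hash needs to be stored or signed somewhere the writer cannot reach.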