DEPLOYED ARCHITECTURE

Architecture

AegisAI separates stochastic proposal generation from deterministic execution control. Models can propose. Only the Kernel can adjudicate and release actions.

DEPLOYED LOGICAL FLOW

Every action proposal travels this path — no shortcuts.

Upstream model / LLM
Stochastic — same input may produce different output
↓ raw text output
LLM Adapter
Normalization → typed ProposalSpec (schema-validated)
↓ ProposalSpec
AegisAI Kernel
PolicyEngine adjudication
deterministic · auditable · stateful
↓ decision outcome
ALLOWWARNREQUIRE_CONFIRMBLOCK
↓ always — regardless of outcome
DecisionTrace
session_id · custody_hash (SHA-256) · audit_log · timestamp
↓ if AEGIS_SIGNING_KEY configured
DecisionTraceAttestation
Class A · Ed25519 signed · externally verifiable
IF ALLOW
Action dispatched downstream
IF BLOCK
Hard stop — no dispatch

Model output is never executed directly. All actions pass through Kernel adjudication.

LOGICAL LAYERS

01

Upstream Model / LLM

Any LLM or upstream text source. Its output is probabilistic — the same input may produce different outputs. The model has no execution authority. It is an unprivileged proposal source.

02

LLM Adapter (Normalization)

Receives raw model output. Normalizes it into a schema-validated ProposalSpec. The adapter is the trust boundary: after this point, the Kernel sees only typed, structured input — never raw text.

03

Kernel + PolicyEngine

The sole authority for adjudication. Evaluates each ProposalSpec against the loaded policy bundle. Produces a deterministic outcome: ALLOW, WARN, REQUIRE_CONFIRM, or BLOCK. Identical inputs always produce identical outcomes.

04

DecisionTrace + Attestation

The evidence surface. Every adjudication produces a DecisionTrace (Class B chain, SHA-256 custody_hash). When configured, an Ed25519-signed Attestation (Class A) is produced for external governance proof.

EVIDENCE ARTIFACT CHAIN

Two distinct evidence surfaces exist downstream of the Kernel. They prove different things.

PATH CORRECTNESS

E2E Trace Artifact

A single, redacted end-to-end decision trace. Proves the full path — LLM output → adapter → ProposalSpec → Kernel → DecisionTrace → Attestation — exists and is correctly wired.

artifacts/evidence/e2e_real_llm_trace.json
SCENARIO CONSISTENCY

Benchmark Run Artifact

Aggregate result over 7 canonical governance scenarios. Proves the Kernel's adjudication is consistent under a defined scenario set. Contains the evidence triple: run_id + git_commit + fixture_dir_hash.

artifacts/benchmark/benchmark_run_{id}.json
CORE-BACKED LIVE · GEMINI

Adapter-Mode Pinned Runs

Real core-backed adapter-mode traces across E1 (mock Dreamer) and E2 (Gemini). Real custody_hash, real input_event_hash, Ed25519 Class A attestation. Phase E2: Gemini generates ProposalSpec. Kernel decides.

GET /api/adapter-runs — E1 + E2 phases

DEMO DEPLOYMENT (PHASE E2 LIVE)

The demo surface runs on two real deployed services. The Gemini adapter lane is live and verified.

REPLAY LANE
Cloudflare Worker

aegisai-backend.heizungsrechner.workers.dev — bounded scenario registry, 7 adversarial cases, artifact_class: demo-replay

GEMINI ADAPTER LANE
Cloudflare Worker → Python Backend (Render)

Worker proxies to aegisai-kernel.onrender.com — GeminiLLMAdapter → real aegisai.core.Kernel, PolicyEngine.from_directory(), Ed25519 Class A attestation, artifact_class: core-backed, source: gemini

ARCHITECTURAL INVARIANTS

HIGH-severity policy violations always result in BLOCK — this is a hard invariant, not a default
LLM output is parsed into a typed schema before it reaches the Kernel. It is never executed directly.
A DecisionTrace is always produced — not conditional on decision outcome or configuration
Identical ProposalSpec + identical policy bundle → identical decision outcome (deterministic)
Class B chain (HMAC + SHA-256) never cross-contaminates the external trust plane (Class A)
The Adapter layer is the only point where unstructured model output is accepted. The Kernel never consumes raw text.
Security Model →See Evidence Artifacts →Verification Posture →