Aegize is an open-source runtime layer that sits between an AI agent and the tools it calls.
As AI agents move from answering questions to taking actions, they end up connected to shells, email, databases, cloud infrastructure, payment APIs, and other real systems. I found myself asking the same question over and over: where should the trust boundary actually live?
My conclusion was that it shouldn't live in a prompt. It should live in deterministic infrastructure.
That's what Aegize is trying to provide.
Today (v0.2, Python), it provides:
* Wrap any function with GuardedTool(...) or the @guarded_tool decorator.
* Per-agent YAML policies with allow / deny / require_approval.
* Default-deny evaluation (deny wins; unknown agents and tools are denied).
* Approval-gated and denied actions never execute.
* Audit-first execution with append-only JSONL logs.
* Signature-preserving wrappers that integrate cleanly with tool registries (including MCP).
* MIT licensed, typed, tested, with a single runtime dependency (PyYAML).
Install:
pip install aegize
What it isn't:
* Not a model.
* Not a prompt guardrail.
* Not an agent framework.
It governs the action rather than the model, so it's vendor-neutral.
It's still early. Enforcement and audit are working today, but there are plenty of things I want to build next: tamper-evident audit logs, richer approval workflows, pluggable policy backends, better observability, and additional integrations.
The feedback I'm most interested in is architectural.
If you're building agent systems today, where do you think the trust boundary should live?
Does this feel like the right abstraction, or would you approach it differently?
As AI agents move from answering questions to taking actions, they end up connected to shells, email, databases, cloud infrastructure, payment APIs, and other real systems. I found myself asking the same question over and over: where should the trust boundary actually live?
My conclusion was that it shouldn't live in a prompt. It should live in deterministic infrastructure.
That's what Aegize is trying to provide.
Today (v0.2, Python), it provides:
* Wrap any function with GuardedTool(...) or the @guarded_tool decorator. * Per-agent YAML policies with allow / deny / require_approval. * Default-deny evaluation (deny wins; unknown agents and tools are denied). * Approval-gated and denied actions never execute. * Audit-first execution with append-only JSONL logs. * Signature-preserving wrappers that integrate cleanly with tool registries (including MCP). * MIT licensed, typed, tested, with a single runtime dependency (PyYAML).
Install:
pip install aegize
What it isn't:
* Not a model. * Not a prompt guardrail. * Not an agent framework.
It governs the action rather than the model, so it's vendor-neutral.
It's still early. Enforcement and audit are working today, but there are plenty of things I want to build next: tamper-evident audit logs, richer approval workflows, pluggable policy backends, better observability, and additional integrations.
The feedback I'm most interested in is architectural.
If you're building agent systems today, where do you think the trust boundary should live?
Does this feel like the right abstraction, or would you approach it differently?
Website + interactive playground: https://aegize.com
GitHub: https://github.com/gggaswint/aegize