Skip to main content

Security

Why Memory Security Matters

In multi-agent systems, agents trust each other by default. When your researcher agent passes output to your writer agent, the writer treats that as a legitimate instruction. If you compromise one agent, you get every downstream agent automatically. The 2025 incident landscape proved this at scale:
  • EchoLeak (CVE-2025-32711, CVSS 9.3): A single crafted email triggered automatic data exfiltration from Microsoft 365 Copilot
  • CrewAI + GPT-4o: 65% exfiltration success rate in tested scenarios
  • Drift chatbot cascade: One compromised agent integration cascaded into 700+ organizations
Memory is the attack surface. Aegis implements OWASP AI Agent Security Cheat Sheet Section 3 natively.

Content Security Pipeline

Every memory write passes through a four-stage content security pipeline before persistence.

Stage 1: Input Validation

  • Content length: Max 50,000 characters (configurable via CONTENT_MAX_LENGTH)
  • Metadata depth: Max 5 levels of nesting (configurable via METADATA_MAX_DEPTH)
  • Metadata keys: Max 50 total keys (configurable via METADATA_MAX_KEYS)
  • Encoding: Null bytes and control characters rejected (except \n, \t, \r)

Stage 2: Sensitive Data Detection

Detects PII and secrets using compiled regex patterns:
  • SSN patterns (\b\d{3}-\d{2}-\d{4}\b)
  • Credit card numbers (Luhn-validated 13-19 digit sequences)
  • API keys: AWS (AKIA...), OpenAI (sk-...), GitHub (ghp_..., gho_...)
  • Email addresses
  • Password assignments (password=, secret:, etc.)

Stage 3: Prompt Injection Detection

Detects common injection patterns:
  • System prompt overrides: “ignore previous instructions”, “you are now”, “new instructions”
  • Role manipulation: “pretend you are”, “act as”, “you must now”
  • Data exfiltration triggers: “send data to”, “exfiltrate”, “forward to” with URLs

Stage 4: LLM-Based Injection Classification (Optional)

When enabled, an LLM classifier runs as an async second opinion after regex detection. Stage 4 only fires when the risk warrants the latency/cost:
  • Untrusted or unknown trust level
  • Agent-shared or global scope
  • Content that was regex-flagged but not rejected (Stage 3 flagged it)
The classifier asks a focused binary question: “Does this text contain instructions that attempt to manipulate an AI system’s behavior?” and returns a confidence score. Escalation logic:
  • Confidence >= 0.8: escalate to REJECT
  • Confidence >= threshold (default 0.7) but < 0.8: add llm_injection_flagged flag, keep existing action
  • LLM error (timeout, API failure): fall back to regex-only verdict (graceful degradation)
Configuration:

Content Policy Configuration

Each detection category has a configurable action:
  • reject: HTTP 422 returned, memory NOT stored, SECURITY_REJECTED event emitted
  • redact: Matched patterns replaced with [REDACTED:<type>], memory stored with flags
  • flag: Memory stored with content_flags populated, available for admin review
  • allow: No action, content stored normally

Memory Integrity (HMAC-SHA256)

Every new memory is signed with HMAC-SHA256 at storage time.

How It Works

Canonical message format: {project_id}:{agent_id}:{content} The HMAC is computed using AEGIS_INTEGRITY_KEY (falls back to AEGIS_API_KEY).

Verification

Returns whether the stored hash matches the recomputed hash. Legacy rows without hashes return has_hash: false.

Agent Trust Hierarchy

Four trust levels following OWASP recommendations:

Agent Identity Binding

API keys can be bound to a specific agent_id via the bound_agent_id field. When set, any request using that key must match the bound agent ID. This prevents agent ID spoofing.

Per-Agent Rate Limiting

Separate from project-level rate limiting, per-agent limits prevent a single rogue agent from exhausting the project’s quota.

Security Admin Endpoints

All require privileged or system trust level.
These five endpoints — scan, audit, flagged, verify, config — are the complete security-admin surface in the open-source distribution. There is no approve / reject / remediate workflow and no review-queue UI: flagged memories are surfaced for inspection (/security/flagged), while enforcement happens automatically at write time via the content-policy actions above (reject / redact / flag).

SDK Security Methods

Security Configuration Reference