Governing MCP Agents
Give an AI agent a governance gate it calls before it acts — and a tamper-evident record of why.
Give an AI agent a governance gate it calls before it acts — and a tamper-evident record of why.
The problem
An AI agent wired to tools makes consequential calls all day: deploy this, refactor that, allocate the resource, send the message. Most of those calls leave no record of why the agent decided to act. When something breaks — or an auditor, customer, or regulator asks — "the agent decided to" is the entire answer you have.
AEGIS gives the agent a gate to call before it acts. The gate returns a structured decision and writes a hash-chained entry you can replay later.
The pattern
The agent proposes an action. AEGIS evaluates it through six quantitative gates and returns one of PROCEED / PAUSE / HALT / ESCALATE, with per-gate scores, a confidence value, and rationale. Every evaluation appends a SHA-256 hash-chained entry — decision_id, timestamp, gate results, rationale — so the decision log is tamper-evident and replayable.
The six gates: Risk, Profit, Novelty, Complexity, Quality, Utility. They are not heuristic vibes — each is a calibrated check (Bayesian posteriors, logistic functions, hard floors). All six must pass for PROCEED.
One gate is counterintuitive: higher complexity_score means simpler. It is a simplicity metric with a hard floor at 0.5 — a change that is too complex cannot pass, and that floor cannot be raised by threshold tuning.
Connect it in one line
The local server installs from PyPI and runs over stdio. It works with no account — sandbox mode evaluates against a hosted endpoint rate-limited to roughly 10 evaluations/day per IP, which is enough to try it but not for volume.
pip install "aegis-governance[mcp]" # Python >= 3.10
claude mcp add aegis -- aegis-mcp-serverCursor / Windsurf (.cursor/mcp.json):
{
"mcpServers": {
"aegis": { "command": "aegis-mcp-server" }
}
}Set AEGIS_API_KEY in the server's environment (free Community key at portal.undercurrentholdings.com) to unlock decision history, usage reports, and risk checks. For teams that want a shared, durable audit trail, point at the hosted endpoint instead — see the MCP tools reference.
The tools your agent gets
The PyPI package exposes six tools over stdio:
| Tool | What it does |
|---|---|
aegis_evaluate_proposal | Full six-gate evaluation → PROCEED/PAUSE/HALT/ESCALATE + per-gate scores + rationale |
aegis_quick_risk_check | Fast risk screen for a single proposed change |
aegis_health | Service status |
aegis_list_decisions | Past governance decisions |
aegis_get_decision | One decision, full audit detail |
aegis_get_usage | Evaluation usage for the period |
The hosted endpoint adds threshold inspection, scoring guides, proposal records, and crypto-status — ten tools in total.
What an evaluation returns
A PROCEED decision carries its receipts: the status, a confidence value, how many gates passed, the per-gate values against their thresholds, and the rationale. The same call writes the hash-chained audit entry. You can pull any past decision back with aegis_get_decision and verify the chain independently.
That audit trail is the artifact compliance actually wants: a signed, replayable record you can map to NIST AI RMF and EU AI Act Annex IV evidence requirements, rather than a screenshot of a dashboard.
Honest caveats
- The gate engine runs server-side. The local server and the SDK are thin clients (httpx only); they do not contain the proprietary scoring logic. Sandbox mode therefore needs network access — it is "no signup," not "fully offline."
- Sandbox is rate-limited (~10/day per IP) and is for evaluation, not production traffic. Real use wants an API key.
- AEGIS governs decisions. It does not invoke models, write code, or take the action for you — it tells you whether the action clears the gates, and records that it did.
Try it without installing anything
The AEGIS Advisor walks one real decision through all six gates in the browser — no install, no signup. It is the fastest two minutes to see what the gate actually does.