Automatic audit trails and compliance reports for AI-assisted development
Project description
Aegis
Automatic audit trails and compliance reports for AI-assisted development.
Aegis is a local CLI tool that turns your AI coding agent's activity into automatic, policy-mapped audit trails and compliance reports — so your team can prove AI-assisted development follows your own written rules, without changing how you work.
Install in under 10 minutes. Works 100% offline. No accounts, no telemetry.
What It Does
| Command | What it does |
|---|---|
aegis init |
Set up .aegis/ in your repo with a default policy file |
aegis check |
Scan your current code changes against your policy rules |
aegis audit |
Read your latest Claude Code session and produce a redacted audit trail |
aegis report |
Generate a 30-day compliance report suitable for SOC 2 evidence |
aegis install-hook |
Block commits that violate blocking-severity rules |
Installation
pip install aegis-cli
Or install from source for development:
git clone https://github.com/your-org/aegis
cd aegis
pip install -e ".[dev]"
Requirements: Python 3.11+, git on your PATH.
Quick Start
# 1. From your project root (must be a git repo):
aegis init
# 2. Make some code changes, then check them:
aegis check
# 3. After a Claude Code session, generate an audit trail:
aegis audit
# 4. Generate a 7-day compliance report:
aegis report --since 7d
# 5. (Optional) Auto-block commits that violate blocking rules:
aegis install-hook
The "Constitution" — Your Policy File
After aegis init, edit .aegis/constitutions/default.yaml to define your team's rules:
name: "My Team's AI Policy"
version: 1
rules:
- id: NO_HARDCODED_SECRETS
description: "Code must not contain hardcoded API keys, passwords, or tokens"
severity: blocking # blocks commit if violated
check_type: pattern
pattern: "(?i)api_key\\s*[:=]\\s*['\"]?[A-Za-z0-9+/\\-_]{8,}"
applies_to: ["*.py", "*.js", "*.ts"]
- id: NO_DIRECT_MAIN_PUSH
description: "No direct commits to main or master branch"
severity: blocking
check_type: git_branch_guard
protected_branches: [main, master]
- id: TESTS_FOR_NEW_FUNCTIONS
description: "New functions should have corresponding test changes"
severity: warning # shown but does not block
check_type: heuristic_test_coverage
Severity levels:
blocking—aegis checkexits non-zero; the pre-commit hook blocks the commitwarning— shown in output but doesn't blockinfo— logged to report only
Check types (v1):
pattern— regex match over added diff lines; addapplies_tofile globs to scope itgit_branch_guard— checks current branch againstprotected_branchesheuristic_test_coverage— warns when new functions have no matching test file changes
CLI Reference
aegis init
aegis init # initialize .aegis/ in current directory
aegis init --force # reinitialize (overwrite existing config)
Creates:
.aegis/config.yaml— configuration file.aegis/constitutions/default.yaml— your policy file (edit this).aegis-reports/checks/— one file peraegis checkrun.aegis-reports/audits/— one file peraegis auditrun.aegis-reports/compliance/— output ofaegis report
aegis check
aegis check # check working tree vs HEAD
aegis check --range main..HEAD # check all commits on current branch vs main
aegis check --range commitA..commitB # check a specific commit range
Exit codes:
0— all checks passed (or only warnings)1— one or moreblockingrules failed
Use in CI:
# GitHub Actions example
- name: Aegis policy check
run: aegis check --range origin/main..HEAD
aegis audit
aegis audit # most recent Claude Code session
aegis audit --session <id> # specific session ID
aegis audit --session /path/to/file.jsonl # specific file
aegis audit --all # all available sessions
Aegis auto-detects Claude Code session logs at:
- Windows:
%APPDATA%\Claude\projects\**\*.jsonl - macOS/Linux:
~/.claude/projects/**/*.jsonl
If auto-detection fails, set the path in .aegis/config.yaml:
claude_code_session_path: "/custom/path/to/session/logs"
All output is automatically redacted — potential secrets are replaced with [REDACTED:<type>] before anything is written to disk.
aegis report
aegis report # last 7 days (default)
aegis report --since 30d # last 30 days
aegis report --since 2w # last 2 weeks
aegis report --since 2026-06-01 # since a specific date
aegis report --since 7d --html # also generate HTML version
The report is written to .aegis-reports/compliance/compliance-<timestamp>.md.
With --html, also writes .aegis-reports/compliance/compliance-<timestamp>.html.
The HTML report is fully self-contained (inline CSS, no JavaScript) — suitable for email attachment or printing to PDF.
aegis install-hook
aegis install-hook # install pre-commit hook
aegis install-hook --force # reinstall (overwrite existing)
Installs a git pre-commit hook at .git/hooks/pre-commit that runs aegis check before every commit. If a blocking rule fails, the commit is aborted.
To remove: delete .git/hooks/pre-commit or remove the # >>> aegis section if you have other hooks.
Configuration Reference
.aegis/config.yaml:
constitutions:
- .aegis/constitutions/default.yaml
# Add more files to combine multiple constitutions:
# - .aegis/constitutions/client-specific.yaml
claude_code_session_path: null # null = auto-detect
output:
reports_dir: .aegis-reports
Git Integration
Add reports to .gitignore (or commit them)
# Option 1: ignore everything
.aegis-reports/
# Option 2: commit compliance reports but ignore granular data
.aegis-reports/checks/
.aegis-reports/audits/
# (leave .aegis-reports/compliance/ out of .gitignore to commit reports)
Many teams commit compliance/ reports as audit evidence while ignoring the more granular checks/ and audits/ files.
Running Tests
pip install -e ".[dev]"
pytest tests/ -v
For coverage:
pytest tests/ --cov=aegis --cov-report=term-missing
GRC Compliance Value
| Framework | Controls Supported |
|---|---|
| SOC 2 Type II | CC6.1 (Logical Access), CC7.2 (Monitoring), CC9.2 (Risk Mitigation) |
| ISO 27001 | A.8.1 (Asset Management), A.12.4 (Logging), A.14.2 (Secure Development) |
| EU AI Act | Article 12 — Automated logging of AI system events |
| NIST AI RMF | GOVERN 1.1, MANAGE 2.2 |
Security
- No telemetry. Aegis never makes network requests. All data stays on your machine.
- Conservative redaction. Aegis over-redacts rather than under-redacts. If it catches something that isn't a secret, adjust your constitution.
- Redaction on every event. Session content is redacted before being stored anywhere — including in-memory objects. There is no
--skip-redactionflag.
FAQ
Does Aegis send my code anywhere? No. Everything runs locally and writes to files in your project directory.
What if the redaction catches false positives?
Adjust patterns in your constitution, or change severity to warning while you tune it. The high_entropy_value pattern (catches long base64 strings) is the most likely source of false positives.
Can I use this with Cursor, Devin, or Windsurf?
Not yet — v1 supports Claude Code session logs only. aegis check and aegis report work regardless of which agent you use (they operate on git diffs). See ROADMAP.md for the agent adapter roadmap.
Where are my reports?
In .aegis-reports/ within your project. Run aegis report to see a combined summary.
License
Apache 2.0 — see LICENSE.
Contributing
See DECISIONS.md for architecture decisions and ROADMAP.md for planned features.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file aegis_compliance-0.1.0.tar.gz.
File metadata
- Download URL: aegis_compliance-0.1.0.tar.gz
- Upload date:
- Size: 43.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0792e9bfcc963db692b99336152e12f6292d6f0560da2d818ef239743f3c03d8
|
|
| MD5 |
500a942b4104ffa68d49f284503a8235
|
|
| BLAKE2b-256 |
4a9de9bfbb0f8c6e64fea968d3c3e37d549654ad3e2aeb27f6874951061d3a59
|
File details
Details for the file aegis_compliance-0.1.0-py3-none-any.whl.
File metadata
- Download URL: aegis_compliance-0.1.0-py3-none-any.whl
- Upload date:
- Size: 37.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
449d58c992dcd64b574b04e9778e58df650482d2178c24fba03efa0b51798363
|
|
| MD5 |
eadd06db5bbc12d192461321ba9275d2
|
|
| BLAKE2b-256 |
eb12d7eebade40e5345195356a07ad5e1128ad031b8fa4f7751de4226cf5fe02
|