AION Core runtime security layer for AI agent tool-call control, receipts, scanning, and approvals.
Project description
AION Core
Runtime action control, receipt, and firewall layer for AI agents.
AION Core contains the open-source infrastructure pieces behind AION: Guard, Receipts, Scan, Team Policy, and the MCP Firewall.
AI Agent -> AION Guard / MCP Firewall -> Tool/API/System
                          |
                          +-> verified JSONL receipt log
One-Command Demo
From the repo root:
$env:PYTHONPATH='src'
python -m aion_core.demo
After local install or PyPI install:
python -m pip install aion-core
aion-demo
For editable development installs:
python -m pip install -e .
Expected result:
[PASS] scan detected unprotected MCP server
[PASS] guard blocked generic shell action
[PASS] guard allowed generic safe read
[PASS] team policy required approval
[PASS] blocked destructive shell command
[PASS] blocked secret exfiltration
[PASS] allowed safe read
Receipts written to: aion-demo-output/receipts.jsonl
Approvals written to: aion-demo-output/approvals.jsonl
Receipt verification: PASS (6 receipt(s), hash-verified)
This proves the infrastructure wedge:
- generic Guard actions can be allowed or blocked
- a dangerous shell action is blocked before it reaches the tool
- a secret exfiltration attempt is blocked before it reaches the tool
- a safe file-read style action is allowed
- approval-required team actions create approval records
- every decision gets a receipt
Run Guard
Check a generic action:
$env:PYTHONPATH='src'
python -m aion_core.guard_cli check --policy examples\policies\stage6-default.json --receipt-log receipts\guard.jsonl --action-type shell.command --tool shell --arguments-file examples\actions\destructive_shell_args.json --agent-id demo --owner local
Run The Firewall
Run AION in front of any stdio MCP server:
aion-mcp-firewall --policy examples/policies/stage6-default.json --receipt-log receipts/aion.jsonl -- python path/to/mcp_server.py
For local development without installing:
$env:PYTHONPATH='src'
python -m aion_core.cli --policy examples/policies/stage6-default.json --receipt-log receipts/aion.jsonl -- python path/to/mcp_server.py
Manual Attack Demo
Blocked dangerous command:
$env:PYTHONPATH='src'
Get-Content examples/attacks/destructive_shell.json | python -m aion_core.cli --policy examples/policies/stage6-default.json --receipt-log receipts/demo.jsonl -- python examples/demo_mcp_server.py
Allowed safe call:
$env:PYTHONPATH='src'
Get-Content examples/attacks/safe_read.json | python -m aion_core.cli --policy examples/policies/stage6-default.json --receipt-log receipts/demo.jsonl -- python examples/demo_mcp_server.py
Policy Shape
Policies are JSON so the MVP has zero runtime dependencies.
{
  "default_action": "allow",
  "rules": [
    {
      "id": "block-shell-delete",
      "match": {
        "tool": ["shell", "run_command"],
        "argument_contains": ["rm -rf", "Remove-Item", "del /s"]
      },
      "action": "block",
      "reason": "Destructive shell command patterns require explicit approval."
    }
  ]
}
Supported rule matchers:
- tool: exact tool names or * wildcards.
- argument_contains: risky strings searched inside the serialized arguments.
- argument_regex: risky regular expressions searched inside the serialized arguments.
- owner: optional agent owner/team identity.
Supported actions:
- allow
- block
Receipt Example
Every MCP tools/call decision is logged as JSONL:
{"decision":"block","tool":"shell","rule_id":"block-shell-delete","reason":"Destructive shell command patterns require explicit approval."}
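As an added illustration (not code from the aion-core project), here is a minimal Python evaluator for the policy shape described above, applied to an MCP tools/call request of the kind the firewall proxies: it returns the receipt fields shown above and, for a block, a JSON-RPC error to send back instead of forwarding the call. The JSON serialization of the arguments, first-match-wins rule order, the -32000 error code and the second rule are assumptions, not the project's documented behaviour.

```python
import fnmatch
import json
import re

# Constructed policy: the README's rule plus one using argument_regex and a tool wildcard.
POLICY = {
    "default_action": "allow",
    "rules": [
        {"id": "block-shell-delete",
         "match": {"tool": ["shell", "run_command"],
                   "argument_contains": ["rm -rf", "Remove-Item", "del /s"]},
         "action": "block",
         "reason": "Destructive shell command patterns require explicit approval."},
        {"id": "block-secret-exfil",
         "match": {"tool": ["http*"],
                   "argument_regex": [r"(?i)(api[_-]?key|secret|token)\s*[=:]"]},
         "action": "block",
         "reason": "Possible secret exfiltration in outbound request arguments."},
    ],
}

def rule_matches(match, tool, serialized_args, owner):
    """Every matcher present in the rule must hold; within a matcher any listed value suffices."""
    if "tool" in match and not any(fnmatch.fnmatchcase(tool, p) for p in match["tool"]):
        return False
    if "argument_contains" in match and not any(s in serialized_args for s in match["argument_contains"]):
        return False
    if "argument_regex" in match and not any(re.search(p, serialized_args) for p in match["argument_regex"]):
        return False
    if "owner" in match and owner not in match["owner"]:
        return False
    return True

def evaluate(policy, request, owner=None):
    """Decide one MCP tools/call request; first matching rule wins, else default_action."""
    params = request.get("params", {})
    tool = params.get("name", "")
    # Assumption: matchers are searched inside the JSON-serialized arguments object.
    serialized = json.dumps(params.get("arguments", {}), sort_keys=True)
    for rule in policy["rules"]:
        if rule_matches(rule["match"], tool, serialized, owner):
            return {"decision": rule["action"], "tool": tool, "rule_id": rule["id"], "reason": rule["reason"]}
    return {"decision": policy["default_action"], "tool": tool, "rule_id": None, "reason": "default_action"}

def block_response(request, receipt):
    """JSON-RPC error sent back to the agent instead of forwarding the call (assumed shape)."""
    return {"jsonrpc": "2.0", "id": request.get("id"),
            "error": {"code": -32000, "message": f"blocked by rule {receipt['rule_id']}: {receipt['reason']}"}}
```

Serializing the returned dict with json.dumps(receipt, separators=(",", ":")) gives a line in the same compact JSONL form as the receipt above.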
Development
Run tests:
$env:PYTHONPATH='src'
python -m unittest discover -s tests
Useful docs:
- Stage status
- AION Guard
- AION Receipts
- AION Scan
- Team policy and approvals
- Stage 5 Cloud alignment
- AION Cloud control panel
- Stage 6 completion report
- Repo structure
- Stage 6 demo guide
- Install
- Real MCP integration
- Filesystem MCP example
- Architecture
- Launch checklist
- GitHub launch
- PyPI release
- Website copy
- Verification
- Demo video script
- Launch post draft
- Roadmap
Current Scope
Current core scope:
- generic Guard action checks
- MCP config and policy scanning
- stdio MCP firewall proxy
- runtime policy checks for tools/call
- MCP-compatible JSON-RPC block responses
- hash-verified JSONL audit receipts
- team approval-required policy decisions
- AION Cloud control panel summary and pending approval views
- dependency-free Python core
Next infrastructure layers:
- signed receipts
- agent identity
- cloud receipt vault
- tool risk registry
- real Slack/webhook approval delivery
- compliance exports
File details
Details for the file aion_core-0.8.0.tar.gz.
File metadata
- Download URL: aion_core-0.8.0.tar.gz
- Upload date:
- Size: 37.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ffc7d78bbf3414f9145d6bf25b7d247d92e9aa7fbf2de02ddb8f6f331aee2d60 |
| MD5 | 0543a2c3d6396aebb80099aec559586e |
| BLAKE2b-256 | 82bee74469e16096025318e432e416e87c9148d0be5fec8d1ae35f5ff3c1cdd8 |
File details
Details for the file aion_core-0.8.0-py3-none-any.whl.
File metadata
- Download URL: aion_core-0.8.0-py3-none-any.whl
- Upload date:
- Size: 24.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 7b1409c43de009332a000d8fbe0a095151fb4e28fc5a94c72058aa307cafb5c3 |
| MD5 | 897582c9b5f0dc690e0e0d963ef4842f |
| BLAKE2b-256 | 173ff29b14032780a6903eb27312858df4cabf44658ea9ee9f7945aa672c8cfc |