Reference implementation of the Agent Execution Governance and Integrity Standard (AEGIS) — a three-layer cryptographic protocol for AI agent action accountability.
Li, A. (2026). AEGIS: Agent Execution Governance and Integrity Standard — A Survey and Reference Architecture for AI Agent Action Accountability. DOI: 10.5281/zenodo.18955103
AEGIS addresses the structural gap in AI agent behavioral accountability through three independent layers:
| Layer | Function | Technical Means | Paper Reference |
|---|---|---|---|
| L1: Action Recording | Capture and normalize agent actions from heterogeneous platforms | Platform-specific adapters, unified event schema | Section 6.2 |
| L2: Cryptographic Chain | Chain events via SHA-256 hash links ensuring ordering and tamper evidence | Binary concatenation encoding, SHA-256 (FIPS 180-4) | Section 6.2, Def. 2 |
| L3: Independent Verification | Sign chains with Ed25519, enable public-key-only verification | Ed25519 (RFC 8032), JCS (RFC 8785), provenance certificates | Section 6.2 |
No dependencies required. Clone and run with Node.js 20+:
# Run the demo — creates a chain, issues a certificate, and verifies it
node examples/demo.js
# Run the test suite
node --test test/
# Verify a bundle from file
node src/verify.js examples/bundle.jsonScenario S1: Cross-platform development workflow — agent commits code, pushes to Git, triggers CI build and deployment.
=== AEGIS Protocol Reference Implementation ===
--- Layer 1: Action Recording ---
[git] git.commit → payload_hash: fe2a751082fb481f...
[git] git.push → payload_hash: f7216059263763f4...
[ci] ci.build.started → payload_hash: 63d73ca632b00cf5...
[ci] ci.build.success → payload_hash: e09357d7616a9c38...
[ci] ci.deploy.success → payload_hash: 872444729da984b2...
--- Layer 2: Cryptographic Chain ---
seq=1 git.commit hash: 423a3c027e9f9427...
seq=2 git.push hash: cc6c8b0169604f24...
seq=3 ci.build.started hash: 53d07a1d070e21f5...
seq=4 ci.build.success hash: 8105ffec8bfd0eac...
seq=5 ci.deploy.success hash: 84adfed1923155a8...
Chain ID: chain-001
Genesis: 52204c00671bdc49...
Events: 5
Head: 84adfed1923155a8...
Integrity: VALID ✓
--- Layer 3: Independent Verification ---
Certificate issued: 2026-03-11T07:07:59.920Z
Signature: 3533a197e930d08b922c377d...
Algorithm: Ed25519
Fingerprint: 4ffe6a720ed153fe...
Signature verification: VALID ✓
--- Verification bundle exported to examples/bundle.json ---
Run: node src/verify.js examples/bundle.json
Third-party verifier — requires only the bundle file and the embedded public key. No platform access needed.
AEGIS Protocol — Verifying bundle: examples/bundle.json
Chain integrity: PASS
Events: 5
Head hash: 84adfed1923155a8c25af44f3b91d4e7a6c8f012e9b7d3a5c4f6e8d2b1a09873
Certificate sig: PASS
Cross-check: PASS
Overall: VALID
202 tests across 26 suites — covers M1–M6, S1–S5, conformance, provider injection, and extensibility:
▶ JCS Canonicalization (11 tests) ✔
▶ Hash Chain (L2) (14 tests) ✔ — includes M1 tamper detection (6 vectors)
▶ Certificate (L3) (5 tests) ✔
▶ Performance (2 tests) ✔ — M2: 1000-event chain <1s; M5: per-event latency
▶ Cross-Platform (M4) (3 tests) ✔
▶ Data Non-Contact (M6) (2 tests) ✔
▶ Serialization Roundtrip (M3) (3 tests) ✔ — 1K and 5K event chains
▶ End-to-End Pipeline (3 tests) ✔ — includes bundle export/verify roundtrip
▶ S5: Incident Reconstruction (3 tests) ✔ — timeline reconstruction + tampering detection
▶ CryptoProvider Interface (9 tests) ✔ — MVL role pluggability
▶ CryptoProvider Cross-Compat (2 tests) ✔ — cross-provider detection
▶ Extension Registry (18 tests) ✔ — all 4 Table 18 extensions
▶ Full Pipeline with Extensions (2 tests) ✔ — L1→L2→L3 + 4 extensions
▶ CryptoProvider Conformance (×4) (72 tests) ✔ — 18 checks per provider
▶ Extension Conformance (×4) (24 tests) ✔ — 6 checks per extension
▶ Negative Conformance (4 tests) ✔ — broken/malicious provider detection
▶ Abstract Base Class Enforcement (3 tests) ✔ — interface contracts
▶ Cross-Provider Chain Invariant (3 tests) ✔
▶ Provider Injection Pipeline (5 tests) ✔ — SHA-512 + SortedJSON full L2→L3 roundtrip
▶ Full Pipeline Conformance (2 tests) ✔ — default + SHA-512 with all extensions
tests 202 | pass 202 | fail 0
Demonstrates pluggable crypto providers and extension anchoring:
=== AEGIS Protocol — Extensibility Demonstration ===
--- MVL Baseline (SHA-256 + Ed25519 + JCS) ---
Provider: MVL_SHA256_Ed25519_JCS
Hash: SHA-256 (64-char hex)
Signature: Ed25519
Canonicalization: JCS (RFC 8785)
Chain events: 3
Chain integrity: VALID ✓
Certificate: VALID ✓
--- Provider Swap (SHA-512 + Ed25519 + JCS) ---
Provider: MVL_SHA512_Ed25519_JCS
Hash: SHA-512 (128-char hex)
[Same input, different hash — provider swapped, protocol invariant]
SHA-256: af6f916aaeecb6c3...
SHA-512: f778a8f7cc0663a1697403a052b2fa60...
Sign/verify (SHA-512 provider): PASS ✓
--- Extension Layer (Table 18) ---
Registered extensions:
• Timestamp: External timestamp authority anchoring (RFC 3161 concept)
• Blockchain: On-chain anchoring for public immutability (Table 18: +Blockchain)
• TEE: Hardware-backed isolation via Trusted Execution Environment (Table 18: +TEE)
• ZKP: Zero-knowledge proof for privacy-preserving verification (Table 18: +ZKP)
Anchoring certified chain to extensions...
Timestamp: anchor=e7930ba907ec6b90... (at 2026-03-11T...)
Blockchain: tx=4e3a1bd778b601df... (at 2026-03-11T...)
TEE: enclave=44e25d621cfea91b... (at 2026-03-11T...)
ZKP: proof=ad67bb831282a34d... (at 2026-03-11T...)
Verifying all anchors...
Timestamp: PASS ✓
Blockchain: PASS ✓
TEE: PASS ✓
ZKP: PASS ✓
--- Defense Argument (§6.5, Table 18) ---
The three MVL roles (hash, signature, canonicalization) are PLUGGABLE.
Extensions operate ABOVE the core protocol, not within it.
Any system using a custom provider or extension is still AEGIS.
The protocol structure is the invariant — not the specific algorithms.
▶ CryptoProvider Interface (9 tests) ✔ — MVL role pluggability
▶ CryptoProvider Cross-Compatibility (2 tests) ✔ — cross-provider detection
▶ Extension Registry (18 tests) ✔ — all 4 Table 18 extensions
▶ Full Pipeline with Extensions (2 tests) ✔ — L1→L2→L3 + 4 extensions
tests 31 | pass 31 | fail 0
Validates that ANY CryptoProvider or Extension implementation satisfies the AEGIS interface contract. Includes negative tests (broken/malicious provider detection) and full provider-injection integration:
▶ CryptoProvider Conformance: SHA256_Ed25519_JCS (18 tests) ✔
▶ CryptoProvider Conformance: SHA512_Ed25519_JCS (18 tests) ✔
▶ CryptoProvider Conformance: SHA256_Ed25519_SortedJSON (18 tests) ✔
▶ CryptoProvider Conformance: CRYSTALS_Dilithium_JCS (18 tests) ✔
▶ Extension Conformance: TimestampExtension (6 tests) ✔
▶ Extension Conformance: BlockchainExtension (6 tests) ✔
▶ Extension Conformance: TEEExtension (6 tests) ✔
▶ Extension Conformance: ZKPExtension (6 tests) ✔
▶ Negative Conformance — Broken Providers (4 tests) ✔
▶ Abstract Base Class Enforcement (3 tests) ✔
▶ Cross-Provider Chain Invariant (3 tests) ✔
▶ Provider Injection — Full Pipeline (5 tests) ✔
▶ Full Pipeline Conformance (2 tests) ✔
tests 113 | pass 113 | fail 0
Adapters normalize platform-specific events into a unified schema containing event_type, timestamp, and payload_hash. In accordance with P5 (Data Non-Contact), only SHA-256 hashes of business content are transmitted — never the raw payload itself. The reference implementation includes adapters for Git commits, CI pipeline events, and a generic mock adapter for testing.
Events are chained via the binary encoding scheme defined in Definition 2 of the paper. The genesis hash is computed over chain_id, agent_id, and created_at; each subsequent event hash incorporates its sequence number, event type, timestamp, payload hash, and the previous event's hash via binary concatenation and SHA-256. Three invariants are enforced at verification time:
- I1 — Sequence numbers are strictly monotonic (increments of 1)
- I2 — Timestamps are non-decreasing
- I3 — Each event's
prev_hashlinks to the preceding event's hash
Certificate payloads are canonicalized using JSON Canonicalization Scheme (JCS, RFC 8785) and signed with Ed25519 (RFC 8032). Any third party possessing only the public key can independently verify both the certificate signature and the full chain integrity, without access to the signing key or the original platform.
| Primitive | Standard | Purpose |
|---|---|---|
| SHA-256 | FIPS 180-4 | Tamper detection via hash chaining |
| Ed25519 | RFC 8032 | Attribution and non-repudiation via digital signatures |
| JCS | RFC 8785 | Deterministic serialization for signature stability |
All cryptographic operations use the Node.js crypto module (OpenSSL backend). No third-party dependencies are required.
A core contribution of the AEGIS framework is that the protocol structure is the invariant, not the specific algorithms. The reference implementation demonstrates this through two orthogonal extension axes:
The Minimal Verifiable Loop (MVL) consists of three roles, each independently replaceable:
| Role | Default | Alternatives | Paper Reference |
|---|---|---|---|
| Hash function | SHA-256 (FIPS 180-4) | SHA-512, SHA-3, BLAKE3 | §6.5 |
| Signature scheme | Ed25519 (RFC 8032) | ECDSA, CRYSTALS-Dilithium (E5) | §6.5, E5 |
| Canonicalization | JCS (RFC 8785) | CBOR (RFC 8949), Sorted-JSON | §6.5 |
"Removing any one of these three breaks the verification loop." — §6.5
Any system using a different hash function or signature scheme is still operating within the AEGIS framework — the three roles are invariant; only the concrete algorithms change. Post-quantum migration (E5: CRYSTALS-Dilithium) is a provider swap, not a protocol change.
Shipped providers: SHA256_Ed25519_JCS (baseline), SHA512_Ed25519_JCS, SHA256_Ed25519_SortedJSON, CRYSTALS_Dilithium_JCS (E5 post-quantum stub).
Extensions operate above the core three-layer protocol (Table 18). They consume finalized chain data and certificates, providing additional guarantees without modifying L1/L2/L3:
| Configuration | Components | Additional Guarantee |
|---|---|---|
| MVL (baseline) | SHA-256 + Ed25519 + JCS | Offline-verifiable, minimal dependencies |
| +Timestamp | MVL + RFC 3161 TSA | Independent temporal anchoring |
| +Blockchain | MVL + on-chain anchoring | Public immutability, survives issuer compromise |
| +TEE | MVL + trusted execution environment | Hardware-backed isolation |
| +ZKP | MVL + zero-knowledge proofs | Privacy-preserving verification |
Shipped extensions: TimestampExtension, BlockchainExtension, TEEExtension, ZKPExtension. Custom extensions implement the Extension base class.
The following metrics from the AEGIS paper (Section 7, Table 20) are exercised by node --test test/:
| Metric | Paper Definition | Test Coverage |
|---|---|---|
| M1 | Tamper Detection Rate (target: 100%) | 6 tamper tests: modified event_type, payload_hash, timestamp; inserted/deleted/reordered events |
| M2 | Verification Latency (target: <1s for N=1000) | 1000-event chain build + full verification benchmarked |
| M3 | Chain Integrity Over Time (target: 100%) | JSON serialize → deserialize roundtrip at 1K and 5K event scale (single + multi-pass) |
| M4 | Cross-Platform Coverage (target: >95%) | GitAdapter + CIAdapter normalization; mixed adapters in single chain |
| M5 | Recording Overhead | Per-event append latency measurement |
| M6 | Data Non-Contact Ratio (target: 100%) | Verify no plaintext payload in chain; only payload_hash present |
canonicalize(value)— Serialize any JSON-compatible value into a deterministic canonical string per RFC 8785.
computeGenesisHash(chainId, agentId, createdAt)— Compute the genesis hash for a new chain.computeEventHash(seq, eventType, timestamp, payloadHash, prevHash)— Compute the hash of a single chain event.computePayloadHash(payload)— SHA-256 hash of a JSON payload (canonicalized).Chain— Stateful chain builder. Manages genesis, event appending, and head tracking.verifyChain(chainData)— Verify all invariants (I1-I3) of a complete chain.
generateKeyPair()— Generate an Ed25519 key pair for certificate signing.getPublicKeyFingerprint(publicKey)— SHA-256 fingerprint of a public key.issueCertificate(chain, privateKey, metadata?)— Issue a signed provenance certificate for a chain.verifyCertificate(certificate, signature, publicKey)— Verify a certificate's Ed25519 signature.exportPublicKey(publicKey)— Export a public key to PEM format.importPublicKey(pem)— Import a public key from PEM format.
BaseAdapter— Abstract base class. Subclasses implementnormalize(rawEvent).MockAdapter— Test adapter for arbitrary events.GitAdapter— Normalizes Git commit events.CIAdapter— Normalizes CI/CD pipeline events.
verifyBundle(bundle)— Verify a complete AEGIS bundle (chain integrity + certificate signature + cross-layer consistency). Suitable for third-party auditors.
CLI usage: node src/verify.js <bundle.json> (exit code 0 = pass, 1 = failure).
@article{li2026aegis,
title={{AEGIS}: Agent Execution Governance and Integrity Standard ---
A Survey and Reference Architecture for {AI} Agent Action Accountability},
author={Li, Alex},
year={2026},
doi={10.5281/zenodo.18955103},
url={https://doi.org/10.5281/zenodo.18955103}
}Software citation:
@software{li2026aegis_protocol,
title={{AEGIS} Protocol Reference Implementation},
author={Li, Alex},
year={2026},
url={https://github.com/crabsatellite/aegis-protocol},
note={Reference implementation of \cite{li2026aegis}}
}Apache-2.0. See LICENSE for the full text.