Skip to content
CiAConsultancy in ActionAI Operations for Real Businesses

Case study · 2026

AEGIS

Security-grade agentic coding tooling — a guardrailed Rust agent with safety built into the architecture, shipped AI-accelerated.

Our guardrailed, provider-agnostic agentic coding tool

Industry
Capability build · Developer tooling
Engagement
Spec → safety kernel → agent → two implementations
Result
Security-grade agentic coding tooling — a guardrailed Rust agent with safety built into the architecture, shipped AI-accelerated.

The challenge

A coding agent is one of the most dangerous things to hand autonomy to: it runs commands, edits files, reads secrets, makes network calls and installs dependencies. Every leading tool treats that risk as a UX problem — a confirmation prompt bolted onto an agent that otherwise has full reach of your machine.

We wanted the opposite, and for our own client work: a coding agent we could point at a real repository and still prove, afterwards, exactly what it did — with destructive actions, secret exfiltration and prompt injection structurally prevented, not politely discouraged.

And it had to stay neutral and cheap: any cloud model via bring-your-own-key with zero markup, or fully local via Ollama at zero token cost — no vendor lock-in and no per-seat platform tax.

What we built

We wrote a full build specification, then built the safety kernel first — deliberately, before the agent. AEGIS runs the model inside concentric rings: the LLM only emits intents; the Aegis Layer (policy engine, sandbox broker, consent gateway, secrets firewall, audit ledger and kill switch) authorises, sandboxes and logs every one before any effect reaches the host. The agent core holds no syscall capability of its own — only a handle to the broker.

Ten principles are enforced architecturally, not by convention: a hard instruction/data boundary (everything the agent reads is untrusted data, never commands); least-privilege capability tokens; tiered consent (Auto / Confirm / Forbidden); kernel-level sandboxing (seccomp-bpf and Landlock on Linux, Seatbelt on macOS) with deny-by-default network egress; a secrets firewall the model can't read; and a tamper-evident, hash-chained audit ledger that replays any session end to end.

We shipped it two ways. CIARUSTCODE is the native implementation — a seven-crate, ~13,000-line Rust workspace compiling toward a single auditable binary. CIACODE is the pragmatic "OpenCode Wrap Edition" — it leaves the open-source OpenCode agent unmodified and contains it from the outside with the OS, Docker, an egress proxy and the same tamper-evident ledger.

The outcome

AEGIS exists as a working safety architecture with two implementations, both built for Consultancy in Action and both red-teamed against their own threat model — destructive actions, prompt injection, secret exfiltration and runaway autonomy. It runs any cloud model via BYOK with zero markup, or fully local via Ollama at $0 token cost.

Commissioned cold, security-grade tooling like this — a Rust safety kernel with kernel-level sandboxing, a secrets firewall and a tamper-evident ledger — is a £130k–£245k specialist build over six to twelve months. We designed and built ours AI-accelerated, in about two weeks — a fraction of that time.

That's the real proof point. Our website shows we ship marketing-grade web fast; AEGIS shows we ship governed, auditable, security-grade AI infrastructure fast — which is exactly what we sell. And the audit ledger means that when we run an agent on your codebase, you get a record that proves precisely what it did.

Most coding agents bolt safety on as a yes/no prompt. AEGIS runs the agent inside a mandatory safety kernel it cannot reach around — and hands you a tamper-evident ledger that proves exactly what it did.

Five safeguards, in plain English

What it actually does to keep your code and data safe — without the jargon.

1

Nothing leaves unchecked — not even the AI request

Even the message we send to the AI model is screened by the firewall and written to the activity log first. Your code and data can't leave your machine without being checked and recorded.

2

A tamper-proof record you can verify

The activity log is cryptographically signed, so it can't be quietly altered or faked — and anyone can confirm it's genuine later, even offline. You get proof, not just a promise.

3

It spots hijack attempts and pauses

If the agent reads something suspicious — a booby-trapped file, web page or ticket trying to hijack it — it automatically pauses and asks you before doing anything risky, instead of just obeying.

4

Air-gap mode: prove nothing left the building

Switch on air-gap mode and AEGIS runs entirely on your own hardware, refuses any internet connection, and records signed proof that zero data left your machine — ideal for sensitive legal, healthcare and financial work.

5

One-click compliance report

Export a single signed report showing exactly what the agent changed, everything it contacted, and what it cost — tamper-proof and verifiable. Hand it to a client, auditor or regulator as evidence.

How this compares

Indicative — the same scope, delivered three different ways.

Specialist Rust + security team

6–12 months

£130k–£245k

Consultancy in Action — AI-accelerated

~2 weeks

A fraction · $0 to run local

By the numbers

What was delivered — verified facts from the build, not projected returns.

10
Safety principles enforced
instruction/data boundary, least-privilege, tiered consent, kill switch…
$0
Running cost (local)
local Ollama or BYOK at raw provider rates — no markup
2
AEGIS implementations
native Rust binary + OpenCode containment wrap
7 · ~13k
Rust crates · LOC
aegis-layer / core / agent / provider / tui…
Tamper-evident
Audit ledger
append-only, hash-chained — prove exactly what ran
BYOK + local
Model access
Anthropic / OpenAI / Google / OpenRouter, or Ollama — no lock-in

Built with

  • Rust
  • Aegis Layer (safety kernel)
  • seccomp-bpf / Landlock
  • macOS Seatbelt
  • Ollama (local)
  • Anthropic / OpenAI / Google / OpenRouter (BYOK)
  • MCP (sandboxed)
  • Docker / microVM
  • tamper-evident ledger
  • OpenCode (wrap edition)

Want something built like this?

We design and ship real, data-driven products — not demos. Tell us what you're trying to make and we'll talk through fit.