What this is
How AI Control Center is built and how a request flows through it — including the substrate a security reviewer will ask about (which Aegis's docs omit).
Components
- Gateway — the public MCP+REST surface; orchestration tools only (search_tools, execute_tool, confirm_operation, sessions).
- Registry — normalized tool metadata (schema, risk_level, confirm_required, data_scope), derived from DevPlane's Capability Radar.
- Policy engine — the deterministic Grounded-Action router; the only decision authority (allow/route/deny/abstain). The LLM is explain/suggest-only, never in the decision path.
- Approval queue — routed actions wait here for a named human.
- Credential vault — downstream secrets, injected server-side at execution; never model-visible.
- Evidence ledger — append-only control records + legal hold.
- Identity — principals resolved to { tenant, role, scopes }.
Data flow
client → gw_session (intent) → search_tools (availability, NOT authz)
  → execute_tool → POLICY (execution-time boundary)
     ├─ allow → vault injects creds → downstream tool runs
     ├─ route → approval queue → human approve → vault → runs
     └─ deny → blocked
  → every outcome → evidence ledger

The security boundary is execution-time policy, not discovery. Search results are hints; the decision happens at execute_tool.
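The flow above, as an added worked example (not AI Control Center's code): a discovery call that never consults policy, a deterministic allow/route/deny/abstain router keyed on the principal's scopes and the tool's registry metadata, server-side credential lookup only after allow or approval, and an append-only ledger entry for every outcome. Tool names, scope strings and the vault contents are constructed for the example.

```typescript
// Constructed types mirroring the registry and identity shapes on this page.
type Decision = "allow" | "route" | "deny" | "abstain";
type Principal = { tenant: string; role: string; scopes: string[] };
type Tool = { risk_level: "low" | "medium" | "high"; confirm_required: boolean; data_scope: string };

// Static, human-authored registry (sample entries, not the real catalog).
const registry: Record<string, Tool> = {
  list_invoices: { risk_level: "low", confirm_required: false, data_scope: "billing:read" },
  refund_invoice: { risk_level: "high", confirm_required: true, data_scope: "billing:write" },
};

// Deterministic router: a pure function of principal + registry metadata; no model input.
export function decide(p: Principal, toolName: string): Decision {
  const tool = registry[toolName];
  if (!tool) return "abstain";                                   // unknown tool: refuse to guess
  if (!p.scopes.includes(tool.data_scope)) return "deny";        // principal lacks the data scope
  if (tool.confirm_required || tool.risk_level === "high") return "route"; // wait for a named human
  return "allow";
}

// search_tools is availability only: it never calls decide(), so a hit is not an authorization.
export function searchTools(query: string): string[] {
  return Object.keys(registry).filter((n) => n.includes(query));
}

type LedgerEntry = { principal: string; tool: string; decision: Decision; approved_by: string | undefined };
const ledger: LedgerEntry[] = [];                                 // append-only control records
const vault: Record<string, string> = { billing: "constructed-downstream-secret" }; // server-side only

// execute_tool: the real boundary. Credentials are looked up only after allow (or route + approval)
// and are never returned to the caller; every outcome is recorded, including deny and abstain.
export function executeTool(p: Principal, toolName: string, approvedBy?: string): { ok: boolean; decision: Decision } {
  let decision = decide(p, toolName);
  if (decision === "route" && approvedBy) decision = "allow";    // approval queue resolved by a human
  ledger.push({ principal: `${p.tenant}/${p.role}`, tool: toolName, decision, approved_by: approvedBy });
  if (decision !== "allow") return { ok: false, decision };
  const cred = vault[registry[toolName].data_scope.split(":")[0]]; // injected here, not in the prompt
  return { ok: cred !== undefined, decision };
}

export function ledgerSize(): number { return ledger.length; }
```

Note that an approval only upgrades a route; a deny or abstain stays what it is regardless of who signs off.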
Substrate (the part Aegis doesn't publish)
- Hosting: the DevPlane surface on Vercel (Node runtime, Hono entry); cron via Vercel Cron.
- Storage: Postgres (registry, approvals, evidence, identity mappings); evidence is append-only with legal-hold flags.
- Secrets: encrypted credential vault (stable key, server-side decrypt only) — credentials never enter prompts, search payloads, public logs, or marketing systems.
- Identity/Auth: Clerk for principals + SSO; API keys are project+role scoped and cannot self-widen scope.
- Policy: typed rules in a static registry; deterministic, versioned, human-authored.
- Transport: MCP (JSON-RPC) for clients; REST for service-to-service; both declared once per the service standard.
Scale & availability
Serverless/stateless gateway nodes (scale horizontally); state in Postgres. Policy evaluation is in-memory rule matching (no network hop on the hot path). Discovery (search_tools) is cacheable; execution is not.
Self-hosted / customer-hosted
Enterprise deployments run the gateway + policy + vault inside the customer's VPC with a customer-managed Postgres and vault key; the registry can sync from the hosted catalog or be fully local. SSO via the customer's SAML/OIDC. Evidence stays in the customer's store.
Honest scope
This reflects the target architecture; some substrate (multi-region residency, full self-host packaging) is roadmap, not shipped — see the Changelog for current state rather than assuming parity with this page.