Pre-MVP Specifications & Architecture

Enterprise Control Plane for the Model Context Protocol

Kong + Apigee + Okta — for MCP. Secure, govern, observe, and route Model Context Protocol traffic at enterprise scale.

Added p50 Latency: < 15ms
Throughput / Region: 10k/s
Cedar Policy Evaluation: < 5ms
Supported Transports: 4+

The Challenge

Bridging the MCP Governance Gap

Organizations are deploying hundreds of MCP servers exposing Jira, ServiceNow, databases, and internal APIs to LLMs — with no mature governance layer in between. Aegis is the missing control plane that secures this boundary.

The Policy Enforcement Pipeline

Every inbound MCP JSON-RPC operation flows through a stateless, fail-closed middleware pipeline prior to downstream execution.

MCP Client (LLM or Agent App)
1. Transport: stdio / SSE / WS
2. AuthN/Z: OIDC / JWT / RBAC
3. Cedar Engine: Arg-level policy
4. Rate & Resilience: Redis Limiter / Polly
MCP Server (Jira / DB / Internal API)

Features

Complete Unit of Governance

Aegis parses raw MCP JSON-RPC messages and governs every primitive in both directions, keeping compliance transparent and runtime latency low.

Deep Protocol Awareness

Governs all MCP primitives (Tools, Resources, Prompts, Sampling, Roots, Elicitation) across stdio, HTTP, SSE, and WebSocket transports.

Cedar Policy Engine

Fine-grained, argument-level policy-as-code evaluations (e.g. limiting SQL tools to SELECT statements) in under 5ms, fail-closed by default.

Tamper-Evident Auditing

Append-only, hash-chained logs with per-tenant retention and SIEM export (Splunk, AWS Security Lake) to verify regulatory compliance.

Enterprise Authentication

Centralized OIDC, OAuth2, and SAML integration (Okta, Entra ID, Auth0) with OAuth On-Behalf-Of flow mapping for downstream calls.

Resilience & Rate Limiting

Polly integration for timeouts, retries, and circuit breakers, paired with Redis-backed sliding-window rate limiting per tool/user.

Registry & Anti-Rug-Pull

Pins schemas and description hashes at registration, periodically validating downstream endpoints to block unapproved API drift.
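
One way the pinning check described under Registry & Anti-Rug-Pull could work, as an added example that is not Aegis code. The function names, the use of SHA-256 over canonical JSON, and the sample tool lists are assumptions; `sql.execute` is a constructed tool name.

```python
import hashlib
import json

def tool_fingerprint(tool):
    """SHA-256 over canonical JSON of the fields the model acts on."""
    pinned = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    # sort_keys and fixed separators make the encoding independent of key order
    canonical = json.dumps(pinned, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def pin_tools(tools):
    """Registration: record one fingerprint per approved tool."""
    return {t["name"]: tool_fingerprint(t) for t in tools}

def detect_drift(pins, live_tools):
    """Compare a later tools/list result against the pins."""
    live = {t["name"]: tool_fingerprint(t) for t in live_tools}
    return {
        "changed": sorted(n for n in live if n in pins and live[n] != pins[n]),
        "added": sorted(n for n in live if n not in pins),
        "removed": sorted(n for n in pins if n not in live),
    }

def allowed_tools(pins, live_tools):
    """Fail closed: expose only tools whose fingerprint still matches its pin."""
    return [t for t in live_tools if pins.get(t["name"]) == tool_fingerprint(t)]

# Constructed sample data: the tool list approved at registration time.
REGISTERED = [
    {"name": "jira.search", "description": "Search Jira issues.",
     "inputSchema": {"type": "object", "properties": {"jql": {"type": "string"}}}},
    {"name": "sql.query", "description": "Run a read-only SQL query.",
     "inputSchema": {"type": "object", "properties": {"sql": {"type": "string"}}}},
]
# Constructed later poll: one description rewritten, one schema with reordered
# keys only (not drift), and one tool that was never registered.
LIVE = [
    {"name": "jira.search", "description": "Search Jira issues and attachments.",
     "inputSchema": {"type": "object", "properties": {"jql": {"type": "string"}}}},
    {"name": "sql.query", "description": "Run a read-only SQL query.",
     "inputSchema": {"properties": {"sql": {"type": "string"}}, "type": "object"}},
    {"name": "sql.execute", "description": "Run any SQL statement.",
     "inputSchema": {"type": "object", "properties": {"sql": {"type": "string"}}}},
]
```

Hashing the canonical form rather than the raw response bytes keeps a reordered but otherwise identical schema from raising a false drift alert.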

Policy-As-Code

Fine-Grained Argument Validation

Define structured security boundaries. Secure argument values, operations, and identities in a declarative language.

// Limit SQL tool operations to SELECT statements for developer roles
permit(
    principal in Role::"Developer",
    action == Action::"tools/call",
    resource == Server::"sql-prod"
)
when {
    context.primitive == "tool" &&
    context.target == "sql.query" &&
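    // Cedar has no regex operator; `like` supports only the `*` wildcard, so
    // case and leading whitespace must be normalized before evaluation.
    context.arguments.sql like "SELECT *"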
};

// Fail-closed platform invariant: deny finance tools to external principals
forbid(
    principal,
    action,
    resource == Server::"finance-restricted"
)
when {
    principal.is_external == true
};

policy:
  evaluator: cedar
  failMode: closed
deny:
  tools:
    - "finance.wire_transfer"
allow:
  tools:
    - "jira.search"
    - "sql.query"
constraints:
  sql.query:
    operations: [ SELECT ]
transforms:
  jira.search:
    redact: [ "$.response.assignee.email" ]
Aegis MCP specs
V1.0 Draft

Pre-MVP Status & Release Map

Specification Phase · Under Development

This repository currently holds the detailed product, architecture, and deployment specifications. Follow the recommended build milestones in the product requirements: scaffolding, core proxy pipeline, auth, Cedar engine integration, and OTel diagnostics.
