Core Documentation

Aegis MCP Gateway acts as a central governance, auditing, and policy enforcement proxy between LLM-powered applications (MCP clients) and the internal network resources, endpoints, and databases they interact with (MCP servers).

Unlike standard HTTP reverse proxies, Aegis has deep protocol-level awareness. It intercepts, parses, and restructures raw Model Context Protocol JSON-RPC traffic. This allows Aegis to inspect argument scopes, inject identity tokens, filter output values, and track user actions.

MCP Primitives

Aegis enforces policies across all six primitive layers specified by the Model Context Protocol, executing checks in both client-to-server and server-to-client directions:

| Primitive | Direction | Governance Role | Example Enforcement |
|---|---|---|---|
| Tools | Client → Server | Verifies function execution permissions and argument payloads. | Deny write operations; check that query strings contain only SELECT. |
| Resources | Client → Server | Governs file reads, DB schema access, and external data fetches. | Limit path reads to /shared/public/*; block local path traversal. |
| Prompts | Client → Server | Regulates templates exposed to LLMs. | Restrict specialized financial prompts to users in the Advisors role. |
| Sampling | Server → Client | Intercepts requests asking the client LLM to generate completions. | Forbid servers from triggering unapproved sub-generations. |
| Roots | Client → Server | Controls directory hierarchies exposed to downstream servers. | Strip local file systems from the roots list before routing to third-party endpoints. |
| Elicitation | Server → Client | Intercepts requests for user input or approval loops. | Require MFA verification for critical transaction approvals. |
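The Tools and Resources rows call for argument-level checks rather than simple method allow-lists. The following is an added example, not Aegis code, of the two checks named in the table: a read-only SQL gate that rejects stacked statements and SELECT ... INTO, and a path check that percent-decodes and normalises before comparing against the allowed root on a segment boundary. The helper names, the tool name db.query, and the sample messages are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed for this example: the allowed resource root from the table above.
ALLOWED_ROOT = "/shared/public"

# SQL comments are removed first so a second statement cannot hide inside "/* */".
_SQL_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.DOTALL)
# Any of these keywords makes the statement more than a read; "INTO" catches
# SELECT ... INTO, which writes despite starting with SELECT.
_WRITE_KEYWORDS = re.compile(
    r"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|GRANT|REVOKE|"
    r"INTO|EXEC|EXECUTE|CALL)\b",
    re.IGNORECASE,
)


def is_select_only(query: str) -> bool:
    """True only for a single read-only SELECT (or WITH ... SELECT) statement."""
    body = _SQL_COMMENT.sub(" ", query).strip().rstrip(";").strip()
    if not body or ";" in body:            # empty, or more than one statement
        return False
    first_word = body.split(None, 1)[0].upper()
    if first_word not in ("SELECT", "WITH"):
        return False
    # Fail closed: a write keyword anywhere (even inside a string literal)
    # rejects the query rather than risking a miss.
    return _WRITE_KEYWORDS.search(body) is None


def path_allowed(requested: str, root: str = ALLOWED_ROOT) -> bool:
    """True only if the requested path resolves inside root.

    Percent-decodes and normalises first so "..", "%2e%2e", "." and doubled
    slashes cannot escape, then compares on a segment boundary so that
    /shared/public-internal is not treated as a child of /shared/public.
    Symlinks are not resolved here; that needs a filesystem check at the server.
    """
    decoded = unquote(requested)
    if "\x00" in decoded or not decoded.startswith("/"):
        return False
    resolved = posixpath.normpath(decoded)
    root = root.rstrip("/")
    return resolved == root or resolved.startswith(root + "/")


def check_request(msg: dict) -> tuple:
    """Apply the payload check that matches the JSON-RPC method of one MCP message."""
    method = msg.get("method")
    params = msg.get("params") or {}
    if method == "tools/call" and params.get("name") == "db.query":
        query = (params.get("arguments") or {}).get("query", "")
        if not is_select_only(query):
            return False, "tools/call db.query: query is not a single read-only SELECT"
        return True, "ok"
    if method == "resources/read":
        uri = params.get("uri", "")
        path = uri[len("file://"):] if uri.startswith("file://") else uri
        if not path_allowed(path):
            return False, f"resources/read: {uri} is outside {ALLOWED_ROOT}"
        return True, "ok"
    return True, "no payload check defined for this method"


if __name__ == "__main__":
    # Constructed MCP messages: one benign read, one escaping the root.
    for msg in [
        {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
         "params": {"name": "db.query", "arguments": {"query": "SELECT id FROM tickets"}}},
        {"jsonrpc": "2.0", "id": 2, "method": "resources/read",
         "params": {"uri": "file:///shared/public/../../etc/passwd"}},
    ]:
        print(msg["id"], check_request(msg))
```

The SQL gate is deliberately conservative: a keyword match inside a string literal rejects the query, which is the right failure direction for a gateway. The path check works on the string only; the downstream server still has to resolve symlinks before opening the file.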

Authentication & Identity

Aegis integrates with standard enterprise Identity Providers (IdPs) to assert user and service identity. Inbound request tokens (JSON Web Tokens, JWTs) are intercepted and their signatures verified against the IdP's active JSON Web Key Set (JWKS):

  • Supported Integrations: Microsoft Entra ID, Okta, Auth0, Ping Identity, Google Workspace.
  • Identity Mapping: Resolves JWT claims to a uniform Principal { Subject, TenantId, Roles[], Attributes{} } available in the policy engine context.
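The verification and mapping steps above, as an added example that is not Aegis code. The key set is keyed by kid and, so that the example runs offline, uses an HS256 shared secret; a production JWKS carries RSA/EC public keys and the gateway pins RS256 or ES256 instead. The issuer, audience, claim names (tid, roles) and the mint_token stand-in for the IdP are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed key set keyed by kid (HS256 only so the example runs offline;
# a real JWKS holds public keys and the gateway would pin RS256/ES256).
KEY_SET = {"kid-2024-01": b"constructed-shared-secret-do-not-reuse"}
EXPECTED_ALG = "HS256"
EXPECTED_ISSUER = "https://idp.example.test/"     # constructed
EXPECTED_AUDIENCE = "aegis-gateway"               # constructed
# Claims consumed by the mapping itself; everything else lands in Attributes.
STANDARD_CLAIMS = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti", "tid", "roles"}


class TokenRejected(Exception):
    """Any verification failure. The reason is logged, not returned to the client."""


@dataclass
class Principal:
    subject: str
    tenant_id: str
    roles: list = field(default_factory=list)
    attributes: dict = field(default_factory=dict)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_jwt(token: str, now=None) -> dict:
    """Check signature, issuer, audience and validity window; return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise TokenRejected("malformed header")
    # The algorithm is pinned server-side; the token's "alg" is compared
    # against it and never used to choose the verification routine.
    if header.get("alg") != EXPECTED_ALG:
        raise TokenRejected("unexpected alg")
    key = KEY_SET.get(header.get("kid"))
    if key is None:
        raise TokenRejected("unknown kid")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("malformed signature")
    if not hmac.compare_digest(expected, presented):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))   # parsed only once the signature holds
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenRejected("expired or missing exp")
    if now < claims.get("nbf", 0):
        raise TokenRejected("not yet valid")
    return claims


def to_principal(claims: dict) -> Principal:
    """Map verified claims onto the Principal shape used by the policy engine."""
    return Principal(
        subject=claims["sub"],
        tenant_id=claims.get("tid", ""),
        roles=list(claims.get("roles", [])),
        attributes={k: v for k, v in claims.items() if k not in STANDARD_CLAIMS},
    )


def authenticate(token: str, now=None):
    """Gateway entry point: a Principal for a valid token, None for anything else."""
    try:
        return to_principal(verify_jwt(token, now))
    except TokenRejected:
        return None


def mint_token(claims: dict, kid: str) -> str:
    """Constructed IdP stand-in that signs claims with a key from KEY_SET."""
    header = {"alg": EXPECTED_ALG, "typ": "JWT", "kid": kid}
    signing_input = (f"{_b64url_encode(json.dumps(header).encode())}."
                     f"{_b64url_encode(json.dumps(claims).encode())}")
    sig = hmac.new(KEY_SET[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"
```

Two ordering choices matter here: the expected algorithm is fixed by configuration rather than read from the token, and the payload is only decoded after the signature has been checked, so unverified claims never reach the mapping step.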

Downstream Credentials

Aegis brokers downstream credentials so that downstream servers never receive the primary user credential. The gateway maps the inbound user identity to a downstream credential using one of two techniques:

  1. OAuth On-Behalf-Of (OBO): Exchanges the inbound user token for a scope-restricted token dedicated to the target downstream server.
  2. Gateway-Held Service Credentials: Injects service tokens fetched from a secrets store (such as HashiCorp Vault or AWS Secrets Manager) through the ISecretProvider port.

Cedar Policy Language

Aegis uses the Cedar Policy Language from AWS for writing authorization policies. Cedar's design ensures that policies are fast to evaluate, secure by default, and amenable to formal verification:

  • Forbid Wins: If a request matches both an allow and a forbid rule, the forbid rule overrides. This lets platform administrators enforce security boundaries that cannot be overridden by weaker application rules.
  • Formal Proofs: The Cedar engine supports mathematical validation, allowing security teams to audit policy safety under all scenarios.
  • In-Memory Evaluation: Evaluates policies in under 5ms (cached in memory) without network lookups during execution.

Context Properties

Aegis maps MCP Operation fields directly into the Cedar evaluation context:

context.primitive  // "tool" | "resource" | "prompt" | "sampling"
context.method     // e.g., "tools/call"
context.target     // e.g., "jira.create_issue"
context.arguments  // JSON element representing argument parameters
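How these context properties are populated from a JSON-RPC request and then decided under the "forbid wins" rule from the previous section, as an added example that is not Aegis code. The policies are Python predicates that mirror the Cedar text in the comments; the entity types Role::, Action:: and Tool::, the tool names, and the Contractor role are constructed.

```python
# Primitive name derived from the JSON-RPC method prefix, matching context.primitive.
PRIMITIVE_BY_METHOD_PREFIX = {
    "tools": "tool", "resources": "resource", "prompts": "prompt", "sampling": "sampling",
}


def build_context(request: dict) -> dict:
    """Map one JSON-RPC request onto context.primitive/method/target/arguments."""
    method = request["method"]
    params = request.get("params") or {}
    return {
        "primitive": PRIMITIVE_BY_METHOD_PREFIX.get(method.split("/", 1)[0], "unknown"),
        "method": method,
        # Tools and prompts are addressed by name; resources by URI.
        "target": params.get("name") or params.get("uri") or "",
        "arguments": params.get("arguments") or {},
    }


# (effect, predicate) pairs; the Cedar equivalent of each is in the comment.
# Entity types and names are constructed for this example.
POLICIES = [
    # permit(principal in Role::"Engineering", action == Action::"tools/call",
    #        resource == Tool::"jira.create_issue");
    ("permit", lambda p, c: "Engineering" in p["roles"]
               and c["method"] == "tools/call" and c["target"] == "jira.create_issue"),
    # permit(principal in Role::"Analyst", action == Action::"tools/call",
    #        resource == Tool::"db.query");
    ("permit", lambda p, c: "Analyst" in p["roles"]
               and c["method"] == "tools/call" and c["target"] == "db.query"),
    # forbid(principal, action, resource)
    # when { context.arguments has mode && context.arguments.mode == "write" };
    ("forbid", lambda p, c: c["arguments"].get("mode") == "write"),
    # forbid(principal in Role::"Contractor", action, resource)
    # when { context.primitive == "resource" };
    ("forbid", lambda p, c: "Contractor" in p["roles"] and c["primitive"] == "resource"),
]


def evaluate(policies, principal: dict, context: dict) -> str:
    """Cedar decision rule: any satisfied forbid denies; otherwise at least one
    satisfied permit is required; with no match the default is deny."""
    satisfied = {effect for effect, applies in policies if applies(principal, context)}
    if "forbid" in satisfied:
        return "deny"
    return "allow" if "permit" in satisfied else "deny"


def decide(request: dict, principal: dict) -> dict:
    """Build the context for a request and return the decision alongside it."""
    context = build_context(request)
    return {"decision": evaluate(POLICIES, principal, context), "context": context}


if __name__ == "__main__":
    # Constructed principal and request: the permit matches, but so does the
    # write forbid, so the result is deny.
    engineer = {"subject": "u-1", "roles": ["Engineering"]}
    request = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
               "params": {"name": "jira.create_issue",
                          "arguments": {"title": "Rotate keys", "mode": "write"}}}
    print(decide(request, engineer))
```

The evaluate function is the whole of the semantics the section describes: explicit forbids are collected first, permits only count when no forbid matched, and an unmatched request is denied rather than allowed.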

Server Integrity & Drift Validation

A major risk in MCP deployments is the "schema rug-pull": a compromised or altered downstream server changes its advertised schema after registration to expose dangerous operations or to inject malicious tool descriptions. Aegis mitigates this with its Drift Validator:

  1. Registration Pinning: When a server is registered via the Control Plane, its schemas and description hashes are pinned.
  2. Active Scanning: The Drift Validator periodically polls the tools/list and resources/list methods and diffs each response against the pinned hashes.
  3. Auto-Quarantine: If drift is detected, Aegis triggers an alert and immediately places the route into quarantine (disabling tool execution) until manually reviewed.
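The pin, diff and quarantine cycle in the three steps above, as an added example that is not Aegis code. The hash scope (name, description, inputSchema), canonical JSON hashing, the Route class and the two tools/list responses are assumptions constructed for the example; canonical hashing is used so that key order or whitespace differences in a response never register as drift.

```python
import hashlib
import json


def canonical_hash(obj) -> str:
    """SHA-256 over canonical JSON so key order and whitespace never cause false drift."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(data.encode()).hexdigest()


def pin_tools(tools_list_result: dict) -> dict:
    """Return {tool_name: hash} covering each tool's description and input schema."""
    return {
        tool["name"]: canonical_hash({
            "description": tool.get("description", ""),
            "inputSchema": tool.get("inputSchema", {}),
        })
        for tool in tools_list_result.get("tools", [])
    }


def diff_pins(pinned: dict, current: dict) -> list:
    """List every added, removed or changed tool between two pin sets."""
    findings = []
    for name in sorted(set(pinned) | set(current)):
        if name not in current:
            findings.append(f"removed: {name}")
        elif name not in pinned:
            findings.append(f"added: {name}")
        elif pinned[name] != current[name]:
            findings.append(f"changed: {name}")
    return findings


class Route:
    """One registered downstream server with its pinned schema hashes (constructed)."""

    def __init__(self, name: str, registration_result: dict):
        self.name = name
        self.pins = pin_tools(registration_result)   # step 1: registration pinning
        self.quarantined = False
        self.alerts = []

    def validate(self, current_result: dict) -> list:
        """Step 2: diff a polled tools/list response against the pins."""
        findings = diff_pins(self.pins, pin_tools(current_result))
        if findings:
            self.quarantined = True                   # step 3: tool execution stops
            self.alerts.append({"route": self.name, "findings": findings})
        return findings

    def can_execute(self) -> bool:
        return not self.quarantined

    def approve(self, reviewed_result: dict) -> None:
        """Manual review accepted the new schema: re-pin and lift the quarantine."""
        self.pins = pin_tools(reviewed_result)
        self.quarantined = False


# Constructed responses: what the server advertised at registration, and a
# later poll where one description changed and an unregistered tool appeared.
REGISTERED = {"tools": [
    {"name": "jira.create_issue",
     "description": "Create a Jira issue in the caller's project.",
     "inputSchema": {"type": "object", "properties": {"title": {"type": "string"}}}},
]}
DRIFTED = {"tools": [
    {"inputSchema": {"properties": {"title": {"type": "string"}}, "type": "object"},
     "description": "Create a Jira issue and post it to the team channel.",
     "name": "jira.create_issue"},
    {"name": "shell.exec", "description": "Run a shell command.",
     "inputSchema": {"type": "object"}},
]}

if __name__ == "__main__":
    route = Route("jira-mcp", REGISTERED)
    print(route.validate(DRIFTED), route.can_execute())
```

Hashing per tool rather than over the whole response means the alert names exactly which tool changed, which is what the reviewer lifting the quarantine needs to see.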