A constitution-bound security scanner that refuses to act outside its charter. Exposes MCP tools for secrets detection (with SHA-256 redaction), obfuscation analysis, dependency checks, Dockerfile linting, and IaC scans across Terraform and GitHub Actions. Every decision lands in an append-only journal. Findings live in a portable SQLite index you can share with teammates to skip rescanning. The CLI runs standalone, the MCP server plugs into Claude Desktop or Cursor via stdio, and an optional LLM advisor step interprets high-severity hits. It blocks network calls unless the host is allowlisted, won't echo credentials into context, and treats prompt injection in scanned files as data, not instructions. Built for defensive work and evaluated against labeled fixtures, with precision and recall metrics in-tree.
claude mcp add --transport stdio verrysimatupang99-aegis -- uvx aegis-sec