# AEGIS **AI-native Defensive Security Operating System.** > This repository materializes the frozen architecture defined in `docs/architecture/`. It exists to support disciplined implementation of a defensive-only security platform whose objective is **sustainable trust**, not feature count. ## Status - Architecture Program: **COMPLETE** (60 documents, ~102,000 words). - Architecture Freeze: **APPROVED** (ARCH-58). - Implementation Readiness Report: **APPROVED** (ARCH-59). - Reference Architecture Review: **APPROVED** (ARCH-60). - Repository: **v1.0** (see `REPOSITORY-v1.0.md`). - Implementation: **AUTHORIZED** — begins with the Security Kernel per the confirmed priority order. ## Non-Negotiable Rules Every implementation must comply with the Engineering Constitution in `CLAUDE.md`. In particular: - No implementation may **contradict an approved ADR**. - No implementation may **bypass**: the Security Kernel, the Capability Broker, the Policy Engine, the Evidence Chain, the Audit Chain, Verification, or Architecture Governance. - Every PR satisfies: **Architecture Compliance, Threat Model Compliance, Verification Coverage, Security Review, Operational Review, Recovery Validation, Documentation Update, ADR Update** (if architecture changes). ## Repository Structure The layout is architecture-mandated per `docs/architecture/60-reference-architecture-review.md` §4. ``` CLAUDE.md # Engineering Constitution — highest authority docs/ # Architecture, ADRs, runbooks, verification, IRA/ORR, releases, schemas config/ # Signed configuration (per ARCH-22 class) contracts/ # Versioned wire formats (protobuf) crates/ # Rust workspace — security-critical hot paths packages/ # TypeScript workspace — engines + orchestration + UI tools/ # Ceremony, threat sim, CAV, chaos, consistency checker, doc harnesses tests/ # Golden (protected) + property + fuzz + integration + contract + e2e + fixtures deployments/ # Reference topologies R-1 through R-6 plugins/ # Example/reference plugins models/ # AI model manifests (weights fetched at build) scripts/ # Repo tooling .github/workflows/ # CI, signing pipeline, SBOM generation, two-CI verification ``` ## Implementation Priority Order Per ARCH-60 §2 R-9 (confirmed by governance 2026-07-10): 1. Security Kernel 2. Identity Engine 3. Capability Broker (Kernel sub-module) 4. Policy Engine 5. Evidence Engine 6. Audit Engine 7. Runtime Risk Engine 8. Verification Infrastructure 9. Recovery Domain 10. AI Safety Layer 11. AI Engine **Deterministic security is the foundation. AI is an enhancement.** AI Engine is implemented only after the deterministic security foundation exists. ## Success Not measured by features shipped. Measured by: - Architecture preserved. - Verification maintained. - Security guarantees upheld. - Operational simplicity retained. - Evidence remains reproducible. - Recovery remains verifiable. ## Getting Started (implementation team) 1. Read `CLAUDE.md` in full. 2. Read `docs/architecture/01-vision.md` and `docs/architecture/33-platform-design-principles.md`. 3. Read `docs/architecture/59-implementation-readiness-report.md` for the phased plan. 4. Read `docs/architecture/60-reference-architecture-review.md` for repository structure and the confirmed order. 5. Complete the four post-freeze Conditionals (ADR retrofit, Verification Matrix population, runbook authoring, structure adoption). 6. Begin implementation of the Security Kernel. ## License To be determined by legal review before public release.