Skip to main content

AEGIS-CHAOS: From 'Vibe Coding' to Closed-Loop SRE

Aegis-Chaos · Post 1 of 1 · → View on GitHub

From “Vibe Coding” to Closed-Loop SRE

How zero-trust policies, Git isolation, and math-based budget guardrails let an autonomous agent say “no” — and mean it.

Aegis-Chaos Dashboard Banner
Aegis-Chaos: An autonomous SRE control plane with real-time zero-trust guardrails.

Most AI coding assistants today operate on trust. You prompt, they generate, and you ship. That works—until it doesn’t. A single destructive command, an uncaught runaway loop, or a stale approval can turn an autonomous agent into a production incident.

Project Aegis-Chaos was built to answer a simple question: what happens when the AI says “no”?

This post walks through the zero-trust architecture, parallel isolation strategy, math-based budget guardrails, and end-to-end visual verification pipeline that make up our closed-loop SRE control plane—designed for the Google Developer Expert Sprint and built on the Antigravity SDK.

The Declarative Safety Stack Every tool call fans out through four policy layers before touching the shell. Tool Callrun_command L1 workspace_onlyfilesystem boundary L1 deny rm -rf /hard-coded block L2 ask_userevaluate_remediation_risk CheckpointRequestedFirestore escrow L6 allow *diagnostics pass Executeshell / cloud API L1 explicit deny L2 escrow gate L6 allow Design rule: the agent never reaches the shell without passing the stack.
Four layers. One direction. The stack is deny-by-default: nothing passes unless a layer explicitly allows it.

The Risk Predicate

The evaluate_remediation_risk predicate inspects the CommandLine string for destructive tokens or production environment references. A single match escalates the call to the L2 escrow gate:

  • Destructive: rm -rf, iptables, gcloud beta, kubectl delete, terraform destroy, pulumi destroy, drop database
  • Production: prod, production, live-cluster

Parallel Performance & Context Management

Autonomous remediation often requires multiple specialized subagents: one for infrastructure, one for UI validation, one for test coverage. Aegis-Chaos avoids context-window bloat by enforcing isolation at the Git level.

The .agents/skills/chaos-heal/SKILL.md playbook mandates plan-first discipline, an isolated Git worktree, parallel subagents scoped to that worktree, and a validation gate before any merge:

git worktree add ../remediation-worktree -b hotfix/remediate-latency

By scoping each subagent to a single worktree, we reduce prompt size, lower Tinput / Toutput / Tthoughts per turn, and enable parallel execution without competing for the same context window.

The Non-Blocking Checkpoint State Machine

Long-running remediation loops risk infinite retries or runaway token spend. Aegis-Chaos enforces a hard budget constraint in real time.

Cturn = κ · (Tinput + Toutput + Tthoughts) + Σ Ψtoolj
Symbol Meaning Default
κ (kappa)Cost per token0.0001
TinputPrompt tokens consumed
ToutputCompletion tokens generated
TthoughtsInternal reasoning tokens
Ψ (psi)Cost per tool call0.01
MTools invoked this turn
Ccumulative = Σ Cturnt ≤ Θbudget

If Ccumulative exceeds Θbudget (default 2.0), the TokenLedger trips a kill_switch. The conversation loop halts immediately.

At-Most-Once Execution via Firestore Delete-First

When a checkpoint is requested, the system must guarantee that the remediation session resumes exactly once, even under Cloud Tasks delivery retries.

resume_from_checkpoint enforces this by reading the Firestore checkpoint document, deleting it first — before any Git checkout or conversation replay — and then verifying the deletion succeeded by re-reading the document. Only after the delete is confirmed does the worker restore the Git worktree and resume the Antigravity conversation thread.

If the task retries, the document is already gone, so the worker returns False and the session scales down cleanly.

End-to-End Verification Flow

Visual regressions are first-class bugs. Aegis-Chaos ships an automated browser-actuation pipeline to catch them.

4.1 Performance Dashboard

The control plane interacts with a live dashboard exposing a latency metrics card with a Run Latency Probe button. Calling GET /latency?hotfix=enabled returns 45ms optimized; otherwise 2500ms degraded. The frontend toggles the card between .card.degraded (red #e74c3c) and .card.optimized (green #2ecc71).

4.2 Browser Actuation Script

.agents/skills/chaos-heal/scripts/verify_ui.py drives a headless Chrome debugging session, clicks #probe, reads getComputedStyle(el).borderTopColor, and compares it against design tokens. A screenshot is saved to artifacts/web_ui_assertion.png and a .webm recording to artifacts/validation_run.webm.

Aegis Latency UI Verification Card
The visual assertion card captured by Playwright after the latency probe runs.

Setup & Run Instructions

5.1 Prerequisites

  • Python 3.10+
  • Git
  • Docker (for GKE cluster MCP runtime)
  • Node.js / npx (for Playwright browser install, optional)

5.2 Clone and Install

git clone https://github.com/<org>/project-aegis-chaos.git
cd project-aegis-chaos
python3 -m venv venv
source venv/bin/activate
pip install -e .

5.3 Configure Antigravity CLI

Create ~/.gemini/antigravity-cli/settings.json:

{
  "toolPermission": "request-review",
  "theme": "monokai",
  "verbosity": "low",
  "title": { "enabled": true, "scripts": ["<repo>/.agents/skills/chaos-heal/scripts/render_title.sh"] },
  "statusLine": { "enabled": true, "scripts": ["<repo>/.agents/skills/chaos-heal/scripts/render_status.sh"] }
}

Create ~/.gemini/antigravity-cli/mcp_config.json:

{
  "mcpServers": {
    "gke_cluster_mcp": {
      "command": "docker",
      "args": [
        "run", "--rm", "-i",
        "-v", "${HOME}/.config/gcloud:/root/.config/gcloud:ro",
        "-v", "${HOME}/.kube:/root/.kube:ro",
        "-e", "KUBECONFIG=/root/.kube/config",
        "gcr.io/google-containers/kubectl:latest"
      ]
    }
  }
}

5.4 Launch Services

To experience Aegis-Chaos locally, we start the API webhook ingestion gateway and the dashboard side-by-side using the local virtual environment:

Terminal 1 — Webhook Ingest Gateway (port 8000):

./venv/bin/uvicorn src.aegis_chaos.webhook_ingest:app --host 0.0.0.0 --port 8000

Terminal 2 — Performance Dashboard (port 8080):

./venv/bin/python tests/mock_services/app.py

5.5 Run Offline Verification Suite

You can run our unit test harness validating the security fabric constraints, HMAC headers, timestamp skewing, and check pointing logic locally:

./venv/bin/pytest -q

Expected output: 8 passed in 0.02s

5.6 Run Automated Visual Verification

Playwright can actuate Chrome in headless mode to simulate visual regressions on the UI dashboard card (clicking the probe and capturing design tokens):

# Ensure Playwright browser binaries are present
./venv/bin/playwright install chromium

# Execute the UI validation script
./venv/bin/python .agents/skills/chaos-heal/scripts/verify_ui.py

This outputs RECORDING: artifacts/validation_run.webm and writes a visual PNG trace inside the artifacts/ directory.

5.7 Execute Autonomous Self-Healing Pipeline

To run the agent-driven orchestrator, load the safety policies and initiate the Antigravity session runner with a simple Python script:

import asyncio
from aegis_chaos.orchestrator import run_healing_pipeline

# Starts the stateful healing agent within your workspace
asyncio.run(run_healing_pipeline("/workspace/root"))

5.8 Direct Pipeline Execution

To run the entire pipeline end-to-end locally, configure the active environment variables and execute the local integration test:

# Configure active dev mode and webhook secret
export AEGIS_LOCAL_MODE=true
export AEGIS_WEBHOOK_SECRET=aegis-secret-key

# Execute the local E2E test
./venv/bin/python tests/test_local_e2e.py

This runs uvicorn in the background, triggers a real HTTP post to /webhooks/alert, validates the HMAC-SHA256 signature, dispatches to the task handler, checks out the git worktree, and verifies checkpoint deletion.

Security & Compliance Summary

Threat Vector Mitigation
Tampered webhook payloadHMAC-SHA256 with hmac.compare_digest
Replay attackMillisecond timestamp ±60s drift window
Runaway agent loopToken budget kill-switch (Ccumulative > Θbudget)
Destructive shell commandL1 explicit deny + L2 escrow checkpoint
Partial failure / retryFirestore delete() before side effects
Context pollutionGit worktree isolation + scoped subagent contexts

Lifecycle at a Glance

Closed-Loop SRE Lifecycle From anomaly detection to evidence-based reporting, every step is policy-gated and budget-bounded. Anomaly Detectedingress latency spike Webhook HMAC + Timestampreplay guard + signature Cloud Tasks Enqueuerun-{session_id} dedup Worker: Delete-FirstFirestore checkpoint Restore Git Worktreehotfix/remediate-latency Resume Agent Conversationconversation_id replay L1 workspace_onlyboundary L1 deny rm -rf /hard block L2 ask_userevaluate_remediation_risk CheckpointRequestedFirestore escrow L6 allow *diagnostics pass Token Ledger + Kill-SwitchC_cumulative ≤ Θ_budget L1 explicit deny / checkpoint path L2 escrow gate L6 allow / safe path Design rule: every path is logged, budgeted, and either approved or explicitly denied.
From anomaly to evidence: every arrow is a decision point, every box is a safety boundary.

Lifecycle at a Glance

The full closed-loop flow, in plain text:

Anomaly Detected
      │
      ▼
Webhook HMAC + Timestamp Guard
      │
      ▼
Cloud Tasks Enqueue run-{session_id}
      │
      ▼
Worker: Firestore delete-first checkpoint
      │
      ▼
Restore isolated Git worktree
      │
      ▼
Resume Antigravity agent conversation
      │
      ▼
   ┌──┴──┐
   │     │
L1 Deny  L2 Ask User
   │     │
   │     ▼
   │  CheckpointRequested → Firestore
   │     │
   │     ▼
   │  Out-of-band approval
   │     │
   └──┬──┘
       │
       ▼
   L6 Allow diagnostic
       │
       ▼
Token Ledger: C_turn, C_cumulative
       │
   ┌───┴───┐
   │       │
Budget OK  Budget Breached
   │       │
   │       ▼
   │   Kill-switch → scale down
   │       │
   └───┬───┘
       │
       ▼
Browser actuation: verify UI + record WebM
       │
       ▼
Report evidence + leave branch for review

Project Aegis-Chaos · autonomous self-healing SRE control plane built for the Google Developer Expert Sprint. Code: github.com/rabimba/aegis.

Comments

Popular posts from this blog

Deep Dive into the Google Agent Development Kit (ADK): Features and Code Examples

In our previous overview, we introduced the Google Agent Development Kit (ADK) as a powerful Python framework for building sophisticated AI agents. Now, let's dive deeper into some of the specific features that make ADK a compelling choice for developers looking to create agents that can reason, plan, use tools, and interact effectively with the world. 1. The Core: Configuring the `LlmAgent` The heart of most ADK applications is the LlmAgent (aliased as Agent for convenience). This agent uses a Large Language Model (LLM) for its core reasoning and decision-making. Configuring it effectively is key: name (str): A unique identifier for your agent within the application. model (str | BaseLlm): Specify the LLM to use. You can provide a model name string (like 'gemini-1.5-flash') or an instance of a model class (e.g., Gemini() ). ADK resolves string names using its registry. instruction (str | Callable): This is crucial for guiding the agent's be...

Build Smarter AI Agents Faster: Introducing the Google Agent Development Kit (ADK)

The world is buzzing about AI agents – intelligent entities that can understand goals, make plans, use tools, and interact with the world to get things done. But building truly capable agents that go beyond simple chatbots can be complex. You need to handle Large Language Model (LLM) interactions, manage conversation state, give the agent access to tools (like APIs or code execution), orchestrate complex workflows, and much more. Introducing the Google Agent Development Kit (ADK) , a comprehensive Python framework from Google designed to significantly simplify the process of building, testing, deploying, and managing sophisticated AI agents. Whether you're building a customer service assistant that interacts with your internal APIs, a research agent that can browse the web and summarize findings, or a home automation hub, ADK provides the building blocks you need. Core Concepts: What Makes ADK Tick? ADK is built around several key concepts that make agent development more s...

Curious case of Cisco AnyConnect and WSL2

One thing Covid has taught me is the importance of VPN. Also one other thing COVID has taught me while I work from home  is that your Windows Machine can be brilliant  as long as you have WSL2 configured in it. So imagine my dismay when I realized I cannot access my University resources while being inside the University provided VPN client. Both of the institutions I have affiliation with, requires me to use VPN software which messes up WSL2 configuration (which of course I realized at 1:30 AM). Don't get me wrong, I have faced this multiple times last two years (when I was stuck in India), and mostly I have been lazy and bypassed the actual problem by side-stepping with my not-so-noble  alternatives, which mostly include one of the following: Connect to a physical machine exposed to the internet and do an ssh tunnel from there (not so reliable since this is my actual box sitting at lab desk, also not secure enough) Create a poor man's socks proxy in that same box to have...