research(security): AEGIS pre-execution firewall — 3-stage intercept + Ed25519 chained audit, 1.2% FPR, 8.3ms overhead (arXiv:2603.12621)

[bug-ops]

Paper

arXiv:2603.12621 — AEGIS: No Tool Call Left Unchecked — A Pre-Execution Firewall and Audit Layer for AI Agents

Key Finding

Framework-agnostic 3-stage tool call intercept: (1) argument extraction, (2) risk scan, (3) policy validation. Produces an Ed25519+SHA-256 chained audit trail. Blocked 48/48 attack scenarios at 1.2% false positive rate and 8.3ms median overhead across 14 agent frameworks.

Applicability to Zeph

• zeph-tools: Zeph's ToolExecutor trait runs tools after the LLM returns a tool_use block. AEGIS-style pre-execution intercept fits naturally here — validate tool arguments against a policy before executing.
• Audit trail: PR feat(tools): ClaimSource provenance, ErrorDomain recovery, MCP tool pruning #2293 adds ClaimSource and AuditEntry. AEGIS's chained Ed25519 audit would extend this: each AuditEntry could sign over the previous hash, making the audit log tamper-evident.
• Risk scan stage: Complements the existing ExfiltrationGuard and sandbox checks. The 3-stage pipeline (extract → scan → validate) is more structured than current ad-hoc checks in legacy.rs / native.rs.
• Implementation sketch: Add PreExecutionFirewall trait to zeph-tools. Default impl passes through; security impl runs the 3 stages. Wire into CompositeExecutor.execute() before dispatching to the concrete executor.
• 1.2% FPR at 8.3ms: Well within acceptable bounds for interactive agent use.