AegisFS

Rust-hardened VFS. Agent Token Sandboxing. Chrono-Graveyard intercept. AegisFS turns the risk of rogue AI data destruction into confident autonomous engineering.

Comment

🛡️ AegisFS

Agent-Aware Sandboxed Virtual File Manager

AegisFS is a Rust-based Virtual File System (VFS) with kernel-level FUSE integration designed to protect your sensitive data from autonomous AI agents. By implementing a zero-trust sandbox and a "Chrono-Graveyard," it transforms reactive security into a mathematically enforced fortress for your local development environment.

🚨 The Problem: Speed vs. Security in the Agentic Era

Today, autonomous AI agents spend more time executing filesystem actions than human developers. Behind the scenes, these tools are constantly issuing system calls—reading files, writing code, and modifying configurations—often entirely outside of our visibility.

In the race to build products faster, the tech industry is aggressively prioritizing speed over security. Developers frequently skip safety checks or run highly autonomous tools while bypassing dangerous permission prompts just to iterate more quickly. This "speed trap" has consequences: recent assessments show that security vulnerabilities have tripled since the mass adoption of AI tools. If an agent hallucinates or suffers a prompt injection attack, it can silently exfiltrate SSH keys or wipe out critical project files.

To mitigate this, security-conscious developers have been forced to run their agentic coding tools inside clunky Virtual Machines (VMs) or isolated containers. But this introduces massive friction to the developer experience.

The Question: What if you could keep the speed of local host development, but physically guarantee your agent couldn't destroy your system?

💡 The Solution (Inspiration)

This exact dilemma inspired AegisFS.

Imagine an AI agent with write access to your filesystem accidentally deletes your SSH keys, overwrites your .env file with production credentials, and scrapes your private keys before you notice. What do you do?

AegisFS acts as an autonomous guardrail system designed to provide a "hardened shell" around your sensitive files. It ensures that even the most capable AI agents are physically and mathematically restricted from causing irreversible damage or exfiltrating critical secrets—allowing developers to build at maximum speed directly on their host machine, without the anxiety.

🚀 What It Does

AegisFS utilizes a kernel-level security middleware layer to enforce multiple layers of defense:

  • 🛡️ Agentic RBAC Sandbox: Token-based authentication with granular permissions (Read, Write, Admin) and path-based access control.
  • Chrono-Graveyard: A soft-delete mechanism that intercepts all deletions, moving files to a timestamped graveyard with a 24-hour TTL auto-purge.
  • 🎯 Pattern-Based Blocking: Categorically blocks access to sensitive files (.env, id_rsa, credentials, etc.) by filename pattern.
  • 🖥️ Dual-Mode Execution: Interactive TUI for human operators and a headless CLI for AI agents with Base64-encoded file content.
  • FUSE Integration: Kernel-level filesystem mounting on Linux that routes ALL file operations through AegisFS security middleware.

Key Innovation: We implement mathematical blocking for graveyard access. If an agent token is present and the path is the graveyard, access is categorically impossible. This is not a permission check; it's a structural truth that even Admin tokens cannot bypass.

🛠️ How We Built It

  • Language: Rust (Edition 2021) with tokio for high-performance async I/O.
  • Interface: ratatui + crossterm (Interactive TUI) and clap (Headless CLI).
  • Security Layer: fuser (FUSE integration for Linux) + libc (system call handling).
  • Data Management: serde + serde_json (State & Token persistence).
  • Time & Paths: chrono (TTL management) + dirs (cross-platform directory detection).

🚧 Challenges We Ran Into

  1. FUSE Cross-Platform Parity: FUSE is natively a Linux kernel feature. Implementing platform-conditional compilation to support Windows (via WSL) while providing clear error messages for native WinFsp requirements was a significant architectural hurdle.
  2. Path Canonicalization & UNC: Windows UNC paths (\\?\) frequently broke graveyard detection logic. We implemented a custom normalization engine to handle case sensitivity and path representation differences across OS environments.
  3. Async Recursion in Rust: Managing recursive directory logic in an async context required complex Box::pin implementations to prevent infinitely-sized futures, ensuring the VFS remains memory-safe and efficient.

✨ Accomplishments We're Proud Of

  • Zero-Trust Kernel Integration: By mounting via FUSE on Linux, any process is forced through AegisFS security logic, providing true system-wide protection.
  • Transparent Security UI: Built a dual-mode design where humans monitor blocked operations in a real-time TUI while agents interact via a headless, Base64-encoded CLI.
  • Hardened Recovery: The "Chrono-Graveyard" ensures that mistakes by an LLM are reversible within 24 hours, providing true peace of mind.

🧠 What We Learned

  • Ownership for Safety: Rust's ownership model provides memory safety without sacrificing the performance needed for intensive file I/O.
  • Structural Boundaries: Mathematical security boundaries (categorical impossibility) are significantly stronger and more reliable than simple permission hierarchies.
  • Proactive Purging: Time-to-Live (TTL) auto-purge is essential for graveyard systems to prevent storage bloat while maintaining a safety net.

🔮 What's Next for AegisFS

  • WinFsp Integration: Bringing native, kernel-level FUSE support to Windows users without requiring WSL.
  • Audit Logging: Exporting comprehensive, signed logs of all agent file interactions for enterprise compliance.
  • Encryption at Rest: Automatically encrypting graveyard contents with AES-256 for an additional layer of security.

Built With

  • chrono
  • clap
  • crossterm
  • dirs
  • fuser
  • libc
  • ratatui
  • rust
  • serde
  • tokio
Share this project:

Updates