The Aegis architecture follows a strictly decoupled, Zero-Trust pattern: 1. Control Plane (NestJS/Python): The control plane aggregates observability data via OpenTelemetry and runs ML-driven anomaly detection (using Prophet for forecasting). It generates 'Remediation Intents' but lacks the credentials to execute them directly. It stores tasks in an 'Encrypted Intent Buffer' (PostgreSQL + Redis). 2. Security Layer (OPA/JWS): Every intent is signed with an HMAC or RSA-4096 key. The local OPA sidecar provides the decision-ready 'Engine' that evaluates task safety against live cluster metrics (e.g., 'Is CPU > 80%? If yes, deny restart'). 3. Execution Plane (Go Agents): Lightweight agents deployed as DaemonSets in Kubernetes clusters. They pull tasks via an authenticated endpoint (GET /tasks?cluster_id=X). This 'External-In' isolation ensures that the control plane cannot 'hack' the cluster; it can only 'propose' work that the agent chooses to accept. 4. Observability Mesh (Otel/Loki): Aegis uses 'Blinded Observability.' Logs are encrypted at the agent level using HKDF-derived keys, ensuring that sensitive infrastructure data in Loki is only accessible to authorized engineers, even if the logging backend is compromised.

Designing Aegis required choosing safety over speed in several critical areas: - Pull-Based Latency vs. Push-Based Speed: A push-based system reacts in <10ms. A pull-based system has a polling latency of 1-5 seconds. I chose pull-based because the security benefits of closed inbound ports far outweigh the requirement for sub-second remediation in 99% of infra scenarios. - OPA vs. Hardcoded Logic: Hardcoding safety rules in the agent would be faster to develop. I chose OPA for its 'Declarative' nature, allowing teams to update guardrails instantly via GitOps without redeploying the execution agents. - Shadow Mode Complexity: Implementing a parallel 'Log-Only' path for every action doubled the state complexity. However, it was essential for 'Operator Trust'—without a way to see what the AI *would* have done, no SRE would ever turn the system to 'AUTONOMOUS' mode.

Aegis is engineered to scale across thousands of clusters. The 'Pull' mechanism is inherently horizontally scalable. By leveraging Redis for task distribution, a single Aegis control plane can support 10k+ agents polling at 5s intervals with sub-200ms API response times. We utilize 'Adaptive Polling' to reduce load: agents poll slower when the cluster is healthy and accelerate to 1s intervals when an anomaly is detected. The control plane is stateless, allowing for effortless N+1 scaling behind a standard load balancer. Our benchmarks show the system can handle 50,000 active remediation intents in the buffer without slowing down the task-pull endpoints.

Aegis is built on a Zero-Trust mandate. Security is the core value proposition. - JWS Intent Validation: We use JSON Web Signatures to ensure that only the verified control plane can issue commands. Agents rotate their public keys through a secure handshake every 24 hours. - Blinded Observability: Utilizing the HKDF (HMAC-based Key Derivation Function), we mask pod names, IP addresses, and custom labels in the logs before they leave the cluster. Only the 'Security Officer' role in the Aegis UI can de-mask the data. - Default-Deny Policies: In line with Staff-level engineering standards, our OPA policies are 'Default-Deny.' Unless a specific remediation action is explicitly whitelisted for a cluster ID, it is blocked, preventing the AI from 'inventing' new infrastructure patterns.

The Aegis dashboard (Next.js 15) is a high-performance command center for infrastructure state. - Real-Time Topology Explorer: Built with React Flow, the topology view provides a live, interactive map of cluster health. We use Server Components (RSC) to stream the initial dashboard state, reducing Time-to-Interactive (TTI) by 30%. - Remediation Timeline: SREs can view a 'Play-by-Play' breakdown of AI reasoning. Each recommendation links back to the Prometheus metrics that triggered it, providing a 'Full-Chain' audit trail from alert to action. - Optimistic UI with Rollback: When a human approves an action, the UI pessimistically shows the 'Applying' state. If the agent returns a 'Policy Violation' error, the UI rolls back instantly with a detailed explanation of why the guardrail blocked the action.