{
  "audit_pack_signing": {
    "composes_with_customer_attestation": "https://aiegis.ie/docs/audit-packs/#hop-5-bind-to-your-network-identity-recommended-for-regulator-filings",
    "pubkey_url_pattern": "https://aiegis.ie/.well-known/aegis-evidence-pubkey/<org_id>.pem (v0.4) \u2192 /<org_id>/<kid>.pem (v0.5+)",
    "schema_version": "v0.4.1",
    "scope_in_planned_v_0_5": "KMS-backed signing key (OVHcloud Frankfurt for sovereign tier)",
    "scope_in_planned_v_0_6": "Merkle transparency log appends signed manifest digests; design conforms to Certificate Transparency model (RFC 6962) for proof-of-inclusion verifier compatibility",
    "scope_in_planned_v_0_7": "Third-party witness federation cross-verifies operator-signed packs",
    "scope_in_v_0_4": true,
    "signing_algorithm": "Ed25519",
    "signing_kid_schema": {
      "v0_4_file": "v0_4_file:<org_id> \u2014 file-stored per-customer key, no rotation",
      "v0_5_kms": "v0_5_kms:<region>:<org_id>:<rotation> \u2014 KMS-backed (planned v0.5)",
      "v0_7_witness": "v0_7_witness:<region>:<org_id>:<rotation>:<witness_fed_id> \u2014 witness-federated (planned v0.7)"
    },
    "trust_property_post_v_0_7": "forgery-resistant via third-party witness federation",
    "trust_property_pre_v_0_7": "tamper-evident, operator-self-attested",
    "verifier_sha256": "https://aiegis.ie/.well-known/aegis-evidence-verifier.sha256",
    "verifier_url": "https://aiegis.ie/.well-known/aegis-evidence-verifier.py"
  },
  "browser_extension_permissions": {
    "host_permissions": [
      "https://chat.openai.com/*",
      "https://chatgpt.com/*",
      "https://claude.ai/*",
      "https://gemini.google.com/*",
      "https://copilot.microsoft.com/*",
      "https://api.openai.com/*",
      "https://api.anthropic.com/*",
      "https://generativelanguage.googleapis.com/*",
      "https://aiegis.ie/*"
    ],
    "nativeMessaging": "Send captures to local SQLite",
    "storage": "Persist license + endpoint + enforce flag",
    "webRequest": "Observe outbound AI vendor API calls"
  },
  "compliance_attestations": {
    "eu_ai_act_article_26": "supported",
    "gdpr": "controller_processor_arrangement_via_dpa",
    "iso_42001": "supported",
    "soc2_type_2": "operator_target_q3_2026"
  },
  "customer_attestation": {
    "binding_fields": [
      "org_id (must match AiEGIS audit pack)",
      "customer_legal_entity (CRO/Companies-House/equivalent registration)",
      "aegis_install_token_hash (matches manifest.install_token_redemption_hash from v0.4.5+)",
      "attestation_signature (customer-side Ed25519 over canonical JSON)",
      "attestation_pubkey (with key_authority pointing at TLS cert / CT log per RFC 6962 / DNSSEC)"
    ],
    "customer_publication_path": "https://<customer-domain>/.well-known/aegis-customer-attestation.json",
    "purpose": "Two-party independent attestation: AiEGIS signs the audit pack proving event capture; customer signs an attestation at their own domain proving the events belong to their network identity. Closes leaked-pack-reuse and competitor-stolen-pack attack classes.",
      "regulator_workflow": "Regulator fetches the AiEGIS audit pack and the customer attestation (from the customer's own domain). Cross-checks: pack.org_id == attestation.org_id AND pack.install_token_redemption_hash == attestation.aegis_install_token_hash. Verifies the AiEGIS signature with the key fetched from the aiegis.ie well-known path for pack.org_id (pubkey_url_pattern); pack.pubkey_url must be checked against that pattern before use rather than treated as an arbitrary trust root, since a URL carried inside the pack would otherwise let a forged pack name its own key. Verifies the customer signature against attestation.attestation_pubkey as anchored by its key_authority (TLS cert / CT log / DNSSEC). Both pass = pack provably belongs to the attested customer network; before v0.7 the AiEGIS side remains operator-self-attested (see trust_property_pre_v_0_7).",
    "schema_url": "https://aiegis.ie/.well-known/aegis-customer-attestation-schema.json",
    "schema_version": "v0.4.5",
    "scope_in_planned_v_0_4_5": true,
    "scope_in_planned_v_0_5": true,
    "scope_in_planned_v_0_7": true,
    "scope_in_v_0_4": false,
    "trust_property": "two_party_independent_attestation",
    "trust_property_post_v_0_7": "forgery-resistant via third-party witness federation cross-verifying both signatures",
    "trust_property_pre_v_0_7": "tamper-evident through both signatures (operator-self-attested chain at AiEGIS side, customer-self-attested at customer side)"
  },
  "data_flows": [
    {
      "destination": "browser_content_script",
      "fields": [
        "raw_prompt"
      ],
      "id": "intercept_prompt_in_browser",
      "leaves_browser": false,
      "leaves_machine": false,
      "source": "browser_content_script",
      "transport": "in_memory_javascript",
      "trigger": "User submits prompt; content script's wrapped window.fetch is invoked"
    },
    {
      "destination": "browser_content_script",
      "fields": [
        "raw_prompt"
      ],
      "id": "redact_in_browser",
      "leaves_browser": false,
      "leaves_machine": false,
      "output_fields": [
        "prompt_redacted"
      ],
      "source": "browser_content_script",
      "transformation": "pii_redaction_via_regex_patterns",
      "transport": "in_memory_javascript",
      "trigger": "After interception, before policy check"
    },
    {
      "decision": "ALLOW or BLOCK",
      "destination": "local_daemon_policy_endpoint",
      "fields": [
        "prompt_redacted",
        "vendor",
        "url"
      ],
      "id": "policy_check_local",
      "leaves_machine": false,
      "source": "browser_content_script",
      "transport": "http_localhost",
      "trigger": "Redacted prompt sent to customer's local policy engine"
    },
    {
      "destination": "ai_vendor_original_url",
      "fields": [
        "original_user_prompt"
      ],
      "id": "forward_to_vendor_if_allowed",
      "leaves_machine": true,
      "modified_by_aegis": false,
      "note": "AiEGIS does NOT proxy this. Forwarded request hits the same URL the user requested with the same body the user typed.",
      "redirected_by_aegis": false,
      "source": "browser_content_script",
      "transport": "https_unmodified",
      "trigger": "Policy returned ALLOW"
    },
    {
      "destination": "browser_content_script_throws_exception",
      "fields": [],
      "id": "block_if_policy_refuses",
      "leaves_machine": false,
      "outcome": "Wrapped fetch/XHR throws; the prompt never reaches the AI vendor through that request. Only requests passing through the content script's wrapped fetch/XHR are blocked; surfaces listed under scope_out (file attachments, voice/image input, vendor native desktop apps) are not intercepted in v0.3.x.",
      "source": "browser_content_script",
      "transport": "javascript_exception",
      "trigger": "Policy returned BLOCK"
    },
    {
      "destination": "local_native_host",
      "fields": [
        "prompt_redacted",
        "response_redacted",
        "ts",
        "vendor",
        "model_version",
        "tab_title",
        "url",
        "policy_decision"
      ],
      "id": "capture_for_audit_log",
      "leaves_machine": false,
      "note": "Daemon never receives unredacted prompt content; it receives only the output of the in-browser regex redaction (redact_in_browser), so any PII the regex pattern set does not match is not stripped before it reaches the local audit log.",
      "source": "browser_content_script",
      "transport": "chrome_native_messaging",
      "trigger": "After policy check (regardless of ALLOW or BLOCK)"
    },
    {
      "destination": "local_sqlite",
      "fields": "all_capture_fields",
      "id": "persist_capture",
      "leaves_machine": false,
      "source": "local_native_host",
      "transport": "file_io",
      "trigger": "Native host receives event"
    },
    {
      "data_subject_content_included": false,
      "destination": "https://aiegis.ie/api/license/check",
      "fields": [
        "license_key"
      ],
      "id": "license_check",
      "leaves_machine": true,
      "note": "License key only. No prompts, no responses, no captures, no metadata. Verified by static-analysis gate check_outbound_endpoints.sh.",
      "source": "local_native_host",
      "transport": "https",
      "trigger": "Daemon weekly poll + on-launch (v0.3.5+)"
    },
    {
      "data_subject_content_included": false,
      "destination": "https://aiegis.ie/api/fleet/license/issue",
      "field_lawful_basis": {
        "customer_email": "Article 6(1)(b) contract \u2014 operator must email license + revocation notices to admin"
      },
      "field_retention": {
        "customer_email": "until_license_revoked_or_customer_offboarded; plaintext today, hash-and-evict in v0.5",
        "machine_hostname": "until_license_revoked_or_customer_offboarded",
        "os_name": "until_license_revoked_or_customer_offboarded"
      },
      "fields": [
        "machine_hostname",
        "os_name",
        "customer_email"
      ],
      "id": "license_issue",
      "leaves_machine": true,
      "note": "Runs once at install. No prompts captured yet at this point in the flow. Customer admin email stored on VPS as plaintext today; v0.5 ships hash-and-evict so VPS retains only the SHA-256 of the email after install confirmation.",
      "source": "admin_dashboard",
      "transport": "https",
      "trigger": "Initial install (one-time, admin-side)"
    },
    {
      "data_subject_content_included": false,
      "destination": "https://aiegis.ie/api/team-share",
      "fields": [
        "admin_uploaded_files"
      ],
      "id": "team_share_optional",
      "leaves_machine": true,
      "note": "Admin-controlled. Customer never uploads captured prompts via this path. Audit-logged on VPS side.",
      "source": "admin_dashboard",
      "transport": "https_bearer_auth",
      "trigger": "Admin manually uploads files (specs, scripts, policy bundles)"
    },
    {
      "architectural_decision_ref": "Option A \u2014 usage-attestation-only, locked 2026-05-05 11:08 IST per Velo+Nel agreement; Option B (TLS MITM) is v0.6+ scope",
      "data_NOT_captured": [
        "prompt_content (TLS-encrypted at OS layer \u2014 structurally invisible to ETW/ESF)",
        "response_content (same reason)",
        "TLS handshake bodies (only ClientHello SNI extension is captured, never application-layer payload)"
      ],
      "data_categories": [
        "process_name",
        "process_path",
        "process_pid",
        "remote_hostname_resolved",
        "remote_ip",
        "remote_port",
        "connection_timestamp",
        "machine_id",
        "user_uid_or_sid"
      ],
      "destination": "AiEGIS daemon SQLite + audit pack aggregation",
      "id": "mac_native_capture",
      "lawful_basis": "Article 6(1)(b) \u2014 contract performance: customer purchased endpoint AI visibility",
      "purpose": "Capture process attribution metadata for AI-vendor desktop app traffic that browser-only tooling misses. Native sensor proves USAGE occurred (process X connected to api.openai.com at ts Y). Browser-side capture proves CONTENT (redacted prompt body). Customer audit pack reads both surfaces unified.",
      "retention": "30 days local; aggregated digests in 90-day audit packs",
      "scope_in_planned_v_0_5_5": true,
      "scope_in_v_0_4": false,
      "source": "macOS endpoint sensor (Endpoint Security Framework)",
      "tier": "enterprise + sovereign"
    },
    {
      "architectural_decision_ref": "Option A \u2014 usage-attestation-only, locked 2026-05-05 11:08 IST per Velo+Nel agreement; Option B (TLS MITM) is v0.6+ scope",
      "data_NOT_captured": [
        "prompt_content (TLS-encrypted at OS layer \u2014 structurally invisible to ETW/ESF)",
        "response_content (same reason)",
        "TLS handshake bodies (only ClientHello SNI extension is captured, never application-layer payload)"
      ],
      "data_categories": [
        "process_name",
        "process_path",
        "process_pid",
        "remote_hostname_resolved",
        "remote_ip",
        "remote_port",
        "connection_timestamp",
        "machine_id",
        "user_uid_or_sid"
      ],
      "destination": "AiEGIS daemon SQLite + audit pack aggregation",
      "id": "windows_native_capture",
      "lawful_basis": "Article 6(1)(b) \u2014 contract performance: customer purchased endpoint AI visibility",
      "purpose": "Capture process attribution metadata for AI-vendor desktop app traffic that browser-only tooling misses. Native sensor proves USAGE occurred (process X connected to api.openai.com at ts Y). Browser-side capture proves CONTENT (redacted prompt body). Customer audit pack reads both surfaces unified.",
      "retention": "30 days local; aggregated digests in 90-day audit packs",
      "scope_in_planned_v_0_5": true,
      "scope_in_v_0_4": false,
      "source": "Windows endpoint sensor (ETW + Schannel + Kernel-Process providers)",
      "tier": "enterprise + sovereign"
    }
  ],
  "data_flows_explicitly_NOT_PRESENT": [
    "siem_fanout",
    "syslog_export",
    "email_export",
    "third_party_llm_postprocessing",
    "telemetry_to_operator",
    "crash_reporting_to_operator",
    "analytics_pixels"
  ],
  "data_residency": {
    "primary": "customer_local_machine",
    "vps_does_not_hold": [
      "prompts",
      "responses",
      "tab_titles",
      "urls",
      "captured_metadata"
    ],
    "vps_holds": [
      "license_key_hash",
      "customer_email",
      "fleet_machine_metadata"
    ]
  },
  "data_subject_rights": {
    "access": "via_customer_dpo",
    "erasure": "via_customer_dpo",
    "operator_can_fulfill_directly": false,
    "rationale": "Operator does not receive or store data subject content.",
    "rectification": "via_customer_dpo"
  },
  "deployment": {
    "extension_chrome_id": "bcfemlbodhgneehigjajdilpkibcackd",
    "extension_chrome_id_derivation": "deterministic_from_manifest_key_field_sha256",
    "gpo_policy_template_status": "v_0_3_7_roadmap",
    "gpo_policy_template_url_v_0_3_7": "https://aiegis.ie/downloads/aegis_chrome_gpo_template.zip",
    "license_file_mode": "0600_owner_only",
    "license_file_path_linux": "~/.local/share/aegis/license",
    "license_file_path_mac": "~/.aegis/license",
    "license_file_path_windows": "%LOCALAPPDATA%\\AiEGIS\\license",
    "native_messaging_host_id": "com.aiegis.host"
  },
  "effective_date": "2026-05-05",
  "encryption": {
    "at_rest_local_sqlite": "filesystem_acl_mode_600",
    "in_transit_to_vps": "tls_1_3",
    "v04_planned": [
      "signed_jwt_licenses",
      "signed_audit_pack_ed25519",
      "signed_crl"
    ]
  },
  "interception_model": "intercept_and_conditionally_block",
  "interception_model_details": {
    "can_refuse_forwarding": true,
    "default_policy": "ALLOW_ALL",
    "fail_mode_bound_to": "license_tier_claim_in_jwt",
    "fail_mode_enterprise_tier": "fail_closed",
    "fail_mode_smb_tier": "fail_open_with_warning",
    "fail_mode_sovereign_tier": "fail_closed",
    "modifies_outbound_content": false,
    "operator_reaches_policy_decisions": false,
    "policy_engine_endpoint": "http://localhost/api/protect",
    "policy_engine_location": "customer_local_daemon_localhost",
    "redirects_to_proxy": false,
    "scope_in": [
      "chat_input_prompt_text",
      "vendor_api_json_body"
    ],
    "scope_out_planned_v_0_5": [
      "file_content_scan",
      "mac_native_agent"
    ],
    "scope_out_planned_v_0_6": [
      "windows_native_agent"
    ],
    "scope_out_v_0_3_x": [
      "file_attachments_multipart_form_data",
      "voice_input",
      "image_input_outside_chat_text",
      "vendor_native_desktop_apps"
    ],
    "transport": "window_fetch_and_xhr_monkey_patch_in_content_script"
  },
  "lawful_basis": {
    "primary": "Article 6(1)(b) \u2014 contract performance",
    "primary_description": "Customer organization contracted AiEGIS for endpoint AI compliance visibility; capture is necessary to deliver the contracted service.",
    "secondary": "Article 6(1)(f) \u2014 legitimate interest",
    "secondary_balancing_test": "Documented in /privacy \u00a73 (deployment must be employer-deployed with employee notification).",
    "secondary_description": "Customer's controller-side legitimate interest in detecting AI-policy violations across endpoints; balanced against employee privacy via employer-deployed installation with employee notification, named-purpose retention, and local-only storage (effective retention is set by the retention section: no auto-prune in v0.3.5, 90-day default planned in v0.4; the 30-day figure applies to native sensor captures)."
  },
  "operator": {
    "country": "IE",
    "name": "AiEGIS Ltd",
    "privacy_contact": "privacy@aiegis.ie",
    "security_contact": "security@aiegis.ie"
  },
  "policy_url": "https://aiegis.ie/privacy",
  "retention": {
    "auto_prune_default_days_v_0_4": 90,
    "auto_prune_v_0_4_planned": true,
    "configurable": true,
    "current_v_0_3_5_behavior": "no_auto_prune",
    "customer_local_retention": "indefinite_until_customer_deletes",
    "enforced_at": "customer_local_daemon",
    "operator_retention_days": 0,
    "operator_retention_rationale": "Operator never receives data subject content; nothing to retain."
  },
  "revocation_propagation": {
    "contract_origin": "audit_pack_signing v0.5 \u00a712",
    "empirical_lab_p99_ms": 0.0,
    "empirical_runs": 3,
    "empirical_sample_count": 18000,
    "empirical_zero_accepts_after_revoke": true,
    "measured_at": "2026-05-06",
    "p99_intra_host_ms": 50
  },
  "static_analysis_gates": [
    {
      "name": "check_outbound_endpoints.sh",
      "pairs_with": [
        "data_flows.allowlist",
        "browser_extension_permissions.host_permissions"
      ],
      "purpose": "Greps daemon + extension source for any HTTP/HTTPS URL literal not on the allowlist above. Pre-deploy gate. Fails the release if any unauthorized endpoint is found. Being a source-text grep, it covers URL literals present in the source; endpoints assembled at runtime or read from configuration would need a separate check.",
      "version": "1.0"
    }
  ],
  "third_party_sharing": {
    "advertising_pixels": false,
    "analytics_pixels": false,
    "cross_site_cookies": false,
    "shares_with": []
  },
  "user_consent": {
    "first_run_modal": true,
    "policy_installed_users_can_disable": true,
    "user_can_disable_via_popup": true
  },
  "version": "1.6"
}