
Aegis Platform

What we're building: a document protection platform where files carry their own security policies — access rules, identity verification, expiration, and audit logging — regardless of where they travel.

PRD v3.0  ·  Internal Technical Overview  ·  March 2026

Five Systems, Clear Boundaries

All communication via API. No system accesses another system's database. Clear boundaries. Independent deployability.

Experience Layer: Aegis SecureTrust (Portal)
  Dashboard, document management, compliance, alerting, role administration. All human interaction. Configuration UI for Worker Factory modules and tools. Owns: Auth, RBAC, Config, Brand.

Desktop Access: Aegis Client App (Windows, Mac)
  Native file handler for .aegisdoc files. Identity verification. Online-required auth via SecureTrust.

  ↓  API  ↓

Automation Layer: Aegis Worker Factory (Governed Module Runtime)
  Deterministic workflow execution. Modular architecture with hot-swappable modules and tools.
  Foundational modules: Intake, Re-Protect, Desktop Access, Scheduling.
  Vertical modules: Wire Guardian, plus hot-loadable customer modules.

  ↓  API  ↓

Security Engine: Aegis Core (Protection)
  Encryption, identity binding, policy enforcement, delegation, revocation. Sertainty SDK integration.

Intelligence Layer: Aegis Data Platform (Analytics)
  Event ingestion, audit trails, hash-chained integrity, alerting, reporting, SMTP/SMS configuration.

How It Works

Two primary document protection paths, portal upload and automated intake, plus the desktop access path for opening a protected file.

Portal Upload (User-Initiated)
1 User uploads file in SecureTrust, picks group + policy
2 SecureTrust submits protect job to Worker Factory
3 Worker Factory calls Core to wrap file via Sertainty SDK
4 Core returns .aegisdoc → stored at user-specified location
5 Events logged to Data Platform. User sees confirmation
Storage Adapter (Automated)
1 Storage Adapter detects new file in monitored folder
2 File enters intake pipeline (or routes to Wire Guardian)
3 Worker Factory protects via Core with configured policy
4 Post-protection: move, rename, leave, or destroy original
5 Events logged. Failures retried once, then flagged
Desktop Access (Aegis Client App)
1 User double-clicks .aegisdoc → Client App launches
2 Client App → Worker Factory → SecureTrust: authenticate user (challenge/response)
3 Worker Factory asks Core, over its API, to check the user's authorization against Core's identity records, then unprotects with the workflow identity
4 Clear file delivered to Client App → opens in default application
5 Clear file securely deleted on close / session expiry. Events logged by both Client App and Worker Factory

Worker Factory: Three-Tier Architecture

The defining architectural principle — infrastructure that never changes, modules that ship with every deployment, and vertical modules built per customer.

Tier A: Platform Core (Infrastructure Services)
  Foundation that all modules depend on. Never changes per customer.
  Services: Job Management, Module Registry, Tool Registry, Module-Tool Framework, Scheduling, Audit Pipeline, Health, Hot-Loading.

Tier B: Foundational Modules & Tools (Ships With Every Deployment)
  Deterministic automation. Same in every deployment.
  Modules: Storage Adapter, Intake Pipeline, Re-Protection, Desktop Access, Scheduled Tasks.
  Tools: Core API Client, Storage Connector, Document Parser, Auth Relay, Reference Data Lookup.

Tier C: Vertical Module Framework (Customer / Industry Specific)
  Extensibility layer. Built during PS or loaded by the customer. Hot-swappable.
  Examples: Wire Guardian, Module Template, Tool Template, Human Escalation, plus customer-built modules.

Module-Tool Separation

Modules are orchestration logic — they decide what to do, in what order. Tools are shared capabilities — they interact with external systems. The same tool can be used by multiple modules. Each module declares which tools it requires and optionally uses.

Modules (Orchestration)
  Intake Pipeline: requires Core API Client, Storage Connector
  Desktop Access: requires Auth Relay, Core API Client
  Wire Guardian: requires Document Parser, Reference Data Lookup, Core API Client
  Re-Protection: requires Core API Client, Storage Connector

A module declares its tools; at run time it invokes them; every invocation is governed by that declaration. Undeclared = rejected.

Tools (Shared Capabilities)
  Aegis Core API Client: protect, unprotect, re-protect, identity, health
  Storage Connector: read, write, move, delete, poll, webhooks
  Document Parser: extract structured data from documents
  SecureTrust Auth Relay: challenge/response authentication
  Reference Data Lookup: Wire Guardian reference data queries

Permission enforcement: A module can only invoke tools declared in its definition. Undeclared tool invocations are rejected and logged. Independent development, testing, configuration, and lifecycle per module and per tool.

Hot-Loading: Extend Without Redeployment

Add new modules and tools to a running Worker Factory. No restart. No maintenance window. Discovered by SecureTrust within 60 seconds.

Hot-Load Sequence
  1. Admin uploads module definition via SecureTrust UI (CAP-AWF-LOAD capability required)
  2. SecureTrust submits definition to Worker Factory API (authenticated, authorized request)
  3. Worker Factory validates interface compliance, tool declarations, schemas (invalid definitions rejected with a descriptive error)
  4. Module registered in registry; module.registered event sent to Data Platform
  5. Registry change notification pushed to SecureTrust (discovery in under 60 seconds)
  6. New module appears in admin dashboard, ready for work (config, health, status visible immediately)
What gets validated on load
  Interface compliance: Required
  Input/output contracts: Required
  Tool declarations resolve to registered tools: Required
  Configuration schema: Required
  Version field: Required
  Code-signing: Post-MVP
  Runtime sandboxing: Post-MVP

Until code-signing and runtime sandboxing land, the load path rests entirely on the CAP-AWF-LOAD check and the structural validation above, and a loaded module runs with the Worker Factory's own privileges. CAP-AWF-LOAD should therefore be granted as an administrative, code-execution-equivalent capability.
Lifecycle Management
  • Enable/disable individual modules and tools via SecureTrust
  • Disabled modules complete in-flight work, then stop
  • Disabling a tool puts all requiring modules in degraded mode
  • Deregister removes from registry entirely
  • Every lifecycle event audited to Data Platform
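The load-time checks listed above and the run-time rule from Module-Tool Separation (a module may invoke only the tools it declared; undeclared invocations are rejected and logged) fit together in one governance layer. The following Python is an added example written for this overview, not Worker Factory code: the registry shape, the definition field names and the in-memory audit list are assumptions, and the Wire Guardian definition it validates is constructed from the declarations on this page.

```python
"""Worker Factory module governance: load-time validation and run-time
tool enforcement. Added illustration; registry shape, field names and the
in-memory audit sink are assumptions, not the Aegis implementation."""
import re

# Assumed tool registry shape: tool name -> registration record.
TOOL_REGISTRY = {
    "core_api_client": {"version": "1.0.0", "enabled": True},
    "storage_connector": {"version": "1.0.0", "enabled": True},
    "document_parser": {"version": "1.0.0", "enabled": True},
    "reference_data_lookup": {"version": "1.0.0", "enabled": True},
}

# Assumed module interface: every definition must carry these fields.
INTERFACE_FIELDS = ("name", "version", "tier", "tools", "inputs", "outputs", "config_schema")

# Constructed definition for the Wire Guardian vertical module.
WIRE_GUARDIAN_DEF = {
    "name": "wire_guardian",
    "version": "1.2.0",
    "tier": "C",
    "tools": {"requires": ["document_parser", "reference_data_lookup", "core_api_client"],
              "optional": []},
    "inputs": [{"name": "file_path", "type": "string"}],
    "outputs": [{"name": "decision", "type": "string"}],
    "config_schema": {"properties": {"confidence_threshold": {"type": "number"}},
                      "required": ["confidence_threshold"]},
}


def validate_definition(defn, registry):
    """Return descriptive errors; an empty list means the definition is accepted."""
    errors = [f"interface: missing field '{k}'" for k in INTERFACE_FIELDS if k not in defn]
    if errors:
        return errors  # shape is wrong; deeper checks would only produce noise
    if not re.fullmatch(r"\d+\.\d+\.\d+", str(defn["version"])):
        errors.append(f"version: '{defn['version']}' is not MAJOR.MINOR.PATCH")
    if defn["tier"] not in ("A", "B", "C"):
        errors.append(f"tier: '{defn['tier']}' is not one of A, B, C")
    tools = defn["tools"]
    if not isinstance(tools, dict) or set(tools) - {"requires", "optional"}:
        errors.append("tools: expected {'requires': [...], 'optional': [...]}")
    else:
        for kind in ("requires", "optional"):
            for name in tools.get(kind, []):
                if name not in registry:  # declarations must resolve to registered tools
                    errors.append(f"tools.{kind}: '{name}' is not a registered tool")
    for side in ("inputs", "outputs"):  # input/output contracts
        for i, spec in enumerate(defn[side]):
            if not {"name", "type"} <= set(spec):
                errors.append(f"{side}[{i}]: contract needs 'name' and 'type'")
    schema = defn["config_schema"]  # configuration schema
    props = schema.get("properties", {})
    errors += [f"config_schema.properties.{p}: missing 'type'" for p, s in props.items() if "type" not in s]
    errors += [f"config_schema.required: '{r}' is not a declared property"
               for r in schema.get("required", []) if r not in props]
    return errors


class UndeclaredToolError(PermissionError):
    """Raised when a module invokes a tool absent from its declaration."""


class GovernedModule:
    """Runtime wrapper: only declared tools may be invoked; rejections are audited."""

    def __init__(self, defn, registry, audit):
        self.defn, self.registry, self.audit = defn, registry, audit
        self.declared = set(defn["tools"].get("requires", [])) | set(defn["tools"].get("optional", []))

    def health(self):
        """Degraded while any required tool is disabled; optional tools never degrade."""
        disabled = [t for t in self.defn["tools"].get("requires", []) if not self.registry[t]["enabled"]]
        return "degraded" if disabled else "running"

    def invoke(self, tool, action):
        if tool not in self.declared:
            self.audit.append({"event": "tool.invocation.rejected", "module": self.defn["name"],
                               "tool": tool, "action": action})
            raise UndeclaredToolError(f"{self.defn['name']} did not declare tool '{tool}'")
        if not self.registry[tool]["enabled"]:
            raise RuntimeError(f"tool '{tool}' is disabled")
        self.audit.append({"event": "tool.invoked", "module": self.defn["name"],
                           "tool": tool, "action": action})
        return f"{tool}.{action}"  # stand-in for the real tool call


if __name__ == "__main__":
    print("errors:", validate_definition(WIRE_GUARDIAN_DEF, TOOL_REGISTRY))
    trail = []
    wg = GovernedModule(WIRE_GUARDIAN_DEF, TOOL_REGISTRY, trail)
    print(wg.invoke("document_parser", "extract"), wg.health())
```

Validation is deliberately all-or-nothing on the interface fields and then exhaustive on everything else, so an admin sees every defect in one rejection rather than one per upload attempt. The health check only looks at required tools, which matches the lifecycle rule that disabling a tool degrades the modules that require it.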

Wire Guardian: Vertical Module in Action

A concrete example of the module-tool framework. Wire Guardian verifies wire instruction documents against known-good reference data before protection.

  1. File Detected: Storage Adapter routes the file to Wire Guardian (pre-protection module)
  2. Parse: Document Parser tool extracts bank, routing, account, amount, beneficiary
  3. Compare: Reference Data Lookup tool checks the extracted fields against known-good data
  4. Decide: Clean → auto-protect. Mismatch → flag for human review

Wire Guardian Tool Dependencies
  Document Parser: Required
  Reference Data Lookup: Required
  Aegis Core API Client: Required
If any required tool is unavailable, Wire Guardian enters degraded mode and pauses processing until the tool recovers.

Human Escalation
  • Any mismatch creates a flagged item with discrepancy details, affected fields, confidence, and recommended action
  • Flagged items pushed to SecureTrust flagged queue
  • Analyst reviews: Approve / Reject / Escalate
  • Worker Factory executes the human decision
  • No autonomous action on a flagged item without a human decision
Reference Data Management
Hybrid model: initial bulk load during PS Phase 3. Admin manages individual entries (add, edit, deactivate, reactivate) via SecureTrust UI. Deactivated entries excluded from comparisons — not deleted. Bulk import remains PS-managed. All changes audited.
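The Compare and Decide steps above, in Python, as an added example rather than Wire Guardian's own code. The reference record layout, the field normalisation, the confidence weights and the recommended-action rule are assumptions, and the reference rows are constructed placeholders, not real bank details. Deactivated entries are kept but excluded from lookup, as the Reference Data Management note requires.

```python
"""Wire Guardian compare-and-decide step. Added illustration: reference
record shape, field normalisation and the confidence heuristic are
assumptions; the reference rows are constructed, not real bank details."""
import re
from dataclasses import dataclass


@dataclass
class ReferenceEntry:
    beneficiary: str
    bank: str
    routing: str
    account: str
    active: bool = True  # deactivated entries stay in the store but never match


# Constructed known-good reference data.
REFERENCE = [
    ReferenceEntry("Shapiro Family Trust", "First Example Bank", "011000015", "000123456789"),
    ReferenceEntry("Shapiro Family Trust", "Old Example Bank", "021000021", "000987654321", active=False),
    ReferenceEntry("Klein Holdings LLC", "Second Example Bank", "031000053", "000555555555"),
]

COMPARED = ("bank", "routing", "account")
# Heuristic weight of each mismatched field in the flag's confidence score.
WEIGHT = {"routing": 0.5, "account": 0.4, "bank": 0.3}


def normalise(field, value):
    """Digits only for routing/account; case- and whitespace-insensitive otherwise."""
    if field in ("routing", "account"):
        return re.sub(r"\D", "", value)
    return " ".join(value.casefold().split())


def lookup(beneficiary, reference):
    """Reference Data Lookup stand-in: active entries for this beneficiary only."""
    key = normalise("beneficiary", beneficiary)
    return [e for e in reference if e.active and normalise("beneficiary", e.beneficiary) == key]


def decide(extracted, reference=REFERENCE):
    """Clean -> auto-protect. Anything else -> flagged item for the SecureTrust queue."""
    candidates = lookup(extracted["beneficiary"], reference)
    if not candidates:
        return {"decision": "flag", "reason": "no_active_reference_entry",
                "affected_fields": ["beneficiary"], "confidence": 1.0,
                "recommended_action": "escalate"}
    # Compare against the active entry with the fewest discrepancies.
    best, mismatched = None, None
    for entry in candidates:
        diff = [f for f in COMPARED if normalise(f, getattr(entry, f)) != normalise(f, extracted[f])]
        if mismatched is None or len(diff) < len(mismatched):
            best, mismatched = entry, diff
    if not mismatched:
        return {"decision": "auto_protect", "matched": best.beneficiary, "confidence": 1.0}
    return {
        "decision": "flag",
        "reason": "reference_mismatch",
        "affected_fields": mismatched,
        "discrepancies": {f: {"document": extracted[f], "reference": getattr(best, f)} for f in mismatched},
        "confidence": round(min(1.0, sum(WEIGHT[f] for f in mismatched)), 2),
        # A changed routing or account number is the classic wire-fraud signature.
        "recommended_action": "reject" if {"routing", "account"} & set(mismatched) else "review",
    }


if __name__ == "__main__":
    doc = {"beneficiary": "Shapiro Family Trust", "bank": "First Example Bank",
           "routing": "021-000-089", "account": "000123456789", "amount": "250000.00"}
    print(decide(doc))
```

Note that a document matching only a deactivated reference entry is flagged with every compared field in disagreement, which is the intended outcome: deactivation is how an analyst retires stale instructions without losing the audit history of what they were.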

Security & Audit Trail

Platform-enforced identity model, hash-chained audit trail, and capability-based access control.

Identity Model
Platform-Enforced
Documents wrapped with platform workflow identity only. All user-level access control enforced at the database level by Core. Identity changes are immediate — no file re-wrapping required.
Audit Trail
Hash-Chained + Sequenced
Per-document cryptographic hash chain links events. Global monotonic sequence number detects deletion. Customer-verifiable. 7-year default retention.
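A minimal version of the per-document hash chain and global sequence number, with the verifier a customer would run over an exported trail. This is an added example, not the Data Platform's actual format: SHA-256 over canonical JSON and the event field names are assumptions. It hashes raw field values, so it does not model how the anonymization described below keeps the chain intact; a real scheme has to design that in (for example by hashing a salted token rather than the raw PII).

```python
"""Hash-chained, sequenced audit trail with a customer-side verifier. Added
illustration; canonical-JSON-over-SHA-256 and the event field names are
assumptions, not the Data Platform's actual format."""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash for the first event of each document


def digest(body):
    """SHA-256 over canonical JSON (sorted keys, no whitespace)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class AuditLog:
    """Appends events with a per-document hash chain and a global sequence number."""

    def __init__(self):
        self.events = []
        self._seq = 0
        self._heads = {}  # doc_id -> hash of that document's latest event

    def append(self, doc_id, event_type, actor, **details):
        self._seq += 1
        body = {"seq": self._seq, "doc_id": doc_id, "type": event_type, "actor": actor,
                "details": details, "prev_hash": self._heads.get(doc_id, GENESIS)}
        body["hash"] = digest(body)  # covers every field above, including prev_hash and seq
        self._heads[doc_id] = body["hash"]
        self.events.append(body)
        return body


def verify(events):
    """Return findings; an empty list means the exported trail is intact.
    Modified content -> hash mismatch. Removed event -> sequence gap, plus a
    chain break at the next event for the same document."""
    findings, expected_seq, heads = [], 1, {}
    for ev in events:
        if ev["seq"] != expected_seq:
            findings.append(f"sequence gap: expected {expected_seq}, found {ev['seq']}")
        expected_seq = ev["seq"] + 1
        if digest({k: v for k, v in ev.items() if k != "hash"}) != ev["hash"]:
            findings.append(f"seq {ev['seq']}: content does not match its hash")
        if ev["prev_hash"] != heads.get(ev["doc_id"], GENESIS):
            findings.append(f"seq {ev['seq']}: chain break for {ev['doc_id']}")
        heads[ev["doc_id"]] = ev["hash"]
    return findings


def sample_trail():
    """Constructed four-event trail over two documents."""
    log = AuditLog()
    log.append("Wire-Shapiro-03.pdf", "doc.protected", "wf:intake", policy="client-standard")
    log.append("Klein-Account-Setup.pdf", "doc.protected", "wf:intake", policy="client-standard")
    log.append("Wire-Shapiro-03.pdf", "wg.flagged", "wf:wire_guardian", fields=["routing"])
    log.append("Wire-Shapiro-03.pdf", "doc.accessed", "user:j.martinez", ip="10.0.0.12")
    return log.events


if __name__ == "__main__":
    events = sample_trail()
    print("intact:", verify(events))
    print("seq 3 removed:", verify(events[:2] + events[3:]))
```

Two properties worth knowing when reading the findings: an attacker who edits an event and recomputes its hash is still caught by the chain check on the next event for that document, but truncating the very end of the trail leaves no gap to detect. Customer verification therefore needs an externally anchored head (the latest sequence number and hash published or delivered out of band), which is what makes the "customer-verifiable" claim hold.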
Access Control
44 Capabilities / 13 Domains
Named role bundles with checkbox capability matrix. Enforced solely by SecureTrust middleware; Worker Factory and Core trust that SecureTrust has already verified the caller's capabilities. That makes SecureTrust the trust boundary for RBAC: the backend APIs must accept requests only from authenticated SecureTrust (and Worker Factory) service identities, because any caller that reaches them directly bypasses the capability check entirely.
Security Highlights
  • All inter-system communication encrypted in transit
  • All databases encrypted at rest, keys rotatable
  • Clear files securely deleted after delivery (overwritten, not merely unlinked; overwriting does not reliably erase data on SSDs or copy-on-write filesystems, so client-side disk encryption remains the real safeguard)
  • Account suspension after configurable failed access attempts
  • Tool credentials encrypted at application layer before DB storage
  • No information leakage in error responses
  • Pen test before first production deployment
Data Subject Anonymization
Cross-system, irreversible PII anonymization:
  • SecureTrust: User account records
  • Core: Identity and delegation records
  • Data Platform: Audit events (actor, email, IP)
  • Replaces PII with anonymized token
  • Preserves hash chain integrity and record structure

Architecture: Ownership & Degraded Modes

Each system owns its own data. When one goes down, the others keep going.

Data Ownership

  Aegis Core: identity definitions, policy records, doc-identity mappings, delegation records, license config
  Aegis Data Platform: events & audit trails, alert rules, SMTP config, SMS gateway config
  Aegis Worker Factory: job queue, module registry, tool registry, tool config & credentials, flagged queue, Wire Guardian reference data
  Aegis SecureTrust: user accounts, auth credentials, RBAC roles/capabilities, group definitions, branding

Three-System Dependency Chain

SecureTrust depends on Worker Factory, which depends on Aegis Core.

Core must be up for full operation. Worker Factory needs Core. SecureTrust needs both for full functionality.

Degraded Mode Behavior

Core Down
Worker Factory pauses intake & re-protection. Desktop access fails. SecureTrust enters read-only mode. Data Platform continues.
Data Platform Down
All systems continue operating. Audit events buffered locally by each system. Flush on recovery. Alerts & reporting unavailable.
Worker Factory Down
File intake stops. Desktop access unavailable. Existing documents and alerts unaffected. Core & Data Platform continue.
SecureTrust Down
Desktop auth blocked. Intake & scheduled tasks continue. Core & Data Platform unaffected.
Event buffering: All four producing systems (Core, Worker Factory, SecureTrust, Client App) buffer events locally when Data Platform is unavailable. Persistent storage, ordering preserved, automatic flush on recovery. Target: zero event loss.
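The buffering behaviour above (persistent local storage, order preserved, automatic flush on recovery) as an added Python example rather than Aegis code. The JSON-lines file, the sink callable and the fake Data Platform endpoint are assumptions; the events are constructed.

```python
"""Local event buffering for Data Platform outages. Added illustration: the
append-only JSON-lines file, the sink callable and the fake Data Platform are
assumptions, not the Aegis producers' actual implementation."""
import json
import os
import pathlib
import tempfile


class DataPlatformUnavailable(Exception):
    """Raised by the sink while the Data Platform cannot accept events."""


class EventBuffer:
    """Write-ahead buffer: every event is persisted locally before any send
    attempt, sends happen strictly in file order, and the unsent tail survives
    a process restart because it lives on disk."""

    def __init__(self, path, sink):
        self.path = pathlib.Path(path)
        self.sink = sink
        self.path.touch()

    def emit(self, event):
        with self.path.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(event, sort_keys=True) + "\n")
            fh.flush()
            os.fsync(fh.fileno())  # durable before we report success to the caller
        return self.flush()

    def flush(self):
        """Deliver buffered events oldest-first; stop at the first failure."""
        lines = self.path.read_text(encoding="utf-8").splitlines()
        sent = 0
        for line in lines:
            try:
                self.sink(json.loads(line))
            except DataPlatformUnavailable:
                break
            sent += 1
        if sent:  # rewrite the file atomically with only the unsent tail
            tmp = self.path.with_suffix(".tmp")
            tmp.write_text("".join(ln + "\n" for ln in lines[sent:]), encoding="utf-8")
            os.replace(tmp, self.path)
        return sent

    def pending(self):
        return len(self.path.read_text(encoding="utf-8").splitlines())


class FakeDataPlatform:
    """Stand-in ingest endpoint with an on/off switch."""

    def __init__(self):
        self.up = True
        self.received = []

    def ingest(self, event):
        if not self.up:
            raise DataPlatformUnavailable()
        # Write-then-send is at-least-once: a crash between a successful send and
        # the file rewrite re-sends, so the endpoint deduplicates on the event id.
        if all(e["id"] != event["id"] for e in self.received):
            self.received.append(event)


def simulate(workdir=None):
    """Outage in the middle of a stream; returns delivery order and buffer depths."""
    workdir = workdir or tempfile.mkdtemp()
    dp = FakeDataPlatform()
    buf = EventBuffer(pathlib.Path(workdir) / "worker-factory.events", dp.ingest)
    buf.emit({"id": 1, "type": "module.registered", "module": "wire_guardian"})
    dp.up = False  # Data Platform goes down
    buf.emit({"id": 2, "type": "doc.protected", "doc": "Wire-Shapiro-03.pdf"})
    buf.emit({"id": 3, "type": "wg.flagged", "doc": "Wire-Shapiro-03.pdf"})
    pending_during = buf.pending()
    dp.up = True  # recovery: the next emit (or a periodic flush) drains the backlog in order
    buf.emit({"id": 4, "type": "doc.protected", "doc": "Klein-Account-Setup.pdf"})
    return {"order": [e["id"] for e in dp.received],
            "pending_during_outage": pending_during,
            "pending_after_recovery": buf.pending()}


if __name__ == "__main__":
    print(simulate())
```

The design choice that matters for the "zero event loss" target is that the local write and fsync happen before the send is even attempted, so the only failure mode left is duplicate delivery, which the consumer handles by deduplicating on event id. A production producer would also run flush() on a timer rather than only on the next emit, so a quiet system still drains its backlog after recovery.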

SecureTrust Portal

The experience layer. Everything the user touches goes through here.

Mock screens (sample data). Navigation on every screen: Dashboard · Documents · Alerts · Roles · Automation; signed-in user shown as J. Martinez.

Dashboard (aegis.customer.com/dashboard)
  Tiles: 2,847 Protected Docs · 156 Users · 3 Active Alerts · 99.7% Protection Rate
  Recent Activity:
    2m   Doc protected     Q1-Portfolio.pdf
    5m   External access   Klein-Setup.pdf
    11m  Alert             Velocity anomaly
    23m  Revoked           Former employee
    1h   Report            SEC evidence.pkg
  System Health: Core OK · Worker Factory OK · Data Platform OK · Client App OK · Wire Guardian OK

Documents (aegis.customer.com/documents)
  Filters: All · Client · Internal · Shared. Action: + Protect
  Document                  Protected  Last Access  Status   Risk
  Q1-Portfolio-Review.pdf   Mar 9      2m           Active   Low
  Klein-Account-Setup.pdf   Mar 8      8m           Active   Low
  Wire-Shapiro-03.pdf       Mar 7      Yesterday    Flagged  High
  Board-Materials-Feb.pdf   Feb 26     Mar 5        Active   Med
  Compliance-Attest.pdf     Feb 15     Mar 1        Active   Low
  Trust-Chen.pdf            Feb 10     Feb 22       Revoked  N/A

Alerts (aegis.customer.com/alerts)
  Counts: 3 Active · 12 Resolved · 0 Pending
  Severity  Age        Alert                      Detail                                                   State
  CRITICAL  15m        Velocity: Bulk Access      47 files in 3 min. Session quarantined by SecOps.        Suspended
  HIGH      Yesterday  Wire Instruction Modified  Routing # changed. Hard stop by Wire Guardian.           Review
  MEDIUM    Mar 7      After-Hours Access         Board-Materials modified at 11:42pm. Read-only applied.  Resolved

Automation (aegis.customer.com/automation)
  Tabs: Modules · Tools · Adapters. Action: + Load Module
  Module Registry
  Module           Tier  Version  Status   Tools                       Health
  Intake Pipeline  B     1.0.0    Running  Core API, Storage           OK
  Desktop Access   B     1.0.0    Running  Auth Relay, Core API        OK
  Re-Protection    B     1.0.0    Running  Core API, Storage           OK
  Wire Guardian    C     1.2.0    Running  Parser, Ref Data, Core API  OK
  Storage Adapter  B     1.0.0    Running  Storage                     OK
  Tool Registry (each row carries a Configure action)
  Tool                    Type        Version  Health  Used By
  Aegis Core API Client   api_client  1.0.0    OK      Intake, Desktop, ReProt, WG
  Storage Connector       connector   1.0.0    OK      Intake, StorageAdpt, ReProt
  Document Parser         parser      1.0.0    OK      Wire Guardian
  SecureTrust Auth Relay  auth        1.0.0    OK      Desktop Access
  Reference Data Lookup   data        1.0.0    OK      Wire Guardian

Roles (aegis.customer.com/roles)
  Capability Matrix: 44 Capabilities / 13 Domains. Columns: Admin · Analyst · User · External
  DOCUMENT MANAGEMENT: Upload & Protect, View Detail, Add Recipient, Delete
  AWF MANAGEMENT: View Registries, Configure Tools, Configure Modules, Load Definitions
  ALERTING: View Alerts, Acknowledge, Configure Rules
  ... 44 capabilities across 13 domains total

Deployment & Operations

Single-host, containerized, professional services required for every deployment.

Deployment Model
Flexible Topology
Single host or distributed across multiple hosts with no code changes. MVP validates single-host. Cloud-agnostic via containerization. AWS validated first.
Multi-Tenancy
Architecture Ready
Multi-tenant architecture from day one. MVP deploys one tenant per instance. Tenant context in all sessions, API calls, and audit events.
Operations
Done-For-You
Every deployment requires PS engagement. Semantic versioning. Maintenance window for upgrades. All config recoverable from DB backup.
Performance Targets
  Authentication latency: < 3s (p95)
  File delivery after auth: < 2s
  Protection success rate: > 99.5%
  Health endpoint: < 1s
  Intake throughput: > 10 files/min
  Alert evaluation: < 15s
  Dashboard load: < 2s
  Concurrent users: 50 (target)
What's next after MVP: SSO/SAML, LLM-driven modules, multi-module marketplace, SIEM integrations, off-platform document access, horizontal scaling, mobile apps, no-code workflow builder.

PRD v3.0  ·  March 2026  ·  Internal Use Only