AIGIST
Constitutional AI Governance Toolkit
Private during R&D phase
“Morality is not a speech. It is a switch statement.”
AI agents are gaining autonomy, but the safety mechanisms guarding them are still just system prompts — speeches about why doing bad things is wrong. I’m building a typed policy and sandbox toolkit that compiles morality into WASM sandboxes, Zod schemas, and Biscuit Datalog rules. A speech can be argued with. Physics cannot. AIGIST is a deterministic governance architecture where an LLM is allowed to execute only what the cryptographic trust chain permits, only within a capability-scoped sandbox, and only after a Constitutional Supervisor co-signs the intent.
The Problem
What needed solving
As enterprises move beyond simple chatbots to autonomous agents that can execute code, modify databases, and interact with APIs, the risk of catastrophic failure increases exponentially. Current state-of-the-art safety relies on system prompts and post-generation filtering. But if an agent is compromised via prompt injection, it can simply ignore the instructions to "be safe". An enterprise cannot rely on asking an AI nicely not to delete its database.
The Solution
How I approached it
AIGIST shifts agent safety from the semantic layer (language) to the execution layer (cryptography and sandboxing). It doesn't replace the AI model; it governs it. By sitting as a middleman between the LLM and the tools it wants to call, AIGIST ensures that every tool call must be explicitly permitted by a cryptographic token, scoped to a specific task, and executed in an isolated WebAssembly sandbox.
How It Works
Under the hood
AIGIST implements a 5-layer Guardian Architecture that enforces safety through physics, not persuasion. Layer 1 uses Biscuit cryptographic tokens with Ed25519 signatures and Datalog attenuation rules — sub-agents are mathematically provable subsets of their parent’s authority, making privilege escalation impossible by construction.
Layers 2 through 5 add a WASM capability sandbox with deny-all defaults (the execution boundary), a Rust semantic firewall, a Constitutional Supervisor that co-signs every action via gRPC, and circuit breakers with health-score-based anomaly detection. Every layer operates independently — compromising one does not compromise the chain.
Architecture
The 5-Layer Guardian Stack
Layer 1: Cryptographic Identity
Biscuit tokens with Ed25519 signatures and Datalog attenuation rules. Sub-agents are mathematically provable subsets of their parent's authority.
Biscuit Tokens · Ed25519 · Datalog
Layer 2: WASM Capability Sandbox
Each agent action runs in a Wasmtime sandbox with deny-all defaults. Only the exact capabilities required for the intent hash are provisioned.
Wasmtime · WASI · Capability-based
Layer 3: Semantic Firewall
A Rust hyper proxy that canonicalizes Unicode, scans for canary tokens, sanitizes content, and runs harm classification via Llama-Guard-3.
Rust · hyper · Llama-Guard-3
Layer 4: Constitutional Supervisor
Every agent action is evaluated against Ternary Moral Logic rules and co-signed via gRPC before execution.
gRPC · TML Engine
Layer 5: Circuit Breakers
Health-score-based anomaly detection protecting the chain. Drop below 0.1 health and the system zeroizes keys and self-sacrifices.
Token Bucket · 3σ Anomaly
TML Engine
Ternary Moral Logic States
Permit
Action passes all checks and is authorized to execute
Sacred Pause
Insufficient context — action is held for human review
Prohibit
Action violates policy constraints and is blocked
Terminate
Action is flagged as violating the compliance posture while already in progress. The process is terminated.
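As an added illustration (not AIGIST's code, which is private), the four TML states above as a literal switch statement, combined with a Layer 5 style health-score circuit breaker that applies the 3σ rule and zeroizes the signing key below 0.1 health; the penalty weights, the window size and every field name are assumptions made for this example:

```typescript
// Added example, not AIGIST code. Penalty weights, window size and field names are assumed.
type Verdict = "Permit" | "SacredPause" | "Prohibit" | "Terminate";
interface IntentCheck {
  tokenValid: boolean;        // Biscuit chain verified for this intent hash
  capabilityCovered: boolean; // requested capabilities are within the attenuated token
  contextSufficient: boolean; // supervisor has enough context to judge
  policyViolated: boolean;    // a TML/firewall rule fired before execution
  violatedInFlight: boolean;  // violation observed while the action is running
}
// Branches are ordered by severity so an in-flight violation can never be masked.
function decide(c: IntentCheck): Verdict {
  switch (true) {
    case c.violatedInFlight: return "Terminate";
    case !c.tokenValid || !c.capabilityCovered || c.policyViolated: return "Prohibit";
    case !c.contextSufficient: return "SacredPause";
    default: return "Permit";
  }
}
// Health cost per verdict (negative = slow recovery on a clean Permit).
const PENALTY: Record<Verdict, number> = { Permit: -0.02, SacredPause: 0.05, Prohibit: 0.15, Terminate: 0.4 };
class CircuitBreaker {
  health = 1.0;
  keyZeroized = false;
  private window: number[] = [];
  constructor(private signingKey: Uint8Array, private readonly windowSize = 20) {}
  // 3σ rule over the recent window: with a constant history, any deviation counts.
  private isAnomaly(x: number): boolean {
    const n = this.window.length;
    if (n < 5) return false;
    const mean = this.window.reduce((a, b) => a + b, 0) / n;
    const sd = Math.sqrt(this.window.reduce((a, b) => a + (b - mean) ** 2, 0) / n);
    return Math.abs(x - mean) > 3 * sd;
  }
  // Record one governed action with an observed metric (e.g. tool latency in ms).
  record(verdict: Verdict, metric: number): number {
    const anomaly = this.isAnomaly(metric);
    this.window.push(metric);
    if (this.window.length > this.windowSize) this.window.shift();
    this.health = Math.min(1, Math.max(0, this.health - PENALTY[verdict] - (anomaly ? 0.2 : 0)));
    if (this.health < 0.1 && !this.keyZeroized) {
      this.signingKey.fill(0); // self-sacrifice: the key can never sign again
      this.keyZeroized = true;
    }
    return this.health;
  }
}
```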
Impact
Results and outcomes
AIGIST introduces a fundamentally different approach to AI safety — one where constraints are architectural rather than conversational. The 5-layer architecture is fully implemented through Milestone 13, with 11 TypeScript packages and 4 Rust crates, full CI/CD, and a Next.js 15 governance dashboard live at aigist.io. The platform supports multi-jurisdiction privacy compliance across Canadian (AIDA, PIPEDA, DADM), EU, UK, and US regulatory frameworks.
Version 0.20.5 has shipped. The project is currently transitioning into an enterprise-secure agent host (M15), with OpenTelemetry observability, live dashboard wiring, and red team hardening as the final milestones before production deployment. The codebase is private during active development and security testing.