Aegis Shield

Aegis Shield is the outbound protection layer. It catches secrets before they leave your machine.

What it does

  1. Detects secrets in your code using patterns and context
  2. Tokenizes them with deterministic, reversible tokens
  3. Preserves code structure so AI can still understand it
  4. Rehydrates tokens back to real values in AI responses

Token categories

Category  What it matches             Example
KEY       API keys, access keys       AKIAIOSFODNN7EXAMPLE, sk_live_...
SECRET    Passwords, secrets          supersecret123
CONN      Connection strings          postgres://user:pass@host/db
HOST      Hostnames, URLs             prod.internal.company.com
USER      Usernames in auth contexts  admin, root
TOKEN     JWTs, bearer tokens         eyJhbGciOiJ...

CLI usage

Find secrets:

takumo-aegis scan ./src/

Found 5 secrets across 3 files:

src/config.ts
  Line 8    AWS Access Key       AKIAEXAMPLE...
  Line 12   Database URL         postgres://***...

src/lib/stripe.ts
  Line 3    Stripe Secret Key    sk_test_EXAMPLE...

src/.env
  Line 1    JWT Secret           [REDACTED]
  Line 2    API Key              [REDACTED]

Preview tokenized output:

takumo-aegis tokenize ./src/config.ts

// Original had: postgres://admin:secret@prod:5432/app
export const dbUrl = "__TAKUMO_v1_CONN_a1b2c3d4__";

// Original had: AKIAIOSFODNN7EXAMPLE
export const awsKey = "__TAKUMO_v1_KEY_e5f6g7h8__";

Full round-trip with Claude:

takumo-aegis shield ./src/config.ts --prompt "Add connection retry logic"

API usage

import { createSession } from '@takumo/aegis';

// Create a session (holds the token vault)
const session = createSession();

// Tokenize your code
const { content, detections } = session.tokenize(sourceCode, 'config.ts');

console.log(`Found ${detections.length} secrets`);
console.log(content);  // Safe to send to AI

// ... send `content` to Claude, get response ...

// Restore secrets in the response
const { content: finalCode, rehydratedCount } = session.rehydrate(claudeResponse);

console.log(`Restored ${rehydratedCount} secrets`);
console.log(finalCode);  // Has real secrets again

Multi-file sessions

One session can handle multiple files, and the same secret gets the same token in every file:

const session = createSession();

// Both files use the same database password
const config = session.tokenize(configCode, 'config.ts');
const migrate = session.tokenize(migrateCode, 'migrate.ts');

// The password token is identical in both outputs
// Claude can see they use the same credential
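
The round trip and the multi-file behaviour described above, as an added sketch that is not the @takumo/aegis implementation; it also shows a check worth having on the way back: tokens in a response that the session never issued are reported and left in place instead of being rehydrated. SketchSession, its two regex patterns and the counter-based token ids are assumptions made for illustration; only the token shape follows the tokenize output shown earlier.

```javascript
// Added illustration only: NOT the @takumo/aegis implementation.
// Class name, patterns and id scheme are assumptions made for this sketch.
const PATTERNS = [
  { category: 'CONN', re: /postgres:\/\/[^\s"'`]+/g },
  { category: 'KEY', re: /\bAKIA[0-9A-Z]{16}\b/g },
];
const TOKEN_RE = /__TAKUMO_v1_([A-Z]+)_([0-9a-f]{8})__/g;
// Constructed sample inputs: two files sharing one connection string.
const CONFIG_TS = 'export const dbUrl = "postgres://admin:secret@prod:5432/app";';
const MIGRATE_TS = 'run("postgres://admin:secret@prod:5432/app");';

class SketchSession {
  constructor() {
    this.bySecret = new Map(); // secret -> token (same secret, same token)
    this.byToken = new Map();  // token -> secret (used only for rehydration)
  }
  tokenFor(category, secret) {
    let token = this.bySecret.get(secret);
    if (!token) {
      // Opaque per-session counter: the id reveals nothing about the secret.
      const id = (this.byToken.size + 1).toString(16).padStart(8, '0');
      token = `__TAKUMO_v1_${category}_${id}__`;
      this.bySecret.set(secret, token);
      this.byToken.set(token, secret);
    }
    return token;
  }
  tokenize(source, file) {
    const detections = [];
    let content = source;
    for (const { category, re } of PATTERNS) {
      content = content.replace(re, (secret) => {
        const token = this.tokenFor(category, secret);
        detections.push({ file, category, token });
        return token;
      });
    }
    return { content, detections };
  }
  rehydrate(response) {
    let rehydratedCount = 0;
    const unknownTokens = [];
    const content = response.replace(TOKEN_RE, (token) => {
      const secret = this.byToken.get(token);
      if (secret === undefined) unknownTokens.push(token); // never issued here
      else rehydratedCount += 1;
      return secret ?? token; // unknown tokens stay in place
    });
    return { content, rehydratedCount, unknownTokens };
  }
}
```

A non-empty unknownTokens list means the response contains a token-shaped string that this session's vault cannot resolve, which is worth surfacing before the code is written back to disk.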

Performance

Operation  100 lines  1,000 lines  10,000 lines
Scan       ~5ms       ~50ms        ~200ms
Tokenize   ~2ms       ~10ms        ~50ms
Rehydrate  ~1ms       ~5ms         ~20ms