DEV Community: Justin Yuan

Awesome

Justin Yuan — Sun, 08 Mar 2026 19:11:46 +0000

I built a constitution for AI agents — budgets, permissions, and audits enforced before execution

Justin Yuan ・ Mar 8

I built a constitution for AI agents — budgets, permissions, and audits enforced before execution

Justin Yuan — Sun, 08 Mar 2026 19:11:02 +0000

Every agent framework today works like this: give the LLM an API key, define some tools, and let it run. Cost control? Check your bill at the end of the month. Quality assurance? Hope for the best.

Permissions? All or nothing.

This doesn't scale. When agents are spending real money, producing customer-facing output, and making autonomous decisions, "hope" is not a governance strategy.

What I built

Sovereign OS is an open-source orchestration system where governance is the architecture, not an afterthought.

Everything starts with a Charter — a single YAML file that declares:

Mission and objectives
Budget limits (per-task, daily, total runway)
Quality KPIs
Authorized capabilities

The execution pipeline enforces the Charter at every step:

Charter → CEO (plan) → CFO (approve budget) → Workers (execute) → Auditor (verify) → Ledger (record)

Key ideas

Pre-execution budget approval

The CFO agent checks every task against max_task_cost_usd, daily_budget_usd, and runway_days before a single token is spent. Not after.

Trust is earned

Agents start in a sandbox with zero capabilities. They unlock permissions (SPEND_USD, CALL_API, WRITE_FILES) by passing audits. This is the opposite of how every other framework works.

Immutable audit trail

Every output is verified against Charter KPIs. Audit reports include proof_hash (SHA-256 of inputs + output). The ledger is append-only JSONL — no deletions, sequence-numbered, verifiable offline.

Built-in monetization

SQLite job queue (Redis optional), Stripe integration for per-job billing, webhook delivery, ingest from Reddit, Shopify, WooCommerce.

Tech stack

Python 3.12+, FastAPI, SQLite + JSONL, OpenAI/Anthropic, Docker Compose, OpenTelemetry, Prometheus.

Try it

git clone https://github.com/Justin0504/Sovereign-OS

cd Sovereign-OS

docker compose up -d

Or local:

pip install -e ".[llm]"

python -m sovereign_os.web

MIT licensed. Self-hosted. No telemetry.

GitHub: https://github.com/Justin0504/Sovereign-OS

[Boost]

Justin Yuan — Sun, 08 Mar 2026 01:06:06 +0000

I built an open-source firewall for AI agents — it blocks dangerous tool calls before they execute

Justin Yuan ・ Mar 7

#ai #security #agents #openclaw

[Boost]

Justin Yuan — Sat, 07 Mar 2026 17:17:53 +0000

I built an open-source firewall for AI agents — it blocks dangerous tool calls before they execute

Justin Yuan ・ Mar 7

#ai #security #agents #openclaw

I built an open-source firewall for AI agents — it blocks dangerous tool calls before they execute

Justin Yuan — Sat, 07 Mar 2026 16:55:04 +0000

The problem nobody talks about

Every AI agent framework — LangChain, CrewAI, Anthropic, OpenAI — gives the LLM full control over which tools to call and with what arguments.

The model says "run this SQL query: DROP TABLE users" and your code just... executes it. No confirmation. No policy check. No audit trail.

Existing observability tools (LangFuse, Helicone, Arize) log what happened. That's useful for debugging. But the database is already gone.

What I built

AEGIS is an open-source, self-hosted firewall that sits between your AI agent and its tools.

It doesn't just observe — it intercepts and blocks before execution.

How it works

Agent calls a tool → AEGIS SDK intercepts → Gateway classifies (SQL? file? shell?) → Policy engine evaluates (injection? traversal? exfiltration?) → Decision: allow / block / pending (human reviews) → Ed25519 signed, SHA-256 hash-chained, stored in dashboard.

One line to integrate

import agentguard
agentguard.auto("http://localhost:8080")

# Your existing agent code — completely unchanged
client = anthropic.Anthropic()
response = client.messages.create(model="claude-sonnet-4-20250514", tools=[...])

What it catches out of the box

SQL injection — DROP, DELETE, TRUNCATE in database tools
Path traversal — ../../etc/passwd, sensitive directories
Command injection — rm -rf, curl | sh, shell metacharacters
Prompt injection — "ignore previous instructions" patterns
Data exfiltration — large payloads to external endpoints
PII leakage — SSN, email, phone, credit card, API keys (auto-redacted)

Human-in-the-loop

For high-risk actions, the agent pauses. You open the Compliance Cockpit, see the exact tool name and arguments, and click Allow or Block. The agent resumes in under a second.

agentguard.auto(
    "http://localhost:8080",
    blocking_mode=True,
    human_approval_timeout_s=300,
)

The dashboard

The Compliance Cockpit gives you:

Real-time trace stream with risk badges
Pending approvals queue
Token cost tracking (40+ models)
Session grouping
Anomaly detection
PII auto-redaction
Alert rules (Slack, PagerDuty, webhook)
Kill switch (auto-revoke after N violations)
Forensic export (PDF + CSV)
Agent behavior baseline (7-day profile)

SDK support

Python (9 frameworks, all auto-patched): Anthropic, OpenAI, LangChain/LangGraph, CrewAI, Google Gemini, AWS Bedrock, Mistral, LlamaIndex, smolagents

JavaScript/TypeScript:

import agentguard from '@justinnn/agentguard'
agentguard.auto('http://localhost:8080', { agentId: 'my-agent' })

Go (zero dependencies, stdlib only):

guard := agentguard.Auto()
result, err := guard.Wrap("query_db", args, queryFn)

Cryptographic audit trail

Every trace is Ed25519 signed and SHA-256 hash-chained. Modifying any record breaks the chain. This isn't logging — it's tamper-evident, cryptographically verifiable proof.

Deploy in 30 seconds

git clone https://github.com/Justin0504/Aegis
cd Aegis
docker compose up -d

Dashboard at localhost:3000. Gateway at localhost:8080.

Self-hosted. MIT licensed. No telemetry. No data leaves your infrastructure.

Try it

GitHub: https://github.com/Justin0504/Aegis

There's also a live demo agent (Claude-powered research assistant with its own chat UI) that walks through every feature: tracing, SQL injection blocking, PII detection, and human approval flow.

I'd love to hear what policies you'd want built in. Issues and PRs welcome.