Pattern: RFC-0005 RDP-03 “Embedded Lightweight”
Status: Phase A — documentation complete. Phase B — reference implementation on the aegis-lab host, in flight.
Tracking: aegis-labs#2
Kind: AEGIS reference deployment
What it is
The first fully-specified AEGIS-governed deployment pattern for running autonomous AI agents offline, on local hardware, with governance enforcement at the action boundary. RDP-03 specifies:
- A concrete hardware profile the deployment requires
- A short list of locally-servable language models that meet the capability bar
- An end-to-end deployment procedure from a clean Debian 13 host
- A catalogue of 11 adversarial test scenarios mapped to AEGIS enforcement rules
- The exact RDP-03 conformance claims this deployment makes, line by line
The deployment is air-gapped by design: no external API calls, no cloud model serving, no telemetry egress. Every component runs on the local host or a private LAN.
Why this matters
Most AEGIS demonstrations to date have run with cloud-hosted models behind external APIs — Claude Opus via Anthropic, Kimi K2.5 via Moonshot. RDP-03 closes that loop by specifying a deployment with the same governance properties but no network egress at all. This makes the deployment relevant for compliance contexts (regulated industries, sovereign data, classified environments) and demonstrates that AEGIS governance does not depend on cloud telemetry to function.
Specification artifacts
The full RDP-03 spec lives in the aegis-labs repository (private), comprising:
| File | Content |
|---|---|
| hardware-requirements.md | GPU / RAM / storage / networking for concurrent local model serving under AEGIS governance, with minimum and recommended tiers |
| model-selection-matrix.md | Ollama-compatible open-weight models evaluated against the Agents of Chaos agent capability bar — VRAM, context length, tool-use, and concurrency findings |
| deployment-guide.md | End-to-end setup procedure: Ollama → OpenClaw → AEGIS plug-in → registry.json / policies → one worked example bringing a single governed agent online and running one AoC scenario |
| test-scenario-catalog.md | All 11 Agents of Chaos case studies (Shapira et al., 2026) mapped to ATX-1 tactics and to specific AEGIS rules that prevent each failure |
| rdp-03-integration.md | Line-by-line conformance claim against RFC-0005 RDP-03, the registry schema this deployment uses, and notes on where the deployment extends the base pattern |
A public-distribution version of the spec will be linked here once the Phase B implementation lands and the deployment guide has been validated against a clean install.
Evidence base
This deployment specification is not aspirational. Every design choice is grounded in a prior empirical run:
- 2026-04-08 Agents of Chaos lab reproduction — see Round 1 — Edge Deployment Evaluation. Phase 1 (~3 hours, ungoverned): agents autonomously mapped the network, discovered shared credentials, read cross-agent email inboxes, built offensive tools, and executed cross-team attacks. Phase 2 (~1 hour, AEGIS-governed via OpenClaw before_tool_call plug-in): 64 of 76 tool calls blocked on governed agents, 0 shell/file-write/API-call actions reached infrastructure, communication channels preserved.
- Bare-metal benchmark suite — submitted as part of the Edge Governance IEEE TNSE paper. Establishes AEGIS decision latency, throughput, and federation convergence across 5 simulated edge resource tiers.
Delta from Round 1 to RDP-03
| Axis | 2026-04-08 lab run | RDP-03 deployment |
|---|---|---|
| Model provider | External APIs (Kimi K2.5, Claude Opus) | Local Ollama, air-gapped |
| Governance substrate | AEGIS HTTP service on 5 Docker containers | AEGIS library embedded in each agent process |
| Capability registry | In-code Python objects | registry.json file, loaded via AEGISRuntime.from_config() (aegis-core v0.1.3+) |
| Agent framework | OpenClaw 2026.4.5 | OpenClaw 2026.4.5 — unchanged |
| Test scenarios | Ad-hoc exploration | The 11 case studies in the test scenario catalog |
| Deployment topology | 7 containers + 1 central governance service | N agent processes, each self-contained, shared append-only JSONL audit |
Everything else — failure mode categories, ATX-1 technique mappings, the 84% block rate on governed tool categories, the plug-in hook integration, agent configuration files — is directly reusable.
Relationship to other AEGIS work
| Repository | Role |
|---|---|
| aegis-labs (this repo) | RDP-03 specification and Phase B implementation |
| aegis-core | Runtime library. The RDP-03-required file-based capability registry shipped in aegis-core v0.1.3 as CapabilityRegistry.load_from_json() and AEGISRuntime.from_config() |
| aegis-governance | RFC-0005 defines RDP-03 — the specification this deployment implements |
aegis-ops | Operational reference for the physical aegis-lab host |