What Vigils Is
Technical Architecture
The core runs as a Rust binary that maintains a SQLite ledger with SHA-256 hash chaining. Each tool call writes an entry that includes the previous hash, so any modification breaks the chain and becomes detectable during verification. Full-text search uses FTS5 on the redacted content.
Tauri wraps the Rust backend into a desktop application and exposes a local HTTP and WebSocket interface; agents connect to that endpoint instead of calling MCP servers directly. Anything that can reach that listener can submit calls through it, so it matters that it is bound to loopback only and that each agent authenticates to it. The Chrome MV3 extension injects into browser pages so that agents pasting into web UIs still pass through the same policy layer.
Policy rules are written in a Rust DSL and evaluated before any call executes. OAuth scope allow-lists apply to remote MCP servers. The sandbox is fail-closed by default: Wasm modules and Linux Landlock restrict file and network access unless a rule explicitly grants it.
Redaction runs in two stages. Hard fingerprint rules (fixed patterns for well-known credential formats) catch common secrets with high precision. An optional ML ensemble can be enabled for higher recall on PII and on secrets that have no fixed format. Redacted text never reaches the model context or the on-screen logs.
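The two-stage design above, as an added example written for this article (not Vigils' rule set, its ML ensemble or its placeholder format, none of which the page specifies). Stage one applies fixed fingerprint patterns; stage two, standing in for the optional model, flags tokens whose Shannon entropy looks like key material. The patterns, the entropy threshold, the candidate character class and the sample text are all assumptions chosen for the demonstration.

```python
import math
import re
from dataclasses import dataclass, field

# Stage one: "hard fingerprint" rules. Fixed-format secrets that match with high
# precision. Illustrative patterns, not Vigils' own list.
FINGERPRINTS = [
    ("AWS_ACCESS_KEY_ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GITHUB_TOKEN", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("PRIVATE_KEY_BLOCK", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    ("BEARER_TOKEN", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{20,}")),
]

# Stage two (stand-in for the ML ensemble): any long run of token-like characters
# with high entropy. Simplified class; real base64 would also need "+/=".
CANDIDATE = re.compile(r"[A-Za-z0-9_-]{24,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for this demo


@dataclass
class RedactionResult:
    text: str
    findings: list = field(default_factory=list)  # (rule name, length of removed span)


def shannon_entropy(s: str) -> float:
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(text: str, high_recall: bool = False) -> RedactionResult:
    """Return text safe to log or hand to a model. high_recall enables stage two."""
    findings = []
    out = text
    for name, pattern in FINGERPRINTS:
        def replace(m, name=name):
            findings.append((name, len(m.group(0))))
            return f"[REDACTED:{name}]"
        out = pattern.sub(replace, out)
    if high_recall:
        def replace_entropic(m):
            tok = m.group(0)
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append(("HIGH_ENTROPY", len(tok)))
                return "[REDACTED:HIGH_ENTROPY]"
            return tok
        out = CANDIDATE.sub(replace_entropic, out)
    return RedactionResult(out, findings)


# Constructed sample: AWS's documented example key id, a made-up GitHub-shaped
# token, and a 32-character token with no recognisable prefix.
SAMPLE = (
    "Deploying with AKIAIOSFODNN7EXAMPLE to us-east-1 using "
    "ghp_0123456789abcdefghijklmnopqrstuvwxyz for GitHub; "
    "internal token: Qw8rT2yU6iO4pA1sD5fG9hJ3kL7zX0cV for the staging API."
)

if __name__ == "__main__":
    for mode in (False, True):
        r = redact(SAMPLE, high_recall=mode)
        print(f"high_recall={mode}: {r.findings}\n  {r.text}")
```

With stage two disabled the unprefixed 32-character token survives redaction, which is the recall trade-off the limitations section describes; with it enabled the token is caught, at the cost of the entropy rule also being the stage most likely to fire on long identifiers that are not secrets.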
Using Vigils With Existing Agents
Point an MCP client at the local Vigils endpoint instead of the original server. The agent continues to request tools as before; Vigils records the call, applies redaction, then either executes it under the sandbox or pauses for approval.
The approval queue shows the exact parameters and the policy rule that triggered review. Scoped grants let an operator approve a narrow action for a specific agent without opening broader permissions. Once approved, the ledger records the decision and the outcome.
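The decision flow of the two paragraphs above (evaluate, then allow, deny or pause for approval, with narrow operator grants), modelled as an added example in Python. This is not Vigils' Rust DSL: the rule shape, first-match ordering, the grant semantics and the agent and path names are assumptions made for the illustration. It also covers the per-agent directory denial case and shows why a path must be normalised before a prefix rule is applied.

```python
import posixpath
from dataclasses import dataclass
from enum import Enum
from pathlib import PurePosixPath


class Decision(Enum):
    ALLOW = "allow"    # execute under the sandbox
    DENY = "deny"      # refuse and record
    REVIEW = "review"  # pause and queue for operator approval


@dataclass(frozen=True)
class ToolCall:
    agent: str  # which agent is asking
    tool: str   # e.g. "read_file", "write_file"
    path: str   # resource the call touches (files here; could be a URL)


@dataclass(frozen=True)
class Rule:
    name: str
    agent: str        # exact agent id, or "*" for any agent
    tool: str         # exact tool name, or "*" for any tool
    path_prefix: str  # applies when the normalised path is at or under this directory
    decision: Decision


@dataclass
class Grant:
    """Narrow approval for one agent that turns REVIEW into ALLOW for a few uses."""
    agent: str
    tool: str
    path_prefix: str
    uses_left: int = 1


def _under(path: str, prefix: str) -> bool:
    # Compare path components, not string prefixes: "/repo" must not match "/repository".
    p, base = PurePosixPath(path), PurePosixPath(prefix)
    return p == base or base in p.parents


def _matches(agent_pat: str, tool_pat: str, prefix: str, call: ToolCall) -> bool:
    return (agent_pat in ("*", call.agent)
            and tool_pat in ("*", call.tool)
            and _under(call.path, prefix))


class PolicyEngine:
    def __init__(self, rules):
        self.rules = list(rules)  # evaluated in order; first match wins
        self.grants = []
        self.ledger = []          # (call, decision, reason): what the audit ledger records

    def add_grant(self, grant: Grant) -> None:
        self.grants.append(grant)

    def evaluate(self, call: ToolCall):
        # Normalise first so "repo/../.ssh/id_ed25519" is judged as ".ssh/id_ed25519".
        call = ToolCall(call.agent, call.tool, posixpath.normpath(call.path))
        decision, reason = Decision.DENY, "default-deny"  # fail closed without a match
        for rule in self.rules:
            if _matches(rule.agent, rule.tool, rule.path_prefix, call):
                decision, reason = rule.decision, rule.name
                break
        if decision is Decision.REVIEW:  # a grant can only lift a review, never a deny
            for g in self.grants:
                if g.uses_left > 0 and _matches(g.agent, g.tool, g.path_prefix, call):
                    g.uses_left -= 1
                    decision, reason = Decision.ALLOW, f"grant:{reason}"
                    break
        self.ledger.append((call, decision, reason))
        return decision, reason


def demo():
    # Constructed rules and calls for agent "coder" on a hypothetical home directory.
    rules = [
        Rule("deny-ssh-dir", "*", "*", "/home/alice/.ssh", Decision.DENY),
        Rule("repo-read", "coder", "read_file", "/home/alice/repo", Decision.ALLOW),
        Rule("repo-write", "coder", "write_file", "/home/alice/repo", Decision.REVIEW),
    ]
    engine = PolicyEngine(rules)
    calls = [
        ToolCall("coder", "read_file", "/home/alice/repo/src/main.rs"),
        ToolCall("coder", "read_file", "/home/alice/repo/../.ssh/id_ed25519"),
        ToolCall("coder", "read_file", "/home/alice/repository/notes.txt"),
        ToolCall("reviewer", "read_file", "/home/alice/repo/src/main.rs"),
        ToolCall("coder", "write_file", "/home/alice/repo/README.md"),
    ]
    results = [engine.evaluate(c) for c in calls]
    engine.add_grant(Grant("coder", "write_file", "/home/alice/repo/README.md", uses_left=1))
    results.append(engine.evaluate(calls[4]))  # grant consumed: allowed once
    results.append(engine.evaluate(calls[4]))  # back to review
    return results


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision.value, reason)
```

Two details carry the security weight: the traversal in the second call is normalised before matching, so the `.ssh` deny rule wins, and the grant only lifts a REVIEW decision, so an operator approving one write cannot accidentally override a deny rule.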
Audit queries run against the local SQLite file. Because the hash chain is stored alongside the data, an external script can recompute the hashes and confirm integrity without network access. One caveat: a chain that recomputes cleanly shows only that the file is self-consistent. Anyone with write access to the file could edit entries and re-link every later hash, so keep a copy of the latest entry hash (or a signature over it) somewhere the agent host cannot write, and compare against it during verification.
Trade-offs and Limitations
Running every tool call through an additional process adds latency. Simple file reads that previously took milliseconds now pass through redaction and policy evaluation. For agents that issue hundreds of calls per minute, the overhead becomes measurable.
The Chrome MV3 extension only covers browser-based interactions. Desktop applications that agents drive through other means still require separate integration or manual oversight. The current sandbox supports Wasm and basic Linux Landlock; Windows and macOS confinement rely on the Tauri process model until native equivalents are added.
Policy writing requires familiarity with the Rust DSL. No graphical rule builder exists yet, so teams must maintain the rules as code. The redaction ML ensemble is optional and increases memory usage; users who disable it accept lower recall on unusual secret formats.
FAQs
Does Vigils store prompts on remote servers? No. All ledger entries, redacted text, and policy state remain in local SQLite files on the machine running the Tauri application.
Can Vigils block an agent from reading a specific directory? Yes. The default-deny firewall evaluates each call against per-agent rules before the sandbox receives the request, so directory access can be denied at the policy layer.
How do I verify the audit ledger has not been altered? Run the verification command shipped with the binary against the SQLite file; it recomputes the SHA-256 chain and reports any broken links.
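An independent verifier of the kind the audit section and this answer describe, written as an added example using only the Python standard library. It is not Vigils' schema, hash encoding or verification command; all three are assumed here for the demonstration. It also shows the limit of a bare hash chain: someone with write access to the file can re-link a modified ledger so that it verifies, and only a head hash kept outside the file exposes that.

```python
import hashlib
import json
import sqlite3

GENESIS = "0" * 64  # prev_hash of the first entry

# Assumed table layout; the page does not document Vigils' real schema.
SCHEMA = """
CREATE TABLE IF NOT EXISTS ledger (
    seq INTEGER PRIMARY KEY, ts TEXT NOT NULL, agent TEXT NOT NULL,
    tool TEXT NOT NULL, args TEXT NOT NULL,  -- args is JSON, already redacted
    decision TEXT NOT NULL, prev_hash TEXT NOT NULL, entry_hash TEXT NOT NULL);
"""


def entry_hash(seq, ts, agent, tool, args, decision, prev_hash):
    # Canonical JSON keeps field boundaries unambiguous ("ab"+"c" != "a"+"bc").
    payload = json.dumps([seq, ts, agent, tool, args, decision, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.executescript(SCHEMA)

    def append(self, ts, agent, tool, args, decision):
        row = self.db.execute(
            "SELECT seq, entry_hash FROM ledger ORDER BY seq DESC LIMIT 1").fetchone()
        seq, prev = (row[0] + 1, row[1]) if row else (1, GENESIS)
        args_json = json.dumps(args, sort_keys=True, separators=(",", ":"))
        h = entry_hash(seq, ts, agent, tool, args_json, decision, prev)
        self.db.execute("INSERT INTO ledger VALUES (?,?,?,?,?,?,?,?)",
                        (seq, ts, agent, tool, args_json, decision, prev, h))
        self.db.commit()
        return h

    def head(self):
        row = self.db.execute(
            "SELECT entry_hash FROM ledger ORDER BY seq DESC LIMIT 1").fetchone()
        return row[0] if row else GENESIS


def verify(db, anchored_head=None):
    """Recompute the chain; return (ok, first_bad_seq, message)."""
    prev, expected_seq = GENESIS, 1
    for seq, ts, agent, tool, args, decision, prev_hash, h in db.execute(
            "SELECT * FROM ledger ORDER BY seq"):
        if seq != expected_seq:
            return False, seq, "sequence gap: an entry was deleted or reordered"
        if prev_hash != prev:
            return False, seq, "prev_hash does not match the previous entry"
        if entry_hash(seq, ts, agent, tool, args, decision, prev_hash) != h:
            return False, seq, "entry content does not match its hash"
        prev, expected_seq = h, seq + 1
    if anchored_head is not None and prev != anchored_head:
        return False, None, "chain is self-consistent but its head differs from the anchor"
    return True, None, "ok"


def recompute_chain(db):
    """What a writer with access to the file can do: re-link a modified ledger."""
    prev = GENESIS
    rows = db.execute(
        "SELECT seq, ts, agent, tool, args, decision FROM ledger ORDER BY seq").fetchall()
    for seq, ts, agent, tool, args, decision in rows:
        h = entry_hash(seq, ts, agent, tool, args, decision, prev)
        db.execute("UPDATE ledger SET prev_hash=?, entry_hash=? WHERE seq=?", (prev, h, seq))
        prev = h
    db.commit()


def demo():
    # Constructed entries; timestamps, agent and paths are made up for the demo.
    ledger = Ledger()
    ledger.append("2024-05-01T10:00:00Z", "coder", "read_file", {"path": "/repo/main.rs"}, "allow")
    ledger.append("2024-05-01T10:00:01Z", "coder", "write_file", {"path": "/repo/README.md"}, "review")
    anchor = ledger.head()  # store this where the ledger's writer cannot reach it
    results = {"intact": verify(ledger.db, anchor)}
    ledger.db.execute("UPDATE ledger SET decision='deny' WHERE seq=1")  # naive edit
    results["edited"] = verify(ledger.db, anchor)
    recompute_chain(ledger.db)  # careful edit: every later link recomputed
    results["relinked_no_anchor"] = verify(ledger.db)
    results["relinked_with_anchor"] = verify(ledger.db, anchor)
    return results


if __name__ == "__main__":
    for name, (ok, seq, msg) in demo().items():
        print(f"{name:22} ok={ok} seq={seq} {msg}")
```

The naive edit is caught at entry 1 because its stored hash no longer matches its content. After `recompute_chain` the file passes an unanchored check, which is exactly why the latest hash should be copied off the host (or signed) whenever the ledger is checkpointed.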