qwen-aegis
v1.0.3
Automated Epistemic Governance & Intelligence System — multi-agent codebase auditing for Qwen Code
Downloads
405
Qwen-AEGIS
Automated Epistemic Governance & Intelligence System — Multi-agent codebase auditing for Qwen Code.
npx qwen-aegis
Works on Mac, Windows, and Linux.
"An AI Principal Engineer — a machine that performs disciplined doubt."
What AEGIS Is
AEGIS is a multi-session, multi-agent codebase audit system built on Qwen Code. It deploys a team of senior engineering personas — each an expert in a specific domain — to conduct a comprehensive analysis of any application codebase.
It is not a linter. It is not a static analyzer. It is not a report generator.
It is an AI Principal Engineer — a machine that performs disciplined doubt.
Core Philosophy
- Disciplined Doubt Over Coherent Confidence — AEGIS optimizes for correctness under uncertainty, asymmetric risk detection, and institutional memory of failure patterns.
- The Principal Builds the Story. The Devil's Advocate Breaks It. — No finding survives without challenge. Disagreement is signal, not noise.
- Evidence > Assumptions > Code > Documentation — Strict separation between observations, interpretations, and judgments.
The 14 Audit Domains
| Domain | What It Covers | Agent |
|--------|---------------|-------|
| 0 — Context & Intent | What the system does, who uses it | Principal Engineer |
| 1 — Architecture | Boundaries, coupling, layering | Architect |
| 2 — Data & State | Schemas, migrations, consistency | Data Engineer |
| 3 — Correctness | Logic bugs, edge cases, concurrency | Senior App Engineer |
| 4 — Security | AuthN/AuthZ, injection, supply chain | Security Engineer |
| 5 — Compliance | PII, encryption, audit logging | Compliance Officer |
| 6 — Testing | Pyramid shape, determinism, coverage | Test Engineer |
| 7 — Reliability | Retries, timeouts, circuit breakers | SRE |
| 8 — Performance | Complexity, N+1, caching, bottlenecks | Performance Engineer |
| 9 — Maintainability | Smells, naming, duplication, debt | Senior App Engineer |
| 10 — Operability | CI/CD, observability, rollback, DX | SRE |
| 11 — Change Risk | Blast radius, refactor safety | Staff Engineer |
| 12 — Team Risk | Bus factor, tribal knowledge, silos | Staff Engineer |
| 13 — Risk Synthesis | Predictions, emergent risks, forecasts | Principal Engineer |
The Agent Team
Core (12 Agents)
| Agent | Domains | Role |
|-------|---------|------|
| Principal Engineer | 0, 13 | Epistemic governor — resolves conflicts, synthesizes narrative |
| Architect | 1 | Structural patterns, boundaries, dependency direction |
| Data Engineer | 2 | Data models, schema evolution, consistency guarantees |
| Security Engineer | 4 | AuthN/AuthZ, secrets, injection, supply chain |
| Compliance Officer | 5 | PII, encryption, audit logging, regulatory exposure |
| Senior App Engineer | 3, 9 | Logic correctness, maintainability, code health |
| SRE | 7, 10 | Reliability, CI/CD, observability, developer experience |
| Performance Engineer | 8 | Algorithmic complexity, caching, bottlenecks |
| Test Engineer | 6 | Test pyramid, determinism, mutation resistance |
| Staff Engineer | 11, 12 | Change risk, bus factor, knowledge silos |
| Reality Gap Analyst | Cross-cutting | Detects divergence between code-as-written and system-as-run |
| Devil's Advocate | Cross-cutting | Hunts collective blind spots, attacks confidence |
Transform (5 Agents)
| Agent | Role |
|-------|------|
| Remediation Architect | Translates diagnosis into structured change plans |
| Change Risk Modeler | Scores blast radius, coupling, regression probability |
| Pedagogy Agent | Explains fixes for AI-assisted developers |
| Guardrail Generator | Writes project rules to prevent recurring problems |
| Execution Validator | Defines verification plans — how to prove fixes work |
Commands
Core Commands (Diagnostic)
| Command | Purpose |
|---------|---------|
| /aegis:audit | Full diagnostic audit — guided wizard |
| /aegis:resume | Resume an interrupted audit |
| /aegis:status | Show current audit position |
| /aegis:report | Generate final diagnostic report |
Transform Commands (Evolution)
| Command | Purpose |
|---------|---------|
| /aegis:remediate | Generate remediation knowledge (Layer B) |
| /aegis:transform | Generate execution plans (Layer C) |
| /aegis:playbook | View remediation playbooks for findings |
| /aegis:guardrails | Generate project rules from audit findings |
The Three Output Layers
| Layer | What | Phases | Mutability |
|-------|------|--------|------------|
| A — Diagnostic Artifact | Findings, evidence, disagreements | 0-5 | Immutable truth |
| B — Remediation Knowledge | Playbooks, patterns, guardrails | 6-7 | Derived from A |
| C — Change Orchestration | Dependency graphs, PAUL projects | 8 | Operational planning |
The 7-Layer Epistemic Schema
Every finding passes through: Observation → Evidence Source → Interpretation → Assumptions → Risk Statement → Impact/Likelihood → Judgment
The 4-Layer Transformation Model
Remediation goes: Abstract Pattern → Framework Mapping → Language Mapping → Project Context
Intervention Levels
| Level | What | Confidence Required |
|-------|------|---------------------|
| 1 — Suggesting | "Consider this" | Any |
| 2 — Planning | "Here's how to fix it" | Medium+ |
| 3 — Authorizing | "Recommended with confidence X" | High |
| 4 — Executing | "Apply this change" (via PAUL only) | High + Low risk |
AEGIS NEVER auto-executes. Ever.
How It Works
Phase 0: Context & Threat Modeling → Principal Engineer
Phase 1: Automated Signal Gathering → Tool runners
Phase 2: Deep Domain Audits → 8 domain agents (parallel)
Phase 3: Change/Team/Reality Risk → Staff Engineer, Reality Gap Analyst
Phase 4: Adversarial Review → Devil's Advocate
Phase 5: Synthesis & Report → Principal Engineer
────────────────────────────────────────────────────────
Phase 6: Remediation Synthesis → Remediation Architect, Pedagogy
Phase 7: Change Risk Validation → Change Risk Modeler, Guardrail Gen
Phase 8: Execution Planning → Execution Validator → PAUL handoff
OSS Analysis Tools
AEGIS integrates with 7 free tools for comprehensive auditing:
| Tool | What It Does |
|------|-------------|
| SonarQube | Code smells, bugs, maintainability, duplication, complexity |
| Semgrep | Security-focused SAST — XSS, SQL injection, IDOR, 20,000+ rules |
| Trivy | All-in-one security scanner — OS packages, dependencies, IaC |
| Gitleaks | Secrets detection — API keys, passwords, tokens in code + history |
| Checkov | IaC security — Terraform, CloudFormation, K8s, Dockerfiles |
| Syft | SBOM generation — complete package inventory |
| Grype | Vulnerability scanning — CVE matching against SBOM |
All are optional — AEGIS works with or without them. Install what you need.
The PAUL Connection
AEGIS Transform produces complete PAUL project artifacts:
- PROJECT.md — Project definition with audit reference
- ROADMAP.md — Phased remediation with dependency ordering
- Phased PLAN.md files with risk metadata and verification gates
AEGIS proposes. PAUL disposes. The separation is absolute.
Install
npx qwen-aegis
The installer prompts you to choose:
- Global (recommended) — Available in all Qwen Code projects
- Local — Available in current project only
What Gets Installed
~/.qwen/aegis/ # Framework (82+ files)
├── core/ # 12 Core agents, personas, workflows
├── transform/ # 5 Transform agents, personas, workflows
├── domains/ # 14 audit domain knowledge modules
├── schemas/ # Core output contracts
├── rules/ # Epistemic governance rules
└── tools/ # Tool adapter specifications
~/.qwen/commands/qwen-aegis/ # 8 slash commands
├── audit.md
├── resume.md
├── status.md
├── report.md
├── remediate.md
├── transform.md
├── playbook.md
└── guardrails.md
Quick Start
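Before the first audit, the installed command directory can be compared with the eight files listed in the tree above. This is an added example, not part of qwen-aegis: the helper name `check_aegis_commands` and its output labels are made up here, and only the global path shown on this page is assumed.

```shell
# Added example, not part of qwen-aegis.
# Expected slash-command files, copied from the tree on this page.
EXPECTED="audit.md resume.md status.md report.md remediate.md transform.md playbook.md guardrails.md"

# check_aegis_commands DIR   (hypothetical helper name)
# Prints one line per discrepancy and returns:
#   0 = exactly the expected files, 1 = discrepancies, 2 = DIR absent.
# Usage: check_aegis_commands "$HOME/.qwen/commands/qwen-aegis"
check_aegis_commands() {
  dir=$1
  bad=0
  if [ ! -d "$dir" ]; then
    echo "NOT_INSTALLED $dir"
    return 2
  fi
  for name in $EXPECTED; do
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING $name"
      bad=1
    fi
  done
  # Walk every entry, dotfiles included; unmatched globs stay literal and
  # are skipped by the existence test.
  for entry in "$dir"/* "$dir"/.[!.]*; do
    [ -e "$entry" ] || [ -L "$entry" ] || continue
    name=${entry##*/}
    case " $EXPECTED " in
      *" $name "*)
        # An expected name that is a symlink points outside the reviewed set.
        if [ -L "$entry" ]; then
          echo "SYMLINK $name"
          bad=1
        fi
        ;;
      *)
        # Not announced by the README: review it before first use.
        echo "UNEXPECTED $name"
        bad=1
        ;;
    esac
  done
  return $bad
}
```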
# 1. Start a full audit
/aegis:audit
# 2. Check progress anytime
/aegis:status
# 3. Resume after a break
/aegis:resume
# 4. Generate remediation
/aegis:remediate
# 5. Generate execution plan
/aegis:transform
License
MIT License.
Author
Chris Kahler — Chris AI Systems
Adapted for Qwen Code by tylergriffin1350
Qwen Code is powerful. AEGIS makes it trustworthy.
