AEGISOE

AEGISOE — Confidential Security Automation Network with Verifiable On-Chain Proof
Chainlink Hackathon 2026 — Privacy Track Submission

AEGISOE is a confidential security automation system that detects leaked API keys in repositories, automatically rotates them, and records verifiable proof of the incident lifecycle on-chain without exposing the secret values.

THE PROBLEM
API key leaks are one of the most critical security incidents in modern software development.
Studies show that approximately one in every 200 repositories contains exposed secrets. Attackers can exploit leaked credentials within minutes of exposure. Meanwhile, manual key rotation can take between four and twenty-four hours and often requires human intervention.
Existing tools such as GitHub Secret Scanning and GitGuardian can detect leaked credentials, but they do not automatically rotate keys, do not provide cryptographic proof that remediation occurred, and often require sending sensitive data to centralized servers.
This creates a major gap. There is currently no system that can detect leaked secrets, automatically rotate them, and provide verifiable cryptographic proof of the entire incident lifecycle while keeping the secrets confidential throughout the process.

WHAT IS AEGISOE
AEGISOE is a verifiable, privacy-preserving incident response engine designed to handle leaked secrets securely.
The key insight behind the system is that secret rotation itself is a sensitive operation. When rotating a leaked API key, multiple high-value credentials are involved, including the compromised key, the new key, administrative credentials used to revoke or generate keys, and vault tokens used for storage.
If these credentials are processed by a centralized rotation server, that server becomes a high-value target for attackers.
AEGISOE solves this problem by executing all sensitive operations inside a Trusted Execution Environment (TEE) powered by Chainlink CRE (Confidential Runtime Environment). In this design, no human operator, backend server, or third party can see the secret values. Only the secure enclave processes them.

SYSTEM ARCHITECTURE
The workflow begins when a developer pushes code to a repository that accidentally contains a secret.
A GitHub webhook triggers the AEGISOE backend, which performs the detection stage. The backend scans the code using several techniques. First, regex pattern matching is used to identify known formats of API keys and tokens. Second, Shannon entropy analysis identifies high-entropy strings that likely represent secrets. Third, an LLM classifier using Groq’s LLaMA 3.3 model evaluates the risk level of the detected secret.
Once detection is complete, only metadata about the potential secret is forwarded to the confidential execution layer. The sensitive values themselves are handled only inside the Chainlink CRE Trusted Execution Environment.
Inside the enclave, the system loads secure credentials from the CRE secret store. It generates cryptographic commitment hashes using SHA-256, revokes compromised tokens through external provider APIs, and rotates the secrets in a secure vault. These external requests are executed using ConfidentialHTTPClient so credentials remain encrypted and never appear in logs or network traces.
After the confidential workflow completes, the system sends a callback to the backend containing only cryptographic commitments and metadata.
The backend then submits two transactions to the blockchain using a smart contract called AegisoeRegistry deployed on the Ethereum Sepolia testnet.
The first transaction records the security incident. The second transaction records proof that the secret was rotated.
These blockchain records contain only hashed commitments and metadata, ensuring that no secret values are ever stored publicly.

WHY CHAINLINK CRE IS REQUIRED
Secret rotation requires access to highly sensitive credentials such as GitHub administrative tokens, vault tokens, and provider API keys.
Without confidential compute, a centralized rotation service would need to store all these credentials on a server. If that server were compromised, attackers could gain access to every administrative credential used for rotation.
Chainlink CRE eliminates this risk by running the entire rotation workflow inside a Trusted Execution Environment.
Secrets are stored in the CRE secret store where they remain encrypted and inaccessible even to node operators. The workflow retrieves these secrets only inside the enclave during execution.
External API calls are performed using ConfidentialHTTPClient, ensuring credentials remain encrypted during transmission. Commitment hashes proving the incident and rotation are generated inside the enclave using SHA-256 and are the only outputs leaving the secure environment.

CHAINLINK CRE FEATURES USED
The project uses several Chainlink CRE features.
ConfidentialHTTPClient is used for external API calls from the enclave. These calls include revoking compromised tokens, rotating secrets in a vault, and sending authenticated callbacks to the backend.
The runtime.getSecret function is used to load sensitive credentials from the CRE secret store during workflow execution.
Trusted Execution Environment compute is used to generate SHA-256 commitment hashes inside the enclave.
HTTPCapability is used to trigger the CRE workflow through an HTTP request from the backend.

SMART CONTRACT
The AegisoeRegistry smart contract acts as an on-chain security ledger.
It stores cryptographic commitments that prove when a security incident occurred and when the corresponding secret rotation was completed. The contract records incident events and rotation events while ensuring that no secret values are ever written to the blockchain.
Risk levels are stored as numeric values, repository identifiers are hashed, and timestamps are stored in a gas-optimized format.
These design choices ensure privacy while still allowing public verification.

BACKEND DETECTION PIPELINE
Before the CRE workflow executes, the backend runs a multi-layer detection pipeline.
The first step scans code for known secret patterns using regular expressions for common providers such as OpenAI, AWS, GitHub tokens, JWTs, and generic high-entropy strings.
The second step performs Shannon entropy analysis. Strings with entropy above a defined threshold are considered likely secrets.
The third step uses a large language model classifier through Groq’s LLaMA 3.3 model to determine the risk level of the leak.
The final step is a policy engine that determines how the system should respond. Critical incidents trigger automatic rotation through the CRE workflow. High-risk incidents trigger rotation and security alerts. Medium-risk incidents are logged but not rotated automatically.

PRIVACY GUARANTEE
The system ensures that secret values never leave the Trusted Execution Environment.
Leaked secret values exist only inside the enclave during processing and are never stored or logged elsewhere.
Administrative tokens used for rotation are stored securely in the CRE secret store and cannot be accessed by operators or backend services.
New rotated keys are transmitted securely to the vault using encrypted confidential HTTP requests.
The blockchain stores only SHA-256 commitment hashes and minimal metadata. These hashes cannot be reversed to reveal the original secret values.
This design allows anyone to verify that an incident occurred and that remediation was performed without revealing the secrets themselves.

LIVE DEPLOYMENT
The project is deployed on the Ethereum Sepolia testnet.
The smart contract AegisoeRegistry records incidents and rotation proofs on-chain.
The backend service handles detection and workflow coordination.
A frontend dashboard allows users to view incidents and verify proof records by querying blockchain events.

SUMMARY
AEGISOE demonstrates a new approach to automated security incident response.
The system detects leaked credentials in repositories, performs secure key rotation using confidential computing, and records permanent proof of remediation on the blockchain.
By combining automated detection, confidential compute with Chainlink CRE, and on-chain verification, AEGISOE ensures that secrets remain private while incident response becomes transparent and verifiable.

AEGISOE is built as a multi-layer security automation system that combines secret detection, confidential compute, and on-chain verification.
The system begins with a backend service that receives GitHub webhook events when new commits are pushed. The backend runs a detection pipeline that scans the code for possible secrets using three techniques: regex pattern matching for known key formats, Shannon entropy analysis to detect high-entropy tokens, and an LLM-based risk classifier using Groq LLaMA 3.3. Based on the classification result, a policy engine decides whether the leaked credential should be automatically rotated.
When a critical leak is detected, the backend sends a metadata payload to a Chainlink CRE (Confidential Runtime Environment) workflow. All sensitive operations occur inside a Trusted Execution Environment (TEE). The workflow retrieves secrets from the CRE secrets store using runtime.getSecret(), generates cryptographic commitments using SHA-256, revokes compromised credentials through provider APIs, and rotates new secrets in HashiCorp Vault using ConfidentialHTTPClient so credentials remain encrypted during network requests.
After the confidential workflow completes, the backend receives a callback containing commitment hashes that prove the incident and rotation occurred. The backend then submits two transactions to the AegisoeRegistry smart contract deployed on Ethereum Sepolia. The contract records incident and rotation events as immutable blockchain logs while storing only hashed commitments to preserve privacy.
A frontend dashboard built with Next.js reads events directly from the smart contract to display a real-time incident feed and provide a proof verifier that allows auditors to verify security incidents without revealing the underlying secrets.
The full stack includes Node.js and TypeScript for the backend, Chainlink CRE for confidential workflows, Solidity for the smart contract, and Next.js for the frontend interface.