Good take, and you're right that credential management is a separate layer from code-level permissions. Right now Aegis handles the "what code can it run" side: capability declarations control which operations a module can perform, and MCP tool outputs are automatically wrapped in tainted so they can't be used unsanitized. But the "what API keys does this agent have access to" question is more about infrastructure than language design. That said, the memory_access construct with encryption and scope enforcement could possibly be extended to handle credential storage, keys stored in a memory scope with read: [api_key] restrictions would only be accessible to modules that declare that scope. Definitely an area worth exploring further. Thx for the feedback

Yes, any external input (user prompts, tool outputs, API responses) is automatically wrapped in tainted[str]. You can't use it in a query, command, or f-string until you explicitly sanitize it. The runtime fundamentally blocks it.

Hey, yes Aegis has MCP support. MCP tools are declared in the syntax with the provider, and the transpiler handles the client calls, audit events, and capability checks automatically. There's also A2A (Agent-to-Agent) support for inter-agent communication. As for integration with something like claudecode/gpt/cursor, should be fairly straightforward, there's a full language spec and syntax reference in the docs folder that LLMs can use as context.

Sweet! Just read over the docs on github and pip install aegis-lang on your computer whenever you're ready. Any questions/comments/general feedback you may have feel free to reach out