Operator guide · @tuent/sentinel v0.4.0

See the blast radius. Restore a blocked agent.

The two commands an operator runs most. Sentinel installs project-local, so both run through npx. Operating across many repos? Add a global install once and every command is bare sentinel.

Download as PDF →

# project-local, matches the install on the site
npm install @tuent/sentinel && npx sentinel init claude-code
# optional, for operators who want the CLI everywhere
npm install -g @tuent/sentinel   # then: sentinel scan / sentinel release
Command one · assess before you enforce · sentinel scan
Runsentinel scan in a project root walks the repo and lists every file an agent could touch, scored by how sensitive each one looks by filename and path pattern. It does not read file contents, so it is a blast-radius map, not a found-secrets claim. Read only, writes nothing unless you pass --save. Add --path=../other-repo --format=json to point it elsewhere or pipe into tooling.
SafeIt refuses to walk a directory that is not a project root, no package.json or .git, unless you pass --path or --force. So it never crawls a home directory by accident. Symlinks are skipped.
ReadEach file is flagged high, medium, or low confidence. High means two or more sensitivity rules matched, medium is one strong match, low is everything else. Start policy from the high and medium rows, so you tighten forbid.targets before it matters, not after.
Command two · restore an escalated agent · sentinel release
RestoreRepeated violations escalate an agent: normal, then restricted, then quarantined, at thresholds you set (restrictAfter defaults to 3, quarantineAfter to 5). sentinel release --agent=<id> returns it to normal. Run it from a separate terminal if the agent's own Bash is blocked, so you are never locked out of the recovery path.
SoftOn a soft flag the developer releases a single blocked action in one click and keeps working. You do not have to be in the loop for those.
HardHard rules stay locked. A credential read or another default-floor deny is never released by a soft click. Those are decided deterministically and stay that way.
Related · prove what ran
Verifysentinel --verify-audit --agent=<id> re-walks the signed trail and returns a single VALID or INVALID verdict for a reviewer.
Readsentinel --show-audit --agent=<id> prints the actual signed entries, newest first, redacted to shape not contents by default.

scan tells you what an agent could reach before you write a line of policy. release gets a developer moving again the moment a stop was right but the work should continue. One reduces surprise. The other reduces friction.

Accuracy notes · Claude Code is the only live adapter. scan scores by filename and path pattern, never by reading contents. Figures reflect the present shipped state and move as the product ships.

See it catch real behavior, live.
A demo with a live agent, or a free eight week pilot shaped to your use case.
Book a live demo Back to docs