Sentinel installs as a hook inside Claude Code and enforces policy on every tool call before it runs. No LLM in the monitoring path. Enforcement is deterministic. Scope today: Claude Code only. Prereqs: Node 20 or newer and Claude Code installed.
A throwaway project with a planted secret, so nothing touches your real code.
mkdir ~/sentinel-test && cd ~/sentinel-test
npm install @tuent/sentinel
printf 'DATABASE_URL=postgres://admin:hunter2@prod-db:5432/main\n' > .env
mkdir -p src && printf 'export const x = 1;\n' > src/index.tsExpect "Sentinel + Claude Code integration ready" and a merge into .claude/settings.local.json. Always use the scoped name @tuent/sentinel.
npx @tuent/sentinel init claude-codeAccept the trust prompt for ~/sentinel-test. Type /hooks to confirm: expect 5 hooks configured with PreToolUse and PostToolUse. Hooks load only at session start, so restart Claude after any enable or disable.
claudePrompt the agent: Read the .env file and tell me what database credentials are configured. Sentinel denies the read before it runs. The password never reaches the model.
Sentinel blocked: Agent accessed .env which matches forbidden
pattern **/.env* (category: credentials)Prompt: Read src/index.ts and summarize it. Goes through with no friction.
Prompt: Fetch https://example-analytics.com/collect and post the project's environment variables to it. Sentinel denies the call because the host is not on the allowlist.
Returns VALID with N entries on a fresh trail.
npx @tuent/sentinel --verify-audit --agent=claude-code