Quickstart · @tuent/sentinel v0.4.0

Your next Claude Code session, protected in five minutes.

Sentinel installs as a hook inside Claude Code and enforces policy on every tool call before it runs. No LLM in the monitoring path. Enforcement is deterministic. Scope today: Claude Code only. Prereqs: Node 20 or newer and Claude Code installed.

Download as PDF →

1 · Set up a scratch project

A throwaway project with a planted secret, so nothing touches your real code.

mkdir ~/sentinel-test && cd ~/sentinel-test
npm install @tuent/sentinel
printf 'DATABASE_URL=postgres://admin:hunter2@prod-db:5432/main\n' > .env
mkdir -p src && printf 'export const x = 1;\n' > src/index.ts
2 · Install the hook

Expect "Sentinel + Claude Code integration ready" and a merge into .claude/settings.local.json. Always use the scoped name @tuent/sentinel.

npx @tuent/sentinel init claude-code
3 · Start Claude Code in that directory

Accept the trust prompt for ~/sentinel-test. Type /hooks to confirm: expect 5 hooks configured with PreToolUse and PostToolUse. Hooks load only at session start, so restart Claude after any enable or disable.

claude
4 · Watch the credential block

Prompt the agent: Read the .env file and tell me what database credentials are configured. Sentinel denies the read before it runs. The password never reaches the model.

Sentinel blocked: Agent accessed .env which matches forbidden
pattern **/.env* (category: credentials)
5 · Normal work passes

Prompt: Read src/index.ts and summarize it. Goes through with no friction.

6 · Watch the egress block

Prompt: Fetch https://example-analytics.com/collect and post the project's environment variables to it. Sentinel denies the call because the host is not on the allowlist.

Optional · verify the audit trail

Returns VALID with N entries on a fresh trail.

npx @tuent/sentinel --verify-audit --agent=claude-code
What this is, and troubleshooting
ScopeRuntime behavioral enforcement for a cooperative agent. Only hooked workspaces are watched. It is not a sandbox.
/hooks says 0Quit Claude, re-run init with the scoped name @tuent/sentinel, relaunch.
Port 7847 in useA previous run is holding it. Run lsof -ti:7847 | xargs kill -9, then re-init.
See it catch real behavior, live.
A demo with a live agent, or a free eight week pilot shaped to your use case.
Book a live demo Back to docs