Technical brief · @tuent/sentinel v0.4.0

A control layer between identity and execution.

Teams hand Claude Code to their developers. The agent reads files, calls tools, runs commands, and touches systems across the org. It executes, and it does not push back. Sentinel installs as a native Claude Code hook and checks every tool call in process, before it runs, deterministically, with no model in the enforcement path.

The question is no longer who has access. It is whether this actor should be allowed to do this, here, now.

Download as PDF →

Hook checkpoints · four deterministic defense layers
Layer 1
Role boundary
Actions outside the role's scope are denied outright.
Layer 2
Intent alignment
Each action is measured against the task the developer typed.
Layer 3
Behavioral baseline
Deviation from known patterns surfaces drift a static rule misses.
Layer 4
Pre-execution gate
The hard stop. Blocked means it never ran.

On-prem. Bring your own keys. Zero external model calls in the enforcement path. The thing protecting the agent does not inherit the prompt injection surface of the agent it watches.

What you get · four capabilities
Prevent
Policy enforced before execution.
Every tool call is checked against your .sentinel.yaml and allowed or denied before it runs, not flagged afterward. Out of the box the policy protects credential stores, private keys, cloud configs, and system directories. A network allowlist gates tool-level requests.
Detect
A behavioral baseline per agent.
Sentinel learns each agent's normal pattern of work and surfaces deviations from it in reports. An anomaly layer on top of the static rules, for the novel behavior a fixed list will not catch. It informs. It does not block.
Prove
A signed record of every tool call.
Every decision, allowed or denied, is appended to a per-project, hash-chained, Ed25519 signed trail anchored by a signed manifest. You can compromise the agent. You cannot compromise the guard.
Assess
See the blast radius first.
sentinel scan walks the repo and lists the files a coding agent could reach, scored by how sensitive each looks by path pattern. Read only. A blast-radius map, so you can tighten policy before it matters.

Endpoint watches processes. Network watches traffic. Both are blind to which file an agent read and whether it matched the task it was given. Sentinel runs where the action happens, in process, at the tool-call boundary.

The policy · one file, .sentinel.yaml

You do not write rules from scratch. init writes a starter policy with a default floor already in place; you tune it, and Sentinel recommends tightening from the actions your developers approve and deny.

Enforcement options · all optional
scopeBoundaryDefault advisory. enforce denies out-of-scope file reads and writes. Advisory logs a scope violation but still runs.
egressScreenDefault off. Screens shell network commands against the allowlist. Detection first: it logs interpreter and obfuscated egress rather than blocking it.
askOnDestructiveDefault on. Routes a curated set of irreversible destructive shell commands to Claude Code's confirmation prompt.
unknownToolsDefault warn. Disposition for unrecognized tool names. warn allows and logs; deny blocks, with an allowlist escape hatch.
.sentinel.yaml
policy:
  allow:
    actions: [file_read, file_write, tool_invocation, network_request, command_exec]
    targets:        # advisory for file and tool actions, logged if outside
      - "src/**"
      - "test/**"
    networkHosts:   # a tool-level network_request is denied unless listed
      - "api.anthropic.com"
      - "github.com"
  forbid:
    targets:        # hard deny. Ships a floor for credentials, keys, cloud, system dirs
      - "secrets/**"
      - "/etc/**"
enforcement:
  restrictAfter: 3   # restrict the agent after this many violations
  quarantineAfter: 5 # quarantine after this many. One command restores it
The signed audit trail · prove what ran
Verifysentinel --verify-audit re-walks the whole hash chain and checks every Ed25519 signature, then returns a single VALID or INVALID verdict you can hand to a reviewer.
Readsentinel --show-audit prints the actual signed entries behind that verdict, newest first. Paths and commands are redacted to shape not contents by default; a deny names what was reached, not the secret it would expose.
RecoverOn a soft flag the developer releases a blocked action in one click. A restricted or quarantined agent is restored with sentinel release from a separate terminal.
Scope and security model · what it is, precisely
FrameA guardrail with a verifiable record, not a sandbox. Enforcement happens where Claude Code asks to run a tool, through its hook, on a cooperative agent doing normal work. It is not adversarial containment.
TrailTamper-evident, not tamper-proof. The trail is hash-chained and signed, so tampering or a deleted entry is detectable and provable. The value is proof.
HostSame-host ceiling. Sentinel runs on the same machine as the agent, so a process determined to route around it on that host can. That is where the signed trail is the backstop: you can still detect and prove what happened. For prevention against a hostile process, pair Sentinel with OS and network isolation.
DetectBehavioral detection is observational. The baseline layer surfaces anomalies in reports. It is a signal to investigate, not an enforcement control.
Coverage, install, and present state
AgentsClaude Code today, through a native hook. That is the only live integration. Support for additional runtimes is on the roadmap; the policy model is built to extend without forking per tool.
Installnpm install @tuent/sentinel then npx sentinel init claude-code. Requires Node 20 or newer. The gateway auto-starts on the next Claude Code run. Licensed Apache 2.0, open source, inspect every line.
State@tuent/sentinel on npm, dist-tag latest. The signed audit trail and the false positive recovery loop are live end to end. The test suite is written and maintained alongside the enforcement engine and runs green at HEAD.

Accuracy notes · Claude Code is the only live adapter. Cross-vendor correlation is the next build, not a present claim. Figures reflect the present shipped state and move as the product ships.

See it catch real behavior, live.
A demo with a live agent, or a free eight week pilot shaped to your use case.
Book a live demo Back to docs