Security and recovery
for agentic work.

Sentinel turns AI-touched code, runtime, and security risk into evidence-bound recovery decisions: Atlas context, authority boundaries, verification, and the autonomy level you allow.

kernel.cycle · routing now 10 stages
01Observe · watchers ingest
02Bind · capability passport
03Classify · novelty class
04Constrain · policy, axioms
05Compile · bounded option set
06Adjudicate · Tadabbur · Qiyas
07Render · option + receipt
08Execute / Defer · autonomy ladder
09Verify · predicate satisfied
10Learn · ledger + doctrine
atlas_snapshot #117 · d9b6677d56
atlas 81,787 nodes | edges 539,944 | snapshots #117 | changes_24h 6,967 | atlas-sentinel.service active | build live
Slab 01 · Composite risk

A scanner sees rows.
Sentinel sees a recovery decision.

ESLint and npm audit will surface each of these on their own. Sentinel runs the co-occurrence through the kernel and emits a single compound_app_risk rescue priority — because four bugs that share a blast radius are one emergency, not four work items.

Your scanner output eslint + npm audit
dangerous_dynamic_execution
app.use(eval) on operator-supplied string
possible_command_injection
child_process.exec receives unsanitized input
security_todo
// TODO: replace before prod · never replaced
wide_open_cors
Access-Control-Allow-Origin: *
Sentinel · compound_app_risk
"One vibe-coded app, four co-occurring failures. Rescue, don't triage."
Novelty class · SUBSTRATE_COMPOSITE Sample · 1 TP / 0 FP on vibe fixture Routed · rescue.compose → option_set
Slab 02 · Properties

Replayable. Hashed.
Autonomy-capped.

Three properties of every Sentinel finding — and the reasons buyers can defend the install to a CTO.

01 · Replayable

Same evidence, same option set. Forever.

The kernel compiles the action space mechanically from the evidence graph. Run a finding 100 times, get the same ranked options, the same rejection reasons, the same compilation hash.

$ atlas sentinel route --source sentinel-composite --kind compound_app_risk --limit 1
compiled options3
hashsha256:9c7e…a1f3
$ atlas sentinel route --source sentinel-composite --kind compound_app_risk --limit 1
hashsha256:9c7e…a1f3 (identical)
02 · Hashed

Every claim is a signature.

Findings ship with passport, event, and compilation hashes. The evidence_anchor points to a node in Atlas. Nothing said about the finding is unverifiable.

passport_hash  sha256:c4d9…7e02
event_id       finding.created/4b17
compilation   sha256:18c8…1330
evidence       atlas:node/contributions.js:32
verified       node --check passed
03 · Autonomy-capped

Auto-fix you can trust because it can't lie about what it changed.

Sentinel's capability passport pins max_autonomy_level: 2 by default. Higher rungs require tests, allowlists, and readback — authorized explicitly, never assumed.

  • L1Observe & explain
  • L2Propose repair with verificationdefault cap
  • L3Apply in safe workspace with tests
  • L4Execute allowlisted repair with readback
Slab 03 · Surfaces

Eight surfaces, one event grammar.

Sentinel federates eight watchers across the places software actually fails. Every watcher emits the same event shape, so a Kubernetes alert and a vibe-coded eval injection land in the same ledger.

Kubernetes

k8s watcher
66 live pod_unhealthy findings · top: emr-realtime · CrashLoopBackOff

systemd

systemd watcher
service_failed · service_restart_loop · aria-deep-work.service

Runtime health

runtime-health watcher
live probe results normalized as findings

CLI state

cli-state watcher
"hard gates softened" drift detected across Claude Code & Codex

Repo working tree

repo-state watcher
dirty / stale / cross-session conflict findings

Codebase

codebase watcher
NodeGoat eval injection caught at contributions.js:32-34 · 3 TP / 0 FP

Dependencies

dependency-audit watcher
Snyk/Goof · 20 routed vulns · 20 TP / 0 FP

Composite risk

sentinel-composite
Novel · co-occurring findings → compound_app_risk
Event grammar observation.created finding.created option.compiled repair.proposed task.requested verification.completed lesson.recorded blocker.opened blocker.closed
Slab 04 · Receipts

Proof, not screenshots.

On every reviewed slice so far: 27 findings, 27 true positives, 0 false positives — across NodeGoat, Goof, and the vibe fixture. Below: the latest three rows of the public ledger. Every hash regenerates locally.

sentinel · public ledger / latest 3 live · refreshed daily at 00:00 UTC
Finding Surface Severity Compilation hash Autonomy Outcome
compound_app_risk
SEN-2026-05-17-031 · vibe-fixture
sentinel-composite crit sha256:a116b221b053… L2 → L3 applied · verified
prototype_pollution
SEN-2026-05-16-024 · goof
dependency-audit high sha256:7e3c91f8d24a… L2 repair proposed
pod_unhealthy
SEN-2026-05-17-018 · emr-realtime
k8s high sha256:09b7b959d04a… L1 routed · awaiting auth
3 shown of ? routed · cycle ok=true Open the full ledger →

Every row is real. Every hash is regenerable. If we ever publish a row we can't reproduce, treat it as a bug — and email proof@aria.dev.

Slab 05 · The kernel

Built on the Aria
cognitive kernel.

LLMs should not be trusted to invent the action space. The kernel compiles the action space mechanically from evidence, axioms, domain topology, runtime state, owner policy, and verification predicates.

The model improves language, analysis, tradeoff explanation, and implementation quality — but only inside the bounded options the kernel allows. Sentinel is the first product on the kernel; Atlas is the substrate it watches. Sentinel is the security and recovery layer for teams letting AI touch real systems.

Client surfaces
Claude Code · Codex · OpenCode · CLI
Harness · L1 packet
Cognition + axioms + skills + memory
per-turn injection from substrate
Harness · L2 BIND
Fitrah axiom evaluation · capability passport
intent receipt · packet-hash binding
Harness · L3 gate runtime
Coach kernel · Mizan output gate · pre-tool gate
18+ Claude hooks · stop gate
Cognitive kernel
10-stage compile · Tadabbur-12 · Qiyas-15
Observe → Bind → Classify → Constrain → Compile → Adjudicate → Render → Execute/Defer → Verify → Learn
Sentinel
first product
Repo-org
next
Task runner
action ledger
Future
tba
Slab 06 · The wild

Six moments the kernel turned a failure into a receipt.

Six panels from an in-flight library, auto-curated from Codex, Claude Code, and OpenCode sessions on Aria's own infrastructure. Every panel anchored to a real transcript line; every line regenerable from the path printed at the bottom of the card. More land as new sessions clear review.

Curated 2026-07-16T03:29:57.430Z · atlas snapshot #117 · panel library is in-flight, this is the first six Open all current panels →
Slab 07 · Operator session

Watch me use Sentinel on the product itself.

The launch proof should not be a polished demo. The next public session is an operator run: start from a real Sentinel finding, open the Atlas dossier, route the task, apply the smallest bounded fix, and rebuild the marketing site while the receipt changes on screen.

Formatlive operator session, no synthetic fixture unless named
Runfinding → dossier → task ledger → bounded repair → verification
EvidenceAtlas snapshot #117, build receipt, browser screenshots
Audienceteams shipping AI-touched work into real systems
Schedulingdate announced from owner account after the rehearsal pass