Local LLM rule evaluator for coding agent hooks. Gates agent actions against repo-defined rules using Ollama. Silent when everything passes, blocks on violations.
# Add the marketplace
/plugin marketplace add AndurilCode/sentinel
# Install the plugin
/plugin install sentinel@sentinel
# Initialize in your repo
/sentinel-init/sentinel-init handles everything: installs Ollama if missing, pulls the model, starts the server, and scaffolds .claude/sentinel/ in your repo.
/sentinel-ruleWalks you through creating a rule: what to protect, trigger type, scope, severity. Writes the YAML to .claude/sentinel/rules/.
| Command | Description |
|---|---|
/sentinel-init |
Install prerequisites, scaffold config and rules |
/sentinel-rule |
Create a rule through guided conversation |
/sentinel-config |
View or update configuration |
Sentinel runs as a PreToolUse hook. On every agent action:
- Matches the action against rule scope globs (no LLM call if nothing matches)
- Evaluates matching rules in parallel — one Ollama call per rule, binary classification
- Blocks on violations (outputs
permissionDecision: deny), silent on pass
Rules live in your repo at .claude/sentinel/rules/*.yaml. The plugin evaluator lives outside your repo.
id: dangerous-commands
trigger: bash
severity: block
scope:
- "git push --force*"
- "*rm -rf*"
exclude:
- "*--dry-run*"
prompt: |
A coding agent is about to execute: {{command}}
RULE: Force-pushing and recursive deletion are prohibited.
Does this command violate the rule?
Respond ONLY with JSON: {"violation": true/false, "confidence": 0.0-1.0, "reason": "one line"}See examples/ for more: file write guards, MCP production gates, secret detection.
Sentinel recognizes tool names from multiple coding agents out of the box:
| Agent | File write | Terminal | MCP format |
|---|---|---|---|
| Claude Code | Write, Edit, MultiEdit, NotebookEdit |
Bash |
mcp__server__tool |
| GitHub Copilot (VS Code) | create_file, replace_string_in_file |
run_in_terminal |
native tool names |
| Cursor | edit_file |
run_terminal_cmd |
mcp_server_tool |
| Windsurf | write_to_file, edit_file |
run_command |
native tool names |
| Cline | write_to_file, replace_in_file |
execute_command |
use_mcp_tool wrapper |
| Amazon Q | fs_write |
execute_bash |
@server/tool |
To add a custom agent or override mappings, set tool_map in your config.yaml:
tool_map:
my_write_tool: file_write
my_shell_tool: bashFor agents with different MCP naming conventions (e.g. Cursor), configure the prefix and separator:
mcp_prefix: "mcp_"
mcp_separator: "_"See docs/reference.md for the full configuration reference.
- Python 3
- Ollama with a pulled model (default:
gemma3:4b)
PyYAML is auto-installed on first run if missing.