Releases: marcuspat/Sentinel
Releases · marcuspat/Sentinel
Release list
Sentinel v0.1.0 — Safe Agentic System Administration
Overview
Sentinel is a safe, auditable agentic system administration tool written in Rust. It drives an Investigate → Plan → Approve → Act workflow: the LLM gathers read-only observations, proposes a structured plan, waits for explicit operator approval, then executes under a strict deny-by-default policy engine with a hash-chained audit log.
This is the first public release of Sentinel — a production-ready Rust workspace of 8 crates, fully audited, clippy-clean, and cargo-audit-verified.
Highlights
- 🛡️ Deny-by-default policy engine with kill switch, resource guards, and risk-tiered rules
- ✅ Operator approval gate — no mutating action runs without explicit human confirmation
- 🔗 Hash-chained audit log — SHA-256 chain, JSONL export, tamper detection
- 🔧 14 built-in capabilities — filesystem, process, packages, network, metrics
- 🤖 Pluggable LLM backends — Anthropic Claude, OpenAI, Ollama
- 🌐 Fleet mode — mutual TLS (rcgen + rustls 0.23), staged rollouts
- 🖥️ Interactive TUI — ratatui 0.30, full keyboard navigation, 5 tabs
- 🧪 382 tests passing — 2 new tests added for PID 1 and invalid signal handling
Architecture — 8-Crate Workspace
sentinel-core Capability trait, RiskTier, CapabilityResult, Plan types
sentinel-exec Sandboxed command executor (allowlist, timeout, rlimits)
sentinel-policy PolicyEvaluator: kill switch → resource guards → rules
sentinel-audit SHA-256 hash-chained audit log, JSONL, Prometheus metrics
sentinel-capabilities 14 concrete capabilities (fs, process, packages, net, metrics)
sentinel-agent-llm Investigate/Plan/Act reasoning loop, LLM backends
sentinel-fleet mTLS fleet management, staged rollouts
sentinel-tui ratatui TUI: 5 tabs, approval workflow, clap CLI
Pre-Release Security Hardening — 10 Findings Resolved
| # | Severity | Area | Finding | Resolution |
|---|---|---|---|---|
| 1 | Critical | Policy | Approval bypass in policy evaluator | Evaluation order fixed; approval gate is now unconditional |
| 2 | High | Core | capability_id missing input validation | Input validated against [a-zA-Z0-9._-] pattern |
| 3 | High | Exec | write_all atomicity in sandboxed executor | Executor uses single write_all to prevent partial writes |
| 4 | Medium | Policy | Kill switch not first in policy evaluation chain | Kill switch is now the unconditional first check |
| 5 | Medium | Capabilities | Path validation missing for destructive operations | Destructive capabilities reject all system directories |
| 6 | Medium | Policy | TimeWindow evaluated against client clock | Time restriction checks server wall-clock only |
| 7 | Medium | Capabilities | deny_network missing explicit operator warning | deny_network emits explicit warning before enforcement |
| 8 | Low | Docs | Investigation registry documentation out of date | Docs updated to match current registry implementation |
| 9 | Medium | Audit | JSONL audit write could crash mid-entry | Single write_all call eliminates body/newline split crash window |
| 10 | Medium | Ops | Build artifacts and .claude/ tracked in VCS | .gitignore updated — /target/ and .claude/ excluded |
Dependency Upgrades (CVEs Resolved)
| Package | Upgraded To | Notes |
|---|---|---|
| lru | 0.16.4 | Replaces vulnerable 0.12.5 — CVE resolved |
| rustls | 0.23 | rustls-webpki CVEs resolved; ring feature enabled |
| rustls-pemfile | 2.0 | Aligned with rustls 0.23 API |
| prometheus | 0.14 | Latest stable; process metrics |
| ratatui | 0.30 | Latest stable TUI framework |
| reqwest | 0.12 | Latest stable; rustls-tls backend |
Quick Start
# Interactive TUI
sentinel
# Run with a goal
sentinel run "Ensure nginx is running and serving traffic"
# With Anthropic Claude backend
ANTHROPIC_API_KEY=sk-... sentinel run "Fix high disk usage on /var"
# Build (requires Rust 1.75+)
cargo build --releaseDocumentation
- docs/adr/ — Architecture Decision Records
- docs/ddd/ — Domain-Driven Design documentation
- Full release notes and validation report attached below
Built with Rust. Designed for operator trust. Apache-2.0