An attack seen once anywhere immunizes every agent everywhere.
Runtime enforcement + a tamper-evident antibody network that spreads immunity across nodes — on-premise, sovereign, zero third-party runtime dependencies.
This is the open-core edition of SENTINEL. It includes the full architecture, the antibody network, the tamper-evident ledger, the federation crypto (KeyRing), the fail-closed enforcement engine, and the complete public interfaces — enough to understand the system, run it end-to-end, and integrate against it.
The detection core — the exact matcher algorithms (sequence alignment, graph topology, risk flow, fusion) and the cross-session danger-core extractor that achieve the benchmarked accuracy — is the commercial core and is provided under license. In this edition those modules ship as working interface stubs so the whole system runs.
Open: the architecture, the network, the standard. Licensed: the detection brain.
Every AI-agent security tool detects or gateways — they sit in monitoring mode, and immunity does not spread. SENTINEL is a living immune system:
- Blocks the hijacked action at runtime (fail-closed).
- Extracts a content-free, signed "antibody" — the attack's structural signature, never your data.
- Shares it across every node — an attack identified once immunizes the whole network.
attack → BLOCK → antibody → shared memory → everyone immune
The network effect is the moat: a competitor can copy a feature, not a running network.
pip install -e ".[dev]"
pytest # 25 infrastructure tests pass; 7 detection-core tests skip (commercial)Fully working here: antibody protocol structure, tamper-evident hash-chain + Merkle ledger, signed feed export/import with verification, federation KeyRing (rotation, revocation, replay protection), fail-closed enforcement engine, node model, discovery, CLI.
Interface-only (commercial core): the matcher algorithms and the cross-session danger-core extractor that produce the benchmarked detection numbers.
See OWASP_AGENTIC_MAPPING.md — the architecture maps
to 8/10 fully, 2/10 partially. Core strengths: ASI01 (Goal Hijack) and ASI06
(Memory/Context Poisoning).
Palo Alto, Lasso, Lakera, Prompt Security — all centralized cloud. Regulated buyers (healthcare, finance, defense, EU sovereignty) legally cannot send agent traffic to a US cloud. SENTINEL is standard-library-only, air-gappable, sovereign by construction.
The detection core (matchers + danger-core extractor), the full benchmark suite, and the 100k-scale gate are available under commercial license, along with the reproducible evidence a buyer can re-run.
Contact: hybridarchitect@proton.me
Open-core edition: Apache-2.0. Commercial core: separate license.