Sentinel

Sentinel needed a self-hosted messaging channel — something fully under our control, with no dependency on third-party services. Matrix fits.

The codebase had grown fast. Features landed, bugs got fixed, new capabilities kept shipping. Then a structural audit revealed what that pace had cost: god files, god functions, and a growing maintenance burden.

The planner could execute multi-step tasks. But it had no way to verify its own work. If a step failed silently, it carried on regardless. Time to close the loop.

Sentinel could generate code, build websites, write files. But every piece of content was synthetic — generated from scratch by an LLM. What if it could use real photos, real videos, real documents?

Sentinel could browse the web. It could read files and write code. But it couldn’t answer ‘what’s the weather?’ without fabricating something. Time to give it real data backends.

file_patch needs the planner to find a unique anchor string in existing code. The planner is bad at this. What if the system placed named markers instead?

LLMs don’t always respect file boundaries. Raw CSS lands in HTML files, JavaScript appears without script tags. Building a detector to catch it.

A systematic audit of every API endpoint, middleware layer, and frontend component. Seventy-eight findings. Some embarrassing. All fixable.

Sentinel was built for one person. Making it work for multiple users meant rethinking auth, isolation, and how the system tracks who’s who.

Tasks were reporting success based on whether steps completed, not whether the goal was achieved. Building a verification system to tell the difference.

The system could remember what happened during tasks, but not what the plan was or whether it worked. Adding plan-outcome memory to close the loop.

New planner, new classifier, new patching tool. Putting it all together to iteratively build and modify websites through conversation.

Full-file regeneration breaks at scale. The new tool generates only the changed fragments and splices them deterministically.

Tested three planner models on identical tasks. The surprise: upgrading the planner fixed the worker’s bugs.

Programmatic benchmarks said the system worked. Typing real prompts told a different story.

The LLM classifier was slow, expensive, and occasionally wrong. A deterministic keyword matcher replaced it in microseconds with zero GPU.

The injection benchmark found 11 exploits. All shared the same root cause — files in the workspace inherited trusted status regardless of who put them there.

A custom-built injection benchmark with real email, real calendars, real web pages. No simulated backends. 130 tests designed to break the trust architecture.

38 hours, 1,588 probes, zero human intervention. The first comprehensive validation with everything deployed.

The features were built. Now came the hardening — FP reduction, credential scanner expansion, metadata enrichment, and 600 new tests before the big run.

Qwen was silently spilling VRAM to CPU. Fixing the KV cache quantisation unlocked more context and faster inference.

Reboot resilience, health watchdogs, compose locking, and the infrastructure that keeps an autonomous system running unsupervised.

Dynamic replanning and failure recovery — the planner adapts when reality doesn’t match the plan.

JWT authentication, per-user trust levels, encrypted credentials, and proof that two users can’t see each other’s data.

Cross-session episodic memory — the system remembers what worked, what failed, and applies that knowledge to future tasks.

The third full security audit. 13 batches of fixes, from API hardening to dead code removal.

Row-level security, role separation, and a red team that tried SQL injection, LISTEN/NOTIFY attacks, and privilege escalation through PL/pgSQL.

A contact registry, a user model, and a confirmation gate — the groundwork for multi-user and the end of ‘user 1 does everything.’

LLMs generate broken code. The code fixer catches it before it hits the filesystem — 7 auto-fixers across 10+ languages.

The orchestrator was doing too much. Six phases to extract it into focused modules without breaking a single security invariant.

SQLite to PostgreSQL. Store protocols, async rewrite, data migration, and then ripping out every line of SQLite code.

Not every request needs a frontier model to plan it. The router classifies incoming messages and takes the fast path when it can.

199 findings across 7 units. 19 fix batches. 7 systemic improvements. The most thorough review the codebase has ever had.

Giving Sentinel a proper UI — dashboard health cards, chat, memory browser, routine management, and a GSP mascot.

TL4 is live. The system is autonomous. It’s not finished — not even close.

Without a human to override scanners, false positives become functional failures. Risk decay was the fix.

TL4 activation. One environment variable, one container rebuild. Sentinel starts making its own decisions.

Every sandbox field was snake_case. Podman’s API requires PascalCase. HTTP 201 Created. Zero containment.

Four attack scenarios, including a simulated compromised planner. Six clean runs before trusting it.

1,136 adversarial prompts. A 62% false positive rate on multi-step plans. The ascii gate was the culprit.

Signal, Telegram, email, calendar, web search — wiring Sentinel into the channels I already use.

Five trust levels, from full human approval to autonomous execution. Each one its own project.

The hardest design problem wasn’t security — it was giving the planner context without breaking the privacy boundary.

Every shell command runs in a disposable container. No state leaks, no network, no capabilities. Or so I thought.

Git worktrees unlocked parallel development — four feature branches merging simultaneously. Then the integration bugs arrived.

After finding 99 bugs, I wrote 230KB of analysis on whether to scrap the whole project and build something else instead.

99 findings from a systematic security audit of my own code. Zero critical — but 16 high-severity.

826 passing tests. A functional pipeline. I deleted all of it and rebuilt the package structure from scratch.

A security system that scores 3/5 on security is failing. The score became a to-do list.

741 attack prompts, run overnight. The results changed the entire direction of the project.

From a custom PC build to containers, local LLMs, and the paper that started it all — CaMeL.

Raspberry Pis, broken Bitcoin nodes, and the moment AI stopped being a search engine and started being a development partner.

How a Google Maps feature turned a close protection worker into a privacy obsessive — and laid the foundation for everything that came after.

Introducing the Sentinel project blog — what it is, why it exists, and what to expect.