TL4 activation day. The moment the system goes from “asks permission for everything” to “executes autonomously within constraints.”
Six consecutive clean red team runs. Functional test suites scoring 85-100% across five capability areas. The sandbox actually contained (verified three times since the PascalCase incident). Every scanner tuned, every false positive path identified, every policy constraint tested.
The activation itself was anticlimactic. Change one environment variable, rebuild the container, restart compose. The system came up, the health check passed, and suddenly Sentinel was making its own decisions.
At first I watched the logs obsessively. Every request that came in, I followed the plan through the pipeline. Claude planning, constraints being set, the worker executing inside the sandbox, scanners checking the output, results flowing back. Each step leaving a trace in the audit log.
It worked. Not perfectly — there are still Qwen quality issues where the worker model’s 14B parameter ceiling shows, and there are still edge cases where the scanners flag something legitimate. But the architecture held. The trust levels held. The constraints held.
What struck me was how different it felt from the web UI approval days. Before, every request was a conversation — I’d read the plan, check the steps, approve or modify. Now it just… happens. The system plans, executes, responds. The human approval that used to be in the middle has been replaced by constraints, validators, scanners, and a constitutional denylist.
That’s the whole point of the project, and it still felt strange to actually experience it.