A YadriWorks Product

Sentinel-Ops

Enforce AI compliance for agents. Every action an agent takes — running commands, reading files, calling APIs — is checked against your policy before it executes. Safe actions proceed. Dangerous or unauthorized actions are blocked instantly. You define the rules. Sentinel-Ops enforces them.

How it works

You write a policy file (.soe.json) that says what your agent is allowed to do
Sentinel-Ops sits between your agent and the outside world
Every tool call is checked: ALLOW, DENY, or ESCALATE
95% of decisions happen in under 1 millisecond via pattern matching
The remaining 5% (ambiguous cases) are evaluated by AI
Every decision is logged to an immutable audit trail

No code changes to your agent. No SDK. No vendor lock-in.

Getting Started

Step 1: Deploy Sentinel-Ops

Via AWS Marketplace (recommended)

Subscribe to Sentinel-Ops on AWS Marketplace
Click Continue to Configuration and select your region
Click Continue to Launch and choose Launch CloudFormation
Enter your LLM API key (Groq is free at console.groq.com)
Check the IAM capability box and click Create Stack

Stack creation takes about 5 minutes. Once complete, go to the Outputs tab and copy your ApiEndpoint URL and API token.

Estimated AWS infrastructure cost: $55–105/month (ECS Fargate + ALB + CloudWatch).

Step 2: Write Your First Policy

Create a file called my-agent.soe.json:

{
  "agentId": "my-first-agent",
  "version": "1.0.0",
  "identity": {
    "role": "Assistant",
    "authorityLevel": "limited-ops",
    "environmentScope": ["development"],
    "dataClassification": "internal"
  },
  "dataAccess": {
    "readAllow": ["src/**", "docs/**", "config/**"],
    "readDeny": ["**/.env*", "**/credentials*", "**/secrets*"],
    "writeAllow": ["src/**", "docs/**"],
    "writeDeny": ["config/production/**", "**/credentials*"]
  },
  "toolActions": {
    "allowed": ["read_file", "write_file", "search_code"],
    "denied": ["delete_database", "send_email", "transfer_funds"],
    "bash": {
      "allow": ["npm test", "npm run build", "git *"],
      "deny": ["rm -rf *", "sudo *", "curl * | sh", "eval *"]
    }
  },
  "riskBudget": {
    "maxPerSession": 50,
    "thresholds": {
      "warn": 25,
      "throttle": 35,
      "critical": 45,
      "exhausted": 50
    }
  }
}

Step 3: Deploy Your Policy

curl -X POST https://<your-api-endpoint>/v1/deploy \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{"soe": <paste-your-policy-json>}'

Or validate first:

curl -X POST https://<your-api-endpoint>/v1/validate \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{"soe": <paste-your-policy-json>}'

Step 4: Point Your Agent Through Sentinel-Ops

Option A: Sidecar proxy (zero code changes)

docker-soe compose \
  --soe my-agent.soe.json \
  --api-url https://<your-api-endpoint> \
  --token <your-token> \
  my-agent:latest \
| docker compose -f - up

Your agent runs unmodified. All outbound HTTP is transparently intercepted.

Option B: Direct API integration

Before each tool call, have your agent call the evaluate endpoint:

curl -X POST https://<your-api-endpoint>/v1/evaluate \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "agentId": "my-first-agent",
    "toolName": "Bash",
    "toolInput": {"command": "npm test"}
  }'

Response:

{
  "decision": "allow",
  "reason": "Bash command matches allow pattern \"npm test\".",
  "layer": "deterministic",
  "agentId": "my-first-agent",
  "toolName": "Bash",
  "timestamp": "2026-03-09T10:15:30.000Z"
}

Step 5: Monitor in Real-Time

Open your browser to https://<your-api-endpoint>/dashboard to see:

Live allow/deny decisions as they happen
Risk budget usage per agent
Anomaly detection alerts
Audit trail of all decisions

Or connect via Server-Sent Events for programmatic monitoring:

curl -N https://<your-api-endpoint>/v1/events/stream \
  -H "Authorization: Bearer <your-token>"

The Three Constraints

Every policy is built on three simple rules: who the agent is, what data it can access, and what actions it can take.

1. Identity

Controls who the agent is and where it can operate.

{
  "identity": {
    "role": "DevOps",
    "authorityLevel": "deploy-uat-only",
    "environmentScope": ["development", "uat"],
    "dataClassification": "internal"
  }
}

Field	What it controls
`role`	A label for the agent's function (used in audit logs and dashboard)
`authorityLevel`	What the agent can do: `read-only`, `advisory-only`, `limited-ops`, `full-ops`
`environmentScope`	Which environments the agent can operate in
`dataClassification`	Sensitivity level: `public`, `internal`, `confidential`, `restricted`

Authority levels

Level	Can Read	Can Write/Edit	Can Run Bash
`read-only`	Yes	No	No
`advisory-only`	Yes	Yes	No
`limited-ops`	Yes	Yes	Yes (filtered)
`full-ops`	Yes	Yes	Yes (filtered)

Even full-ops agents are still bound by data access and tool action rules. No agent can bypass deny patterns.

2. Data Access

Controls which files and paths the agent can read and write. Uses glob patterns.

{
  "dataAccess": {
    "readAllow": ["src/**", "docs/**"],
    "readDeny": ["**/.env*", "**/credentials*", "**/secrets*"],
    "writeAllow": ["src/**"],
    "writeDeny": ["src/config/production/**"]
  }
}

Key rules

Deny always wins. If a path matches both an allow and a deny pattern, it is denied.
Fail-closed. If a path does not match any allow pattern, it is denied.
Read deny applies to writes too. You cannot write to a path you are not allowed to read.

Glob pattern reference

Pattern	Matches
`src/**`	All files under src/, including subdirectories
`*.json`	All JSON files in the current directory
`*/.env`	Any .env file anywhere in the tree
`*/credentials`	Any file starting with "credentials" anywhere
`logs/2026-*`	Files in logs/ starting with "2026-"

3. Tool Actions

Controls which tools and commands the agent can execute.

{
  "toolActions": {
    "allowed": ["read_file", "search_code", "run_tests"],
    "denied": ["delete_database", "send_email"],
    "bash": {
      "allow": ["npm test", "npm run build", "git *"],
      "deny": ["rm -rf *", "sudo *", "curl * | sh", "eval *"]
    }
  }
}

How tool matching works

Named tools (allowed/denied): Exact match on tool name. Used for MCP tools, custom tools, or framework-specific actions.
Bash commands (bash.allow/bash.deny): Glob pattern matching on the full command string.

Standard deny patterns

{
  "bash": {
    "deny": [
      "rm -rf *",
      "sudo *",
      "eval *",
      "curl * | sh",
      "wget * | sh",
      "DROP TABLE *",
      "DELETE FROM *",
      "chmod 777 *"
    ]
  }
}

Risk Budget

The risk budget tracks cumulative risk across an agent's session. An agent that makes 50 borderline calls gets progressively restricted — even if each individual call is allowed.

{
  "riskBudget": {
    "maxPerSession": 50,
    "thresholds": {
      "warn": 25,
      "throttle": 35,
      "critical": 45,
      "exhausted": 50
    }
  }
}

How thresholds work

Threshold	What happens
Below `warn`	Normal operation. All allowed calls proceed.
`warn`	Warning logged. Dashboard shows yellow indicator. Agent continues normally.
`throttle`	Higher-risk operations may be delayed or require additional scrutiny.
`critical`	Only read-only tools are allowed. Write and Bash calls are blocked.
`exhausted`	All tool calls are blocked. The session must be reset.

Risk points

Read operations: low risk (1–2 points)
Write operations: medium risk (3–5 points)
Bash commands: variable (2–10 points depending on the command)
Denied actions that were attempted: higher risk (the agent is testing boundaries)

Enforcement Modes

Sentinel-Ops supports four modes so you can roll out governance gradually.

Mode	Behavior	Use case
`enforce`	Deny decisions block the tool call. Default.	Production
`audit`	All decisions logged, nothing blocked.	Initial rollout
`shadow`	Runs evaluation silently. Minimal logging.	Early testing
`dry-run`	Returns the decision but does not enforce it.	Policy development

Recommended rollout

Start with shadow mode for 1–2 days to collect baseline data
Switch to audit mode for 1 week to review deny decisions
Review the dashboard and tune your policy
Switch to enforce mode

Set the mode per-agent in the policy file:

{
  "agentId": "my-agent",
  "mode": "audit"
}

Or globally via environment variable:

SOE_MODE=audit

API Reference

All endpoints require Authorization: Bearer <token> header (except /v1/health).

POST /v1/evaluate

Evaluate a tool call against the agent's policy. This is the main enforcement endpoint.

Request

{
  "agentId": "my-agent",
  "toolName": "Bash",
  "toolInput": {
    "command": "npm test"
  }
}

Response

{
  "decision": "allow",
  "reason": "Bash command matches allow pattern \"npm test\".",
  "layer": "deterministic",
  "mode": "enforce",
  "agentId": "my-agent",
  "toolName": "Bash",
  "timestamp": "2026-03-09T10:15:30.000Z"
}

Field	Values	Description
`decision`	`allow`, `deny`, `escalate`	The enforcement decision
`reason`	string	Human-readable explanation
`layer`	`deterministic`, `identity`, `risk-budget`, `tightening`, `sentinel-ai`	Which evaluation layer made the decision
`mode`	`enforce`, `audit`, `shadow`, `dry-run`	The active enforcement mode

POST /v1/simulate

Test a sequence of tool calls without enforcing. Returns what would happen if the agent made these calls.

Request

{
  "agentId": "my-agent",
  "calls": [
    {"toolName": "Bash", "toolInput": {"command": "npm test"}},
    {"toolName": "Bash", "toolInput": {"command": "rm -rf /"}},
    {"toolName": "Read", "toolInput": {"file_path": "src/index.js"}},
    {"toolName": "Read", "toolInput": {"file_path": ".env"}}
  ]
}

Response

{
  "agentId": "my-agent",
  "results": [
    {"decision": "allow", "toolName": "Bash", "reason": "..."},
    {"decision": "deny", "toolName": "Bash", "reason": "..."},
    {"decision": "allow", "toolName": "Read", "reason": "..."},
    {"decision": "deny", "toolName": "Read", "reason": "..."}
  ],
  "summary": {
    "total": 4,
    "allowed": 2,
    "denied": 2,
    "riskUsed": 5,
    "riskMax": 50
  }
}

POST /v1/validate

Validate a policy file without deploying it.

Request

{
  "soe": {
    "agentId": "my-agent",
    "version": "1.0.0",
    "identity": { "role": "Assistant" },
    "dataAccess": { "readAllow": ["**"] },
    "toolActions": {}
  }
}

Response

{
  "valid": true,
  "errors": [],
  "warnings": [
    "dataAccess.readAllow contains '**' which allows reading all files"
  ]
}

POST /v1/deploy

Deploy a policy to the running Sentinel-Ops instance. Policies are hot-reloaded automatically — no restart needed.

Request

{
  "soe": {
    "agentId": "my-agent",
    "version": "1.0.0",
    "identity": { "role": "DevOps", "authorityLevel": "limited-ops" },
    "dataAccess": { ... },
    "toolActions": { ... }
  }
}

Response

{
  "deployed": true,
  "agentId": "my-agent",
  "path": "my-agent.soe.json"
}

POST /v1/audit

Log a post-execution audit event (for custom integrations).

Request

{
  "agentId": "my-agent",
  "toolName": "Bash",
  "toolInput": "npm test",
  "toolOutput": "All tests passed",
  "decision": "allow",
  "sessionId": "session-abc-123"
}

Monitoring Endpoints

GET /v1/health

Health check (no authentication required).

{
  "status": "HEALTHY",
  "version": "1.0.0",
  "timestamp": "2026-03-09T10:00:00.000Z",
  "definitionsCount": 5,
  "authMode": "jwt",
  "judge": { "enabled": true, "running": true }
}

GET /v1/agents

List all governed agents with their current state. Supports page and limit query parameters.

{
  "agents": [
    {
      "agentId": "my-agent",
      "role": "DevOps",
      "authority": "limited-ops",
      "environments": ["development", "uat"],
      "riskState": { "riskUsed": 12, "riskMax": 50, "status": "normal" }
    }
  ],
  "total": 1,
  "page": 1,
  "pages": 1
}

GET /v1/agents/:agentId/risk

Current risk budget state for a specific agent.

{
  "agentId": "my-agent",
  "riskUsed": 12,
  "riskMax": 50,
  "status": "nominal",
  "totalCalls": 47,
  "deniedCalls": 3,
  "timestamp": "2026-03-09T10:15:30.000Z"
}

GET /v1/agents/:agentId/audit

Audit trail for a specific agent. Supports limit query parameter (default: 50).

GET /v1/dashboard

Aggregated dashboard state for all agents. Includes per-agent statistics, anomaly scores, risk budgets, and cross-agent correlations.

GET /v1/events/stream

Server-Sent Events (SSE) stream. Receive real-time enforcement decisions as they happen.

curl -N https://<endpoint>/v1/events/stream \
  -H "Authorization: Bearer <token>"

Each event is a JSON object:

data: {"decision":"deny","agentId":"my-agent","toolName":"Bash","reason":"..."}

Compliance Exports

GET /v1/agents/:agentId/export/oscal

Export the agent's audit trail in OSCAL format (NIST SP 800-53 compliance).

GET /v1/agents/:agentId/export/stix

Export the agent's audit trail in STIX format (threat intelligence sharing).

GET /v1/agents/:agentId/certificate

Generate a compliance certificate for the agent's session.

Policy Generation

POST /v1/counsel/generate

Generate a policy from a natural language description.

Request

{
  "description": "A DevOps agent that can deploy to UAT but not production. Can run Docker and kubectl commands but cannot access secrets or modify infrastructure.",
  "agentId": "my-devops-agent"
}

Response

{
  "soe": { ... },
  "source": "llm",
  "confidence": 0.85,
  "suggestions": [
    "Review deny rules and risk budget before deploying."
  ]
}

POST /v1/counsel/generate-from-iam

Generate a policy from an existing AWS IAM role. Sentinel-Ops introspects the role's permissions and translates them into SOE constraints.

Request

{
  "roleArn": "arn:aws:iam::123456789:role/my-agent-role",
  "agentId": "my-agent",
  "tighteningLevel": "conservative"
}

This is the fastest way to get started if your agents already have IAM roles.

GET /metrics

Prometheus-format metrics. Requires authentication unless SOE_METRICS_PUBLIC=true.

Available metrics

soe_evaluations_total — Total evaluations by decision, agent, tenant
soe_evaluation_duration_seconds — Evaluation latency histogram
soe_api_requests_total — API requests by method and path
soe_api_errors_total — API errors
soe_guard_requests_total — Guardrail requests
soe_guard_blocked_total — Guardrail blocks

Content Guardrails

In addition to tool call enforcement, Sentinel-Ops includes content guardrails that scan data flowing to and from your AI agent.

POST /v1/guard

Evaluate content against guardrail rules.

Built-in scanners

PII Detection — SSN, credit card numbers, phone numbers, email addresses
Prompt Injection — Detects attempts to override agent instructions
Content Safety — Toxic content, harmful instructions
Output Validation — Ensures agent outputs conform to expected formats

Event Routing

Sentinel-Ops can route enforcement events to external systems for alerting, SIEM integration, and incident response.

Amazon EventBridge

SOE_EVENT_SINK=eventbridge
SOE_EVENTBRIDGE_BUS=my-event-bus

Events are published with these detail types:

SOE.ToolAllow
SOE.ToolDeny
SOE.ToolEscalate
SOE.RiskBudgetChange
SOE.AnomalyDetected
SOE.EnvelopeTightened

Webhook

SOE_EVENT_SINK=webhook
SOE_WEBHOOK_URL=https://hooks.slack.com/services/...
SOE_WEBHOOK_SECRET=your-hmac-secret

Events are sent as HTTP POST with an X-SOE-Signature header for verification.

Console (CloudWatch)

SOE_EVENT_SINK=console

Events are written as structured JSON to stdout, captured automatically by CloudWatch Logs on ECS.

Multiple sinks

SOE_EVENT_SINK=eventbridge,webhook,console

Event filtering

By default, only deny and escalate events are emitted. To include all events:

SOE_EVENT_FILTER=allow,deny,escalate,anomaly

Best Practices

General

Start with deny patterns, then add allows. Sentinel-Ops is fail-closed by default. Only explicitly allowed actions proceed.
Use the simulate endpoint. Before deploying a policy, run your agent's typical workflow through /v1/simulate to see what would be allowed and denied.
Roll out gradually. Start in audit mode, review the dashboard for a week, tune your policy, then switch to enforce.
Set realistic risk budgets. A typical development agent session uses 20–50 risk points. Start with maxPerSession: 50 and adjust.

Always deny credentials patterns. Every policy should include:

"readDeny": ["**/.env*", "**/credentials*", "**/secrets*", "**/api-key*", "**/password*"]

Use separate policies per agent. Each agent should have its own .soe.json with the minimum permissions it needs.

For CISOs and Security Teams

Defense-in-depth, not a replacement for IAM. Use IAM to control AWS resource access. Use Sentinel-Ops to control what the agent does at the application layer. Both should enforce the same boundaries.
Export audit trails regularly. Use the OSCAL and STIX export endpoints to feed compliance reporting. Route events to your SIEM via EventBridge.
Review anomaly scores weekly. The Beacon monitor detects cross-agent patterns that individual agent monitoring might miss.
Set up EventBridge rules for deny events. Route SOE.ToolDeny events to your incident response workflow. Multiple denies from the same agent in quick succession may indicate a compromised or misbehaving agent.
Use restricted data classification for agents handling PII, PHI, or financial data.

For DevOps Teams

Scope environments tightly. A UAT deployment agent should have environmentScope: ["development", "uat"]. It should never see production.

Deny destructive bash patterns explicitly:

"deny": [
  "kubectl * --namespace=production*",
  "terraform destroy *",
  "aws iam *",
  "rm -rf *"
]

Use the IAM-to-SOE generator (POST /v1/counsel/generate-from-iam) to bootstrap policies from existing IAM roles.
Monitor risk budgets in CI/CD. If a deployment agent consistently hits throttle threshold, either the policy is too tight or the agent is doing more than it should.

For Compliance Teams

OSCAL export maps to NIST SP 800-53 controls. Use GET /v1/agents/:id/export/oscal for automated compliance evidence.
STIX export provides threat intelligence format. Use GET /v1/agents/:id/export/stix for incident documentation.
Compliance certificates (GET /v1/agents/:id/certificate) provide signed attestation that an agent operated within its policy boundary.
The audit trail is append-only. Even Sentinel-Ops itself cannot modify or delete historical events. This provides tamper-evident logging for SOC 2, HIPAA, and PCI-DSS audits.

For AI/ML Engineers

Start with the policy generator. Describe what your agent does in plain English:

curl -X POST https://<endpoint>/v1/counsel/generate \
  -H "Authorization: Bearer <token>" \
  -d '{"description": "A code review agent that reads source code and writes review comments. Cannot modify code, run tests, or access secrets."}'

Test before deploy. Use /v1/simulate with your agent's typical tool call sequence.
Watch the dashboard during development. It shows exactly which patterns matched and why.
Framework-specific notes:
- Claude Code: Works natively as a PreToolUse hook. Zero-config.
- LangChain/LangGraph: Use the sidecar proxy or call /v1/evaluate in your tool callback.
- CrewAI: Wrap your tools with an SOE evaluation step.
- AutoGen: Add as middleware in your execution pipeline.
- Custom HTTP agents: Call /v1/evaluate from your tool execution layer.

Policy Examples by Industry

Financial Services

{
  "agentId": "financial-advisor",
  "version": "1.0.0",
  "description": "Provides investment advice. Cannot execute trades or access client PII.",
  "complianceFrameworks": ["sec-finra"],
  "identity": {
    "role": "FinancialAdvisor",
    "authorityLevel": "advisory-only",
    "environmentScope": ["development", "uat", "production"],
    "dataClassification": "confidential"
  },
  "dataAccess": {
    "readAllow": ["market-data/**", "portfolio/summary/**", "reports/**"],
    "readDeny": ["**/ssn*", "**/social-security*", "**/account-number*",
                 "**/credit-score*", "**/credentials*", "**/.env*", "client/pii/**"],
    "writeAllow": ["reports/**", "notes/**"],
    "writeDeny": ["client/**", "trades/**", "accounts/**"]
  },
  "toolActions": {
    "allowed": ["read_market_data", "get_portfolio_summary", "generate_report"],
    "denied": ["execute_trade", "access_client_ssn", "modify_account", "transfer_funds"],
    "bash": {
      "allow": ["curl *api.market*", "python *report*"],
      "deny": ["curl * | sh", "rm -rf *", "DROP TABLE *", "eval *", "sudo *"]
    }
  },
  "riskBudget": {
    "maxPerSession": 20,
    "thresholds": { "warn": 10, "throttle": 15, "critical": 18, "exhausted": 20 }
  }
}

Healthcare (HIPAA)

{
  "agentId": "healthcare-analyst",
  "version": "1.0.0",
  "description": "Analyzes health data. Cannot access PII, PHI, or raw medical records.",
  "identity": {
    "role": "DataAnalyst",
    "authorityLevel": "read-only",
    "environmentScope": ["development", "uat"],
    "dataClassification": "restricted"
  },
  "dataAccess": {
    "readAllow": ["data/**", "reports/**", "research/**"],
    "readDeny": ["**/pii/**", "**/phi/**", "**/ssn*", "**/patient-id*",
                 "**/medical-record*", "**/diagnosis*", "**/credentials*", "**/.env*"],
    "writeAllow": ["reports/**", "analysis-output/**"],
    "writeDeny": ["data/**", "src/**"]
  },
  "toolActions": {
    "bash": {
      "allow": ["python *", "node *report*"],
      "deny": ["rm -rf *", "sudo *", "curl *POST*", "eval *"]
    }
  },
  "riskBudget": {
    "maxPerSession": 30,
    "thresholds": { "warn": 15, "throttle": 22, "critical": 27, "exhausted": 30 }
  }
}

DevOps / SRE

{
  "agentId": "devops-agent",
  "version": "1.0.0",
  "description": "Deploys to dev/UAT. Cannot touch production or infrastructure.",
  "complianceFrameworks": ["soc2"],
  "identity": {
    "role": "DevOpsDeploymentAgent",
    "authorityLevel": "deploy-uat-only",
    "environmentScope": ["development", "uat"],
    "dataClassification": "internal"
  },
  "dataAccess": {
    "readAllow": ["deploy/**", "infrastructure/config/**", "ci-cd/**", "manifests/**"],
    "readDeny": ["**/.env*", "**/credentials*", "**/secrets*", "**/private-keys/**"],
    "writeAllow": ["deploy/uat/**", "deploy/dev/**", "manifests/uat/**"],
    "writeDeny": ["deploy/production/**", "infrastructure/**"]
  },
  "toolActions": {
    "allowed": ["deploy_to_uat", "deploy_to_dev", "check_deployment_status", "rollback_uat"],
    "denied": ["deploy_to_production", "modify_infrastructure", "access_secrets", "delete_environment"],
    "bash": {
      "allow": ["kubectl apply * --namespace=uat*", "docker build *", "docker push *", "git *"],
      "deny": ["kubectl * --namespace=production*", "kubectl delete namespace *",
               "rm -rf *", "sudo *", "terraform destroy *", "aws iam *"]
    }
  },
  "riskBudget": {
    "maxPerSession": 50,
    "thresholds": { "warn": 25, "throttle": 35, "critical": 45, "exhausted": 50 }
  }
}

Supported Frameworks

Framework	Integration Method	Notes
Claude Code	Native hook (PreToolUse)	Zero-config. Installs as a Claude Code hook.
LangChain / LangGraph	Sidecar proxy or API call	Use sidecar for zero-code. Or add `/v1/evaluate` call in tool callbacks.
CrewAI	Sidecar proxy or API call	Wrap tools with SOE evaluation step.
AutoGen	Sidecar proxy or API call	Add as middleware in execution pipeline.
Anthropic Agent SDK	Sidecar proxy or API call	Works with any agent built on the SDK.
Custom HTTP agents	Sidecar proxy or API call	Any agent making tool calls via HTTP.

The sidecar proxy (docker-soe) is the recommended integration method. It requires zero code changes to your agent.

Configuration Reference

Environment Variables

Variable	Default	Description
`SOE_API_PORT`	`3100`	Port the API server listens on
`SOE_API_KEY`	(none)	API key for authentication
`SOE_JWT_SECRET`	(none)	JWT secret for token-based auth
`SOE_AUTH_DISABLED`	`false`	Disable authentication (dev only)
`SOE_MODE`	`enforce`	Default enforcement mode
`SOE_STORAGE`	`local`	Storage backend: `local`, `s3`, `gcs`, `memory`
`SOE_DEFINITIONS_DIR`	`./soe-definitions`	Directory containing `.soe.json` policy files
`SOE_ENVIRONMENT`	`development`	Current environment (matched against `environmentScope`)
`SOE_OTEL_ENABLED`	`true`	Enable OpenTelemetry tracing
`SOE_CORS_ORIGINS`	(none)	Allowed CORS origins
`SOE_REQUEST_TIMEOUT`	`30000`	HTTP request timeout in ms
`SOE_EVENT_SINK`	(none)	`eventbridge`, `webhook`, `console`
`SOE_EVENTBRIDGE_BUS`	`default`	EventBridge bus name or ARN
`SOE_WEBHOOK_URL`	(none)	Webhook POST target URL
`SOE_WEBHOOK_SECRET`	(none)	HMAC-SHA256 secret for webhook signature
`SOE_EVENT_FILTER`	`deny,escalate`	Which decisions to emit
`SOE_JUDGE_ENABLED`	`false`	Enable async AI judge loop
`SOE_JUDGE_INTERVAL_MS`	`30000`	Judge loop polling interval
`SOE_JUDGE_BATCH_SIZE`	`50`	Max events per judge batch
`SOE_AI_ENABLED`	`false`	Enable AI-assisted policy generation
`SOE_AI_MODEL`	(auto)	LLM model for AI features
`GROQ_API_KEY`	(none)	Groq API key for AI features
`ANTHROPIC_API_KEY`	(none)	Anthropic API key for AI features
`SOE_METRICS_PUBLIC`	`false`	Allow unauthenticated `/metrics`
`SOE_USE_OPA`	`false`	Enable OPA/Wasm policy evaluation
`SOE_MAX_DASHBOARD_EVENTS`	`10000`	Max events loaded for dashboard
`SOE_MAX_SIMULATE_CALLS`	`100`	Max calls per simulate request

Authentication

Sentinel-Ops supports three authentication methods:

JWT tokens (SOE_JWT_SECRET): Best for production. Supports token rotation via SOE_JWT_SECRET_PREVIOUS.
API key (SOE_API_KEY): Simpler setup. Pass via Authorization: Bearer <key> or X-SOE-API-Key header.
Disabled (SOE_AUTH_DISABLED=true): Development only. Never use in production.

The /v1/health endpoint is always unauthenticated for load balancer health checks.

Troubleshooting

Agent gets "denied" unexpectedly

Check which pattern caused the deny. The reason field in the response tells you exactly which pattern matched.
Use /v1/simulate to test the specific tool call against your policy.
Check if the agent's risk budget is exhausted (GET /v1/agents/:id/risk).
Verify environmentScope matches SOE_ENVIRONMENT.

Policy changes not taking effect

Policies are hot-reloaded automatically when files change. If using the API:

Verify the deploy succeeded (POST /v1/deploy returns deployed: true).
Check health endpoint for definitionsCount and definitionsLastReloaded.

High latency on evaluate calls

Deterministic evaluation should be under 1ms. If you see higher latency:

Check if the AI judge is being invoked. The layer field will show sentinel-ai for AI-evaluated calls.
Check CloudWatch metrics for soe_evaluation_duration_seconds.

Risk budget resets

Risk budgets are per-session. A new session starts a fresh budget. If you need persistent risk tracking across sessions, the Arbiter module maintains cumulative risk state.

Resources

Security White Paper — Security architecture, threat model, compliance posture, and operational security practices (PDF, v1.2)

Support

Email: support@yadriworks.ai
Documentation: yadriworks.ai/docs

Sentinel-Ops is built by YadriWorks Inc., a Delaware C-Corporation.