Architecture

Five stages. One verdict. Zero trust in the agent.

Every tool call crosses the same control plane before any upstream side effect. Any layer can veto; every decision is written to a replayable chain.

Agent mTLS client cert
Proxy parks tool call
Brain intent + drift + injection
Policy Rego + velocity
HIL gate approve, deny, expire
Upstream side effect waits here
Ledger verdict + outcome
Green path

Low-risk calls keep moving.

Proxy inspects, Brain and policy agree, upstream executes, and the ledger stores the allow verdict plus outcome.

Yellow path

Risky calls wait for a human.

The proxy parks the request as Pending; Slack or Teams approval releases it, while expiry fails closed.

Red path

Denied calls never reach upstream.

Brain, policy, velocity, or HIL veto ends the request before credentials are injected or the side effect fires.

  1. 01

    Proxy

    mTLS ingress · Vault credential injection · coordinator

    Agents authenticate with client certs. Real credentials never touch the agent — the proxy injects them into upstream calls only after the verdict resolves.

  2. 02

    Brain

    Three‑signal semantic eval

    • Intent classification — does the call match the agent's declared role?
    • Persona drift — embeddings vs. baseline; jailbreaks separate in vector space.
    • Indirect injection — a sandboxed inspector model reads tool input for embedded instructions (Claude Haiku 4.5 by default; any provider via CLAVENAR_BRAIN_MODELS_FILE).
    Inspector isolation

    The inspector is a different model from your agent's primary LLM. Compromising one doesn't compromise the other.

  3. 03

    Policy Engine

    Pure‑Rust Rego · velocity circuit breaker

    Your existing Rego policies, evaluated in‑process. Per‑agent velocity tracker (in‑memory or NATS‑KV for multi‑instance) catches runaway loops and credential‑harvesting bursts.

  4. 04

    HIL

    Human approvals for the dangerous bits

    Yellow‑tier tools (wires, prod writes, mass emails) park as Pending. Approvers click Approve in Slack or Teams. Expired requests fail closed. The agent waits.

  5. 05

    Ledger

    SHA‑256 hash‑chained forensic store

    Every verdict, every approval, every upstream outcome — written in canonical JSON, chained to the prior entry. Tamper a row and /verify tells you which one. Cold‑tier export ships signed Parquet manifests to S3 for seven‑year retention.

What the agent never gets

Real upstream credentials Direct upstream socket Policy mutation rights Approval authority Ledger rewrite path

Failure behavior

Component fault Default posture Operator signal
Semantic engine unavailable Do not silently skip inspection; use an explicit fallback or hold the request. Brain health and per-request evidence show degraded inspection.
Policy store unavailable No policy verdict, no upstream release. Proxy surfaces a policy-decision fault instead of an allow.
HIL channel unavailable Yellow requests remain pending until approval or expire closed. Queue and notification health identify the stuck channel.
Ledger append unavailable The decision is not treated as complete proof. Operator sees a proof-path fault and can replay by correlation ID.
NATS-KV unavailable Single-instance velocity still protects the process; fleet-wide breaker waits for KV health. Velocity health shows local vs. shared-window state.
Request replay

A refund that must not run early.

The proxy receives the tool call, parks it, resolves Brain, policy, and HIL, and only then releases the upstream call. The correlation ID ties every row together for later audit.

POST /mcp/tools/call
{
  "tool": "refund.issue",
  "amount": 8500,
  "customer_id": "cus_9d2",
  "correlation_id": "demo-sentinel-003"
}

verdict: Pending -> Approved -> UpstreamCalled
proof: /audit/correlation/demo-sentinel-003