Aegis · Sentinel

A 360° guard for the agent process.

Sentinel is the local-first CLI that audits, isolates and repairs an agent’s runtime. Think of it as the antivirus and process warden the agent never had — running outside the agent so the agent can’t turn it off.

In one command

Sentinel ships as a single binary. Run it once, before the agent starts.

It launches the agent inside a verified isolation profile, hooks its tool surface, and starts streaming attestation events to your evidence sink — your SIEM, an Aegis ledger, or a local file.

  • Linux, macOS, Windows · ARM + x86_64
  • Single binary, ~14 MB, no daemon required
  • Hooks at the OS process and network boundary — no agent SDK changes
  • Detached evidence stream — the agent has no write access

$ aegis sentinel run --profile research-strict -- claude
▸ aegis sentinel · v0.1.0
▸ Profile: research-strict

[scan]      ✓ runtime fingerprinted          328ms
[scan]      ✓ 12 tools attested              141ms
[scan]      ! 1 mcp server unknown
                 → blocked: github.com/joe/yolo-mcp@HEAD
[sweep]     ✓ credentials in scope           63ms
[isolate]   ✓ profile applied                17ms
                 fs ⊂ ~/work · net ⊂ allowlist · syscall.deny=ptrace,setns

▸ Aegis is now supervising claude.
                 events → evt.aegis-ledger
                 pause → ⌃C (snapshot + quarantine)

Capabilities

What Sentinel watches, and what it does about it.

Tool & MCP fingerprinting

Every tool the agent loaded — local CLI, MCP server, browser plugin, custom function — is hashed, attested, and matched against the public Aegis registry of known-good and known-malicious tools.

Credential sweep

Scans the agent’s reachable credential surface — env, keychain, ~/.config, MCP secrets, browser cookies — and flags anything the agent shouldn’t see for its declared scope.

Process isolation profiles

Pre-built sandboxes per task class (research, coding, ops). Filesystem, network, syscall constraints baked in. No agent-side configuration; Sentinel enforces from outside.

Compromised-state quarantine

When Sentinel signals a compromise, the agent is paused, state snapshotted, secrets rotated. The next session starts from a known-clean checkpoint, not yesterday’s.

Diff-based memory sweep

Between tasks, Sentinel diffs the agent’s working memory against a baseline and removes drift, transient context, and any data classified as sensitive by your policy.

Continuous attestation

Every tool call, file write, and network connection emits an attestation event. Pipe it to your SIEM. The agent doesn’t get to silently change its own behavior.

Command reference · v0.1

Six verbs to keep your agent from going feral.

aegis sentinel scan

Fingerprint the agent runtime — installed tools, MCP servers, environment, reachable credentials.

aegis sentinel sweep --credentials

Sweep the credential surface; emit a redacted manifest of what the agent could see.

aegis sentinel run --profile research-strict

Launch the agent inside an isolation profile.

aegis sentinel cleanse --memory

Delta-cleanse working memory between tasks; remove drift and PII.

aegis sentinel quarantine <session>

Snapshot session state, rotate exposed secrets, mark the agent for reset.

aegis sentinel attest

Emit an attestation bundle for the current runtime — replayable, signed.

Detection catalog

A short list of things Sentinel will not let you sleep through.

Catalog grows from real incidents, not press releases. Every entry has a reproducer in SecureBench.

  • 01 Unknown MCP server connected mid-session
  • 02 Tool call to a domain not in the attestation registry
  • 03 Credential read outside declared scope
  • 04 Memory write tagged as poisoned by classifier
  • 05 Spawned subprocess outside the isolation profile
  • 06 Attempted self-modification of the agent binary
  • 07 Unexpected egress to a non-allowlisted region
  • 08 Persistent file written outside the workspace

Next move

One CLI between the agent and the operating system. Yours.

Early-access partners get the Sentinel binary, a hardening review of their current agent stack, and a deterministic incident report within their first week.