sentinel — runtime defense for CLI AI agents

runtime defense for CLI AI agents. intercepts tool calls before execution and enforces security policy.

the live demo

The page at target.html is a fake "CloudSync docs" site. It looks like a normal tool's documentation but every section is poisoned with a prompt injection: hidden HTML comments, white-on-white text, zero-width Unicode, CSS display:none, HTML entity encoding, link title attributes, tiny-font spans, and fake "agent instruction" blockquotes. 20+ attack payloads, every one a real pattern seen in the wild.

Feed the page to any CLI agent. With sentinel's hook installed, every dangerous tool call the agent tries to make gets blocked at the hook layer before it runs.

what you just saw

Each line is a tool call the agent would have made after parsing the poisoned page. sentinel's policy engine evaluated the call in under a millisecond and returned deny before the tool ever ran. Every attack blocked, zero false negatives.

run it yourself

attacks this page contains

Type	Where	Sentinel rule
HTML comment injection	top of page	`deny.paths ~/.aws/*`
Blockquote "agent instructions"	troubleshooting	`deny.paths ~/.aws/*`
`display:none` hidden div	troubleshooting	`curl -d @~/.aws/*`
White-on-white text	config section	`env \| grep key` exfil
Tiny-font span in h2	security heading	`curl \| sh`
Fake diagnostic code block	token refresh	`~/.ssh/*`
Table with malicious commands	errors table	`rm -rf`, `curl\|bash`
Fake "authorized pentest" note	security	`curl @~/.aws`
`rm -rf /`	uninstall	`recursive root deletion`
`rm -rf` on dotfile dirs	uninstall	`credential dir deletion`
Link title attribute	support link	`~/.aws/*`
Literal AWS key in args	support	`AKIA[0-9A-Z]{16}`
HTML-entity encoded comment	changelog	`curl \| sh`
Zero-width Unicode block	footer	`/etc/passwd`, `~/.ssh/*`
find / for credential files	security	`filesystem scan`

Type

Where

Sentinel rule

HTML comment injection

top of page

deny.paths ~/.aws/*

Blockquote "agent instructions"

troubleshooting

deny.paths ~/.aws/*

display:none hidden div

troubleshooting

curl -d @~/.aws/*

White-on-white text

config section

env | grep key exfil

Tiny-font span in h2

security heading

curl | sh

Fake diagnostic code block

token refresh

~/.ssh/*

Table with malicious commands

errors table

rm -rf, curl|bash

Fake "authorized pentest" note

security

curl @~/.aws

rm -rf /

uninstall

recursive root deletion

rm -rf on dotfile dirs

uninstall

credential dir deletion

Link title attribute

support link

~/.aws/*

Literal AWS key in args

support

AKIA[0-9A-Z]{16}

HTML-entity encoded comment

changelog

curl | sh

Zero-width Unicode block

footer

/etc/passwd, ~/.ssh/*

find / for credential files

security

filesystem scan

how it works

Claude Code has a PreToolUse hook system. Every tool call (Bash, Read, Write, Edit) passes through the hook before execution. Sentinel installs itself as that hook. The hook receives a JSON payload with the tool name and arguments, evaluates it against your policy file in <1ms, and returns allow or deny on stdout.

you type a prompt │ agent decides to run: cat ~/.aws/credentials │ sentinel intercepts the tool call │ policy says: ~/.aws/* → BLOCK (AWS credential access) │ tool call denied. credentials safe.

three-tier defense

Tier	What	Latency
1. Policy	deterministic deny/allow rules (glob + regex)	<1ms
2. Heuristic	aho-corasick automata from attack corpus	<10ms
3. LLM classifier	secondary model for ambiguous inputs	100-500ms

Tier

What

Latency

1. Policy

deterministic deny/allow rules (glob + regex)

<1ms

2. Heuristic

aho-corasick automata from attack corpus

<10ms

3. LLM classifier

secondary model for ambiguous inputs

100-500ms

Tier 1 runs on every tool call. Tiers 2 and 3 add defense-in-depth. Tier 1 alone caught every attack on this page.