Sentinel
Local LLM rule evaluator for coding agent hooks.
Gates agent actions against repo-defined rules using Ollama. Silent when everything passes, blocks on violations.
Quick start
# Add the marketplace
/plugin marketplace add AndurilCode/sentinel
# Install the plugin
/plugin install sentinel@sentinel
# Initialize in your repo
/sentinel-init
/sentinel-init handles everything: installs Ollama if missing, pulls the model, starts the server, and scaffolds .claude/sentinel/ in your repo.
Create rules
/sentinel-rule
Walks you through creating a rule: what to protect, trigger type, scope, severity. Writes the YAML to .claude/sentinel/rules/.
Commands
| Command | Description |
|---|
/sentinel-init | Install prerequisites, scaffold config and rules |
/sentinel-rule | Create a rule through guided conversation |
/sentinel-config | View or update configuration |
How it works
Sentinel runs as a PreToolUse hook. On every agent action:
- Matches the action against rule scope globs (no LLM call if nothing matches)
- Evaluates matching rules in parallel — one Ollama call per rule, binary classification
- Blocks on violations (outputs
permissionDecision: deny), silent on pass
Rules live in your repo at .claude/sentinel/rules/*.yaml. The plugin evaluator lives outside your repo.
Example rule
id: dangerous-commands
trigger: bash
severity: block
scope:
- "git push --force*"
- "*rm -rf*"
exclude:
- "*--dry-run*"
prompt: |
A coding agent is about to execute: {{command}}
RULE: Force-pushing and recursive deletion are prohibited.
Does this command violate the rule?
Respond ONLY with JSON: {"violation": true/false, "confidence": 0.0-1.0, "reason": "one line"}
See examples/ for more: file write guards, MCP production gates, secret detection.
Supported agents
Sentinel recognizes tool names from multiple coding agents out of the box:
| Agent | File write | Terminal | MCP format |
|---|
| Claude Code | Write, Edit, MultiEdit, NotebookEdit | Bash | mcp__server__tool |
| GitHub Copilot (VS Code) | create_file, replace_string_in_file | run_in_terminal | native tool names |
| Cursor | edit_file | run_terminal_cmd | mcp_server_tool |
| Windsurf | write_to_file, edit_file | run_command | native tool names |
| Cline | write_to_file, replace_in_file | execute_command | use_mcp_tool wrapper |
| Amazon Q | fs_write | execute_bash | @server/tool |
To add a custom agent or override mappings, set tool_map in your config.yaml:
tool_map:
my_write_tool: file_write
my_shell_tool: bash
For agents with different MCP naming conventions (e.g. Cursor), configure the prefix and separator:
mcp_prefix: "mcp_"
mcp_separator: "_"
See docs/reference.md for the full configuration reference.
Requirements
- Python 3
- Ollama with a pulled model (default:
gemma3:4b)
PyYAML is auto-installed on first run if missing.
AndurilCode
