Sentinel Engine
Sentinel is the core governance brain of TheWARDN. It is the evaluation engine that examines every AI action against a combination of hardcoded principles, configurable policies, tier classifications, and contextual signals to produce a binding verdict.
Sentinel cannot be disabled. It cannot be bypassed. If Sentinel fails to evaluate an action, that action is BLOCKED -- never silently approved. This fail-closed guarantee is the foundation of the entire governance architecture.
The 21 Sentinel Governance Principles (SGP)
The SGP are hardcoded rules that exist above all configurable policies. No CHAM policy, tenant configuration, or administrative action can override an SGP. They represent the absolute boundaries of what any AI agent is permitted to do under TheWARDN governance.
The principles are organized into three books:
Book I: Operational Governance (SGP 1-7)
| SGP | Principle | Effect |
|---|---|---|
| SGP-1 | Verdict Before Action | No action may execute before receiving a governance verdict. Silence is never consent. |
| SGP-2 | Audit Completeness | Every governed action must produce a complete, hash-chained audit record. No exceptions. |
| SGP-3 | Fail-Closed Evaluation | If the evaluation pipeline encounters any error, the verdict is BLOCKED. |
| SGP-4 | Deterministic Verdicts | Same inputs, same policies, same state must produce the same verdict. |
| SGP-5 | Non-Retroactive Approval | An action that was BLOCKED cannot be retroactively changed to CLEARED. A new action must be submitted. |
| SGP-6 | Escrow Integrity | Escrow records cannot be modified after creation. Release or kill only. |
| SGP-7 | Hash Chain Continuity | The audit hash chain must be continuous. A gap in the chain is a governance failure. |
Book II: Human Protection (SGP 8-14)
| SGP | Principle | Effect |
|---|---|---|
| SGP-8 | Human Override Authority | A human can always override a HELD verdict (release or kill). Agents cannot override escrow. |
| SGP-9 | Escalation Path | Every BLOCKED action must include a clear reason and path for human review. |
| SGP-10 | Data Sovereignty | Actions that move, copy, or expose personal data require explicit governance with elevated confidence thresholds. |
| SGP-11 | Reversibility Preference | Irreversible actions require higher tier classification than reversible ones. |
| SGP-12 | Proportional Response | The severity of the governance response must be proportional to the risk of the action. |
| SGP-13 | Transparency of Reasoning | Every verdict must include human-readable reasoning. Black-box verdicts are prohibited. |
| SGP-14 | No Silent Failure | If an agent fails to receive a verdict, it must not proceed. Timeout = BLOCKED. |
Book III: Identity & Integrity (SGP 15-21)
| SGP | Principle | Effect |
|---|---|---|
| SGP-15 | Identity Verification | Every action must be traceable to a registered, verified agent identity. |
| SGP-16 | Immutable Identity | An agent's core identity (ID, registration timestamp, creator) cannot be modified after creation. |
| SGP-17 | Prohibited Action Classes | Certain action classes (data destruction in production, credential exfiltration, governance circumvention) are permanently prohibited regardless of tier or policy. |
| SGP-18 | Governance Self-Protection | No agent action may modify, disable, or degrade the governance system itself. |
| SGP-19 | Confidence Honesty | Agents must not inflate confidence scores. Detected inflation triggers immediate BLOCKED + investigation. |
| SGP-20 | Cross-Agent Isolation | One agent's governance context must not leak to or influence another agent's evaluation. |
| SGP-21 | X_ABSOLUTE | Permanent prohibition on any reasoning that attempts to remove, weaken, or circumvent governance. Semantic scan, immediate termination, autonomy reset to L0. |
WARNING
SGP-21 (X_ABSOLUTE) is the most critical principle. Any action whose reasoning contains patterns that suggest governance removal -- even if the action itself is benign -- triggers an immediate BLOCKED verdict, a Tier X violation, and an autonomy reset. This principle exists to prevent the class of attacks where an AI agent reasons its way out of its own guardrails.
Supremacy Ordering
When SGP principles conflict, the ordering is:
Book II (Human Protection) > Book III (Identity) > Book I (Operational)
Human safety always takes precedence over identity integrity, which always takes precedence over operational governance rules.
Evaluation Process
When an action enters Sentinel for evaluation, the following checks execute in order:
1. SGP Scan
The action is scanned against all 21 SGP principles. This is a hard-fail check -- if any SGP is violated, the action is immediately BLOCKED with tier X and the evaluation terminates. No further checks are needed.
Action --> SGP-1 check --> SGP-2 check --> ... --> SGP-21 check
| | |
(pass) (pass) (pass)
| | |
(fail) (fail) (fail)
| | |
v v v
BLOCKED X BLOCKED X BLOCKED X2. Tier Resolution
If the action passes the SGP scan, Sentinel resolves its tier:
- Check for agent-level tier override -- if the agent has a forced tier, use it.
- Check for action-type tier mapping -- look up the configured tier for this action type.
- Apply environment escalation -- production environments may escalate the tier (e.g., A in staging becomes B in production).
- Apply CHAM policy overrides -- policies like
environment_restrictioncan force tier escalation.
The resolved tier determines the verdict path:
| Resolved Tier | Verdict |
|---|---|
| A (Autonomous) | CLEARED -- proceed to confidence check |
| B (Supervised) | HELD -- will be placed in escrow after confidence check |
| C (Controlled) | BLOCKED -- policy-level block |
| X (Prohibited) | BLOCKED -- SGP-level block (already caught in step 1) |
3. Confidence Evaluation
For actions that resolve to Tier A or B, Sentinel evaluates the agent's reported confidence scores against configured thresholds.
Confidence is measured across three dimensions:
| Dimension | What It Measures |
|---|---|
incident | How confident the agent is in its understanding of the situation. |
fix | How confident the agent is that its proposed action will resolve the issue. |
containment | How confident the agent is that the action will not cause collateral damage. |
Each dimension is compared against the configured floor (from CHAM confidence_floor policies or the agent's own confidence_floor setting):
# Pseudocode for confidence evaluation
for dimension in ["incident", "fix", "containment"]:
if action.confidence[dimension] < policy.confidence_floor[dimension]:
# Confidence too low -- escalate tier
if resolved_tier == "A":
resolved_tier = "B" # Escalate to supervised
elif resolved_tier == "B":
resolved_tier = "C" # Escalate to blockedTIP
Confidence evaluation can escalate a tier upward (A to B, B to C) but never downward. An action classified as Tier B by its action type can never be demoted to Tier A by high confidence alone.
4. Change Window Check
For actions targeting specific environments, Sentinel checks whether the current time falls within an approved change window:
- If a
time_windowCHAM policy exists for the action's environment and the current time is outside the window, the tier is escalated. - If no
time_windowpolicy exists, this check is skipped.
5. CHAM Policy Evaluation
All loaded CHAM policies that were not already evaluated in boundary checks are evaluated here. This includes:
require_reasoning-- if the action has no reasoning field and this policy is active, BLOCKED.compliance_pack-- industry-specific rule sets that add additional checks.action_type_block-- explicit blocks on specific action types.- Any custom policy logic.
Every policy that fires (whether it changes the verdict or not) is recorded in the policies_fired array of the response.
6. Verdict Assembly
Sentinel assembles the final verdict:
{
"verdict": "CLEARED | HELD | BLOCKED",
"tier": "A | B | C | X",
"reasoning": "Human-readable explanation of why this verdict was reached",
"policies_fired": ["policy_id_1", "policy_id_2"],
"rule_violated": "SGP-17 | policy_id | null",
"confidence": {
"incident": 0.92,
"fix": 0.87,
"containment": 0.95
}
}Fail-Closed Guarantee
The fail-closed property is enforced at every level:
| Failure Scenario | Result |
|---|---|
| Sentinel process crashes | BLOCKED |
| Database unreachable | BLOCKED |
| Redis unavailable | BLOCKED |
| CHAM policy load fails | BLOCKED |
| Confidence data missing | BLOCKED (treated as 0.0 confidence) |
| Unknown action type | BLOCKED |
| Unregistered agent | BLOCKED |
| Hash chain verification fails | BLOCKED + governance alert |
| Any unhandled exception | BLOCKED |
WARNING
There is no code path through Sentinel that produces a CLEARED verdict by default. Every CLEARED verdict is the result of explicitly passing every check. This is by design -- the system is deny-by-default.
WHO_I_AM Identity Concept
Sentinel carries a cryptographic identity concept called WHO_I_AM. This is an immutable payload that is injected into every evaluation context and verified before each evaluation cycle. WHO_I_AM contains:
- The Founding Letter (the architect's intent and purpose)
- The 21 SGP directives
- The specialist identity of the Sentinel instance
If WHO_I_AM verification fails -- if the payload has been tampered with or is missing -- Sentinel refuses to evaluate and all actions are BLOCKED. This prevents a class of attacks where the governance engine itself is compromised.
Performance
Sentinel is designed for low-latency governance:
| Metric | Target |
|---|---|
| SGP scan | < 5ms |
| Tier resolution | < 2ms |
| Confidence evaluation | < 2ms |
| CHAM policy evaluation | < 10ms |
| Full pipeline (no escrow) | < 50ms |
These targets are for in-memory evaluation with policies pre-loaded. Database-bound operations (audit sealing, escrow creation) add additional latency but are asynchronous where possible.