Overview
IAGA Sentinel sits next to your AI agents and answers the one question the agent itself cannot: prove what it did, and prove the record was not altered afterward.
What it is
Agents now touch the shell, the filesystem, databases, third-party APIs, and secrets. When a regulator, an auditor, or your DPO asks you to prove what an agent did, most teams have nothing to show. IAGA Sentinel produces that proof. Every governance verdict becomes an Ed25519-signed receipt linked into a Merkle append-log, verifiable offline and bit-exact on replay, structured to line up with EU AI Act Article 12 (record-keeping) and to feed the Annex IV technical documentation a high-risk system needs.
Three things in one binary
- A kernel. Process launches go through iaga run, which consults the governance pipeline before spawning. The HTTP sidecar still works for SDK-aware agents.
- A signed log. Every governance verdict produces an Ed25519-signed receipt linked to the previous one in a Merkle append-log, per run. Replay verifies the chain bit-exact and detects policy drift.
- A reasoning brain. Optional ONNX models emit evidence, never verdicts. The deterministic policy decides; ML produces scores the policy can read.
All of it is driven by Dictum: a typed policy DSL with deterministic tree-walk evaluation and a Hindley-Milner type checker, loadable as a --policy overlay on top of the YAML profile system.
What the recent releases added
- 1.6 — a published Docker image. Run the open build with no Rust toolchain: docker run -p 4010:4010 -e IAGA_SENTINEL_OPEN_MODE=true ghcr.io/edoardobambini/iaga-sentinel:latest serve --seed-demo. Demo data is pre-seeded and the operator dashboard comes up at http://localhost:4010/.
- 1.5.6 — Dictum. The typed policy language formerly called APL is now Dictum end-to-end: .dictum files, the iaga-sentinel-dictum crate, the dictum build feature, and a dictum[…] reason on every signed receipt. The rename is behavior-preserving: the receipt wire format stays byte-identical and .apl/--apl keep working as aliases. The release also ships a self-contained “Test Me Now” demo kit.
- 1.5.4 — the policy enforces what it promised. Dictum’s secret_ref() now detects real credentials and PII inside a payload, and a new url_host() builtin gives policies a per-host egress allowlist. Every block or review carries its cause into the audit event and the signed receipt, and receipts hash-chain across a whole session into one tamper-evident Merkle chain.
- 1.5 — cost control. LLM token and dollar spend is priced locally (no external billing API), captured into the signed receipt and the audit ledger, and surfaced through /v1/cost/*, a dashboard panel, and iaga cost, with per-session budgets expressible in Dictum and a deterministic response cache. Default-off feature: the default build stays byte-identical.
- 1.4 — the integration surface. First-class adapter examples for 16 frameworks (Claude Code, Claude Agent SDK, OpenAI, OpenAI Codex, LangChain, LangGraph, CrewAI, AutoGen, LlamaIndex, MCP, Vercel AI, and more) plus a lightweight Rust client crate.
An honest posture
IAGA Sentinel enforces softly and certifies hard. The signed evidence and the replay are real and verifiable now, from a clean checkout. Authoritative kernel-level enforcement (eBPF/LSM) is not in the open build; it lives on the Enterprise roadmap, and iaga kernel status says so by reporting authoritative: no. Until that ships, the value here is the proof, not the block. We do not market enforcement we do not provide.
The proof does not depend on us. Anyone can verify a receipt chain offline against its Merkle root, with no call home and no trust in IAGA required. The evidence is cryptographic, not testimonial.
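To make the offline-verification claim above concrete, here is an added example (not IAGA Sentinel's code, and not its receipt wire format) of the mechanism the "signed log" bullet and this paragraph describe: each verdict is signed with Ed25519, hash-linked to the previous receipt, rolled up into a Merkle root, and checked later with nothing but the public key and the root. It also shows the replay step: re-running the deterministic policy over the recorded inputs and flagging receipts whose verdict no longer matches, which is what "policy drift" means here. The Receipt layout, the EgressPolicy rule (a stand-in for a Dictum url_host() allowlist), the host names and the path are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Receipt is a constructed, simplified layout for illustration only.
type Receipt struct {
	Seq             int    `json:"seq"`
	Action          string `json:"action"`  // "egress" or "read"
	Target          string `json:"target"`  // host name or path
	Verdict         string `json:"verdict"` // "allow" or "block"
	Reason          string `json:"reason"`  // cause carried into the receipt
	IsAuthoritative bool   `json:"is_authoritative"`
	Prev            string `json:"prev"` // hex SHA-256 of the previous receipt body
	Sig             string `json:"sig"`  // hex Ed25519 signature over the body
}

// body returns the canonical bytes that are hashed and signed: the receipt with
// its signature blanked, serialized in fixed struct-field order.
func body(r Receipt) []byte {
	r.Sig = ""
	b, _ := json.Marshal(r)
	return b
}

func leafHash(r Receipt) string {
	h := sha256.Sum256(body(r))
	return hex.EncodeToString(h[:])
}

// EgressPolicy is the deterministic rule: egress only to allowlisted hosts.
func EgressPolicy(allowed map[string]bool, action, target string) (string, string) {
	if action == "egress" && !allowed[target] {
		return "block", "url_host not in egress allowlist"
	}
	return "allow", "policy default"
}

// Append evaluates the policy, links the receipt to its predecessor and signs it.
func Append(priv ed25519.PrivateKey, chain []Receipt, allowed map[string]bool, action, target string) []Receipt {
	verdict, reason := EgressPolicy(allowed, action, target)
	r := Receipt{Seq: len(chain), Action: action, Target: target, Verdict: verdict, Reason: reason}
	if len(chain) > 0 {
		r.Prev = leafHash(chain[len(chain)-1])
	}
	r.Sig = hex.EncodeToString(ed25519.Sign(priv, body(r)))
	return append(chain, r)
}

// MerkleRoot hashes leaves pairwise up to one root, duplicating an odd last node.
func MerkleRoot(chain []Receipt) string {
	if len(chain) == 0 {
		return ""
	}
	var level [][]byte
	for _, r := range chain {
		h := sha256.Sum256(body(r))
		level = append(level, h[:])
	}
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		var next [][]byte
		for i := 0; i < len(level); i += 2 {
			h := sha256.Sum256(append(append([]byte{}, level[i]...), level[i+1]...))
			next = append(next, h[:])
		}
		level = next
	}
	return hex.EncodeToString(level[0])
}

// Verify checks every signature, every prev link and the root, entirely offline.
func Verify(pub ed25519.PublicKey, chain []Receipt, root string) error {
	prev := ""
	for i, r := range chain {
		sig, err := hex.DecodeString(r.Sig)
		if err != nil || !ed25519.Verify(pub, body(r), sig) {
			return fmt.Errorf("receipt %d: bad signature", i)
		}
		if r.Prev != prev {
			return fmt.Errorf("receipt %d: chain link broken", i)
		}
		prev = leafHash(r)
	}
	if MerkleRoot(chain) != root {
		return errors.New("merkle root mismatch")
	}
	return nil
}

// Replay re-evaluates the policy over recorded inputs; returns seqs that drifted.
func Replay(chain []Receipt, allowed map[string]bool) []int {
	var drift []int
	for _, r := range chain {
		if v, _ := EgressPolicy(allowed, r.Action, r.Target); v != r.Verdict {
			drift = append(drift, r.Seq)
		}
	}
	return drift
}

// BuildDemoChain records three constructed actions and returns what a verifier needs.
func BuildDemoChain() (ed25519.PublicKey, []Receipt, string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	allowed := map[string]bool{"api.example.com": true} // constructed allowlist
	var chain []Receipt
	chain = Append(priv, chain, allowed, "egress", "api.example.com")
	chain = Append(priv, chain, allowed, "egress", "files.example.net")
	chain = Append(priv, chain, allowed, "read", "/etc/hostname")
	return pub, chain, MerkleRoot(chain)
}

func main() {
	pub, chain, root := BuildDemoChain()
	fmt.Println("verify:", Verify(pub, chain, root))
	chain[1].Verdict = "allow" // post-hoc edit of the record
	fmt.Println("after tampering:", Verify(pub, chain, root))
	fmt.Println("drift under a widened allowlist:", Replay(chain, map[string]bool{"api.example.com": true, "files.example.net": true}))
}
```

The two failure modes a verifier cares about are separated on purpose: editing a verdict breaks the Ed25519 signature over that receipt, while dropping or reordering a receipt breaks the prev link and the root, so neither kind of after-the-fact change survives a replay that holds only the public key and the expected root.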
What makes it different
- Proof, not testimony. Ed25519 + Merkle receipts, verifiable offline against a root, with no call home.
- Honest posture. Soft enforcement is stated in the evidence itself (is_authoritative: false); iaga kernel status reports authoritative: no. We do not market enforcement we do not provide.
- Sovereign by construction. Runs air-gapped; BUSL-1.1 converts to Apache-2.0; the evidence stays in your hands, with no CLOUD Act exposure.
- EU AI Act-shaped. The receipt lines up with Article 12 logging and feeds the Annex IV technical documentation a high-risk system needs by 2 August 2026.
Where to go next
- How it works: receipts, the Merkle log, and offline verification.
- EU AI Act mapping: Article 12 and Annex IV, obligation by obligation.
- Quickstart: three commands to a signed, offline-verifiable verdict.
- Tutorial: from zero to verified evidence, in 16 parts, including troubleshooting.
- Reference: Cargo features, the CLI, environment variables, and the HTTP surface.
- The source is on GitHub, source-available under BUSL-1.1.
