How it works
Deterministic policy decides. ML only produces evidence. The verdict stays reproducible, and the record is signed, chained, and verifiable offline.
Deterministic policy decides
Every allow, review, or block decision is made by Dictum, a typed policy DSL with deterministic tree-walk evaluation and a Hindley-Milner type checker. Machine-learning models produce scores the policy can read, never the decision. Models are pinned by digest and re-read from the receipt on replay, not re-run. That is what makes a run non-repudiable, the property a regulator actually requires.
Dictum builtins act on the real payload: secret_ref() detects credentials and PII, and url_host() enforces a per-host egress allowlist. Every block or review records its cause in the signed receipt, and receipts hash-chain across a whole session into one tamper-evident Merkle chain.
# type-check a policy (always available)
iaga policy check no_pii_egress.dictum
# load a Dictum bundle as a live overlay on top of the YAML profile
iaga serve --policy strict.dictum
Every verdict is signed and chained
Each verdict becomes an Ed25519-signed receipt linked to the previous one in a Merkle append-log, per run. Replay re-checks the chain bit-exact and surfaces policy drift. The signer is a pluggable trait, so you can bring your own key (BYOK) from a file or a KMS-mounted path.
# list runs, then replay one
iaga replay --list
iaga replay <run_id>
# verify signatures + Merkle links only
iaga replay <run_id> --verify-only
Anyone verifies it offline
Export a run, then verify it with the standalone iaga-verify binary. It has no database, no server, and makes no call home. It checks the Ed25519 signatures and the Merkle chain against one public key. It is the artifact you hand an auditor.
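What that offline check amounts to, as an added Go example rather than IAGA's own code: a simplified Ed25519-signed, hash-chained receipt log and a verifier that needs nothing but the public key. The Receipt fields, the canonical byte layout and the chain-link hash are assumptions, since the real receipt format is not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Receipt is a constructed stand-in for one signed verdict; the real IAGA receipt
// schema is not on the page, so this field set is an assumption.
type Receipt struct {
	Verdict string // allow, review or block
	Cause   string // rule or builtin that fired, e.g. secret_ref()
	Prev    string // hex SHA-256 link to the previous receipt ("" for the first)
	Sig     []byte // Ed25519 signature over canonical()
}

// canonical is the byte string that is hashed and signed; %q quoting keeps field boundaries unambiguous.
func (r Receipt) canonical() []byte { return []byte(fmt.Sprintf("%q|%q|%s", r.Verdict, r.Cause, r.Prev)) }

// link is what the next receipt commits to: this receipt's content and its signature.
func link(r Receipt) string {
	h := sha256.Sum256(append(r.canonical(), r.Sig...))
	return hex.EncodeToString(h[:])
}

// Append signs a new receipt and chains it to the tail of the log.
func Append(log []Receipt, priv ed25519.PrivateKey, verdict, cause string) []Receipt {
	r := Receipt{Verdict: verdict, Cause: cause}
	if len(log) > 0 {
		r.Prev = link(log[len(log)-1])
	}
	r.Sig = ed25519.Sign(priv, r.canonical())
	return append(log, r)
}

// Verify is the offline check: with only the public key it rejects edited receipts,
// signatures made with another key, and entries dropped, inserted or reordered before the tail.
func Verify(log []Receipt, pub ed25519.PublicKey) error {
	want := "" // expected Prev; empty for the first receipt
	for i, r := range log {
		if !ed25519.Verify(pub, r.canonical(), r.Sig) {
			return fmt.Errorf("receipt %d: bad signature", i)
		}
		if r.Prev != want {
			return fmt.Errorf("receipt %d: broken chain link", i)
		}
		want = link(r)
	}
	return nil
}
```

Dropping receipts from the end of the log is the one edit a bare chain cannot detect on its own; the verifier also needs the expected head hash or receipt count from an independent record.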
# export a run, then verify it anywhere, fully offline
iaga replay <run_id> --export run.json
iaga-verify run.json --key <hex>
It is a layer, not a replacement
IAGA Sentinel records signed evidence next to the agent stack you already run. Point any SDK at the HTTP sidecar (POST /v1/inspect), or run the MCP proxy to sign every tool call. Whatever routes or enforces underneath, the evidence layer goes on top of it. Signed receipts can also flow into your OpenTelemetry stack as spans.
