git.agentic
Full security layer built · open-source launch prep Apache 2.0 TypeScript

Agents run npm install and execute code nobody read.

Sentinel is a transparent auditing proxy in front of registry.npmjs.org: it serves real packages unchanged, but intercepts every tarball, scores it with a deterministic audit engine, and attaches a verdict — so an agent or a human sees the risk before install-time code runs.

npm can't retract bad releases, has no install-time permissions, and lets attackers squat names. The event-stream pattern — a clean package ships a trojaned patch release — still works today, and agents install with zero risk signaling.

The demo

A previously-clean package ships a patch release with a postinstall that harvests secrets. Sentinel's verdict, and what npm install sees when it fetches the bad tarball:

$ sentinel audit color-stream 1.4.1

  color-stream@1.4.1
  ────────────────────────────────────────────────────────
  install    ⚠ runs lifecycle scripts
  score      ░░░░░░░░░░ 0/100
  verdict    BLOCK
  findings (7)
  critical [install-scripts] postinstall reads environment variables,
                              decodes an encoded blob
  critical [secret-exfil]    reads sensitive material (~/.npmrc, AWS
                              credentials) with a network egress sink
  high     [network-egress]  connects to a hardcoded IP address
  high     [obfuscation]     uses eval()

$ npm install --registry http://localhost:4873 color-stream
  HTTP 403  x-sentinel-verdict: block  x-sentinel-score: 0

# and a clean package passes untouched
$ sentinel audit is-odd 3.0.1
  is-odd@3.0.1  → score 100/100  ALLOW  (signed, no install scripts)

How it works

Status

What started as the audit-proxy wedge has grown into the full layer (July 2026): signed per-enterprise policy and install-time permission manifests, a deny-by-default capability sandbox, offline signature and Sigstore-provenance verification, known-malicious (GHSA) and CVE-range detection, supply-chain identity and release-anomaly heuristics, whole-tree lockfile auditing with SBOMs and signed attestations, a CI-native GitHub Action, an agent-native MCP server, durable observability, and a hardened network trust boundary. Current work is open-source launch prep; the long arc is policy and install-time permissions for the whole ecosystem.

Docs: README · Architecture · ADRs