How it works · mechanism, not metaphor

Sentinel is a federated daemon.
The kernel is its brain.

Sentinel watches eight surfaces, seals every finding to Atlas, runs it through a 10-stage deterministic pipeline, and emits a bounded set of governed options. Every option carries its own verification predicate, the autonomy level it is allowed to execute at, and the explicit reasons higher-risk alternatives were rejected. None of it is LLM judgment. All of it is replayable.

Specaria.daemon.capability_passport.v1 Pipeline10 stages · Tadabbur-12 · Qiyas-15 Source~/.aria/atlas/src/{kernel,sentinel}/
11.1 · Federated daemon

Sentinel is not a scanner. It is a federated daemon.

A scanner runs, prints findings, exits. Sentinel runs as a daemon, registers with the Aria runtime, and emits every finding through a sealed protocol — capability passport, shared event grammar, kernel compilation, autonomy cap, verification predicate. The protocol is what makes the output trustworthy to a senior engineer.

01 · auth
Capability passport
src/sentinel/capability-passport.mjs
02 · emit
Shared event grammar
src/sentinel/event-grammar.mjs
03 · compile
Cognitive kernel
src/kernel/deterministic-cognitive-kernel.mjs
04 · option
Compiled option set
src/sentinel/work-emitter.mjs
05 · cap
Autonomy ladder
passport.risk_budget
06 · verify
Verification predicate
src/sentinel/exec.mjs
07 · learn
Learning signal
lesson.recorded · ledger

The capability passport, before any tool runs.

Sentinel registers with the Aria runtime by emitting a aria.daemon.capability_passport.v1. The passport is a hashed object that declares — and structurally constrains — exactly what Sentinel is allowed to do, what it is prohibited from doing, and the autonomy cap it ships under.

The defaults are conservative. max_autonomy_level: 2 on every install. Higher rungs require explicit allowlist, tests, and readback — never granted by default, never assumed. Reputation (true-positive rate, verification success, rollback incidents) earns the right to raise the cap.

The passport is the trust artifact a CTO can defend. No other autonomous-fix product exposes one.

Schema  aria.daemon.capability_passport.v1
Source  ~/.aria/atlas/src/sentinel/capability-passport.mjs
Hashed in  every event · authority.passport_hash
capability-passport.mjs · SENTINEL_CAPABILITY_PASSPORT sha256:c4d97e02… 
// const SENTINEL_CAPABILITY_PASSPORT = Object.freeze({
  schema: 'aria.daemon.capability_passport.v1',
  daemon_id: 'atlas-sentinel',
  product_surface: 'sentinel',

  capabilities: [
    'runtime_health_scan', 'k8s_health_scan',
    'systemd_health_scan', 'cli_state_scan',
    'repo_state_scan', 'codebase_pattern_scan',
    'finding_rank', 'fix_proposal_route',
  ],

  authority_scope: [
    'read_runtime_state', 'read_repo_state',
    'write_sentinel_findings', 'write_hive_events',
    'request_aria_task_work', 'propose_repairs',
  ],

  prohibited_authority: [
    'execute_production_repair_without_scoped_authority',
    'declare_launch_readiness',
    'close_cross_daemon_blocker_without_verification',
    'mutate_doctrine_without_owner_approval',
    'push_or_deploy_without_explicit_boundary',
  ],

  max_autonomy_level: 2,
  autonomy_ladder: {
    1: 'observe_and_explain',
    2: 'propose_repair_with_verification',
    3: 'apply_in_safe_workspace_with_tests',
    4: 'execute_allowlisted_repair_with_readback',
  },

  required_proofs: [
    'evidence_anchor',
    'deterministic_kernel_compilation',
    'verification_predicate',
    'hive_event_id',
    'aria_task_route_or_explicit_non_route_reason',
  ],

  risk_budget: {
    default_autonomy_level: 2,
    live_runtime_cap: 2,
    code_without_tests_cap: 2,
    branch_with_tests_cap: 3,
    allowlisted_non_production_cap: 4,
  },
// });

Autonomy ladder · default cap L2.

The autonomy level a finding is allowed to execute at is set in the passport before the cycle runs, capped per risk class. Sentinel cannot raise its own cap. A customer raises a class explicitly with allowlist + tests, or it stays at proposal-level forever.

L1 · observe
Observe & explain
Detects, ranks, explains the finding. Zero state change. Default on every new finding class until reputation is earned.
L2 · propose
Propose repair with verification
Emits repair.proposed with the full fix payload AND the verification predicate that would prove it worked. No execution.
default cap on launch
L3 · apply
Apply in safe workspace with tests
Applies the fix in a branch or safe workspace where tests exist, runs verification, stops before merge or deploy.
requires allowlist + tests
L4 · execute
Execute allowlisted repair with readback
Executes the repair on live runtime — only on a customer-defined allowlist, with mandatory readback verification.
requires explicit boundary

Shared event grammar · nine events, one schema.

Every Sentinel output flows through nine standard events with a fixed schema (aria.shared_daemon_event.v1). Multiple daemons (Sentinel today, the Repo-State Organizer next, future product daemons) emit the same event types — Hive gets one canonical stream.

observation.created
Raw watcher signal, pre-finding.
finding.created
Confirmed finding with evidence anchor.
option.compiled
Kernel returned a CompiledOption.
repair.proposed
Fix payload + verification predicate, awaiting decision.
task.requested
Routed into the Aria Task ledger.
verification.completed
Predicate ran. Expected vs observed captured.
lesson.recorded
Learning signal written. Updates a rule, weight, fixture, or template.
blocker.opened
Cannot proceed. Explicit boundary recorded.
blocker.closed
Boundary resolved.
11.2 · The kernel

10 stages. 12 contemplations.
15 perspectives. One option set.

Every kernel pass runs the same ten stages in order. Tadabbur and Qiyas are not paragraphs the model writes after deciding — they are deterministic passes that mutate or reject options before any option is released. Cognition is mechanism, not ceremony.

The force-to-action contract
LLMs should not be trusted to invent the action space. The kernel compiles the action space mechanically from evidence, axioms, domain topology, runtime state, owner policy, and verification predicates. The LLM then improves language, analysis, tradeoff explanation, and implementation quality — only inside that bounded space.

The 10-stage pipeline.

Each stage's output is hashed and recorded. The full pipeline run is deterministic: same observation + same evidence + same policy produces the same option set with the same rejection reasons. That is what makes a Sentinel finding replayable.

01
Observe
Ingest facts from Atlas, Sentinel, Hive, task runner, runtime probes, files, services, tests, logs, owner corrections.
02
Bind
Attach evidence hashes, source trust labels, freshness timestamps, ownership pointers, blast radius estimates, uncertainty markers.
03
Classify
Determine domain, action class, resource class, environment, reversibility, authority requirement, likely failure mode.
04
Constrain
Apply axioms, owner policy, safety boundaries, doctrine, compliance, runtime contracts as executable constraints.
05
Compile
Generate a stable option set; each option includes expected result, evidence required, allowed autonomy level, verification predicate, rejection reasons for higher-risk alternatives, learning target.
06
Adjudicate
Deterministically rank by usefulness, evidence strength, reversibility, urgency, user burden, downstream risk.
07
Render
Present the option set in the right shape for the surface — CLI text, UI card, agent prompt, task ledger row.
08
Execute or defer
Execute only when the option permits and authority is present; otherwise emit a proposal, branch action, or owner decision.
09
Verify
Check expected vs observed with real evidence. No readiness or repair claim bypasses verification.
10
Learn
Feed outcome — success, false positive, owner correction, rollback — back into Atlas / Hive so future compilations improve.
Pre-rank consequence pass

Tadabbur · 12 stages

deterministic · runs before option ranking · can mutate or reject
  1. embeddefine the exact object under reflection
  2. excavateseparate surface request from deeper intent
  3. root_tracetrace causal origin and mechanism
  4. multi_lensevaluate affected parties and systems
  5. patternidentify recurrence, symmetry, drift shape
  6. consequenceproject 1st, 2nd, 3rd-order effects
  7. dwellinghold unresolved risk; do not collapse early
  8. collapsename the most defensible synthesis
  9. principleextract a reusable rule
  10. inversionname what would make the action fail
  11. personalbind operator or user responsibility
  12. voicerender in the right register for the surface
Each stage must output one of: constraint_added, option_changed, option_rejected, verification_added, learning_signal_added, uncertainty_recorded. If all 12 stages produce no mutation, the pass is marked invalid and the kernel refuses to release the option set.
Post-compile adjudication pass

Qiyas · 15 perspectives

deterministic · stress-tests the compiled option set
  1. owner_now
  2. owner_future
  3. operator_client
  4. investor_or_buyer
  5. llm_consumer
  6. human_end_user
  7. skeptic
  8. compliance
  9. engineering_quality
  10. cognitive_load
  11. scale
  12. islamic_scholar
  13. clinical_scholar
  14. red_team_attacker
  15. future_self
Each perspective returns one of: accept, downgrade, reject, or requires_evidence — with a reason, a changed field if any, the required evidence if any, and the learning implication. No requires_evidence verdict survives silently — every one becomes a verification predicate, an owner decision, or an explicit unverified boundary.

The compiled option · the kernel's product primitive.

Everything the kernel emits is a CompiledOption. Sentinel's findings, the task runner's work items, future products' actions — same object, same fields, same rules. Verification is built in. The rejected alternatives are written down.

kernel · option.compiled finding SEN-2026-05-17-031 · pass hash sha256:a116b221b053… 
CompiledOption {
  id                    opt.repair.compound_app_risk.001
  action_class          propose_repair
  target                atlas:/codebase/vibe-app/server.js
  expected_result       eval() removed · cors locked · child_process arg-array

  evidence_required [
    atlas_dossier(server.js),
    co_occurrence(dangerous_dynamic_execution, possible_command_injection),
    verified_owner_policy(no-eval-in-prod),
  ]

  allowed_autonomy      2   // from passport.risk_budget.code_without_tests_cap

  verification_predicate {
    syntax     node --check server.js     // passed
    rescan     sentinel composite count: 1 → 0
    policy     no eval() in package
  }

  rejected_alternatives [
    { id: opt.repair.compound_app_risk.002,
      reason: 'apply directly to live runtime — autonomy cap is L2' },
    { id: opt.repair.compound_app_risk.003,
      reason: 'patch eval-only — leaves command-injection unfixed (composite)' },
  ]

  learning_target       substrate-composite/vibe-app fixture · weight +0.04
  compilation_hash      sha256:a116b221b053a8d4f9c7e02fc4d97
}
11.3 · Why this matters now

More code written by LLMs.
Less code reviewed by senior humans.

The center of gravity in software has moved. Most teams shipping today have a coding agent in the loop on every PR. Many teams ship code paths whose first reviewer was the LLM that wrote them. The work has scaled. The review has not.

The new failure modes are not the old ones. Hallucinated APIs. Drifted deploys. Composite security regressions across four files that each looked harmless. False-done claims from an agent that thinks "tests passed" means "shipped correctly." Vibe-coded paths that look right because the pattern looks right, but the pattern itself was wrong.

Linters didn't predict this. Type systems didn't predict this. The governance layer your CTO is being asked about does not exist yet. Aria Sentinel + Atlas + the kernel is what we think it should be: deterministic infrastructure that bounds what a coding agent can do, anchored to a live graph of what the codebase actually is, replayable down to the compilation hash.

LLM-written code · share of new commitsillustrative

2022 — 2026 · rolling 30d · large-codebase median
80% 40% 0% 2022 2024 2026
x · time (years) y · % of new commits authored by agent

Manual review per LOC · senior-human minutesillustrative

2022 — 2026 · same teams, normalized
high mid low 2022 2024 2026
x · time (years) y · senior-human review minutes per kLOC

Install Sentinel. Read your own ledger.

Sixty seconds on a clean machine. BYOK. The kernel runs locally on port 4319; the harness daemon on 8790. Your code never leaves your laptop.

Install (60 sec) → Open the ledger