Sentinel is a real-time safety gateway for autonomous agents. It sits between agent intent and action execution, scores risk with an LLM-powered policy layer, and enforces human-in-the-loop approval over voice for high-risk operations.
This repository demonstrates a practical pattern for safe autonomous execution across three operational domains:
- VaultKeeper (FinOps): payments and invoice actions
- PrivacyShield (Data): export/share access to sensitive data
- OpsGuard (Infrastructure): destructive and high-blast-radius operations
When an action looks risky, Sentinel blocks execution, calls an admin via Telnyx, and supports DTMF and conversational Q&A before approval/decline.
Autonomous agents can initiate meaningful business actions quickly, but they also introduce new failure modes:
- approving fraudulent invoices
- exporting sensitive data without context
- running destructive infrastructure commands
Sentinel addresses this by adding a dedicated risk control plane:
- Agent submits intent (`action`, `payload`, `reasoning`).
- Sentinel analyzes risk and applies hard rules/policies.
- Low-risk actions auto-approve.
- Medium/high-risk actions require voice authentication.
- Final decision is observable in UI, logs, and monitoring traces.
The goal is not just blocking; it is controlled autonomy with auditable reasoning.
```
Sentinel/
├─ agent/
│  └─ agent.py
├─ backend/
│  ├─ main.py
│  ├─ policy.py
│  ├─ requirements.txt
│  └─ .env
├─ frontend-new/
│  ├─ src/
│  │  ├─ pages/Index.tsx
│  │  └─ components/*.tsx
│  └─ package.json
└─ README.md
```
### agent/
- Simulated AGI-style agent client.
- Sends a high-risk `PAY_INVOICE` action to Sentinel.
- Polls backend status until approved or declined.

### backend/
- FastAPI service implementing:
  - risk analysis with Groq
  - hard policy overrides
  - action state machine
  - Telnyx voice workflow/webhook handling
  - Sentry tracing/tags

### frontend-new/
- React + Vite dashboard that visualizes:
  - module triggers
  - risk score/status progression
  - terminal-like event feed
  - Telnyx voice auth state
  - monitoring panel (Sentry-oriented UI)
Sentinel acts as a policy firewall in front of autonomous systems:
- It does not trust agent confidence alone.
- It combines LLM judgment with deterministic policy.
- It escalates to a human exactly when risk crosses threshold.
- It records enough context to support operator decisions.
This model is portable across finance, data, and operations workflows.
- A module trigger (frontend button or `agent.py`) sends `POST /api/sentinel/execute`.
- Backend sets status to `ANALYZING`.
- Groq generates:
  - `risk_score` (0-100)
  - short explanation (`analysis`)
- Sentinel applies deterministic module rules:
  - e.g. PII export restrictions, hard block on `DROP_TABLE`
- Sentinel applies demo bucketing for predictable scenarios.
- Decision:
  - `risk_score <= 50` -> auto-approve (`APPROVED`)
  - `risk_score > 50` -> `BLOCKED_AWAITING_AUTH` + Telnyx outbound call
- Admin interaction:
  - DTMF `1`: approve
  - DTMF `2`: enter Q&A mode
  - speech Q&A: asks questions, receives Groq explanations, then approves/declines verbally
- Final state is reflected via:
  - `GET /api/sentinel/status`
  - frontend status/log components
  - optional Sentry instrumentation
### VaultKeeper (FinOps)
- Primary action: `PAY_INVOICE`
- Demo high-risk case: `$10,000` to `"Unknown Corp"` from a `session_*` agent -> high-risk + voice auth
- Low-risk examples: small payments to trusted vendors

### PrivacyShield (Data)
- Actions: `EXPORT_CSV`, `SHARE_RECORD`, `QUERY_SSN`
- Escalates when:
  - record volume is significant
  - payload includes PII/SSN indicators
- Demonstrates exfiltration-aware policy behavior

### OpsGuard (Infrastructure)
- Actions include: `DELETE_USER`, `DROP_TABLE`, `RESTART_SERVER`
- `DROP_TABLE` is hard-blocked (declined immediately)
- Production-impact user deletion escalates
- Non-production restarts are treated as lower-risk
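The execution flow and the module rules above describe two layers: an LLM score that is advisory, and deterministic rules that can override it. The following Python is an added example of how those layers compose; it is not the repository's `policy.py`. It assumes payload fields (`amount`, `vendor`, `record_count`, `environment`), PII key names, and the floor values 80/60/70 for the escalating rules, and it replaces the Groq call with a constructed offline heuristic (`stand_in_scorer`) so it runs without credentials. The security property it encodes is that rules can only raise risk or force `DECLINED`, never lower a score, so a lenient model judgement cannot unlock a hard-blocked or PII-bearing action.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

AUTO_APPROVE_MAX = 50                    # README: risk_score <= 50 auto-approves
HARD_BLOCKED_ACTIONS = {"DROP_TABLE"}    # README: declined immediately, no call
DATA_ACTIONS = {"EXPORT_CSV", "SHARE_RECORD", "QUERY_SSN"}
PII_KEYS = {"ssn", "social_security_number", "dob"}   # assumed payload keys
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # SSN-shaped values
LARGE_EXPORT_ROWS = 1000                               # assumed volume threshold


@dataclass
class Intent:
    """Shape of the POST /api/sentinel/execute request body."""
    agent_id: str
    action: str
    payload: dict
    reasoning: str = ""


@dataclass
class Decision:
    status: str               # EXECUTED | BLOCKED_AWAITING_AUTH | DECLINED
    risk_score: int
    analysis: str
    rules_fired: list[str] = field(default_factory=list)


def contains_pii(payload: dict) -> bool:
    """True if any key is PII-flagged or any string value is SSN-shaped."""
    for key, value in payload.items():
        if key.lower() in PII_KEYS:
            return True
        if isinstance(value, str) and SSN_PATTERN.search(value):
            return True
        if isinstance(value, dict) and contains_pii(value):
            return True
    return False


def hard_rules(intent: Intent) -> tuple[Optional[str], int, list[str]]:
    """Deterministic module rules. They may force DECLINED or raise the risk
    floor but never lower risk, so a lenient LLM score cannot unlock them.
    Returns (forced_status, minimum_score, rules_fired)."""
    p, fired, floor = intent.payload, [], 0
    if intent.action in HARD_BLOCKED_ACTIONS:
        return "DECLINED", 100, [f"hard_block:{intent.action}"]
    if intent.action in DATA_ACTIONS:
        if contains_pii(p):
            fired.append("pii_in_payload")
            floor = max(floor, 80)
        if int(p.get("record_count", 0)) >= LARGE_EXPORT_ROWS:
            fired.append("large_export")
            floor = max(floor, 60)
    if intent.action == "DELETE_USER" and p.get("environment") == "production":
        fired.append("production_user_deletion")
        floor = max(floor, 70)
    return None, floor, fired


def stand_in_scorer(intent: Intent) -> tuple[int, str]:
    """Offline stand-in for the Groq call (constructed heuristics, not the
    model). Returns (risk_score 0-100, analysis) like the real layer would."""
    p = intent.payload
    if intent.action == "PAY_INVOICE":
        amount, vendor = float(p.get("amount", 0)), str(p.get("vendor", ""))
        unfamiliar = "unknown" in vendor.lower() or intent.agent_id.startswith("session_")
        if amount >= 10_000 or unfamiliar:
            return 85, f"Large or unfamiliar payment of {amount:.2f} to {vendor!r}"
        return 20, f"Routine payment of {amount:.2f} to {vendor!r}"
    if intent.action == "RESTART_SERVER" and p.get("environment") != "production":
        return 15, "Non-production restart"
    return 40, f"No strong signal for {intent.action}"


def decide(intent: Intent,
           scorer: Callable[[Intent], tuple[int, str]] = stand_in_scorer) -> Decision:
    """Layer hard rules over the LLM score, then bucket into a status."""
    forced, floor, fired = hard_rules(intent)
    if forced == "DECLINED":
        return Decision("DECLINED", 100, "Hard policy block", fired)
    llm_score, analysis = scorer(intent)
    score = max(0, min(100, max(int(llm_score), floor)))   # rules only raise risk
    if fired:
        analysis += " | rules: " + ", ".join(fired)
    status = "EXECUTED" if score <= AUTO_APPROVE_MAX else "BLOCKED_AWAITING_AUTH"
    return Decision(status, score, analysis, fired)


if __name__ == "__main__":
    demo = Intent("session_42", "PAY_INVOICE",
                  {"amount": 10000, "vendor": "Unknown Corp"}, "pay overdue invoice")
    print(decide(demo))
```

To plug in the real model, pass a `scorer` that calls Groq and returns `(risk_score, analysis)`; the `hard_rules` layer stays in front of it regardless of what the model answers.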
Base URL (local): http://localhost:8000
### POST /api/sentinel/execute
Submits an agent action for analysis.
Request shape:
```json
{
  "agent_id": "string",
  "action": "string",
  "payload": {},
  "reasoning": "string"
}
```
Possible response statuses:
- `EXECUTED` (auto-approved path)
- `BLOCKED_AWAITING_AUTH` (requires Telnyx approval)
- `DECLINED` (hard block)
- `ERROR_TELNYX` (auth channel failure)

### GET /api/sentinel/status
Returns global runtime state:
- current status
- risk score
- latest analysis
- latest DTMF/question/answer artifacts

### Telnyx webhook endpoint
Receives Telnyx events:
- `call.answered`
- `call.dtmf.received`
- `call.gather.ended`
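The three webhook events above drive the approval state machine (menu, DTMF choice, spoken Q&A). The Python below is an added example of strict event parsing and the resulting transitions; it is not the repository's `main.py`. The `{"data": {"id", "event_type", "occurred_at", "payload"}}` envelope follows Telnyx's webhook format, but the `digit` field on DTMF events and the `speech_text` field on gather events are assumed names, as is the five-minute freshness window. It rejects duplicate event ids and stale events (the idempotency and replay protection the production checklist calls for) and refuses transitions out of a final state, so a late or repeated `1` cannot re-approve a decided action. Signature verification of the raw request body would run before `parse_event` and is out of scope here.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

EVENT_MAX_AGE = timedelta(minutes=5)     # assumed replay window
APPROVE_WORDS = ("approve", "go ahead")
DECLINE_WORDS = ("decline", "reject", "cancel")


@dataclass
class ApprovalSession:
    """Per-action state that lives in CURRENT_STATE (or a datastore later)."""
    action: str
    analysis: str
    status: str = "BLOCKED_AWAITING_AUTH"
    mode: str = "IDLE"                       # IDLE | MENU | QA
    transcript: list[str] = field(default_factory=list)
    seen_event_ids: set[str] = field(default_factory=set)


def parse_event(raw: bytes) -> dict:
    """Unwrap the Telnyx {"data": {...}} envelope; fail closed on anything missing."""
    body = json.loads(raw)
    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        raise ValueError("missing data envelope")
    for key in ("id", "event_type", "occurred_at", "payload"):
        if key not in data:
            raise ValueError(f"event lacks {key!r}")
    if not isinstance(data["payload"], dict):
        raise ValueError("payload must be an object")
    return data


def is_replay(session: ApprovalSession, data: dict, now: Optional[datetime] = None) -> bool:
    """Reject duplicate event ids and events outside the freshness window."""
    now = now or datetime.now(timezone.utc)
    occurred = datetime.fromisoformat(data["occurred_at"].replace("Z", "+00:00"))
    if data["id"] in session.seen_event_ids or abs(now - occurred) > EVENT_MAX_AGE:
        return True
    session.seen_event_ids.add(data["id"])
    return False


def handle_event(session: ApprovalSession, data: dict, now: Optional[datetime] = None) -> str:
    """Advance the approval state machine; returns the server-side action taken."""
    if session.status != "BLOCKED_AWAITING_AUTH":
        return "ignored:final"               # no transitions out of a final state
    if is_replay(session, data, now):
        return "rejected:replay"
    kind, p = data["event_type"], data["payload"]
    if kind == "call.answered":
        session.mode = "MENU"
        return "speak:menu"                  # "press 1 to approve, 2 for questions"
    if kind == "call.dtmf.received" and session.mode == "MENU":
        digit = str(p.get("digit", ""))      # field name assumed
        if digit == "1":
            session.status = "APPROVED"
            return "approved:dtmf"
        if digit == "2":
            session.mode = "QA"
            return "speak:qa_prompt"
        return "speak:menu"                  # unrecognised digit: re-prompt
    if kind == "call.gather.ended" and session.mode == "QA":
        text = str(p.get("speech_text", "")).strip().lower()   # field name assumed
        session.transcript.append(text)
        if any(w in text for w in DECLINE_WORDS):
            session.status = "DECLINED"
            return "declined:speech"
        if any(w in text for w in APPROVE_WORDS):
            session.status = "APPROVED"
            return "approved:speech"
        return "speak:answer"                # Groq would answer from session.analysis
    return "ignored:" + kind


def event(event_id: str, kind: str, occurred_at: str, **payload) -> bytes:
    """Build a constructed Telnyx-shaped webhook body (sample data, not captured traffic)."""
    return json.dumps({"data": {"id": event_id, "event_type": kind, "occurred_at": occurred_at,
                                "payload": payload, "record_type": "event"}}).encode()


def run_demo() -> tuple[str, list[str]]:
    """Replay a constructed call: answer, press 2, ask a question, approve by voice."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    ts = now.isoformat().replace("+00:00", "Z")
    session = ApprovalSession("PAY_INVOICE", "Large payment to an unfamiliar vendor")
    events = [
        event("evt-1", "call.answered", ts),
        event("evt-2", "call.dtmf.received", ts, digit="2"),
        event("evt-3", "call.gather.ended", ts, speech_text="Why is this flagged?"),
        event("evt-3", "call.gather.ended", ts, speech_text="approve"),   # duplicate id
        event("evt-4", "call.gather.ended", ts, speech_text="Okay, approve it."),
        event("evt-5", "call.dtmf.received", ts, digit="1"),              # after final state
    ]
    outcomes = [handle_event(session, parse_event(e), now) for e in events]
    return session.status, outcomes


if __name__ == "__main__":
    print(run_demo())
```

Keeping `seen_event_ids` and `status` per action rather than in one global dict is what makes the replay check meaningful once more than one approval is in flight; in the single-process demo both can live in `CURRENT_STATE`.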
- Python
- FastAPI
- Uvicorn
- Pydantic
- Groq API (Llama 3.3 model invocation)
- Telnyx Voice API
- Sentry SDK
- React + TypeScript
- Vite
- Tailwind CSS
- shadcn-ui / Radix primitives
- Axios
- Python 3.10+
- Node.js 18+
- npm
- Groq account/API key
- Telnyx account/API key and voice connection
- (Optional) Sentry project DSN
Create/update `backend/.env` and `agent/.env`.
Backend expected variables:
- `TELNYX_API_KEY`
- `TELNYX_PHONE_NUMBER`
- `ADMIN_PHONE_NUMBER`
- `TELNYX_CONNECTION_ID` (optional in code, has default)
- `GROQ_API_KEY`
Agent expected variables:
- `AGI_API_KEY`
From `backend/`:
```bash
pip install -r requirements.txt
uvicorn main:app --reload --port 8000
```
From `frontend-new/`:
```bash
npm install
npm run dev
```
Default Vite URL is typically http://localhost:5173.
From `agent/`:
```bash
pip install requests python-dotenv
python agent.py
```
The agent will submit a high-risk invoice scenario and wait for approval status updates.
- Start backend and frontend.
- Open frontend dashboard.
- Trigger one of:
  - `PAY_INVOICE` (High Risk)
  - `EXPORT_CSV` (Medium Risk)
  - `DELETE_USER` (Medium Risk)
- Watch Sentinel state move through monitoring/analyzing/blocked or approved.
- If blocked, answer Telnyx call:
  - press `1` to approve
  - press `2` for spoken Q&A mode
- Confirm terminal feed + shield status + risk card update.
- (Optional) run `agent.py` for session-based AGI demo path.
- Global in-memory state: `CURRENT_STATE` is process-local and not persistent.
- Single-process demo assumptions: concurrent multi-tenant usage is not modeled yet.
- Policy layering: combines LLM analysis with hard deterministic safeguards.
- Human-in-the-loop: high-risk path requires explicit approval channel.
- Observability hooks: Sentry transactions/tags are integrated in execution flow.
If you evolve this into production, prioritize:
- Replace global state with durable store (Redis/Postgres/event log).
- Add authn/authz for all API endpoints.
- Validate and sign webhook requests (Telnyx signature verification).
- Move all secrets to secure secret manager.
- Remove hardcoded DSN values from source.
- Add idempotency and replay protection for action execution.
- Add structured audit logging (who approved, channel, time, reason).
- Add robust retry and timeout policies for external APIs.
- Add test suites for:
  - policy edge-cases
  - webhook event parsing
  - approval/decline state transitions
- Demo-first risk bucketing intentionally constrains scenarios.
- Some frontend monitoring widgets are illustrative, not live-linked.
- No database persistence for incidents, approvals, or replay history.
- Webhook flow behavior may vary with Telnyx account capabilities (speech gather settings).
- Persist action lifecycle to a datastore and add incident timeline UI.
- Introduce policy versioning and per-module policy packs.
- Add role-based and risk-tiered approval routing.
- Add Slack/Teams fallback when voice call is not answered.
- Add simulation harness for regression testing of risk policies.
No license file is currently included in this repository. Add one before external distribution.