Mikoshi Sentinel


Deterministic action verification for LLM agent security
Blocks prompt injection at the action layer, not the prompt layer. Code doesn't hallucinate.
The Problem

Prompt injection is unsolved

🎭 Attacker prompt → 🧠 LLM tricked → 💀 Dangerous action executed
The Solution

Don't fix the prompt — verify the action

👤 User → 🧠 LLM proposes action → 🛡️ Sentinel verifies → ✅ Execute or 🚫 Block
"Code can't be prompt-injected."
How It Works

Propose → Verify → Execute

Step 1 — Propose

LLM Proposes

LLM processes user input and proposes an action — a tool call, shell command, or API request.

Step 2 — Verify

Sentinel Checks

Sentinel runs eight deterministic policy checks, intent alignment analysis among them, against the proposed action. Pure code, no AI: the verifier has no prompt to inject into.

Step 3 — Execute

Pass or Block

Only actions that pass every check are executed. Blocked actions are logged with the full list of violated policies and the reason for each.

Built-in Policies

8 deterministic checks

🔒

No Privilege Escalation

Blocks attempts to spawn sub-agents, reach admin routes, or modify configuration files.

🌐

No Data Exfiltration

Blocks sending user data to external URLs, including payloads that have been encoded to hide it.

🏠

No Internal Access (SSRF)

Blocks requests to localhost, private IP ranges, and other internal network addresses.

📁

No File Traversal

Blocks ../ and ~/ paths, symlink tricks, and null bytes in paths.

⚠️

No Dangerous Commands

Blocks destructive or unsafe shell commands such as rm -rf, shutdown, chmod 777, and curl | bash.

🎯

Intent Alignment

Verifies action matches user's actual conversation intent.

⏱️

Rate Limiting

Caps how many actions an agent may issue in a window, stopping rapid-fire automated attacks.

🔐

Scope Enforcement

Actions must stay within granted permissions.

Results

Battle-tested

102 tests passing
54 attack vectors blocked
0 false positives
0.03 ms per verification
Approach               | Deterministic | Prompt-Proof | Action-Layer | Zero Overhead | No False Positives
🛡️ Sentinel            | Yes           | Yes          | Yes          | Yes           | Yes
Input Filtering        | Partial       | No           | No           | Yes           | No
Dual-LLM               | No            | No           | Partial      | No            | No
Instruction Hierarchy  | No            | No           | No           | Yes           | No
Integration

Three lines of code

```shell
npm install mikoshi-sentinel
```

```javascript
import { Sentinel } from 'mikoshi-sentinel';

const sentinel = new Sentinel({ policies: 'all' });

// Verify any action before executing it. `context` is the conversation/user
// context object the caller supplies (see the project docs for its shape).
const verdict = await sentinel.verify(
  { tool: 'exec', args: { command: 'rm -rf /' } },
  context
);
// verdict.allowed = false
// verdict.violations = ['system-commands: destructive command blocked']
```

Express middleware:

```javascript
// Every request under /api/tools is now verified before the tool runs
app.use('/api/tools', sentinel.middleware());
```
Sentinel via Nexus

Self-host for free, or let Nexus manage everything: auto-updated threat rules, an audit dashboard, and automatic verification of every Synapse action.

📦 Self-Hosted
Free forever · Apache 2.0
✅ 8 built-in policies
✅ Express middleware
✅ npm install
✅ Full source code
✗ Audit dashboard
✗ Custom policies
✗ Auto-updated rules
✗ Real-time alerts

🛡️ Sentinel via Nexus
Included with Nexus Premium
✅ Everything in self-hosted
🛡️ Audit dashboard
🛡️ Custom policies
🛡️ Synapse auto-verify
🛡️ Auto-updated threat rules
🛡️ Real-time attack alerts
🛡️ Policy analytics
🛡️ Multi-agent coverage

Open source core. Managed via Nexus.

Self-host for free or get managed protection with Nexus Premium.

View on GitHub → Sentinel via Nexus → Read the Paper →