One autonomous agent. Full execution stack.
Sentinel is a self hosted AI operator that turns intent into execution. It combines an agent runtime, browser automation, scheduling, memory, approvals, and tool access in one product.
One deployment hosts multiple isolated instances β each with its own database, agent runtime, and LLM provider β managed from a single control plane (the CLI or the desktop app).
Built by ARAIS.
π Docs: sentinel.arais.us
- Run multi step tasks with tool calls and recovery.
- Use a real browser with Playwright and live VNC monitoring.
- Execute scheduled runs with cron or heartbeat triggers.
- Keep persistent hierarchical memory across sessions.
- Delegate bounded work to sub agents.
- Gate risky actions behind human approvals.
- Connect to custom modules for data and actions.
- Run git operations freely and only gate at push or PR creation, so the agent moves fast without surprise commits to main.
- Authenticate with your existing Claude Code or Codex CLI OAuth token, no extra API subscription needed.
User / Telegram / Trigger
β
Sentinel UI
β
Agent Runtime (Python)
βββ Context builder (memory + history)
βββ LLM provider (Anthropic / OpenAI / failover)
βββ Tool adapter (modules + browser + runtime + git)
βββ Approval gate (pause/resume on sensitive actions)
βββ Estop service (freeze or kill execution at any depth)
β
Module Control Plane
βββ Custom tool modules (sandboxed Python)
βββ Data modules (persistent record stores)
βββ Permissions (allow / approval / deny per action)
βββ Approval queue (async human review)
β
Browser + External APIs + Git
git clone https://github.com/arais-labs/sentinel.git
cd sentinelbash ./sentinel-cli.shFor first run:
- Let the CLI create or reconcile the root
.env. Prod mode proposes generated values and rejects placeholders/default credentials. Dev mode is explicit via./sentinel-cli.sh --devand may write local dev defaults. - Choose
Start Stack - Choose
Instances->Create Instance - Create the default logical instance, for example
main
Default URLs:
http://localhost:4747/Sentinelhttp://localhost:4747/modulesmoduleshttp://localhost:4747/vnc/live browser monitor
Use the admin username and password from the root .env.
Compose / server mode: admin credentials live in
.env(SENTINEL_AUTH_USERNAME/SENTINEL_AUTH_PASSWORD) and are re-applied to the manager database on every backend startup. Rotate by editing.envand restarting the backend; thePOST /auth/change-passwordendpoint is disabled.Desktop mode (
APP_ENV=desktop): the manager database is the source of truth..envvalues, if present, are only used to seed credentials on the very first launch. Use the in-app password-change flow to rotate.
- Use
sentinel-cli.shfor instance lifecycle, auth seeding, startup, status, logs, and cleanup. - The CLI defaults to production mode and uses
docker-compose.yml. - Create a root
.envfrom.env.examplefor the default production-shaped path. - Use
./sentinel-cli.sh --devfor explicit local development mode. The CLI can write a complete root.envwith dev-safe defaults.
cp .env.example .env
# edit .env and replace the placeholder secrets
docker compose up --build -ddocker-compose.yml is the production-shaped compose file and fails clearly
unless these secrets are provided. For local development defaults, use
docker-compose.dev.yml.
docker compose -f docker-compose.dev.yml up --buildThe Electron desktop package is under apps/desktop/sentinel.
It is a native management shell for local Sentinel instances. The CLI remains
supported for terminal workflows.
apps/backend/sentinelSentinel backendapps/desktop/sentinelSentinel Electron desktop shellapps/frontend/sentinelSentinel frontendinfra/gateway and runtime wiringdocs-site/full documentation sourcedocs/project notes and assets
- Live docs site: sentinel.arais.us
- Docs site source:
docs-site/ - Intro:
docs-site/docs/introduction.md - Quickstart:
docs-site/docs/quickstart.md - Installation guide:
docs-site/docs/guides/installation.md - CLI reference:
docs-site/docs/guides/cli-reference.md - API reference:
docs-site/docs/reference/api.md
Sentinel uses explicit policy based controls for module actions:
allowexecutes immediatelyapprovalpauses and requests human reviewdenyblocks action
High risk actions can be reviewed before execution. Emergency stop levels can freeze active execution when needed.
See CONTRIBUTING.md and SECURITY.md.
The agent runs shell commands through the runtime system module, which executes
on each instance's managed SSH/tmux runtime target inside an OS-level sandbox β
Bubblewrap on Linux runtimes and macOS Seatbelt (sandbox-exec) on macOS.
All commands run confined; there is no unconfined or "root" execution mode.
The module exposes four actions: runtime.user (run a command in the session
workspace) plus runtime.terminal_list, runtime.terminal_read, and
runtime.terminal_close for managing tmux-backed terminals. Use background=true
for long-running commands. See
Runtime Exec Security.
