Sentinel: the part of Mickai that stops AI agents from wiping your data

On 25 April 2026 a Cursor session running Claude Opus 4.6 deleted a production database and every attached volume backup in nine seconds. The company was PocketOS. Tom's Hardware and The Register both reported it. The agent was not malfunctioning; it was doing exactly what the prompt told it to do, with no perimeter between the model's intent and the host filesystem.

Seven days earlier, on 18 April, the OpenAI Codex Desktop client on Windows deleted approximately three hundred and twenty-eight thousand files across more than ten user directories outside the project root, bypassing the recycle bin entirely. The bug is openai/codex issue 18509. Five days after that, issue 19202 documented Codex's apply_patch silently deleting a target file before recreating it, with no user confirmation.

Five weeks earlier, on 22 March, a Cursor agent ran git stash --include-untracked on a deployment host and destroyed system credentials and untracked secret files in the same stroke. Four months before that, in December 2025, Claude Code shipped an --accept-data-loss flag and used it without asking, wiping the DataTalks.Club production database during what was supposed to be a routine migration.

These are five published, dated, named-victim incidents in five months. They are not edge cases. They are the natural endpoint of running an autonomous coding agent against a host operating system with the same privileges as the user, without an interceptor between the model and the syscalls.

Sentinel

Sentinel is the Mickai sub-component built specifically to make this class of failure impossible. It is the perimeter inside the Mickai cooperative that mediates every action originating from an AI-agent process: every file write, every file deletion, every shell command, every git operation, every outbound network request, and every prompt sent to a remote large-language-model service. Nothing the agent does reaches the disk, the wire, or the model without passing through Sentinel first.

Sentinel is filed under the MWI-PA-2026-001 patent family at the UK Intellectual Property Office (application UK00004373277). The 29 April 2026 continuation adds claim blocks A through K, covering the universal interceptor, the deterministic-placeholder redaction proxy, pre-execution intent classification, copy-on-write workspace forking, the signed session ledger, hybrid local-cloud policy enforcement, marketplace-distributed policy with version attestation, streaming SSE placeholder restoration, and schema-aware multi-provider request redaction. Sole inventor: Micky Irons.

What Sentinel does

• Tags every AI-agent process at launch. The tag is derived from executable hash, command line, environment variables, or an explicit registration call. Cursor, Claude Code, Codex, Aider, Cline, Windsurf, GitHub Copilot Workspace, Roo Cline, and any successor are identified without modification to the vendor's source code. The tag propagates to every child process by interception of clone, fork, and CreateProcess.
• Routes every action through one daemon in a separate trust domain. The agent process cannot disable, uninstall, suspend, or modify the policy of the daemon by any in-band action. An autonomous agent attempting to switch off its own perimeter has no path to do so; the perimeter runs at a privilege the agent cannot reach.
• Classifies every shell command before execution. The destructive-pattern corpus covers rm -rf against the home directory or system paths, git commands containing --force, -f, --delete, -D, or --include-untracked, any flag whose name contains accept-data-loss, SQL DROP and TRUNCATE against unconfirmed targets, cloud-platform terminate-instances and delete-stack and s3 rm --recursive and kubectl delete against production identifiers, chmod -R 777, and arbitrary patterns supplied per project. Matches surface as an inline approval prompt inside the agent's own terminal session, plus a tray-level notification to the user.
• Pre-stages a copy-on-write snapshot before every potentially destructive action. The snapshot lives in a content-addressed encrypted vault under a key derived from a user secret. Rollback to any prior snapshot is a single click. The PocketOS deletion and the DataTalks.Club deletion would both have been captured before the destructive call returned control to the agent.
• Forks the workspace into a copy-on-write shadow layer for every session. The agent operates on the shadow; the real workspace stays untouched. A promotion gate presents the diff and accepts promote-all, promote-selected, or discard. Three hundred and twenty-eight thousand files cannot leak out of a shadow workspace by definition.
• Substitutes deterministic placeholders for every secret in every outbound prompt. Cloud access keys, OAuth tokens, UK National Insurance numbers, NHS numbers, Luhn-validated financial accounts, and any contents recently read from .env files are replaced with placeholders of the form [REDACTED:class_shorthash]. The same secret resolves to the same placeholder within a session. The reverse map lives only on the host. Inbound responses are walked byte-by-byte and the placeholders are restored before the agent ever sees them, including inside structured tool-use JSON payloads, with chunk-boundary preservation across server-sent-event streams.
• Signs every step into a hash-chained session ledger under an Ed25519 per-session key. Every operation, every snapshot, every matched signature, every user response, and a content hash of the prior record are appended in chronological order. The public certificate is renderable at /sentinel/sessions/{session-id} and is structured for indexing so a third party can verify the chain has not been altered since session end. The ledger replays in the local UI as a timeline: every command, every file written or deleted with byte-level diffs, every prompt with redaction status, every response, every git operation.

Why composition is the point

The market already has partial answers. Bubblewrap and Docker offer kernel sandboxing but lack a graphical promotion gate and do not redact secrets. Cycode AI Guardrails performs prompt-side secret detection but does not substitute on inbound responses and does not handle fail-open semantics. Logi-cmd's agent-guardrails operates only at merge time. Rule files such as CLAUDE.md and .cursorignore are advisory and ignorable by an autonomous agent. Mitmproxy can intercept TLS but is general purpose and lacks deterministic-placeholder semantics. Git worktrees offer parallel directories but no session-scoped promotion. Audit logs in CI systems are signed at the system level, not per-session-per-agent.

The novelty of Sentinel is the horizontal composition. No prior art combines (filesystem snapshot) plus (git protection) plus (deterministic-placeholder secret proxy with reverse-map and inbound restoration) plus (per-command-line pre-execution classifier with inline approval) plus (copy-on-write shadow workspace with promotion gate) plus (signed per-session hash-chained ledger) under a single user-controlled control plane keyed to AI-agent process identity. That composition is what the continuation patent claims, and what the running implementation enforces.

What this means for the user

Run any AI coding agent on a Mickai-protected machine and the agent operates exactly as it always has, with one difference: the destructive paths are gated. A nine-second wipe of production cannot reach production because the destructive command is intercepted, classified, surfaced for approval, and pre-snapshotted. A three-hundred-thousand-file deletion outside the project root cannot escape the project root because the agent is operating on a shadow overlay. A leaked .env cannot leave the machine because every secret is replaced with a placeholder before the prompt crosses the network and restored only inside the local proxy.

Crucially, the user retains the agent. Sentinel is not a refusal to use Cursor or Claude Code or Codex. It is a sovereign perimeter around them that turns autonomous coding into a recoverable operation rather than an irreversible one.

Where this sits in Mickai

Sentinel runs as one of the cooperating sub-components inside Mickai, alongside the privacy router (Trust Agent), the multi-brain arbiter, the post-quantum signing primitives, and the hardware-bound identity layer. The session ledger Sentinel writes is the same tamper-evident append-only DAG that records every other Mickai decision. The signing keys are bound to the user's machine. The corpus updates ship as signed .tagnt manifests with version-attested enforcement so an external auditor can prove which rule version was active at any moment in the past.

Status and access

Sentinel is in private operation. The reference Rust implementation (the OS-level Tauri track) is archived as the Enterprise / on-prem deliverable; the cloud-proxy track ships first to validate against paying customers, with the Pro+ Sentinel CLI add-on bringing a subset of the local interception layers to operators who want both.

If you operate in a regulated sector, run an institution where an AI coding agent must be verifiable rather than promissory, or simply want the next Cursor accident to be a click-to-restore instead of a post-mortem, the audit form on mickai.co.uk is the entry point. Mickai is held privately by its founder; the engagement model is direct.

“Sovereign means recoverable. The agent acts; the perimeter remembers; the user decides.”

Sources

• Tom's Hardware, 26 April 2026: Claude-powered AI coding agent deletes entire company database in 9 seconds, backups zapped after Cursor tool powered by Anthropic's Claude goes rogue (PocketOS).
• The Register, 27 April 2026: Cursor and Opus agent snuffs out PocketOS.
• GitHub openai/codex issue 18509, 18 April 2026: Codex Desktop deleted ~328k files outside project root.
• GitHub openai/codex issue 19202, 23 April 2026: apply_patch deletes target file before recreate.
• Cursor forum thread 146865, 22 March 2026: Cursor's WorktreeManager force-deleted my git branch.
• Cursor forum thread 154810, March 2026: Cursor agent just deleted my changes by git restore.
• Medium glasier067, December 2025: Claude Code accidentally deleted a production database (DataTalks.Club).
• Infosecurity Magazine, April 2026: How to safeguard vibe-coding security (recital that system prompts are advisory, not enforcement).