Sentinel: Universal AI-Agent Action Interceptor with Signed Audit.

Process-tagged perimeter that intercepts every action of every AI coding agent on the host. 91 claims across eleven blocks (A through K).

Sentinel is the Mickai sub-component built specifically to make destructive AI-agent failure impossible by construction. It tags every AI-agent process at launch (Cursor, Claude Code, Codex, Aider, Cline, Windsurf, GitHub Copilot Workspace, Roo Cline, and any successor) without source-code modification, then routes every filesystem write, every shell command, every git operation, every outbound network request, and every prompt sent to a remote LLM through one daemon in a separate trust domain. Destructive shell commands are classified before execution against a corpus that covers rm -rf against the home directory, --force / --delete / --include-untracked git flags, accept-data-loss flags, SQL DROP and TRUNCATE, cloud-platform terminate-instances and delete-stack and s3 rm --recursive against production identifiers, chmod -R 777, and arbitrary user-supplied per-project rules. Every potentially destructive action is pre-staged into an AES-GCM encrypted copy-on-write snapshot under a key derived from a user secret. Workspace operations happen in a copy-on-write shadow layer with a promotion gate so destructive bulk deletions cannot escape the sandbox. Every outbound LLM prompt has secrets replaced with deterministic placeholders of the form [REDACTED:class_shorthash]; the reverse map lives only on the host, and inbound responses are walked byte-by-byte with placeholders restored before the agent sees them, including inside structured tool-use JSON payloads, with chunk-boundary preservation across server-sent-event streams. Every operation, snapshot, matched signature, user response, and prior-record hash is appended in chronological order to a per-session Ed25519-signed hash-chained ledger. The continuation adds 91 new claims across eleven independent blocks (A through K): the universal interceptor, the deterministic-placeholder redaction proxy, pre-execution intent classification, copy-on-write workspace forking, the signed session ledger, hybrid local/cloud policy enforcement, marketplace-distributed policy with version attestation, streaming SSE placeholder restoration, schema-aware multi-provider request redaction, and audited rule-marketplace governance.