Sentinel
Sentinel is the always-on detection layer that watches your agent stack while it runs. Where RadCheck is a one-time scan, Sentinel monitors continuously — surfacing silence gaps, stall patterns, and compaction pressure before they become incidents.
Sentinel is advisory only. It detects and signals — it never takes autonomous action, restarts services, or modifies your configuration.
What Sentinel Does
- Monitors for stalled or silent agent behavior during live operation
- Tracks compaction acceleration and emits disk pressure advisories
- Maintains a four-state protection machine that escalates based on signal accumulation
- Feeds real-time event context into Agent911 and Watchdog
- Emits structured alerts that operators and downstream tools can consume
The Four Protection States
Sentinel maintains a state machine across four levels:
| State | Meaning |
|---|
NOMINAL | No anomalies detected — system within expected parameters |
SUSPECT | Early warning signals present — elevated monitoring |
ACTIVE | Active anomaly confirmed — alert emitted |
STORM | Compaction storm state — multiple overlapping signals |
sentinel_protection_state.json and via Agent911.
What Sentinel Monitors
Silence gaps — expected agent activity has stopped without a clean shutdown signal.
Stall patterns — process appears alive (port up) but meaningful work has stopped. Sentinel distinguishes between “running” and “progressing.”
Compaction pressure — memory compaction acceleration that historically precedes multi-minute stalls. Sentinel adds a comp_alert signal to every Watchdog status cycle when compaction budget is stressed.
Disk growth slope — Sentinel emits a SENTINEL_DISK_PRESSURE advisory when log volume growth exceeds safe thresholds.
How Sentinel Integrates with Watchdog
Sentinel runs inside the Watchdog loop. Every Watchdog heartbeat cycle receives Sentinel’s current protection state. This means:
- Watchdog stall detection inherits Sentinel’s compaction context
- A
STORM state in Sentinel appears in watchdog.log and ops_events.log
- Agent911 reads both surfaces — the protection state influences its top-risk ranking
Output Files
| File | Contents |
|---|
compaction_alert_state.json | Current compaction pressure level, acceleration rate, timestamp |
sentinel_protection_state.json | Current state, last transition, active signals |
ops_events.log | Append-only event log — all Sentinel state transitions and alerts |
From Sentinel to Agent911
Sentinel is detection. Agent911 is the unified incident view.
When Sentinel reports ACTIVE or STORM:
- Run
triage immediately to capture a proof bundle before touching anything
- Open Agent911 for a unified incident view with all active signals
- Check
sentinel_protection_state.json for the specific active signal list
Pricing
Sentinel is a paid product — the recommended first step after a RadCheck baseline scan. See Pricing for current rates.
