Skip to content
TruthVouch Docs

Sentinel: Architecture

Understand how the Sentinel Agent monitors AI tool usage, enforces policies locally, and securely reports to TruthVouch Cloud.

Architecture Overview

Employee Device
Sentinel Agent
Application Monitor
  • Detects AI tool launches (ChatGPT, Copilot, Gemini, Claude)
  • Hooks into application APIs
Local Policy Engine
  • Loads policies from disk cache
  • Enforces DLP rules in real-time
  • No cloud round-trip (offline-first)
  • Blocks/warns based on policy
Local Database (SQLite)
  • Usage logs
  • Policy cache
  • Encrypted at rest
Telemetry Reporter
(Hourly or on-demand)
  • Sends usage summary to cloud
  • Encrypted HTTPS
  • No user data or request contents
HTTPS (encrypted)
Hourly sync
TruthVouch Cloud
  • Dashboard
  • Policy Management
  • Analytics

Key Components

1. Application Monitor

Detects when users launch or interact with AI tools:

Supported Tools:

  • OpenAI (ChatGPT, GPT-4)
  • Anthropic (Claude)
  • Google (Gemini)
  • Microsoft (Copilot, GitHub Copilot)
  • Local models (Ollama, LLaMA)

Detection Methods:

  • Process monitoring (detect exe/app launch)
  • Network inspection (detect API calls)
  • Clipboard monitoring (detect pastes to web apps)
  • Browser extension integration

2. Local Policy Engine

Real-time policy enforcement without cloud round-trip:

Enforcement Rules:

  • Allowlist/Blocklist — Permitted AI tools
  • DLP patterns — Block sensitive data (PII, secrets, credentials)
  • Time-based policies — Restrict access during work hours
  • Risk-based policies — Flag high-risk requests, block suspicious usage
  • Content filters — Prevent submissions to non-approved tools

Execution:

  • Policies loaded from encrypted local cache
  • Evaluated instantly (sub-100ms latency)
  • Cached results prevent repeated checks

3. Local Database

SQLite database stores:

  • Usage logs — Tool, timestamp, blocked status, reason
  • Policy cache — Last-synced policies with hash verification
  • Configuration — Agent settings, endpoints, credentials

Security:

  • Encrypted at rest with device key
  • Accessible only to Sentinel process
  • Automatic rotation of old logs

4. Telemetry Reporter

Securely reports usage to TruthVouch Cloud:

What is sent:

  • Tool name, timestamp, action (allowed/blocked)
  • Policy rule that matched (without user data)
  • Aggregate counts, not individual requests

What is NOT sent:

  • User input or prompts
  • Request/response contents
  • Clipboard data
  • Browsing history
  • File contents

Frequency:

  • Default: Hourly sync
  • Configurable: 5 minutes to 24 hours
  • On-demand: Via dashboard or local API

Platform-Specific Details

Windows

  • Service: Runs as Windows Service (LOCAL SYSTEM)
  • Hooks: WinAPI process monitoring, network interception
  • Storage: C:\ProgramData\TruthVouch\Sentinel\
  • Logs: Event Viewer → Applications and Services → TruthVouch

macOS

  • Service: Runs as LaunchDaemon
  • Hooks: System Extensions (URLFilter, NetworkFilter)
  • Storage: /Library/Application Support/TruthVouch/Sentinel/
  • Logs: /var/log/TruthVouch/sentinel.log

Linux

  • Service: Systemd service
  • Hooks: netlink sockets, process monitoring
  • Storage: /etc/truthvouch/sentinel/
  • Logs: /var/log/truthvouch/sentinel.log

Policy Sync Architecture

Device
Sentinel Agent
Policy Cache
(Version: v42)
Hourly — HTTPS POST /api/v1/policy?version=v42
Cloud
Policy Database
(Version: v42)
If version matches: 304 Not Modified
If newer exists: 200 OK + policies.json (compressed)

Offline Mode

Sentinel continues functioning without cloud connectivity:

Capabilities:

  • All policies enforced from cache
  • Usage logs accumulated locally
  • Cloud features disabled (analytics, real-time alerts)

Restoration:

  • On reconnect, syncs accumulated logs
  • Checks for new policies
  • Resume real-time features

Log Retention:

  • Default: 30 days of local logs
  • Configurable: Up to 365 days
  • Auto-cleanup of oldest logs

Security Model

End-to-End Encryption

Device Key
(stored on device)
Cloud Key
(stored in cloud)
Shared Secret
Used to encrypt telemetry payloads
HTTPS (double encryption)
Encrypted → Cloud

Certificate Pinning

  • Sentinel pins TruthVouch API certificate
  • Prevents man-in-the-middle attacks
  • Certificate updated via secure channel

Code Signing

  • Sentinel executable signed by TruthVouch
  • Signature verified on launch
  • Tampering detected immediately

Performance Characteristics

CPU Usage

  • Idle: <1% (no AI tools active)
  • Monitoring: 1-3% (watching for AI tool launch)
  • Enforcing: <1ms latency per policy check
  • Sync: <2% for 30 seconds (hourly)

Memory Usage

  • Baseline: 50-100MB
  • With policies loaded: 150-200MB
  • Policy cache limit: 500MB (configurable)

Disk Usage

  • Agent binaries: 30MB
  • Local database: 10-50MB (logs)
  • Cached policies: 5-10MB

Network Usage

  • Idle: ~1KB/hour (keep-alive)
  • Hourly sync: 5-50KB (depends on policy size)
  • Usage reports: 1-5KB/sync

Threat Model

Protected Against

  • User bypassing policies (enforced locally)
  • Local policy modification (signed, encrypted)
  • Eavesdropping (encrypted HTTPS)
  • Policy injection (hash verification)

Not Protected Against

  • Privileged user with admin/root access
  • Hardware keylogger
  • Physical device theft (encrypted data)

Architecture Decisions

Why Local Enforcement?

  • Offline capability — Works without cloud
  • Low latency — Sub-100ms enforcement
  • Privacy — No request contents sent to cloud
  • Compliance — Meets air-gap requirements

Why Hourly Sync?

  • Freshness — New policies within 1 hour
  • Overhead — Minimal bandwidth and CPU
  • Scalability — Millions of devices sustainable
  • Configurable — Adjust per organization

Why Encrypted Cache?

  • Data residency — Policies stay on device
  • Compliance — Meets GDPR/HIPAA requirements
  • Offline operation — Cache survives reboots

See Policy Synchronization for detailed policy sync process.