Sentinel: Policy Synchronization
Manage how policies propagate from the TruthVouch Cloud dashboard to Sentinel agents on employee devices.
Policy Sync Architecture
      ┌─ TruthVouch Cloud ────────────┐
      │ Policy Management Dashboard   │
      │ • Define AI tool allowlist    │
      │ • Set DLP rules               │
      │ • Configure thresholds        │
      └──────────────┬────────────────┘
                     │ Publish Policy
                     │ (Version: v42)
             ┌───────▼─────────────┐
             │ Policy Database     │
             │ • Current version   │
             │ • Policy history    │
             │ • Deployment status │
             └───────┬─────────────┘
                     │ HTTPS sync requests (hourly)
      ┌──────────────┼──────────────┐
      ▼              ▼              ▼
┌────────────┐ ┌────────────┐ ┌────────────┐
│ Sentinel 1 │ │ Sentinel 2 │ │ Sentinel N │
│ (v41)      │ │ (v42)      │ │ (v40)      │
└─────┬──────┘ └────────────┘ └────────────┘
      │
┌─────▼────────┐
│ Cloud checks │
│ version: v41 │
│ Response: 200│
│ New policies │
└─────┬────────┘
      │
┌─────▼──────────────┐
│ Local application  │
│ Load new policies  │
│ Cache to disk      │
│ Verify signature   │
└────────────────────┘

Sync Process
1. Policy Request
Every sync_interval (default: 60 minutes), Sentinel sends:
POST /api/v1/policy HTTP/1.1
Host: api.truthvouch.io
Authorization: Bearer sk-...
Content-Type: application/json

{
  "agent_id": "dev-abc123",
  "organization_id": "org-xyz789",
  "current_version": "v41"
}

2. Server Response
If policies are unchanged:
HTTP/1.1 304 Not Modified

If new policies are available:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Encoding: gzip

{
  "version": "v42",
  "timestamp": "2024-01-15T10:00:00Z",
  "policies": {
    "ai_tools": {
      "allowed": ["chatgpt", "claude", "copilot"],
      "blocked": ["gemini-unrestricted"],
      "tiers": {
        "chatgpt": "allowed",
        "claude": "allowed",
        "copilot": "allowed"
      }
    },
    "dlp": {
      "pii_detection": {
        "enabled": true,
        "block_on_match": true,
        "patterns": ["ssn", "credit_card", "email"]
      },
      "secret_detection": {
        "enabled": true,
        "block_on_match": true
      }
    }
  },
  "signature": "sha256=..."
}

3. Local Application
Sentinel:
- Verifies signature using public key
- Decompresses policies (gzip)
- Stores in SQLite cache with version hash
- Applies policies immediately
- Logs sync event
Policy File Format
Complete Policy Structure
{
  "version": "v42",
  "timestamp": "2024-01-15T10:00:00Z",
  "policies": {
    "ai_tools": {
      "allowed_tools": {
        "chatgpt": {
          "enabled": true,
          "urls": ["chat.openai.com"],
          "risk_level": "low",
          "data_residency": "us"
        },
        "claude": {
          "enabled": true,
          "urls": ["claude.ai"],
          "risk_level": "low",
          "data_residency": "us"
        },
        "copilot": {
          "enabled": true,
          "urls": ["github.com"],
          "risk_level": "medium",
          "data_residency": "us"
        }
      },
      "blocked_tools": {
        "gemini_unrestricted": {
          "reason": "non-compliant",
          "message": "Gemini is not approved for company use"
        }
      }
    },
    "dlp": {
      "pii_detection": {
        "enabled": true,
        "block_on_match": true,
        "sensitive_patterns": {
          "ssn": {
            "pattern": "^\\d{3}-\\d{2}-\\d{4}$",
            "confidence": 0.99,
            "action": "block"
          },
          "credit_card": {
            "pattern": "^\\d{4}-\\d{4}-\\d{4}-\\d{4}$",
            "confidence": 0.95,
            "action": "block"
          }
        }
      },
      "secret_detection": {
        "enabled": true,
        "block_on_match": true,
        "secrets": {
          "api_key": {
            "pattern": "api[_-]?key[:=]\\s*['\\\"]?[a-zA-Z0-9]{32}",
            "confidence": 0.9,
            "action": "block"
          }
        }
      },
      "time_based_restrictions": {
        "enabled": true,
        "work_hours": {
          "start": "09:00",
          "end": "17:00",
          "timezone": "America/New_York",
          "days": ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]
        }
      }
    },
    "risk_management": {
      "high_risk_detections": {
        "enabled": true,
        "threshold": 0.8,
        "action": "warn"
      }
    }
  },
  "signature": "sha256=abcdef...",
  "signature_algorithm": "sha256"
}

Configuration
Set Sync Interval
Edit config.yaml:
policy:
  # Sync every 60 minutes (default)
  sync_interval: 60

  # Sync every 5 minutes (frequent updates)
  sync_interval: 5

  # Sync every 12 hours (infrequent)
  sync_interval: 720

Custom Policy Endpoint
policy:
  sync_url: https://policies.company.local/api/v1/policy

Retry Configuration
policy:
  # Retry on failure
  retry_on_failure: true

  # Max retry attempts
  max_retries: 5

  # Backoff time (seconds)
  retry_backoff_seconds: 30

Offline Fallback
When Sentinel cannot reach the cloud:
- First 7 days (configurable): Use cached policies
- After 7 days: Warn user that policies are stale
- Enforcement: Continue blocking based on last-known policies
- Auto-revert: When reconnected, immediately sync latest
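The local side of the sync cycle (304 versus 200, signature check, cache with version hash) together with the offline fallback above, as an added Python example that is not Sentinel's own code. The page does not name the signature scheme, so HMAC-SHA256 over the canonical policies object stands in for the public-key check; the key, payload and grace period are constructed for the demo.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# ASSUMPTION (added example, not Sentinel code): HMAC-SHA256 over the canonical
# "policies" object stands in for the public-key signature Sentinel verifies.
# The key below is constructed for the demo only.
SIGNING_KEY = b"constructed-demo-key"

@dataclass
class PolicyCache:
    grace: timedelta = timedelta(days=7)       # offline_grace_period_days default
    version: Optional[str] = None
    version_hash: Optional[str] = None         # hash stored alongside the cached policy
    policies: Optional[dict] = None
    last_sync: Optional[datetime] = None       # last successful contact with the cloud

def canonical(policies: dict) -> bytes:
    """Deterministic bytes so signer and verifier hash exactly the same input."""
    return json.dumps(policies, sort_keys=True, separators=(",", ":")).encode()

def sign(policies: dict, key: bytes = SIGNING_KEY) -> str:
    return "sha256=" + hmac.new(key, canonical(policies), hashlib.sha256).hexdigest()

def verify(payload: dict, key: bytes = SIGNING_KEY) -> bool:
    presented = str(payload.get("signature", "")).encode()
    return hmac.compare_digest(sign(payload["policies"], key).encode(), presented)

def handle_response(cache: PolicyCache, status: int, body: Optional[dict], now: datetime) -> str:
    """Apply one sync response; the return value is what the sync event log records."""
    if status == 304:                          # unchanged, but contact succeeded
        cache.last_sync = now
        return "unchanged"
    if status != 200 or body is None:          # unreachable/error: keep last-known policy
        return "error"
    if not verify(body):                       # tampered or unsigned: never apply
        return "rejected"
    cache.version, cache.policies, cache.last_sync = body["version"], body["policies"], now
    cache.version_hash = hashlib.sha256(canonical(body["policies"])).hexdigest()
    return "applied"

def enforcement_state(cache: PolicyCache, now: datetime) -> str:
    """'stale' still enforces the cached policy; it only triggers the user warning."""
    if cache.policies is None:
        return "none"
    return "stale" if now - cache.last_sync > cache.grace else "current"
```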
Configure Grace Period
advanced:
  # Allow offline operation for 30 days
  offline_grace_period_days: 30

Policy Deployment Strategies
Rolling Deployment (Gradual Rollout)
Rollout policies to 10% of agents first:
Dashboard:
- Create policy version “v42”
- Set deployment percentage: 10%
- Wait 1 hour for policy sync
- Monitor agent feedback
- Increase to 25%, 50%, 100%
Rollback: Click “Rollback to v41” — all agents revert within 1 hour
Canary Deployment
Deploy to specific users first:
Dashboard:
- Create policy “v42”
- Select “Canary” mode
- Target users: [email protected], [email protected]
- Validate feedback
- Deploy to all
Immediate Deployment
Apply policy to all agents instantly:
Dashboard:
- Create policy “v42”
- Select “Immediate”
- All agents sync within 10 minutes (next sync cycle)
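The version selection behind the three deployment modes above, as an added Python example that is not TruthVouch code; it is the logic a custom policy server (see Custom Policy Servers later on this page) needs so that rolling percentages, canary user lists, immediate deployment and rollback all resolve to the right version per agent. The policy bodies, agent ids and deployment dictionaries are constructed for the demo.

```python
import hashlib
from typing import Optional

# Added example, not TruthVouch code. Constructed policy documents keyed by version.
POLICIES = {
    "v41": {"version": "v41", "policies": {"ai_tools": {"allowed": ["chatgpt"]}}},
    "v42": {"version": "v42", "policies": {"ai_tools": {"allowed": ["chatgpt", "claude"]}}},
}

def rollout_bucket(agent_id: str) -> int:
    """Stable 0-99 bucket per agent: raising 10% -> 25% -> 100% only adds agents and
    never flips one back, so cohorts grow monotonically without server-side state."""
    return int(hashlib.sha256(agent_id.encode()).hexdigest(), 16) % 100

def select_version(agent_id: str, user: Optional[str], deployment: dict) -> str:
    """deployment carries "stable", "candidate" and a "mode":
    rolling (+ "percentage"), canary (+ "users"), immediate, or rollback."""
    stable, candidate, mode = deployment["stable"], deployment["candidate"], deployment["mode"]
    if mode == "immediate":
        return candidate
    if mode == "rollback":                       # every agent reverts on its next sync
        return stable
    if mode == "canary":
        # user should come from the authenticated agent identity, not the request body
        return candidate if user in deployment.get("users", []) else stable
    if mode == "rolling":
        return candidate if rollout_bucket(agent_id) < deployment["percentage"] else stable
    raise ValueError(f"unknown deployment mode: {mode}")

def policy_response(request: dict, user: Optional[str], deployment: dict):
    """Mirror the sync endpoint: 304 when the agent already runs its target version,
    otherwise 200 with the full policy document for that version."""
    target = select_version(request["agent_id"], user, deployment)
    if request.get("current_version") == target:
        return 304, None
    return 200, POLICIES[target]
```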
Monitoring Policy Sync
Dashboard View
- Agents: Total count, by policy version
- Last sync: Timestamp, status (success/failure)
- Policy coverage: % agents with latest policy
- Sync errors: Failed agents, error details
Check Local Status
# Windows (PowerShell)
$reg = Get-ItemProperty -Path "HKLM:\SOFTWARE\TruthVouch\Sentinel"
$reg.LastPolicySync
$reg.CurrentPolicyVersion

# macOS/Linux
cat ~/.truthvouch/sentinel/config.yaml | grep current_version

View Sync Logs
Windows:
Get-EventLog -LogName "Application" -Source "TruthVouch" -Newest 20

macOS:
log stream --predicate 'process == "sentinel"' --level debug

Linux:
sudo journalctl -u sentinel -f | grep "policy"

Troubleshooting
Policies Not Syncing
1. Check connectivity:
curl -I https://api.truthvouch.io/api/v1/policy

2. Verify API key:
cloud:
  api_key: sk-...  # Must be valid

3. Check sync interval:
policy:
  sync_interval: 60  # Default 60 minutes

4. View logs:
- Windows: Event Viewer → TruthVouch
- macOS: log stream --predicate 'process == "sentinel"'
- Linux: sudo journalctl -u sentinel -f
Stale Policies
Manual sync:
# Windows
sentinel.exe --sync-policy --force

# macOS/Linux
sentinel --sync-policy --force

Check cache:

# Windows
dir C:\ProgramData\TruthVouch\Sentinel\policies\

# macOS
ls ~/.truthvouch/sentinel/cache/

# Linux
ls /var/lib/truthvouch/sentinel/policies/

Sync Failures
Network issues:
# Test connectivity
ping api.truthvouch.io

# Test HTTPS
openssl s_client -connect api.truthvouch.io:443

# Check firewall
netstat -an | grep 443

Authentication issues:

# Verify API key in config.yaml
# Regenerate key in dashboard if needed

Corrupt cache:

# Windows
Remove-Item C:\ProgramData\TruthVouch\Sentinel\policies\* -Recurse

# macOS
rm -rf ~/.truthvouch/sentinel/cache/

# Linux
sudo rm -rf /var/lib/truthvouch/sentinel/policies/

Then restart Sentinel to re-sync.
Advanced Configuration
Custom Policy Servers
Deploy your own policy server:
# Example Python policy server
from flask import Flask, request, jsonify
import json

app = Flask(__name__)

@app.route('/api/v1/policy', methods=['POST'])
def get_policy():
    # Agents send "Authorization: Bearer <api key>": a production server must
    # validate that token before returning any policy, and must return a signed
    # policy document, since Sentinel verifies the signature before applying it.
    body = request.get_json(silent=True) or {}
    agent_version = body.get('current_version')

    # Load latest policy
    with open('policies/v42.json', 'r') as f:
        latest = json.load(f)

    if agent_version == latest['version']:
        return '', 304  # Not Modified

    return jsonify(latest), 200

if __name__ == '__main__':
    # 'adhoc' generates a throwaway self-signed certificate (requires pyOpenSSL);
    # use a certificate the agents trust in production.
    app.run(host='0.0.0.0', port=443, ssl_context='adhoc')

Configure Sentinel:
policy:
  sync_url: https://policies.company.local/api/v1/policy

Best Practices
- Test policies before rollout — Use canary deployment
- Version your policies — Use semantic versioning (v1.0, v1.1, v2.0)
- Monitor adoption — Check dashboard for sync success rates
- Plan rollbacks — Keep previous policy versions available
- Communicate changes — Notify users of policy updates
- Log audit trail — Track who changed policies and when
See Configuration Reference for all policy options and Troubleshooting for additional help.