@neurosec/sentry
v1.1.3
Published
NeuroShield Sentry — host-level agent protection daemon. Detects and blocks malicious AI agent actions at the OS level.
Maintainers
Readme
NeuroShield Sentry
Host-level agent protection daemon. Detects AI agent processes running on your infrastructure, sandboxes them with kernel-level isolation, and enforces policies on filesystem access, network egress, syscalls, and skill/tool execution.
npm install -g @neurosec/sentry
neuroshield-sentry setup
sudo neuroshield-sentry installHow It Works
The Sentry daemon runs on each host and connects to your NeuroSec security platform:
- Discovery — scans
/proc/*for processes matching agent framework signatures (LangChain, CrewAI, Claude Code, MCP, AutoGen, etc.) - Sandbox — applies cgroups v2 (CPU/memory limits), seccomp (syscall allowlist), and Landlock (filesystem path restrictions) to each agent process
- Enforcement — evaluates every file access, network connection, and syscall against policy. Monitor mode = log-only. Enforce mode = block violations. Quarantine mode = kill on repeat offenses
- Skill Authorization — detects tool definitions from MCP manifests, env vars, and process args. High-risk skills (shell exec, file write, database queries) require approval or are blocked
- Audit — all decisions are logged as JSON Lines with auto-rotation and SIEM-ready format
Quick Start
# Install globally
npm install -g @neurosec/sentry
# Interactive setup (prompts for NeuroSec URL, org ID, token)
neuroshield-sentry setup
# Or non-interactive for automation
neuroshield-sentry setup \
--org=org_abc123 \
--token=nst_yourtoken \
--mode=enforce \
--url=https://api.neurosec.ai
# Install as system service (systemd on Linux, launchd on macOS)
sudo neuroshield-sentry install
# Check status
neuroshield-sentry status
# Launch an agent through Sentry's platform sandbox wrapper
neuroshield-sentry launch --framework=codex -- node agent.js
# View real-time enforcement decisions
neuroshield-sentry logs -f
# Start the daemon manually
sudo neuroshield-sentrydCLI Reference
| Command | Description |
|---------|-------------|
| setup | Generate sentry.yaml configuration |
| install | Install system service (systemd/launchd) |
| ca | Show/export the local CA agents must trust for HTTPS interception (--pem, --fingerprint) |
| verify-trust [host] | Confirm the CA is correctly trusted for a provider host (default api.openai.com) |
| launch | Start an agent through Sentry's launch-time sandbox wrapper |
| status | Show daemon status and active processes |
| logs | Tail the audit log (-f to follow, -n 100 for lines) |
| version | Print version |
| help | Show usage |
Local API
When running, the daemon exposes a local HTTP API on 127.0.0.1:9191:
GET /api/v1/status — Daemon status
GET /api/v1/processes — Tagged agent processes
GET /api/v1/processes/:pid — Single process detail
GET /api/v1/decisions — Recent enforcement decisions
GET /api/v1/policy — Active policy
POST /api/v1/policy/reload — Force policy sync
GET /api/v1/approvals — Pending skill approvals
POST /api/v1/approve/:id — Approve a skill invocation
POST /api/v1/deny/:id — Deny a skill invocationHTTPS Interception & CA Trust
Sentry's LLM proxy inspects agent traffic by terminating TLS — a controlled man-in-the-middle. It runs a local Certificate Authority and mints a per-hostname leaf for each provider an agent contacts. Agents must trust this CA, or every intercepted HTTPS call fails with a TLS error. This is the one runtime prerequisite for HTTPS interception (enabled by default).
# Show the CA path, fingerprint, and OS-specific trust instructions
neuroshield-sentry ca
# Export the CA to distribute to agent hosts
neuroshield-sentry ca --pem > sentry-ca.pem
# Confirm trust is correctly wired (handshake through the live proxy)
neuroshield-sentry verify-trust api.openai.comTrust the exported CA per-process (least privilege) or system-wide:
| Runtime / OS | How to trust |
|---|---|
| Node.js | NODE_EXTRA_CA_CERTS=/path/sentry-ca.pem node agent.js |
| Python | export REQUESTS_CA_BUNDLE=/path/sentry-ca.pem SSL_CERT_FILE=/path/sentry-ca.pem |
| Go / curl | export SSL_CERT_FILE=/path/sentry-ca.pem |
| Debian/Ubuntu | cp sentry-ca.pem /usr/local/share/ca-certificates/neuroshield-sentry.crt && update-ca-certificates |
| RHEL/Fedora | cp sentry-ca.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust extract |
| macOS | security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain sentry-ca.pem |
| Windows | Import-Certificate -FilePath sentry-ca.pem -CertStoreLocation Cert:\LocalMachine\Root |
Note: Node.js ignores the system trust store — Node agents still need
NODE_EXTRA_CA_CERTSeven after a system-wide install. Full details, rotation, and certificate-pinning caveats are in TRUST.md. To inspect only plaintext traffic and skip CA setup entirely, setproxy.intercept_https: false.
Requirements
- Linux (kernel 5.4+ for cgroups v2, seccomp, Landlock) or macOS (Ventura+)
- Node.js >= 20
opensslon PATH — used to provision the CA and mint interception leaf certs- Systemd (Linux) or launchd (macOS) for service installation
- Root/sudo access for sandbox (cgroups, seccomp) and
/procscanning
Configuration
Config is at /etc/neuroshield/sentry.yaml. Key settings:
neurosec:
endpoint: "https://api.neurosec.ai"
org_id: "your-org-id"
token_path: /etc/neuroshield/sentry.token
enforcement:
mode: "monitor" # monitor | enforce | quarantineAll settings are also configurable via environment variables (NEUROSEC_ORG_ID, SENTRY_ENFORCEMENT_MODE, etc.)
Platform Backends
| Feature | Linux | macOS | |---------|-------|-------| | Cgroups CPU/memory limits | ✓ cgroups v2 | — | | Seccomp syscall filtering | ✓ BPF | — | | Landlock FS restrictions | ✓ kernel 5.13+ | — | | Seatbelt sandbox profile | — | ✓ sandbox-exec | | Endpoint Security monitor | — | ✓ ES framework | | Process discovery (/proc) | ✓ | limited | | Network monitoring | ✓ nftables/iptables | ✓ pf |
Kubernetes
Deploy as a DaemonSet for per-node enforcement:
kubectl apply -f https://raw.githubusercontent.com/neurosec-ai/neurosec/main/packages/sentry/k8s/daemonset.yaml