npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

mikoshi-sentinel

v1.0.1

Published

Deterministic action verification for LLM agent security

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

darrenedwards111darrenedwards111

Keywords

llmsecurityprompt-injectionagentverificationdeterministicpolicy

Readme

Prompt injection is unsolved because LLMs process instructions and data in the same channel. Sentinel solves this by verifying actions, not prompts — using deterministic code that can't be manipulated by clever input.

License: Apache 2.0 npm version

The Problem

Every current defence against prompt injection — input filtering, system prompt hardening, dual-LLM checking — is probabilistic. An LLM-based check can be fooled by the same techniques it's trying to detect, because it processes instructions and data in a shared context.

The Solution

Separate the decision from the enforcement. Let the LLM decide what to do. Let deterministic code decide whether it's allowed to do it.

Sentinel sits between the LLM and the tools. Every proposed action passes through a pipeline of deterministic policy checks (pure code, not prompts) before execution. Code doesn't hallucinate. Code can't be prompt-injected.

┌──────────┐     ┌──────────────┐     ┌──────────┐     ┌──────────┐
│   LLM    │────▶│   Sentinel   │────▶│ Verdict  │────▶│ Execute  │
│ (Propose)│     │  (Verify)    │     │ Allow/   │     │ (or      │
│          │     │              │     │ Block    │     │  Block)  │
└──────────┘     │ ┌──────────┐ │     └──────────┘     └──────────┘
                 │ │ Policies │ │
                 │ │ (Code)   │ │
                 │ ├──────────┤ │
                 │ │ Intent   │ │
                 │ │ Verifier │ │
                 │ ├──────────┤ │
                 │ │ Audit    │ │
                 │ │ Logger   │ │
                 │ └──────────┘ │
                 └──────────────┘

Quick Start

npm install mikoshi-sentinel
import { Sentinel } from 'mikoshi-sentinel';

const sentinel = new Sentinel();

// Verify an action before executing it
const verdict = await sentinel.verify({
  tool: 'exec',
  args: { command: 'rm -rf /' }
});

console.log(verdict.allowed);    // false
console.log(verdict.violations); // [{ policy: 'systemCommands', reason: '...', severity: 'critical' }]

How It Works

The Propose → Verify → Execute Pipeline

  1. Propose — The LLM decides on an action (tool call)
  2. Verify — Sentinel runs the action through deterministic policy checks
  3. Execute — Only if all policies pass does the action execute

Built-in Policies

| Policy | What it blocks | Severity | |--------|---------------|----------| | Privilege Escalation | sudo, admin routes, config modifications | Critical | | Data Exfiltration | Sending data to external URLs, webhook.site, ngrok | Critical | | Internal Access | localhost, private IPs, cloud metadata (SSRF) | Critical | | File Traversal | ../, ~/, null bytes, symlink attacks | Critical | | System Commands | rm -rf, curl|bash, reverse shells, fork bombs | Critical | | Intent Alignment | Prompt injection patterns, DAN mode, context shifts | Critical | | Rate Limiting | Rapid-fire tool calls, repeated identical actions | High | | Scope Enforcement | Tool whitelists, path restrictions, permission scoping | High |

Custom Policies

sentinel.addPolicy('noWeekends', (action, context) => {
  const day = new Date().getDay();
  if (day === 0 || day === 6) {
    return { pass: false, reason: 'No deployments on weekends', severity: 'medium' };
  }
  return { pass: true, reason: 'Weekday', severity: 'none' };
});

Express Middleware

import express from 'express';
import { Sentinel } from 'mikoshi-sentinel';

const app = express();
const sentinel = new Sentinel();

app.use('/api/tools', sentinel.middleware());

app.post('/api/tools', (req, res) => {
  // Only reaches here if Sentinel approved the action
  res.json({ status: 'executed', verdict: req.sentinelVerdict });
});

Intent Verification

Optional LLM-backed or heuristic intent checking:

const sentinel = new Sentinel({
  enableIntentVerification: true,
  llmFn: async (prompt) => await myLLM.complete(prompt), // Optional
});

const verdict = await sentinel.verify(action, {
  conversationHistory: messages // Recent conversation for context
});

console.log(verdict.intent); // { confidence: 0.95, aligned: true, method: 'heuristic' }

API

new Sentinel(config)

| Option | Type | Default | Description | |--------|------|---------|-------------| | useBuiltinPolicies | boolean | true | Load all 8 built-in policies | | enableIntentVerification | boolean | true | Enable intent alignment checking | | llmFn | function | null | Async LLM function for intent verification | | intentThreshold | number | 0.5 | Minimum intent confidence score | | audit | object | {} | Audit logger options | | scope | object | {} | Default scope restrictions |

sentinel.verify(action, context)

Returns:

{
  allowed: boolean,        // Final verdict
  confidence: number,      // 0.0 - 1.0
  violations: [{           // Policy violations (empty if allowed)
    policy: string,
    reason: string,
    severity: 'critical' | 'high' | 'medium' | 'low'
  }],
  intent: {                // Intent verification result (if enabled)
    confidence: number,
    aligned: boolean,
    method: 'heuristic' | 'llm',
    reason: string
  },
  elapsed: string          // Verification time
}

Performance

  • Policy checks: <5ms (deterministic function calls)
  • Intent verification (heuristic): ~2ms
  • Intent verification (LLM-backed): ~200ms
  • Overhead: Negligible for the security guarantee

Research Paper

The architecture and evaluation of Mikoshi Sentinel is described in our paper:

Mikoshi Sentinel: Deterministic Action Verification as a Defence Against Prompt Injection in LLM Agents — Mikoshi Research, 2025

See paper/mikoshi-sentinel.tex

Landing Page

🌐 mikoshi.co.uk/sentinel

License

Apache 2.0 — Built by Mikoshi Ltd

Contact

📧 [email protected]