Back to Grip OS
Security wrapper for MCP servers
Grip Sentinel
Little Snitch for AI Agents
Grip OS's built-in security engine — "Little Snitch for AI agents." Grip Sentinel enforces policy rules, detects anomalies via EWMA, and maintains a SHA-256 hash-chained audit log. 1,080+ tests across the full security surface. Every MCP tool call in Grip OS is protected by Sentinel automatically.
dev.gripos.sentinel
SENTINELv1.0.0
alert mode
Policy Rules (4 active)
block_filesystem_write
*.write*142
allow_read_tmp
fs.read /tmp/*1203
block_env_access
process.env.*37
alert_network_calls
net.fetch *891
Audit Log (SHA-256 hash chain)
14:32:01fs.readFileALLOWa3f8c1...
14:32:03process.env.getDENY7b2e4d...
14:32:05net.fetchALERTe9d1f0...
Tests: 987 passing
Rules: 4 active
Chain: intact
What makes Grip Sentinel special
Security Modes
- silent-allow — log everything, allow all (monitoring/learning)
- alert — log + alert on risky calls (default)
- silent-deny — silently block risky calls
- lockdown — block all unrecognized calls
Threat Protection
- Prompt injection via tool calls
- Unauthorized file access prevention
- Credential exfiltration detection
- EWMA-based anomalous call pattern detection
- Automatic circuit breaker lockdown on sustained anomalies
Audit & Compliance
- SHA-256 hash-chained tamper-evident audit log
- Policy rule import/export (JSON)
- 1,080+ tests across the full security surface
Integration
- Built into Grip Station — no separate install required
- Configurable via Station's Mission Control panel
- CLI: init, status, mode, rules export/import