Security scanning
Because every Claude Code request flows through the daemon, Sentinel can scan it in flight — before it reaches Anthropic, and again on the way back. The Security tab is where you review findings, tune detectors, and approve or deny held actions.

What it detects
Section titled “What it detects”- Secrets — API keys, tokens, and private keys (matched by shape and known prefixes).
- PII — personally identifiable information in prompts and tool payloads.
- Prompt injection — instructions embedded in tool results or fetched content that try to redirect the model.
- Risky tool use —
Bash,Write, andWebFetchcalls, with sub-command matching so you can be specific about what’s risky.
Enforcement modes
Section titled “Enforcement modes”Choose how aggressively Sentinel acts on findings in Settings → Security:
- Observe — record findings, don’t block anything.
- Block HIGH — block only high-severity findings.
- Block MEDIUM + HIGH — block medium- and high-severity findings.
The approve/deny hold
Section titled “The approve/deny hold”With Hold blocked requests for approval enabled, a blocked action doesn’t just fail — it pauses and surfaces a pending-block banner in the Security tab with Approve and Deny buttons and a countdown. This gives a single, auditable surface for risky actions (and one hook point for future remote-approval integrations like Slack). When a hold is waiting and you’re on another tab, the Security tab shows a red dot.
Detector tuning & allowlist
Section titled “Detector tuning & allowlist”- Detector tuning lets you adjust sensitivity per detector category.
- The allowlist suppresses known-safe matches (with a reason and who added it), so legitimate patterns stop generating noise.
Setup wizard
Section titled “Setup wizard”A first-run security setup wizard walks you through choosing an enforcement mode and the hold behavior so you don’t have to discover the settings yourself.

Related
Section titled “Related”- Permission rules — allow/deny/ask rules that push into Claude Code.
- Sandbox isolation — OS-level limits on files and network.
- Every finding is mirrored into the Alerts timeline and can fire an OS notification when it clears your configured severity threshold.