Skip to content

Settings reference

Settings live in ~/.sentinel/settings.json and are edited through the app’s Settings panel. This page documents the settings you’re most likely to touch, grouped by area, with their defaults.

The Settings panel

SettingDefaultWhat it does
launchAtLogintrueStart Sentinel automatically when you log in.
theme'system'UI theme: system, light, or dark.
autoUpdatefalseAutomatically install signed updates when available.
SettingDefaultWhat it does
switchingMode'off'off (manual) or auto (automatic switching). See Accounts.
poolExcludedIds[]Account IDs to keep out of the Auto pool.
SettingDefaultWhat it does
overageEnabledIds[]Accounts allowed to spend into overage.
budgetWeeklyUsdByAccount{}Per-account weekly overage cap (USD).
budgetWeeklyUsdGlobalnullGlobal weekly overage cap (USD).
overageBufferPct5Headroom percentage before a cap pauses an account.
overageOsNotifytrueFire an OS notification on overage transitions.
SettingDefaultWhat it does
securityScanEnabledtrueMaster switch for in-flight scanning.
securityEnforcementModenullnull (observe), block HIGH, or block MEDIUM+HIGH.
securityScanSecretstrueDetect API keys, tokens, and private keys.
securityScanInjectionfalseDetect prompt injection in tool results / fetched content.
securityScanToolUsetrueFlag risky Bash / Write / WebFetch calls.
securityApproveHoldSec60Seconds a held action waits for approve/deny before timing out.
securityOsNotifyThreshold'high'Minimum severity that fires an OS notification.
claudeCodeSyncEnabledfalseKeep permission rules in sync with ~/.claude/settings.json.
toolPermissionsEnabledfalseEnforce permission rules.

isolationPolicy is an object (default disabled) controlling OS-level isolation:

FieldWhat it does
enabledTurn the sandbox on.
syncToClaudeCodeMirror the policy into Claude Code’s sandbox config.
network.allowedDomains / deniedDomainsNetwork destinations commands may / may not reach.
filesystem.allowRead / allowWrite / denyRead / denyWritePath access rules.

See Sandbox isolation.

SettingDefaultWhat it does
compressionEnabledfalseTrim oversized tool_result payloads.
compressionLevel'conservative'conservative, moderate, or aggressive.
compressionRetrievalEnabledfalseKeep originals retrievable via mcp__sentinel__retrieve.
codeModeEnabledfalseBridge MCP servers through the loopback endpoint.
SettingDefaultWhat it does
alertSoundName'Glass'Sound played for alerts.
telemetryRetentionDays30How long OTel telemetry is kept.
securityEventRetentionDays30How long security findings are kept.
dataRetentionDays365General data retention.
requestLoggingEnabledfalseCapture request logs (advanced/debugging).
logLevel'info'Daemon log verbosity.