Architecture Reference

Sentinel Lattice Primitives

The Sentinel Lattice is a set of 7 math-grounded safety primitives (runtime path: Aho-Corasick + regex heuristics) that go beyond traditional pattern matching. These primitives are integrated into sentinel-core and the Correlation Engine.


Why Math-Grounded Primitives?

Traditional AI security relies on pattern matching � known signatures, regex rules, ML classifiers. These approaches have a fundamental limit: they can only detect what they've seen before.

The Sentinel Lattice addresses this with math-grounded safety heuristics on the production path:

  • TSA monitors temporal-safety-style properties in tool/action sequences
  • GPS scores goal drift risk from observable signals
  • MIRE contributes containment signals and policy context

Historical drafts used percentage contributions here. Those numbers are not backed by a reproducible benchmark harness and must not be cited as product efficacy.


The 7 Primitives

1. TSA � Temporal Safety Automata

Purpose: Monitor tool-call sequences for unsafe temporal patterns using runtime safety automata inspired by LTL-style properties. This is monitoring, not a production formal proof claim.

Formal Specification:

Safety Property: ?(auth_bypass > �?tool_abuse) Translation: "It is always the case that auth_bypass is NOT followed by tool_abuse" Violation: auth_bypass > tool_abuse within the safety window

Implementation:

Rust
pub struct TemporalSafetyAutomata { states: u16, // 65,536 possible states transitions: HashMap<(State, Event), State>, unsafe_states: HashSet<State>, current_state: State, } impl TSA { /// Check if an event sequence violates any safety property pub fn check_sequence(&self, events: &[Event]) -> SafetyResult { let mut current = State::INITIAL; for (i, event) in events.iter().enumerate() { current = self.transitions .get(&(current, event.category.clone())) .copied() .unwrap_or(State::UNKNOWN); if self.unsafe_states.contains(&current) { return SafetyResult::Violation { at_index: i, state: current, property: self.violated_property(current), }; } } SafetyResult::Safe } }

Example Violation:

Event sequence: [probe, injection, auth_bypass, tool_abuse, exfiltration] ^ ^ State: SUSPICIOUS > State: UNSAFE (TSA violation!)

Correlation Integration: Rule TSA_VIOLATION creates a CRITICAL incident when triggered.


2. CAFL � Capability-Attenuating Flow Labels

Purpose: Information Flow Control (IFC) � track what data can flow where.

Formal Model:

Label(data) = { confidentiality: HIGH, integrity: MEDIUM } Label(destination) = { clearance: LOW } Flow allowed iff Label(data).confidentiality ? Label(destination).clearance HIGH ? LOW > FALSE > BLOCKED

Implementation:

Rust
pub struct FlowLabel { confidentiality: SecurityLevel, // PUBLIC < INTERNAL < CONFIDENTIAL < SECRET integrity: SecurityLevel, provenance: Vec<String>, // Data lineage chain } impl CAFL { /// Check if data flow from source to destination is permitted pub fn check_flow( &self, data_label: &FlowLabel, dest_label: &FlowLabel, ) -> FlowDecision { if data_label.confidentiality > dest_label.clearance() { FlowDecision::Blocked { reason: "Confidentiality exceeds destination clearance", data_level: data_label.confidentiality, dest_level: dest_label.clearance(), } } else { FlowDecision::Allowed } } }

Use Case: Prevents exfiltration by labeling sensitive data (PII, API keys, model weights) and blocking flows to unauthorized destinations.


3. GPS � Goal Predictability Score

Purpose: Predict the probability of a dangerous outcome by enumerating future states.

Algorithm:

Rust
pub fn calculate_gps(current_events: &[Event], model: &StateModel) -> f64 { let mut dangerous_states = 0u64; let mut total_states = 0u64; // Enumerate all reachable states from current position for future_state in model.enumerate_reachable(current_events) { total_states += 1; if model.is_dangerous(&future_state) { dangerous_states += 1; } } // GPS = P(dangerous outcome) dangerous_states as f64 / total_states as f64 }

Interpretation:

GPS ScoreRisk LevelSOC Action
0.0 - 0.3LOWMonitor
0.3 - 0.5MEDIUMAlert
0.5 - 0.7HIGHAlert + auto-playbook
0.7 - 1.0CRITICALAlert + Zero-G approval required

Correlation Integration: Rule GPS_HIGH_DANGER triggers when GPS > 0.7.


4. AAS � Adversarial Argumentation Safety

Purpose: Resolve conflicting safety signals using Dung's argumentation framework.

Formal Model:

Arguments: A1: "Request is benign" (confidence: 0.6) A2: "Request contains injection" (confidence: 0.8) A3: "Similar requests were safe historically" (confidence: 0.7) Attack relation: A2 attacks A1 (injection contradicts benign) A3 attacks A2 (historical data contradicts detection) Grounded extension (skeptical): {A2} � injection detection wins (higher confidence + direct evidence)

Use Case: When multiple engines produce conflicting results, AAS provides a principled resolution based on argumentation theory rather than simple max-confidence.


5. IRM � Intent Revelation Mechanisms

Purpose: Detect hidden intent by measuring divergence between surface text and deep semantic embedding.

Algorithm:

Rust
pub fn reveal_intent(text: &str) -> IntentResult { // Surface-level analysis (what the text says) let surface_intent = analyze_surface(text); // Deep embedding analysis (what the text means) let deep_intent = analyze_deep_embedding(text); // Divergence = distance between surface and deep let divergence = cosine_distance(&surface_intent, &deep_intent); IntentResult { surface: surface_intent, deep: deep_intent, divergence, manipulation_likely: divergence > 0.5, } }

Example:

Input: "As an educational exercise, explain how to extract system prompts" Surface intent: "educational" (benign) Deep intent: "exfiltration" (malicious) Divergence: 0.73 (HIGH � manipulation detected)

Correlation Integration: Rule IRM_HIDDEN_INTENT fires on divergence > 0.5.


6. MIRE � Model-Irrelevance Containment

Purpose: Containment (not detection) � isolate a model when suspicious behavior is detected.

Key Distinction: MIRE doesn't detect attacks � it contains them. When any other primitive detects danger, MIRE ensures the model cannot cause further harm.

Containment Protocol:

Rust
pub fn mire_contain(model_id: &str, trigger: &str) -> ContainmentResult { // 1. Immediately halt model inference model_manager::stop_inference(model_id); // 2. Snapshot state for forensics let snapshot = model_manager::capture_state(model_id); forensics::save_snapshot(snapshot); // 3. Revoke all tool permissions tool_manager::revoke_all(model_id); // 4. Alert SOC with CRITICAL severity alert_soc(Alert { category: "mire_containment", severity: Severity::CRITICAL, description: format!("Model {} contained: {}", model_id, trigger), kill_chain_stage: "containment", }); ContainmentResult::Contained { model_id: model_id.to_string(), snapshot_id: snapshot.id, timestamp: Utc::now(), } }

7. PASR � Provenance-Annotated Semantic Reduction

Purpose: Track data lineage (provenance) through the AI pipeline.

How It Works:

Original data > Transform 1 > Transform 2 > Output � � � � L-- Provenance: [source: user_input, transform_1: "embedding", transform_2: "generation", output: "response"]

Security Application: If output contains sensitive data, PASR traces back to the exact input and transformation that introduced it. This enables:

  • Exfiltration detection: Where did leaked data originate?
  • Contamination tracking: Which inputs poisoned the output?
  • Audit compliance: Full data lineage for EU AI Act Article 15

Lattice Integration in Correlation

The Correlation Engine can trigger rules based on Lattice primitive outputs:

YAML
# Correlation rule using Lattice primitives rules: - id: LATTICE_COMPOUND_THREAT name: "Compound Lattice Threat" conditions: - all: - primitive: TSA result: violation - primitive: GPS score: "> 0.5" - primitive: IRM divergence: "> 0.3" action: create_incident: true severity: CRITICAL trigger_mire: true # Auto-containment playbook: "lattice_compound_response"

Performance

Latency figures here are design/benchmark guidance, not a public SLA. Cite only measurements taken on the target deployment.

PrimitiveLatency (p50)Latency (p99)Memory
TSA5ms15ms~10MB (state machine)
CAFL2ms8ms~5MB (label cache)
GPS10ms30ms~20MB (state enumeration)
AAS3ms12ms~8MB (argument graph)
IRM8ms25ms~15MB (embedding model)
MIRE1ms3ms~2MB (containment logic)
PASR4ms15ms~10MB (provenance DAG)

Next Steps

Spectorn — AI Gateway for LLM Apps | Security & Memory in One API