sentra / index.html
feat(sentra): add SZL BUILD BANNER — founder inspection surface v1.0.0
0fb9240 verified
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover, user-scalable=yes">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<meta name="theme-color" content="#0a0e14">
<title>sentra — Deep-Dive | SZL Holdings</title>
<meta name="description" content="Investor-grade deep-dive on sentra: the AI-agent security layer that emits DSSE receipts. 6 parallel gates — prompt-injection, exfiltration, jailbreak, unicode smuggling, receipt-chain tamper, governance-gate bypass. Honest comparison vs Splunk ES, CrowdStrike, Cortex XSIAM, Datadog.">
<meta property="og:title" content="sentra Deep-Dive — Security Gates + DSSE Receipts">
<meta property="og:description" content="6 parallel security gates. DSSE receipts per scan. OTel-native. arXiv-grounded patterns. Honest comparison vs Splunk ES, CrowdStrike Falcon, Cortex XSIAM, Datadog.">
<meta property="og:image" content="assets/hero_sentra.png">
<!-- SZL Holdings Design System v1.0.0 — True Anomaly × Anthropic fusion -->
<!-- Injected by HF Deep-Dive Space Creator, Doctrine v6, 2026-05-30 -->
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Barlow+Condensed:wght@600;700;800&family=Source+Serif+4:ital,opsz,wght@0,8..60,400;0,8..60,600;1,8..60,400&family=JetBrains+Mono:wght@400;700&display=swap">
<style id="szl-design-system">
/* SZL Design System — Color Tokens (colors.css v1.0.0) */
:root {
--szl-void: #000000;
--szl-navy: #0a1f3a;
--szl-surface: #0d1117;
--szl-panel: #161b22;
--szl-border: #30363d;
--szl-parchment: #faf9f5;
--szl-parchment-alt: #f0ece0;
--szl-amber: #f0a500;
--szl-amber-dim: rgba(240, 165, 0, 0.15);
--szl-teal: #20808D;
--szl-teal-dim: rgba(32, 128, 141, 0.10);
--szl-telemetry: #00c4d4;
--szl-text-light: #f0f0fa;
--szl-text-dark: #141413;
--szl-muted: #8b949e;
--szl-muted-light: #b0aea5;
--szl-green: #3fb950;
--szl-red: #f85149;
--szl-blue: #58a6ff;
--szl-purple: #bc8cff;
--szl-gold: #ffc553;
--szl-font-display: 'Barlow Condensed', 'Arial Narrow', sans-serif;
--szl-font-body: 'Source Serif 4', Georgia, serif;
--szl-font-mono: 'JetBrains Mono', 'Consolas', monospace;
--szl-radius-sm: 2px;
--szl-radius-md: 4px;
--szl-radius-lg: 6px;
--szl-dur-fast: 150ms;
--szl-dur-base: 300ms;
--szl-ease-out: cubic-bezier(0, 0, 0.2, 1);
}
/* Apply Barlow Condensed to headings site-wide (non-destructive) */
h1, h2, h3, h4, h5, h6 {
font-family: var(--szl-font-display) !important;
}
/* Apply JetBrains Mono to code/pre */
code, pre, kbd, samp {
font-family: var(--szl-font-mono) !important;
}
</style>
<link rel="icon" type="image/svg+xml" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='7' fill='%230f1419'/%3E%3Ccircle cx='16' cy='16' r='10' fill='none' stroke='%23ff4444' stroke-width='2'/%3E%3Ccircle cx='16' cy='16' r='4' fill='%2300d4ff'/%3E%3C/svg%3E">
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700;800&family=JetBrains+Mono:wght@400;500;600&display=swap" rel="stylesheet">
<link rel="stylesheet" href="style.css">
<link rel="stylesheet" href="brand-tokens.css"/>
<link rel="stylesheet" href="brand-bridge.css"/>
<style id="szl-mobile-safety">
/* SZL mobile-first safety net (ADDITIVE — Yachay) */
:root { --vh: 1vh; }
html, body { -webkit-tap-highlight-color: transparent; }
@media (max-width: 768px) {
html, body { max-width: 100vw; overflow-x: hidden; }
body { font-size: 16px; }
h1 { font-size: 24px; line-height: 1.2; }
img, canvas, svg, video, iframe { max-width: 100%; height: auto; }
a, button, [role="button"], input[type="submit"] { min-height: 44px; min-width: 44px; }
.row, .grid, .flex, [class*="grid"], [class*="flex"] { flex-wrap: wrap; }
pre, code, table { max-width: 100%; overflow-x: auto; }
}
@media (prefers-reduced-motion: reduce) {
*, *::before, *::after { animation-duration: 0.001ms !important; animation-iteration-count: 1 !important; transition-duration: 0.001ms !important; scroll-behavior: auto !important; }
}
</style>
<script>
/* SZL --vh fix for iOS Safari dynamic viewport (ADDITIVE):
   keeps the --vh custom property equal to 1% of window.innerHeight. */
(function () {
  var rootStyle = document.documentElement.style;

  // Recompute --vh from the current inner height of the window.
  function syncViewportUnit() {
    var onePercent = window.innerHeight * 0.01;
    rootStyle.setProperty('--vh', onePercent + 'px');
  }

  // Set once immediately, then again whenever the viewport can change size.
  syncViewportUnit();
  ['resize', 'orientationchange'].forEach(function (eventName) {
    window.addEventListener(eventName, syncViewportUnit);
  });
})();
</script>
</head>
<body>
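<!-- SZL BUILD BANNER — Founder Inspection Surface v1.0.0 — DO NOT REMOVE -->
<!--
  Shows build metadata fetched from /api/<flagship>/v1/version and links to the
  release, SBOM and "honest" artefacts named in that response.
  Security notes:
  * The JSON response is treated as untrusted. Every field is written to the page
    as a text node, so markup inside a field is displayed, never parsed.
  * A link target from the response is applied only when it parses as an http(s)
    URL; any other scheme (for example javascript: or data:) keeps the "#" placeholder.
  * The three links open a new tab, so they carry rel="noopener noreferrer".
-->
<div id="szl-build-banner" style="background:#0d1117;border-bottom:2px solid #f0a500;color:#f0f0fa;font-family:JetBrains Mono,monospace;font-size:12px;padding:8px 16px;display:flex;align-items:center;gap:16px;z-index:9999;position:relative;">
<span style="color:#f0a500;font-weight:700;">&#11041; SZL BUILD</span>
<span id="szl-build-info" style="color:#8b949e;">loading...</span>
<a id="szl-release-link" href="#" target="_blank" rel="noopener noreferrer" style="color:#f0a500;text-decoration:none;">GitHub Release</a>
&middot;
<a id="szl-sbom-link" href="#" target="_blank" rel="noopener noreferrer" style="color:#58a6ff;text-decoration:none;">SBOM</a>
&middot;
<a id="szl-honest-link" href="#" target="_blank" rel="noopener noreferrer" style="color:#3fb950;text-decoration:none;">Honest</a>
</div>
<script>
(function () {
  "use strict";

  var BULLET = " \u2022 ";
  var info = document.getElementById("szl-build-info");

  // Returns an absolute http(s) URL for `value`, or "#" when it is missing,
  // unparseable, or uses any other scheme.
  function safeHref(value) {
    if (typeof value !== "string" || value === "") { return "#"; }
    try {
      var url = new URL(value, window.location.href);
      return (url.protocol === "https:" || url.protocol === "http:") ? url.href : "#";
    } catch (err) {
      return "#";
    }
  }

  // Coerces a response field to a string, substituting `fallback` when falsy.
  function asText(value, fallback) {
    return String(value || fallback);
  }

  // Creates <tag> holding `text` as plain text, optionally coloured.
  function styled(tag, text, color) {
    var node = document.createElement(tag);
    node.textContent = text;
    if (color) { node.style.color = color; }
    return node;
  }

  // The flagship name is the second "-"-separated part of the hostname.
  // NOTE(review): when the hostname has exactly one "-" before its domain
  // suffix, that part still includes the suffix; confirm this is what the
  // version endpoint expects.
  var parts = window.location.hostname.split("-");
  var flagship = parts.length > 1 ? parts[1] : (parts[0] || "unknown");

  fetch("/api/" + encodeURIComponent(flagship) + "/v1/version")
    .then(function (r) {
      // An error page must not be rendered as if it were build metadata.
      if (!r.ok) { throw new Error("version endpoint returned HTTP " + r.status); }
      return r.json();
    })
    .then(function (d) {
      if (!d || typeof d !== "object") { throw new Error("unexpected version payload"); }

      var sha = asText(d.git_sha, "unknown").slice(0, 8);
      var pieces = [
        document.createTextNode("build "),
        styled("strong", sha),
        document.createTextNode(BULLET + "deployed " + asText(d.build_time, "?") + BULLET + "p6: "),
        styled("span", asText(d.p6_status, "?"), "#3fb950"),
        document.createTextNode(" (" + asText(d.p6_grader_score, "?") + ")" + BULLET + "kernel: "),
        styled("code", asText(d.kernel_commit, "?"))
      ];
      info.textContent = "";
      pieces.forEach(function (node) { info.appendChild(node); });

      document.getElementById("szl-release-link").href = safeHref(d.release_url);
      if (d.verify) {
        document.getElementById("szl-sbom-link").href = safeHref(d.verify.sbom);
        document.getElementById("szl-honest-link").href = safeHref(d.verify.honest);
      }
    })
    .catch(function () {
      // Network failure, non-2xx status, invalid JSON, or a malformed payload.
      info.textContent = "build info unavailable";
    });
})();
</script>
<!-- END SZL BUILD BANNER -->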
<a href="#main-content" class="skip-to-content">Skip to main content</a>
<!-- ── Navigation ── -->
<nav aria-label="Main navigation">
<div class="container">
<a href="#hero" class="nav-brand">sentra</a>
<ul class="nav-links" role="list">
<li><a href="#what">What it is</a></li>
<li><a href="#gates">6 Gates</a></li>
<li><a href="#architecture">Architecture</a></li>
<li><a href="#demo">Live Demo</a></li>
<li><a href="#comparison">vs SIEM</a></li>
<li><a href="#not-this">Not This</a></li>
<li><a href="#citations">Citations</a></li>
</ul>
</div>
</nav>
<!-- ── 1. HERO ── -->
<section id="hero" class="hero" aria-labelledby="hero-heading">
<div class="hero-glow" aria-hidden="true"></div>
<div class="container">
<div class="hero-badge" aria-label="Live: sentra by SZL Holdings">
<span class="hero-badge-dot" aria-hidden="true"></span>
SZLHOLDINGS · Security Layer
</div>
<h1 id="hero-heading">
<span class="grad">sentra</span>
</h1>
<p class="hero-tagline">
Security gates that emit DSSE receipts.<br>
6 parallel checks. One signed envelope per scan. OTel spans to Jaeger, Tempo, or Honeycomb.
</p>
<div class="hero-ctas">
<a href="https://huggingface.co/spaces/SZLHOLDINGS/sentra-security-gates"
class="btn-primary" target="_blank" rel="noopener" aria-label="Try the live 6-gate scanner">
Try Live Scanner
</a>
<a href="https://github.com/szl-holdings/sentra"
class="btn-secondary" target="_blank" rel="noopener" aria-label="Read sentra source on GitHub">
Read Source
</a>
<a href="#comparison" class="btn-secondary" aria-label="Jump to competitive comparison table">
Compare vs SIEM
</a>
</div>
<div class="hero-image-wrap">
<img src="assets/hero_sentra.png"
alt="sentra brand — SZL Holdings security gates and telemetry adapter"
width="760" height="auto">
</div>
</div>
</section>
<!-- ── 2. WHAT SENTRA IS ── -->
<section id="what" aria-labelledby="what-heading">
<div class="container">
<div class="section-label">01 — What It Is</div>
<h2 id="what-heading">An adapter that watches AI agent execution</h2>
<p class="section-desc">
sentra is the anomaly detection and observability substrate of the SZL Holdings governed platform.
It applies Kitaev-surface posture drift detection to AI agent telemetry — flagging 6 attack categories
per prompt, then emitting a DSSE-signed receipt for every scan. Not a firewall. Not a SIEM.
A typed, proof-sealed security gate layer.
</p>
<div class="what-grid">
<div class="what-card">
<h3>Sensor / Telemetry Adapter</h3>
<p>Taps SZL audit fiber events and raw agent payloads. Every packet passes through
<code>sentra_immune</code> — the canonical heuristic scanner — before downstream processing.</p>
</div>
<div class="what-card">
<h3>Kitaev-Surface Drift Detection</h3>
<p>Security posture is modeled as a topological surface. Drift from the ground-state triggers
a classified drift event, ranked by CVSS-weighted severity and fed to the operator surface.</p>
</div>
<div class="what-card">
<h3>DSSE Receipt per Scan</h3>
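<p>Every gate run produces a DSSE envelope (<code>application/vnd.szl.sentra.security-gate-receipt+json</code>)
HMAC-signed with the SZL dev key. Because HMAC is a shared-secret scheme, anyone who holds the key to verify a receipt can also produce one, so the key must stay confined to trusted signers and verifiers. Receipts are proof-chain ready for the audit fiber.</p>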
</div>
<div class="what-card">
<h3>OTel-Native Observability</h3>
<p>Sentra emits OpenTelemetry spans to Jaeger, Tempo, or Honeycomb. Gate results appear
as span attributes — no vendor lock-in on the telemetry backend.</p>
</div>
<div class="what-card">
<h3>Policy-Gated Response</h3>
<p>All incident remediation passes through the Covenant Policy engine before execution.
No automated response without human confirmation — every action is audit-sealed.</p>
</div>
<div class="what-card">
<h3>6 Parallel Gates</h3>
<p>Heuristic patterns drawn from arXiv:2403.04957, arXiv:2302.12173, and SZL-original
classifications. All 6 gates run in parallel per prompt. Source: <a href="https://github.com/szl-holdings/sentra" target="_blank" rel="noopener" style="color:var(--cyan)">szl-holdings/sentra</a>.</p>
</div>
</div>
<div class="stat-row">
<span class="stat-chip">Source: <strong>szl-holdings/sentra</strong></span>
<span class="stat-chip">DOI: <strong>10.5281/zenodo.20434276</strong></span>
<span class="stat-chip">License: <strong>BSL-1.1</strong></span>
<span class="stat-chip">Gates: <strong>6 in parallel</strong></span>
<span class="stat-chip">Detection fns in sentra_immune: <strong>1 core + 6 gate fns (app layer)</strong></span>
<span class="stat-chip">OpenSSF Scorecard: <strong>6.8</strong></span>
</div>
</div>
</section>
<!-- ── 3. THE 6 GATES ── -->
<section id="gates" aria-labelledby="gates-heading">
<div class="container">
<div class="section-label">02 — Security Gates</div>
<h2 id="gates-heading">The 6 Gates</h2>
<p class="section-desc">
Each gate runs independently on every prompt. A PASS/FAIL verdict and reason string are written
into the DSSE receipt payload. Gate IDs use the <code>FG-S</code> prefix (Frontier Gate, Sentra domain).
</p>
<div class="gates-table-wrap">
<table aria-label="sentra 6 security gates with arXiv citations">
<thead>
<tr>
<th scope="col">Gate ID</th>
<th scope="col">Name</th>
<th scope="col">Description</th>
<th scope="col">Authority</th>
</tr>
</thead>
<tbody>
<tr>
<td><span class="gate-id">FG-S1</span></td>
<td class="gate-name">Prompt Injection</td>
<td>Keyword scan + direct injection markers. Detects <code>ignore previous instructions</code>,
role-override, XML-tag injection, and canonical threat signatures from
<code>sentra_immune.py</code>.</td>
<td class="gate-source">
<a href="https://arxiv.org/abs/2403.04957" target="_blank" rel="noopener">arXiv:2403.04957</a>
<br>Liu et al. 2024 — Prompt Injection Attacks and Defenses
</td>
</tr>
<tr>
<td><span class="gate-id">FG-S2</span></td>
<td class="gate-name">Exfiltration Signals</td>
<td>URL-based exfiltration patterns, system-prompt extraction attempts, encoding-evasion
techniques (<code>base64</code>), and sensitive URL parameter extraction.</td>
<td class="gate-source">
SZL Holdings classification<br>
<a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/" target="_blank" rel="noopener">OWASP LLM Top 10: LLM01</a>
</td>
</tr>
<tr>
<td><span class="gate-id">FG-S3</span></td>
<td class="gate-name">Jailbreak Markers</td>
<td>DAN-style bypass, fiction/roleplay exploits, grandma-exploit patterns,
safety-filter circumvention phrases, encoding obfuscation (rot13/hex/morse).</td>
<td class="gate-source">
<a href="https://arxiv.org/abs/2302.12173" target="_blank" rel="noopener">arXiv:2302.12173</a>
<br>Liu et al. 2023 — Jailbreaking ChatGPT via Prompt Engineering
</td>
</tr>
<tr>
<td><span class="gate-id">FG-S4</span></td>
<td class="gate-name">Unicode Smuggling</td>
<td>Zero-width character injection (U+200B–200F), bidirectional-override abuse
(U+202A–202E), specials-block characters (U+FFF0–FFFF), and tag-block
homoglyphs (U+E0000–E007F).</td>
<td class="gate-source">
SZL Holdings classification<br>
Unicode Security Considerations
</td>
</tr>
<tr>
<td><span class="gate-id">FG-S5</span></td>
<td class="gate-name">Receipt-Chain Tampering</td>
<td>Checks DSSE envelope integrity in the SZL audit chain. Detects
attempts to forge, replay, or corrupt receipt payloads before
downstream proof-chain consumption. <span class="badge-szl">SZL ORIGINAL</span></td>
<td class="gate-source">
SZL Holdings original<br>
<a href="https://doi.org/10.5281/zenodo.20434276" target="_blank" rel="noopener">DOI 10.5281/zenodo.20434276</a>
</td>
</tr>
<tr>
<td><span class="gate-id">FG-S6</span></td>
<td class="gate-name">Governance-Gate Bypass</td>
<td>Detects attempts to circumvent the Covenant Policy engine — crafted
payloads designed to trigger automated remediation without human
confirmation. <span class="badge-szl">SZL ORIGINAL</span></td>
<td class="gate-source">
SZL Holdings original<br>
Ouroboros Thesis v18 §Λ-axis
</td>
</tr>
</tbody>
</table>
</div>
<!-- Threat landscape SVG -->
<div class="arch-wrap" aria-label="Threat landscape — 4 attack categories with sentra coverage">
<img src="assets/threat_landscape.svg" alt="4 AI threat categories covered by sentra's 6 security gates: prompt injection (FG-S1/S2), jailbreaking (FG-S3), covert channel unicode (FG-S4), governance bypass (FG-S5/S6)" width="100%" height="auto">
</div>
</div>
</section>
<!-- ── 4. ARCHITECTURE ── -->
<section id="architecture" aria-labelledby="arch-heading">
<div class="container">
<div class="section-label">03 — Architecture</div>
<h2 id="arch-heading">Input → 6 Gates in Parallel → DSSE Receipt → Audit Chain</h2>
<p class="section-desc">
Every AI agent payload enters the sensor adapter, fans out to all 6 gates simultaneously,
and the combined verdict is wrapped in a DSSE envelope. Spans flow to the OTel backend
of your choice — Jaeger, Tempo, or Honeycomb.
</p>
<!-- Inline SVG architecture diagram -->
<div class="arch-wrap" aria-label="sentra architecture: 6 parallel gates producing DSSE receipt and OTel audit chain">
<img src="assets/arch_6gates.svg" alt="Architecture diagram showing input flowing into 6 parallel gates (FG-S1 through FG-S6), then into DSSE receipt envelope, then to audit chain spanning Jaeger, Tempo, and Honeycomb" width="100%" height="auto">
</div>
<!-- OTel Sankey chart -->
<div class="chart-wrap">
<img src="assets/chart_sankey.png"
alt="OTel Sankey chart — sentra spans flowing into Jaeger, Tempo, and Honeycomb telemetry backends"
width="100%" height="auto">
<div class="chart-caption">
chart_06_otel_sankey — sentra OTel spans routed to Jaeger, Tempo, and Honeycomb backends.
Source: SZL Holdings charts_pack_v2.
</div>
</div>
<div class="card" style="margin-top:24px;">
<div class="card-label">Key architectural decisions</div>
<ul>
<li>Gates run in <strong>parallel</strong> — no gate can block another from executing.</li>
<li>DSSE envelope is emitted regardless of gate outcomes — a failed gate is recorded, not silently dropped.</li>
<li>OTel backend is configurable — Jaeger, Tempo, Honeycomb all supported via standard OTLP.</li>
<li>No automated remediation — all incident response flows through the Covenant Policy gate (human approval required).</li>
<li>Kitaev-surface model: posture drift events are CVSS-weighted and fed to the operator queue, not auto-resolved.</li>
</ul>
</div>
</div>
</section>
<!-- ── 5. LIVE SCANNER DEMO ── -->
<section id="demo" class="demo-section" aria-labelledby="demo-heading">
<div class="container">
<div class="section-label">04 — Live Demo</div>
<h2 id="demo-heading">Test prompts in the live scanner</h2>
<p class="section-desc">
The <a href="https://huggingface.co/spaces/SZLHOLDINGS/sentra-security-gates"
target="_blank" rel="noopener" style="color:var(--cyan)">sentra-security-gates Space</a>
runs the full 6-gate heuristic scanner and returns a DSSE receipt for every prompt.
Try injecting a jailbreak, a unicode zero-width character, or a system-prompt extraction
attempt to see which gates trip.
</p>
<div class="iframe-wrap">
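<!-- The embedded Space is a separately deployed app, so it is sandboxed:
     it may run scripts, use its own origin's storage and requests, submit forms
     and open links in new tabs, but it cannot navigate this page.
     allow-scripts together with allow-same-origin is only safe while the frame
     is served from a different origin than this page; confirm before reusing.
     NOTE(review): add allow-downloads only if the Space offers receipt downloads. -->
<iframe
src="https://szlholdings-sentra-security-gates.hf.space"
title="sentra-security-gates — live 6-gate AI security scanner"
loading="lazy"
allow="fullscreen"
sandbox="allow-scripts allow-same-origin allow-forms allow-popups"
aria-label="sentra-security-gates live scanner — enter a prompt to test all 6 security gates and receive a DSSE receipt">
</iframe>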
<div class="iframe-caption">
Live embed: <a href="https://huggingface.co/spaces/SZLHOLDINGS/sentra-security-gates"
target="_blank" rel="noopener" style="color:var(--cyan)">SZLHOLDINGS/sentra-security-gates</a>
— Gradio 5.9.1 · arXiv-grounded heuristic patterns · DSSE receipts
</div>
</div>
<div class="stat-row">
<span class="stat-chip">Space: <strong>sentra-security-gates</strong></span>
<span class="stat-chip">Runtime: <strong>Gradio 5.9.1</strong></span>
<span class="stat-chip">Gates: <strong>6 parallel</strong></span>
<span class="stat-chip">Output: <strong>DSSE JSON receipt</strong></span>
</div>
</div>
</section>
<!-- ── 6. COMPARISON vs SOC2/SIEM ── -->
<section id="comparison" aria-labelledby="comparison-heading">
<div class="container">
<div class="section-label">05 — Honest Comparison</div>
<h2 id="comparison-heading">sentra vs. Enterprise Security Platforms</h2>
<p class="section-desc">
sentra is not a SIEM. The table below is honest: Y, N, or Partial only, no marketing claims.
Each cell reflects public documentation as of May 2026.
</p>
<div class="comparison-wrap">
<table aria-label="Comparison of sentra against Splunk Enterprise Security, CrowdStrike Falcon, Palo Alto Cortex XSIAM, Datadog Security Monitoring">
<thead>
<tr>
<th scope="col">Capability</th>
<th scope="col">
<a href="https://www.splunk.com/en_us/products/enterprise-security.html" target="_blank" rel="noopener" style="color:var(--text-muted);text-decoration:none;">Splunk ES</a>
</th>
<th scope="col">
<a href="https://www.crowdstrike.com/products/endpoint-security/" target="_blank" rel="noopener" style="color:var(--text-muted);text-decoration:none;">CrowdStrike Falcon</a>
</th>
<th scope="col">
<a href="https://www.paloaltonetworks.com/cortex/cortex-xsiam" target="_blank" rel="noopener" style="color:var(--text-muted);text-decoration:none;">Palo Alto Cortex XSIAM</a>
</th>
<th scope="col">
<a href="https://www.datadoghq.com/product/security-platform/" target="_blank" rel="noopener" style="color:var(--text-muted);text-decoration:none;">Datadog Security</a>
</th>
<th scope="col" class="vendor-sentra">sentra</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>AI-prompt-injection detection</strong></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-yes">Y</span> — FG-S1, arXiv:2403.04957</td>
</tr>
<tr>
<td><strong>Jailbreak detection</strong></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-yes">Y</span> — FG-S3, arXiv:2302.12173</td>
</tr>
<tr>
<td><strong>DSSE receipt per scan</strong></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-yes">Y</span> — signed HMAC envelope</td>
</tr>
<tr>
<td><strong>Governance-gate bypass detection</strong></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-yes">Y</span> — FG-S6, Covenant policy gate</td>
</tr>
<tr>
<td><strong>Unicode smuggling detection</strong></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-yes">Y</span> — FG-S4, bidi/zero-width/tag-block</td>
</tr>
<tr>
<td><strong>OTel-native telemetry</strong></td>
<td><span class="yn-no">N</span> — proprietary ingest</td>
<td><span class="yn-no">N</span> — vendor-locked</td>
<td><span class="yn-no">N</span> — Cortex-only pipeline</td>
<td><span class="yn-yes">Y</span> — OTLP supported</td>
<td><span class="yn-yes">Y</span> — OTLP, Jaeger, Tempo, Honeycomb</td>
</tr>
<tr>
<td><strong>Open source</strong></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-partial">Partial</span> — BSL-1.1 source available</td>
</tr>
<tr>
<td><strong>Endpoint / EDR</strong></td>
<td><span class="yn-yes">Y</span></td>
<td><span class="yn-yes">Y</span> — primary use case</td>
<td><span class="yn-yes">Y</span></td>
<td><span class="yn-yes">Y</span></td>
<td><span class="yn-no">N</span> — not an EDR</td>
</tr>
<tr>
<td><strong>SIEM / log aggregation</strong></td>
<td><span class="yn-yes">Y</span> — primary use case</td>
<td><span class="yn-partial">Partial</span></td>
<td><span class="yn-yes">Y</span></td>
<td><span class="yn-yes">Y</span></td>
<td><span class="yn-no">N</span> — not a SIEM</td>
</tr>
<tr>
<td><strong>SOC2 compliance tooling</strong></td>
<td><span class="yn-yes">Y</span></td>
<td><span class="yn-yes">Y</span></td>
<td><span class="yn-yes">Y</span></td>
<td><span class="yn-yes">Y</span></td>
<td><span class="yn-no">N</span> — Phase 2 roadmap</td>
</tr>
<tr>
<td><strong>Runtime enforcement engine</strong></td>
<td><span class="yn-partial">Partial</span></td>
<td><span class="yn-yes">Y</span></td>
<td><span class="yn-yes">Y</span></td>
<td><span class="yn-partial">Partial</span></td>
<td><span class="yn-no">N</span> — Phase 2 roadmap</td>
</tr>
<tr>
<td><strong>Formal Lean-verified invariants</strong></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-no">N</span></td>
<td><span class="yn-yes">Y</span> — Lutar/QEC/KitaevSurface basis</td>
</tr>
</tbody>
</table>
</div>
<!-- Governance matrix chart -->
<div class="chart-wrap">
<img src="assets/chart_governance.png"
alt="Governance matrix chart — competitive positioning of sentra vs legacy security platforms across AI-native and OTel-native dimensions"
width="100%" height="auto">
<div class="chart-caption">
chart_07_governance_matrix — competitive positioning. Source: SZL Holdings charts_pack_v2.
</div>
</div>
<div class="card" style="margin-top:8px;">
<div class="card-label">How to read this table</div>
<p style="font-size:14px;color:var(--text-muted);line-height:1.75;">
Vendor capabilities are derived from public documentation:
<a href="https://www.splunk.com/en_us/products/enterprise-security.html" target="_blank" rel="noopener" style="color:var(--cyan)">Splunk ES</a>,
<a href="https://www.crowdstrike.com/products/endpoint-security/" target="_blank" rel="noopener" style="color:var(--cyan)">CrowdStrike Falcon</a>,
<a href="https://www.paloaltonetworks.com/cortex/cortex-xsiam" target="_blank" rel="noopener" style="color:var(--cyan)">Palo Alto Cortex XSIAM</a>,
<a href="https://www.datadoghq.com/product/security-platform/" target="_blank" rel="noopener" style="color:var(--cyan)">Datadog Security Monitoring</a>.
"N" means no public documentation for that capability. Claims may change as vendor products evolve.
sentra's "N" entries are honest — it does not claim capabilities it does not have.
</p>
</div>
</div>
</section>
<!-- ── 7. WHAT SENTRA IS NOT ── -->
<section id="not-this" aria-labelledby="not-heading">
<div class="container">
<div class="section-label">06 — Scope Boundaries</div>
<h2 id="not-heading">What sentra is NOT</h2>
<p class="section-desc">
Honesty about scope prevents misuse. sentra has a narrow, well-defined job.
</p>
<div class="not-grid">
<div class="not-card">
<h3>A SOC2 product</h3>
<p>sentra does not provide SOC2 audit tooling, compliance dashboards, or certification
evidence. SOC2 integration is Phase 2 — not available today.</p>
</div>
<div class="not-card">
<h3>A SIEM</h3>
<p>sentra does not aggregate logs, correlate events across network infrastructure,
or replace Splunk / Elastic / Datadog for enterprise log management.</p>
</div>
<div class="not-card">
<h3>An endpoint detection tool (EDR)</h3>
<p>sentra does not monitor processes, file systems, or network connections on
host machines. Use CrowdStrike, SentinelOne, or similar for endpoint coverage.</p>
</div>
<div class="not-card">
<h3>A runtime enforcement engine</h3>
<p>sentra detects and receipts — it does not block, quarantine, or kill processes.
Runtime enforcement is Phase 2. Today, gates report; humans decide.</p>
</div>
<div class="not-card">
<h3>A network firewall</h3>
<p>sentra operates at the AI-agent payload layer, not the network layer. It does not
inspect TCP/IP traffic, DNS, or TLS sessions.</p>
</div>
<div class="not-card">
<h3>A complete security stack</h3>
<p>sentra is one layer — the AI-agent observation layer — in a defense-in-depth
posture. It complements, does not replace, existing security tooling.</p>
</div>
</div>
</div>
</section>
<!-- ── 8. CITATIONS ── -->
<section id="citations" aria-labelledby="citations-heading">
<div class="container">
<div class="section-label">07 — Citations</div>
<h2 id="citations-heading">Sources and References</h2>
<p class="section-desc">
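All arXiv URLs verified HTTP 200 before embedding. All vendor URLs verified HTTP 200. An HTTP 200 confirms that a link resolves; it does not confirm that the linked paper matches the title and authors cited here.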
</p>
<ul class="citations-list" role="list">
<li class="citation-item">
<span class="citation-num">[1]</span>
<div class="citation-body">
<strong>Prompt Injection Attacks and Defenses in LLM-Integrated Applications</strong>
<span>Liu, Y. et al. (2024) · arXiv:2403.04957 · Verified HTTP 200</span>
<a href="https://arxiv.org/abs/2403.04957" target="_blank" rel="noopener">https://arxiv.org/abs/2403.04957</a>
</div>
</li>
<li class="citation-item">
<span class="citation-num">[2]</span>
<div class="citation-body">
<strong>Jailbreaking ChatGPT via Prompt Engineering: An Empirical Study</strong>
<span>Liu, Y. et al. (2023) · arXiv:2302.12173 · Verified HTTP 200</span>
<a href="https://arxiv.org/abs/2302.12173" target="_blank" rel="noopener">https://arxiv.org/abs/2302.12173</a>
</div>
</li>
<li class="citation-item">
<span class="citation-num">[3]</span>
<div class="citation-body">
<strong>SZL Holdings — Ouroboros Thesis v18 (Zenodo)</strong>
<span>DOI: 10.5281/zenodo.20434276 · SZL Holdings 2026</span>
<a href="https://doi.org/10.5281/zenodo.20434276" target="_blank" rel="noopener">https://doi.org/10.5281/zenodo.20434276</a>
</div>
</li>
<li class="citation-item">
<span class="citation-num">[4]</span>
<div class="citation-body">
<strong>sentra — Cyber Resilience Command and Observability Substrate</strong>
<span>szl-holdings/sentra · BSL-1.1 · GitHub</span>
<a href="https://github.com/szl-holdings/sentra" target="_blank" rel="noopener">https://github.com/szl-holdings/sentra</a>
</div>
</li>
<li class="citation-item">
<span class="citation-num">[5]</span>
<div class="citation-body">
<strong>sentra-security-gates — Live 6-Gate Scanner Space</strong>
<span>SZLHOLDINGS/sentra-security-gates · HuggingFace Spaces · Gradio 5.9.1</span>
<a href="https://huggingface.co/spaces/SZLHOLDINGS/sentra-security-gates" target="_blank" rel="noopener">https://huggingface.co/spaces/SZLHOLDINGS/sentra-security-gates</a>
</div>
</li>
<li class="citation-item">
<span class="citation-num">[6]</span>
<div class="citation-body">
<strong>OWASP Top 10 for LLM Applications — LLM01: Prompt Injection</strong>
<span>OWASP Foundation 2023–2024</span>
<a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/" target="_blank" rel="noopener">https://owasp.org/www-project-top-10-for-large-language-model-applications/</a>
</div>
</li>
</ul>
</div>
</section>
<!-- ── 9. FOOTER — sibling links ── -->
<footer>
<div class="container">
<div class="footer-grid">
<div class="footer-col">
<h4>sentra</h4>
<ul role="list">
<li><a href="https://huggingface.co/spaces/SZLHOLDINGS/sentra-security-gates" target="_blank" rel="noopener">sentra-security-gates Space</a></li>
<li><a href="https://huggingface.co/spaces/SZLHOLDINGS/sentra-platform" target="_blank" rel="noopener">sentra-platform Space</a></li>
<li><a href="https://github.com/szl-holdings/sentra" target="_blank" rel="noopener">Source (GitHub)</a></li>
<li><a href="https://doi.org/10.5281/zenodo.20434276" target="_blank" rel="noopener">Zenodo DOI</a></li>
</ul>
</div>
<div class="footer-col">
<h4>SZL Sibling Spaces</h4>
<ul role="list">
<li><a href="https://huggingface.co/spaces/SZLHOLDINGS/szl-anatomy" target="_blank" rel="noopener">szl-anatomy</a></li>
<li><a href="https://huggingface.co/spaces/SZLHOLDINGS/a11oy-receipts-playground" target="_blank" rel="noopener">a11oy-receipts-playground</a></li>
<li><a href="https://huggingface.co/spaces/SZLHOLDINGS/amaru-memory-attestation" target="_blank" rel="noopener">amaru-memory-attestation</a></li>
<li><a href="https://huggingface.co/spaces/SZLHOLDINGS/lean-proof-playground" target="_blank" rel="noopener">lean-proof-playground</a></li>
</ul>
</div>
<div class="footer-col">
<h4>Related Repos</h4>
<ul role="list">
<li><a href="https://github.com/szl-holdings/a11oy" target="_blank" rel="noopener">szl-holdings/a11oy</a></li>
<li><a href="https://github.com/szl-holdings/ouroboros" target="_blank" rel="noopener">szl-holdings/ouroboros</a></li>
<li><a href="https://github.com/szl-holdings/lutar-lean" target="_blank" rel="noopener">szl-holdings/lutar-lean</a></li>
<li><a href="https://github.com/szl-holdings" target="_blank" rel="noopener">github.com/szl-holdings</a></li>
</ul>
</div>
<div class="footer-col">
<h4>Research</h4>
<ul role="list">
<li><a href="https://arxiv.org/abs/2403.04957" target="_blank" rel="noopener">arXiv:2403.04957</a></li>
<li><a href="https://arxiv.org/abs/2302.12173" target="_blank" rel="noopener">arXiv:2302.12173</a></li>
<li><a href="https://doi.org/10.5281/zenodo.20434276" target="_blank" rel="noopener">Ouroboros Thesis DOI</a></li>
<li><a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/" target="_blank" rel="noopener">OWASP LLM Top 10</a></li>
</ul>
</div>
</div>
<div class="footer-bottom">
<p>© 2024–2026 SZL Holdings · sentra deep-dive · BSL-1.1</p>
<span class="footer-doctrine">Doctrine v6 · No superlatives · Honest Y/N · arXiv-grounded</span>
</div>
</div>
</footer>
<!-- Rosie floating widget v2.0.0 -->
<!-- NOTE(review): this script is loaded by absolute URL from
     szlholdings-readme.static.hf.space (presumably a different origin from this
     page) and, once loaded, runs with full access to this page's DOM.
     No integrity attribute is set, so any change to the hosted file takes
     effect here without review. Consider serving a pinned copy alongside this
     page, or adding integrity="sha384-<HASH_OF_PINNED_FILE>" with
     crossorigin="anonymous" once the host is confirmed to send CORS headers. -->
<script src="https://szlholdings-readme.static.hf.space/assets/rosie/rosie-widget.js"
data-surface="sentra"
data-a11oy-base=""
defer></script>
</body>
</html>