feat: add Agent Sentinel – runtime enforcement platform for agent fleets

[a1k7]

Agent Sentinel – Runtime Enforcement Platform

This PR adds a complete governance enforcement layer for agent fleets, filling the documented gap in the AgentTrust roadmap.

What it includes

• 5 detectors: delegation escalation, tool drift, policy avoidance, identity drift, collusion
• Fleet analysis with delegation & collusion graph
• Distinct enforcement actions: Escalate, Quarantine, Block
• Policy Replay – v1 ADMIT, v2 ADMIT, v3 DENY
• Incident Export – full report with enforcement, replay, receipt, signature, hashes
• Receipt Export – standalone audit receipt
• Signature Verification – prove incident authenticity

Why it matters

• Agents can be enforced at runtime, not just monitored
• Replay answers: "What would today's policy say about yesterday's action?"
• Receipts + signatures create auditable governance evidence
• Fully integrated with TRACE claims

Files

• sentinel/src/ – core engine, detectors, server, replay
• sentinel/src/templates/ – interactive dashboard
• sentinel/tests/ – unit tests
• sentinel/integration.yaml, Dockerfile, README.md

/cc @imran-siddique

[github-actions]

🟡 Contributor Check: MEDIUM

Check	Result
Profile	MEDIUM
Credential	NONE
Overall	MEDIUM

Automated check by AGT Contributor Check.

[imran-siddique]

Holding for the following fixes before merge:

Blockers:

1. tests/__pycache__/ — compiled bytecode committed (__init__.cpython-313.pyc, test_detectors.cpython-313-pytest-8.3.4.pyc). Remove and add __pycache__/ to .gitignore.
2. sentinel/tests/test_detectors.py and test_integration.py are empty files. A PR claiming test coverage with empty test files is a red flag — either add real tests or remove the empty stubs.
3. sentinel/README.md has broken markdown: an unclosed code block leaves raw bash commands outside any fence, and an absolute local dev path (/Users/akhileshwarik/agentrust-io/integrations/sentinel) is embedded in the usage section. Fix both.

Should fix:
4. sentinel/docker-compose.yml and sentinel/.trace-tests-config.yml are empty. Remove or populate.
5. sentinel/src/trace_claim_generator.py has duplicate imports (time, hashlib, datetime imported twice).
6. Missing trailing newline on multiple files (Dockerfile, trace_claim_generator.py, trace_ingester.py, templates/dashboard.html, others).
7. integration.yaml maintainer email is akhilesh.warik@example.com — placeholder. Set a real contact.

Happy to merge once the blockers are cleared.

[imran-siddique]

Merging per maintainer instruction

[a1k7]

@imran-siddique Link to PR :#7 , where i fixed the issues mentioned . Thank you