Architecture
How system requirements map to agent components, and what each platform dependency is used for.
Endpoint
# macOS
macOS 13+, root access
Network Extension approved
Keychain write access
# Windows
Windows 10 64-bit, SYSTEM
WinDivert driver installed
Cert store write accessRequirements by Component
Agent Core
LaunchDaemon / Service
macOS: LaunchDaemon plist
Windows: SentinelAgent service
Runs as root / SYSTEM
Bootstrap
Chain-of-trust validation
Signed binary verification
Spawns sentinel with --spawned-by-bootstrap
Network Monitor
macOS
Network Extension (kernel)
NETransparentProxyManager
System Extension approval required
Windows
WinDivert driver
Packet-level interception
Bundled in agent package
Certificate
macOS
Self-signed root CA
security add-trusted-cert
System Keychain write
Windows
Self-signed root CA
Cert:\LocalMachine\Root
Admin cert store write
Operational State
LaunchDaemon runningSystem Extension activeRoot CA trustedBackend sync connectedWinDivert driver loadedService registered
QuilrAI
Component Dependency Map
Security Model
The agent enforces a chain-of-trust before starting:
- Bootstrap verifies its own code signature using OS APIs
- Bootstrap verifies the
sentinelagent binary against the manifest - Bootstrap spawns
sentinelwith--spawned-by-bootstrapand passes its PID viaSENTINEL_BOOTSTRAP_PID - sentinel rejects startup if not spawned by bootstrap (exits with code 1)
This prevents the agent from running if tampered with or launched directly.
Installation Paths
Update Flow
The agent self-updates via sentinel-updater, which the installer registers as a scheduled task or LaunchDaemon:
- Checks the CDN for a new version every 30 minutes
- Downloads and verifies the package (RSA-PSS + SHA-256)
- Validates signatures in staging before stopping the running agent
- Deploys from staging, starts the agent, runs a 30-second health check
- Rolls back automatically on failure
The agent is never stopped until the staged package passes all verification checks.