VerifAIer Sentinel · AI Governance Infrastructure · Oversight Runtime
Governance Pipeline
Six-layer governance runtime. Interaction capture through local audit vault. Fully local, independent of model provider. Click any layer to expand.
D key: step through
01
content_script.js — Chrome Extension MV3
Browser Capture
DOM event interception before AI submission. Zero prompt exfiltration.
local-first
no-cloud
What it does
Registered as a Chrome MV3 content script; runs inside the AI platform page.
Intercepts
input, paste, and submit DOM events before the prompt is dispatched to the AI service.Supported platforms: ChatGPT, Claude.ai, Gemini (selectors in
platform_selectors.json).Does not modify the page, network requests, or AI responses.
Does not capture response text, user identity, or cookies.
Output to Sentinel Engine
{ contextString: string, // raw prompt text auditType: 'on_demand' // always }
Platform selectors
platform_selectors.json → chatgpt, claude, gemini → textarea selectors per platform
⬤
local-first enforced here: captured text is passed to the local Sentinel Engine only, never forwarded to any remote governance service.
02
sentinel_engine.js — VerifAIer v1.9.0
Sentinel Engine
Pure synchronous pipeline coordinator. No I/O. No browser API.
no-hidden-calls
pure function
Public API
analyzeText(text) → { status: 'green'|'yellow'|'red', confidence: number, reason: string, details: string[], findings: { rule: string, severity: string }[] }
Internal call chain
analyzeText(text) → scanText(text) → each rule.pattern.test(text) ← [{ rule, severity }] → analyzeFindings(findings) ← { status, confidence, reason, details } → buildExplanation(details) ← human-readable explanations
Severity mapping
error findings → status: 'red', confidence 0.90 warning findings → status: 'yellow', confidence 0.70 no findings → status: 'green', confidence 0.95
⬤
Pure coordinator: sentinel_engine.js has no network calls, no DOM access, and no browser API calls. JS port of Python
sentinel_analyzer.py and sentinel_explainer.py.
03
local_rules.js — 5 active rules
Rule Engine
RegExp pattern evaluators. Pure functions. One finding per rule name per scan.
SQL_INJECTION_RISK
SECRET_EXPOSURE
EVAL_USAGE
SHELL_INJECTION_RISK
DEBUG_MODE_ON
Rule structure
{ pattern: RegExp, rule: string, severity: 'error' | 'warning' } // Evaluation: deduplicated per rule name for rule of RULES: if !seen.has(rule) && rule.pattern.test(text) findings.push({ rule, severity })
Active rules
SQL_INJECTION_RISK (error): f-string / concatenation / .format() SQL patterns inside .execute()SECRET_EXPOSURE (error): password|api_key|token = 'value' pattern, 4+ char valuesEVAL_USAGE (error): \beval\s*\( dynamic code executionSHELL_INJECTION_RISK (error): subprocess call with shell=TrueDEBUG_MODE_ON (warning): DEBUG = True left in production context
⬤
Pure functions: all rule evaluations are
RegExp.test(string). No I/O, no global state, no async. Governance-layer profiles may apply additional finding type mappings and severity overrides (Layer 4).
04
governance_policy.js — VerifAIer Sentinel
Governance Policy
Profile-driven severity overrides and escalation rules. Deterministic verdict computation.
deterministic-receipts
5 profiles
Profile resolution
GOVERNANCE_PROFILES[profile_id] → { severity_overrides: { finding_type: severity }, escalation_rules: [{ finding_type, escalate_to: 'red' | 'yellow', reason: string }], minimum_status: null | 'yellow' }
Available profiles
default
developer
enterprise
banking
government
Verdict computation
For each finding: look up
severity_overrides[finding_type] (if configured by active profile).Evaluate
escalation_rules: if finding_type matches, apply escalate_to status.Verdict = max of all escalated statuses:
red > yellow > green.Apply
minimum_status floor: enterprise/banking/government require at least yellow; a clean audit on a regulated profile cannot silently produce green.Output:
{ status, confidence } + applied escalation log.
⬤
Deterministic: pure function over findings + profile_id. The same findings under the same profile always produce the same verdict. No randomness, no runtime state.
05
audit_receipt.js — VerifAIer v1.9.1
Receipt Builder
SHA-256 tamper-evident receipt over canonical JSON. Deterministic. Replay-safe.
deterministic-receipts
replay-safe
authoritative_for_wiw=false
Receipt construction
inputHash = SHA256(contextString) resultHash = SHA256(canonicalJson(result)) diagnosticsHash = SHA256(canonicalJson(diagnostics)) receipt_id = 'vai-' + inputHash[0:8] + '-' + resultHash[0:8] receipt_hash = SHA256(canonicalJson(receipt_fields)) // created_at excluded from hash by design created_at = new Date().toISOString() // appended last; does not affect integrity
canonicalJson(obj)
// Sorts object keys recursively // Produces identical string across // all JS runtimes regardless of // insertion order canonicalJson({ z: 1, a: 2 }) → '{"a":2,"z":1}' // always
Receipt fields
receipt_id, audit_type, input_hash, result_hash, diagnostics_hash, status, confidence, findings_count, rules_detected: [], llm_mode, latency_ms, extension_version, receipt_hash, // integrity seal created_at // excluded from hash
⬤
Replay-safe & deterministic: identical
contextString + result always produce the same receipt_id and receipt_hash.
authoritative_for_wiw: false is hard-coded. This field is never set to true by the browser runtime.
06
audit_vault.js — chrome.storage.local
Audit Vault
Local-only receipt persistence. No cloud sync. No remote access. JSON-exportable.
local-first
no-cloud
Storage layer
Uses
chrome.storage.local (browser-local, device-specific).chrome.storage.sync is intentionally not used. Receipts never leave the device.Receipts survive browser restarts and extension updates.
Default Chrome storage.local limit: ~5MB (configurable).
Export path
audit_vault.js // read/write wiw_signal_export.js // JSON export report_export.js // CSV / PDF
Query capabilities
Query by
status: filter green / yellow / red receipts.Query by
timestamp range: date-bounded audit windows.Lookup by
receipt_id: deterministic ID enables replay verification.Replay-safe: re-running the same audit produces the same receipt_id, vault deduplicates cleanly.
What never happens
No upload to remote storage
No vendor attestation dependency
No cloud backup or sync
⬤
Audit trail ownership: receipts live in the user's browser storage. Integrity is verifiable without vendor access. The SHA-256 hash is self-contained in each receipt.
Pipeline Integrity Properties
local-first
All 6 layers execute within the browser process. No governance data transits a remote server at any point in the pipeline.
deterministic
SHA-256 over canonical JSON. canonicalJson() sorts keys recursively. Same prompt + same profile = same receipt_id + receipt_hash, always.
replay-safe
Receipts carry no side-effecting state. Re-running the same audit produces the same receipt_id. The vault deduplicates deterministically.
authoritative_for_wiw=false
Hard-coded invariant in audit_receipt.js. This runtime surface never asserts write-in-write authority. Not configurable.
pure rule evaluation
All rule evaluations are RegExp.test(string). No I/O, no global state, no async. Rules are verifiable by reading local_rules.js directly.
no vendor dependency
Receipt integrity is self-verifiable via SHA-256. Audit trail is in chrome.storage.local. No SLA, no vendor uptime, no remote attestation required.
On-Disk Layout & Verification
Every artifact has a path. Every path has a hash.
# Local file layout — ~/.verifaier/
~/.verifaier/
receipts/
ses-8f2a1b3c-receipt.json
ses-4d91e22a-receipt.json
memory_receipts/
MR-a3f8c12de901.json
links.json
flight_recorder/
ses-8f2a1b3c/
events.jsonl
proof_id.txt
enterprise_workspace/
workspace_artifact.json
readiness_token.json
evidence-2026-05-16/
design_partner_bundle.zip
# Hash verification — any session, any time
vai replay --session ses-8f2a1b3c --verify
Session ses-8f2a1b3c
Events 47
Receipt ~/.verifaier/receipts/ses-8f2a1b3c-receipt.json
Recomputing Merkle root over 47 events...
Derived root a3f8c12de901bb47...
Receipt root a3f8c12de901bb47...
VERIFIED ✓ Chain integrity confirmed.
authoritative_for_wiw=false
# Verify workspace hash
vai enterprise workspace-verify
VERIFIED ✓ workspace_hash matches all 18 subsystems.