Legacy Sentinel Extension Surface (v1.33.0) — This page documents the rule taxonomy and verdict system from the browser extension era. The governance logic is fully preserved in the Enterprise CLI platform. For the current governance engine, see the Deep Governance Audit and AI Coding Governance pages.

VerifAIer Sentinel · governance engine

Verdict System & Rule Taxonomy

Deterministic escalation logic applied locally. No model inference. No cloud calls. Every verdict is reproducible from the same input under the same profile.

Pure local execution Deterministic output No model inference governance_policy.js

01 — verdict system

Three-State Verdict

GREEN
No Actionable Findings

The rule engine detected no pattern matches, or all matched findings fall below the active profile's escalation thresholds.

Triggers when: findings array is empty, or all findings are suppressed by profile severity thresholds.

Minimum status override: profiles with minimum_status: "yellow" cannot produce GREEN, regardless of findings.
YELLOW
Review Required

One or more findings are present and at least one escalation rule targets yellow, or the profile enforces a minimum_status of yellow.

Triggers when: a finding matches a escalate_to: "yellow" rule, or no red rule matched but minimum_status is yellow.

Human action: interaction should be reviewed before proceeding. Receipt exported with findings detail.
RED
Blocked — Policy Violation

At least one finding triggered a escalate_to: "red" escalation rule in the active profile. Interaction is flagged for immediate action.

Triggers when: any finding's type matches an escalation rule with escalate_to: "red". The wildcard rule "*" (sovereign profile) matches all types.

Human action: interaction blocked at UI layer. Receipt written to audit vault with full escalation reason chain.

02 — finding taxonomy

Finding Types

Six types are produced by the active rule engine. Four are reserved for forward-compatible profile configuration (dashed border) — no current rule emits them.

ACTIVE
SQL_INJECTION_RISK

Raw or template-literal SQL strings passed directly to an AI prompt without parameterization. Indicates potential for malicious query construction.

SELECT.*FROM.*WHERE.*\$\{
BASE: HIGH Injection
ACTIVE
UNSAFE_EVAL

Presence of eval(), Function(), or similar dynamic code execution patterns in AI-generated or AI-augmented content.

eval\(|new Function\(
BASE: HIGH Execution
ACTIVE
SHELL_INJECTION_RISK

Shell metacharacters or command chaining operators in prompt content that could be passed to a subprocess or command executor.

;\s*rm|&&\s*curl|\|\s*sh
BASE: HIGH Injection
ACTIVE
AUTH_BYPASS_RISK

Patterns that attempt to circumvent authentication or authorization checks, such as always-true conditions in auth context.

OR 1=1|ignore.*auth|bypass.*login
BASE: HIGH Auth
ACTIVE
HARDCODED_SECRET

API keys, tokens, or credentials pasted inline into prompt content. Detects common secret prefixes and high-entropy strings.

sk-[A-Za-z0-9]{32,}|Bearer [A-Z0-9]{20,}
BASE: HIGH Secrets
ACTIVE
PROMPT_INJECTION_RISK

Indirect instruction patterns embedded in user content or retrieved data that attempt to override the AI system's behavioral instructions.

ignore previous instructions|disregard.*system
BASE: MEDIUM Injection
FORWARD-COMPATIBLE
INSECURE_CREDENTIAL_HANDLING

Credential material transmitted, stored, or logged in a manner inconsistent with security policy. Reserved for session and token handling audits.

— (no current rule produces this type)
BASE: MEDIUM Auth
FORWARD-COMPATIBLE
UNVALIDATED_INPUT

User-controlled data passed to downstream processing without sanitization. Covers future schema validation and input boundary checks.

— (no current rule produces this type)
BASE: LOW Input
FORWARD-COMPATIBLE
POLICY_BYPASS

Explicit attempt to circumvent governance policy enforcement, such as disabling audit logging or suppressing findings.

— (no current rule produces this type)
BASE: HIGH Governance
FORWARD-COMPATIBLE
UNSAFE_EXECUTION

Dynamic code execution beyond eval() scope — child processes, WASM loading, or runtime code generation from AI output.

— (no current rule produces this type)
BASE: HIGH Execution

03 — escalation logic

Escalation Chain

Deterministic invariant: given the same findings[] array and profileId, the function applyGovernancePolicy() always returns the same output. No randomness. No external calls. No state mutation.

1
Rule Engine Output

local_rules.js evaluates the captured interaction text with pure RegExp functions. Each match produces a structured finding with type, severity, match, and confidence. No network. No model calls.

{ type: "SQL_INJECTION_RISK", severity: "HIGH", confidence: 0.94, match: "SELECT * FROM users WHERE id = ${userId}" }
2
Profile Loaded

The active governance profile is resolved from the profile registry (GOVERNANCE_PROFILES[profileId]). Unknown profile IDs fall back to default silently.

profile = GOVERNANCE_PROFILES["enterprise"] // { minimum_status: "yellow", severity_overrides: { SQL_INJECTION_RISK: "CRITICAL", ... }, ... }
3
severity_overrides Applied

For each finding, the profile's severity_overrides map is consulted. If the finding type appears in the map, the override replaces the rule engine's base severity. The original finding object is never mutated — a new object is composed via Object.assign().

overriddenSeverity = profile.severity_overrides["SQL_INJECTION_RISK"] || finding.severity // "CRITICAL" (overridden from "HIGH")
4
escalation_rules Evaluated

Each escalation rule is checked against the finding type. If a match exists, the verdict is raised to the rule's escalate_to status. The escalation reason string is appended to escalationReasons[] in the output. Wildcard rules (finding_type: "*") match all types.

rule = { finding_type: "SQL_INJECTION_RISK", escalate_to: "red", reason: "enterprise:sql_injection_always_red" } // policyTriggered = true, minStatus raised to "red"
5
minimum_status Enforced

After all findings are processed, the profile's minimum_status is compared against the computed status. The status rank is red > yellow > green. If the profile minimum exceeds the computed status, the minimum wins. Enterprise, Banking, and Government profiles set minimum_status: "yellow".

if (profile.minimum_status) { if (_rank[profile.minimum_status] > _rank[minStatus]) { minStatus = profile.minimum_status; // floor enforced } }
Verdict Returned

applyGovernancePolicy() returns a pure object. No side effects. The return value is consumed by audit_receipt.js to compose the deterministic SHA-256 receipt.

{ escalatedFindings: [...], escalationReasons: ["enterprise:sql_injection_always_red"], minimumStatus: "red", profileId: "enterprise", policyTriggered: true, ... }

04 — profile matrix

Severity by Profile

Effective severity after severity_overrides and escalation target per profile. Cells show: effective severity / escalation status. MIN = minimum_status floor (no escalation rule fired, but profile floor applies).

Finding Type Default Developer Enterprise Banking Government
SQL_INJECTION_RISK
HIGH
HIGH → yellow
CRITICAL → red
CRITICAL → red
CRITICAL → red
UNSAFE_EVAL
HIGH
CRITICAL → red
HIGH MIN: yellow
CRITICAL → red
CRITICAL → red
SHELL_INJECTION_RISK
HIGH
CRITICAL → red
HIGH MIN: yellow
CRITICAL → red
CRITICAL → red
AUTH_BYPASS_RISK
HIGH
HIGH
CRITICAL → red
CRITICAL → red
CRITICAL → red
HARDCODED_SECRET
HIGH
HIGH
CRITICAL → red
CRITICAL → red
CRITICAL → red
PROMPT_INJECTION_RISK
MEDIUM
MEDIUM
HIGH → red
CRITICAL → red
CRITICAL → red
INSECURE_CREDENTIAL_HANDLING forward-compatible
MEDIUM
HIGH → yellow
CRITICAL → red
CRITICAL → red
CRITICAL → red
UNVALIDATED_INPUT forward-compatible
LOW
LOW
HIGH MIN: yellow
HIGH MIN: yellow
HIGH MIN: yellow
POLICY_BYPASS forward-compatible
HIGH
HIGH
HIGH MIN: yellow
CRITICAL → red
CRITICAL MIN: yellow
UNSAFE_EXECUTION forward-compatible
HIGH
CRITICAL → red
HIGH MIN: yellow
CRITICAL → red
CRITICAL MIN: yellow
Enterprise, Banking, and Government profiles enforce minimum_status: "yellow" — no clean GREEN verdict is possible under these profiles, regardless of findings.

05 — finding structure

Escalated Finding Object

escalatedFinding — output of applyGovernancePolicy() profile: enterprise 
{
  // ── Original rule engine fields ────────────────────────────────────
  "type":                 "SQL_INJECTION_RISK",         // finding type from local_rules.js
  "match":               "SELECT * FROM users WHERE id = ${userId}",
  "confidence":          0.94,                           // 0.0 – 1.0 from rule scorer
  "offset":              142,                            // character position in input

  // ── After applyGovernancePolicy() ─────────────────────────────────
  "severity":            "CRITICAL",                     // overridden from "HIGH" by enterprise profile
  "governance_escalated": true,                            // escalation rule was triggered
  "governance_reason":   "enterprise:sql_injection_always_red",

  // ── Written into audit receipt ─────────────────────────────────────
  "profile_id":          "enterprise",
  "verdict_contribution": "red"                           // this finding set the final verdict
}

Immutability invariant: applyGovernancePolicy() uses Object.assign({}, finding, ...) — it never mutates the input findings array. The original rule engine output is preserved unchanged. The escalated object is a new allocation.

06 — profile reference

Profile Summary

Profile ID Regulatory Context Risk Tolerance Minimum Status Audit Tier Escalation Rules
default none medium none standard 0
developer none medium none developer 5
enterprise enterprise_compliance low yellow enterprise 5
banking pci_dss_sox very_low yellow regulated 9
government fisma_fedramp very_low yellow government 7
sovereign sovereign_data zero yellow sovereign 1 (wildcard *)

Local-first invariant: all six profiles are resolved from the in-extension registry (GOVERNANCE_PROFILES) at runtime. No profile data is fetched from a remote server. Profile selection changes the deterministic outcome of the same input — no model is re-queried.