Sentinel Band

Most "agent fixes your cloud" demos hand one LLM both the findings and the keys. One prompt injection in a bucket tag and it's deleting your audit logs. Sentinel Band is built so that no single agent holds both read and write AWS access, and no agent trusts another agent's prose. Only validated JSON schemas cross agent boundaries. Four independent gates have to agree before anything is written to AWS: Independent verification — a second agent, in its own process, re-queries AWS itself to confirm a finding. It never inherits the first agent's claims. Deterministic policy gate — pure Python (no LLM) re-derives the risk tier and checks a hardcoded allowlist + exact parameters before any boto3 write. Wired executor — even a call that passes the gate cannot run unless its concrete boto3 executor is explicitly mapped in code. Rollback requirement — Remediation refuses to run anything without a registered inverse. rollback_possible is an enforced invariant; a human can undo any auto-fix with one message. If any gate disagrees, the write does not happen. Everything fails closed.