Security Posture Overview
Sentinel and Zeus operate under a Zero-Trust, Offline-First security model:
- No external dependencies — All AI/LLM ops run locally (localhost)
- Secrets isolated — All API keys/tokens in .env, never committed
- Perimeter security — AdGuard + SearXng provide DNS filtering, ad-blocking, safe search
- Network sovereignty — Bridged LAN (br0) on enp3s0 — no NAT, no public exposure
- Compliance-first — Aligned with HIPAA, NIST 800-53, ISO 27001
Philosophy:
"If it requires an internet connection, it's not part of Sentinel or Zeus."
Operational Security
| Control | Implementation | Evidence |
|---|---|---|
| Secrets Management | env_file: .env in all Docker Compose services | [1] |
| No Hardcoded Credentials | All passwords, API keys, tokens in .env | [1] |
| Network Isolation | network_mode: host — direct bridge to br0, no Docker NAT | [1] |
| Telemetry Disabled | QDRANT__TELEMETRY__ENABLED=false, N8N_DIAGNOSTICS_ENABLED=false | [1] |
| Audit Logging | JSON-structured logs, 100MB/3-file rotation | [1] |
| Resource Limits | deploy.resources.limits — memory, CPU, GPU reservations | [1] |
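The controls in the table above can be checked mechanically. The following added example (not the project's own code) audits a Compose file, already loaded into a Python dict, against each row; the service names, the `json-file` driver with its `max-size`/`max-file` options, the secret-name pattern and the sample data are assumptions.

```python
import re

# Assumed pattern for variable names that look like secrets; tune it locally.
SECRET_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN|API_?KEY)", re.I)
# Telemetry switches from the table, keyed by an assumed service-name substring.
TELEMETRY = {"qdrant": "QDRANT__TELEMETRY__ENABLED", "n8n": "N8N_DIAGNOSTICS_ENABLED"}

def env_map(svc):
    """Normalize Compose `environment` (KEY=VAL list or mapping) to a dict of strings."""
    env = svc.get("environment") or {}
    if isinstance(env, list):
        env = dict(item.partition("=")[::2] for item in env)
    return {k: "" if v is None else str(v) for k, v in env.items()}

def audit_service(name, svc):
    """Return the list of table controls that this service does not meet."""
    findings, env = [], env_map(svc)
    if not svc.get("env_file"):
        findings.append("no env_file")
    for key, val in env.items():
        # A literal value under a secret-looking name; ${VAR} references pass.
        if SECRET_NAME.search(key) and val and not val.startswith("${"):
            findings.append(f"inline secret: {key}")
    if svc.get("network_mode") != "host":
        findings.append("network_mode is not host")
    for hint, var in TELEMETRY.items():
        if hint in name and env.get(var, "").lower() != "false":
            findings.append(f"{var} not false")
    opts = (svc.get("logging") or {}).get("options") or {}
    if (str(opts.get("max-size")), str(opts.get("max-file"))) != ("100m", "3"):
        findings.append("log rotation is not 100m x 3")
    if not ((svc.get("deploy") or {}).get("resources") or {}).get("limits"):
        findings.append("no resource limits")
    return findings

def audit(compose):
    return {n: audit_service(n, s) for n, s in compose.get("services", {}).items()}

# Constructed sample: "qdrant" follows the table, "n8n" drifts from it.
SAMPLE = {"services": {
    "qdrant": {"env_file": [".env"], "network_mode": "host",
               "environment": ["QDRANT__TELEMETRY__ENABLED=false"],
               "logging": {"driver": "json-file",
                           "options": {"max-size": "100m", "max-file": "3"}},
               "deploy": {"resources": {"limits": {"memory": "4g", "cpus": "2"}}}},
    "n8n": {"environment": {"N8N_DIAGNOSTICS_ENABLED": "true",
                            "EXAMPLE_API_KEY": "constructed-value"}},
}}

for name, findings in audit(SAMPLE).items():
    print(name, findings or "OK")
```

An empty list for a service means every row of the table is satisfied; each string names the control that has drifted.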
Compliance Mapping
| Framework | Alignment | Status | Notes |
|---|---|---|---|
| HIPAA | Full Implementation | Compliant | Medical model environment — data never leaves host |
| NIST 800-53 | Moderate Baseline | Mapped | Security controls aligned |
| ISO 27001 | ISMS Requirements | Aligned | Information security management |
| DoD 8570 | IAT Level III | Former | Expired 2020; eligible for re-investigation [1] |
Data Classification & Handling
| Level | Data Type | Storage | Transmission | Handling Rules |
|---|---|---|---|---|
| Confidential | API keys, tokens, passwords | Encrypted at rest (env_file:), never in compose | TLS 1.3 in-transit (via AdGuard) | Never committed to VCS |
| Internal | Embeddings, RAG results, logs | Local storage (qdrant-data, open-web-data) | localhost only | Retained per SLA |
| Public | Observability metrics | Grafana dashboards (localhost:3030) | Unauthenticated, LAN-only | No PII |
Incident Response
| Step | Action | Tools Used |
|---|---|---|
| Detection | zeus-validator.sh + prometheus alerts | Prometheus rules, curl healthchecks |
| Isolation | docker compose restart + network review | network_mode: host review |
| Escalation | Audit logs reviewed, docker logs | JSON-structured logging |
| Recovery | Restore from vaulted .env backup + vaulted docker-compose.yml.backup | git + rsync |
RTO/RPO: <4 hr / <15 min (measured via validator SLAs) [1]. For Ethereum/Blockchain Validator: 5 min, with hot-standby 5 seconds. One attestation, not 300+.
Contact Information
Chief Architect, Sovereign AI Infrastructure
Stephen Sargent
Email
Location: Phoenix, AZ
Availability: Immediate
Clearance: TS/SCI Eligible [1]