Improvement proposals from simulations
Problem: Deploy pipeline has 0% automation. Sentinel collects deploy info ad hoc via relay messages (8-12 msgs, 60-90 min per deploy). 28% of relay messages are duplicates.

Solution: Standardized deploy.yml manifest in each repository defining build config, containers, dependencies, domains, and required env vars.

| KPI | Current | Predicted | Change |
|---|---|---|---|
| Deploy velocity | 60-90 min | 10-15 min | -80% |
| Messages/deploy | 8-12 | 2-3 | -75% |
| Success rate | ~60% | ~85% | +25pp |
| Automation | 0% | ~60% | +60pp |

| Phase | Task | Effort | Status |
|---|---|---|---|
| 1 | Define spec + create for s60-auth | 1 day | Pending |
| 2 | Sentinel manifest parser + validation | 2 days | Pending |
| 3 | Extend to pulse, s60-mail, billit | 2 days | Pending |
| 4 | Badwolf + Venom (special build) | 1 day | Pending |
| 5 | Auto-deploy on git push | Future | Planned |

Problem: 11 unique secret types (32+ occurrences) found in plaintext in relay message history. File permissions wrong on 55% of secrets files/directories. Zero secret rotation since initial setup.

Solution: 4-phase remediation: (1) Fix permissions immediately, (2) Rotate all exposed secrets, (3) Harden relay API with pattern detection & message expiration, (4) Establish 90-day rotation schedule.

| Secret Type | Risk Level | Found In |
|---|---|---|
| ANTHROPIC_API_KEY | CRITICAL | sentinel, infra |
| DO_API_TOKEN | CRITICAL | sentinel, infra |
| CF_API_TOKEN | CRITICAL | sentinel |
| GOOGLE_CLIENT_SECRET | HIGH | auth, sentinel |
| FACEBOOK_APP_SECRET | HIGH | auth, sentinel |
| JWT_SECRET | HIGH | auth, sentinel |
| MANAGED_PG_PASSWORD | HIGH | sentinel |
| REDIS_PASSWORD | MED | sentinel |
| RESEND_API_KEY | MED | mail, sentinel |
| JENKINS_DB_PASSWORD | MED | sentinel |
| _AUTH_CLIENT_SECRET | MED | auth |

| KPI | Current | Predicted | Change |
|---|---|---|---|
| Secrets in relay | 32+ plaintext | 0 | -100% |
| File permissions OK | ~55% | 100% | +45pp |
| Secret rotation | Never | 90 days | New |
| Exposed secret types | 11 | 0 | -100% |

| Phase | Task | Timeline | Status |
|---|---|---|---|
| 1 | Fix file permissions (secrets/ + servers) | 24h | Pending |
| 2 | Rotate all 11 exposed secret types | 1 week | Pending |
| 3 | Relay API hardening (pattern detection, expiration) | 2 weeks | Pending |
| 4 | 90-day rotation schedule + automated checks | Ongoing | Planned |
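The Phase 3 relay controls (pattern detection, message expiration, duplicate suppression) as an added example, not Sentinel's or the relay API's own code: it scans constructed relay messages for the 11 secret names in the inventory above, redacts values before a message is stored, drops messages older than a TTL, and discards duplicates. The `NAME=value` / `NAME: value` message shape, the 24h TTL and the sample messages are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# The 11 secret names come from the inventory above; the "NAME=value" / "NAME: value"
# message shape and the 24h TTL are constructed assumptions, not Sentinel's format.
SECRET_NAMES = (
    "ANTHROPIC_API_KEY", "DO_API_TOKEN", "CF_API_TOKEN", "GOOGLE_CLIENT_SECRET",
    "FACEBOOK_APP_SECRET", "JWT_SECRET", "MANAGED_PG_PASSWORD", "REDIS_PASSWORD",
    "RESEND_API_KEY", "JENKINS_DB_PASSWORD", "_AUTH_CLIENT_SECRET",
)
# \w* allows a prefix, so X_AUTH_CLIENT_SECRET=... is caught via _AUTH_CLIENT_SECRET.
SECRET_RE = re.compile(
    r"\b(?P<name>\w*(?:" + "|".join(map(re.escape, SECRET_NAMES)) + r"))\s*[=:]\s*(?P<value>\S+)"
)

def find_secrets(text):
    """Names of secrets whose value appears in plaintext in a relay message."""
    return [m.group("name") for m in SECRET_RE.finditer(text)]

def redact(text):
    """Keep the secret name for triage, drop the value before the message is stored."""
    return SECRET_RE.sub(lambda m: f"{m.group('name')}=[REDACTED]", text)

def ingest(messages, now, ttl=timedelta(hours=24)):
    """Apply the controls in order (expire, deduplicate, redact) to (posted_at, text)
    pairs and return (accepted, n_expired, n_duplicates, secret_names_hit)."""
    seen, accepted, hits, n_expired, n_dupes = set(), [], [], 0, 0
    for posted_at, text in messages:
        if now - posted_at >= ttl:                 # message expiration
            n_expired += 1
            continue
        fp = " ".join(text.split())                # whitespace-normalised fingerprint
        if fp in seen:                             # duplicate suppression (28% of traffic)
            n_dupes += 1
            continue
        seen.add(fp)
        hits.extend(find_secrets(text))            # log the name, never the value
        accepted.append(redact(text))
    return accepted, n_expired, n_dupes, hits

# Constructed sample relay history: a message with two secrets, its duplicate, an expired one, a clean one.
NOW = datetime(2025, 1, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    (NOW - timedelta(hours=1), "deploy s60-auth: set JWT_SECRET=abc123 and GOOGLE_CLIENT_SECRET: xyz"),
    (NOW - timedelta(hours=1), "deploy s60-auth: set JWT_SECRET=abc123 and GOOGLE_CLIENT_SECRET: xyz"),
    (NOW - timedelta(days=3), "old note: DO_API_TOKEN=dop_v1_example"),
    (NOW - timedelta(minutes=5), "pulse /health returns 404, no secrets here"),
]
```

Running `ingest(SAMPLE, NOW)` accepts two messages with values redacted, reports one expired and one duplicate, and records the secret names hit so the rotation list in Phase 2 can be driven from real detections.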

| Severity | Finding | Action |
|---|---|---|
| CRIT | 6+ secrets in plaintext in relay history | Proposal #002 (planned) |
| WARN | Pulse /health returns 404 | Sent to sentinel |
| WARN | s60-mail has no nginx config on prod | Sent to sentinel |
| WARN | Relay API duplicates 28% of messages | Bug report needed |

Complete inventory of Claude Code v2.1.76: 39 CLI flags (8% used), 43 plugins (0 installed), 0 hooks, 2 broken MCP servers.
Phase 1 (SELF-IMPLEMENTED): run.sh flags: --no-session-persistence (saves 40MB), --name (session tracking), --max-budget-usd 0.75 (cost cap), --fallback-model sonnet (reliability).
Phase 2 (propose to Libor): Install hookify + security-guidance + code-review plugins. Remove broken Google MCP servers. --effort medium for token savings.
Phase 3 (ecosystem): --allowedTools per agent, TypeScript LSP for NestJS repos, custom S60 agents.

| ID | Finding |
|---|---|
| F-195 | 66 stale sessions (40MB) — fixed by --no-session-persistence |
| F-196 | 2 broken MCP servers (Google Calendar/Gmail) |
| F-197 | 0/43 plugins installed |
| F-198 | 0 hooks configured |
| F-199 | Feature utilization 8% (3/39) |

No rejected proposals yet.
No implemented proposals yet.