feat: Add sentinel-iq kit#209
Conversation
|
Warning Review limit reached
Next review available in: 7 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Repository UI (base), Organization UI (inherited) Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (5)
WalkthroughChangesSentinelIQ adds a security incident triage kit with IOC extraction, structured ATT&CK-based classification prompts, Lamatic workflow orchestration, and a Next.js dashboard for submitting alerts and reviewing results. SentinelIQ triage flow
Suggested reviewers: 🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
:robot_face: AgentKit Structural ValidationNew Contributions Detected
Check Results
|
|
Failure recorded at 2026-07-10T09:43:46Z UTC. If this PR is not fixed within 4 weeks it will be automatically closed. |
There was a problem hiding this comment.
Actionable comments posted: 26
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@kits/sentinel-iq/.gitignore`:
- Around line 1-7: Remove the redundant `.env.*`, `.env`, and `.env.local`
entries from the `.gitignore`, and replace the broad `.env*` pattern with
explicit environment-file patterns that continue ignoring local secrets while
allowing `.env.example` to be committed.
In `@kits/sentinel-iq/agent.md`:
- Line 18: Add exactly one trailing newline to kits/sentinel-iq/agent.md after
the final content, preserving all existing text.
- Around line 1-10: Correct the introductory documentation for the SentinelIQ
agent: use “SentinelIQ,” “security,” and “severity,” change “an alert of” to “an
alert from,” remove the extra space before the closing parenthesis, and use
“domains” in the IOC capability description.
In `@kits/sentinel-iq/apps/.gitignore`:
- Around line 1-2: Add a negation rule for .env.example immediately after the
.env* ignore pattern in the gitignore, so the required example environment file
remains tracked while other environment files stay ignored.
In `@kits/sentinel-iq/apps/actions/orchestrate.ts`:
- Around line 1-6: Replace the raw environment-based Lamatic configuration and
fetch usage in the orchestrate action with the parent kit’s
`../../lamatic.config` and the `lamatic` SDK. Use the imported config’s step
definitions and SDK methods for invoking the Sentinel triage flow, removing
direct `SENTINEL_TRIAGE_FLOW_ID` access and any raw API request logic.
- Around line 60-71: Guard the success path in the polling loop by applying
optional chaining to the nested access in the status handling logic around
checkStatus, matching the existing failed/error branch. Safely retrieve
data.output.result and handle an absent value according to the function’s
expected return behavior instead of allowing a TypeError.
- Around line 8-22: Update graphqlRequest to enforce a finite fetch timeout
using an AbortController or AbortSignal.timeout, and pass the signal to fetch.
Validate res.ok immediately after the request and throw a descriptive error for
non-2xx responses before parsing the body; retain the existing GraphQL error
validation for successful responses.
- Around line 39-40: Replace the full `console.error` response logging in
`executeWorkflow` with a minimal, non-sensitive status or identifier log. Safely
access `data.executeWorkflow.result.requestId` using optional chaining and
validate the result, handling missing response fields with a clear error or
fallback instead of allowing an unhelpful TypeError.
In `@kits/sentinel-iq/apps/app/globals.css`:
- Around line 5-8: Replace the hardcoded background and text colors in the body
rule with CSS custom properties, define the corresponding variables according to
the kit’s Tailwind v4 `@theme` conventions, and reference those variables from
body.
In `@kits/sentinel-iq/apps/app/page.tsx`:
- Around line 6-15: Align TriageResult.confidence with the schema in
sentinel-triage_llm-node_system.md: choose whether confidence is numeric or
textual, then update both the prompt and the TriageResult interface
consistently; if it represents a 0–100 score, type it as a number and ensure
parsing/validation handles numeric LLM output.
- Around line 86-93: Replace index-based React keys in the sample alerts, queue
items, IOC list, and remediation steps by using stable item-specific
identifiers; use each sample alert string for the static sample list and
appropriate unique fields for the other mapped objects, updating the map
callbacks as needed. In particular, fix the queue rendering associated with the
prepend operation in the relevant queue state logic so reordering cannot reuse
incorrect component instances.
- Around line 121-148: Make confidence formatting consistent across the queue
and detail views by updating the queue item rendering in the list map to append
“%” to item.confidence, matching the selected confidence display in the detail
panel.
- Around line 47-55: Correct the typo in the non-quota error message within the
catch block of the page component: update “must have exhasted” to “must have
exhausted” in the setError call.
In `@kits/sentinel-iq/apps/lib/lamatic-client.ts`:
- Around line 3-7: Replace the non-null assertions in lamaticConfig with
explicit startup validation for LAMATIC_API_KEY, LAMATIC_PROJECT_ID, and
LAMATIC_API_URL; throw a clear error identifying any missing variable before
constructing the configuration, then expose validated string values.
In `@kits/sentinel-iq/apps/package.json`:
- Around line 10-22: Add lamatic, shadcn/ui-required dependencies,
react-hook-form, zod, and lucide-react to the appropriate dependency section in
the package manifest, using versions compatible with the existing Next.js and
React versions; ensure the kit app code imports these packages where required.
In `@kits/sentinel-iq/apps/tailwind.config.ts`:
- Around line 1-16: Upgrade the sentinel-iq kit’s tailwindcss dependency in
package.json to v4+, replace the v3 directives in app/globals.css with `@import`
"tailwindcss" and define p1–p4 under an `@theme` block, and remove the obsolete
tailwind.config.ts or retain only settings required for compatibility.
In `@kits/sentinel-iq/constitutions/default.md`:
- Around line 4-6: Correct the typos in the constitution guardrails: update “te
reference table” to “the reference table” in the ATT&CK technique rule, remove
“it” so the sparse-alert rule says “reduce the confidence,” and change “to taken
an action” to “to have taken an action” in the action-claim rule.
In `@kits/sentinel-iq/lamatic.config.ts`:
- Around line 2-4: Correct the metadata typos in the kit configuration: update
the `name` value from “SentinalIQ” to “SentinelIQ” and change the description
wording from “intosevernity” to “into severity” in the exported configuration
object.
- Around line 14-17: In the sentinel-triage step configuration, update the
property name from envkey to envKey to match the contract expected by
getFlowId() in lamatic-client.ts, and correct the environment variable value
from SENTINAL_TRIAGE_FLOW_ID to SENTINEL_TRIAGE_FLOW_ID so it matches
orchestrate.ts and .example.env.
In `@kits/sentinel-iq/prompts/sentinel-triage_llm-node_system.md`:
- Around line 1-31: Add a top-level Markdown heading before the existing
SentinelIQ prompt content, preserving the prompt text and JSON schema unchanged,
and ensure the file ends with exactly one trailing newline to satisfy
markdownlint rules MD041 and MD047.
- Line 22: Clarify the confidence value in the prompt schema and align it with
the downstream TriageResult type in page.tsx. Choose one
representation—preferably a numeric value for a 0–100 score or explicitly a
string—and update both the prompt example and TriageResult.confidence
consistently, preserving the percentage rendering in the selected result
display.
In `@kits/sentinel-iq/README.md`:
- Line 5: Update the Live demo URL in the README to the canonical deployment
https://sentinel-iq-plum.vercel.app instead of the current URL.
- Line 9: Resolve Markdown lint failures in README.md by adding blank lines
after the What it does, Setup, Flow, and quota headings, and ensure the file
ends with exactly one newline.
- Line 23: Unify the flow ID environment variable name across the kit: update
the misspelled SENTINAL_TRIAGE_FLOW_ID declaration in lamatic.config.ts to
SENTINEL_TRIAGE_FLOW_ID, matching the README and apps/actions/orchestrate.ts
references.
- Line 18: Resolve the environment template naming mismatch in the Sentinel IQ
setup documentation: provide the template as apps/.env.example, matching the
existing cp .env.example .env.local command and kit convention. Update the
referenced template file or configuration accordingly, without changing the
command.
In `@kits/sentinel-iq/scripts/sentinel-triage_code-node.ts`:
- Line 2: Update the ipRegex declaration to validate each IPv4 octet is within
0–255 instead of accepting any one-to-three-digit value, while preserving
matching of complete dotted IPv4 addresses and global scanning behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI (base), Organization UI (inherited)
Review profile: ASSERTIVE
Plan: Pro
Run ID: 4f3e7ce1-c656-465c-95ca-7009cb930022
⛔ Files ignored due to path filters (2)
kits/sentinel-iq/apps/package-lock.jsonis excluded by!**/package-lock.jsonkits/sentinel-iq/assets/dashboard.pngis excluded by!**/*.png
📒 Files selected for processing (21)
kits/sentinel-iq/.gitignorekits/sentinel-iq/README.mdkits/sentinel-iq/agent.mdkits/sentinel-iq/apps/.example.envkits/sentinel-iq/apps/.gitignorekits/sentinel-iq/apps/actions/orchestrate.tskits/sentinel-iq/apps/app/globals.csskits/sentinel-iq/apps/app/layout.tsxkits/sentinel-iq/apps/app/page.tsxkits/sentinel-iq/apps/lib/lamatic-client.tskits/sentinel-iq/apps/next-env.d.tskits/sentinel-iq/apps/next.config.mjskits/sentinel-iq/apps/package.jsonkits/sentinel-iq/apps/postcss.config.mjskits/sentinel-iq/apps/tailwind.config.tskits/sentinel-iq/apps/tsconfig.jsonkits/sentinel-iq/constitutions/default.mdkits/sentinel-iq/lamatic.config.tskits/sentinel-iq/prompts/sentinel-triage_llm-node_system.mdkits/sentinel-iq/prompts/sentinel-triage_llm-node_user.mdkits/sentinel-iq/scripts/sentinel-triage_code-node.ts
There was a problem hiding this comment.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@kits/sentinel-iq/flows/sentinel-triage.ts`:
- Around line 12-15: Remove the personal email value from the meta.author.email
field in the sentinel triage metadata, or replace it with a non-personal
project/team identifier while preserving the author metadata structure.
- Around line 49-65: Remove the empty sticky note node identified by id
"sticky-note-542" from the flow definition, including its associated position
and data fields.
- Line 42: Update both references to sentinel_triage_code_node_123_code in the
sentinel-triage flow to point to `@scripts/sentinel-triage_code-node.ts`, matching
the existing script filename.
In
`@kits/sentinel-iq/model-configs/sentinel-triage_instructor-llmnode-808_generative-model-name.ts`:
- Around line 9-10: Replace the hardcoded account-specific credentialId in the
sentinel-triage model configuration with the cloned kit’s Lamatic credential
reference, using the project’s standard credential configuration mechanism
rather than embedding a fixed UUID.
In `@kits/sentinel-iq/prompts/sentinel-triage_instructor-llmnode-808_system_0.md`:
- Around line 1-16: The SentinelIQ system prompt lacks a defined format for the
required confidence field. Update the prompt’s severity guidance to include an
explicit “Confidence: low | medium | high” line, ensuring outputs match the
schema expected by the sentinel triage flow.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI (base), Organization UI (inherited)
Review profile: ASSERTIVE
Plan: Pro
Run ID: a8ccc454-1487-4e37-9489-9c26166cf50a
📒 Files selected for processing (5)
kits/sentinel-iq/apps/.env.examplekits/sentinel-iq/flows/sentinel-triage.tskits/sentinel-iq/model-configs/sentinel-triage_instructor-llmnode-808_generative-model-name.tskits/sentinel-iq/prompts/sentinel-triage_instructor-llmnode-808_system_0.mdkits/sentinel-iq/prompts/sentinel-triage_instructor-llmnode-808_user_1.md
|
Hi @amareshhebbar! 👋 Before this PR can be reviewed by maintainers, please resolve all comments and requested changes from the CodeRabbit automated review. Steps to follow:
This helps keep the review process efficient for everyone. Thank you! 🙏 |
|
Fixed everything from this round... added the script file that didn't get committed earlier, fixed the typo and duplicate email in lamatic.config.ts, fixed the step id mismatch, removed the empty sticky note, and added the confidence format line to the prompt. Studio check is passing now. Let me know if anything else is needed.And it;s ready for reviewing |
SentinelIQ — Security Incident Triage Agent
Triages raw security alerts (SIEM logs, EDR alerts, phishing reports) into severity-scored, MITRE ATT&CK-mapped incident reports with remediation steps.
Live demo: https://sentinel-iq-plum.vercel.app
What it does
Flow
API trigger → Code node (IOC extraction) → Generate JSON node (triage + ATT&CK mapping) → API response
Tested with
Brute force, phishing, and other alert types across the P1–P4 severity range.
Note
Demo deployment runs on Gemini's free tier (20 requests/day) — if the UI shows a quota message, that's expected, not a bug.
kits/sentinel-iq/README.md— SentinelIQ kit overview, setup/run steps, demo/quota notes, and flow reference.kits/sentinel-iq/agent.md— agent capabilities (IOC extraction, P1–P4 severity w/ confidence, ATT&CK mapping, remediation) and explicit non-goals.kits/sentinel-iq/constitutions/default.md— JSON-only output rules, allowed ATT&CK technique validation, confidence adjustments for sparse data, and “recommend only” behavior.kits/sentinel-iq/lamatic.config.ts— kit metadata and a mandatorysentinal-triagestep wired toSENTINAL_TRIAGE_FLOW_ID.kits/sentinel-iq/.gitignore— ignores local/deployment artifacts and sensitive env/build output.kits/sentinel-iq/scripts/sentinel-triage_code-node.ts— extracts and deduplicates IOCs (IPv4, domains, hashes, usernames) fromalert_text.kits/sentinel-iq/prompts/sentinel-triage_llm-node_system.mdandkits/sentinel-iq/prompts/sentinel-triage_llm-node_user.md— defines the triage schema (P1–P4, confidence, ATT&CK fields, IOC array, remediation steps) and supplies alert/IOC inputs.kits/sentinel-iq/prompts/sentinel-triage_instructor-llmnode-808_system_0.mdandkits/sentinel-iq/prompts/sentinel-triage_instructor-llmnode-808_user_1.md— instructor prompt content for the specific LLM node.kits/sentinel-iq/model-configs/sentinel-triage_instructor-llmnode-808_generative-model-name.ts— configures Gemini model (gemini-3.1-flash-lite).kits/sentinel-iq/flows/sentinel-triage.ts— defines the end-to-end workflow graph:triggerNode(“API Request”) acceptingalert_textdynamicNode(code)dynamicNodeinstructor LLM producing structured JSON (severity/confidence, ATT&CK tactic/technique, summary, IOCs, remediation)responseNodemapping instructor output fields into the HTTP JSON response (viaresponseEdge)stickyNoteNodein the graph (editor-only metadata)kits/sentinel-iq/apps/app/page.tsx— UI to paste alerts, trigger triage, render a queued results list and a details panel (including IOC chips and remediation steps), and handle quota-rate messaging.kits/sentinel-iq/apps/app/layout.tsxandkits/sentinel-iq/apps/app/globals.css— app layout and styling (dark theme, Tailwind setup).kits/sentinel-iq/apps/actions/orchestrate.ts— GraphQL-based workflow runner (triageAlert) that triggers execution, polls byrequestId, and returns the final result or errors/timeouts.kits/sentinel-iq/apps/lib/lamatic-client.ts— reads Lamatic env vars and resolves flow IDs for configured steps.apps/package.json,apps/package-lock.json,apps/tsconfig.json,apps/next.config.mjs,apps/next-env.d.ts,apps/tailwind.config.ts,apps/postcss.config.mjs.kits/sentinel-iq/apps/.env.example,kits/sentinel-iq/apps/.example.env,kits/sentinel-iq/apps/.gitignore.kits/sentinel-iq/assets/dashboard.png.