Skip to content

feat: Add sentinel-iq kit#209

Open
amareshhebbar wants to merge 22 commits into
Lamatic:mainfrom
amareshhebbar:feat/sentinel-iq
Open

feat: Add sentinel-iq kit#209
amareshhebbar wants to merge 22 commits into
Lamatic:mainfrom
amareshhebbar:feat/sentinel-iq

Conversation

@amareshhebbar

@amareshhebbar amareshhebbar commented Jul 10, 2026

Copy link
Copy Markdown

SentinelIQ — Security Incident Triage Agent

Triages raw security alerts (SIEM logs, EDR alerts, phishing reports) into severity-scored, MITRE ATT&CK-mapped incident reports with remediation steps.

Live demo: https://sentinel-iq-plum.vercel.app

What it does

  • Extracts IOCs (IPs, domains, hashes, usernames) from raw alert text
  • Classifies severity P1–P4 with confidence
  • Maps to MITRE ATT&CK tactics/techniques
  • Generates remediation steps
  • Dashboard queue view with sample alerts to try

Flow

API trigger → Code node (IOC extraction) → Generate JSON node (triage + ATT&CK mapping) → API response

Tested with

Brute force, phishing, and other alert types across the P1–P4 severity range.

Note

Demo deployment runs on Gemini's free tier (20 requests/day) — if the UI shows a quota message, that's expected, not a bug.

  • Added/updated kit docs & configuration:
    • kits/sentinel-iq/README.md — SentinelIQ kit overview, setup/run steps, demo/quota notes, and flow reference.
    • kits/sentinel-iq/agent.md — agent capabilities (IOC extraction, P1–P4 severity w/ confidence, ATT&CK mapping, remediation) and explicit non-goals.
    • kits/sentinel-iq/constitutions/default.md — JSON-only output rules, allowed ATT&CK technique validation, confidence adjustments for sparse data, and “recommend only” behavior.
    • kits/sentinel-iq/lamatic.config.ts — kit metadata and a mandatory sentinal-triage step wired to SENTINAL_TRIAGE_FLOW_ID.
    • kits/sentinel-iq/.gitignore — ignores local/deployment artifacts and sensitive env/build output.
  • Added triage processing logic:
    • kits/sentinel-iq/scripts/sentinel-triage_code-node.ts — extracts and deduplicates IOCs (IPv4, domains, hashes, usernames) from alert_text.
    • kits/sentinel-iq/prompts/sentinel-triage_llm-node_system.md and kits/sentinel-iq/prompts/sentinel-triage_llm-node_user.md — defines the triage schema (P1–P4, confidence, ATT&CK fields, IOC array, remediation steps) and supplies alert/IOC inputs.
    • kits/sentinel-iq/prompts/sentinel-triage_instructor-llmnode-808_system_0.md and kits/sentinel-iq/prompts/sentinel-triage_instructor-llmnode-808_user_1.md — instructor prompt content for the specific LLM node.
    • kits/sentinel-iq/model-configs/sentinel-triage_instructor-llmnode-808_generative-model-name.ts — configures Gemini model (gemini-3.1-flash-lite).
  • Added the Lamatic flow definition:
    • kits/sentinel-iq/flows/sentinel-triage.ts — defines the end-to-end workflow graph:
      • triggerNode (“API Request”) accepting alert_text
      • IOC extraction dynamicNode (code)
      • dynamicNode instructor LLM producing structured JSON (severity/confidence, ATT&CK tactic/technique, summary, IOCs, remediation)
      • responseNode mapping instructor output fields into the HTTP JSON response (via responseEdge)
      • includes a stickyNoteNode in the graph (editor-only metadata)
  • Added the dashboard + API integration (Next.js app):
    • kits/sentinel-iq/apps/app/page.tsx — UI to paste alerts, trigger triage, render a queued results list and a details panel (including IOC chips and remediation steps), and handle quota-rate messaging.
    • kits/sentinel-iq/apps/app/layout.tsx and kits/sentinel-iq/apps/app/globals.css — app layout and styling (dark theme, Tailwind setup).
    • kits/sentinel-iq/apps/actions/orchestrate.ts — GraphQL-based workflow runner (triageAlert) that triggers execution, polls by requestId, and returns the final result or errors/timeouts.
    • kits/sentinel-iq/apps/lib/lamatic-client.ts — reads Lamatic env vars and resolves flow IDs for configured steps.
    • Frontend config/support files: apps/package.json, apps/package-lock.json, apps/tsconfig.json, apps/next.config.mjs, apps/next-env.d.ts, apps/tailwind.config.ts, apps/postcss.config.mjs.
    • Env/ignore templates: kits/sentinel-iq/apps/.env.example, kits/sentinel-iq/apps/.example.env, kits/sentinel-iq/apps/.gitignore.
  • Added visual preview:
    • kits/sentinel-iq/assets/dashboard.png.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@amareshhebbar, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 7 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: b94a8265-7895-4208-b1f0-e91f13e33f7a

📥 Commits

Reviewing files that changed from the base of the PR and between b51e696 and eeb673b.

📒 Files selected for processing (5)
  • kits/sentinel-iq/.gitignore
  • kits/sentinel-iq/apps/.gitignore
  • kits/sentinel-iq/flows/sentinel-triage.ts
  • kits/sentinel-iq/lamatic.config.ts
  • kits/sentinel-iq/scripts/sentinel-triage_code-node-123_code.ts

Walkthrough

Changes

SentinelIQ adds a security incident triage kit with IOC extraction, structured ATT&CK-based classification prompts, Lamatic workflow orchestration, and a Next.js dashboard for submitting alerts and reviewing results.

SentinelIQ triage flow

Layer / File(s) Summary
Triage contracts and processing
kits/sentinel-iq/constitutions/default.md, kits/sentinel-iq/prompts/*, kits/sentinel-iq/scripts/*, kits/sentinel-iq/flows/*, kits/sentinel-iq/model-configs/*, kits/sentinel-iq/lamatic.config.ts, kits/sentinel-iq/apps/lib/*
Defines JSON output constraints, severity and ATT&CK mappings, model settings, workflow structure, IOC extraction, flow metadata, and environment-based flow resolution.
Lamatic workflow orchestration
kits/sentinel-iq/apps/actions/*, kits/sentinel-iq/apps/.example.env, kits/sentinel-iq/apps/.env.example
Executes authenticated GraphQL workflow requests, polls execution status, and handles success, failure, and timeout states.
Next.js dashboard and app foundation
kits/sentinel-iq/apps/app/*, kits/sentinel-iq/apps/package.json, kits/sentinel-iq/apps/tsconfig.json, kits/sentinel-iq/apps/*config*, kits/sentinel-iq/apps/next-env.d.ts, kits/sentinel-iq/apps/.gitignore, kits/sentinel-iq/.gitignore
Adds the Next.js application shell, Tailwind styling, alert submission UI, triage queue, result details, and local artifact exclusions.
Kit documentation and usage notes
kits/sentinel-iq/README.md, kits/sentinel-iq/agent.md
Documents capabilities, setup, flow composition, deployment notes, agent outputs, and non-goals.

Suggested reviewers: amanintech, d-pamneja

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description summarizes the feature, but it omits the required PR Checklist/template sections and several file-structure and validation details. Rewrite the PR description to match the repository template and include the checklist items, file structure details, and validation status.
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately summarizes the main change: adding the SentinelIQ kit.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

:robot_face: AgentKit Structural Validation

New Contributions Detected

  • Kit: kits/sentinel-iq

Check Results

Check Status
No edits to existing kits ✅ Pass
Required root files present ✅ Pass
Flow .ts files present ✅ Pass
lamatic.config.ts valid ✅ Pass
No changes outside kits/ ✅ Pass

⚠️ Warnings

  • kits/sentinel-iq is missing .env.example — bundles and kits should include one

🎉 All checks passed! This contribution follows the AgentKit structure.

@github-actions

Copy link
Copy Markdown
Contributor

Failure recorded at 2026-07-10T09:43:46Z UTC. If this PR is not fixed within 4 weeks it will be automatically closed.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 26

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@kits/sentinel-iq/.gitignore`:
- Around line 1-7: Remove the redundant `.env.*`, `.env`, and `.env.local`
entries from the `.gitignore`, and replace the broad `.env*` pattern with
explicit environment-file patterns that continue ignoring local secrets while
allowing `.env.example` to be committed.

In `@kits/sentinel-iq/agent.md`:
- Line 18: Add exactly one trailing newline to kits/sentinel-iq/agent.md after
the final content, preserving all existing text.
- Around line 1-10: Correct the introductory documentation for the SentinelIQ
agent: use “SentinelIQ,” “security,” and “severity,” change “an alert of” to “an
alert from,” remove the extra space before the closing parenthesis, and use
“domains” in the IOC capability description.

In `@kits/sentinel-iq/apps/.gitignore`:
- Around line 1-2: Add a negation rule for .env.example immediately after the
.env* ignore pattern in the gitignore, so the required example environment file
remains tracked while other environment files stay ignored.

In `@kits/sentinel-iq/apps/actions/orchestrate.ts`:
- Around line 1-6: Replace the raw environment-based Lamatic configuration and
fetch usage in the orchestrate action with the parent kit’s
`../../lamatic.config` and the `lamatic` SDK. Use the imported config’s step
definitions and SDK methods for invoking the Sentinel triage flow, removing
direct `SENTINEL_TRIAGE_FLOW_ID` access and any raw API request logic.
- Around line 60-71: Guard the success path in the polling loop by applying
optional chaining to the nested access in the status handling logic around
checkStatus, matching the existing failed/error branch. Safely retrieve
data.output.result and handle an absent value according to the function’s
expected return behavior instead of allowing a TypeError.
- Around line 8-22: Update graphqlRequest to enforce a finite fetch timeout
using an AbortController or AbortSignal.timeout, and pass the signal to fetch.
Validate res.ok immediately after the request and throw a descriptive error for
non-2xx responses before parsing the body; retain the existing GraphQL error
validation for successful responses.
- Around line 39-40: Replace the full `console.error` response logging in
`executeWorkflow` with a minimal, non-sensitive status or identifier log. Safely
access `data.executeWorkflow.result.requestId` using optional chaining and
validate the result, handling missing response fields with a clear error or
fallback instead of allowing an unhelpful TypeError.

In `@kits/sentinel-iq/apps/app/globals.css`:
- Around line 5-8: Replace the hardcoded background and text colors in the body
rule with CSS custom properties, define the corresponding variables according to
the kit’s Tailwind v4 `@theme` conventions, and reference those variables from
body.

In `@kits/sentinel-iq/apps/app/page.tsx`:
- Around line 6-15: Align TriageResult.confidence with the schema in
sentinel-triage_llm-node_system.md: choose whether confidence is numeric or
textual, then update both the prompt and the TriageResult interface
consistently; if it represents a 0–100 score, type it as a number and ensure
parsing/validation handles numeric LLM output.
- Around line 86-93: Replace index-based React keys in the sample alerts, queue
items, IOC list, and remediation steps by using stable item-specific
identifiers; use each sample alert string for the static sample list and
appropriate unique fields for the other mapped objects, updating the map
callbacks as needed. In particular, fix the queue rendering associated with the
prepend operation in the relevant queue state logic so reordering cannot reuse
incorrect component instances.
- Around line 121-148: Make confidence formatting consistent across the queue
and detail views by updating the queue item rendering in the list map to append
“%” to item.confidence, matching the selected confidence display in the detail
panel.
- Around line 47-55: Correct the typo in the non-quota error message within the
catch block of the page component: update “must have exhasted” to “must have
exhausted” in the setError call.

In `@kits/sentinel-iq/apps/lib/lamatic-client.ts`:
- Around line 3-7: Replace the non-null assertions in lamaticConfig with
explicit startup validation for LAMATIC_API_KEY, LAMATIC_PROJECT_ID, and
LAMATIC_API_URL; throw a clear error identifying any missing variable before
constructing the configuration, then expose validated string values.

In `@kits/sentinel-iq/apps/package.json`:
- Around line 10-22: Add lamatic, shadcn/ui-required dependencies,
react-hook-form, zod, and lucide-react to the appropriate dependency section in
the package manifest, using versions compatible with the existing Next.js and
React versions; ensure the kit app code imports these packages where required.

In `@kits/sentinel-iq/apps/tailwind.config.ts`:
- Around line 1-16: Upgrade the sentinel-iq kit’s tailwindcss dependency in
package.json to v4+, replace the v3 directives in app/globals.css with `@import`
"tailwindcss" and define p1–p4 under an `@theme` block, and remove the obsolete
tailwind.config.ts or retain only settings required for compatibility.

In `@kits/sentinel-iq/constitutions/default.md`:
- Around line 4-6: Correct the typos in the constitution guardrails: update “te
reference table” to “the reference table” in the ATT&CK technique rule, remove
“it” so the sparse-alert rule says “reduce the confidence,” and change “to taken
an action” to “to have taken an action” in the action-claim rule.

In `@kits/sentinel-iq/lamatic.config.ts`:
- Around line 2-4: Correct the metadata typos in the kit configuration: update
the `name` value from “SentinalIQ” to “SentinelIQ” and change the description
wording from “intosevernity” to “into severity” in the exported configuration
object.
- Around line 14-17: In the sentinel-triage step configuration, update the
property name from envkey to envKey to match the contract expected by
getFlowId() in lamatic-client.ts, and correct the environment variable value
from SENTINAL_TRIAGE_FLOW_ID to SENTINEL_TRIAGE_FLOW_ID so it matches
orchestrate.ts and .example.env.

In `@kits/sentinel-iq/prompts/sentinel-triage_llm-node_system.md`:
- Around line 1-31: Add a top-level Markdown heading before the existing
SentinelIQ prompt content, preserving the prompt text and JSON schema unchanged,
and ensure the file ends with exactly one trailing newline to satisfy
markdownlint rules MD041 and MD047.
- Line 22: Clarify the confidence value in the prompt schema and align it with
the downstream TriageResult type in page.tsx. Choose one
representation—preferably a numeric value for a 0–100 score or explicitly a
string—and update both the prompt example and TriageResult.confidence
consistently, preserving the percentage rendering in the selected result
display.

In `@kits/sentinel-iq/README.md`:
- Line 5: Update the Live demo URL in the README to the canonical deployment
https://sentinel-iq-plum.vercel.app instead of the current URL.
- Line 9: Resolve Markdown lint failures in README.md by adding blank lines
after the What it does, Setup, Flow, and quota headings, and ensure the file
ends with exactly one newline.
- Line 23: Unify the flow ID environment variable name across the kit: update
the misspelled SENTINAL_TRIAGE_FLOW_ID declaration in lamatic.config.ts to
SENTINEL_TRIAGE_FLOW_ID, matching the README and apps/actions/orchestrate.ts
references.
- Line 18: Resolve the environment template naming mismatch in the Sentinel IQ
setup documentation: provide the template as apps/.env.example, matching the
existing cp .env.example .env.local command and kit convention. Update the
referenced template file or configuration accordingly, without changing the
command.

In `@kits/sentinel-iq/scripts/sentinel-triage_code-node.ts`:
- Line 2: Update the ipRegex declaration to validate each IPv4 octet is within
0–255 instead of accepting any one-to-three-digit value, while preserving
matching of complete dotted IPv4 addresses and global scanning behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4f3e7ce1-c656-465c-95ca-7009cb930022

📥 Commits

Reviewing files that changed from the base of the PR and between dafde4c and 639d2ee.

⛔ Files ignored due to path filters (2)
  • kits/sentinel-iq/apps/package-lock.json is excluded by !**/package-lock.json
  • kits/sentinel-iq/assets/dashboard.png is excluded by !**/*.png
📒 Files selected for processing (21)
  • kits/sentinel-iq/.gitignore
  • kits/sentinel-iq/README.md
  • kits/sentinel-iq/agent.md
  • kits/sentinel-iq/apps/.example.env
  • kits/sentinel-iq/apps/.gitignore
  • kits/sentinel-iq/apps/actions/orchestrate.ts
  • kits/sentinel-iq/apps/app/globals.css
  • kits/sentinel-iq/apps/app/layout.tsx
  • kits/sentinel-iq/apps/app/page.tsx
  • kits/sentinel-iq/apps/lib/lamatic-client.ts
  • kits/sentinel-iq/apps/next-env.d.ts
  • kits/sentinel-iq/apps/next.config.mjs
  • kits/sentinel-iq/apps/package.json
  • kits/sentinel-iq/apps/postcss.config.mjs
  • kits/sentinel-iq/apps/tailwind.config.ts
  • kits/sentinel-iq/apps/tsconfig.json
  • kits/sentinel-iq/constitutions/default.md
  • kits/sentinel-iq/lamatic.config.ts
  • kits/sentinel-iq/prompts/sentinel-triage_llm-node_system.md
  • kits/sentinel-iq/prompts/sentinel-triage_llm-node_user.md
  • kits/sentinel-iq/scripts/sentinel-triage_code-node.ts

Comment thread kits/sentinel-iq/.gitignore
Comment thread kits/sentinel-iq/agent.md
Comment thread kits/sentinel-iq/agent.md
Comment thread kits/sentinel-iq/apps/.gitignore Outdated
Comment thread kits/sentinel-iq/apps/actions/orchestrate.ts
Comment thread kits/sentinel-iq/README.md
Comment thread kits/sentinel-iq/README.md
Comment thread kits/sentinel-iq/README.md
Comment thread kits/sentinel-iq/README.md
Comment thread kits/sentinel-iq/scripts/sentinel-triage_code-node.ts Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@kits/sentinel-iq/flows/sentinel-triage.ts`:
- Around line 12-15: Remove the personal email value from the meta.author.email
field in the sentinel triage metadata, or replace it with a non-personal
project/team identifier while preserving the author metadata structure.
- Around line 49-65: Remove the empty sticky note node identified by id
"sticky-note-542" from the flow definition, including its associated position
and data fields.
- Line 42: Update both references to sentinel_triage_code_node_123_code in the
sentinel-triage flow to point to `@scripts/sentinel-triage_code-node.ts`, matching
the existing script filename.

In
`@kits/sentinel-iq/model-configs/sentinel-triage_instructor-llmnode-808_generative-model-name.ts`:
- Around line 9-10: Replace the hardcoded account-specific credentialId in the
sentinel-triage model configuration with the cloned kit’s Lamatic credential
reference, using the project’s standard credential configuration mechanism
rather than embedding a fixed UUID.

In `@kits/sentinel-iq/prompts/sentinel-triage_instructor-llmnode-808_system_0.md`:
- Around line 1-16: The SentinelIQ system prompt lacks a defined format for the
required confidence field. Update the prompt’s severity guidance to include an
explicit “Confidence: low | medium | high” line, ensuring outputs match the
schema expected by the sentinel triage flow.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: a8ccc454-1487-4e37-9489-9c26166cf50a

📥 Commits

Reviewing files that changed from the base of the PR and between 639d2ee and b51e696.

📒 Files selected for processing (5)
  • kits/sentinel-iq/apps/.env.example
  • kits/sentinel-iq/flows/sentinel-triage.ts
  • kits/sentinel-iq/model-configs/sentinel-triage_instructor-llmnode-808_generative-model-name.ts
  • kits/sentinel-iq/prompts/sentinel-triage_instructor-llmnode-808_system_0.md
  • kits/sentinel-iq/prompts/sentinel-triage_instructor-llmnode-808_user_1.md

Comment thread kits/sentinel-iq/flows/sentinel-triage.ts
Comment thread kits/sentinel-iq/flows/sentinel-triage.ts
Comment thread kits/sentinel-iq/flows/sentinel-triage.ts Outdated
@github-actions

Copy link
Copy Markdown
Contributor

Hi @amareshhebbar! 👋

Before this PR can be reviewed by maintainers, please resolve all comments and requested changes from the CodeRabbit automated review.

Steps to follow:

  1. Read through all CodeRabbit comments carefully
  2. Address each issue raised (or reply explaining why you disagree)
  3. Push your fixes as new commits
  4. Once all issues are resolved, comment here so we can re-review

This helps keep the review process efficient for everyone. Thank you! 🙏

@amareshhebbar

Copy link
Copy Markdown
Author

Fixed everything from this round... added the script file that didn't get committed earlier, fixed the typo and duplicate email in lamatic.config.ts, fixed the step id mismatch, removed the empty sticky note, and added the confidence format line to the prompt.

Studio check is passing now.

Let me know if anything else is needed.And it;s ready for reviewing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant