Engineered for institutional review.
OmniSentient is a Security Operating System for the software supply chain — not a scanner, not an alert pipe. This page documents the structural commitments that make that true. Every claim below is enforced in code, not policy.
From webhook to ledger — six hops, fully traced.
Every repository event flows through this pipeline. Each hop writes to the audit ledger before the next stage executes. There is no "fast path" that bypasses a stage.
GitHub Webhook
Push, workflow_job, check_run. Signature-verified at the edge, enqueued for the telemetry layer in <50ms.
Telemetry Pipeline
Normalizes and timestamps events, writes to the Audit Ledger before any downstream system reads them. Emits health signals to the dashboard.
Detection Engine
Correlates events across repositories, computes risk posture, and elevates anomalies into incidents. Read-only — never writes to code.
Incident Command
Structured lifecycle: OPEN → TRIAGED → CONTAINED → REMEDIATING → VERIFIED → CLOSED. Every transition logged.
Audit Ledger
Immutable, chronological event record. Every actor — system or human — produces an entry, correlation-linked across incidents, repos, and modules.
Security Insights
Aggregates ledger data into investigative views: posture trends, hotspot ranking, compliance evidence — all drillable to source events.
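The first hop above verifies the webhook signature before anything is parsed or queued. The following is an added illustration of that edge check, not OmniSentient's own code: it validates GitHub's `X-Hub-Signature-256` header (HMAC-SHA256 over the raw body, hex-encoded, prefixed `sha256=`) with a constant-time compare, drops event types the pipeline does not ingest, and only then hands the untouched body to a queue. The secret, the in-memory queue and the delivery-id replay cache are assumptions made for the example.

```python
import hashlib
import hmac
import time
from collections import deque
from typing import Dict, Optional, Tuple

# Hypothetical secret for this example; a deployment loads it from a secret store.
WEBHOOK_SECRET = b"example-webhook-secret"

# Event types the pipeline ingests, per the page; everything else is acknowledged and dropped.
ACCEPTED_EVENTS = {"push", "workflow_job", "check_run"}

# Constructed stand-ins for the telemetry ingress queue and a delivery-id replay cache.
TELEMETRY_QUEUE: deque = deque()
SEEN_DELIVERIES: set = set()


def sign_payload(secret: bytes, body: bytes) -> str:
    """Produce the value GitHub sends in X-Hub-Signature-256 (used here to build test input)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """True only if header is 'sha256=<hex HMAC-SHA256(secret, raw body)>'."""
    if not header or not header.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    return hmac.compare_digest(expected.encode(), header.encode())


def handle_webhook(headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Edge handler. Verifies before parsing; on any failure nothing is enqueued."""
    if not verify_signature(WEBHOOK_SECRET, body, headers.get("X-Hub-Signature-256")):
        return 401, "signature missing or invalid"
    event = headers.get("X-GitHub-Event", "")
    if event not in ACCEPTED_EVENTS:
        return 204, "event type not ingested"
    delivery = headers.get("X-GitHub-Delivery")
    if not delivery:
        return 400, "missing delivery id"
    if delivery in SEEN_DELIVERIES:
        # Assumption: a GitHub redelivery is an idempotent no-op, not a second ledger entry.
        return 200, "duplicate delivery"
    SEEN_DELIVERIES.add(delivery)
    # The raw body is passed through untouched; normalisation happens in the telemetry stage.
    TELEMETRY_QUEUE.append({"delivery": delivery, "event": event,
                            "received_at": time.time(), "body": body})
    return 202, "enqueued"
```

The order of checks is the point: the signature is verified over the raw bytes before any JSON parsing, so a malformed or forged payload never reaches a parser, and the 401 path does the same work regardless of which header was missing.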
Core services that enforce the contract.
Five services run on every request. Each has a single responsibility and a single failure mode: deny. There is no privileged path that bypasses any of them.
| Service | Responsibility | Contract |
|---|---|---|
| AuditService | Sovereign forensic query layer. Centralizes ledger reads with canonical filter contract (cid, repo, mod, res, range). | 24h default scope · 100-row pagination · TTL-cached health signal. |
| AuthGuard | Endpoint authorization for all platform surfaces. JWT verification, RBAC resolution, CSRF enforcement. | Server-authoritative. Viewer mutations BLOCKED pre-handler. UI suppression is cosmetic only. |
| TelemetryMonitor | Evaluates pipeline health by checking freshness of the latest audit event. Emits status: healthy / delayed / stale. | 60-second TTL cache. No background threads — evaluated at request time. |
| DetectionEngine | Risk scoring, posture computation, anomaly correlation. Feeds the Sentinel Intelligence surface. | Non-mutative read path only. Never writes to repository code. |
| RemediationEngine | Generates structured remediation proposals as Pull Requests. Evaluates delta, constructs patch, opens PR via GitHub API. | Zero-write principle: no force-pushes, no merges. HUMAN APPROVAL required. |
Role resolution is the only authority.
Roles are resolved server-side from verified JWT claims — never from request bodies, never from cookies. Every mutation is gated. Below: who can do what, and how to interrogate the audit trail.
| Role | Mutations | Audit access |
|---|---|---|
| owner | Full | Full |
| admin | Full | Full |
| developer | Scoped | Limited |
| security_lead | Incident-scoped | Full |
| viewer | BLOCKED | Read-only |
| auditor | BLOCKED | Full (read) |
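An added example of the AuthGuard contract as the table describes it, written for this page rather than taken from OmniSentient: roles come only from a verified JWT, a `role` field in the request body is ignored, viewer and auditor mutations are refused before any handler runs, and every failure (no token, malformed token, bad signature, `alg=none`, missing claims, even an unexpected exception) ends in 401 or 403. It also shows the anti-enumeration behaviour described further down the page: a project lookup returns the same 403 whether the project is in another tenant or does not exist. The HS256 key, the `PROJECTS` store and the function names are assumptions; a real verifier would use the identity provider's public keys.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Callable, Dict, Optional, Tuple

# Hypothetical HS256 key for this example; a real deployment verifies against a JWKS.
JWT_KEY = b"example-hs256-key"

# Mutation rights per role, transcribed from the role table above. "scoped" rights are
# narrowed further by per-resource checks that this example does not model.
MUTATION_RIGHTS: Dict[str, Optional[str]] = {
    "owner": "full", "admin": "full", "developer": "scoped",
    "security_lead": "incident-scoped", "viewer": None, "auditor": None,
}

# Constructed tenant store: org_id -> project ids it owns.
PROJECTS = {"org-a": {"proj-1"}, "org-b": {"proj-2"}}


class Deny(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status, self.reason = status, reason


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: Dict[str, Any]) -> str:
    """Issue an HS256 JWT (test helper standing in for the identity provider)."""
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def resolve_principal(token: Optional[str]) -> Dict[str, Any]:
    """Return verified claims or raise Deny(401). Every failure path ends in denial."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            raise Deny(401, "unsupported alg")           # rejects alg=none and key confusion
        expected = hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise Deny(401, "bad signature")
        claims = json.loads(b64url_decode(body))
    except Deny:
        raise
    except Exception:                                     # None, wrong segment count, bad base64/JSON
        raise Deny(401, "malformed token")
    if (not isinstance(claims, dict) or not isinstance(claims.get("sub"), str)
            or claims.get("role") not in MUTATION_RIGHTS
            or not isinstance(claims.get("org_id"), str)):
        raise Deny(401, "missing or unknown claims")
    return claims


def authorize_mutation(token: Optional[str], request_body: Dict[str, Any]) -> Dict[str, Any]:
    """Gate for any mutating endpoint. The body's own 'role' field is never consulted."""
    claims = resolve_principal(token)
    if MUTATION_RIGHTS[claims["role"]] is None:
        raise Deny(403, "role may not mutate")
    return claims


def authorize_project_read(token: Optional[str], org_id: str, project_id: str) -> Dict[str, Any]:
    """Anti-enumeration: wrong tenant, unknown org and unknown project all yield the same 403."""
    claims = resolve_principal(token)
    if claims["org_id"] != org_id or project_id not in PROJECTS.get(org_id, set()):
        raise Deny(403, "forbidden")
    return claims


def guard(handler: Callable[..., Dict[str, Any]], *args: Any) -> Tuple[int, str]:
    """Fail-closed wrapper: Deny maps to its status; any other error is also a denial."""
    try:
        handler(*args)
        return 200, "ok"
    except Deny as d:
        return d.status, d.reason
    except Exception:
        return 403, "authorization error"                # e.g. a DB error never falls through open
```

Note that `authorize_project_read` deliberately does not distinguish "no such org" from "not your org": the status, the reason string and the amount of work are the same on both paths, which is what makes the 403 useless as an existence oracle.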
| Parameter | Resolves to |
|---|---|
| ?cid= | Correlation ID — links incident to all its audit events |
| ?repo= | Repository full name filter |
| ?mod= | Module origin filter (detection, remediation, etc.) |
| ?res= | Result filter (success, denied, mutated) |
| ?range= | Time window (24h, 7d, 30d) |
Same parameters work identically on every forensic endpoint — the deep-link schema is part of the public contract.
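The following is an added example, not OmniSentient's AuditService, of the read path these parameters describe: one parser for the `cid`, `repo`, `mod`, `res` and `range` deep-link contract with the 24h default and fixed 100-row pages from the services table, and one query function that binds the tenant first, from the caller's verified session rather than from a query parameter, so the same correlation id in two orgs never leaks across. The `page` parameter, the `Entry` shape, the fixed `DEMO_NOW` clock and the sample ledger rows are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# The ?range= vocabulary and the fixed page size from the AuditService contract.
RANGES = {"24h": timedelta(hours=24), "7d": timedelta(days=7), "30d": timedelta(days=30)}
PAGE_SIZE = 100

# Fixed clock so the constructed data below is reproducible.
DEMO_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Entry:
    ts: datetime
    org_id: str
    cid: str      # correlation id
    repo: str
    mod: str      # module origin
    res: str      # result: success / denied / mutated
    actor: str


@dataclass(frozen=True)
class Filter:
    cid: Optional[str] = None
    repo: Optional[str] = None
    mod: Optional[str] = None
    res: Optional[str] = None
    window: timedelta = RANGES["24h"]
    page: int = 0


def parse_filter(params: Dict[str, str]) -> Filter:
    """Parse the canonical deep-link parameters. An absent range means 24h; an unknown
    range is an error rather than a silently widened window."""
    range_key = params.get("range", "24h")
    if range_key not in RANGES:
        raise ValueError(f"unsupported range {range_key!r}")
    page = int(params.get("page", "0"))            # assumption: 0-based page index
    if page < 0:
        raise ValueError("page must be >= 0")
    return Filter(cid=params.get("cid"), repo=params.get("repo"), mod=params.get("mod"),
                  res=params.get("res"), window=RANGES[range_key], page=page)


def query_ledger(ledger: List[Entry], org_id: str, f: Filter,
                 now: Optional[datetime] = None) -> List[Entry]:
    """Read path shared by every forensic endpoint. org_id comes from the caller's verified
    session, never from the query string, and is applied before any other predicate."""
    now = now or datetime.now(timezone.utc)
    since = now - f.window
    rows = [e for e in ledger
            if e.org_id == org_id
            and e.ts >= since
            and (f.cid is None or e.cid == f.cid)
            and (f.repo is None or e.repo == f.repo)
            and (f.mod is None or e.mod == f.mod)
            and (f.res is None or e.res == f.res)]
    rows.sort(key=lambda e: e.ts, reverse=True)     # newest first
    start = f.page * PAGE_SIZE
    return rows[start:start + PAGE_SIZE]


def sample_ledger(now: datetime) -> List[Entry]:
    """Constructed data for this example: two tenants sharing a correlation id."""
    rows = [Entry(now - timedelta(minutes=i), "org-a", "cid-bulk", "acme/api",
                  "detection", "success", "system")
            for i in range(1, 251)]                 # 250 rows inside the last 24h
    rows += [
        Entry(now - timedelta(hours=2), "org-a", "cid-42", "acme/web", "detection", "success", "system"),
        Entry(now - timedelta(days=3), "org-a", "cid-42", "acme/web", "remediation", "mutated", "system"),
        Entry(now - timedelta(hours=30), "org-a", "cid-7", "acme/api", "auth", "denied", "user:carol"),
        Entry(now - timedelta(hours=1), "org-b", "cid-42", "other/app", "detection", "success", "system"),
    ]
    return rows
```

Because every endpoint calls the same `parse_filter` and `query_ledger`, a URL such as `?cid=cid-42&range=7d` resolves to the same rows whichever forensic view it is pasted into, which is what makes the deep link a stable contract.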
Six principles, encoded in the platform.
These are not aspirations. Each principle is enforced at the infrastructure layer and is observable in the audit ledger.
Zero-Write Principle
OmniSentient never commits code directly. All remediation arrives as a Pull Request and requires human approval before merge.
Read-Only Ingestion
The telemetry pipeline reads dependency manifests only. Source code is read only along an identified vulnerability path, never wholesale, and only by the stage that needs it.
Fail-Closed Authorization
Any authorization failure defaults to denial. DB errors, malformed JWTs, missing claims — all resolve to 401/403, never to escalated privilege.
Org-Scoped Isolation
Every database query is scoped by org_id at the query layer. Cross-tenant data access is structurally impossible — not just policy-guarded.
Non-Repudiable Audit
Every state transition records UTC timestamp, actor identity, and module origin. Records are append-only — no edits, no soft-deletes.
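An added example, written for this page and not taken from OmniSentient, of the two commitments above applied to the Incident Command lifecycle: a ledger type whose only write operation is `append`, with frozen rows carrying a UTC timestamp, actor identity, module origin and correlation id, and an incident whose transitions are written to that ledger before the in-memory state changes. Rejected transitions are recorded too, with result `denied`, since the page says every actor produces an entry. The assumption that transitions move exactly one step forward (no skips, no reopening from CLOSED) is made for the example; the page gives the order of states but not the allowed skips.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Lifecycle from the Incident Command stage. Assumption for this example: transitions move
# one step forward only; the page gives the order but not which skips, if any, are allowed.
STATES = ("OPEN", "TRIAGED", "CONTAINED", "REMEDIATING", "VERIFIED", "CLOSED")
NEXT = {STATES[i]: STATES[i + 1] for i in range(len(STATES) - 1)}


@dataclass(frozen=True)       # frozen: a row cannot be edited once appended
class LedgerRow:
    seq: int
    ts: str                   # UTC ISO-8601
    actor: str
    module: str
    cid: str
    action: str
    result: str               # success / denied


class AppendOnlyLedger:
    """The only write operation is append; there is no update or delete method."""

    def __init__(self) -> None:
        self._rows: List[LedgerRow] = []

    def append(self, *, actor: str, module: str, cid: str, action: str, result: str) -> LedgerRow:
        row = LedgerRow(len(self._rows), datetime.now(timezone.utc).isoformat(),
                        actor, module, cid, action, result)
        self._rows.append(row)
        return row

    def rows(self, cid: Optional[str] = None) -> Tuple[LedgerRow, ...]:
        """Read view, optionally narrowed to one correlation id; returns an immutable tuple."""
        return tuple(r for r in self._rows if cid is None or r.cid == cid)


class Incident:
    def __init__(self, cid: str, ledger: AppendOnlyLedger, actor: str = "system:detection") -> None:
        self.cid, self.state, self._ledger = cid, "OPEN", ledger
        ledger.append(actor=actor, module="detection", cid=cid, action="OPEN", result="success")

    def transition(self, to: str, *, actor: str, module: str = "incident_command") -> bool:
        """Apply a transition. Accepted and rejected attempts are both written to the ledger,
        and the ledger write happens before the in-memory state changes."""
        action = f"{self.state}->{to}"
        if NEXT.get(self.state) != to:
            self._ledger.append(actor=actor, module=module, cid=self.cid, action=action, result="denied")
            return False
        self._ledger.append(actor=actor, module=module, cid=self.cid, action=action, result="success")
        self.state = to
        return True
```

Two details carry the non-repudiation property: the sequence number is assigned by the ledger, not the caller, so a gap or reorder is detectable, and the ledger has no code path that can alter a row once `append` returns.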
Anti-Enumeration
Unauthorized access to any org or project returns 403, not 404, whether the target does not exist or the caller simply may not see it, so the status code cannot be used as an oracle for tenant existence. A uniform status closes the response-based channel; the lookup path must also do the same work in both cases for timing not to leak.
Audit Ledger Stream
Sample entries in illustrative format; real ledger entries are accessible via the Audit Ledger Spec.
Ready for institutional review?
The Trust Center carries our security model, data handling policy, and compliance profile. The audit ledger spec covers verification methodology.