Sentinel Gateway adds tool-scoped execution controls for agents
Sentinel Gateway promoted tool-scoped execution controls, Agent v0 shipped OS sandboxing plus hash-chain logs, and NeoBild published a 336-round Termux CVE loop. Use these controls to constrain agent actions and run security analysis locally.

TL;DR
- Sentinel Gateway's Reddit launch post framed agent security as an execution-layer problem, and the linked Sentinel live demo shows that idea as scoped tokens plus per-tool enforcement.
- Agent v0's launch post shipped the same basic posture in a terminal orchestrator, with the GitHub README listing OS sandboxing, YAML permission policies, and hash-chained audit logs.
- NeoLogic_Dev's LocalLLM post pushed the pattern all the way onto a phone, and the NeoBild repo documents a four-agent Termux loop running Qwen2.5-Coder-1.5B through MNN Chat.
- In practice the three projects converge on the same boring, useful idea: constrain what agents can do, log what they tried, and keep the risky work close to the machine you control, as Sentinel's thread and Agent v0's feature list both make explicit.
You can try Sentinel's browser demo, browse Agent v0's security architecture, and inspect NeoBild's Termux orchestrator. The overlap is unusually clean. Sentinel limits tool calls with short-lived scoped tokens, Agent v0 wraps agents in OS sandboxes and policy checks, and NeoBild runs a four-persona CVE loop fully local on a Redmi phone.
Sentinel Gateway
Agentic AI You Can Actually Trust
According to Sentinel's post, prompt injection is not something an agent can reason its way out of after the fact. The control point is the tool layer: if delete, write, or outbound actions are out of scope, the model never gets to improvise its way into them.
The live demo page makes that concrete. Demo agents only get file_read, web_read, and agent_talk; write, delete, email, calendar, and database actions are disabled, every run requires a 120-second scoped token, and the page says blocked as well as executed actions land in an audit log.
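The shape the demo describes, a short-lived scoped token checked on every tool call with both outcomes audited, as an added example written for this page rather than Sentinel Gateway's own code. The token encoding, the signing key, the tool names beyond the demo's list and the audit-entry fields are assumptions made for illustration.

```python
"""Tool-scoped execution gate: a short-lived scoped token checked on every tool call.

Added example, not Sentinel Gateway's code. The token encoding, the signing key,
the tool names beyond the demo's list and the audit entry shape are assumptions.
"""
import hashlib
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional

SIGNING_KEY = b"gateway-signing-key"      # assumed; a real gateway loads this from a keystore
TOKEN_TTL = 120                            # the demo page's 120-second scope window
DEMO_TOOLS = frozenset({"file_read", "web_read", "agent_talk"})   # what demo agents get
KNOWN_TOOLS = DEMO_TOOLS | {"write", "delete", "email", "calendar", "database"}  # disabled in the demo
AUDIT_LOG: list = []                       # in memory here; a real gateway persists it


def _b64(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(agent: str, tools, now: Optional[float] = None, ttl: int = TOKEN_TTL) -> str:
    """Mint an HMAC-SHA256 token binding an agent to a tool allowlist and an expiry."""
    now = time.time() if now is None else now
    claims = {"agent": agent, "tools": sorted(set(tools)), "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature checks and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time compare
        return None
    claims = json.loads(body)
    if now >= claims["exp"]:
        return None
    return claims


def call_tool(token: str, tool: str, args: dict, now: Optional[float] = None) -> dict:
    """Decide before dispatch; blocked and executed calls are logged the same way."""
    claims = verify_token(token, now)
    if claims is None:
        decision = "blocked:bad_or_expired_token"
    elif tool not in KNOWN_TOOLS:
        decision = "blocked:unknown_tool"
    elif tool not in claims["tools"]:
        decision = "blocked:out_of_scope"
    else:
        decision = "executed"   # real dispatch to the tool would happen here
    entry = {"agent": claims["agent"] if claims else None, "tool": tool,
             "args": args, "decision": decision}
    AUDIT_LOG.append(entry)
    return entry
```

The gate decides before anything runs, so a model that has been talked into calling `delete` never reaches the tool; the token expiry bounds how long a leaked token is worth. One caveat worth keeping in mind: an allowlist bounds which tools can be called, not what gets passed to them. A read-only tool that takes a model-chosen URL is still an outbound channel, which is why the example logs arguments as well as decisions and why a real deployment constrains arguments too.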
Agent v0
I built an open-source multi-agent AI terminal CLI Agent v0
Agent v0's README reads like a security checklist for multi-agent terminal tooling. The repo says agents run inside Linux namespaces with seccomp and Bubblewrap, secrets sit in an Argon2id-protected keystore, and each action is appended to a SHA-256 hash chain.
It also exposes the orchestration shape as a list, not a black box:
- A central orchestrator decomposes tasks.
- Specialized agents run subtasks concurrently.
- A gateway router handles model calls, rate limits, and fallback routing.
- YAML policies govern filesystem, network, API, and inter-agent access.
- Telegram, Discord, and WhatsApp adapters can submit jobs remotely.
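The SHA-256 hash chain from the README's security list above, as an added example written for this page rather than Agent v0's code. The entry fields and the genesis value are assumptions, and the three logged actions are constructed; what it shows is the property such a chain gives an audit log, namely that editing, deleting or reordering an earlier entry breaks verification of every entry after it.

```python
"""Hash-chained audit log: every entry's digest commits to the previous digest.

Added example, not Agent v0's code. The entry fields and the genesis value are
assumptions; the three sample actions are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64   # assumed anchor for the first link


def _canonical(payload: dict) -> bytes:
    # Deterministic serialisation so a payload always hashes the same way.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _digest(payload: dict) -> str:
    return hashlib.sha256(_canonical(payload)).hexdigest()


def append_entry(chain: list, agent: str, action: str, detail: dict) -> dict:
    """Append an entry whose digest covers its own fields and the previous digest."""
    prev = chain[-1]["digest"] if chain else GENESIS
    payload = {"seq": len(chain), "agent": agent, "action": action,
               "detail": detail, "prev": prev}
    entry = dict(payload, digest=_digest(payload))
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Return (True, -1) for an intact chain, else (False, index of the first bad link)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        payload = {k: v for k, v in entry.items() if k != "digest"}
        if payload.get("seq") != i or payload.get("prev") != prev:
            return False, i            # reordered, deleted or relinked entry
        if _digest(payload) != entry.get("digest"):
            return False, i            # edited entry
        prev = entry["digest"]
    return True, -1


def build_sample_chain() -> list:
    """Three constructed actions from an orchestrator and one worker agent."""
    chain: list = []
    append_entry(chain, "orchestrator", "spawn", {"task": "review-config"})
    append_entry(chain, "worker-1", "file_read", {"path": "/etc/hosts"})
    append_entry(chain, "worker-1", "net_connect", {"host": "10.0.0.5", "port": 443})
    return chain


def tamper(recompute_digest: bool) -> tuple:
    """Edit entry 1 after the fact, optionally re-hashing it to hide the edit."""
    chain = build_sample_chain()
    chain[1]["detail"]["path"] = "/etc/shadow"
    if recompute_digest:
        payload = {k: v for k, v in chain[1].items() if k != "digest"}
        chain[1]["digest"] = _digest(payload)   # entry 1 now self-consistent, entry 2 is not
    return verify_chain(chain)
```

A plain edit fails at the edited entry; an edit with a recomputed digest fails one link later, because entry 2 still carries the old digest of entry 1. The one thing a chain on its own does not catch is truncation: dropping the newest entries leaves a shorter chain that still verifies, so the latest digest has to be anchored somewhere the log writer cannot rewrite.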
NeoBild on Android
I ran 336 rounds of autonomous multi-agent CVE analysis on my Android phone overnight – no cloud, no GPU
NeoLogic_Dev's post claimed 336 overnight rounds on a Redmi Note 14 Pro+ with 8 GB RAM. The NeoBild repository fills in the stack: Qwen2.5-Coder-1.5B-Instruct in MNN format, MNN Chat serving an OpenAI-compatible endpoint on Termux, and four chained personas named Dominus, Axiom, Cipher, and Vector.
The repo adds two details that did not show up in the post itself. It pulls startup topics from the CISA Known Exploited Vulnerabilities catalog, and it writes both a full discourse log and a best_findings.md file when Cipher spots high-signal terms like CVE, bypass, injection, or exfiltrate.
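The two repo details above, seeding topics from a KEV-shaped catalog and promoting lines that carry high-signal terms, as an added example written for this page rather than NeoBild's code. The catalog sample is constructed in the KEV feed's public field names (cveID, vendorProject, product, vulnerabilityName) with placeholder IDs, the persona lines are invented, and the word-boundary matching and inflected forms are this example's choice, not a description of how the repo matches terms.

```python
"""Seed topics from a KEV-shaped catalog and promote a persona's high-signal lines.

Added example, not NeoBild's code. KEV_SAMPLE and ROUND_LOG are constructed; the
term list follows the repo's description (CVE, bypass, injection, exfiltrate),
while whole-word matching and inflected forms are this example's own choice.
"""
import json
import re

KEV_SAMPLE = json.dumps({"vulnerabilities": [   # constructed, placeholder IDs
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "EdgeRouter",
     "vulnerabilityName": "ExampleCo EdgeRouter Authentication Bypass Vulnerability"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "Portal",
     "vulnerabilityName": "ExampleCo Portal SQL Injection Vulnerability"},
]})

# Whole words only, so a term buried inside a longer word does not fire;
# "cve" also covers CVE-YYYY-NNNN identifiers.
SIGNAL_RE = re.compile(
    r"\b(cve(?:-\d{4}-\d{4,})?|bypass(?:ed|es|ing)?|injections?|exfiltrat(?:e|ed|es|ing|ion))\b",
    re.IGNORECASE,
)
TRIAGE_PERSONA = "Cipher"   # the persona whose lines decide what gets promoted


def seed_topics(kev_json: str, limit: int) -> list:
    """Turn the first `limit` catalog entries into one-line discussion topics."""
    entries = json.loads(kev_json).get("vulnerabilities", [])
    return [f'{v["cveID"]}: {v["vendorProject"]} {v["product"]} ({v["vulnerabilityName"]})'
            for v in entries[:limit]]


def high_signal(text: str) -> list:
    """Return the distinct signal terms found in text, lower-cased and sorted."""
    return sorted({m.group(0).lower() for m in SIGNAL_RE.finditer(text)})


def promote_findings(round_log: list) -> list:
    """Keep only the triage persona's lines that carry at least one signal term."""
    findings = []
    for persona, line in round_log:
        terms = high_signal(line)
        if persona == TRIAGE_PERSONA and terms:
            findings.append({"persona": persona, "terms": terms, "text": line})
    return findings


def render_best_findings(topic: str, findings: list) -> str:
    """Markdown in the spirit of a best_findings.md file (the layout is assumed)."""
    lines = [f"# Best findings: {topic}", ""]
    for f in findings:
        lines.append(f"- [{', '.join(f['terms'])}] {f['text']}")
    return "\n".join(lines) + "\n"


ROUND_LOG = [   # constructed: one exchange of the four personas
    ("Dominus", "Topic: CVE-0000-0001: ExampleCo EdgeRouter (Authentication Bypass Vulnerability)"),
    ("Axiom", "The admin handler validates the session cookie only after acting on the request."),
    ("Cipher", "That ordering is an auth bypass; the same handler passes a filename to a shell, "
               "so command injection is plausible too."),
    ("Vector", "Rejection pending a reproduction; the fix is to move the check before the handler."),
]
```

The filter is deliberately cheap: on a 1.5B model running on a phone, a regex pass over each round is what keeps the full discourse log from being the only place a real lead ends up. Keying promotion on one persona rather than on any line also stops the seed topic itself, which always names a CVE, from being promoted every round.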