Sentinel Documentation

Sentinel Pro and Sentinel Savant Rubi Bridge

Sentinel Pro 4.3 Beta. Date: 2026-04-01

Copyright (c) Savant Cyprus 2026

Bridge & App microsite link: [Savant Sentinel Pro](https://savantcyprus.com/sentinel-pro.html)

Master Engineering Whitepaper (v4.3 Beta / v4.3b1-pro)

Date: 2026-04-01
Document owner: Sentinel Engineering
Applies to: Sentinel Pro iPhone/iPad/Apple TV app and Sentinel Savant Rubi Bridge

1. Executive Summary

Sentinel Pro is a homeowner-first monitoring and controlled-operations platform for Savant homes. It combines:

  • A local bridge runtime on the Savant host (v4.3b1-pro)
  • Multi-target Apple clients (iPhone, iPad, Apple TV)
  • Governance controls that preserve homeowner authority over integrator access
  • High-state telemetry harvesting from StateCenter with scalable rendering in the app

The v4.3 beta cycle focuses on production-hardening themes:

  • improved state discovery and mapping behavior for large homes
  • bridge PID lifecycle improvements for safer update/restart workflows
  • stronger installer/homeowner access governance
  • expanded diagnostics and tools model
  • website and beta-handoff documentation maturity

2. Product Scope

Sentinel is designed as an operations and trust-control surface, not just a read-only dashboard.

2.1 Core Goals

  1. Provide always-available operational visibility for homeowners and integrators.
  2. Maintain local-first operation over LAN/VPN with no mandatory cloud dependency for bridge telemetry.
  3. Enforce role and acknowledgment gates before privileged actions are allowed.
  4. Scale to high state counts while maintaining responsive UX.
  5. Preserve forensic accountability through structured audit logging.

2.2 Out-of-Scope by Design

  • Unrestricted shell-level remote administration for all roles.
  • Raw unfiltered host-data export at API level.
  • Implicit integrator persistence after homeowner revocation.

3. System Architecture

Sentinel uses a layered architecture with explicit data/control separation.

3.1 Layers

  1. Savant host sources
  2. Sentinel bridge runtime (Ruby WEBrick service)
  3. Sentinel app client layer (SwiftUI)
  4. User governance and audit persistence

3.2 Data Plane

StateCenter paths and runtime host signals are normalized through the bridge and sent to apps as scoped JSON.

Pipeline:

StateCenter + runtime probes -> harvest and normalization -> cached payloads -> app widgets and dashboards

3.3 Control Plane

Any control action passes through:

authentication -> session checks -> role + ACL checks -> acknowledgment gates -> action-level guardrails -> audit

3.4 Deployment Topologies

  • ProHosts default runtime root: /Users/Shared/Savant/Library/Application Support/RacePointMedia/Sentinel
  • SmartHosts default runtime root: /home/RPM/Sentinel

Port and bind defaults:

  • Bind host: 0.0.0.0
  • Port: 42042

4. Bridge Runtime Design (v4.3b1-pro)

Bridge file:

  • savant_network_sentinel_clean_rubi_bridge_v4_3b1_pro.rb

Runtime constants of note:

  • VERSION = "4.3b1-pro"
  • STORE_SCHEMA_VERSION = 5
  • PASSWORD_ITERATIONS = 210000
  • AUDIT_RETENTION_DAYS = 90

4.1 Service Runtime Model

The bridge runs as a WEBrick API service with internal worker behaviors:

  • API request serving thread
  • periodic harvest loop
  • host-runtime cache refresh logic
  • audit log prune cycle
  • terminal session lifecycle management

4.2 PID and Process Management

The bridge persists process identity for operator tooling:

  • PID file path defaults near users_file as sentinel_bridge.pid
  • /health and /api/v1/site/config expose both PID and PID file path
  • bridge cleans PID file on controlled shutdown

This enables deterministic restart/replace logic during scripted updates.

4.3 Transport Model

The bridge supports both HTTP and HTTPS operation:

  • HTTPS controlled by use_https
  • local cert/key paths configurable via Blueprint
  • SHA-256 fingerprint exposed for client pinning workflows
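A sketch of the client-side pin check this fingerprint enables, added here as an example and not taken from the bridge or app code. It assumes the fingerprint is SHA-256 over the certificate's DER encoding (the page does not say which bytes are hashed); the helper names and the self-signed test certificates are constructed for illustration.

```ruby
require "openssl"

# SHA-256 over the DER-encoded certificate, as colon-separated upper-case hex.
# Assumption: the bridge fingerprints the whole certificate, not only the key.
def cert_fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(":")
end

# Operators paste pins with or without colons and in either case, so strip
# everything that is not a hex digit before comparing.
def normalize_fingerprint(fp)
  fp.to_s.gsub(/[^0-9a-fA-F]/, "").downcase
end

# True only when the presented certificate hashes to the stored pin.
# A missing or malformed pin fails closed instead of disabling the check.
def pin_matches?(presented_cert, pinned_fp)
  expected = normalize_fingerprint(pinned_fp)
  return false unless expected.length == 64
  actual = normalize_fingerprint(cert_fingerprint(presented_cert))
  OpenSSL.fixed_length_secure_compare(actual, expected)
end

# Constructed self-signed certificate standing in for the bridge's local cert.
def make_self_signed(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end
```

In a live client the certificate passed to `pin_matches?` would be the peer certificate from the TLS handshake; a certificate with the same subject name but a different key fails the check.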

4.4 Harvest Model

The bridge resolves and harvests state paths using:

  • explicit configured lists
  • generated/auto manifest strategies
  • StateCenter discovery seeds
  • capped harvest lists (harvest_max_states)
  • batched rotating read slices to reduce host pressure

Defaults:

  • harvest_poll_seconds = 15
  • harvest_max_states = 7000 when unset/invalid
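The cap and the rotating slices, worked through as an added example (not the bridge's own code). The 7000 fallback and the 15-second poll come from the defaults above; the batch size of 500, the one-slice-per-poll assumption and all names are hypothetical. It also computes how stale a state can get, which matters when harvested telemetry feeds alerting.

```ruby
DEFAULT_MAX_STATES   = 7000 # fallback from the page when unset/invalid
HARVEST_POLL_SECONDS = 15   # default from the page

# Accept only a positive base-10 integer; anything else falls back to 7000.
def effective_max_states(raw)
  n = Integer(raw.to_s, 10, exception: false)
  n && n.positive? ? n : DEFAULT_MAX_STATES
end

class RotatingHarvest
  attr_reader :paths

  # batch_size is an assumption; the page gives no per-read slice size.
  def initialize(paths, max_states: nil, batch_size: 500)
    @paths = paths.uniq.first(effective_max_states(max_states))
    @batch_size = batch_size
    @cursor = 0
  end

  # Next slice of paths to read. The cursor wraps, so every capped path is
  # read once per full rotation and no path is starved.
  def next_slice
    return [] if @paths.empty?
    count = [@batch_size, @paths.size].min
    slice = Array.new(count) { |i| @paths[(@cursor + i) % @paths.size] }
    @cursor = (@cursor + count) % @paths.size
    slice
  end

  # Number of polls needed to touch every path once.
  def polls_per_rotation
    (@paths.size.to_f / @batch_size).ceil
  end
end

# Upper bound on the age of any single state value, assuming one slice is
# read per poll interval.
def worst_case_staleness(harvest, poll_seconds = HARVEST_POLL_SECONDS)
  harvest.polls_per_rotation * poll_seconds
end
```

With these assumed numbers a capped 7000-state home needs 14 polls per rotation, so a given state may be up to 210 seconds old when the app renders it.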

4.5 Runtime Catalog and Discovery

Bridge builds and serves a dynamic catalog:

  • services, devices, states, actions
  • monitoring profile overlays
  • manifest source diagnostics

This model supports configuration-agnostic UI mapping in app widgets.

5. App Architecture and UX Model

Sentinel app targets:

  • iPhone: mobile operations and incident response
  • iPad: dense operational panels and mixed dashboards
  • Apple TV: always-on wallboard mode for household visibility

5.1 Data Flow

The app consumes bridge APIs and composes:

  • home-level status snapshots
  • service-level rollups
  • room and device summaries
  • operational tools and diagnostics

5.2 Governance-First UX

The app enforces workflow gates tied to bridge policy:

  • forced password rotation for bootstrap/temporary credentials
  • role acknowledgment requirement for home roles
  • monitoring acknowledgment requirement for integrator/home admin flows
  • explicit homeowner authorization for integrator pairing completion

5.3 Performance Patterns for Large Homes

For high-state homes, app behavior emphasizes responsiveness:

  • progressive rendering
  • state indexing and caching
  • reduced animation cost in heavy layouts
  • loading overlays and status progress indicators
  • widget composition based on available service catalog

6. Identity, Roles, and Governance

Supported primary roles:

  • integrator
  • home_admin
  • home_user

6.1 Pairing and Activation Path

Typical lifecycle:

  1. Integrator bootstrap login and password rotation
  2. Home admin activation issuance
  3. Home admin role and monitoring acknowledgments
  4. Home admin authorization of integrator pairing
  5. Ongoing role-based operations

6.2 Homeowner Authority Controls

Homeowner-centric controls include:

  • permanent integrator revocation (/api/v1/home/revoke-integrator)
  • temporary integrator enable/disable (/api/v1/home/integrator-access)
  • immediate closure of integrator sessions when temporary disable is applied

6.3 New User Onboarding

v4.3 beta includes temporary-password support for user creation:

  • admin can request generated temporary credentials
  • temporary credentials can be delivered via host email workflow or manual path
  • first successful login can be forced through password change policy

7. API and Protocol Layer

Sentinel uses JSON over HTTP/HTTPS with bearer token authentication.

Major endpoint groups:

  • Health and root metadata
  • Authentication and session introspection
  • Pairing and acknowledgments
  • Site status/config/discovery/runtime
  • Tools (terminal, reboot, doorbell operations)
  • Admin (users, activation, monitoring profile, catalog, audit)

Detailed endpoint contract is provided in:

  • 02-Bridge-Protocol-and-API-Spec-v4.3beta.md

8. Security Architecture

The Sentinel security model combines cryptographic controls and governance gates.

8.1 Cryptography Highlights

  • Password storage: PBKDF2-HMAC-SHA256 with per-user random salts
  • Session token generation: cryptographically random hex tokens
  • TLS certificate fingerprint reporting for client trust pinning
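How these primitives fit together in Ruby, as an added example rather than the bridge's own code. The iteration count is the PASSWORD_ITERATIONS constant from section 4; the salt length, derived-key length, token length, record layout and function names are assumptions.

```ruby
require "openssl"
require "securerandom"

PASSWORD_ITERATIONS = 210_000 # value from the runtime constants in section 4
SALT_BYTES = 16               # assumption: salt length is not stated on the page
KEY_BYTES  = 32               # assumption: derived key length (SHA-256 output size)

def derive(password, salt, iterations, length)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                           length: length, hash: "sha256")
end

# Build the record to persist for a user. A fresh random salt per user means
# two users with the same password still get different stored hashes.
def hash_password(password, iterations: PASSWORD_ITERATIONS)
  salt = SecureRandom.random_bytes(SALT_BYTES)
  { "alg" => "pbkdf2-hmac-sha256", "iterations" => iterations,
    "salt" => salt.unpack1("H*"),
    "hash" => derive(password, salt, iterations, KEY_BYTES).unpack1("H*") }
end

# Re-derive with the parameters stored in the record and compare in constant
# time, so the comparison does not leak how many leading bytes matched.
def verify_password(password, record)
  salt     = [record["salt"]].pack("H*")
  expected = [record["hash"]].pack("H*")
  actual   = derive(password, salt, record["iterations"], expected.bytesize)
  OpenSSL.fixed_length_secure_compare(actual, expected)
end

# Records written under an older, lower iteration count still verify but
# should be re-hashed at the next successful login.
def needs_rehash?(record)
  record["iterations"] < PASSWORD_ITERATIONS
end

# Session token: 32 random bytes from the OS CSPRNG, hex encoded (64 chars).
# The token length is an assumption.
def new_session_token
  SecureRandom.hex(32)
end
```

Storing the iteration count inside each record is what lets the count be raised later without invalidating existing users.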

8.2 Policy Gates

Action allow path includes:

  • authentication validity
  • role permissions
  • acknowledgment completion
  • pairing completion where required
  • action-level command restrictions
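The allow path above, together with the control-plane sequence in section 3.3, sketched as an ordered fail-closed gate chain that audits every decision. This is an added example, not the bridge's implementation: the role-to-action table, the session and action field names, and the audit record fields are all hypothetical, and the guardrail shown is modelled on the reboot tool's double-confirmation rule.

```ruby
require "json"
require "time"

# Hypothetical role -> action table; the bridge's real ACL is not on the page.
ROLE_ACTIONS = {
  "integrator" => %w[terminal.run host.reboot],
  "home_admin" => %w[terminal.run host.reboot home.revoke_integrator],
  "home_user"  => []
}.freeze

# Gates in the order given in section 3.3. Each returns nil to pass or a
# denial reason. Session and action field names are assumptions.
GATES = [
  [:authentication, ->(s, _a) { "invalid token" unless s[:token_valid] }],
  [:session, ->(s, _a) { "session expired" if s[:expires_at].nil? || s[:expires_at] <= Time.now }],
  [:role_acl, ->(s, a) { "role not permitted" unless ROLE_ACTIONS.fetch(s[:role], []).include?(a[:name]) }],
  [:acknowledgment, ->(s, _a) { "acknowledgment pending" unless s[:acks_complete] }],
  [:pairing, ->(s, _a) { "pairing not authorized" if s[:role] == "integrator" && !s[:pairing_authorized] }],
  # Guardrail modelled on section 9.2: reboot needs double confirmation.
  [:guardrail, ->(_s, a) { "double confirmation required" if a[:name] == "host.reboot" && a[:confirmations].to_i < 2 }]
].freeze

# Evaluate gates in order, stop at the first denial (fail closed), and write
# one JSONL audit record for every decision, allowed or denied.
def authorize(session, action, audit_io)
  gate = reason = nil
  GATES.each do |name, check|
    reason = check.call(session, action)
    next unless reason
    gate = name
    break
  end
  event = { ts: Time.now.utc.iso8601, actor: session[:user],
            role: session[:role], action: action[:name],
            decision: gate ? "deny" : "allow", gate: gate, reason: reason }
  audit_io.puts(JSON.generate(event))
  gate.nil?
end
```

Recording the gate that denied the request makes the audit log usable for the pairing and revocation lifecycle assertions listed in section 13.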

8.3 Auditing

Bridge emits structured JSONL audit logs with:

  • auth events
  • admin changes
  • access events
  • tool operations
  • pairing/revocation actions

Retention policy:

  • 90-day retention with periodic pruning

Detailed security content is provided in:

  • 03-Security-Cryptography-and-Privacy-Whitepaper-v4.3beta.md

9. Tools and Controlled Host Operations

The tools surface is intentionally guard-railed.

9.1 Terminal Tool

  • session open/run/close model
  • role-gated
  • command filters deny destructive command families
  • execution timeout behavior
  • audit events for open/run/close actions

9.2 Host Reboot Tool

  • requires explicit double confirmation and sudo password
  • returns 202 when accepted
  • logs actor and mode

9.3 Doorbell Audio Tool

  • status discovery and reference extraction
  • sample preview and apply
  • custom upload with strict codec compatibility checks
  • rollback-friendly patch flow with backup paths
  • soft reboot recommendation when live service reload is unavailable

10. Privacy and Data Handling

The Sentinel privacy model is homeowner-centric and local-first.

10.1 Principles

  1. Homeowner authority over access lifecycle
  2. Minimal necessary telemetry exposure
  3. Local storage for policy/audit/user data
  4. Transparent event logging
  5. Explicit governance checkpoints for privileged operations

10.2 Data Residency

Primary operational state remains host-local and app-local:

  • users/policy files
  • audit logs
  • generated manifests and catalogs
  • cached host runtime details

No mandatory external cloud dependency is required for bridge telemetry itself.

11. Operational Model

The install and update model is split by host family:

  • ProHosts installers and update scripts
  • SmartHosts installers and update scripts

Validation primitives:

  • /health and /api/v1/site/config version checks
  • PID file checks
  • bridge logs and audit logs
  • Blueprint state verification

Detailed operator runbook is provided in:

  • 04-Deployment-Operations-and-Runbook-v4.3beta.md

12. Beta 4.3 Focus Areas and Risk Notes

12.1 Focus Areas

  • high-state scalability and UI responsiveness
  • cross-home service mapping consistency
  • homeowner ACL and onboarding reliability
  • tool reliability in constrained host environments

12.2 Residual Risk Areas

  • operator misconfiguration around TLS pinning and trust onboarding
  • stale VPN/network session handling in long-lived app sessions
  • SmartHost/ProHost path confusion when scripts are mixed
  • bridge/API drift if host runtime file set is partially updated

13. Validation Strategy

Recommended release gates for 4.3 beta:

  1. Functional API checks against every endpoint family.
  2. Role/ACL validation across integrator, home_admin, home_user.
  3. Large-home rendering and scroll responsiveness checks.
  4. Doorbell sample preview/apply validation from app and raw API.
  5. Installer and update script verification for both host families.
  6. Pairing and revocation lifecycle tests with audit event assertions.

14. Conclusion

Sentinel Pro v4.3 beta represents a hardened local-first control plane for Savant homes, blending:

  • robust bridge runtime behavior
  • high-fidelity multi-platform app experiences
  • homeowner-governed trust controls
  • auditable, guarded operations tooling

This architecture provides a strong base for beta expansion while preserving safety, performance, and governance in production estates.