Sentinel Logo

Introduction

Learn about Cyberpath Sentinel, a filesystem-backed document DBMS designed for trust, transparency, and compliance.

Cyberpath Sentinel is a filesystem-backed document DBMS written in Rust that stores all data as files on disk. In a world where databases hide your data behind proprietary formats and complex abstractions, Sentinel takes a radically different approach: every piece of data is stored as a plain JSON file that you can inspect, edit, version, and audit with standard tools.

Modern databases prioritize raw throughput and query performance. Sentinel prioritizes trust, transparency, and compliance. If your organization needs to know exactly what data you have, who changed it, and when, then, Sentinel gives you that visibility without any black boxes.

Why Sentinel?

Traditional databases store your data in opaque binary formats. You need specialized tools to inspect it, vendor-specific utilities to back it up, and proprietary knowledge to troubleshoot issues. When auditors come knocking, you need complex export procedures to show them what you have.

Sentinel flips this model entirely. Your data lives as files on a filesystem:

  • Inspect with cat: Every document is pretty-printed JSON
  • Backup with tar or rsync: Standard UNIX tools work perfectly
  • Version with git: Your entire database can be a Git repository
  • Audit with grep: Find what you need with familiar commands
  • Delete with rm: GDPR right-to-delete is literally a file deletion

This approach brings unprecedented transparency to your data. No more wondering what’s inside your database—you can see it all, right there in the filesystem.

Perfect For

Sentinel shines in environments where auditability and compliance are non-negotiable:

  • Audit Logs: Every entry is a file, every change is trackable with Git
  • Certificate Management: Secure, inspectable, protected by OS-level ACLs
  • Compliance Rules & Policies: GDPR, SOC 2, HIPAA compliance built into the architecture
  • Encryption Key Management: Keys stored as encrypted files with filesystem security
  • Regulatory Reporting: All data is immediately forensic-friendly
  • Edge Devices & Disconnected Systems: No server required, works offline with Git sync
  • Zero-Trust Infrastructure: Inspect everything before trusting it

Not For

Sentinel makes honest trade-offs. It’s not designed for:

  • Real-time bidding systems requiring microsecond latency, and will never compete there
  • High-frequency trading platforms with millions of transactions per second
  • Streaming analytics pipelines processing continuous data flows
  • Multi-million row transactional systems requiring complex joins

If you need raw throughput over transparency, traditional databases like PostgreSQL, MongoDB, or DuckDB are better choices. Sentinel is for when you need to trust your data completely and raw speed is secondary.

Architecture Overview

Sentinel follows a simple, hierarchical model with three primary layers:

Store
└── Collection (directory)
    └── Document (JSON file)

A Store is the top-level container that manages all your collections, handles cryptographic signing, and provides the entry point for all database operations. Each Collection is represented as a directory containing your documents. Every Document is an individual JSON file with embedded metadata including versioning, timestamps, BLAKE3 hashes, and optional Ed25519 digital signatures.

data/
├── users/
│   ├── user-123.json
│   ├── user-456.json
│   └── .deleted/               # Soft-deleted documents
├── audit_logs/
│   ├── audit-2026-01-01.json
│   └── audit-2026-01-02.json
└── certificates/
    ├── cert-abc123.json
    └── cert-def456.json

Key Features

Cryptographic Security

Sentinel provides built-in cryptographic operations for data integrity and tamper evidence:

  • BLAKE3 Hashing: Every document automatically includes a cryptographic hash of its data for integrity verification
  • Ed25519 Signing: Optional digital signatures provide tamper-evident storage
  • Multiple Encryption Algorithms: Choose from XChaCha20-Poly1305, AES-256-GCM-SIV, or Ascon-128
  • Key Derivation: Argon2id or PBKDF2 for secure passphrase-to-key conversion

Streaming Operations

Sentinel uses async streams throughout for memory-efficient processing:

  • Streaming Queries: Process large datasets without loading everything into memory
  • Lazy Evaluation: Filters and queries process documents on-demand
  • Early Termination: Limit and offset applied during streaming, not after collection

Verification Modes

Flexible verification options let you balance security and performance:

  • Strict Mode: Fail immediately on verification errors (production default)
  • Warn Mode: Log warnings but continue processing (auditing scenarios)
  • Silent Mode: Skip verification entirely (performance-critical scenarios)
  • Configurable Verification: Control hash and signature verification independently

Flexible Querying

Built-in query builder for complex data retrieval:

  • Multiple Operators: Equals, comparison, contains, starts/ends with, in-list, exists
  • Sorting: Order results by any field in ascending or descending order
  • Pagination: Control result sets with limit and offset
  • Field Projection: Select only the fields you need to reduce data transfer
  • Logical Combining: AND and OR filters for complex queries

Core Design Principles

Sentinel is built on five fundamental principles:

  1. Filesystem is the Database: We leverage the reliability and tooling of battle-tested filesystems rather than inventing our own storage layer.

  2. Transparency by Default: Every document is human-readable JSON. There are no binary formats, no compression, no obfuscation by default.

  3. Security First: Documents are automatically hashed for integrity verification. Optional Ed25519 signatures provide tamper-evident storage.

  4. UNIX Philosophy: Do one thing well. Compose with standard tools. Work the way developers expect.

  5. Zero Lock-In: Your data is pure JSON. You can migrate to any other system at any time using standard tools.

Getting Started

Ready to try Sentinel? Here’s your path forward:

  1. Installation: Add Sentinel to your Rust project
  2. Quick Start: Create your first store and documents in minutes
  3. Core Concepts: Understand stores, collections, and documents

Project Structure

Sentinel is organized as a Cargo workspace with multiple crates:

cyberpath-sentinel/
├── Cargo.toml                      # Workspace configuration
├── crates/
│   ├── sentinel/                     # Core DBMS library
│   ├── sentinel-crypto/              # Cryptographic operations
│   └── cli/                        # Command-line interface
├── docs/                           # Documentation
└── tests/                          # Integration tests

Each crate focuses on a specific concern:

  • sentinel: Document storage, collections, querying, and verification
  • sentinel-crypto: Hashing, signing, encryption, and key derivation
  • cli: Command-line tool for database management

Ecosystem

Sentinel is designed to work seamlessly with the Rust ecosystem:

  • Tokio: Async runtime for efficient I/O operations
  • Serde: Serialization framework for JSON handling
  • Tracing: Structured logging and diagnostics
  • Async-stream: Stream utilities for lazy evaluation
  • RustCrypto: Audited cryptographic primitives

Sentinel is open source under the Apache 2.0 license. You can find the source code, report issues, and contribute on GitHub.

Related Pages

Installation
Install Cyberpath Sentinel in your Rust project using Cargo.
Quick Start
Create your first Sentinel store, collection, and documents in minutes.