Sentinel
Automated QA sweep plugin for Claude Code. Catches console errors, layout problems, RBAC violations, API schema drift, and missing i18n keys in web applications.
v1.8.5 | Python + TypeScript + Rust + Go + PHP | 14 backend frameworks + GraphQL/gRPC/tRPC | 5 auth methods | Playwright MCP
Table of Contents
Installation
From GitHub
claude plugin marketplace add https://github.com/michelabboud/sentinel-sweep
claude plugin install sentinel
From local path
claude plugin marketplace add /path/to/sentinel-sweep
claude plugin install sentinel
Prerequisites
- Claude Code v2.1.16+
- Node.js 18+ (for Playwright)
- A web application with a running dev server
Verify installation
/sentinel setup
This checks your environment, detects frameworks, verifies Playwright, and shows a readiness report.
Uninstall
claude plugin uninstall sentinel
Quick Start
# 1. Start your dev server (frontend + API)
docker-compose up -d
# 2. Check everything is ready
/sentinel setup
# 3. Run a full sweep
/sentinel sweep
# 4. View the report
/sentinel report
First time? Start with /sentinel api (no browser needed) to verify your endpoints, then graduate to /sentinel sweep for full browser + API coverage.
Commands
| Command | Description |
|---|
/sentinel setup | Check environment, install Playwright, detect framework, configure settings |
/sentinel sweep | Full browser + API sweep (generates manifest, runs both sweepers in parallel) |
/sentinel sweep --sandbox | Include high/critical actions with per-action approval (dev only) |
/sentinel sweep --dry-run | Generate manifest and show test plan without executing sweeps |
/sentinel api | API-only sweep — endpoint health, RBAC, CRUD flows, schema contracts |
/sentinel api --dry-run | Show what would be tested without executing |
/sentinel api --reuse-manifest | Reuse manifest from the last run (skip codebase analysis) |
/sentinel sweep --safe-only | Read-only sweep — only GET requests, nothing gets modified |
/sentinel sweep --risk-level high | Override risk policy at runtime (safe, medium, high, critical) |
/sentinel report | View the most recent sweep report |
/sentinel report --list | List all past sweep runs |
/sentinel report --severity error | Filter report to show only errors and critical issues |
/sentinel diff | Compare latest two runs — shows new, fixed, and regressed findings |
/sentinel fix | Auto-suggest and apply code patches for common findings |
/sentinel clean | Remove old sweep runs, keeping the 5 most recent (or specify N) |
/sentinel manifest | Generate and inspect the manifest without sweeping |
/sentinel trends | Show pass-rate and finding trends across recent runs |
How It Works
/sentinel sweep
|
[1] Generate manifest
Reads your codebase: router files, API endpoints,
Pydantic schemas, auth config, database models
|
[2] Risk assessment
Scores every route and endpoint (0-100)
Classifies as safe / medium / high / critical
|
[3] Execute sweeps (in parallel)
API sweeper: curl-based endpoint testing
Browser sweeper: Playwright navigation + screenshots
|
[4] Collect and deduplicate findings
Merges results, removes duplicates, keeps highest severity
|
[5] Generate report
Terminal summary + markdown report + task list
What gets tested
| Category | API Sweep | Browser Sweep |
|---|
| Endpoint health (2xx responses) | Yes | - |
| RBAC enforcement (role-based access) | Yes | Yes |
| CRUD flow correctness | Yes | - |
| Response schema validation | Yes | - |
| Console errors | - | Yes |
| Network failures | - | Yes |
| Layout issues (empty containers) | - | Yes |
| Responsive breakpoints | - | Yes |
| Missing i18n keys | - | Yes |
Configuration
Settings are in settings.json at the plugin root. All fields have sensible defaults — you only need to change what matters for your project.
