How SENTINEL Attestation Chains Work

By Lawenots Team · 8 min read

Most uptime dashboards show a green dot and call it a day. When a board member or auditor asks how you know the site was healthy on March 14 at 03:00 UTC, a screenshot doesn't cut it. SENTINEL attaches every scan result to a SHA-256 attestation hash — a deterministic fingerprint you can archive, compare, and verify independently.

What gets hashed

Each attestation is computed from five fields, plus an optional previous-hash link, concatenated and hashed with SHA-256:

  • Scan ID — unique report identifier (e.g. free-1717789200-a3f2b1)
  • Service ID — the monitored target, or free-scan for the public scanner
  • Status — aggregate pass / warn / fail
  • Score — numeric health score (0–100)
  • Timestamp — ISO-8601 generation time
  • Previous hash — optional chain link to prior attestation

The formula lives in lib/sentinel/attestation.js — no proprietary black box. Anyone with the inputs can reproduce the hash.

Why chains matter

A single hash proves one point in time. Chaining hashes — where each new attestation includes the previous hash as input — creates a tamper-evident sequence. If someone alters a historical scan record, the downstream hashes won't match.

For Flomisma portfolio services, the latest attestation hash appears on the public audit page with a link to verify against the Flomisma pipeline verifier. Compliance teams archive these exports alongside smoke-test stdout.

Free scanner vs. monitored services

The free passive scanner generates attestation hashes on every run — same algorithm, no account required. Results are stored in your browser's scan history for local audit trails.

Monitored portfolio services run on a schedule via the SENTINEL worker: PING, DNS, SSL, optional Lighthouse, and GIT integrity checks. Each cycle produces scans stored in PostgreSQL with attestation metadata when DATABASE_URL is configured.

If no database is seeded, the status dashboard and audit API fall back to live public scans of www.lawenots.com — so you always see real attestation output, not an empty page.

Reading an audit report

On /security/audit, each service block shows:

  • Latest attestation hash and timestamp
  • Per-scan rows with type, status, score, and individual attestation fragments
  • Open incidents ranked by severity

Click Verify on Flomisma to cross-check the pipeline root hash against Flomisma's public verifier endpoint.

Operational requirements

Production attestation for portfolio entities requires:

  • DATABASE_URL — PostgreSQL via Prisma
  • SENTINEL_INTERNAL_KEY — authenticates the tick endpoint (fail-closed if unset)
  • SENTINEL worker — processes Lighthouse jobs and scheduled scans

Without these, public fallback scans still produce valid hashes — useful for demos and self-service prospects.

See attestation in action

Run a free scan or browse the live public audit — no seeding required.
