English | 简体中文 | 日本語 | 한국어 | Français | Deutsch | Русский
</div> <p align="center"> <img src="docs/images/docsentinel-mascot.png" width="200" alt="DocSentinel mascot"/> </p> <p align="center"> <strong>DocSentinel</strong><br/> <em>AI-powered SSDLC platform — Secure your software from requirements to operations</em> </p> <p align="center"> <a href="https://github.com/arthurpanhku/DocSentinel/releases"><img src="https://img.shields.io/github/v/release/arthurpanhku/DocSentinel?include_prereleases" alt="Latest release"/></a> <a href="https://github.com/arthurpanhku/DocSentinel/blob/main/LICENSE"><img src="https://img.shields.io/badge/License-MIT-yellow.svg" alt="License: MIT"/></a> <a href="https://www.python.org/downloads/"><img src="https://img.shields.io/badge/python-3.10+-blue.svg" alt="Python 3.10+"/></a> <a href="https://github.com/arthurpanhku/DocSentinel"><img src="https://img.shields.io/badge/GitHub-arthurpanhku%2FDocSentinel--Agent-24292e?logo=github" alt="GitHub repo"/></a> <a href="docs/06-agent-integration.md"><img src="https://img.shields.io/badge/MCP-Ready-green?logo=anthropic" alt="MCP Ready"/></a> <a href="docs/06-agent-integration.md"><img src="https://img.shields.io/badge/A2A-1.0-blueviolet" alt="A2A 1.0"/></a> <a href="SECURITY.md"><img src="https://img.shields.io/badge/Human_Review-Required-0f766e" alt="Human review required"/></a> <a href="https://python.langchain.com/"><img src="https://img.shields.io/badge/LangChain-Powered-orange" alt="LangChain"/></a> <a href="https://langchain-ai.github.io/langgraph/"><img src="https://img.shields.io/badge/LangGraph-Orchestrated-blue" alt="LangGraph"/></a> </p> <p align="center"> <a href="https://glama.ai/mcp/servers/arthurpanhku/DocSentinel"> <img width="380" height="200" src="https://glama.ai/mcp/servers/arthurpanhku/DocSentinel/badge" /> </a> </p>What is DocSentinel?
DocSentinel is an AI-powered SSDLC (Secure Software Development Lifecycle) platform for security teams. It automates security activities across all six phases of the software development lifecycle using intelligent AI agents orchestrated by LangGraph and powered by LangChain. It automates the review of security-related documents, forms, and reports — from requirements and design through development, testing, deployment, and operations — comparing inputs against your policy and knowledge base to produce structured assessment reports with risks, compliance gaps, and remediation suggestions.
Instead of only reviewing documents at the pre-release stage, DocSentinel embeds security from day one:
| SSDLC Phase | What DocSentinel Does |
|---|---|
| Requirements | Extract security requirements, identify compliance obligations (GDPR, PCI DSS, SOC2) |
| Design | Automated threat modeling (STRIDE/DREAD), security architecture review, SDR reports |
| Development | Secure coding assessment, SAST findings triage, coding guidance |
| Testing | SAST/DAST report analysis, penetration test review, vulnerability prioritization |
| Deployment | Configuration security review, hardening assessment, release sign-off |
| Operations | Vulnerability monitoring, incident response assistance, log audit |
Built as a React console + FastAPI service + MCP/A2A agent gateway, DocSentinel integrates into local security review workflows, CI/CD pipelines, AI agents, and multi-agent platforms without giving external agents approval authority.
- LangGraph orchestration: Stateful, graph-based agent workflows with conditional branching per SSDLC stage.
- Multi-format input: PDF, Word, Excel, PPT, text — parsed into a unified format for the LLM.
- Knowledge base (RAG): Upload policy and compliance documents; the agent uses them as reference when assessing.
- Multiple LLMs: Use OpenAI, Claude, Qwen, or Ollama (local) via a single interface.
- Structured output: JSON/Markdown reports with risk items, compliance gaps, and actionable remediations.
Ideal for enterprises that need to scale security assessments across many projects and SSDLC stages without proportionally scaling headcount.
Why DocSentinel?
| Pain Point | DocSentinel Solution |
|---|---|
| Fragmented SSDLC coverage<br>Most tools only address testing/deployment. | Full lifecycle agents cover all 6 SSDLC phases with dedicated AI personas. |
| Fragmented criteria<br>Policies, standards, and precedents are scattered. | Single knowledge base ensures consistent findings and traceability. |
| No automated threat modeling<br>Threat models are created ad-hoc. | Design Agent generates STRIDE/DREAD threat models from architecture docs. |
| Heavy questionnaire workflow<br>Endless review cycles. | Automated first-pass and gap analysis reduces manual back-and-forth rounds. |
| SAST/DAST report overload<br>Too many findings, too little context. | Testing Agent triages, prioritizes, and maps findings to threat models. |
| Pre-release review pressure<br>Everything lands on security at the end. | Shift-left approach catches issues early in requirements and design. Structured reports help reviewers focus on decision-making. |
| Scale vs. consistency<br>Manual reviews vary by reviewer. | LangGraph workflows and unified pipeline ensure consistent, auditable assessment across projects. |
| SSDLC coverage gaps<br>Security involvement is uneven across lifecycle stages; early stages get less scrutiny. | Stage-aware assessment covers all 6 SSDLC stages with dedicated skills and checklists. |
See the full problem statement and SSDLC phase details in SPEC.md.
Architecture
DocSentinel is built on a React Console plus FastAPI, MCP, and A2A access layer, with LangGraph for stateful agent orchestration and LangChain for unified LLM access. REST and agent protocols share one task lifecycle; MCP and A2A submissions always enter the human-review workflow.

flowchart TB
subgraph User["User / Security Staff"]
end
subgraph Access["Access Layer"]
Console["React Console<br/>(Vite + Tailwind)"]
API["REST API<br/>(FastAPI)"]
Gateway["Agent Gateway"]
MCP["MCP<br/>(stdio + HTTP)"]
A2A["A2A 1.0<br/>(JSON-RPC)"]
Tasks["Shared Assessment Service"]
end
subgraph Orchestration["SSDLC Orchestration (LangGraph)"]
Router["Phase Router"]
A1["Requirements Agent"]
A2["Design Agent"]
A3["Development Agent"]
A4["Testing Agent"]
A5["Deployment Agent"]
A6["Operations Agent"]
end
subgraph Core["Core Services"]
KB["Knowledge Base (RAG)"]
Parser["Parser"]
Skill["Skills"]
Mem["Memory"]
end
subgraph LLM["LLM Layer (LangChain)"]
Abst["LLM Abstraction"]
end
subgraph Backends["LLM Backends"]
Cloud["OpenAI / Claude / Qwen"]
Local["Ollama / vLLM"]
end
User --> Console
User --> API
Console --> API
User --> MCP & A2A
MCP & A2A --> Gateway
API & Gateway --> Tasks
Tasks --> Router
Router --> A1 & A2 & A3 & A4 & A5 & A6
A1 & A2 & A3 & A4 & A5 & A6 --> KB & Parser & Skill
A1 & A2 & A3 & A4 & A5 & A6 --> Abst
Abst --> Cloud & LocalData flow (simplified):
- User selects SSDLC phase(s) and uploads documents (or optionally lets the SSDLC Router auto-detect the stage).
- Parser converts files (PDF, Word, Excel, PPT, SAST/DAST reports, etc.) to text/Markdown.
- LangGraph Router dispatches to the appropriate Phase Agent(s), loading stage-specific skill + checklist.
- Phase Agent queries KB (phase-specific collections) and applies Skills; Policy+Evidence run in parallel, then Drafter+Reviewer.
- LLM (via LangChain) produces structured findings with cross-phase traceability.
- Returns assessment report (risks, threats, gaps, remediations, confidence, SSDLC stage).
Detailed architecture: ARCHITECTURE.md and docs/01-architecture-and-tech-stack.md.
Core Capabilities
SSDLC Full Lifecycle Coverage
Six dedicated AI agents, each with phase-specific skills, prompts, and knowledge base collections. Run individual phases or a full end-to-end SSDLC assessment:
- Requirements: Security requirements, compliance mapping, initial risk analysis.
- Design: Architecture review, STRIDE/DREAD threat modeling, SDR.
- Development: Secure coding standards, code review findings.
- Testing: SAST/DAST report triage, pen-test evaluation.
- Deployment: Release readiness, config security, hardening.
- Operations: Incident response, vulnerability monitoring, log audit.
Automated Security Assessment
Submit security questionnaires, design documents, or audit reports. DocSentinel analyzes them using configured LLMs and identifies:
- Security Risks: Classified by severity (Critical, High, Medium, Low).
- Compliance Gaps: Missing controls against frameworks like ISO 27001, PCI DSS.
- Remediation Steps: Actionable advice to fix identified issues.
Intelligent Agent Orchestration (LangGraph)
- Stateful workflows: LangGraph state machine maintains context across phases
- Cross-phase traceability: Threats from Design link to test cases in Testing and monitoring rules in Operations
- Conditional routing: Agents activate based on project risk level, compliance requirements, or user selection
- Human-in-the-loop: Interrupt points for human review at phase boundaries
- Checkpointing: Long-running assessments persist state and resume
RAG-Powered Knowledge Base
Upload your organization's security policies, standards, and past audits. Phase-specific collections ensure each agent retrieves the most relevant context:
- Requirements: compliance frameworks, security policies
- Design: threat catalogs, security patterns
- Development: secure coding standards (OWASP)
- Testing: vulnerability databases, remediation guides
- Deployment: CIS benchmarks, hardening guides
- Operations: CVE databases, incident playbooks
LangGraph Agent Orchestration
Powered by LangChain + LangGraph — stateful, graph-based agent workflows with conditional routing per SSDLC stage. Parallel execution of Policy and Evidence agents, followed by Drafter and Reviewer agents.
API-First, MCP & A2A Ready
Use the local React console for human review, integrate CI/CD pipelines through the REST API, or expose the same assessment capabilities to AI agents (Claude Desktop, Cursor, OpenClaw) through MCP. A2A-compatible platforms can delegate assessment tasks to DocSentinel as a specialist security agent.
Agent Integration (MCP + A2A)
Use MCP to expose bounded tools to Claude Desktop, Cursor, coding agents, and workflow platforms. Use A2A to expose DocSentinel as a remote specialist agent. REST, MCP, and A2A submissions share the same task lifecycle and activity log. Agent-created assessments always remain drafts until a human reviewer approves them in the console.
| Interface | Endpoint | Purpose |
|---|---|---|
| MCP stdio | python app/mcp_server.py | Local desktop and coding-agent integration |
| MCP Streamable HTTP | POST /mcp/ | Remote tool discovery and invocation |
| A2A Agent Card | GET /.well-known/agent-card.json | Standards-based agent discovery |
| A2A JSON-RPC | POST /a2a | Remote task delegation |
| Integration status | GET /api/v1/integrations/agents/status | Non-secret protocol and capability status |
| Console | /console/integrations | Human-readable integration state |
MCP exposes five governed tools:
- `submit
…