Sentinel

July 10, 2026 · View on GitHub

  ███████╗███████╗███╗   ██╗████████╗██╗███╗   ██╗███████╗██╗
  ██╔════╝██╔════╝████╗  ██║╚══██╔══╝██║████╗  ██║██╔════╝██║
  ███████╗█████╗  ██╔██╗ ██║   ██║   ██║██╔██╗ ██║█████╗  ██║
  ╚════██║██╔══╝  ██║╚██╗██║   ██║   ██║██║╚██╗██║██╔══╝  ██║
  ███████║███████╗██║ ╚████║   ██║   ██║██║ ╚████║███████╗███████╗
  ╚══════╝╚══════╝╚═╝  ╚═══╝   ╚═╝   ╚═╝╚═╝  ╚═══╝╚══════╝╚══════╝

Enterprise-grade Git pre-commit secret detector, Gitleaks alternative, and high-performance credentials scanner written in Go.

CI Release Go Version Go Reference Stars Downloads License Platforms Mentioned in Awesome Go


What is Sentinel?

Sentinel is a statically compiled, zero-dependency Git pre-commit hook and credentials scanner written in Go. It automatically blocks accidental commits of API keys, SSH private keys, cloud credentials, database connection strings, and other sensitive material before they enter version control.

It is a lightweight, developer-friendly alternative to Gitleaks and git-secrets, with broader detection coverage and significantly lower resource usage.

Sentinel uses a three-tier detection pipeline built for speed and near-zero false positives:

TierEnginePurpose
1 — PATTERNAho-Corasick automatonMatches 80+ known secret signatures in O(n) time, zero allocations
2 — ENTROPYShannon entropy analysisCatches unknown secrets by measuring information density
3 — CONTEXTContext classifierSuppresses false positives from comments, test files, and placeholders

A finding must survive all three tiers before it is reported.


Quick Start

Install and protect your repository in under 60 seconds:

# 1. Install
go install github.com/sentinel-cli/sentinel/v2/cmd/sentinel@latest

# 2. Protect the current repository
sentinel install

# 3. Verify — Sentinel will now scan every commit automatically
git add . && git commit -m "test"

Or scan any directory right now, without a hook:

sentinel scan --recursive ./src

That is all. No configuration file required. No runtime dependencies. Works on Linux, macOS, Windows, and Android/Termux.


Terminal Demo

asciinema play https://sentinel-cli.github.io/sentinel/demo.cast

Sentinel Demo


Table of Contents


Performance

Measured on real-world repositories with Sentinel against the two most popular alternatives.

Filesystem Scan Results (Standard Mode)
RepositoryToolExecution TimePeak RAMCPU%Findings
sample_secretsSentinel171 ms11.1 MB32%2
Gitleaks v8.30.1324 ms37.1 MB66%1
TruffleHog v3.95.87.39 s204.7 MB98%2
truffleHogRegexesSentinel268 ms11.5 MB23%3
Gitleaks v8.30.1452 ms37.7 MB73%1
TruffleHog v3.95.86.69 s207.3 MB105%0
Git History Scan Results (History Mode)
RepositoryToolExecution TimePeak RAMCPU%Findings
sample_secretsSentinel395 ms9.8 MB22%5
Gitleaks v8.30.1431 ms38.7 MB68%5
TruffleHog v3.95.87.26 s206.2 MB99%2
truffleHogRegexesSentinel171 ms10.1 MB40%5
Gitleaks v8.30.1248 ms39.7 MB142%8
TruffleHog v3.95.86.79 s207.2 MB104%0

Summary:

Metricvs Gitleaksvs TruffleHog
Speed1.1x to 1.9x faster18x to 43x faster
Memory3.3x to 3.9x less RAM18x to 21x less RAM
Recall (Accuracy)Finds obfuscated & encoded secrets ignored by othersSuperior noise filtering (Zero false positives)

Why Sentinel

FeatureSentinelgit-secretsdetect-secretsTruffleHog
Statically compiled, no runtime dependencies+— bash— Python— Python
ARM / Android / Termux native+partial
Aho-Corasick O(n) multi-pattern matching+
Shannon entropy analysis+++
Context-aware false-positive suppression+partialpartial
BIP-39 seed phrase detection+
Single-layer Base64 decoding+++
Concurrent file scanning+
SARIF output (GitHub Code Scanning)+++
JSON output+++
Global hook installation++
Custom user-defined signatures++
OTA self-updating binary+

Architecture

Detection Pipeline

  git commit (staged changes)
         |
  [Git Interop — internal/git]
   ListStagedFiles()   →  git diff --cached --name-status
   GetStagedDiff()     →  git diff --cached -- <path>  (modified files, added lines only)
   GetStagedContent()  →  git show :<path>              (new files, full content)
         |
  [Pre-flight Filters]
   - Binary detection: null-byte scan of first 8 KB (isBinaryFileFast)
   - Extension exclusion: case-insensitive match
   - Path exclusion: filepath.Match glob patterns
   - File size cap: files > 10 MB skipped
         |
  [Tier 1 — Aho-Corasick Trie  —  internal/trie/trie.go]
   Built once at startup via trie.Build() — allocation-free hot path
   Case-insensitive O(n) scan per line
   BIP-39 mnemonic detection: 12/15/18/21/24 words validated against 2048-word dictionary
   Single-layer Base64 decoding: re-feeds decoded value through trie (catches K8s secrets)
   Blob aggregation: 3+ consecutive high-entropy lines → single CRITICAL finding
         |
  [Tier 2 — Shannon Entropy  —  internal/entropy/entropy.go]
   Base64 tokens: entropy >= entropy_threshold (default 4.5 bits/symbol)
   Hex tokens:    entropy >= threshold × (4.0 / 6.0), min floor 3.0
   Skips: tokens < min_secret_length (default 20), all-identical chars, Java-style identifiers
         |
  [Tier 3 — Context Filter  —  internal/context/context.go]
   Checks (in order): test file path → commented line → unquoted RHS in source → UUID → version string
                    → env var placeholder → config placeholder → variable name → short alpha token
   Only Real decisions are forwarded to the reporter
         |
  [Reporter  —  internal/reporter/reporter.go]
   pretty / plain  → stderr    (human-readable, ANSI color)
   json / sarif    → stdout    (or directly to file if --output is used)
         |
  exit 0 (CLEAN)  |  exit 1 (BLOCKED)
Tier 1 — Aho-Corasick Pattern Matching (detailed)

Source: internal/trie/trie.go

The automaton is built once at startup via trie.Build(sigs) and shared across all goroutines without locks. Automaton.Search performs zero heap allocations on the hot path.

Construction is two-phase:

  1. All signature prefixes are inserted into a trie with lowercased keys.
  2. BFS computes failure links and merges output sets so overlapping prefixes (e.g. sk- and sk-proj-) are both reported in one pass.

The scanner applies additional logic on top of the raw trie results:

  • BIP-39 mnemonics — line is tested for 12/15/18/21/24 space-separated words, all validated against bip39.go.
  • Single-layer Base64 decoding — extracted values are decoded and re-fed through the trie to catch masked secrets (e.g. Kubernetes Secret manifests).
  • Blob aggregation — 3+ consecutive lines of the same entropy class are collapsed into one CRITICAL finding (massive-base64-blob / massive-hex-blob) to prevent alert fatigue.
  • Deduplication — if a generic and a specific signature match the same token, the generic finding is promoted to the specific signature's ID and severity.
Tier 2 — Shannon Entropy Analysis (detailed)

Source: internal/entropy/entropy.go

H(X) = - sum over i of P(xi) * log2(P(xi))
ScoreMeaning
0.0All bytes identical
~3.5English prose
~5.5 – 6.5Cryptographically random Base64 secret
8.0Perfectly uniform 256-symbol distribution

Sentinel extracts two token classes per line:

  • Base64 tokens — runs of A-Za-z0-9+/=_-; entropy must exceed entropy_threshold (default 4.5).
  • Hex tokens — runs of 0-9a-fA-F; must be even-length; threshold is scaled: entropy_threshold × (4.0 / 6.0), floor 3.0.

Pre-filters applied before entropy computation: Java-style identifiers (all letters/dots/underscores) and all-identical-character tokens are discarded.

Tier 3 — Context-Aware Filtering (detailed)

Source: internal/context/context.go

DecisionCondition
RealNone of the suppression checks matched
SafeCommentLine begins with // # * /* <!-- -- ; % !
SafeTestFilePath ends with _test.go _spec.rb .test.js .spec.ts .md .rst, or contains directory: test tests testdata fixtures __tests__ __mocks__ mock mocks sample samples docs doc
SafeVariableNameVariable name (left of = / :=) contains: dummy fake mock placeholder sample fixture stub lorem foobar your_ your- insert_ replace_ changeme redacted sanitized censored
SafePlaceholderToken matches $VAR, ${VAR}, <...>, [[...]], {{...}}, ${{...}}
SafeUUIDToken matches UUID v4 pattern xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
SafeVersionStringToken begins with digit.digit.digit
SafeSourceRHSToken on RHS of assignment in programming source files is bare/unquoted (e.g. Go struct types, function calls)

The scanner also rejects tokens that match a printf-style format verb, are identical to their signature prefix, contain regex metacharacters, or (for short prefixes ≤ 3 bytes) are pure PascalCase/CamelCase with no special characters.

Inline Suppression

Place sentinel:ignore on the flagged line or the preceding comment line:

// sentinel:ignore
apiKey := "sk_live_example_for_documentation"

apiKey := "sk_live_example_for_documentation" // sentinel:ignore
# sentinel:ignore
STRIPE_KEY="sk_live_example"
<!-- sentinel:ignore -->
<secret>sk-ant-api03-documented-example</secret>

A same-line annotation suppresses only that line. A comment-line annotation suppresses the immediately following line.


Signature Coverage

View all builtin signatures
CategorySignatures
GitHubClassic PAT (ghp_), OAuth (gho_), App Installation (ghs_), Refresh (ghr_), Fine-grained PAT (github_pat_)
GitLabPersonal Access Token (glpat-), Pipeline Trigger (glptt-), Runner Registration (GR1348941), Runner Token (glrt-)
AWSAccess Key ID (AKIA, validated AKIA[0-9A-Z]{16}), MFA Device (ABIA), STS Temporary Key (ASIA)
Google CloudService Account JSON ("type": "service_account"), API Key (AIzaSy), OAuth Client ID (.apps.googleusercontent.com), OAuth Client Secret (GOCSPX-)
SlackBot (xoxb-), User (xoxp-), Workspace (xoxa-), Refresh (xoxr-)
StripeLive Secret (sk_live_), Live Restricted (rk_live_), Test Secret (sk_test_)
OpenAIClassic (sk-), Project key (sk-proj-)
AnthropicAPI key (sk-ant-)
TwilioAccount SID (AC, regex-validated), Auth Token (SK, regex-validated)
SendGridAPI key (SG., regex-validated: SG.[a-zA-Z0-9_-]{22}.[a-zA-Z0-9_-]{43})
MailgunAPI key (key-)
npmAutomation/Publish token (npm_), Classic/Auth Token (_authToken=, _auth=)
JWTJSON Web Token (eyJ, strict 3-part dot-separated regex)
Private Keys & CertsRSA, EC, OpenSSH, PKCS#8, PGP, DSA — all -----BEGIN ... PRIVATE KEY----- variants, PuTTY Private Keys (PuTTY-User-Key-File-)
Databases & DSNsPostgreSQL (postgresql://, postgres://), MySQL (mysql://), MongoDB SRV (mongodb+srv://), MongoDB (mongodb://), Redis (redis://), RabbitMQ (amqp://, amqps://) — DSN connection strings with embedded passwords
PyPIUpload Token (pypi-)
SquareAccess Token (sq0atp-)
Basic AuthHTTPS (https://user:pass@), HTTP (http://user:pass@)
HashiCorp VaultService token (hvs.), Batch token (hvb.)
DigitalOceanPersonal Access Token (dop_v1_)
VercelAPI Token (vercel_)
CloudflareAPI Token (CF_)
HuggingFaceAPI Token (hf_)
ShopifyCustom App (shpca_), Private App (shppa_), Access Token (shpat_)
Genericpassword= secret= api_key= token= auth= and their YAML/JSON colon variants
DjangoSECRET_KEY =
WordPressAUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT
Crypto WalletsBIP-39 mnemonic (12/15/18/21/24 words, validated against 2048-word dictionary)

Custom signatures can be added in .sentinel.yaml and are compiled into the same automaton at startup — no performance overhead.


Installation

Download the binary for your platform from the Releases page:

# Replace <version> and <arch>  e.g.  linux-amd64  linux-arm64  darwin-amd64  darwin-arm64
wget https://github.com/sentinel-cli/sentinel/releases/download/<version>/sentinel-<version>-<arch> -O sentinel
chmod +x sentinel
mv sentinel /usr/local/bin/       # Linux / macOS
# mv sentinel $PREFIX/bin/        # Termux (Android)
sentinel version

Go Install

go install github.com/sentinel-cli/sentinel/v2/cmd/sentinel@latest

Build from Source

git clone https://github.com/sentinel-cli/sentinel.git
cd sentinel
make build            # outputs to dist/sentinel
./dist/sentinel version

Git Hook Setup

Protect the current repository:

sentinel install          # installs .git/hooks/pre-commit
sentinel install --force  # overwrites an existing hook

Protect every repository on this machine (global):

sentinel install --global
# Creates ~/.config/sentinel/hooks/pre-commit
# Runs: git config --global core.hooksPath ~/.config/sentinel/hooks

Remove global hook:

git config --global --unset core.hooksPath

Full uninstall — removes binary, hooks, and config directory:

sentinel uninstall

Native pre-commit Framework

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/sentinel-cli/sentinel
    rev: v2.0.6 # Replace with the latest release version
    hooks:
      - id: sentinel

Configuration

Sentinel searches for .sentinel.yaml in this order:

  1. --config / -c flag value
  2. .sentinel.yaml in the current working directory (repository root)
  3. ~/.sentinel.yaml in the home directory

With no config file, built-in defaults apply. The file is merged on top of defaults, so omitted fields keep their default values.

Full configuration reference
# Shannon entropy threshold (bits/symbol). Range: 0.0 to 8.0.
# Raise to reduce false positives. Lower to increase sensitivity.
# Default: 4.5
entropy_threshold: 4.5

# Minimum token length for entropy analysis.
# Tokens shorter than this produce unreliable scores.
# Default: 20
min_secret_length: 20

# Maximum file size to scan. Files exceeding this are skipped.
# Default: 10485760 (10 MB)
max_file_size_bytes: 10485760

# Whether to scan binary files (detected by null-byte in first 8 KB).
# Default: false
scan_binary_files: false

# Glob patterns (relative to repo root) to skip entirely.
# Default list below:
exclude_paths:
  - "vendor/**"
  - "node_modules/**"
  - "*.lock"
  - "go.sum"
  - "package-lock.json"
  - "**/locales/**"
  - "**/i18n/**"

# File extensions to skip (case-insensitive).
# Default includes images, fonts, audio, video, archives, binaries, office documents.
exclude_extensions:
  - ".png"
  - ".jpg"
  - ".jpeg"
  - ".gif"
  - ".bmp"
  - ".ico"
  - ".svg"
  - ".woff"
  - ".woff2"
  - ".ttf"
  - ".eot"
  - ".mp4"
  - ".webm"
  - ".mp3"
  - ".ogg"
  - ".zip"
  - ".tar"
  - ".gz"
  - ".bz2"
  - ".xz"
  - ".7z"
  - ".pdf"
  - ".doc"
  - ".docx"
  - ".xls"
  - ".xlsx"
  - ".exe"
  - ".dll"
  - ".so"
  - ".dylib"
  - ".a"
  - ".o"
  - ".css"
  - ".scss"
  - ".csv"
  - ".hex"
  - ".eml"
  - ".msg"
  - ".mbox"
  - ".vcf"
  - ".ics"

# Allowlist: findings whose token matches are silently ignored.
# Supports exact strings and filepath.Match glob patterns.
allowlist_patterns:
  - "AKIAIOSFODNN7EXAMPLE"
  - "sk_test_*"
  - "*-dummy-token-*"

# Disable individual detection tiers. Use with caution.
disable_tiers:
  trie: false     # disables Tier 1 Aho-Corasick matching
  entropy: false  # disables Tier 2 entropy analysis
  context: false  # disables Tier 3 suppression — expect many false positives

# Stop after the first finding. Useful in CI fail-fast loops.
fail_fast: false

# Print debug output to stderr.
verbose: false

# Custom signatures compiled into the Aho-Corasick automaton alongside builtins.
# Severity must be one of: CRITICAL, HIGH, MEDIUM, LOW  (defaults to HIGH if omitted).
custom_signatures:
  - id: "internal-api-key"
    description: "Proprietary internal service credential"
    prefix: "mycompany_key_"
    severity: "CRITICAL"
    regex: "^mycompany_key_[a-zA-Z0-9]{32}$"

Entropy Threshold Reference

ValueBehavior
3.0Very sensitive — may flag base32 identifiers
3.5High sensitivity — catches most secrets, slightly elevated noise
4.5Default — cryptographically random secrets, low false-positive rate
5.0+Strict — may miss weak passwords; minimal noise

Usage

Automatic (Pre-commit Hook)

After sentinel install, the hook fires on every git commit and scans only staged content:

  • New files — full content via git show :<path>
  • Modified files — added lines only via git diff --cached -- <path>

Ad-hoc Scanning

# Single file
sentinel scan config/production.yaml

# Directory (non-recursive)
sentinel scan ./config

# Directory, recursive (skips .git, build, node_modules automatically)
sentinel scan -r ./src

# Full Git history audit (streams git log --all -p; deduplicates by token)
sentinel scan --history .

# JSON output — written to stdout for piping
sentinel scan -f json -r ./src | jq '.findings[] | select(.severity == "CRITICAL")'

# SARIF output saved directly to file (keeps pretty terminal logs)
sentinel scan -f sarif -o sentinel.sarif .

In ad-hoc mode, files are processed concurrently using max(runtime.NumCPU(), 4) goroutines. In history mode, the Git log is streamed with a 10 MB line buffer; unique findings are deduplicated by token value.

CI Integration

GitHub Actions (Official Reusable Action)

The easiest way to integrate Sentinel into your GitHub Actions workflow is by using our official reusable action. It handles Go installation, compilation cache, and scanning automatically:

- name: Run Sentinel Git Secrets Scanner
  uses: sentinel-cli/sentinel@v2
  with:
    version: 'latest' # Optional: specific version to use (e.g. 'v2.x.x')
    args: '.'         # Optional: arguments to pass (e.g. "." or "--history .")
    sarif: 'true'     # Optional: set to 'true' to export findings as a SARIF report

To upload the results to GitHub Advanced Security (Code Scanning Alerts), configure the upload step:

- name: Upload SARIF report
  if: always()
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: sentinel-results.sarif

Tip

You can inspect the official action.yml file in the root of this repository to use as a template or reference for building your own custom GitHub Actions.

# GitLab CI
sentinel-scan:
  stage: test
  image: golang:1.22
  before_script:
    - go install github.com/sentinel-cli/sentinel/v2/cmd/sentinel@latest
  script:
    # Run scan; output JSON to file and print pretty results to console
    - sentinel scan -f pretty -o sentinel-report.json .
  artifacts:
    when: always
    paths:
      - sentinel-report.json

Command Reference

sentinel run — pre-commit hook entry point

Scans staged changes only. Invoked automatically by the Git hook.

FlagDefaultDescription
-c, --configauto-detectedPath to .sentinel.yaml
-f, --formatprettypretty json plain sarif
--fail-fastfalseStop after the first finding
-v, --verbosefalseDebug output to stderr
sentinel scan [path...] — ad-hoc scanner
FlagDefaultDescription
-c, --configauto-detectedPath to .sentinel.yaml
-f, --formatprettypretty json plain sarif
-o, --outputWrite report directly to file, preserving pretty stdout logs
-r, --recursivefalseWalk subdirectories
--historyfalseScan entire Git commit history
--fail-fastfalseStop after the first finding
-v, --verbosefalseDebug output to stderr
sentinel install — hook installer
FlagDefaultDescription
--globalfalseInstall globally via core.hooksPath
--repo.Target repository root
-f, --forcefalseOverwrite existing hook
sentinel update — OTA self-updater

Downloads the latest stable release for the current OS/arch from the GitHub Releases API, verifies the binary, and atomically replaces the running executable. Falls back to go install if no pre-compiled binary matches the platform.

FlagDefaultDescription
--betafalseAllow updating to pre-release (beta) versions

A background check runs on each invocation, querying the API at most once per 24 hours. The result is cached at ~/.config/sentinel/last_check.json. A notice is printed to stderr if a newer version is available.


Output Reference

Clean (exit 0):

  SENTINEL CLEAN  --  4 file(s) scanned in 3.2ms

Blocked (exit 1):

   CRITICAL   cmd/main.go:12
               [PATTERN] GitHub Personal Access Token (classic)
               Token:  ghp_AB****************************cdef
               -> token := "ghp_AB...cdef"

   HIGH       config/settings.go:8
               [ENTROPY] High-entropy BASE64 string (entropy=6.23)
               Token:  wJalrX****************************EY
               -> AWS_SECRET = "wJalrX...EY"

---------------------------------------------------------------------
  Files scanned : 4  |  Elapsed : 5.1ms
  CRITICAL:1   HIGH:1   MEDIUM:0   LOW:0
---------------------------------------------------------------------
  COMMIT BLOCKED -- remove the secrets above and try again.

JSON schema (-f json — written to stdout):

{
  "sentinel_version": "v2.x.x",
  "status": "blocked",
  "scanned_files": 4,
  "elapsed_ms": 5,
  "findings": [
    {
      "file_path": "cmd/main.go",
      "line": 12,
      "severity": "CRITICAL",
      "tier": "PATTERN",
      "signature_id": "github-pat-classic",
      "description": "GitHub Personal Access Token (classic)",
      "token": "ghp_AB****************************cdef",
      "entropy": 5.23,
      "line_snippet": "token := \"ghp_AB...cdef\""
    }
  ]
}

When clean: "status": "clean", "findings": [].

SARIF (-f sarif — written to stdout): SARIF 2.1.0, compatible with GitHub Advanced Security Code Scanning.


False Positive Handling

Tier 3 automatically eliminates the vast majority of false positives. For persistent cases:

MethodWhen to use
sentinel:ignore commentOne-off suppression for a specific line
Safe variable name (dummy_, fake_, mock_)Test or documentation values that look like secrets
Automatic Mock Value FilterAutomatically ignores generic token rules if values contain mock/fake/test/dummy
Key File Entropy BypassSkips raw line-by-line entropy checks on key extensions (.pem, .key, .rsa, .crt, .pub)
Function Call ProtectionAutomatically filters out code function calls and methods containing parentheses
Source RHS Quote EnforcementAutomatically skips unquoted RHS tokens (variables, struct types, function calls) in source code files
allowlist_patterns in configKnown safe tokens used repeatedly across the codebase
Move to test file pathValues in tests/, testdata/, *_test.go, .md are suppressed automatically
${ENV_VAR} reference syntaxReplaced at runtime — not a hardcoded secret
exclude_paths in configEntire directories that should never be scanned
Raise entropy_thresholdCodebase has many long high-entropy non-secret identifiers
# .sentinel.yaml
allowlist_patterns:
  - "AKIAIOSFODNN7EXAMPLE"   # exact match
  - "sk_test_*"              # all Stripe test keys
  - "*-placeholder-*"

Running Tests

make test     # all tests with race detector
make bench    # benchmarks
make cover    # HTML coverage report → coverage.html
make lint     # staticcheck

Representative benchmark output (shows zero allocations on the hot scan path):

BenchmarkAutomatonBuild-8        3     195,234 ns/op    327,680 B/op
BenchmarkSearch-8             3000     341,012 ns/op          0 B/op   <- 0 allocs
BenchmarkSearchWithHit-8      2000     412,887 ns/op      3,456 B/op
BenchmarkShannonSmall-8    5000000         234 ns/op          0 B/op
BenchmarkFullPipeline-8         500   2,341,201 ns/op     12,340 B/op

Contributing

Contributions are welcome. All contributors must agree to the Contributor License Agreement. By submitting a pull request you confirm that you transfer copyright of the contribution to Khaled Hani. This protects the project's dual-licensing model.


Author

Developed by Khaled Hanihttps://t.me/A245F


License

GNU Affero General Public License v3.0.

Commercial SaaS deployment or distribution of a modified version without releasing the source under AGPL-3.0 is prohibited. See LICENSE for full terms.


Designed for security. Engineered for efficiency.