added BE and requisites tab under endpoint agent

.claude/settings.local.json

@@ -0,0 +1,9 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(cp \"/Users/adarsh/Desktop/Screenshot 2026-04-19 at 12.35.53 PM.heic\" /tmp/ss1.heic)",
+      "Bash(cp \"/Users/adarsh/Desktop/Screenshot 2026-04-19 at 12.36.53 PM.heic\" /tmp/ss2.heic)",
+      "Bash(cp \"/Users/adarsh/Desktop/Screenshot 2026-04-19 at 12.47.26 PM.heic\" /tmp/ss3.heic)"
+    ]
+  }
+}

docs/browser-agent/_category_.json

@@ -0,0 +1,11 @@
+{
+  "label": "Browser Agent",
+  "position": 5,
+  "link": {
+    "type": "generated-index",
+    "description": "Browser extension capabilities for DLP policy enforcement, clipboard monitoring, file indexing configuration, and agent lifecycle control."
+  },
+  "customProps": {
+    "icon": "Globe"
+  }
+}

docs/browser-agent/agent-kill-switch/architecture.md

@@ -0,0 +1,81 @@
+---
+sidebar_position: 2
+sidebar_custom_props:
+  icon: Layers
+---
+
+# Architecture
+
+How the browser extension disables and re-enables the Sentinel endpoint agent at runtime — without a process restart, with state persisted across reboots.
+
+<ArchitectureDiagram
+  source={{
+    label: "Browser Extension",
+    code: `// Sent from Agent Settings in the extension
+{ "disable_agent": true  }  // disable
+{ "disable_agent": false }  // re-enable`,
+  }}
+  gateway={{
+    label: "QuilrAI Kill Switch",
+    phases: [
+      {
+        label: "Receive",
+        stages: [
+          { label: "Native Messaging", items: ["Extension sends disable signal", "Delivered over stdio pipe", "Routed to kill-switch handler"] },
+        ],
+      },
+      {
+        label: "Persist",
+        stages: [
+          { label: "State Storage", items: ["disable_agent flag written to local DB", "Survives process restarts", "Read at every agent startup"] },
+        ],
+      },
+      {
+        label: "Apply",
+        stages: [
+          { label: "Kill", items: ["All DLP event chains removed", "All services stopped", "Re-enable chain preserved"] },
+          { label: "Revive", items: ["All DLP event chains restored", "All services restarted", "Full DLP coverage resumes"] },
+        ],
+      },
+    ],
+    footer: "Persisted State  ·  No Restart Required  ·  Re-enable Always Available",
+  }}
+  destination={{
+    label: "Endpoint Agent",
+    items: ["DLP chains removed / restored", "Services stopped / started", "Re-enable always accepted", "State persists across reboots"],
+  }}
+/>
+
+## Pipeline Stages
+
+Every kill switch transition flows through these stages in order.
+
+| Stage | Description |
+|-------|-------------|
+| **Native Messaging** | The extension sends `{ "disable_agent": true }` or `{ "disable_agent": false }` over the Native Messaging pipe to the Sentinel agent. |
+| **State Storage** | The agent persists the flag to its local database immediately. The state is restored on every subsequent startup — no re-disable needed after a reboot. |
+| **Kill** | All DLP event chains are removed from the event broker and all services (clipboard monitor, file indexer) are stopped. The re-enable chain remains active. |
+| **Revive** | All DLP event chains are restored and all services are restarted. The agent resumes full operation without a process restart. |
+
+## Always-On Re-enable
+
+One channel is never removed, even when the agent is fully disabled:
+
+> `AgentUpdate:Configuration:Disable` — accepts re-enable signals from the extension at all times.
+
+This guarantees the extension can always reach the agent to restore it, even after a managed disable pushed via MDM or GPO.
+
+## Startup Enforcement
+
+When the Sentinel agent starts with the disabled flag set:
+
+| Flag | Startup Behaviour |
+|------|------------------|
+| **Enabled** | All services and DLP chains registered normally |
+| **Disabled** | All service and chain registration skipped; only the re-enable channel is active |
+
+Nothing is created and torn down — services and chains simply never come into existence in the disabled startup path.
+
+## Observability
+
+Every kill and revive transition is logged with timestamp and trigger source. Check **Agent Status** in the dashboard to verify the current state.

docs/browser-agent/agent-kill-switch/quick-start.md

@@ -0,0 +1,80 @@
+---
+sidebar_position: 1
+sidebar_custom_props:
+  icon: Rocket
+---
+
+# Quick Start
+
+Disable and re-enable the Sentinel endpoint agent from the browser extension in 4 steps.
+
+<StepFlow steps={[
+  {
+    label: "Open Agent Settings",
+    items: [
+      "Extension: Agent Settings",
+      "Status: Active",
+      "Toggle: Disable Agent",
+    ],
+  },
+  {
+    label: "Agent Disables",
+    items: [
+      "State: persisted to disk",
+      "Services: stopped",
+      "DLP chains: removed",
+    ],
+  },
+  {
+    label: "Re-enable Channel Active",
+    items: [
+      "Re-enable: always accepted",
+      "Survives reboots: ✓",
+      "No other events processed",
+    ],
+  },
+  {
+    label: "Re-enable Agent",
+    items: [
+      "Toggle: Enable Agent",
+      "Services: restarted",
+      "DLP chains: restored ✓",
+    ],
+  },
+]} />
+
+## 1. Disable the Agent
+
+Open the browser extension, navigate to **Agent Settings**, and toggle **Disable Agent**. The extension sends the disable signal to the Sentinel agent over the Native Messaging pipe.
+
+The agent responds immediately — no process restart is required.
+
+## 2. What Happens on the Endpoint
+
+| Step | Result |
+|------|--------|
+| **Flag persisted** | Disabled state written to local database — survives reboots |
+| **Services stopped** | Clipboard monitoring and file indexing pause immediately |
+| **DLP chains removed** | No clipboard, file, or network DLP events are processed |
+| **Confirmed** | Extension receives confirmation; **Agent Status** updates to Disabled |
+
+## 3. Re-enable Channel
+
+While disabled, the agent ignores all events except re-enable signals. The re-enable channel is permanently preserved and cannot be removed — the extension can always reach the agent to restore it.
+
+If the endpoint reboots while disabled, the agent starts in the disabled state automatically. No action is required to maintain the disabled state across restarts.
+
+## 4. Re-enable the Agent
+
+Toggle **Enable Agent** in the extension. All services and DLP chains are restored without a process restart.
+
+| Step | Result |
+|------|--------|
+| **Flag cleared** | Enabled state written to local database |
+| **Services restarted** | Clipboard monitoring and file indexing resume |
+| **DLP chains restored** | Full event processing resumes immediately |
+| **Confirmed** | Extension receives confirmation; **Agent Status** updates to Active |
+
+---
+
+**Next step:** See the [Architecture](./architecture) for the full disable and startup enforcement details.

docs/browser-agent/clipboard/_category_.json

@@ -0,0 +1,11 @@
+{
+  "label": "Clipboard Monitor",
+  "position": 1,
+  "link": {
+    "type": "generated-index",
+    "description": "Intercept OS clipboard copy events, forward content metadata to the browser extension policy engine, and enforce allow, block, or prompt decisions in real time."
+  },
+  "customProps": {
+    "icon": "Clipboard"
+  }
+}

docs/browser-agent/clipboard/architecture.md

@@ -0,0 +1,82 @@
+---
+sidebar_position: 2
+sidebar_custom_props:
+  icon: Layers
+---
+
+# Architecture
+
+How the QuilrAI Clipboard Monitor intercepts clipboard events on the endpoint, enforces DLP policies from the browser extension, and takes action without interrupting the user.
+
+<ArchitectureDiagram
+  source={{
+    label: "Endpoint Clipboard",
+    code: `# Clipboard monitoring settings
+Monitor text:   ✓ enabled
+Monitor files:  — disabled
+Monitor images: — disabled
+Debounce:       100 ms
+Max payload:    10 KB`,
+  }}
+  gateway={{
+    label: "QuilrAI Clipboard Monitor",
+    phases: [
+      {
+        label: "Detect",
+        stages: [
+          { label: "OS Hook", items: ["WinAPI notification (Windows)", "NSPasteboard polling (macOS)", "Text / file / image types"] },
+          { label: "Filter", items: ["Debounce window", "Content-type gates", "Payload size cap"] },
+        ],
+      },
+      {
+        label: "Inspect",
+        stages: [
+          { label: "Forward to Extension", items: ["Content metadata + type", "Size-capped payload", "Native Messaging pipe"] },
+          { label: "Policy Evaluation", items: ["DLP rule match", "Allow / Block / Prompt", "User identity context"] },
+        ],
+      },
+      {
+        label: "Enforce",
+        stages: [
+          { label: "Allow", items: ["Clipboard operation completes", "Event logged silently"] },
+          { label: "Block", items: ["Clipboard cleared on endpoint", "User notified"] },
+          { label: "Prompt", items: ["Native OS dialog shown", "Justification captured and logged"] },
+        ],
+      },
+    ],
+    footer: "Logging  ·  Debounce  ·  Cross-platform  ·  Native Messaging",
+  }}
+  destination={{
+    label: "Browser Extension",
+    items: ["DLP Rule Evaluation", "Allow", "Block", "Prompt", "Audit Logs"],
+  }}
+/>
+
+## Pipeline Stages
+
+Every clipboard event flows through these stages in order. Each stage is independently configurable from the dashboard.
+
+| Stage | Description |
+|-------|-------------|
+| **OS Hook** | Intercepts native clipboard-change notifications on Windows and macOS. |
+| **Filter** | Suppresses events within the debounce window and applies content-type gates and payload size cap. |
+| **Forward to Extension** | Sends content metadata to the browser extension over the Native Messaging pipe for policy evaluation. |
+| **Policy Evaluation** | The extension evaluates DLP rules against the clipboard payload and returns Allow, Block, or Prompt. |
+| **Enforce** | The endpoint executes the decision — clears clipboard on block, shows a native dialog on prompt. |
+
+## Response Path
+
+Policy decisions from the browser extension flow back through the **enforcement layer** before any action is taken. The same DLP rule set applies to all content types (text, files, images).
+
+## Platform Support
+
+| Platform | Hook Mechanism | Justification UI |
+|----------|---------------|-----------------|
+| **macOS** | NSPasteboard change-count polling | Native Cocoa dialog |
+| **Windows** | WinAPI clipboard-change notification | Windows message-based dialog |
+
+macOS requires **Accessibility permission** for the Sentinel process.
+
+## Observability
+
+Every clipboard event is logged with content type, policy decision, and enforcement outcome. Check **Logs under Clipboard Monitor** to review activity.

docs/browser-agent/clipboard/quick-start.md

@@ -0,0 +1,92 @@
+---
+sidebar_position: 1
+sidebar_custom_props:
+  icon: Rocket
+---
+
+# Quick Start
+
+Get up and running with Clipboard Monitoring in 4 steps.
+
+<StepFlow steps={[
+  {
+    label: "Enable Monitor",
+    items: [
+      "Platform: macOS / Windows",
+      "Content: text enabled",
+      "Status: active ✓",
+    ],
+  },
+  {
+    label: "Choose Content Types",
+    items: [
+      "Text: ✓ monitored",
+      "Files: — off by default",
+      "Images: — off by default",
+    ],
+  },
+  {
+    label: "Set DLP Policies",
+    items: [
+      "PII detected: block",
+      "Credentials: block",
+      "Custom rules: configurable",
+    ],
+  },
+  {
+    label: "Monitor Events",
+    items: [
+      "Events forwarded: 142",
+      "Blocked: 3",
+      "Prompted: 1",
+    ],
+  },
+]} />
+
+## 1. Enable the Monitor
+
+The clipboard monitor runs as part of the Sentinel endpoint agent and starts automatically on deployment.
+
+| Platform | Requirement |
+|----------|------------|
+| **macOS** | Grant **Accessibility permission** to the Sentinel process in System Settings → Privacy & Security |
+| **Windows** | No additional permissions required |
+
+Deploy the Sentinel agent via MDM or GPO. The clipboard monitor activates immediately.
+
+## 2. Choose Content Types
+
+Navigate to **Clipboard Monitor → Settings** in the dashboard to configure which clipboard operations to intercept.
+
+| Setting | Default | Description |
+|---------|---------|-------------|
+| **Monitor text** | On | Captures plain text and rich-text clipboard copies |
+| **Monitor files** | Off | Captures file-path clipboard events |
+| **Monitor images** | Off | Captures image clipboard events |
+| **Debounce window** | 100 ms | Suppresses repeated events within this window |
+| **Max payload size** | 10 KB | Payload forwarded to the extension is capped at this size |
+
+Changes are pushed to the endpoint agent and take effect on the next agent restart.
+
+## 3. Set DLP Policies
+
+Define rules in the browser extension under **DLP Policies → Clipboard**. Rules match on content category, size, or custom regex patterns.
+
+| Action | What Happens |
+|--------|-------------|
+| **Allow** | Clipboard operation completes silently; event is logged |
+| **Block** | Endpoint clears the clipboard; user is notified |
+| **Prompt** | Native OS dialog asks the user for a justification before continuing |
+
+## 4. Monitor Events
+
+Check **Logs under Clipboard Monitor** to verify events are flowing and policies are being enforced.
+
+- **Event volume**: clipboard events detected and forwarded per hour
+- **Policy decisions**: allow, block, and prompt counts by content type
+- **Justification text**: user responses to prompted events
+- **Enforcement outcomes**: confirmation of block and clear actions on the endpoint
+
+---
+
+**Next step:** See the [Architecture](./architecture) for the full detection and enforcement pipeline.

docs/browser-agent/indexing/_category_.json

@@ -0,0 +1,11 @@
+{
+  "label": "File Indexing",
+  "position": 2,
+  "link": {
+    "type": "generated-index",
+    "description": "Configure and manage the endpoint file index from the browser extension. Drives DLP file-path resolution for upload and download scanning."
+  },
+  "customProps": {
+    "icon": "Database"
+  }
+}