UEDF Sentinel v5.0

Real-time command and control platform for the Unified Eswatini Defence Force. Drone fleet supervision, threat detection, predictive analytics, operator-grade RBAC with 2FA, and a tamper-evident audit log. PHP 8 + MySQL on the data plane, Node.js WebSocket shim for telemetry, browser-based operator console.

Sister project to agentic-uav-stack — the C2 layer for the autonomous platform. Both subscribe to the same NATS namespace (uav.v1.*).

Pre-production. A structural security audit on 2026-05-21 found 3 Critical and 6 High findings. None are exploited, but the system must not be deployed until they are resolved. See SECURITY.md and SECURITY-AUDIT-2026-05-21.md.


Architecture

flowchart TB
  subgraph CLIENT["Operator client"]
    UI["Browser console<br/>Tactical map · charts · alerts"]
    MOB["Mobile client<br/>(future)"]
  end

  subgraph EDGE["Edge / API tier"]
    REST["PHP 8 REST<br/>api/*.php"]
    WS["Node WebSocket shim<br/>server/<br/>(mysql2 + ws)"]
    AUTH["Auth · RBAC · 2FA<br/>src/Auth.php<br/>session + Bearer"]
    AUDIT["Audit log middleware<br/>tamper-evident JSONL"]
  end

  subgraph DATA["Data tier"]
    DB[("MySQL 8<br/>uedf_sentinel<br/>operators, drones,<br/>missions, alerts,<br/>audit_log")]
    FS[("Disk<br/>uploads/ logs/ reports/")]
  end

  subgraph INTEG["Integration"]
    NATS["NATS JetStream<br/>uav.v1.* subjects"]
    AUS["agentic-uav-stack<br/>brain daemon"]
    FLEET["Drone fleet<br/>MAVLink / DDS"]
  end

  UI -->|REST| REST
  UI -->|WSS| WS
  MOB -.->|REST| REST
  REST --> AUTH
  WS --> AUTH
  REST --> AUDIT
  WS --> AUDIT
  AUTH --> DB
  AUDIT --> DB
  REST --> DB
  REST --> FS
  WS -.->|telemetry| NATS
  NATS -.-> AUS
  NATS -.-> FLEET

  classDef client fill:#0a1e2e,stroke:#06b6d4,color:#e2e8f0
  classDef edge fill:#1c0a13,stroke:#ff006e,color:#e2e8f0
  classDef data fill:#0d1525,stroke:#a78bfa,color:#e2e8f0
  classDef integ fill:#0a1e2e,stroke:#06b6d4,color:#e2e8f0
  class CLIENT,UI,MOB client
  class EDGE,REST,WS,AUTH,AUDIT edge
  class DATA,DB,FS data
  class INTEG,NATS,AUS,FLEET integ

Features

Identity, access, audit

  • RBAC — Commander, Operator, Analyst, Viewer (least-privilege defaults).
  • 2FA — TOTP per user; recovery codes; mandatory for Commander role.
  • Session policy — IP whitelist per role; configurable session timeout.
  • Audit log — every privileged action lands in audit_log and on disk (logs/audit-YYYY-MM-DD.jsonl). Tamper-evident by hash chaining.
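
How a hash-chained JSONL audit file can be written and verified, as an added example that is not the project's own code. The record layout (`prev` and `hash` fields, SHA-256 over the key-sorted record) and the function names are assumptions, since the page does not show Sentinel's actual format.

```php
<?php
declare(strict_types=1);

// Assumed record layout (not taken from the Sentinel code base): flat JSON
// objects carrying "prev" (hash of the previous record) and "hash".

function entryHash(array $entry, string $prev): string
{
    unset($entry['hash']);
    $entry['prev'] = $prev;
    ksort($entry); // fixed key order so writer and verifier hash the same bytes
    return hash('sha256', json_encode($entry, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR));
}

function appendEntry(array $lines, array $fields): array
{
    $prev = $lines === []
        ? str_repeat('0', 64) // genesis value for the first record
        : json_decode($lines[array_key_last($lines)], true, 512, JSON_THROW_ON_ERROR)['hash'];
    $fields['prev'] = $prev;
    $fields['hash'] = entryHash($fields, $prev);
    $lines[] = json_encode($fields, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
    return $lines;
}

/** Returns null if the chain is intact, else the 1-based line of the first broken link. */
function verifyChain(array $lines): ?int
{
    $prev = str_repeat('0', 64);
    foreach (array_values($lines) as $i => $line) {
        $e = json_decode($line, true);
        $ok = is_array($e)
            && is_string($e['prev'] ?? null) && is_string($e['hash'] ?? null)
            && hash_equals($prev, $e['prev'])
            && hash_equals(entryHash($e, $prev), $e['hash']);
        if (!$ok) {
            return $i + 1;
        }
        $prev = $e['hash'];
    }
    return null;
}

// Constructed sample records: verify, then alter one line and verify again.
$log = [];
$log = appendEntry($log, ['ts' => '2026-05-21T08:00:00Z', 'actor' => 'operator1', 'action' => 'login']);
$log = appendEntry($log, ['ts' => '2026-05-21T08:05:00Z', 'actor' => 'operator1', 'action' => 'mission.update']);
$log = appendEntry($log, ['ts' => '2026-05-21T08:09:00Z', 'actor' => 'commander1', 'action' => 'user.create']);
var_dump(verifyChain($log));
$log[1] = str_replace('mission.update', 'mission.view', $log[1]);
var_dump(verifyChain($log));
```

Removing records from the end of the file leaves a chain that still verifies, so the latest hash has to be recorded somewhere the file's writer cannot change.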

Drone fleet

  • Fleet inventory + per-drone state (online/offline, battery, position, last-seen).
  • Real-time tactical map (live position; geofence overlays).
  • Telemetry monitoring + alarm thresholds.
  • Drone recording library (video assets indexed in DB, files on disk).

Threat management

  • Real-time threat detection feed.
  • Threat heatmap visualisation.
  • Emergency alert system (operator-broadcast to all logged-in clients).
  • Investigation workflow with notes, attachments, escalation chain.

Analytics

  • Predictive analytics (ML v2.1) — incident-rate forecasting per region.
  • Real-time charts for fleet health and operations tempo.
  • Report generation (PDF / CSV / JSON) — daily, weekly, monthly cadences.

Administration

  • User management UI for Commander role.
  • System settings panel.
  • Audit log viewer with filters.
  • Backup / restore tooling (scripts/backup.sh, scripts/restore.sh).

System requirements

| Component | Minimum | Recommended |
|---|---|---|
| Web server | Apache 2.4 / Nginx 1.18 | Nginx 1.24 + PHP-FPM |
| PHP | 8.1 | 8.3 |
| MySQL / MariaDB | MySQL 5.7 / MariaDB 10.2 | MySQL 8.0 / MariaDB 10.11 |
| Node.js (server shim) | 18 | 20 LTS |
| RAM | 2 GB | 8 GB |
| Storage | 5 GB | 50 GB (logs + recordings) |
| Browser | Chrome 90 / Firefox 88 / Edge 90 | Chrome 120 / Firefox 121 |

Required PHP extensions: pdo, pdo_mysql, json, session, openssl, gd, curl, mbstring.


Installation

Automated installer

git clone https://github.com/CBahtaria/sentinel
cd sentinel
# Edit config/settings.php — DB credentials, base URL, debug flag
# Edit api/config.php — env-loaded secrets only (no literals)
# Visit http://your-server/sentinel/install.php and follow the wizard

Wizard steps:

  1. System requirements check
  2. Database configuration (creates uedf_sentinel database and tables)
  3. Admin account setup
  4. Initial seed (operators, default settings)
  5. Installation complete + post-install security checklist

Manual installation

# 1. Create the database
mysql -u root -p < database/schema.sql

# 2. Copy config templates and fill secrets
cp config/settings.php.example config/settings.php
cp api/config.php.example api/config.php
# Edit both — set DB creds, API base URL, mobile API key

# 3. Install Node shim dependencies
cd server && npm ci && cd ..

# 4. Start the WebSocket shim
cd server && node index.js &

# 5. Point your web server at the project root
# (Apache: <Directory> + DocumentRoot; Nginx: location / { try_files })

Post-install security checklist

Before opening to non-VPN traffic, run through SECURITY-AUDIT-2026-05-21.md:

  • Rotate the 4 default seeded users (commander/operator/analyst/viewer).
  • Move uedf-sentinel-mobile-2026 API key into .env.
  • Remove the localhost + empty-password PDO fallback.
  • Replace Access-Control-Allow-Origin: * with an explicit allowlist.
  • Grep for $db->query( with $ interpolation; convert to prepared statements.
  • Add session_regenerate_id(true) to login().
  • Set display_errors=0 in production.
  • Add CSP/STS/XCTO/XFO headers middleware to api/*.php.
  • Verify that login lockout is enforced (6 failed attempts → 429).
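
What several of these checklist items look like once applied, as an added example that is not taken from the Sentinel code base. The function names, the allowlisted origin, and the `operators` column names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed allowlist; replace with the real operator-console origin(s).
const ALLOWED_ORIGINS = ['https://console.example.org'];

/** Headers for every api/*.php response: CSP, STS, XCTO, XFO, and CORS by allowlist. */
function responseHeaders(?string $origin): array
{
    $h = [
        "Content-Security-Policy: default-src 'none'; frame-ancestors 'none'",
        'Strict-Transport-Security: max-age=31536000; includeSubDomains',
        'X-Content-Type-Options: nosniff',
        'X-Frame-Options: DENY',
    ];
    // Before: header('Access-Control-Allow-Origin: *');
    if ($origin !== null && in_array($origin, ALLOWED_ORIGINS, true)) {
        $h[] = "Access-Control-Allow-Origin: $origin";
        $h[] = 'Vary: Origin'; // caches must not reuse the response across origins
    }
    return $h;
}

/** Prepared statement in place of $db->query("... WHERE username = '$username'"). */
function findOperator(PDO $db, string $username): ?array
{
    // Column names are assumed; only the table name appears on the page.
    $stmt = $db->prepare('SELECT id, password_hash, role FROM operators WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Call once the password and TOTP code have been verified; needs an active session. */
function establishSession(array $operator): void
{
    session_regenerate_id(true); // issue a new session ID and delete the old session
    $_SESSION['uid'] = $operator['id'];
    $_SESSION['role'] = $operator['role'];
}

// Per-request wiring at the top of an API endpoint.
ini_set('display_errors', '0');
foreach (responseHeaders($_SERVER['HTTP_ORIGIN'] ?? null) as $line) {
    header($line);
}
```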

Project layout

sentinel/
├── api/                   REST endpoints (PHP)
├── modules/               Page-specific PHP handlers
├── src/                   Class hierarchy (Auth, DB, etc.)
├── includes/              Shared functions, bootstrap
├── config/                Environment + runtime config
├── database/              Schema + migrations
├── cron/                  Scheduled jobs (daily report etc.)
├── server/                Node WebSocket shim (mysql2 + ws)
├── assets/                Icons, CSS, client JS
├── uploads/               User uploads (gitignored)
├── logs/                  Runtime + audit logs (gitignored)
├── scripts/               Backup/restore + ops utilities
├── tests/                 PHPUnit tests
└── .github/               CI, dependabot, banner asset

Operational mode

UEDF Sentinel is command-and-control software for an active defence force. The threat model assumes:

  • Network-resident adversaries (nation-state and criminal).
  • Insider risk (privileged user misuse).
  • Supply-chain risk on every dependency.

Configuration defaults are conservative: 2FA mandatory for privileged roles, IP whitelist on Commander sessions, all writes audit-logged, no third-party trackers, no telemetry.


Roadmap

  • Core RBAC + 2FA + audit
  • Drone fleet inventory + tactical map
  • Real-time threat feed + heatmap
  • Report generation (PDF / CSV / JSON)
  • WebSocket telemetry shim
  • Resolve all 9 audit findings (blocker for production)
  • CSP / security headers middleware
  • Composer.json + PHPUnit harness
  • Mobile client integration
  • SIEM integration (OpenSearch / Splunk forwarder)

Contributing

This is mission software for a real defence force. External contributions are not accepted by default. Internal contributors: see the audit document for the immediate work queue, and use feature branches off develop. Code review is mandatory; nothing goes direct to main.

Security issues — see SECURITY.md. Do not open public issues for vulnerabilities.


License

Proprietary — Unified Eswatini Defence Force. All rights reserved.

