T3 · SRE / platform — the deterministic-core pattern at its sharpest. Approved overrides merge into the baseline (RFC 7396), the live config diffs against THAT (RFC 6902), blake3 fingerprints the evidence — and the LLM’s only job is explaining the patch to a human at 3am.
The job
"Did anyone change prod config without telling us?" Pure-diff monitors page you for every sanctioned change too, which means alert fatigue. This sentinel knows what was approved: it reconstructs the EXPECTED state first, so the diff contains only the drift nobody signed off on.

The shape
The file
t3-config-drift-sentinel.nika.yaml
How it works
RFC 7396 reconstructs the sanctioned state

nika:json_merge_patch applies the approved overrides to the baseline. A null value deletes a key, exactly per the RFC. This is the builtin that jq's recursive merge can't replace.

RFC 6902 names what actually changed

nika:json_diff returns a standard JSON Patch: machine-readable operations, not a text diff. Empty patch = healthy prod = total silence.

Constructs you just used
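The two-step logic above (merge the approved overrides into the baseline per RFC 7396, then diff live prod against that expected state per RFC 6902), as an added stand-alone example. This is illustrative code, not the nika builtins; the baseline, approved override and live snapshots are constructed sample data.

```python
# Added example: RFC 7396 merge patch to rebuild the sanctioned state,
# then a minimal RFC 6902 diff of live config against it.
# Not the nika:json_merge_patch / nika:json_diff builtins themselves.
from typing import Any


def json_merge_patch(target: Any, patch: Any) -> Any:
    """RFC 7396: objects merge recursively, null deletes a key,
    any non-object patch replaces the target wholesale."""
    if not isinstance(patch, dict):
        return patch
    result = dict(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)          # null means "remove this key"
        else:
            result[key] = json_merge_patch(result.get(key), value)
    return result


def json_diff(expected: Any, live: Any, path: str = "") -> list[dict]:
    """Minimal RFC 6902 generator: add/remove/replace over objects;
    arrays and scalars are compared (and replaced) as a whole."""
    if isinstance(expected, dict) and isinstance(live, dict):
        ops: list[dict] = []
        for key in sorted(set(expected) | set(live)):
            # RFC 6901 pointer escaping: ~ -> ~0, / -> ~1
            p = f"{path}/{key.replace('~', '~0').replace('/', '~1')}"
            if key not in live:
                ops.append({"op": "remove", "path": p})
            elif key not in expected:
                ops.append({"op": "add", "path": p, "value": live[key]})
            else:
                ops.extend(json_diff(expected[key], live[key], p))
        return ops
    if expected != live:
        return [{"op": "replace", "path": path, "value": live}]
    return []                               # identical: empty patch = silence


def drift(baseline: dict, approved: dict, live: dict) -> list[dict]:
    """Only the changes nobody signed off on: live vs. the sanctioned state."""
    return json_diff(json_merge_patch(baseline, approved), live)


# Constructed sample data: approved change raises replicas and removes debug.
BASELINE = {"replicas": 2, "debug": True, "db": {"host": "db.internal", "pool": 10}}
APPROVED = {"replicas": 4, "debug": None}
LIVE_OK = {"replicas": 4, "db": {"host": "db.internal", "pool": 10}}
LIVE_DRIFT = {"replicas": 4, "db": {"host": "db.internal", "pool": 50}, "feature_x": True}
```

Running `drift(BASELINE, APPROVED, LIVE_OK)` yields an empty list, while `LIVE_DRIFT` produces only the unapproved pool change and the new key, never the sanctioned replica bump.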
Make it yours
- Run it every 15 minutes from your scheduler; the record event stream becomes your drift history.
- Watch N services: lift the URL + baseline into a list and for_each the whole sentinel body.
- Auto-remediate the SAFE class: a when: branch that opens a revert PR via your MCP git server.
Next · PR review fan-out
One read-only agent per changed file, the swarm pattern, with a deterministic grep sweep beside it.