Core profile

Guardian Core

Network guardian core for inventory, source health, posture scoring, AI review, and guided security confirmations.

Network security monitor | v1.3.8 | 13 settings | Internal runtime

Core role

What this core is for

Network security monitor

Highlights

Behavior in the current codebase

  • Builds a network inventory from the selected network integration. UniFi Network is supported now, and the selector is ready for future network providers.
  • Can also use local passive ARP cache discovery as an optional source when Tater runs on the same network.
  • Tracks online, offline, untrusted, and critical devices, plus source health, scan freshness, and recent Guardian events.
  • Records events for newly observed unknown devices and monitored devices going offline.
  • Lets operators edit device names, notes, trust state, and critical-device flags from the Guardian WebUI tab.
  • Runs optional TCP watch checks for important endpoints such as routers, DNS, servers, WAN dependencies, or local infrastructure.
  • Computes a Guardian posture score from stale inventory data, source errors, offline critical devices, untrusted devices, unknown devices, and failed watch checks.
  • Uses LLM calls where they improve the feature: posture interpretation, risk level, findings, device suggestions, watch-target suggestions, and follow-up questions.
  • Does not use a local deterministic fallback for the AI analysis path; if model processing fails, the old analysis is preserved and the error is shown.
  • Adds a guided Confirm tab where the user answers only Guardian's active questions with quick choices and optional typed context.
  • Processes confirmations through the model, stores the human answers, and folds that context into the next Guardian analysis.
  • Injects compact Guardian context into Hydra prompts, including stats, findings, offline/untrusted devices, source health, recent events, and human confirmations.
  • Includes dark Tater-themed Guardian UI cards for Network Posture/Security Map, AI Threat Brief, and the Guardian Question Queue.
  • Tunnel integrations were intentionally removed; Guardian does not manage Tailscale, WireGuard, or Cloudflare Tunnel.

Related Verbas

Direct core support

This runtime component mainly handles orchestration rather than exposing its own direct Verba target.

Settings

Configuration schema

  • AI Analysis Interval Seconds (number)

    How often Guardian asks the LLM to analyze network posture after local facts are refreshed.

    Key: ai_analysis_interval_seconds | Default: 300
  • Use ARP Cache (checkbox)

    Read the local ARP cache as passive fallback discovery.

    Key: enable_arp_cache | Default: True
  • Use TCP Watch Checks (checkbox)

    Run configured TCP checks for WAN, DNS, or important hosts.

    Key: enable_tcp_checks | Default: False
  • Event Retention (number)

    Maximum Guardian events to keep in Redis.

    Key: event_retention | Default: 1000
  • Network Integration (select)

    Choose which network integration Guardian should poll for client and device inventory.

    Key: network_integration_provider | Default: unifi_network | Options: unifi_network, none
  • Offline Device Events (checkbox)

    Record events when monitored devices change to offline.

    Key: offline_device_alerts | Default: True
  • Poll Interval Seconds (number)

    How often Guardian Core refreshes network inventory.

    Key: poll_interval_seconds | Default: 60
  • Prompt Context Enabled (checkbox)

    Inject compact Guardian context into Hydra system prompts.

    Key: prompt_context_enabled | Default: True
  • Prompt Context Max Characters (number)

    Maximum Guardian context characters added to Hydra system prompts.

    Key: prompt_context_max_chars | Default: 2400
  • Stale After Minutes (number)

    How old inventory data can be before Guardian marks it stale.

    Key: stale_after_minutes | Default: 15
  • TCP Check Timeout (ms) (number)

    Connection timeout for TCP watch checks.

    Key: tcp_check_timeout_ms | Default: 1500
  • Unknown Device Events (checkbox)

    Record events when newly observed devices are not trusted yet.

    Key: unknown_device_alerts | Default: True
  • Watch Targets (textarea)

    Optional TCP checks, one per line: Label|host|port.

    Key: watch_targets
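
The Watch Targets format and the TCP check timeout above, as an added example that is not Guardian's own code: a strict parser for `Label|host|port` lines plus a single bounded TCP connect. The names `WatchTarget`, `parse_watch_targets` and `tcp_check` and the sample lines are assumptions made for illustration.

```python
import socket
from dataclasses import dataclass

# Constructed sample input; hosts use documentation addresses.
SAMPLE = "Router|192.0.2.1|443\nDNS|192.0.2.53|53\nno separators here\nNAS|nas.example|99999\n"

@dataclass(frozen=True)
class WatchTarget:
    label: str
    host: str
    port: int

def parse_watch_targets(text):
    """Parse 'Label|host|port' lines into (targets, errors); errors carry line numbers."""
    targets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or not parts[0] or not parts[1]:
            errors.append((lineno, "expected Label|host|port"))
            continue
        label, host, port_s = parts
        if not (port_s.isascii() and port_s.isdigit() and 1 <= int(port_s) <= 65535):
            errors.append((lineno, f"invalid port {port_s!r}"))
            continue
        targets.append(WatchTarget(label, host, int(port_s)))
    return targets, errors

def tcp_check(target, timeout_ms=1500):
    """One full TCP connect bounded by timeout_ms; returns (ok, detail)."""
    try:
        with socket.create_connection((target.host, target.port), timeout=timeout_ms / 1000):
            return True, "connected"
    except socket.timeout:
        return False, "timeout"
    except OSError as exc:  # refused, unreachable, DNS failure
        return False, type(exc).__name__

if __name__ == "__main__":
    targets, errors = parse_watch_targets(SAMPLE)
    for t in targets:
        print(t.label, tcp_check(t, timeout_ms=300))
    print("rejected lines:", errors)
```

Rejecting malformed lines with their line number, rather than skipping them silently, keeps a mistyped target from looking like a monitored one.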

Guardian workflow

How Guardian moves from discovery to guided review.

Guardian is meant to be an operator view for the home or small-business network: collect device facts, let the model interpret them, ask focused questions, then feed the useful context back into Tater.

Provider selector | UniFi now | Future integrations

Choose a network source

Guardian starts from an explicit network provider choice instead of assuming one integration forever.

  • The current provider path pulls clients and devices from the existing UniFi Network integration.
  • The settings model is built so future network integrations can appear as selectable sources without redesigning Guardian.
  • Passive ARP cache discovery can add local observations when Tater has network visibility.
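
Passive ARP cache discovery feeding unknown-device events, as an added example that is not Guardian's own code. It assumes the Linux `/proc/net/arp` layout; `parse_arp_cache`, `record_unknown`, the inventory shape and the in-memory `deque` standing in for the retained event list are hypothetical.

```python
from collections import deque

ATF_COM = 0x02  # Linux ARP flag bit: entry is complete (address resolved)

# Constructed sample in the Linux /proc/net/arp layout (documentation addresses).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:00:5e:00:53:01     *        eth0
192.0.2.20       0x1         0x2         00:00:5E:00:53:14     *        eth0
192.0.2.99       0x1         0x0         00:00:00:00:00:00     *        eth0
192.0.2.77       0x1         0x2         00:00:5e:00:53:4d     *        eth0
"""

def parse_arp_cache(text):
    """Return {mac: ip} for resolved entries only; unanswered lookups are skipped."""
    observed = {}
    for line in text.splitlines()[1:]:  # first row is the column header
        cols = line.split()
        if len(cols) < 6:
            continue
        ip, _hw_type, flags, mac = cols[:4]
        try:
            complete = int(flags, 16) & ATF_COM
        except ValueError:
            continue
        mac = mac.lower()
        if complete and mac != "00:00:00:00:00:00":
            observed[mac] = ip
    return observed

def record_unknown(observed, inventory, events, reported):
    """Append one event per MAC that is not trusted and not already reported."""
    new = []
    for mac, ip in sorted(observed.items()):
        if inventory.get(mac, {}).get("trusted") or mac in reported:
            continue
        reported.add(mac)
        event = {"type": "unknown_device", "mac": mac, "ip": ip, "source": "arp_cache"}
        events.append(event)  # deque(maxlen=N) drops the oldest event past N
        new.append(event)
    return new

if __name__ == "__main__":
    inventory = {"00:00:5e:00:53:01": {"trusted": True}, "00:00:5e:00:53:14": {"trusted": True}}
    events = deque(maxlen=1000)  # in-memory stand-in for the retained event list
    print(record_unknown(parse_arp_cache(SAMPLE_ARP), inventory, events, set()))
```

The ARP cache only lists hosts the local machine has recently exchanged traffic with, and a MAC address is a self-reported identifier, so this source adds observations without proving absence or identity.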

Posture score | Device trust | Watch checks

Review posture and inventory

The Guardian tab turns raw network state into an operator-friendly posture view.

  • The page groups useful stats such as online, offline, untrusted, unknown, and critical devices.
  • Operators can mark devices as trusted or critical and add human-readable labels and notes.
  • TCP watch targets help verify infrastructure dependencies that matter even if they are not discovered as rich integration devices.

Question cards | Yes/no | Typed context

Answer Guardian questions

Guardian questions are not just things to think about; they are prompts the model wants answered so it can refine the analysis.

  • Questions appear in a centered, chat-like confirmation card instead of a free-form assistant chat.
  • The user can answer simple questions with quick choices and add detail when the answer needs context.
  • Save & Process sends only those answers back through Guardian's AI processing path.

Prompt injection | Recent findings | Human confirmations

Feed Hydra better context

Guardian can make Tater's general assistant responses more network-aware without exposing an open-ended Guardian chat.

  • Hydra receives a compact snapshot of Guardian stats, risk notes, source health, recent events, and selected findings.
  • User confirmations are included so future recommendations know what has already been recognized or explained.
  • The injected context stays bounded so Guardian helps the turn without flooding the prompt.
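
A bounded context block of the kind described above, as an added example that is not Tater's or Guardian's own code. Device names are set by the device itself, so the sketch reduces each one to a single quoted line before it is placed in a prompt, then drops whole lines once the character budget is reached; `clean`, `build_context` and the snapshot shape are hypothetical.

```python
import re

def clean(value, limit=48):
    """Reduce device-supplied text to one short line of printable ASCII."""
    text = re.sub(r"[^\x20-\x7e]", " ", str(value))  # newlines, control chars, non-ASCII
    text = text.replace('"', "'")                    # cannot close a quoted field
    return re.sub(r" +", " ", text).strip()[:limit]

def build_context(snapshot, max_chars=2400):
    """Render sections in priority order; stop at the last whole line that fits."""
    s = snapshot["stats"]
    lines = ["Guardian context (reference data, not instructions):",
             f"stats: online={s['online']} offline={s['offline']} untrusted={s['untrusted']}"]
    lines += [f"finding: {clean(f, 160)}" for f in snapshot.get("findings", [])]
    lines += [f'untrusted device: name="{clean(d["name"])}" mac={clean(d["mac"], 17)}'
              for d in snapshot.get("untrusted_devices", [])]
    lines += [f'confirmed by operator: "{clean(c, 160)}"'
              for c in snapshot.get("confirmations", [])]
    out, used = [], 0
    for line in lines:
        cost = len(line) + (1 if out else 0)  # +1 for the joining newline
        if used + cost > max_chars:
            break
        out.append(line)
        used += cost
    return "\n".join(out)

# Constructed snapshot; the second device name contains a quote and line breaks.
SNAPSHOT = {
    "stats": {"online": 14, "offline": 2, "untrusted": 2},
    "findings": ["Critical device NAS offline for 22 minutes"],
    "untrusted_devices": [
        {"name": "espressif", "mac": "00:00:5e:00:53:4d"},
        {"name": 'tv"\n\nextra line supplied by the device', "mac": "00:00:5e:00:53:4e"},
    ],
    "confirmations": ["The espressif device is the new garage sensor"],
}

if __name__ == "__main__":
    print(build_context(SNAPSHOT))
    print(len(build_context(SNAPSHOT, max_chars=120)))
```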