@misterhuydo/sentinel 1.0.0 → 1.0.1

package/lib/generate.js

@@ -5,15 +5,21 @@ const path = require('path');
 
 // ── Per-project files ─────────────────────────────────────────────────────────
 
-function writeExampleProject(projectDir, codeDir, pythonBin) {
+function writeExampleProject(projectDir, codeDir, pythonBin, anthropicKey = '') {
   const configDir = path.join(projectDir, 'config', 'log-configs');
   const repoDir   = path.join(projectDir, 'config', 'repo-configs');
   fs.ensureDirSync(configDir);
   fs.ensureDirSync(repoDir);
 
-  // Copy example config templates from bundled python/
   const tplDir = path.join(__dirname, '..', 'templates');
-  fs.copySync(path.join(tplDir, 'sentinel.properties'),     path.join(projectDir, 'config', 'sentinel.properties'));
+  // Inject API key into sentinel.properties if provided
+  let sentinelProps = fs.readFileSync(path.join(tplDir, 'sentinel.properties'), 'utf8');
+  if (anthropicKey) {
+    sentinelProps += `\n# Anthropic API key for Claude Code (headless server auth)\nANTHROPIC_API_KEY=${anthropicKey}\n`;
+  } else {
+    sentinelProps += `\n# Anthropic API key — set this if using API key auth, or leave blank for OAuth\n# ANTHROPIC_API_KEY=sk-ant-...\n`;
+  }
+  fs.writeFileSync(path.join(projectDir, 'config', 'sentinel.properties'), sentinelProps);
   fs.copySync(path.join(tplDir, 'log-configs', '_example.properties'), path.join(configDir, '_example.properties'));
   fs.copySync(path.join(tplDir, 'repo-configs', '_example.properties'), path.join(repoDir,   '_example.properties'));
 

package/lib/init.js

@@ -23,6 +23,22 @@ module.exports = async function init() {
       initial: path.join(os.homedir(), 'sentinel'),
       format: v => v.replace(/^~/, os.homedir()),
     },
+    {
+      type: 'select',
+      name: 'authMode',
+      message: 'How will Claude Code authenticate?',
+      choices: [
+        { title: 'API key  (Anthropic API account — recommended for servers)', value: 'apikey' },
+        { title: 'Claude Pro / OAuth  (will give you a URL to open in any browser)', value: 'oauth' },
+        { title: 'Skip  (I will configure this later)', value: 'skip' },
+      ],
+    },
+    {
+      type: prev => prev === 'apikey' ? 'password' : null,
+      name: 'anthropicKey',
+      message: 'Anthropic API key (sk-ant-...)',
+      validate: v => v.startsWith('sk-ant-') ? true : 'Key should start with sk-ant-',
+    },
     {
       type: 'confirm',
       name: 'example',
@@ -37,7 +53,7 @@ module.exports = async function init() {
     },
   ], { onCancel: () => process.exit(0) });
 
-  const { workspace, example, systemd } = answers;
+  const { workspace, authMode, anthropicKey, example, systemd } = answers;
   const codeDir = path.join(workspace, 'code');
 
   // ── Python ──────────────────────────────────────────────────────────────────
@@ -80,6 +96,18 @@ module.exports = async function init() {
   installNpmGlobal('@misterhuydo/cairn-mcp', 'cairn');
   installNpmGlobal('@anthropic-ai/claude-code', 'claude');
 
+  // ── Claude Code auth ─────────────────────────────────────────────────────────
+  step('Claude Code authentication…');
+  if (authMode === 'apikey' && anthropicKey) {
+    ok('API key will be written to each project\'s sentinel.properties');
+  } else if (authMode === 'oauth') {
+    console.log(chalk.yellow('\n  Claude Code will print a URL — open it in any browser to complete login.\n'));
+    spawnSync('claude', ['--print', 'hi'], { stdio: 'inherit', env: process.env });
+    ok('Claude Code authenticated (OAuth token stored in ~/.claude/)');
+  } else {
+    warn('Skipping auth — run "claude" manually on this server to authenticate when ready');
+  }
+
   // ── Workspace structure ─────────────────────────────────────────────────────
   step('Creating workspace…');
   fs.ensureDirSync(workspace);
@@ -89,7 +117,7 @@ module.exports = async function init() {
   if (example) {
     step('Creating example project…');
     const exampleDir = path.join(workspace, 'my-project');
-    writeExampleProject(exampleDir, codeDir, pythonBin);
+    writeExampleProject(exampleDir, codeDir, pythonBin, anthropicKey || '');
     ok(`Example project: ${exampleDir}`);
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/config_loader.py

@@ -1,174 +1,176 @@
-"""
-config_loader.py — Load and hot-reload all .properties config files.
-"""
-
-import logging
-import signal
-from dataclasses import dataclass, field
-from pathlib import Path
-from typing import Optional
-
-logger = logging.getLogger(__name__)
-
-
-def _parse_properties(path: str) -> dict[str, str]:
-    result = {}
-    with open(path, encoding="utf-8") as f:
-        for raw in f:
-            line = raw.strip()
-            if not line or line.startswith("#"):
-                continue
-            if "=" not in line:
-                continue
-            key, _, val = line.partition("=")
-            key = key.strip()
-            val = val.partition("#")[0].strip()
-            if key:
-                result[key] = val
-    return result
-
-
-def _csv(val: str) -> list[str]:
-    return [v.strip() for v in val.split(",") if v.strip()]
-
-
-# ── Typed config objects ──────────────────────────────────────────────────────
-
-@dataclass
-class SentinelConfig:
-    poll_interval_seconds: int = 120
-    smtp_host: str = ""
-    smtp_port: int = 587
-    smtp_user: str = ""
-    smtp_password: str = ""
-    report_recipients: list[str] = field(default_factory=list)
-    report_interval_hours: int = 6
-    state_db: str = "./sentinel.db"
-    workspace_dir: str = "./workspace"
-    claude_code_bin: str = "claude"
-    github_token: str = ""
-    fix_confidence_threshold: float = 0.7
-    log_retention_hours: int = 48
-
-
-@dataclass
-class LogSourceConfig:
-    name: str = ""        # derived from filename stem
-    source_type: str = "ssh"
-    # SSH
-    key: str = ""
-    hosts: list[str] = field(default_factory=list)
-    logs: list[str] = field(default_factory=list)
-    remote_service_user: str = ""
-    grep_filter: str = ""
-    grep_exclude: str = ""
-    tail: Optional[int] = None
-    head: Optional[int] = None
-    # Cloudflare
-    cf_url: str = ""
-    cf_token: str = ""
-
-
-@dataclass
-class RepoConfig:
-    repo_name: str = ""   # derived from filename stem
-    repo_url: str = ""
-    local_path: str = ""
-    branch: str = "main"
-    auto_publish: bool = False
-    cicd_type: str = ""
-    cicd_job_url: str = ""
-    cicd_token: str = ""
-
-
-# ── Loader ────────────────────────────────────────────────────────────────────
-
-class ConfigLoader:
-    def __init__(self, config_dir: str = "./config"):
-        self.config_dir = Path(config_dir)
-        self.sentinel: SentinelConfig = SentinelConfig()
-        self.log_sources: dict[str, LogSourceConfig] = {}
-        self.repos: dict[str, RepoConfig] = {}
-        self.load()
-        self._register_sighup()
-
-    def load(self):
-        self._load_sentinel()
-        self._load_log_sources()
-        self._load_repos()
-        logger.info(
-            "Config loaded: %d log-config(s), %d repo-config(s)",
-            len(self.log_sources), len(self.repos),
-        )
-
-    def _load_sentinel(self):
-        path = self.config_dir / "sentinel.properties"
-        if not path.exists():
-            logger.warning("sentinel.properties not found at %s", path)
-            return
-        d = _parse_properties(str(path))
-        c = SentinelConfig()
-        c.poll_interval_seconds = int(d.get("POLL_INTERVAL_SECONDS", 120))
-        c.smtp_host = d.get("SMTP_HOST", "")
-        c.smtp_port = int(d.get("SMTP_PORT", 587))
-        c.smtp_user = d.get("SMTP_USER", "")
-        c.smtp_password = d.get("SMTP_PASSWORD", "")
-        c.report_recipients = _csv(d.get("REPORT_RECIPIENTS", ""))
-        c.report_interval_hours = int(d.get("REPORT_INTERVAL_HOURS", 6))
-        c.state_db = d.get("STATE_DB", "./sentinel.db")
-        c.workspace_dir = d.get("WORKSPACE_DIR", "./workspace")
-        c.claude_code_bin = d.get("CLAUDE_CODE_BIN", "claude")
-        c.github_token = d.get("GITHUB_TOKEN", "")
-        c.fix_confidence_threshold = float(d.get("FIX_CONFIDENCE_THRESHOLD", 0.7))
-        c.log_retention_hours = int(d.get("LOG_RETENTION_HOURS", 48))
-        self.sentinel = c
-
-    def _load_log_sources(self):
-        sources_dir = self.config_dir / "log-configs"
-        if not sources_dir.exists():
-            return
-        self.log_sources = {}
-        for path in sorted(sources_dir.glob("*.properties")):
-            d = _parse_properties(str(path))
-            s = LogSourceConfig()
-            s.name = path.stem
-            s.source_type = d.get("SOURCE_TYPE", "ssh").lower()
-            s.key = d.get("KEY", "")
-            s.hosts = _csv(d.get("HOSTS", ""))
-            s.logs = _csv(d.get("LOGS", ""))
-            s.remote_service_user = d.get("REMOTE_SERVICE_USER", path.stem)
-            s.grep_filter = d.get("GREP_FILTER", "")
-            s.grep_exclude = d.get("GREP_EXCLUDE", "")
-            s.tail = int(d["TAIL"]) if "TAIL" in d else None
-            s.head = int(d["HEAD"]) if "HEAD" in d else None
-            s.cf_url = d.get("CF_URL", "")
-            s.cf_token = d.get("CF_TOKEN", "")
-            self.log_sources[s.name] = s
-
-    def _load_repos(self):
-        repos_dir = self.config_dir / "repo-configs"
-        if not repos_dir.exists():
-            return
-        self.repos = {}
-        for path in sorted(repos_dir.glob("*.properties")):
-            d = _parse_properties(str(path))
-            r = RepoConfig()
-            r.repo_name = path.stem
-            r.repo_url = d.get("REPO_URL", "")
-            r.local_path = d.get("LOCAL_PATH", "")
-            r.branch = d.get("BRANCH", "main")
-            r.auto_publish = d.get("AUTO_PUBLISH", "false").lower() == "true"
-            r.cicd_type = d.get("CICD_TYPE", "")
-            r.cicd_job_url = d.get("CICD_JOB_URL", "")
-            r.cicd_token = d.get("CICD_TOKEN", "")
-            self.repos[r.repo_name] = r
-
-    def _register_sighup(self):
-        try:
-            signal.signal(signal.SIGHUP, self._on_sighup)
-        except (OSError, AttributeError):
-            pass
-
-    def _on_sighup(self, *_):
-        logger.info("SIGHUP received — reloading config")
-        self.load()
+"""
+config_loader.py — Load and hot-reload all .properties config files.
+"""
+
+import logging
+import signal
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Optional
+
+logger = logging.getLogger(__name__)
+
+
+def _parse_properties(path: str) -> dict[str, str]:
+    result = {}
+    with open(path, encoding="utf-8") as f:
+        for raw in f:
+            line = raw.strip()
+            if not line or line.startswith("#"):
+                continue
+            if "=" not in line:
+                continue
+            key, _, val = line.partition("=")
+            key = key.strip()
+            val = val.partition("#")[0].strip()
+            if key:
+                result[key] = val
+    return result
+
+
+def _csv(val: str) -> list[str]:
+    return [v.strip() for v in val.split(",") if v.strip()]
+
+
+# ── Typed config objects ──────────────────────────────────────────────────────
+
+@dataclass
+class SentinelConfig:
+    poll_interval_seconds: int = 120
+    smtp_host: str = ""
+    smtp_port: int = 587
+    smtp_user: str = ""
+    smtp_password: str = ""
+    report_recipients: list[str] = field(default_factory=list)
+    report_interval_hours: int = 6
+    state_db: str = "./sentinel.db"
+    workspace_dir: str = "./workspace"
+    claude_code_bin: str = "claude"
+    github_token: str = ""
+    fix_confidence_threshold: float = 0.7
+    log_retention_hours: int = 48
+    anthropic_api_key: str = ""
+
+
+@dataclass
+class LogSourceConfig:
+    name: str = ""        # derived from filename stem
+    source_type: str = "ssh"
+    # SSH
+    key: str = ""
+    hosts: list[str] = field(default_factory=list)
+    logs: list[str] = field(default_factory=list)
+    remote_service_user: str = ""
+    grep_filter: str = ""
+    grep_exclude: str = ""
+    tail: Optional[int] = None
+    head: Optional[int] = None
+    # Cloudflare
+    cf_url: str = ""
+    cf_token: str = ""
+
+
+@dataclass
+class RepoConfig:
+    repo_name: str = ""   # derived from filename stem
+    repo_url: str = ""
+    local_path: str = ""
+    branch: str = "main"
+    auto_publish: bool = False
+    cicd_type: str = ""
+    cicd_job_url: str = ""
+    cicd_token: str = ""
+
+
+# ── Loader ────────────────────────────────────────────────────────────────────
+
+class ConfigLoader:
+    def __init__(self, config_dir: str = "./config"):
+        self.config_dir = Path(config_dir)
+        self.sentinel: SentinelConfig = SentinelConfig()
+        self.log_sources: dict[str, LogSourceConfig] = {}
+        self.repos: dict[str, RepoConfig] = {}
+        self.load()
+        self._register_sighup()
+
+    def load(self):
+        self._load_sentinel()
+        self._load_log_sources()
+        self._load_repos()
+        logger.info(
+            "Config loaded: %d log-config(s), %d repo-config(s)",
+            len(self.log_sources), len(self.repos),
+        )
+
+    def _load_sentinel(self):
+        path = self.config_dir / "sentinel.properties"
+        if not path.exists():
+            logger.warning("sentinel.properties not found at %s", path)
+            return
+        d = _parse_properties(str(path))
+        c = SentinelConfig()
+        c.poll_interval_seconds = int(d.get("POLL_INTERVAL_SECONDS", 120))
+        c.smtp_host = d.get("SMTP_HOST", "")
+        c.smtp_port = int(d.get("SMTP_PORT", 587))
+        c.smtp_user = d.get("SMTP_USER", "")
+        c.smtp_password = d.get("SMTP_PASSWORD", "")
+        c.report_recipients = _csv(d.get("REPORT_RECIPIENTS", ""))
+        c.report_interval_hours = int(d.get("REPORT_INTERVAL_HOURS", 6))
+        c.state_db = d.get("STATE_DB", "./sentinel.db")
+        c.workspace_dir = d.get("WORKSPACE_DIR", "./workspace")
+        c.claude_code_bin = d.get("CLAUDE_CODE_BIN", "claude")
+        c.github_token = d.get("GITHUB_TOKEN", "")
+        c.fix_confidence_threshold = float(d.get("FIX_CONFIDENCE_THRESHOLD", 0.7))
+        c.log_retention_hours = int(d.get("LOG_RETENTION_HOURS", 48))
+        c.anthropic_api_key = d.get("ANTHROPIC_API_KEY", "")
+        self.sentinel = c
+
+    def _load_log_sources(self):
+        sources_dir = self.config_dir / "log-configs"
+        if not sources_dir.exists():
+            return
+        self.log_sources = {}
+        for path in sorted(sources_dir.glob("*.properties")):
+            d = _parse_properties(str(path))
+            s = LogSourceConfig()
+            s.name = path.stem
+            s.source_type = d.get("SOURCE_TYPE", "ssh").lower()
+            s.key = d.get("KEY", "")
+            s.hosts = _csv(d.get("HOSTS", ""))
+            s.logs = _csv(d.get("LOGS", ""))
+            s.remote_service_user = d.get("REMOTE_SERVICE_USER", path.stem)
+            s.grep_filter = d.get("GREP_FILTER", "")
+            s.grep_exclude = d.get("GREP_EXCLUDE", "")
+            s.tail = int(d["TAIL"]) if "TAIL" in d else None
+            s.head = int(d["HEAD"]) if "HEAD" in d else None
+            s.cf_url = d.get("CF_URL", "")
+            s.cf_token = d.get("CF_TOKEN", "")
+            self.log_sources[s.name] = s
+
+    def _load_repos(self):
+        repos_dir = self.config_dir / "repo-configs"
+        if not repos_dir.exists():
+            return
+        self.repos = {}
+        for path in sorted(repos_dir.glob("*.properties")):
+            d = _parse_properties(str(path))
+            r = RepoConfig()
+            r.repo_name = path.stem
+            r.repo_url = d.get("REPO_URL", "")
+            r.local_path = d.get("LOCAL_PATH", "")
+            r.branch = d.get("BRANCH", "main")
+            r.auto_publish = d.get("AUTO_PUBLISH", "false").lower() == "true"
+            r.cicd_type = d.get("CICD_TYPE", "")
+            r.cicd_job_url = d.get("CICD_JOB_URL", "")
+            r.cicd_token = d.get("CICD_TOKEN", "")
+            self.repos[r.repo_name] = r
+
+    def _register_sighup(self):
+        try:
+            signal.signal(signal.SIGHUP, self._on_sighup)
+        except (OSError, AttributeError):
+            pass
+
+    def _on_sighup(self, *_):
+        logger.info("SIGHUP received — reloading config")
+        self.load()

package/python/sentinel/fix_engine.py

@@ -1,123 +1,127 @@
-"""
-fix_engine.py — Generate code fixes via Claude Code (headless).
-
-Invokes: claude --print "<prompt>" 2>&1
-
-Cairn MCP context is fetched automatically by Claude Code via its MCP tool
-connection — Sentinel does not need to query or inject it explicitly.
-"""
-
-import logging
-import re
-import subprocess
-import textwrap
-from pathlib import Path
-
-from .config_loader import RepoConfig, SentinelConfig
-from .log_parser import ErrorEvent
-
-logger = logging.getLogger(__name__)
-
-SUBPROCESS_TIMEOUT = 120
-MAX_FILES_IN_PATCH = 5
-MAX_LINES_IN_PATCH = 200
-
-_DIFF_BLOCK = re.compile(r"```(?:diff|patch)?\n(.*?)```", re.DOTALL)
-_DIFF_HEADER = re.compile(r"^diff --git|^---\s+\S+|^\+\+\+\s+\S+", re.MULTILINE)
-
-
-def _build_prompt(event: ErrorEvent, repo: RepoConfig, log_file: Path) -> str:
-    return textwrap.dedent(f"""\
-        You are fixing a production bug in the repository at {repo.local_path}.
-        Repository: {repo.repo_name}
-
-        LOG FILE: {log_file}
-        Read this file first. It contains the last 48h of logs from {event.source} —
-        use it to understand the frequency, surrounding context, and any warnings
-        that preceded this error.
-
-        ERROR fingerprint to fix (from {event.source}):
-        {event.full_text()}
-
-        Task:
-        1. Read the log file above to understand what led up to this error.
-        2. Use your available tools to explore the codebase and identify the root cause.
-        3. Output ONLY a unified diff patch (git diff format) fixing the issue.
-        4. Do not explain. Output only the patch.
-        5. If you cannot determine a safe fix, output: SKIP: <reason>
-    """)
-
-
-def _extract_patch(output: str) -> str | None:
-    m = _DIFF_BLOCK.search(output)
-    if m:
-        return m.group(1).strip()
-    if _DIFF_HEADER.search(output):
-        return output.strip()
-    return None
-
-
-def _validate_patch(patch: str) -> tuple[bool, str]:
-    files_changed = len(re.findall(r"^diff --git", patch, re.MULTILINE))
-    lines_changed = len([
-        l for l in patch.splitlines()
-        if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))
-    ])
-    if files_changed > MAX_FILES_IN_PATCH:
-        return False, f"Patch touches {files_changed} files (limit {MAX_FILES_IN_PATCH})"
-    if lines_changed > MAX_LINES_IN_PATCH:
-        return False, f"Patch changes {lines_changed} lines (limit {MAX_LINES_IN_PATCH})"
-    return True, ""
-
-
-def generate_fix(
-    event: ErrorEvent,
-    repo: RepoConfig,
-    cfg: SentinelConfig,
-    patches_dir: Path,
-) -> tuple[str, Path | None]:
-    """
-    Generate a fix for the given error event.
-
-    Returns:
-        (status, patch_path)
-        status: "patch" | "skip" | "error"
-    """
-    log_file = Path(cfg.workspace_dir) / "fetched" / f"{event.source}.log"
-    prompt = _build_prompt(event, repo, log_file)
-
-    logger.info("Invoking Claude Code for %s (fp=%s)", event.source, event.fingerprint)
-    try:
-        result = subprocess.run(
-            [cfg.claude_code_bin, "--print", prompt],
-            capture_output=True, text=True, timeout=SUBPROCESS_TIMEOUT,
-        )
-    except subprocess.TimeoutExpired:
-        logger.error("Claude Code timed out for %s", event.fingerprint)
-        return "error", None
-    except FileNotFoundError:
-        logger.error("Claude Code binary not found at '%s'", cfg.claude_code_bin)
-        return "error", None
-
-    output = (result.stdout or "") + (result.stderr or "")
-
-    if output.strip().upper().startswith("SKIP:"):
-        reason = output.strip()[5:].strip()
-        logger.info("Claude skipped fix for %s: %s", event.fingerprint, reason)
-        return "skip", None
-
-    patch = _extract_patch(output)
-    if not patch:
-        logger.warning("No patch found in Claude output for %s", event.fingerprint)
-        return "error", None
-
-    ok, reason = _validate_patch(patch)
-    if not ok:
-        logger.warning("Patch rejected for %s: %s", event.fingerprint, reason)
-        return "skip", None
-
-    patches_dir.mkdir(parents=True, exist_ok=True)
-    patch_path = patches_dir / f"{event.fingerprint}.diff"
-    patch_path.write_text(patch, encoding="utf-8")
-    logger.info("Patch written to %s", patch_path)
-    return "patch", patch_path
+"""
+fix_engine.py — Generate code fixes via Claude Code (headless).
+
+Invokes: claude --print "<prompt>" 2>&1
+
+Cairn MCP context is fetched automatically by Claude Code via its MCP tool
+connection — Sentinel does not need to query or inject it explicitly.
+"""
+
+import logging
+import re
+import subprocess
+import textwrap
+from pathlib import Path
+
+from .config_loader import RepoConfig, SentinelConfig
+from .log_parser import ErrorEvent
+
+logger = logging.getLogger(__name__)
+
+SUBPROCESS_TIMEOUT = 120
+MAX_FILES_IN_PATCH = 5
+MAX_LINES_IN_PATCH = 200
+
+_DIFF_BLOCK = re.compile(r"```(?:diff|patch)?\n(.*?)```", re.DOTALL)
+_DIFF_HEADER = re.compile(r"^diff --git|^---\s+\S+|^\+\+\+\s+\S+", re.MULTILINE)
+
+
+def _build_prompt(event: ErrorEvent, repo: RepoConfig, log_file: Path) -> str:
+    return textwrap.dedent(f"""\
+        You are fixing a production bug in the repository at {repo.local_path}.
+        Repository: {repo.repo_name}
+
+        LOG FILE: {log_file}
+        Read this file first. It contains the last 48h of logs from {event.source} —
+        use it to understand the frequency, surrounding context, and any warnings
+        that preceded this error.
+
+        ERROR fingerprint to fix (from {event.source}):
+        {event.full_text()}
+
+        Task:
+        1. Read the log file above to understand what led up to this error.
+        2. Use your available tools to explore the codebase and identify the root cause.
+        3. Output ONLY a unified diff patch (git diff format) fixing the issue.
+        4. Do not explain. Output only the patch.
+        5. If you cannot determine a safe fix, output: SKIP: <reason>
+    """)
+
+
+def _extract_patch(output: str) -> str | None:
+    m = _DIFF_BLOCK.search(output)
+    if m:
+        return m.group(1).strip()
+    if _DIFF_HEADER.search(output):
+        return output.strip()
+    return None
+
+
+def _validate_patch(patch: str) -> tuple[bool, str]:
+    files_changed = len(re.findall(r"^diff --git", patch, re.MULTILINE))
+    lines_changed = len([
+        l for l in patch.splitlines()
+        if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))
+    ])
+    if files_changed > MAX_FILES_IN_PATCH:
+        return False, f"Patch touches {files_changed} files (limit {MAX_FILES_IN_PATCH})"
+    if lines_changed > MAX_LINES_IN_PATCH:
+        return False, f"Patch changes {lines_changed} lines (limit {MAX_LINES_IN_PATCH})"
+    return True, ""
+
+
+def generate_fix(
+    event: ErrorEvent,
+    repo: RepoConfig,
+    cfg: SentinelConfig,
+    patches_dir: Path,
+) -> tuple[str, Path | None]:
+    """
+    Generate a fix for the given error event.
+
+    Returns:
+        (status, patch_path)
+        status: "patch" | "skip" | "error"
+    """
+    log_file = Path(cfg.workspace_dir) / "fetched" / f"{event.source}.log"
+    prompt = _build_prompt(event, repo, log_file)
+
+    logger.info("Invoking Claude Code for %s (fp=%s)", event.source, event.fingerprint)
+    import os as _os
+    env = _os.environ.copy()
+    if cfg.anthropic_api_key:
+        env["ANTHROPIC_API_KEY"] = cfg.anthropic_api_key
+    try:
+        result = subprocess.run(
+            [cfg.claude_code_bin, "--print", prompt],
+            capture_output=True, text=True, timeout=SUBPROCESS_TIMEOUT, env=env,
+        )
+    except subprocess.TimeoutExpired:
+        logger.error("Claude Code timed out for %s", event.fingerprint)
+        return "error", None
+    except FileNotFoundError:
+        logger.error("Claude Code binary not found at '%s'", cfg.claude_code_bin)
+        return "error", None
+
+    output = (result.stdout or "") + (result.stderr or "")
+
+    if output.strip().upper().startswith("SKIP:"):
+        reason = output.strip()[5:].strip()
+        logger.info("Claude skipped fix for %s: %s", event.fingerprint, reason)
+        return "skip", None
+
+    patch = _extract_patch(output)
+    if not patch:
+        logger.warning("No patch found in Claude output for %s", event.fingerprint)
+        return "error", None
+
+    ok, reason = _validate_patch(patch)
+    if not ok:
+        logger.warning("Patch rejected for %s: %s", event.fingerprint, reason)
+        return "skip", None
+
+    patches_dir.mkdir(parents=True, exist_ok=True)
+    patch_path = patches_dir / f"{event.fingerprint}.diff"
+    patch_path.write_text(patch, encoding="utf-8")
+    logger.info("Patch written to %s", patch_path)
+    return "patch", patch_path