npm - @misterhuydo/sentinel - Versions diffs - 1.0.0 → 1.0.2 - Mend

@misterhuydo/sentinel 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/lib/generate.js +20 -4
package/lib/init.js +46 -2
package/package.json +1 -1
package/python/sentinel/config_loader.py +176 -174
package/python/sentinel/fix_engine.py +127 -123

package/lib/generate.js CHANGED Viewed

@@ -5,15 +5,21 @@ const path = require('path');
 // ── Per-project files ─────────────────────────────────────────────────────────
-function writeExampleProject(projectDir, codeDir, pythonBin) {
+function writeExampleProject(projectDir, codeDir, pythonBin, anthropicKey = '') {
   const configDir = path.join(projectDir, 'config', 'log-configs');
   const repoDir   = path.join(projectDir, 'config', 'repo-configs');
   fs.ensureDirSync(configDir);
   fs.ensureDirSync(repoDir);
-  // Copy example config templates from bundled python/
   const tplDir = path.join(__dirname, '..', 'templates');
-  fs.copySync(path.join(tplDir, 'sentinel.properties'),     path.join(projectDir, 'config', 'sentinel.properties'));
+  // Inject API key into sentinel.properties if provided
+  let sentinelProps = fs.readFileSync(path.join(tplDir, 'sentinel.properties'), 'utf8');
+  if (anthropicKey) {
+    sentinelProps += `\n# Anthropic API key for Claude Code (headless server auth)\nANTHROPIC_API_KEY=${anthropicKey}\n`;
+  } else {
+    sentinelProps += `\n# Anthropic API key — set this if using API key auth, or leave blank for OAuth\n# ANTHROPIC_API_KEY=sk-ant-...\n`;
+  }
+  fs.writeFileSync(path.join(projectDir, 'config', 'sentinel.properties'), sentinelProps);
   fs.copySync(path.join(tplDir, 'log-configs', '_example.properties'), path.join(configDir, '_example.properties'));
   fs.copySync(path.join(tplDir, 'repo-configs', '_example.properties'), path.join(repoDir,   '_example.properties'));
@@ -25,7 +31,17 @@ function generateProjectScripts(projectDir, codeDir, pythonBin) {
   // init.sh
   fs.writeFileSync(path.join(projectDir, 'init.sh'), `#!/usr/bin/env bash
-# First-time setup: clone repos, test SSH, send test email
+# First-time setup for this Sentinel project instance.
+#
+# What this does:
+#   - Clones any repos defined in config/repo-configs/ that don't exist locally yet
+#     (skips repos that are already cloned — safe to run multiple times)
+#   - Indexes each repo with Cairn MCP for codebase context
+#   - Tests SSH connectivity to each configured log source
+#   - Sends a test email to verify SMTP settings
+#
+# Note: ongoing repo management (git pull, conflict resolution) is handled
+# automatically by Sentinel on each fix cycle — you don't need to do it manually.
 set -euo pipefail
 cd "$(dirname "$0")"
 PYTHONPATH="${codeDir}" "${pythonBin}" -m sentinel.main --config ./config --init

package/lib/init.js CHANGED Viewed

@@ -23,6 +23,22 @@ module.exports = async function init() {
       initial: path.join(os.homedir(), 'sentinel'),
       format: v => v.replace(/^~/, os.homedir()),
     },
+    {
+      type: 'select',
+      name: 'authMode',
+      message: 'How will Claude Code authenticate?',
+      choices: [
+        { title: 'API key  (Anthropic API account — recommended for servers)', value: 'apikey' },
+        { title: 'Claude Pro / OAuth  (will give you a URL to open in any browser)', value: 'oauth' },
+        { title: 'Skip  (I will configure this later)', value: 'skip' },
+      ],
+    },
+    {
+      type: prev => prev === 'apikey' ? 'password' : null,
+      name: 'anthropicKey',
+      message: 'Anthropic API key (sk-ant-...)',
+      validate: v => v.startsWith('sk-ant-') ? true : 'Key should start with sk-ant-',
+    },
     {
       type: 'confirm',
       name: 'example',
@@ -37,7 +53,7 @@ module.exports = async function init() {
     },
   ], { onCancel: () => process.exit(0) });
-  const { workspace, example, systemd } = answers;
+  const { workspace, authMode, anthropicKey, example, systemd } = answers;
   const codeDir = path.join(workspace, 'code');
   // ── Python ──────────────────────────────────────────────────────────────────
@@ -80,6 +96,26 @@ module.exports = async function init() {
   installNpmGlobal('@misterhuydo/cairn-mcp', 'cairn');
   installNpmGlobal('@anthropic-ai/claude-code', 'claude');
+  // ── Claude Code auth ─────────────────────────────────────────────────────────
+  step('Claude Code authentication…');
+  if (authMode === 'apikey' && anthropicKey) {
+    ok('API key will be written to each project\'s sentinel.properties');
+  } else if (authMode === 'oauth') {
+    console.log(chalk.yellow(
+      '\n  Claude Code OAuth requires an interactive step.\n' +
+      '  After setup completes, run this command on the server:\n\n' +
+      chalk.bold('      claude\n\n') +
+      '  It will print a URL like:\n' +
+      '    https://claude.ai/oauth/authorize?...\n\n' +
+      '  Open that URL in any browser, log in with your Claude Pro account,\n' +
+      '  and the server will be authenticated. The token is stored in ~/.claude/\n' +
+      '  and persists across restarts.\n'
+    ));
+    warn('OAuth not completed yet — run "claude" after setup to authenticate');
+  } else {
+    warn('Skipping auth — set ANTHROPIC_API_KEY in sentinel.properties or run "claude" to authenticate');
+  }
   // ── Workspace structure ─────────────────────────────────────────────────────
   step('Creating workspace…');
   fs.ensureDirSync(workspace);
@@ -89,7 +125,7 @@ module.exports = async function init() {
   if (example) {
     step('Creating example project…');
     const exampleDir = path.join(workspace, 'my-project');
-    writeExampleProject(exampleDir, codeDir, pythonBin);
+    writeExampleProject(exampleDir, codeDir, pythonBin, anthropicKey || '');
     ok(`Example project: ${exampleDir}`);
   }
@@ -132,6 +168,14 @@ module.exports = async function init() {
      ${chalk.cyan('journalctl -u sentinel -f')}
 `);
   }
+  if (authMode === 'oauth') {
+    console.log(
+      chalk.bold.yellow('  ⚠ Complete Claude Code login now:\n') +
+      `     ${chalk.bold.cyan('claude')}\n` +
+      '     Open the URL it prints in any browser → log in with Claude Pro.\n'
+    );
+  }
   console.log(`  Add another project anytime:
      ${chalk.cyan('sentinel add <project-name>')}
 `);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/config_loader.py CHANGED Viewed

@@ -1,174 +1,176 @@
-"""
-config_loader.py — Load and hot-reload all .properties config files.
-"""
-import logging
-import signal
-from dataclasses import dataclass, field
-from pathlib import Path
-from typing import Optional
-logger = logging.getLogger(__name__)
-def _parse_properties(path: str) -> dict[str, str]:
-    result = {}
-    with open(path, encoding="utf-8") as f:
-        for raw in f:
-            line = raw.strip()
-            if not line or line.startswith("#"):
-                continue
-            if "=" not in line:
-                continue
-            key, _, val = line.partition("=")
-            key = key.strip()
-            val = val.partition("#")[0].strip()
-            if key:
-                result[key] = val
-    return result
-def _csv(val: str) -> list[str]:
-    return [v.strip() for v in val.split(",") if v.strip()]
-# ── Typed config objects ──────────────────────────────────────────────────────
-@dataclass
-class SentinelConfig:
-    poll_interval_seconds: int = 120
-    smtp_host: str = ""
-    smtp_port: int = 587
-    smtp_user: str = ""
-    smtp_password: str = ""
-    report_recipients: list[str] = field(default_factory=list)
-    report_interval_hours: int = 6
-    state_db: str = "./sentinel.db"
-    workspace_dir: str = "./workspace"
-    claude_code_bin: str = "claude"
-    github_token: str = ""
-    fix_confidence_threshold: float = 0.7
-    log_retention_hours: int = 48
-@dataclass
-class LogSourceConfig:
-    name: str = ""        # derived from filename stem
-    source_type: str = "ssh"
-    # SSH
-    key: str = ""
-    hosts: list[str] = field(default_factory=list)
-    logs: list[str] = field(default_factory=list)
-    remote_service_user: str = ""
-    grep_filter: str = ""
-    grep_exclude: str = ""
-    tail: Optional[int] = None
-    head: Optional[int] = None
-    # Cloudflare
-    cf_url: str = ""
-    cf_token: str = ""
-@dataclass
-class RepoConfig:
-    repo_name: str = ""   # derived from filename stem
-    repo_url: str = ""
-    local_path: str = ""
-    branch: str = "main"
-    auto_publish: bool = False
-    cicd_type: str = ""
-    cicd_job_url: str = ""
-    cicd_token: str = ""
-# ── Loader ────────────────────────────────────────────────────────────────────
-class ConfigLoader:
-    def __init__(self, config_dir: str = "./config"):
-        self.config_dir = Path(config_dir)
-        self.sentinel: SentinelConfig = SentinelConfig()
-        self.log_sources: dict[str, LogSourceConfig] = {}
-        self.repos: dict[str, RepoConfig] = {}
-        self.load()
-        self._register_sighup()
-    def load(self):
-        self._load_sentinel()
-        self._load_log_sources()
-        self._load_repos()
-        logger.info(
-            "Config loaded: %d log-config(s), %d repo-config(s)",
-            len(self.log_sources), len(self.repos),
-        )
-    def _load_sentinel(self):
-        path = self.config_dir / "sentinel.properties"
-        if not path.exists():
-            logger.warning("sentinel.properties not found at %s", path)
-            return
-        d = _parse_properties(str(path))
-        c = SentinelConfig()
-        c.poll_interval_seconds = int(d.get("POLL_INTERVAL_SECONDS", 120))
-        c.smtp_host = d.get("SMTP_HOST", "")
-        c.smtp_port = int(d.get("SMTP_PORT", 587))
-        c.smtp_user = d.get("SMTP_USER", "")
-        c.smtp_password = d.get("SMTP_PASSWORD", "")
-        c.report_recipients = _csv(d.get("REPORT_RECIPIENTS", ""))
-        c.report_interval_hours = int(d.get("REPORT_INTERVAL_HOURS", 6))
-        c.state_db = d.get("STATE_DB", "./sentinel.db")
-        c.workspace_dir = d.get("WORKSPACE_DIR", "./workspace")
-        c.claude_code_bin = d.get("CLAUDE_CODE_BIN", "claude")
-        c.github_token = d.get("GITHUB_TOKEN", "")
-        c.fix_confidence_threshold = float(d.get("FIX_CONFIDENCE_THRESHOLD", 0.7))
-        c.log_retention_hours = int(d.get("LOG_RETENTION_HOURS", 48))
-        self.sentinel = c
-    def _load_log_sources(self):
-        sources_dir = self.config_dir / "log-configs"
-        if not sources_dir.exists():
-            return
-        self.log_sources = {}
-        for path in sorted(sources_dir.glob("*.properties")):
-            d = _parse_properties(str(path))
-            s = LogSourceConfig()
-            s.name = path.stem
-            s.source_type = d.get("SOURCE_TYPE", "ssh").lower()
-            s.key = d.get("KEY", "")
-            s.hosts = _csv(d.get("HOSTS", ""))
-            s.logs = _csv(d.get("LOGS", ""))
-            s.remote_service_user = d.get("REMOTE_SERVICE_USER", path.stem)
-            s.grep_filter = d.get("GREP_FILTER", "")
-            s.grep_exclude = d.get("GREP_EXCLUDE", "")
-            s.tail = int(d["TAIL"]) if "TAIL" in d else None
-            s.head = int(d["HEAD"]) if "HEAD" in d else None
-            s.cf_url = d.get("CF_URL", "")
-            s.cf_token = d.get("CF_TOKEN", "")
-            self.log_sources[s.name] = s
-    def _load_repos(self):
-        repos_dir = self.config_dir / "repo-configs"
-        if not repos_dir.exists():
-            return
-        self.repos = {}
-        for path in sorted(repos_dir.glob("*.properties")):
-            d = _parse_properties(str(path))
-            r = RepoConfig()
-            r.repo_name = path.stem
-            r.repo_url = d.get("REPO_URL", "")
-            r.local_path = d.get("LOCAL_PATH", "")
-            r.branch = d.get("BRANCH", "main")
-            r.auto_publish = d.get("AUTO_PUBLISH", "false").lower() == "true"
-            r.cicd_type = d.get("CICD_TYPE", "")
-            r.cicd_job_url = d.get("CICD_JOB_URL", "")
-            r.cicd_token = d.get("CICD_TOKEN", "")
-            self.repos[r.repo_name] = r
-    def _register_sighup(self):
-        try:
-            signal.signal(signal.SIGHUP, self._on_sighup)
-        except (OSError, AttributeError):
-            pass
-    def _on_sighup(self, *_):
-        logger.info("SIGHUP received — reloading config")
-        self.load()
+"""
+config_loader.py — Load and hot-reload all .properties config files.
+"""
+import logging
+import signal
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Optional
+logger = logging.getLogger(__name__)
+def _parse_properties(path: str) -> dict[str, str]:
+    result = {}
+    with open(path, encoding="utf-8") as f:
+        for raw in f:
+            line = raw.strip()
+            if not line or line.startswith("#"):
+                continue
+            if "=" not in line:
+                continue
+            key, _, val = line.partition("=")
+            key = key.strip()
+            val = val.partition("#")[0].strip()
+            if key:
+                result[key] = val
+    return result
+def _csv(val: str) -> list[str]:
+    return [v.strip() for v in val.split(",") if v.strip()]
+# ── Typed config objects ──────────────────────────────────────────────────────
+@dataclass
+class SentinelConfig:
+    poll_interval_seconds: int = 120
+    smtp_host: str = ""
+    smtp_port: int = 587
+    smtp_user: str = ""
+    smtp_password: str = ""
+    report_recipients: list[str] = field(default_factory=list)
+    report_interval_hours: int = 6
+    state_db: str = "./sentinel.db"
+    workspace_dir: str = "./workspace"
+    claude_code_bin: str = "claude"
+    github_token: str = ""
+    fix_confidence_threshold: float = 0.7
+    log_retention_hours: int = 48
+    anthropic_api_key: str = ""
+@dataclass
+class LogSourceConfig:
+    name: str = ""        # derived from filename stem
+    source_type: str = "ssh"
+    # SSH
+    key: str = ""
+    hosts: list[str] = field(default_factory=list)
+    logs: list[str] = field(default_factory=list)
+    remote_service_user: str = ""
+    grep_filter: str = ""
+    grep_exclude: str = ""
+    tail: Optional[int] = None
+    head: Optional[int] = None
+    # Cloudflare
+    cf_url: str = ""
+    cf_token: str = ""
+@dataclass
+class RepoConfig:
+    repo_name: str = ""   # derived from filename stem
+    repo_url: str = ""
+    local_path: str = ""
+    branch: str = "main"
+    auto_publish: bool = False
+    cicd_type: str = ""
+    cicd_job_url: str = ""
+    cicd_token: str = ""
+# ── Loader ────────────────────────────────────────────────────────────────────
+class ConfigLoader:
+    def __init__(self, config_dir: str = "./config"):
+        self.config_dir = Path(config_dir)
+        self.sentinel: SentinelConfig = SentinelConfig()
+        self.log_sources: dict[str, LogSourceConfig] = {}
+        self.repos: dict[str, RepoConfig] = {}
+        self.load()
+        self._register_sighup()
+    def load(self):
+        self._load_sentinel()
+        self._load_log_sources()
+        self._load_repos()
+        logger.info(
+            "Config loaded: %d log-config(s), %d repo-config(s)",
+            len(self.log_sources), len(self.repos),
+        )
+    def _load_sentinel(self):
+        path = self.config_dir / "sentinel.properties"
+        if not path.exists():
+            logger.warning("sentinel.properties not found at %s", path)
+            return
+        d = _parse_properties(str(path))
+        c = SentinelConfig()
+        c.poll_interval_seconds = int(d.get("POLL_INTERVAL_SECONDS", 120))
+        c.smtp_host = d.get("SMTP_HOST", "")
+        c.smtp_port = int(d.get("SMTP_PORT", 587))
+        c.smtp_user = d.get("SMTP_USER", "")
+        c.smtp_password = d.get("SMTP_PASSWORD", "")
+        c.report_recipients = _csv(d.get("REPORT_RECIPIENTS", ""))
+        c.report_interval_hours = int(d.get("REPORT_INTERVAL_HOURS", 6))
+        c.state_db = d.get("STATE_DB", "./sentinel.db")
+        c.workspace_dir = d.get("WORKSPACE_DIR", "./workspace")
+        c.claude_code_bin = d.get("CLAUDE_CODE_BIN", "claude")
+        c.github_token = d.get("GITHUB_TOKEN", "")
+        c.fix_confidence_threshold = float(d.get("FIX_CONFIDENCE_THRESHOLD", 0.7))
+        c.log_retention_hours = int(d.get("LOG_RETENTION_HOURS", 48))
+        c.anthropic_api_key = d.get("ANTHROPIC_API_KEY", "")
+        self.sentinel = c
+    def _load_log_sources(self):
+        sources_dir = self.config_dir / "log-configs"
+        if not sources_dir.exists():
+            return
+        self.log_sources = {}
+        for path in sorted(sources_dir.glob("*.properties")):
+            d = _parse_properties(str(path))
+            s = LogSourceConfig()
+            s.name = path.stem
+            s.source_type = d.get("SOURCE_TYPE", "ssh").lower()
+            s.key = d.get("KEY", "")
+            s.hosts = _csv(d.get("HOSTS", ""))
+            s.logs = _csv(d.get("LOGS", ""))
+            s.remote_service_user = d.get("REMOTE_SERVICE_USER", path.stem)
+            s.grep_filter = d.get("GREP_FILTER", "")
+            s.grep_exclude = d.get("GREP_EXCLUDE", "")
+            s.tail = int(d["TAIL"]) if "TAIL" in d else None
+            s.head = int(d["HEAD"]) if "HEAD" in d else None
+            s.cf_url = d.get("CF_URL", "")
+            s.cf_token = d.get("CF_TOKEN", "")
+            self.log_sources[s.name] = s
+    def _load_repos(self):
+        repos_dir = self.config_dir / "repo-configs"
+        if not repos_dir.exists():
+            return
+        self.repos = {}
+        for path in sorted(repos_dir.glob("*.properties")):
+            d = _parse_properties(str(path))
+            r = RepoConfig()
+            r.repo_name = path.stem
+            r.repo_url = d.get("REPO_URL", "")
+            r.local_path = d.get("LOCAL_PATH", "")
+            r.branch = d.get("BRANCH", "main")
+            r.auto_publish = d.get("AUTO_PUBLISH", "false").lower() == "true"
+            r.cicd_type = d.get("CICD_TYPE", "")
+            r.cicd_job_url = d.get("CICD_JOB_URL", "")
+            r.cicd_token = d.get("CICD_TOKEN", "")
+            self.repos[r.repo_name] = r
+    def _register_sighup(self):
+        try:
+            signal.signal(signal.SIGHUP, self._on_sighup)
+        except (OSError, AttributeError):
+            pass
+    def _on_sighup(self, *_):
+        logger.info("SIGHUP received — reloading config")
+        self.load()

package/python/sentinel/fix_engine.py CHANGED Viewed

@@ -1,123 +1,127 @@
-"""
-fix_engine.py — Generate code fixes via Claude Code (headless).
-Invokes: claude --print "<prompt>" 2>&1
-Cairn MCP context is fetched automatically by Claude Code via its MCP tool
-connection — Sentinel does not need to query or inject it explicitly.
-"""
-import logging
-import re
-import subprocess
-import textwrap
-from pathlib import Path
-from .config_loader import RepoConfig, SentinelConfig
-from .log_parser import ErrorEvent
-logger = logging.getLogger(__name__)
-SUBPROCESS_TIMEOUT = 120
-MAX_FILES_IN_PATCH = 5
-MAX_LINES_IN_PATCH = 200
-_DIFF_BLOCK = re.compile(r"```(?:diff|patch)?\n(.*?)```", re.DOTALL)
-_DIFF_HEADER = re.compile(r"^diff --git|^---\s+\S+|^\+\+\+\s+\S+", re.MULTILINE)
-def _build_prompt(event: ErrorEvent, repo: RepoConfig, log_file: Path) -> str:
-    return textwrap.dedent(f"""\
-        You are fixing a production bug in the repository at {repo.local_path}.
-        Repository: {repo.repo_name}
-        LOG FILE: {log_file}
-        Read this file first. It contains the last 48h of logs from {event.source} —
-        use it to understand the frequency, surrounding context, and any warnings
-        that preceded this error.
-        ERROR fingerprint to fix (from {event.source}):
-        {event.full_text()}
-        Task:
-        1. Read the log file above to understand what led up to this error.
-        2. Use your available tools to explore the codebase and identify the root cause.
-        3. Output ONLY a unified diff patch (git diff format) fixing the issue.
-        4. Do not explain. Output only the patch.
-        5. If you cannot determine a safe fix, output: SKIP: <reason>
-    """)
-def _extract_patch(output: str) -> str | None:
-    m = _DIFF_BLOCK.search(output)
-    if m:
-        return m.group(1).strip()
-    if _DIFF_HEADER.search(output):
-        return output.strip()
-    return None
-def _validate_patch(patch: str) -> tuple[bool, str]:
-    files_changed = len(re.findall(r"^diff --git", patch, re.MULTILINE))
-    lines_changed = len([
-        l for l in patch.splitlines()
-        if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))
-    ])
-    if files_changed > MAX_FILES_IN_PATCH:
-        return False, f"Patch touches {files_changed} files (limit {MAX_FILES_IN_PATCH})"
-    if lines_changed > MAX_LINES_IN_PATCH:
-        return False, f"Patch changes {lines_changed} lines (limit {MAX_LINES_IN_PATCH})"
-    return True, ""
-def generate_fix(
-    event: ErrorEvent,
-    repo: RepoConfig,
-    cfg: SentinelConfig,
-    patches_dir: Path,
-) -> tuple[str, Path | None]:
-    """
-    Generate a fix for the given error event.
-    Returns:
-        (status, patch_path)
-        status: "patch" | "skip" | "error"
-    """
-    log_file = Path(cfg.workspace_dir) / "fetched" / f"{event.source}.log"
-    prompt = _build_prompt(event, repo, log_file)
-    logger.info("Invoking Claude Code for %s (fp=%s)", event.source, event.fingerprint)
-    try:
-        result = subprocess.run(
-            [cfg.claude_code_bin, "--print", prompt],
-            capture_output=True, text=True, timeout=SUBPROCESS_TIMEOUT,
-        )
-    except subprocess.TimeoutExpired:
-        logger.error("Claude Code timed out for %s", event.fingerprint)
-        return "error", None
-    except FileNotFoundError:
-        logger.error("Claude Code binary not found at '%s'", cfg.claude_code_bin)
-        return "error", None
-    output = (result.stdout or "") + (result.stderr or "")
-    if output.strip().upper().startswith("SKIP:"):
-        reason = output.strip()[5:].strip()
-        logger.info("Claude skipped fix for %s: %s", event.fingerprint, reason)
-        return "skip", None
-    patch = _extract_patch(output)
-    if not patch:
-        logger.warning("No patch found in Claude output for %s", event.fingerprint)
-        return "error", None
-    ok, reason = _validate_patch(patch)
-    if not ok:
-        logger.warning("Patch rejected for %s: %s", event.fingerprint, reason)
-        return "skip", None
-    patches_dir.mkdir(parents=True, exist_ok=True)
-    patch_path = patches_dir / f"{event.fingerprint}.diff"
-    patch_path.write_text(patch, encoding="utf-8")
-    logger.info("Patch written to %s", patch_path)
-    return "patch", patch_path
+"""
+fix_engine.py — Generate code fixes via Claude Code (headless).
+Invokes: claude --print "<prompt>" 2>&1
+Cairn MCP context is fetched automatically by Claude Code via its MCP tool
+connection — Sentinel does not need to query or inject it explicitly.
+"""
+import logging
+import re
+import subprocess
+import textwrap
+from pathlib import Path
+from .config_loader import RepoConfig, SentinelConfig
+from .log_parser import ErrorEvent
+logger = logging.getLogger(__name__)
+SUBPROCESS_TIMEOUT = 120
+MAX_FILES_IN_PATCH = 5
+MAX_LINES_IN_PATCH = 200
+_DIFF_BLOCK = re.compile(r"```(?:diff|patch)?\n(.*?)```", re.DOTALL)
+_DIFF_HEADER = re.compile(r"^diff --git|^---\s+\S+|^\+\+\+\s+\S+", re.MULTILINE)
+def _build_prompt(event: ErrorEvent, repo: RepoConfig, log_file: Path) -> str:
+    return textwrap.dedent(f"""\
+        You are fixing a production bug in the repository at {repo.local_path}.
+        Repository: {repo.repo_name}
+        LOG FILE: {log_file}
+        Read this file first. It contains the last 48h of logs from {event.source} —
+        use it to understand the frequency, surrounding context, and any warnings
+        that preceded this error.
+        ERROR fingerprint to fix (from {event.source}):
+        {event.full_text()}
+        Task:
+        1. Read the log file above to understand what led up to this error.
+        2. Use your available tools to explore the codebase and identify the root cause.
+        3. Output ONLY a unified diff patch (git diff format) fixing the issue.
+        4. Do not explain. Output only the patch.
+        5. If you cannot determine a safe fix, output: SKIP: <reason>
+    """)
+def _extract_patch(output: str) -> str | None:
+    m = _DIFF_BLOCK.search(output)
+    if m:
+        return m.group(1).strip()
+    if _DIFF_HEADER.search(output):
+        return output.strip()
+    return None
+def _validate_patch(patch: str) -> tuple[bool, str]:
+    files_changed = len(re.findall(r"^diff --git", patch, re.MULTILINE))
+    lines_changed = len([
+        l for l in patch.splitlines()
+        if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))
+    ])
+    if files_changed > MAX_FILES_IN_PATCH:
+        return False, f"Patch touches {files_changed} files (limit {MAX_FILES_IN_PATCH})"
+    if lines_changed > MAX_LINES_IN_PATCH:
+        return False, f"Patch changes {lines_changed} lines (limit {MAX_LINES_IN_PATCH})"
+    return True, ""
+def generate_fix(
+    event: ErrorEvent,
+    repo: RepoConfig,
+    cfg: SentinelConfig,
+    patches_dir: Path,
+) -> tuple[str, Path | None]:
+    """
+    Generate a fix for the given error event.
+    Returns:
+        (status, patch_path)
+        status: "patch" | "skip" | "error"
+    """
+    log_file = Path(cfg.workspace_dir) / "fetched" / f"{event.source}.log"
+    prompt = _build_prompt(event, repo, log_file)
+    logger.info("Invoking Claude Code for %s (fp=%s)", event.source, event.fingerprint)
+    import os as _os
+    env = _os.environ.copy()
+    if cfg.anthropic_api_key:
+        env["ANTHROPIC_API_KEY"] = cfg.anthropic_api_key
+    try:
+        result = subprocess.run(
+            [cfg.claude_code_bin, "--print", prompt],
+            capture_output=True, text=True, timeout=SUBPROCESS_TIMEOUT, env=env,
+        )
+    except subprocess.TimeoutExpired:
+        logger.error("Claude Code timed out for %s", event.fingerprint)
+        return "error", None
+    except FileNotFoundError:
+        logger.error("Claude Code binary not found at '%s'", cfg.claude_code_bin)
+        return "error", None
+    output = (result.stdout or "") + (result.stderr or "")
+    if output.strip().upper().startswith("SKIP:"):
+        reason = output.strip()[5:].strip()
+        logger.info("Claude skipped fix for %s: %s", event.fingerprint, reason)
+        return "skip", None
+    patch = _extract_patch(output)
+    if not patch:
+        logger.warning("No patch found in Claude output for %s", event.fingerprint)
+        return "error", None
+    ok, reason = _validate_patch(patch)
+    if not ok:
+        logger.warning("Patch rejected for %s: %s", event.fingerprint, reason)
+        return "skip", None
+    patches_dir.mkdir(parents=True, exist_ok=True)
+    patch_path = patches_dir / f"{event.fingerprint}.diff"
+    patch_path.write_text(patch, encoding="utf-8")
+    logger.info("Patch written to %s", patch_path)
+    return "patch", patch_path