@misterhuydo/sentinel 1.0.0

package/python/sentinel/config_loader.py

@@ -0,0 +1,174 @@
+"""
+config_loader.py — Load and hot-reload all .properties config files.
+"""
+
+import logging
+import signal
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Optional
+
+logger = logging.getLogger(__name__)
+
+
+def _parse_properties(path: str) -> dict[str, str]:
+    result = {}
+    with open(path, encoding="utf-8") as f:
+        for raw in f:
+            line = raw.strip()
+            if not line or line.startswith("#"):
+                continue
+            if "=" not in line:
+                continue
+            key, _, val = line.partition("=")
+            key = key.strip()
+            val = val.partition("#")[0].strip()
+            if key:
+                result[key] = val
+    return result
+
+
+def _csv(val: str) -> list[str]:
+    return [v.strip() for v in val.split(",") if v.strip()]
+
+
+# ── Typed config objects ──────────────────────────────────────────────────────
+
+@dataclass
+class SentinelConfig:
+    poll_interval_seconds: int = 120
+    smtp_host: str = ""
+    smtp_port: int = 587
+    smtp_user: str = ""
+    smtp_password: str = ""
+    report_recipients: list[str] = field(default_factory=list)
+    report_interval_hours: int = 6
+    state_db: str = "./sentinel.db"
+    workspace_dir: str = "./workspace"
+    claude_code_bin: str = "claude"
+    github_token: str = ""
+    fix_confidence_threshold: float = 0.7
+    log_retention_hours: int = 48
+
+
+@dataclass
+class LogSourceConfig:
+    name: str = ""        # derived from filename stem
+    source_type: str = "ssh"
+    # SSH
+    key: str = ""
+    hosts: list[str] = field(default_factory=list)
+    logs: list[str] = field(default_factory=list)
+    remote_service_user: str = ""
+    grep_filter: str = ""
+    grep_exclude: str = ""
+    tail: Optional[int] = None
+    head: Optional[int] = None
+    # Cloudflare
+    cf_url: str = ""
+    cf_token: str = ""
+
+
+@dataclass
+class RepoConfig:
+    repo_name: str = ""   # derived from filename stem
+    repo_url: str = ""
+    local_path: str = ""
+    branch: str = "main"
+    auto_publish: bool = False
+    cicd_type: str = ""
+    cicd_job_url: str = ""
+    cicd_token: str = ""
+
+
+# ── Loader ────────────────────────────────────────────────────────────────────
+
+class ConfigLoader:
+    def __init__(self, config_dir: str = "./config"):
+        self.config_dir = Path(config_dir)
+        self.sentinel: SentinelConfig = SentinelConfig()
+        self.log_sources: dict[str, LogSourceConfig] = {}
+        self.repos: dict[str, RepoConfig] = {}
+        self.load()
+        self._register_sighup()
+
+    def load(self):
+        self._load_sentinel()
+        self._load_log_sources()
+        self._load_repos()
+        logger.info(
+            "Config loaded: %d log-config(s), %d repo-config(s)",
+            len(self.log_sources), len(self.repos),
+        )
+
+    def _load_sentinel(self):
+        path = self.config_dir / "sentinel.properties"
+        if not path.exists():
+            logger.warning("sentinel.properties not found at %s", path)
+            return
+        d = _parse_properties(str(path))
+        c = SentinelConfig()
+        c.poll_interval_seconds = int(d.get("POLL_INTERVAL_SECONDS", 120))
+        c.smtp_host = d.get("SMTP_HOST", "")
+        c.smtp_port = int(d.get("SMTP_PORT", 587))
+        c.smtp_user = d.get("SMTP_USER", "")
+        c.smtp_password = d.get("SMTP_PASSWORD", "")
+        c.report_recipients = _csv(d.get("REPORT_RECIPIENTS", ""))
+        c.report_interval_hours = int(d.get("REPORT_INTERVAL_HOURS", 6))
+        c.state_db = d.get("STATE_DB", "./sentinel.db")
+        c.workspace_dir = d.get("WORKSPACE_DIR", "./workspace")
+        c.claude_code_bin = d.get("CLAUDE_CODE_BIN", "claude")
+        c.github_token = d.get("GITHUB_TOKEN", "")
+        c.fix_confidence_threshold = float(d.get("FIX_CONFIDENCE_THRESHOLD", 0.7))
+        c.log_retention_hours = int(d.get("LOG_RETENTION_HOURS", 48))
+        self.sentinel = c
+
+    def _load_log_sources(self):
+        sources_dir = self.config_dir / "log-configs"
+        if not sources_dir.exists():
+            return
+        self.log_sources = {}
+        for path in sorted(sources_dir.glob("*.properties")):
+            d = _parse_properties(str(path))
+            s = LogSourceConfig()
+            s.name = path.stem
+            s.source_type = d.get("SOURCE_TYPE", "ssh").lower()
+            s.key = d.get("KEY", "")
+            s.hosts = _csv(d.get("HOSTS", ""))
+            s.logs = _csv(d.get("LOGS", ""))
+            s.remote_service_user = d.get("REMOTE_SERVICE_USER", path.stem)
+            s.grep_filter = d.get("GREP_FILTER", "")
+            s.grep_exclude = d.get("GREP_EXCLUDE", "")
+            s.tail = int(d["TAIL"]) if "TAIL" in d else None
+            s.head = int(d["HEAD"]) if "HEAD" in d else None
+            s.cf_url = d.get("CF_URL", "")
+            s.cf_token = d.get("CF_TOKEN", "")
+            self.log_sources[s.name] = s
+
+    def _load_repos(self):
+        repos_dir = self.config_dir / "repo-configs"
+        if not repos_dir.exists():
+            return
+        self.repos = {}
+        for path in sorted(repos_dir.glob("*.properties")):
+            d = _parse_properties(str(path))
+            r = RepoConfig()
+            r.repo_name = path.stem
+            r.repo_url = d.get("REPO_URL", "")
+            r.local_path = d.get("LOCAL_PATH", "")
+            r.branch = d.get("BRANCH", "main")
+            r.auto_publish = d.get("AUTO_PUBLISH", "false").lower() == "true"
+            r.cicd_type = d.get("CICD_TYPE", "")
+            r.cicd_job_url = d.get("CICD_JOB_URL", "")
+            r.cicd_token = d.get("CICD_TOKEN", "")
+            self.repos[r.repo_name] = r
+
+    def _register_sighup(self):
+        try:
+            signal.signal(signal.SIGHUP, self._on_sighup)
+        except (OSError, AttributeError):
+            pass
+
+    def _on_sighup(self, *_):
+        logger.info("SIGHUP received — reloading config")
+        self.load()

package/python/sentinel/fix_engine.py

@@ -0,0 +1,123 @@
+"""
+fix_engine.py — Generate code fixes via Claude Code (headless).
+
+Invokes: claude --print "<prompt>" 2>&1
+
+Cairn MCP context is fetched automatically by Claude Code via its MCP tool
+connection — Sentinel does not need to query or inject it explicitly.
+"""
+
+import logging
+import re
+import subprocess
+import textwrap
+from pathlib import Path
+
+from .config_loader import RepoConfig, SentinelConfig
+from .log_parser import ErrorEvent
+
+logger = logging.getLogger(__name__)
+
+SUBPROCESS_TIMEOUT = 120
+MAX_FILES_IN_PATCH = 5
+MAX_LINES_IN_PATCH = 200
+
+_DIFF_BLOCK = re.compile(r"```(?:diff|patch)?\n(.*?)```", re.DOTALL)
+_DIFF_HEADER = re.compile(r"^diff --git|^---\s+\S+|^\+\+\+\s+\S+", re.MULTILINE)
+
+
+def _build_prompt(event: ErrorEvent, repo: RepoConfig, log_file: Path) -> str:
+    return textwrap.dedent(f"""\
+        You are fixing a production bug in the repository at {repo.local_path}.
+        Repository: {repo.repo_name}
+
+        LOG FILE: {log_file}
+        Read this file first. It contains the last 48h of logs from {event.source} —
+        use it to understand the frequency, surrounding context, and any warnings
+        that preceded this error.
+
+        ERROR fingerprint to fix (from {event.source}):
+        {event.full_text()}
+
+        Task:
+        1. Read the log file above to understand what led up to this error.
+        2. Use your available tools to explore the codebase and identify the root cause.
+        3. Output ONLY a unified diff patch (git diff format) fixing the issue.
+        4. Do not explain. Output only the patch.
+        5. If you cannot determine a safe fix, output: SKIP: <reason>
+    """)
+
+
+def _extract_patch(output: str) -> str | None:
+    m = _DIFF_BLOCK.search(output)
+    if m:
+        return m.group(1).strip()
+    if _DIFF_HEADER.search(output):
+        return output.strip()
+    return None
+
+
+def _validate_patch(patch: str) -> tuple[bool, str]:
+    files_changed = len(re.findall(r"^diff --git", patch, re.MULTILINE))
+    lines_changed = len([
+        l for l in patch.splitlines()
+        if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))
+    ])
+    if files_changed > MAX_FILES_IN_PATCH:
+        return False, f"Patch touches {files_changed} files (limit {MAX_FILES_IN_PATCH})"
+    if lines_changed > MAX_LINES_IN_PATCH:
+        return False, f"Patch changes {lines_changed} lines (limit {MAX_LINES_IN_PATCH})"
+    return True, ""
+
+
+def generate_fix(
+    event: ErrorEvent,
+    repo: RepoConfig,
+    cfg: SentinelConfig,
+    patches_dir: Path,
+) -> tuple[str, Path | None]:
+    """
+    Generate a fix for the given error event.
+
+    Returns:
+        (status, patch_path)
+        status: "patch" | "skip" | "error"
+    """
+    log_file = Path(cfg.workspace_dir) / "fetched" / f"{event.source}.log"
+    prompt = _build_prompt(event, repo, log_file)
+
+    logger.info("Invoking Claude Code for %s (fp=%s)", event.source, event.fingerprint)
+    try:
+        result = subprocess.run(
+            [cfg.claude_code_bin, "--print", prompt],
+            capture_output=True, text=True, timeout=SUBPROCESS_TIMEOUT,
+        )
+    except subprocess.TimeoutExpired:
+        logger.error("Claude Code timed out for %s", event.fingerprint)
+        return "error", None
+    except FileNotFoundError:
+        logger.error("Claude Code binary not found at '%s'", cfg.claude_code_bin)
+        return "error", None
+
+    output = (result.stdout or "") + (result.stderr or "")
+
+    if output.strip().upper().startswith("SKIP:"):
+        reason = output.strip()[5:].strip()
+        logger.info("Claude skipped fix for %s: %s", event.fingerprint, reason)
+        return "skip", None
+
+    patch = _extract_patch(output)
+    if not patch:
+        logger.warning("No patch found in Claude output for %s", event.fingerprint)
+        return "error", None
+
+    ok, reason = _validate_patch(patch)
+    if not ok:
+        logger.warning("Patch rejected for %s: %s", event.fingerprint, reason)
+        return "skip", None
+
+    patches_dir.mkdir(parents=True, exist_ok=True)
+    patch_path = patches_dir / f"{event.fingerprint}.diff"
+    patch_path.write_text(patch, encoding="utf-8")
+    logger.info("Patch written to %s", patch_path)
+    return "patch", patch_path

package/python/sentinel/git_manager.py

@@ -0,0 +1,227 @@
+"""
+git_manager.py — Git operations and GitHub PR creation.
+
+Supports two modes (driven by repo.auto_publish):
+  True  → apply fix directly to main branch and push
+  False → push to sentinel/fix-<fp> branch and open a GitHub PR
+"""
+
+import logging
+import os
+import subprocess
+from pathlib import Path
+
+import requests
+
+from .config_loader import RepoConfig, SentinelConfig
+from .log_parser import ErrorEvent
+
+logger = logging.getLogger(__name__)
+
+GIT_TIMEOUT = 60
+PR_BRANCH_PREFIX = "sentinel/fix-"
+
+# Files that must never be modified by Sentinel
+_PROTECTED_PATHS = {".github/", "Jenkinsfile", "pom.xml"}
+
+
+def _git(args: list[str], cwd: str, env: dict | None = None, timeout: int = GIT_TIMEOUT) -> subprocess.CompletedProcess:
+    return subprocess.run(
+        ["git"] + args,
+        cwd=cwd,
+        capture_output=True,
+        text=True,
+        timeout=timeout,
+        env=env or os.environ.copy(),
+    )
+
+
+def _git_env(repo: RepoConfig) -> dict:
+    # GIT_SSH_COMMAND can be set externally for SSH-based repos
+    return os.environ.copy()
+
+
+def _check_protected_paths(patch_path: Path) -> bool:
+    text = patch_path.read_text(encoding="utf-8", errors="replace")
+    for line in text.splitlines():
+        if line.startswith(("--- a/", "+++ b/")):
+            file_path = line[6:]
+            for protected in _PROTECTED_PATHS:
+                if file_path.startswith(protected) or file_path == protected.rstrip("/"):
+                    logger.warning("Patch touches protected path %s — skipping", file_path)
+                    return True
+    return False
+
+
+def apply_and_commit(
+    event: ErrorEvent,
+    patch_path: Path,
+    repo: RepoConfig,
+    cfg: SentinelConfig,
+) -> tuple[str, str]:
+    """
+    Pull, apply patch, run tests, commit.
+
+    Returns:
+        (status, commit_hash)
+        status: "committed" | "failed"
+    """
+    env = _git_env(repo)
+    local_path = repo.local_path
+
+    if _check_protected_paths(patch_path):
+        return "failed", ""
+
+    r = _git(["pull", "--rebase", "origin", repo.branch], cwd=local_path, env=env)
+    if r.returncode != 0:
+        logger.error("git pull failed for %s:\n%s", repo.repo_name, r.stderr)
+        return "failed", ""
+
+    r = _git(["apply", "--check", str(patch_path)], cwd=local_path, env=env)
+    if r.returncode != 0:
+        logger.error("Patch dry-run failed for %s:\n%s", event.fingerprint, r.stderr)
+        return "failed", ""
+
+    r = _git(["apply", str(patch_path)], cwd=local_path, env=env)
+    if r.returncode != 0:
+        logger.error("git apply failed for %s:\n%s", event.fingerprint, r.stderr)
+        return "failed", ""
+
+    if not _run_tests(repo, local_path):
+        _git(["checkout", "."], cwd=local_path, env=env)
+        return "failed", ""
+
+    summary = event.short_summary()[:60]
+    commit_msg = f"fix(sentinel): {summary} [auto]\n\nError fingerprint: {event.fingerprint}\nSource: {event.source}"
+    r = _git(["commit", "-am", commit_msg], cwd=local_path, env=env)
+    if r.returncode != 0:
+        logger.error("git commit failed:\n%s", r.stderr)
+        _git(["checkout", "."], cwd=local_path, env=env)
+        return "failed", ""
+
+    commit_hash = _git(["rev-parse", "HEAD"], cwd=local_path, env=env).stdout.strip()
+    logger.info("Committed %s for %s", commit_hash[:8], event.fingerprint)
+
+    _append_changelog(repo, event, commit_hash)
+    return "committed", commit_hash
+
+
+def _run_tests(repo: RepoConfig, local_path: str) -> bool:
+    """Run the repo's test suite. Return True if passing."""
+    if (Path(local_path) / "pom.xml").exists():
+        cmd = ["mvn", "test", "-q", "--no-transfer-progress"]
+    elif (Path(local_path) / "package.json").exists():
+        cmd = ["npm", "test", "--", "--watchAll=false"]
+    elif (Path(local_path) / "build.gradle").exists() or (Path(local_path) / "build.gradle.kts").exists():
+        cmd = ["./gradlew", "test", "-q"]
+    else:
+        logger.info("No recognised build file in %s — skipping tests", repo.repo_name)
+        return True
+
+    logger.info("Running tests for %s: %s", repo.repo_name, " ".join(cmd))
+    r = subprocess.run(cmd, cwd=local_path, capture_output=True, text=True, timeout=300)
+    if r.returncode != 0:
+        logger.error("Tests failed:\n%s", r.stdout[-2000:] + r.stderr[-1000:])
+        return False
+    logger.info("Tests passed")
+    return True
+
+
+def _append_changelog(repo: RepoConfig, event: ErrorEvent, commit_hash: str):
+    changelog = Path(repo.local_path) / "CHANGELOG.md"
+    entry = (
+        f"\n## [{commit_hash[:8]}] Sentinel auto-fix\n"
+        f"- Source: {event.source}\n"
+        f"- Error: {event.short_summary()}\n"
+        f"- Fingerprint: `{event.fingerprint}`\n"
+    )
+    with open(changelog, "a", encoding="utf-8") as f:
+        f.write(entry)
+    env = _git_env(repo)
+    _git(["add", "CHANGELOG.md"], cwd=repo.local_path, env=env)
+    _git(["commit", "--amend", "--no-edit"], cwd=repo.local_path, env=env)
+
+
+def publish(
+    event: ErrorEvent,
+    repo: RepoConfig,
+    cfg: SentinelConfig,
+    commit_hash: str,
+) -> tuple[str, str]:
+    """
+    Push the fix and (if AUTO_PUBLISH=false) open a PR.
+
+    Returns:
+        (branch, pr_url)  — pr_url is "" when AUTO_PUBLISH=true
+    """
+    env = _git_env(repo)
+    local_path = repo.local_path
+
+    if repo.auto_publish:
+        r = _git(["push", "origin", repo.branch], cwd=local_path, env=env)
+        if r.returncode != 0:
+            logger.error("git push failed:\n%s", r.stderr)
+        return repo.branch, ""
+    else:
+        branch = f"{PR_BRANCH_PREFIX}{event.fingerprint[:8]}"
+        _git(["checkout", "-B", branch], cwd=local_path, env=env)
+        r = _git(["push", "-u", "origin", branch], cwd=local_path, env=env)
+        if r.returncode != 0:
+            logger.error("git push branch failed:\n%s", r.stderr)
+            _git(["checkout", repo.branch], cwd=local_path, env=env)
+            return branch, ""
+        _git(["checkout", repo.branch], cwd=local_path, env=env)
+        pr_url = _open_github_pr(event, repo, cfg, branch, commit_hash)
+        return branch, pr_url
+
+
+def _open_github_pr(
+    event: ErrorEvent,
+    repo: RepoConfig,
+    cfg: SentinelConfig,
+    branch: str,
+    commit_hash: str,
+) -> str:
+    if not cfg.github_token:
+        logger.warning("GITHUB_TOKEN not set — cannot open PR")
+        return ""
+
+    repo_url = repo.repo_url
+    if repo_url.startswith("git@"):
+        owner_repo = repo_url.split(":")[-1].removesuffix(".git")
+    else:
+        owner_repo = "/".join(repo_url.rstrip("/").split("/")[-2:]).removesuffix(".git")
+
+    title = f"[Sentinel] fix({event.source}): {event.short_summary()[:60]}"
+    stack_preview = "\n".join(event.stack_trace[:8])
+    body = (
+        f"## Auto-generated fix by Sentinel\n\n"
+        f"**Error fingerprint**: `{event.fingerprint}`  \n"
+        f"**Source**: `{event.source}` / `{event.log_file}`  \n"
+        f"**First seen**: {event.timestamp}\n\n"
+        f"### Error\n```\n{event.message}\n{stack_preview}\n```\n\n"
+        f"### Commits in this fix\n"
+        f"| SHA (short) | Description |\n|---|---|\n"
+        f"| `{commit_hash[:8]}` | fix(sentinel): {event.short_summary()[:60]} |\n\n"
+        f"---\n"
+        f"_To apply: merge this PR. To reject: close it. "
+        f"Sentinel will not retry this fingerprint for 24 h._"
+    )
+
+    resp = requests.post(
+        f"https://api.github.com/repos/{owner_repo}/pulls",
+        json={"title": title, "body": body, "head": branch, "base": repo.branch},
+        headers={
+            "Authorization": f"Bearer {cfg.github_token}",
+            "Accept": "application/vnd.github+json",
+        },
+        timeout=30,
+    )
+
+    if resp.status_code == 201:
+        pr_url = resp.json().get("html_url", "")
+        logger.info("PR opened: %s", pr_url)
+        return pr_url
+    else:
+        logger.error("Failed to open PR (%s): %s", resp.status_code, resp.text[:300])
+        return ""