@misterhuydo/sentinel 1.0.53 → 1.0.55

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-03-22T11:21:17.183Z
+2026-03-22T12:03:28.852Z

package/.cairn/session.json

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-03-22T11:32:35.191Z",
-  "checkpoint_at": "2026-03-22T11:32:35.192Z",
+  "message": "Auto-checkpoint at 2026-03-22T12:06:59.426Z",
+  "checkpoint_at": "2026-03-22T12:06:59.427Z",
   "active_files": [],
   "notes": [],
   "mtime_snapshot": {}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.0.53",
+  "version": "1.0.55",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/config_loader.py

@@ -61,6 +61,7 @@ class SentinelConfig:
     slack_app_token: str = ""        # xapp-... (Socket Mode)
     slack_channel: str = ""          # optional: restrict to one channel ID or name
     slack_watch_bot_ids: list[str] = field(default_factory=list)   # pre-configured bot IDs to watch passively
+    slack_allowed_users: list[str] = field(default_factory=list)  # if set, only these Slack user IDs can talk to Boss
     project_name: str = ""           # optional: friendly name used by Sentinel Boss (e.g. "1881")
 
 
@@ -155,6 +156,7 @@ class ConfigLoader:
         c.slack_app_token = d.get("SLACK_APP_TOKEN", "")
         c.slack_channel = d.get("SLACK_CHANNEL", "")
         c.slack_watch_bot_ids = _csv(d.get("SLACK_WATCH_BOT_IDS", ""))
+        c.slack_allowed_users = _csv(d.get("SLACK_ALLOWED_USERS", ""))
         c.project_name = d.get("PROJECT_NAME", "")
         self.sentinel = c
 

package/python/sentinel/sentinel_boss.py

@@ -95,6 +95,10 @@ What you can do (tools available):
                         they are delivering to.
                         e.g. "which bots are you watching?", "list monitored bots"
 
+18. upgrade_sentinel — Pull the latest Sentinel agent code, update Python deps, and restart the
+                       process. Safe to run at any time — no restart if already up to date.
+                       e.g. "upgrade sentinel", "update sentinel", "upgrade yourself"
+
 When someone asks what you can do, what you support, what your capabilities are, or how you can help,
 reply with a short summary grouped by category:
 
@@ -126,6 +130,9 @@ reply with a short summary grouped by category:
 • `unwatch_bot` — stop monitoring a bot — "stop watching @errorbot"
 • `list_watched_bots` — show all bots currently being monitored — "which bots are you watching?"
 
+*Self-management*
+• `upgrade_sentinel` — git pull + pip install + restart — "upgrade sentinel", "update yourself"
+
 Tone: direct, professional, like a senior engineer who owns the system.
 Don't pad responses. Don't say "Great question!" or "Certainly!".
 If you don't know something, use a tool to find out before saying you don't know.
@@ -409,6 +416,17 @@ _TOOLS = [
         ),
         "input_schema": {"type": "object", "properties": {}},
     },
+    {
+        "name": "upgrade_sentinel",
+        "description": (
+            "Upgrade the Sentinel agent itself: git pull the latest code, update Python deps, "
+            "then restart the process. Safe to call at any time — if already up to date, "
+            "no restart is triggered. "
+            "Use for: 'upgrade sentinel', 'update sentinel', 'upgrade yourself', "
+            "'pull latest sentinel code', 'restart sentinel after upgrade'."
+        ),
+        "input_schema": {"type": "object", "properties": {}},
+    },
 ]
 
 
@@ -854,6 +872,73 @@ async def _run_tool(name: str, inputs: dict, cfg_loader, store, slack_client=Non
             ],
         })
 
+    if name == "upgrade_sentinel":
+        import threading
+        import signal as _sig
+
+        code_dir    = Path(__file__).resolve().parent.parent  # sentinel repo root
+        project_dir = Path(".").resolve()
+        steps: list[dict] = []
+
+        # Step 1: git pull the sentinel agent code
+        pull = _git_pull(code_dir)
+        steps.append({"step": "git_pull", **pull})
+        already_latest = "already up to date" in pull.get("detail", "").lower()
+
+        if pull["status"] == "error":
+            return json.dumps({"status": "error", "steps": steps,
+                                "note": "git pull failed — check network / SSH key"})
+
+        # Step 2: pip install (update Python deps)
+        venv_pip = code_dir / ".venv" / "bin" / "pip"
+        pip_cmd  = str(venv_pip) if venv_pip.exists() else "pip3"
+        req_file = code_dir / "requirements.txt"
+        if req_file.exists():
+            try:
+                r = subprocess.run(
+                    [pip_cmd, "install", "-q", "-r", str(req_file)],
+                    capture_output=True, text=True, timeout=120,
+                )
+                steps.append({
+                    "step":   "pip_install",
+                    "status": "ok" if r.returncode == 0 else "warn",
+                    "detail": (r.stderr or "").strip()[:200],
+                })
+            except Exception as e:
+                steps.append({"step": "pip_install", "status": "warn", "detail": str(e)})
+
+        if already_latest:
+            return json.dumps({
+                "status": "already_latest",
+                "steps":  steps,
+                "note":   "Sentinel is already up to date. No restart needed.",
+            })
+
+        # Step 3: restart — schedule after response is sent
+        stop_sh  = project_dir / "stop.sh"
+        start_sh = project_dir / "start.sh"
+        if stop_sh.exists() and start_sh.exists():
+            def _restart_scripts():
+                import time; time.sleep(2)
+                subprocess.Popen(
+                    f"bash {stop_sh} && sleep 2 && bash {start_sh}",
+                    shell=True,
+                )
+            threading.Thread(target=_restart_scripts, daemon=True).start()
+            restart_method = "stop.sh + start.sh"
+        else:
+            # SIGTERM self — systemd (Restart=always) will bring it back up
+            threading.Timer(2.0, lambda: os.kill(os.getpid(), _sig.SIGTERM)).start()
+            restart_method = "SIGTERM → systemd restart"
+
+        steps.append({"step": "restart", "status": "scheduled", "method": restart_method})
+        logger.info("Boss: upgrade_sentinel complete, restarting via %s", restart_method)
+        return json.dumps({
+            "status": "ok",
+            "steps":  steps,
+            "note":   "Upgrade complete. Sentinel is restarting — give it a few seconds then I'll be back.",
+        })
+
     return json.dumps({"error": f"unknown tool: {name}"})
 
 

package/python/sentinel/slack_bot.py

@@ -293,6 +293,12 @@ async def _dispatch(event: dict, client, cfg_loader, store) -> None:
     if not text:
         return
 
+    # Allowlist check — if SLACK_ALLOWED_USERS is configured, silently ignore everyone else
+    allowed = cfg_loader.sentinel.slack_allowed_users
+    if allowed and user_id not in allowed:
+        logger.warning("Boss: ignoring message from unauthorised user %s", user_id)
+        return
+
     user_name = await _resolve_name(client, user_id)
 
     status, pos, session = await _queue.try_activate(user_id, user_name, channel)

package/templates/sentinel.properties

@@ -36,6 +36,12 @@ WORKSPACE_DIR=./workspace
 # Note: requires conversations:read scope on the Slack App if using channel name
 # SLACK_CHANNEL=devops-sentinel
 
+# Allowlist of Slack user IDs permitted to give Sentinel Boss commands (RECOMMENDED).
+# If set, all other users are silently ignored — even in the configured channel.
+# Find a user ID in Slack: click their profile → ⋯ More → Copy member ID (starts with U).
+# Comma-separated. Leave unset to allow anyone who can reach the bot (less secure).
+# SLACK_ALLOWED_USERS=U01AB2CD3EF, U09GH8IJ7KL
+
 # Passive bot watcher — seed the watch list on startup with known bot IDs.
 # Sentinel will passively queue every message from these bots as issues (no @mention needed).
 # You can also add bots at runtime: "@Sentinel listen to @alertbot for project 1881"