@misterhuydo/sentinel 1.0.54 → 1.0.56

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-03-22T12:03:28.852Z
+2026-03-22T14:06:29.625Z

package/.cairn/session.json

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-03-22T11:59:57.164Z",
-  "checkpoint_at": "2026-03-22T11:59:57.165Z",
+  "message": "Auto-checkpoint at 2026-03-22T14:06:41.424Z",
+  "checkpoint_at": "2026-03-22T14:06:41.425Z",
   "active_files": [],
   "notes": [],
   "mtime_snapshot": {}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.0.54",
+  "version": "1.0.56",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/config_loader.py

@@ -61,6 +61,7 @@ class SentinelConfig:
     slack_app_token: str = ""        # xapp-... (Socket Mode)
     slack_channel: str = ""          # optional: restrict to one channel ID or name
     slack_watch_bot_ids: list[str] = field(default_factory=list)   # pre-configured bot IDs to watch passively
+    slack_allowed_users: list[str] = field(default_factory=list)  # if set, only these Slack user IDs can talk to Boss
     project_name: str = ""           # optional: friendly name used by Sentinel Boss (e.g. "1881")
 
 
@@ -155,6 +156,7 @@ class ConfigLoader:
         c.slack_app_token = d.get("SLACK_APP_TOKEN", "")
         c.slack_channel = d.get("SLACK_CHANNEL", "")
         c.slack_watch_bot_ids = _csv(d.get("SLACK_WATCH_BOT_IDS", ""))
+        c.slack_allowed_users = _csv(d.get("SLACK_ALLOWED_USERS", ""))
         c.project_name = d.get("PROJECT_NAME", "")
         self.sentinel = c
 

package/python/sentinel/sentinel_boss.py

@@ -919,7 +919,7 @@ async def _run_tool(name: str, inputs: dict, cfg_loader, store, slack_client=Non
         start_sh = project_dir / "start.sh"
         if stop_sh.exists() and start_sh.exists():
             def _restart_scripts():
-                import time; time.sleep(2)
+                import time; time.sleep(10)
                 subprocess.Popen(
                     f"bash {stop_sh} && sleep 2 && bash {start_sh}",
                     shell=True,
@@ -928,7 +928,8 @@ async def _run_tool(name: str, inputs: dict, cfg_loader, store, slack_client=Non
             restart_method = "stop.sh + start.sh"
         else:
             # SIGTERM self — systemd (Restart=always) will bring it back up
-            threading.Timer(2.0, lambda: os.kill(os.getpid(), _sig.SIGTERM)).start()
+            # 10s delay gives Claude time to generate + post the reply before we die
+            threading.Timer(10.0, lambda: os.kill(os.getpid(), _sig.SIGTERM)).start()
             restart_method = "SIGTERM → systemd restart"
 
         steps.append({"step": "restart", "status": "scheduled", "method": restart_method})
@@ -1032,6 +1033,8 @@ async def _handle_with_cli(
     reply   = _ACTION_RE.sub("", output).strip()
     is_done = "[DONE]" in reply
     reply   = reply.replace("[DONE]", "").strip()
+    if not reply:
+        reply = "Done."
 
     history.append({"role": "user",      "content": message})
     history.append({"role": "assistant", "content": reply})
@@ -1114,6 +1117,8 @@ async def handle_message(
             reply   = " ".join(text_parts).strip()
             is_done = "[DONE]" in reply
             reply   = reply.replace("[DONE]", "").strip()
+            if not reply:
+                reply = "Done."
             history.append({"role": "assistant", "content": response.content})
             return reply, is_done
 

package/python/sentinel/slack_bot.py

@@ -293,6 +293,12 @@ async def _dispatch(event: dict, client, cfg_loader, store) -> None:
     if not text:
         return
 
+    # Allowlist check — if SLACK_ALLOWED_USERS is configured, silently ignore everyone else
+    allowed = cfg_loader.sentinel.slack_allowed_users
+    if allowed and user_id not in allowed:
+        logger.warning("Boss: ignoring message from unauthorised user %s", user_id)
+        return
+
     user_name = await _resolve_name(client, user_id)
 
     status, pos, session = await _queue.try_activate(user_id, user_name, channel)
@@ -318,6 +324,8 @@ async def _run_turn(session: _Session, message: str, client, cfg_loader, store)
     # Typing indicator
     await _post(client, channel, "_thinking..._")
 
+    reply = ""
+    is_done = True
     try:
         reply, is_done = await handle_message(
             message, session.history, cfg_loader, store,
@@ -325,8 +333,7 @@ async def _run_turn(session: _Session, message: str, client, cfg_loader, store)
         )
     except Exception as e:
         logger.exception("Sentinel Boss error: %s", e)
-        await _post(client, channel, f":warning: Unhandled error: {e}")
-        is_done = True
+        reply = f":warning: Unhandled error: {e}"
 
     await _post(client, channel, reply)
 
@@ -347,6 +354,8 @@ async def _run_turn(session: _Session, message: str, client, cfg_loader, store)
 # ── Helpers ───────────────────────────────────────────────────────────────────
 
 async def _post(client, channel: str, text: str) -> None:
+    if not text:
+        return
     try:
         await client.chat_postMessage(channel=channel, text=text)
     except Exception as e:

package/templates/sentinel.properties

@@ -36,6 +36,12 @@ WORKSPACE_DIR=./workspace
 # Note: requires conversations:read scope on the Slack App if using channel name
 # SLACK_CHANNEL=devops-sentinel
 
+# Allowlist of Slack user IDs permitted to give Sentinel Boss commands (RECOMMENDED).
+# If set, all other users are silently ignored — even in the configured channel.
+# Find a user ID in Slack: click their profile → ⋯ More → Copy member ID (starts with U).
+# Comma-separated. Leave unset to allow anyone who can reach the bot (less secure).
+# SLACK_ALLOWED_USERS=U01AB2CD3EF, U09GH8IJ7KL
+
 # Passive bot watcher — seed the watch list on startup with known bot IDs.
 # Sentinel will passively queue every message from these bots as issues (no @mention needed).
 # You can also add bots at runtime: "@Sentinel listen to @alertbot for project 1881"