@misterhuydo/sentinel 1.0.77 → 1.0.83

package/lib/upgrade.js

@@ -1,3 +1,41 @@
+
+function ensureClaudePermissions() {
+  const settingsPath = require('path').join(require('os').homedir(), '.claude', 'settings.json');
+  const required = ['Read(**)', 'Write(**)', 'Edit(**)', 'Bash(**)'];
+  let settings = {};
+  try {
+    if (fs.existsSync(settingsPath)) {
+      settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
+    }
+  } catch (e) {
+    warn('Could not read ' + settingsPath + ': ' + e.message);
+    return;
+  }
+  if (!settings.permissions) settings.permissions = {};
+  if (!Array.isArray(settings.permissions.allow)) settings.permissions.allow = [];
+  const existing = new Set(settings.permissions.allow);
+  const added = [];
+  for (const perm of required) {
+    if (!existing.has(perm)) {
+      settings.permissions.allow.push(perm);
+      added.push(perm);
+    }
+  }
+  if (added.length === 0) {
+    ok('Claude Code permissions already configured');
+    return;
+  }
+  try {
+    const path = require('path');
+    fs.ensureDirSync(path.dirname(settingsPath));
+    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '
+');
+    ok('Claude Code permissions patched: ' + added.join(', '));
+  } catch (e) {
+    warn('Could not write ' + settingsPath + ': ' + e.message);
+  }
+}
+
 'use strict';
 
 const fs = require('fs-extra');
@@ -67,6 +105,8 @@ module.exports = async function upgrade() {
     if (shFiles.length) spawnSync('chmod', ['+x', ...shFiles], { stdio: 'inherit' });
   }
   ok('Python source updated');
+  info('Patching Claude Code permissions…');
+  ensureClaudePermissions();
 
   // Print new version
   const { version: latest } = require(path.join(pkgDir, 'package.json'));

package/package.json

@@ -1,21 +1,21 @@
-{
-  "name": "@misterhuydo/sentinel",
-  "version": "1.0.77",
-  "description": "Sentinel — Autonomous DevOps Agent installer and manager",
-  "bin": {
-    "sentinel": "./bin/sentinel.js"
-  },
-  "scripts": {
-    "prepublishOnly": "node scripts/bundle.js"
-  },
-  "dependencies": {
-    "chalk": "^4.1.2",
-    "fs-extra": "^11.2.0",
-    "prompts": "^2.4.2"
-  },
-  "engines": {
-    "node": ">=16"
-  },
-  "author": "misterhuydo",
-  "license": "MIT"
-}
+{
+  "name": "@misterhuydo/sentinel",
+  "version": "1.0.83",
+  "description": "Sentinel — Autonomous DevOps Agent installer and manager",
+  "bin": {
+    "sentinel": "./bin/sentinel.js"
+  },
+  "scripts": {
+    "prepublishOnly": "node scripts/bundle.js"
+  },
+  "dependencies": {
+    "chalk": "^4.1.2",
+    "fs-extra": "^11.2.0",
+    "prompts": "^2.4.2"
+  },
+  "engines": {
+    "node": ">=16"
+  },
+  "author": "misterhuydo",
+  "license": "MIT"
+}

package/python/scripts/patch_notify.js

@@ -0,0 +1,200 @@
+'use strict';
+const fs = require('fs');
+
+// ── fix_engine.py ─────────────────────────────────────────────────────────────
+{
+  const f = 'sentinel/fix_engine.py';
+  let c = fs.readFileSync(f, 'utf8').replace(/\r\n/g, '\n');
+
+  // 1. Add notify import
+  const OLD_IMPORT = 'from .config_loader import RepoConfig, SentinelConfig\nfrom .log_parser import ErrorEvent';
+  const NEW_IMPORT = 'from .config_loader import RepoConfig, SentinelConfig\nfrom .log_parser import ErrorEvent\nfrom .notify import alert_if_rate_limited, slack_alert';
+  if (!c.includes(OLD_IMPORT)) { console.error('fix_engine import not found'); process.exit(1); }
+  c = c.replace(OLD_IMPORT, NEW_IMPORT);
+
+  // 2. Only inject ANTHROPIC_API_KEY when claude_pro_for_tasks is False
+  //    (so when both are configured, heavy tasks use Claude Pro OAuth)
+  const OLD_ENV = `    import os as _os
+    env = _os.environ.copy()
+    if cfg.anthropic_api_key:
+        env["ANTHROPIC_API_KEY"] = cfg.anthropic_api_key`;
+  const NEW_ENV = `    import os as _os
+    env = _os.environ.copy()
+    # Inject API key only when Claude Pro is NOT preferred for tasks
+    # (when claude_pro_for_tasks=True and API key is set, let claude CLI use OAuth/Pro)
+    if cfg.anthropic_api_key and not cfg.claude_pro_for_tasks:
+        env["ANTHROPIC_API_KEY"] = cfg.anthropic_api_key`;
+  if (!c.includes(OLD_ENV)) { console.error('fix_engine env block not found'); process.exit(1); }
+  c = c.replace(OLD_ENV, NEW_ENV);
+
+  // 3. After getting output, check for rate limits and alert Slack
+  const OLD_OUTPUT = `    output = (result.stdout or "") + (result.stderr or "")
+
+    if output.strip().upper().startswith("SKIP:"):`;
+  const NEW_OUTPUT = `    output = (result.stdout or "") + (result.stderr or "")
+
+    # Alert Slack immediately on rate-limit / auth failure — never stay silent
+    alert_if_rate_limited(
+        cfg.slack_bot_token,
+        cfg.slack_channel,
+        source=f"fix_engine/{event.fingerprint}",
+        output=output,
+    )
+
+    if output.strip().upper().startswith("SKIP:"):`;
+  if (!c.includes(OLD_OUTPUT)) { console.error('fix_engine output block not found'); process.exit(1); }
+  c = c.replace(OLD_OUTPUT, NEW_OUTPUT);
+
+  // 4. Also alert on FileNotFoundError (claude CLI missing)
+  const OLD_NOTFOUND = `    except FileNotFoundError:
+        logger.error("Claude Code binary not found at '%s'", cfg.claude_code_bin)
+        return "error", None, ""`;
+  const NEW_NOTFOUND = '    except FileNotFoundError:\n'
+    + '        msg = (\n'
+    + '            f":warning: *Sentinel \u2014 Claude CLI not found*\\n"\n'
+    + '            f"`{cfg.claude_code_bin}` not found. Run: `npm install -g @anthropic-ai/claude-code`\\n"\n'
+    + '            f"Fix engine is disabled until this is resolved."\n'
+    + '        )\n'
+    + '        logger.error("Claude Code binary not found at \'%s\'", cfg.claude_code_bin)\n'
+    + '        slack_alert(cfg.slack_bot_token, cfg.slack_channel, msg)\n'
+    + '        return "error", None, ""';
+  if (!c.includes(OLD_NOTFOUND)) { console.error('fix_engine notfound block not found'); process.exit(1); }
+  c = c.replace(OLD_NOTFOUND, NEW_NOTFOUND);
+
+  fs.writeFileSync(f, c, 'utf8');
+  console.log('fix_engine.py done. Lines:', c.split('\n').length);
+}
+
+// ── sentinel_boss.py ──────────────────────────────────────────────────────────
+{
+  const f = 'sentinel/sentinel_boss.py';
+  let c = fs.readFileSync(f, 'utf8').replace(/\r\n/g, '\n');
+
+  // 1. Add notify import
+  const OLD_IMPORT = 'logger = logging.getLogger(__name__)';
+  const NEW_IMPORT = 'from .notify import alert_if_rate_limited, slack_alert, is_rate_limited\n\nlogger = logging.getLogger(__name__)';
+  if (!c.includes(OLD_IMPORT)) { console.error('boss import anchor not found'); process.exit(1); }
+  c = c.replace(OLD_IMPORT, NEW_IMPORT);
+
+  // 2. Revert auth priority: API key first, CLI fallback
+  //    Replace current handle_message body
+  const OLD_HM_BODY =
+`    # 1st priority: Claude Pro / OAuth via CLI
+    cli_reply, cli_done = await _handle_with_cli(
+        message, history, cfg_loader, store, slack_client=slack_client, user_name=user_name,
+        user_id=user_id, attachments=attachments,
+    )
+    if not cli_reply.startswith(":warning:"):
+        return cli_reply, cli_done
+
+    # CLI failed — try ANTHROPIC_API_KEY fallback
+    try:
+        import anthropic  # noqa: F401
+    except ImportError:
+        return (
+            ":warning: \`anthropic\` package not installed. Run: \`pip install anthropic\`",
+            True,
+        )
+
+    api_key = cfg_loader.sentinel.anthropic_api_key or os.environ.get("ANTHROPIC_API_KEY", "")
+    if not api_key:
+        return cli_reply, cli_done  # No fallback available
+
+    logger.info("Boss: CLI path failed (%s…), falling back to ANTHROPIC_API_KEY", cli_reply[:60])
+    return await _handle_with_api(
+        message, history, cfg_loader, store, slack_client=slack_client, user_name=user_name,
+        user_id=user_id, attachments=attachments,
+    )`;
+
+  const NEW_HM_BODY =
+`    api_key = cfg_loader.sentinel.anthropic_api_key or os.environ.get("ANTHROPIC_API_KEY", "")
+
+    # 1st priority: ANTHROPIC_API_KEY — full structured tools, cheap per-token for Boss queries
+    if api_key:
+        try:
+            import anthropic  # noqa: F401
+            return await _handle_with_api(
+                message, history, cfg_loader, store, slack_client=slack_client,
+                user_name=user_name, user_id=user_id, attachments=attachments,
+            )
+        except Exception as api_err:
+            err_str = str(api_err)
+            # Detect rate-limit / auth failure and alert Slack before falling through
+            cfg = cfg_loader.sentinel
+            if is_rate_limited(err_str):
+                from .notify import rate_limit_message
+                alert_if_rate_limited(cfg.slack_bot_token, cfg.slack_channel,
+                                      "sentinel_boss/api", err_str)
+            logger.warning("Boss: API key path failed (%s), trying CLI fallback", err_str[:80])
+
+    # 2nd priority: Claude Pro / OAuth via CLI (limited tools but no API key needed)
+    cli_reply, cli_done = await _handle_with_cli(
+        message, history, cfg_loader, store, slack_client=slack_client, user_name=user_name,
+        user_id=user_id, attachments=attachments,
+    )
+    if not cli_reply.startswith(":warning:"):
+        return cli_reply, cli_done
+
+    # Both paths failed — alert Slack and return error
+    cfg = cfg_loader.sentinel
+    err_output = cli_reply
+    alert_if_rate_limited(cfg.slack_bot_token, cfg.slack_channel,
+                          "sentinel_boss/cli", err_output)
+    if not api_key:
+        # No auth at all configured
+        no_auth_msg = (
+            ":warning: *Sentinel Boss — no Claude auth configured*\\n"
+            "Configure at least one of:\\n"
+            "\u2022 \`ANTHROPIC_API_KEY\` in \`sentinel.properties\` \u2014 full features\\n"
+            "\u2022 Claude Pro OAuth: run \`claude login\` on the server \u2014 required for fix_engine\\n"
+            "See: https://github.com/misterhuydo/Sentinel#authentication"
+        )
+        slack_alert(cfg.slack_bot_token, cfg.slack_channel, no_auth_msg)
+        return ":warning: No Claude authentication configured. See Slack for details.", True
+    return cli_reply, cli_done`;
+
+  if (!c.includes(OLD_HM_BODY)) { console.error('handle_message body not found'); process.exit(1); }
+  c = c.replace(OLD_HM_BODY, NEW_HM_BODY);
+
+  // 3. In _handle_with_cli, alert Slack on rate-limit detected in CLI output
+  const OLD_CLI_FAIL =
+`        if result.returncode != 0 and not output:
+            return f":warning: \`claude --print\` failed (exit {result.returncode}): {(result.stderr or '').strip()[:300]}", True`;
+  const NEW_CLI_FAIL =
+`        raw_err = (result.stderr or "").strip()
+        if result.returncode != 0 and not output:
+            full_err = f"exit {result.returncode}: {raw_err[:300]}"
+            cfg = cfg_loader.sentinel
+            alert_if_rate_limited(cfg.slack_bot_token, cfg.slack_channel,
+                                  "sentinel_boss/cli", raw_err or full_err)
+            return f":warning: \`claude --print\` failed ({full_err})", True`;
+  if (!c.includes(OLD_CLI_FAIL)) { console.error('cli fail block not found'); process.exit(1); }
+  c = c.replace(OLD_CLI_FAIL, NEW_CLI_FAIL);
+
+  // 4. Also alert in ask_codebase when claude --print fails
+  const OLD_ASK_FAIL = `                if r.returncode != 0 and not output:
+                    return {"repo": repo_name, "error": f"claude --print failed (rc={r.returncode}): {(r.stderr or '')[:200]}"}`;
+  const NEW_ASK_FAIL = `                if r.returncode != 0 and not output:
+                    raw_err = (r.stderr or "")
+                    alert_if_rate_limited(
+                        cfg.slack_bot_token, cfg.slack_channel,
+                        f"ask_codebase/{repo_name}", raw_err,
+                    )
+                    return {"repo": repo_name, "error": f"claude --print failed (rc={r.returncode}): {raw_err[:200]}"}`;
+  if (!c.includes(OLD_ASK_FAIL)) { console.error('ask_codebase fail block not found'); process.exit(1); }
+  c = c.replace(OLD_ASK_FAIL, NEW_ASK_FAIL);
+
+  // 5. ask_codebase: respect claude_pro_for_tasks (don't inject API key when Pro preferred)
+  const OLD_ASK_ENV = `        env = os.environ.copy()
+        if cfg.anthropic_api_key:
+            env["ANTHROPIC_API_KEY"] = cfg.anthropic_api_key`;
+  const NEW_ASK_ENV = `        env = os.environ.copy()
+        # Only inject API key when Claude Pro is NOT preferred for heavy tasks
+        if cfg.anthropic_api_key and not cfg.claude_pro_for_tasks:
+            env["ANTHROPIC_API_KEY"] = cfg.anthropic_api_key`;
+  if (!c.includes(OLD_ASK_ENV)) { console.error('ask_codebase env not found'); process.exit(1); }
+  c = c.replace(OLD_ASK_ENV, NEW_ASK_ENV);
+
+  fs.writeFileSync(f, c, 'utf8');
+  console.log('sentinel_boss.py done. Lines:', c.split('\n').length);
+}

package/python/sentinel/config_loader.py

@@ -63,6 +63,11 @@ class SentinelConfig:
     slack_watch_bot_ids: list[str] = field(default_factory=list)   # pre-configured bot IDs to watch passively
     slack_allowed_users: list[str] = field(default_factory=list)  # if set, only these Slack user IDs can talk to Boss
     project_name: str = ""           # optional: friendly name used by Sentinel Boss (e.g. "1881")
+    # Auth strategy:
+    #   ANTHROPIC_API_KEY  — used by Sentinel Boss conversation (structured tools, cheap per-token)
+    #   Claude Pro / OAuth — used by fix_engine + ask_codebase when CLAUDE_PRO_FOR_TASKS=true
+    #   At least one must be configured. Both = ideal split (Boss=API key, heavy tasks=Pro).
+    claude_pro_for_tasks: bool = True  # when True + API key set, fix_engine/ask_codebase use claude CLI (Pro billing)
 
 
 @dataclass
@@ -158,6 +163,7 @@ class ConfigLoader:
         c.slack_watch_bot_ids = _csv(d.get("SLACK_WATCH_BOT_IDS", ""))
         c.slack_allowed_users = _csv(d.get("SLACK_ALLOWED_USERS", ""))
         c.project_name = d.get("PROJECT_NAME", "")
+        c.claude_pro_for_tasks = d.get("CLAUDE_PRO_FOR_TASKS", "true").lower() != "false"
         self.sentinel = c
 
     def _load_log_sources(self):