@misterhuydo/sentinel 1.0.82 → 1.0.84

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-03-22T17:57:09.109Z
+2026-03-23T05:01:48.297Z

package/.cairn/minify-map.json

@@ -4,11 +4,5 @@
     "state": "compressed",
     "minifiedAt": 1774128147034.2527,
     "readCount": 1
-  },
-  "J:\\Projects\\Sentinel\\cli\\lib\\init.js": {
-    "tempPath": "J:\\Projects\\Sentinel\\cli\\.cairn\\views\\2a85cc_init.js",
-    "state": "compressed",
-    "minifiedAt": 1774189651415.41,
-    "readCount": 1
   }
 }

package/.cairn/session.json

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-03-22T17:52:08.090Z",
-  "checkpoint_at": "2026-03-22T17:52:08.091Z",
+  "message": "Auto-checkpoint at 2026-03-23T05:23:48.069Z",
+  "checkpoint_at": "2026-03-23T05:23:48.071Z",
   "active_files": [],
   "notes": [],
   "mtime_snapshot": {}

package/lib/generate.js

@@ -96,7 +96,7 @@ rm -f "$PID_FILE"
 
 // ── Workspace-level startAll / stopAll ────────────────────────────────────────
 
-function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {}) {
+function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {}, authConfig = {}) {
   // Write shared sentinel.properties once (never overwrite existing)
   const workspaceProps = path.join(workspace, 'sentinel.properties');
   if (!fs.existsSync(workspaceProps)) {
@@ -108,6 +108,20 @@ function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {})
     if (smtpConfig.password) tpl = tpl.replace('SMTP_PASSWORD=<app-password>',      'SMTP_PASSWORD=' + smtpConfig.password);
     fs.writeFileSync(workspaceProps, tpl);
   }
+  // Always upsert auth config so re-runs persist it
+  if (authConfig.apiKey || authConfig.claudeProForTasks !== undefined) {
+    let props = fs.readFileSync(workspaceProps, 'utf8');
+    if (authConfig.apiKey) {
+      const replaced = props.replace(/^#?\s*ANTHROPIC_API_KEY=.*/m, 'ANTHROPIC_API_KEY=' + authConfig.apiKey);
+      props = replaced !== props ? replaced : props.trimEnd() + '\nANTHROPIC_API_KEY=' + authConfig.apiKey + '\n';
+    }
+    if (authConfig.claudeProForTasks !== undefined) {
+      const val = authConfig.claudeProForTasks ? 'true' : 'false';
+      const replaced = props.replace(/^CLAUDE_PRO_FOR_TASKS=.*/m, 'CLAUDE_PRO_FOR_TASKS=' + val);
+      props = replaced !== props ? replaced : props.trimEnd() + '\nCLAUDE_PRO_FOR_TASKS=' + val + '\n';
+    }
+    fs.writeFileSync(workspaceProps, props);
+  }
   // Always upsert Slack tokens so re-runs persist them
   if (slackConfig.botToken || slackConfig.appToken) {
     let props = fs.readFileSync(workspaceProps, 'utf8');

package/lib/init.js

@@ -33,15 +33,26 @@ module.exports = async function init() {
     {
       type: 'select',
       name: 'authMode',
-      message: 'How will Claude Code authenticate?',
+      message: 'Claude authentication strategy',
+      hint: 'Boss = Slack AI; Fix Engine = autonomous code repair',
       choices: [
-        { title: 'API key  (Anthropic API account — recommended for servers)', value: 'apikey' },
-        { title: 'Claude Pro / OAuth  (will give you a URL to open in any browser)', value: 'oauth' },
-        { title: 'Skip  (I will configure this later)', value: 'skip' },
+        {
+          title: 'Both  (RECOMMENDED) — API key for Boss, Claude Pro for Fix Engine',
+          value: 'both',
+        },
+        {
+          title: 'API key only  — full Boss tools; Fix Engine billed per token',
+          value: 'apikey',
+        },
+        {
+          title: 'Claude Pro / OAuth only  — run `claude login`; Boss has limited tools',
+          value: 'oauth',
+        },
+        { title: 'Skip  (configure manually in sentinel.properties)', value: 'skip' },
       ],
     },
     {
-      type: prev => prev === 'apikey' ? 'password' : null,
+      type: prev => (prev === 'apikey' || prev === 'both') ? 'password' : null,
       name: 'anthropicKey',
       message: 'Anthropic API key (sk-ant-...)',
       validate: v => v.startsWith('sk-ant-') ? true : 'Key should start with sk-ant-',
@@ -147,12 +158,22 @@ module.exports = async function init() {
 
   // ── Claude Code auth ─────────────────────────────────────────────────────────
   step('Claude Code authentication…');
-  if (authMode === 'apikey' && anthropicKey) {
-    ok('API key will be written to each project\'s sentinel.properties');
+  if (authMode === 'both' && anthropicKey) {
+    ok('API key → Sentinel Boss (full tools, structured responses)');
+    ok('Claude Pro → Fix Engine + Ask Codebase (heavy coding, Pro subscription)');
+    info('Run `claude login` on this server now (or before starting projects)');
+    info('CLAUDE_PRO_FOR_TASKS=true written to workspace sentinel.properties');
+  } else if (authMode === 'apikey' && anthropicKey) {
+    ok('API key → all Claude usage (Boss + Fix Engine billed to your API quota)');
+    info('CLAUDE_PRO_FOR_TASKS=false written — Fix Engine will use API key');
+    warn('Heavy fix tasks will consume API tokens. Claude Pro is cheaper for those.');
   } else if (authMode === 'oauth') {
-    info('OAuth selected — start.sh will prompt for login if not yet authenticated');
+    ok('Claude Pro / OAuth → Fix Engine + Ask Codebase');
+    warn('Boss will use CLI fallback — some tools unavailable without an API key');
+    info('Run `claude login` on this server to authenticate');
   } else {
-    info('Skipping auth — start.sh will prompt for login if needed');
+    warn('No auth configured — add ANTHROPIC_API_KEY or run `claude login` before starting');
+    info('See: workspace sentinel.properties for full auth documentation');
   }
 
   // ── Slack Bot ────────────────────────────────────────────────────────────────
@@ -179,7 +200,11 @@ module.exports = async function init() {
 
   // ── Workspace start/stop scripts ─────────────────────────────────────────────
   step('Generating scripts…');
-  generateWorkspaceScripts(workspace, { host: smtpHost, user: smtpUser, password: effectiveSmtpPassword }, { botToken: effectiveSlackBotToken, appToken: effectiveSlackAppToken });
+  const authConfig = {};
+  if (anthropicKey) authConfig.apiKey = anthropicKey;
+  if (authMode === 'both' || authMode === 'oauth') authConfig.claudeProForTasks = true;
+  if (authMode === 'apikey') authConfig.claudeProForTasks = false;
+  generateWorkspaceScripts(workspace, { host: smtpHost, user: smtpUser, password: effectiveSmtpPassword }, { botToken: effectiveSlackBotToken, appToken: effectiveSlackAppToken }, authConfig);
   ok(`${workspace}/startAll.sh`);
   ok(`${workspace}/stopAll.sh`);
 
@@ -316,8 +341,7 @@ function ensureClaudePermissions() {
   }
   try {
     fs.ensureDirSync(require('path').dirname(settingsPath));
-    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '
-');
+    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n');
     ok('Claude Code permissions patched: ' + added.join(', '));
   } catch (e) {
     warn('Could not write ' + settingsPath + ': ' + e.message);

package/lib/upgrade.js

@@ -28,8 +28,7 @@ function ensureClaudePermissions() {
   try {
     const path = require('path');
     fs.ensureDirSync(path.dirname(settingsPath));
-    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '
-');
+    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n');
     ok('Claude Code permissions patched: ' + added.join(', '));
   } catch (e) {
     warn('Could not write ' + settingsPath + ': ' + e.message);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.0.82",
+  "version": "1.0.84",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/scripts/patch_notify.js

@@ -0,0 +1,200 @@
+'use strict';
+const fs = require('fs');
+
+// ── fix_engine.py ─────────────────────────────────────────────────────────────
+{
+  const f = 'sentinel/fix_engine.py';
+  let c = fs.readFileSync(f, 'utf8').replace(/\r\n/g, '\n');
+
+  // 1. Add notify import
+  const OLD_IMPORT = 'from .config_loader import RepoConfig, SentinelConfig\nfrom .log_parser import ErrorEvent';
+  const NEW_IMPORT = 'from .config_loader import RepoConfig, SentinelConfig\nfrom .log_parser import ErrorEvent\nfrom .notify import alert_if_rate_limited, slack_alert';
+  if (!c.includes(OLD_IMPORT)) { console.error('fix_engine import not found'); process.exit(1); }
+  c = c.replace(OLD_IMPORT, NEW_IMPORT);
+
+  // 2. Only inject ANTHROPIC_API_KEY when claude_pro_for_tasks is False
+  //    (so when both are configured, heavy tasks use Claude Pro OAuth)
+  const OLD_ENV = `    import os as _os
+    env = _os.environ.copy()
+    if cfg.anthropic_api_key:
+        env["ANTHROPIC_API_KEY"] = cfg.anthropic_api_key`;
+  const NEW_ENV = `    import os as _os
+    env = _os.environ.copy()
+    # Inject API key only when Claude Pro is NOT preferred for tasks
+    # (when claude_pro_for_tasks=True and API key is set, let claude CLI use OAuth/Pro)
+    if cfg.anthropic_api_key and not cfg.claude_pro_for_tasks:
+        env["ANTHROPIC_API_KEY"] = cfg.anthropic_api_key`;
+  if (!c.includes(OLD_ENV)) { console.error('fix_engine env block not found'); process.exit(1); }
+  c = c.replace(OLD_ENV, NEW_ENV);
+
+  // 3. After getting output, check for rate limits and alert Slack
+  const OLD_OUTPUT = `    output = (result.stdout or "") + (result.stderr or "")
+
+    if output.strip().upper().startswith("SKIP:"):`;
+  const NEW_OUTPUT = `    output = (result.stdout or "") + (result.stderr or "")
+
+    # Alert Slack immediately on rate-limit / auth failure — never stay silent
+    alert_if_rate_limited(
+        cfg.slack_bot_token,
+        cfg.slack_channel,
+        source=f"fix_engine/{event.fingerprint}",
+        output=output,
+    )
+
+    if output.strip().upper().startswith("SKIP:"):`;
+  if (!c.includes(OLD_OUTPUT)) { console.error('fix_engine output block not found'); process.exit(1); }
+  c = c.replace(OLD_OUTPUT, NEW_OUTPUT);
+
+  // 4. Also alert on FileNotFoundError (claude CLI missing)
+  const OLD_NOTFOUND = `    except FileNotFoundError:
+        logger.error("Claude Code binary not found at '%s'", cfg.claude_code_bin)
+        return "error", None, ""`;
+  const NEW_NOTFOUND = '    except FileNotFoundError:\n'
+    + '        msg = (\n'
+    + '            f":warning: *Sentinel \u2014 Claude CLI not found*\\n"\n'
+    + '            f"`{cfg.claude_code_bin}` not found. Run: `npm install -g @anthropic-ai/claude-code`\\n"\n'
+    + '            f"Fix engine is disabled until this is resolved."\n'
+    + '        )\n'
+    + '        logger.error("Claude Code binary not found at \'%s\'", cfg.claude_code_bin)\n'
+    + '        slack_alert(cfg.slack_bot_token, cfg.slack_channel, msg)\n'
+    + '        return "error", None, ""';
+  if (!c.includes(OLD_NOTFOUND)) { console.error('fix_engine notfound block not found'); process.exit(1); }
+  c = c.replace(OLD_NOTFOUND, NEW_NOTFOUND);
+
+  fs.writeFileSync(f, c, 'utf8');
+  console.log('fix_engine.py done. Lines:', c.split('\n').length);
+}
+
+// ── sentinel_boss.py ──────────────────────────────────────────────────────────
+{
+  const f = 'sentinel/sentinel_boss.py';
+  let c = fs.readFileSync(f, 'utf8').replace(/\r\n/g, '\n');
+
+  // 1. Add notify import
+  const OLD_IMPORT = 'logger = logging.getLogger(__name__)';
+  const NEW_IMPORT = 'from .notify import alert_if_rate_limited, slack_alert, is_rate_limited\n\nlogger = logging.getLogger(__name__)';
+  if (!c.includes(OLD_IMPORT)) { console.error('boss import anchor not found'); process.exit(1); }
+  c = c.replace(OLD_IMPORT, NEW_IMPORT);
+
+  // 2. Revert auth priority: API key first, CLI fallback
+  //    Replace current handle_message body
+  const OLD_HM_BODY =
+`    # 1st priority: Claude Pro / OAuth via CLI
+    cli_reply, cli_done = await _handle_with_cli(
+        message, history, cfg_loader, store, slack_client=slack_client, user_name=user_name,
+        user_id=user_id, attachments=attachments,
+    )
+    if not cli_reply.startswith(":warning:"):
+        return cli_reply, cli_done
+
+    # CLI failed — try ANTHROPIC_API_KEY fallback
+    try:
+        import anthropic  # noqa: F401
+    except ImportError:
+        return (
+            ":warning: \`anthropic\` package not installed. Run: \`pip install anthropic\`",
+            True,
+        )
+
+    api_key = cfg_loader.sentinel.anthropic_api_key or os.environ.get("ANTHROPIC_API_KEY", "")
+    if not api_key:
+        return cli_reply, cli_done  # No fallback available
+
+    logger.info("Boss: CLI path failed (%s…), falling back to ANTHROPIC_API_KEY", cli_reply[:60])
+    return await _handle_with_api(
+        message, history, cfg_loader, store, slack_client=slack_client, user_name=user_name,
+        user_id=user_id, attachments=attachments,
+    )`;
+
+  const NEW_HM_BODY =
+`    api_key = cfg_loader.sentinel.anthropic_api_key or os.environ.get("ANTHROPIC_API_KEY", "")
+
+    # 1st priority: ANTHROPIC_API_KEY — full structured tools, cheap per-token for Boss queries
+    if api_key:
+        try:
+            import anthropic  # noqa: F401
+            return await _handle_with_api(
+                message, history, cfg_loader, store, slack_client=slack_client,
+                user_name=user_name, user_id=user_id, attachments=attachments,
+            )
+        except Exception as api_err:
+            err_str = str(api_err)
+            # Detect rate-limit / auth failure and alert Slack before falling through
+            cfg = cfg_loader.sentinel
+            if is_rate_limited(err_str):
+                from .notify import rate_limit_message
+                alert_if_rate_limited(cfg.slack_bot_token, cfg.slack_channel,
+                                      "sentinel_boss/api", err_str)
+            logger.warning("Boss: API key path failed (%s), trying CLI fallback", err_str[:80])
+
+    # 2nd priority: Claude Pro / OAuth via CLI (limited tools but no API key needed)
+    cli_reply, cli_done = await _handle_with_cli(
+        message, history, cfg_loader, store, slack_client=slack_client, user_name=user_name,
+        user_id=user_id, attachments=attachments,
+    )
+    if not cli_reply.startswith(":warning:"):
+        return cli_reply, cli_done
+
+    # Both paths failed — alert Slack and return error
+    cfg = cfg_loader.sentinel
+    err_output = cli_reply
+    alert_if_rate_limited(cfg.slack_bot_token, cfg.slack_channel,
+                          "sentinel_boss/cli", err_output)
+    if not api_key:
+        # No auth at all configured
+        no_auth_msg = (
+            ":warning: *Sentinel Boss — no Claude auth configured*\\n"
+            "Configure at least one of:\\n"
+            "\u2022 \`ANTHROPIC_API_KEY\` in \`sentinel.properties\` \u2014 full features\\n"
+            "\u2022 Claude Pro OAuth: run \`claude login\` on the server \u2014 required for fix_engine\\n"
+            "See: https://github.com/misterhuydo/Sentinel#authentication"
+        )
+        slack_alert(cfg.slack_bot_token, cfg.slack_channel, no_auth_msg)
+        return ":warning: No Claude authentication configured. See Slack for details.", True
+    return cli_reply, cli_done`;
+
+  if (!c.includes(OLD_HM_BODY)) { console.error('handle_message body not found'); process.exit(1); }
+  c = c.replace(OLD_HM_BODY, NEW_HM_BODY);
+
+  // 3. In _handle_with_cli, alert Slack on rate-limit detected in CLI output
+  const OLD_CLI_FAIL =
+`        if result.returncode != 0 and not output:
+            return f":warning: \`claude --print\` failed (exit {result.returncode}): {(result.stderr or '').strip()[:300]}", True`;
+  const NEW_CLI_FAIL =
+`        raw_err = (result.stderr or "").strip()
+        if result.returncode != 0 and not output:
+            full_err = f"exit {result.returncode}: {raw_err[:300]}"
+            cfg = cfg_loader.sentinel
+            alert_if_rate_limited(cfg.slack_bot_token, cfg.slack_channel,
+                                  "sentinel_boss/cli", raw_err or full_err)
+            return f":warning: \`claude --print\` failed ({full_err})", True`;
+  if (!c.includes(OLD_CLI_FAIL)) { console.error('cli fail block not found'); process.exit(1); }
+  c = c.replace(OLD_CLI_FAIL, NEW_CLI_FAIL);
+
+  // 4. Also alert in ask_codebase when claude --print fails
+  const OLD_ASK_FAIL = `                if r.returncode != 0 and not output:
+                    return {"repo": repo_name, "error": f"claude --print failed (rc={r.returncode}): {(r.stderr or '')[:200]}"}`;
+  const NEW_ASK_FAIL = `                if r.returncode != 0 and not output:
+                    raw_err = (r.stderr or "")
+                    alert_if_rate_limited(
+                        cfg.slack_bot_token, cfg.slack_channel,
+                        f"ask_codebase/{repo_name}", raw_err,
+                    )
+                    return {"repo": repo_name, "error": f"claude --print failed (rc={r.returncode}): {raw_err[:200]}"}`;
+  if (!c.includes(OLD_ASK_FAIL)) { console.error('ask_codebase fail block not found'); process.exit(1); }
+  c = c.replace(OLD_ASK_FAIL, NEW_ASK_FAIL);
+
+  // 5. ask_codebase: respect claude_pro_for_tasks (don't inject API key when Pro preferred)
+  const OLD_ASK_ENV = `        env = os.environ.copy()
+        if cfg.anthropic_api_key:
+            env["ANTHROPIC_API_KEY"] = cfg.anthropic_api_key`;
+  const NEW_ASK_ENV = `        env = os.environ.copy()
+        # Only inject API key when Claude Pro is NOT preferred for heavy tasks
+        if cfg.anthropic_api_key and not cfg.claude_pro_for_tasks:
+            env["ANTHROPIC_API_KEY"] = cfg.anthropic_api_key`;
+  if (!c.includes(OLD_ASK_ENV)) { console.error('ask_codebase env not found'); process.exit(1); }
+  c = c.replace(OLD_ASK_ENV, NEW_ASK_ENV);
+
+  fs.writeFileSync(f, c, 'utf8');
+  console.log('sentinel_boss.py done. Lines:', c.split('\n').length);
+}

package/python/sentinel/config_loader.py

@@ -63,6 +63,11 @@ class SentinelConfig:
     slack_watch_bot_ids: list[str] = field(default_factory=list)   # pre-configured bot IDs to watch passively
     slack_allowed_users: list[str] = field(default_factory=list)  # if set, only these Slack user IDs can talk to Boss
     project_name: str = ""           # optional: friendly name used by Sentinel Boss (e.g. "1881")
+    # Auth strategy:
+    #   ANTHROPIC_API_KEY  — used by Sentinel Boss conversation (structured tools, cheap per-token)
+    #   Claude Pro / OAuth — used by fix_engine + ask_codebase when CLAUDE_PRO_FOR_TASKS=true
+    #   At least one must be configured. Both = ideal split (Boss=API key, heavy tasks=Pro).
+    claude_pro_for_tasks: bool = True  # when True + API key set, fix_engine/ask_codebase use claude CLI (Pro billing)
 
 
 @dataclass
@@ -158,6 +163,7 @@ class ConfigLoader:
         c.slack_watch_bot_ids = _csv(d.get("SLACK_WATCH_BOT_IDS", ""))
         c.slack_allowed_users = _csv(d.get("SLACK_ALLOWED_USERS", ""))
         c.project_name = d.get("PROJECT_NAME", "")
+        c.claude_pro_for_tasks = d.get("CLAUDE_PRO_FOR_TASKS", "true").lower() != "false"
         self.sentinel = c
 
     def _load_log_sources(self):