@misterhuydo/sentinel 1.3.0 → 1.3.2

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-03-23T11:43:23.881Z
+2026-03-23T17:50:08.240Z

package/.cairn/session.json

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-03-23T12:04:39.918Z",
-  "checkpoint_at": "2026-03-23T12:04:39.919Z",
+  "message": "Auto-checkpoint at 2026-03-23T17:56:42.485Z",
+  "checkpoint_at": "2026-03-23T17:56:42.486Z",
   "active_files": [],
   "notes": [],
   "mtime_snapshot": {}

package/lib/add.js

@@ -175,14 +175,54 @@ function printDeployKeyInstructions(orgRepo, keyFile) {
   console.log('');
 }
 
+// ── repo discovery helpers ────────────────────────────────────────────────────
+
+function gitUrlToOrgRepo(gitUrl) {
+  return gitUrl
+    .replace(/^git@github\.com:/, '')
+    .replace(/^https?:\/\/github\.com\//, '')
+    .replace(/\.git$/, '');
+}
+
+function toHttpsUrl(gitUrl) {
+  return 'https://github.com/' + gitUrlToOrgRepo(gitUrl) + '.git';
+}
+
+function isPublicRepo(gitUrl) {
+  const r = spawnSync('git', ['ls-remote', '--heads', toHttpsUrl(gitUrl)], {
+    encoding: 'utf8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'],
+    env: { ...process.env, GIT_TERMINAL_PROMPT: '0' },
+  });
+  return r.status === 0;
+}
+
+function validateAccess(repoUrl, keyFile) {
+  const env = { ...process.env, GIT_TERMINAL_PROMPT: '0' };
+  if (keyFile) env.GIT_SSH_COMMAND = `ssh -i ${keyFile} -o StrictHostKeyChecking=no -o BatchMode=yes`;
+  const r = spawnSync('git', ['ls-remote', '--heads', repoUrl], {
+    encoding: 'utf8', timeout: 15000, stdio: ['pipe', 'pipe', 'pipe'], env,
+  });
+  return { ok: r.status === 0, stderr: (r.stderr || r.error?.message || '').trim() };
+}
+
+function discoverReposFromClone(cloneDir) {
+  const repoCfgDir = path.join(cloneDir, 'config', 'repo-configs');
+  if (!fs.existsSync(repoCfgDir)) return [];
+  return fs.readdirSync(repoCfgDir)
+    .filter(f => f.endsWith('.properties') && !f.startsWith('_'))
+    .map(f => {
+      const content = fs.readFileSync(path.join(repoCfgDir, f), 'utf8');
+      const match   = content.match(/^REPO_URL\s*=\s*(.+)$/m);
+      return match ? { file: f, propsPath: path.join(repoCfgDir, f), url: match[1].trim() } : null;
+    })
+    .filter(Boolean);
+}
+
 // ── addFromGit ────────────────────────────────────────────────────────────────
 
 async function addFromGit(gitUrl, workspace) {
   const repoSlug = gitUrl.replace(/\.git$/, '').split(/[:/]/).pop();
-  const orgRepo  = gitUrl
-    .replace(/^git@github\.com:/, '')
-    .replace(/^https:\/\/github\.com\//, '')
-    .replace(/\.git$/, '');
+  const orgRepo  = gitUrlToOrgRepo(gitUrl);
 
   const { name } = await prompts([{
     type: 'text',
@@ -192,19 +232,120 @@ async function addFromGit(gitUrl, workspace) {
     validate: v => VALID_NAME.test(v) || 'Use letters, numbers, hyphens only',
   }], { onCancel: () => process.exit(0) });
 
-  // ── 1. Generate SSH deploy key ──────────────────────────────────────────────
-  step('Setting up SSH deploy key');
+  // ── 1. Generate deploy key for the primary (config) repo ───────────────────
+  step(`[1/3] Setting up SSH access to ${repoSlug}`);
   ensureKnownHosts();
-  const { keyFile, sshHost } = generateDeployKey(repoSlug);
-  const sshUrl = `git@${sshHost}:${orgRepo}.git`;
+  const { keyFile } = generateDeployKey(repoSlug);
   printDeployKeyInstructions(orgRepo, keyFile);
 
-  // ── 2. Fix deployment mode ──────────────────────────────────────────────────
+  await prompts({
+    type: 'text', name: '_', format: () => '',
+    message: chalk.bold(`Press Enter once you've added the deploy key to GitHub…`),
+  }, { onCancel: () => process.exit(0) });
+
+  // Validate primary repo
+  const primary = validateAccess(gitUrl, keyFile);
+  if (!primary.ok) {
+    console.error(chalk.red('  ✖ Cannot reach ' + gitUrl));
+    if (primary.stderr) console.error(chalk.red('    ' + primary.stderr));
+    console.error(chalk.yellow('  Check the deploy key has write access, then re-run.'));
+    process.exit(1);
+  }
+  ok(`${repoSlug}: reachable`);
+
+  // ── 2. Clone primary repo and discover additional repos ────────────────────
+  const localPath  = path.join(workspace, 'repos', repoSlug);
+  step(`[2/3] Scanning repo-configs in ${repoSlug}…`);
+
+  if (!fs.existsSync(localPath)) {
+    const cloneEnv = { ...process.env, GIT_TERMINAL_PROMPT: '0',
+      GIT_SSH_COMMAND: `ssh -i ${keyFile} -o StrictHostKeyChecking=no -o BatchMode=yes` };
+    spawnSync('git', ['clone', '--depth', '1', gitUrl, localPath],
+      { stdio: 'inherit', env: cloneEnv });
+  }
+
+  const discovered = discoverReposFromClone(localPath);
+
+  // Classify each discovered repo
+  const privateRepos = [];
+  const publicRepos  = [];
+
+  if (discovered.length === 0) {
+    info('No repo-configs found — project will use example config.');
+  } else {
+    info(`Found ${discovered.length} repo(s) in config/repo-configs/:`);
+    for (const r of discovered) {
+      const slug    = r.file.replace('.properties', '');
+      const pub     = isPublicRepo(r.url);
+      const tag     = pub ? chalk.green('[public]') : chalk.yellow('[private]');
+      console.log(`    ${tag}  ${slug.padEnd(36)} ${r.url}`);
+      if (pub) publicRepos.push({ ...r, slug });
+      else     privateRepos.push({ ...r, slug });
+    }
+  }
+
+  // ── 3. Generate deploy keys for all private repos (batch) ─────────────────
+  if (privateRepos.length > 0) {
+    step(`[3/3] Deploy keys needed for ${privateRepos.length} private repo(s)`);
+
+    for (const r of privateRepos) {
+      const { keyFile: rKey } = generateDeployKey(r.slug);
+      r.keyFile = rKey;
+      const rOrgRepo = gitUrlToOrgRepo(r.url);
+      printDeployKeyInstructions(rOrgRepo, rKey);
+    }
+
+    if (publicRepos.length > 0) {
+      console.log(chalk.green('  ✔ Public repos (no deploy key needed):'));
+      for (const r of publicRepos) {
+        console.log(chalk.green(`      ${r.slug}`));
+      }
+      console.log('');
+    }
+
+    await prompts({
+      type: 'text', name: '_', format: () => '',
+      message: chalk.bold(`Press Enter once you've added all ${privateRepos.length} deploy key(s) to GitHub…`),
+    }, { onCancel: () => process.exit(0) });
+
+    // Validate each private repo
+    step('Validating repository access…');
+    for (const r of privateRepos) {
+      const v = validateAccess(r.url, r.keyFile);
+      if (!v.ok) {
+        console.error(chalk.red(`  ✖ ${r.slug}: cannot reach ${r.url}`));
+        if (v.stderr) console.error(chalk.red('    ' + v.stderr));
+        console.error(chalk.yellow('  Fix access then re-run sentinel add.'));
+        process.exit(1);
+      }
+      ok(`${r.slug}: reachable`);
+    }
+    for (const r of publicRepos) {
+      ok(`${r.slug}: public, no key needed`);
+    }
+
+    // Write SSH_KEY_FILE into each private repo's .properties file
+    for (const r of privateRepos) {
+      let props = fs.readFileSync(r.propsPath, 'utf8');
+      if (/^#?\s*SSH_KEY_FILE\s*=/m.test(props)) {
+        props = props.replace(/^#?\s*SSH_KEY_FILE\s*=.*/m, `SSH_KEY_FILE=${r.keyFile}`);
+      } else {
+        props = props.trimEnd() + `\nSSH_KEY_FILE=${r.keyFile}\n`;
+      }
+      fs.writeFileSync(r.propsPath, props);
+      info(`SSH_KEY_FILE written to config/repo-configs/${r.file}`);
+    }
+  } else if (discovered.length > 0) {
+    step('[3/3] All repos are public — no deploy keys needed');
+    ok('All repos accessible without auth');
+  }
+
+  // ── Fix deployment mode ────────────────────────────────────────────────────
   const { autoPublish } = await prompts({
     type: 'select',
     name: 'autoPublish',
     message: 'How should Sentinel deploy fixes?',
-    hint: 'You can change this later in config/repo-configs/',
+    hint: 'You can change this per-repo in config/repo-configs/',
     choices: [
       {
         title: 'Open a PR for each fix  (AUTO_PUBLISH=false)  — recommended',
@@ -220,52 +361,65 @@ async function addFromGit(gitUrl, workspace) {
   }, { onCancel: () => process.exit(0) });
 
   if (autoPublish) {
-    warn('AUTO_PUBLISH=true: Sentinel will push fixes directly to main without review.');
-    warn('Make sure your repo has branch protection rules and CI that blocks bad pushes.');
+    warn('AUTO_PUBLISH=true: fixes push directly to main. Ensure CI blocks bad pushes.');
   }
 
-  // ── 3. Wait for user to add the key ────────────────────────────────────────
-  await prompts({
-    type: 'text',
-    name: '_',
-    message: chalk.bold('Press Enter once you\'ve added the deploy key to GitHub…'),
-    format: () => '',
-  }, { onCancel: () => process.exit(0) });
-
-  // ── 4. Validate access ──────────────────────────────────────────────────────
-  step('Validating repository access…');
-  info(`Testing SSH: ${sshUrl}`);
-  const result = spawnSync('git', ['ls-remote', '--heads', sshUrl],
-    {
-      encoding: 'utf8', timeout: 15000, stdio: ['pipe', 'pipe', 'pipe'],
-      env: { ...process.env, GIT_TERMINAL_PROMPT: '0' },
-    });
+  // ── GitHub token ───────────────────────────────────────────────────────────
+  // AUTO_PUBLISH=false → required (open PRs via API)
+  // AUTO_PUBLISH=true  → optional (CI/CD triggers only)
+  const workspaceProps = path.join(workspace, 'sentinel.properties');
+  const existingToken  = fs.existsSync(workspaceProps)
+    ? (fs.readFileSync(workspaceProps, 'utf8').match(/^GITHUB_TOKEN\s*=\s*(.+)$/m) || [])[1]?.trim()
+    : '';
 
-  if (result.status !== 0) {
-    const errText = (result.stderr || result.error?.message || '').trim();
-    console.error(chalk.red('  ✖ Cannot reach repository'));
-    if (errText) console.error(chalk.red(`    ${errText}`));
-    console.error('');
-    console.error(chalk.yellow('  Check that the deploy key was added to the correct repo with write access.'));
-    console.error(chalk.yellow('  Then re-run: sentinel add ' + gitUrl));
-    process.exit(1);
+  if (!autoPublish) {
+    // PR mode — token is required
+    console.log('');
+    console.log(chalk.bold('  GitHub Personal Access Token (classic) — required for opening PRs'));
+    console.log(chalk.cyan('  github.com/settings/tokens/new  →  Tokens (classic)'));
+    console.log(chalk.cyan('  Note: "Expiration → No expiration"   Scope: ✓ repo'));
+    console.log('');
   }
 
-  const branches = (result.stdout || '').split('\n')
-    .filter(Boolean).map(l => l.split('\t')[1].replace('refs/heads/', ''));
-  const defaultBranch = branches.includes('main') ? 'main' : (branches[0] || 'main');
-  ok(`Repository is reachable  (default branch: ${defaultBranch})`);
+  const { githubToken } = await prompts({
+    type: (!autoPublish || !existingToken) ? 'password' : null,
+    name: 'githubToken',
+    message: existingToken
+      ? 'GitHub token  (press Enter to keep current)'
+      : autoPublish
+        ? 'GitHub token (classic, repo scope)  — optional, press Enter to skip'
+        : 'GitHub token (classic, repo scope)',
+    validate: v => {
+      if (!autoPublish && !v && !existingToken) return 'Token is required for PR mode';
+      if (v && !v.startsWith('ghp_') && !v.startsWith('github_pat_')) return 'Should start with ghp_ or github_pat_';
+      return true;
+    },
+  }, { onCancel: () => process.exit(0) });
+
+  const effectiveToken = githubToken || existingToken || '';
+  if (effectiveToken && fs.existsSync(workspaceProps)) {
+    let props = fs.readFileSync(workspaceProps, 'utf8');
+    if (/^#?\s*GITHUB_TOKEN\s*=/m.test(props))
+      props = props.replace(/^#?\s*GITHUB_TOKEN\s*=.*/m, `GITHUB_TOKEN=${effectiveToken}`);
+    else
+      props = props.trimEnd() + `\nGITHUB_TOKEN=${effectiveToken}\n`;
+    fs.writeFileSync(workspaceProps, props);
+    ok('GITHUB_TOKEN saved to workspace sentinel.properties');
+  } else if (effectiveToken) {
+    info('GITHUB_TOKEN will be written when project files are created');
+  }
 
-  // ── 5. Preview + confirm ────────────────────────────────────────────────────
+  // ── Preview + confirm ──────────────────────────────────────────────────────
   const projectDir = path.join(workspace, name);
-  const localPath  = path.join(workspace, 'repos', repoSlug);
 
   step('Dry-run preview');
   info(`Will create: ${projectDir}/`);
-  info(`  config/repo-configs/${repoSlug}.properties`);
-  info(`    REPO_URL=${sshUrl}`);
-  info(`    BRANCH=${defaultBranch}`);
-  info(`    AUTO_PUBLISH=${autoPublish}`);
+  if (discovered.length > 0) {
+    info(`  Using ${discovered.length} repo-config(s) from ${repoSlug}`);
+  } else {
+    info(`  config/repo-configs/${repoSlug}.properties`);
+  }
+  info(`  AUTO_PUBLISH=${autoPublish} (applies to all repos without an explicit setting)`);
   info('  init.sh, start.sh, stop.sh');
 
   const { confirm } = await prompts({
@@ -274,29 +428,53 @@ async function addFromGit(gitUrl, workspace) {
   }, { onCancel: () => process.exit(0) });
   if (!confirm) { info('Aborted.'); return; }
 
-  if (fs.existsSync(projectDir)) {
+  if (fs.existsSync(projectDir) && projectDir !== localPath) {
     console.error(chalk.yellow(`Project "${name}" already exists at ${projectDir}`));
     process.exit(1);
   }
 
-  // ── 6. Write files ──────────────────────────────────────────────────────────
+  // ── Write project files ────────────────────────────────────────────────────
   const codeDir   = requireCodeDir(workspace);
   const pythonBin = path.join(codeDir, '.venv', 'bin', 'python3');
-  writeExampleProject(projectDir, codeDir, pythonBin);
-  const repoDir = path.join(projectDir, 'config', 'repo-configs');
-  writePropertiesFile(path.join(repoDir, `${repoSlug}.properties`), {
-    REPO_NAME:         repoSlug,
-    REPO_URL:          sshUrl,
-    LOCAL_PATH:        localPath,
-    BRANCH:            defaultBranch,
-    AUTO_PUBLISH:      autoPublish ? 'true' : 'false',
-    CAIRN_MCP_ENABLED: 'true',
-  });
-  const example = path.join(repoDir, '_example.properties');
-  if (fs.existsSync(example)) fs.removeSync(example);
-  generateWorkspaceScripts(workspace);
-  ok(`Project "${name}" created at ${projectDir}`);
-  printNextSteps(projectDir, autoPublish);
+
+  if (discovered.length > 0) {
+    // Config already exists in the cloned repo — just generate scripts
+    generateProjectScripts(localPath, codeDir, pythonBin);
+    // Write SSH_KEY_FILE for primary repo itself
+    const primaryProps = path.join(localPath, 'config', 'repo-configs', `${repoSlug}.properties`);
+    if (!fs.existsSync(primaryProps)) {
+      writePropertiesFile(primaryProps, {
+        REPO_NAME:    repoSlug,
+        REPO_URL:     gitUrl,
+        LOCAL_PATH:   localPath,
+        BRANCH:       'main',
+        AUTO_PUBLISH: autoPublish ? 'true' : 'false',
+        SSH_KEY_FILE: keyFile,
+        CAIRN_MCP_ENABLED: 'true',
+      });
+    }
+    ok(`Project "${name}" ready at ${localPath}`);
+    printNextSteps(localPath, autoPublish);
+  } else {
+    // No existing repo-configs — scaffold fresh project
+    fs.ensureDirSync(projectDir);
+    writeExampleProject(projectDir, codeDir, pythonBin);
+    const repoDir = path.join(projectDir, 'config', 'repo-configs');
+    writePropertiesFile(path.join(repoDir, `${repoSlug}.properties`), {
+      REPO_NAME:    repoSlug,
+      REPO_URL:     gitUrl,
+      LOCAL_PATH:   localPath,
+      BRANCH:       'main',
+      AUTO_PUBLISH: autoPublish ? 'true' : 'false',
+      SSH_KEY_FILE: keyFile,
+      CAIRN_MCP_ENABLED: 'true',
+    });
+    const example = path.join(repoDir, '_example.properties');
+    if (fs.existsSync(example)) fs.removeSync(example);
+    generateWorkspaceScripts(workspace, {}, {}, {}, effectiveToken);
+    ok(`Project "${name}" created at ${projectDir}`);
+    printNextSteps(projectDir, autoPublish);
+  }
 }
 
 // ── addFromName ───────────────────────────────────────────────────────────────

package/lib/generate.js

@@ -96,7 +96,7 @@ rm -f "$PID_FILE"
 
 // ── Workspace-level startAll / stopAll ────────────────────────────────────────
 
-function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {}, authConfig = {}) {
+function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {}, authConfig = {}, githubToken = '') {
   // Write shared sentinel.properties once (never overwrite existing)
   const workspaceProps = path.join(workspace, 'sentinel.properties');
   if (!fs.existsSync(workspaceProps)) {
@@ -126,6 +126,15 @@ function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {},
     }
     fs.writeFileSync(workspaceProps, props);
   }
+  // Always upsert GitHub token so re-runs persist it
+  if (githubToken) {
+    let props = fs.readFileSync(workspaceProps, 'utf8');
+    if (/^#?\s*GITHUB_TOKEN=/m.test(props))
+      props = props.replace(/^#?\s*GITHUB_TOKEN=.*/mg, 'GITHUB_TOKEN=' + githubToken);
+    else
+      props = props.trimEnd() + '\nGITHUB_TOKEN=' + githubToken + '\n';
+    fs.writeFileSync(workspaceProps, props);
+  }
   // Always upsert Slack tokens so re-runs persist them
   if (slackConfig.botToken || slackConfig.appToken) {
     let props = fs.readFileSync(workspaceProps, 'utf8');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.3.0",
+  "version": "1.3.2",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/config_loader.py

@@ -106,6 +106,7 @@ class RepoConfig:
     cicd_job_url: str = ""
     health_url: str = ""     # optional: HTTP endpoint returning {"Status": "true"}
     cicd_token: str = ""
+    ssh_key_file: str = ""   # path to SSH private key; sets GIT_SSH_COMMAND when present
 
 
 # ── Loader ────────────────────────────────────────────────────────────────────
@@ -224,6 +225,7 @@ class ConfigLoader:
             r.cicd_job_url = d.get("CICD_JOB_URL", "")
             r.cicd_token = d.get("CICD_TOKEN", "")
             r.health_url = d.get("HEALTH_URL", "")
+            r.ssh_key_file = os.path.expanduser(d.get("SSH_KEY_FILE", ""))
             self.repos[r.repo_name] = r
 
     def _register_sighup(self):

package/python/sentinel/git_manager.py

@@ -37,8 +37,10 @@ def _git(args: list[str], cwd: str, env: dict | None = None, timeout: int = GIT_
 
 
 def _git_env(repo: RepoConfig) -> dict:
-    # GIT_SSH_COMMAND can be set externally for SSH-based repos
-    return os.environ.copy()
+    env = os.environ.copy()
+    if repo.ssh_key_file:
+        env["GIT_SSH_COMMAND"] = f"ssh -i {repo.ssh_key_file} -o StrictHostKeyChecking=no -o BatchMode=yes"
+    return env
 
 
 def _check_protected_paths(patch_path: Path) -> bool: