@misterhuydo/sentinel 1.3.1 → 1.3.3

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-03-23T17:50:08.240Z
+2026-03-23T18:20:09.151Z

package/.cairn/session.json

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-03-23T17:39:48.232Z",
-  "checkpoint_at": "2026-03-23T17:39:48.233Z",
+  "message": "Auto-checkpoint at 2026-03-23T18:08:05.159Z",
+  "checkpoint_at": "2026-03-23T18:08:05.160Z",
   "active_files": [],
   "notes": [],
   "mtime_snapshot": {}

package/lib/add.js

@@ -129,7 +129,7 @@ function ensureKnownHosts() {
   const content = fs.existsSync(knownHosts) ? fs.readFileSync(knownHosts, 'utf8') : '';
   if (content.includes('github.com')) return;
   info('Adding GitHub to known_hosts…');
-  const r = spawnSync('ssh-keyscan', ['github.com'], { encoding: 'utf8', timeout: 10000 });
+  const r = spawnSync('ssh-keyscan', ['github.com'], { encoding: 'utf8', timeout: 10000, env: gitEnv() });
   if (r.stdout) fs.appendFileSync(knownHosts, r.stdout);
 }
 
@@ -175,6 +175,15 @@ function printDeployKeyInstructions(orgRepo, keyFile) {
   console.log('');
 }
 
+// Ensure git/ssh are findable regardless of how Node was launched
+function gitEnv(extra = {}) {
+  const PATH = [
+    process.env.PATH || '',
+    '/usr/bin', '/usr/local/bin', '/bin', '/usr/sbin',
+  ].filter(Boolean).join(':');
+  return { ...process.env, PATH, GIT_TERMINAL_PROMPT: '0', ...extra };
+}
+
 // ── repo discovery helpers ────────────────────────────────────────────────────
 
 function gitUrlToOrgRepo(gitUrl) {
@@ -191,16 +200,18 @@ function toHttpsUrl(gitUrl) {
 function isPublicRepo(gitUrl) {
   const r = spawnSync('git', ['ls-remote', '--heads', toHttpsUrl(gitUrl)], {
     encoding: 'utf8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'],
-    env: { ...process.env, GIT_TERMINAL_PROMPT: '0' },
+    env: gitEnv(),
   });
   return r.status === 0;
 }
 
 function validateAccess(repoUrl, keyFile) {
-  const env = { ...process.env, GIT_TERMINAL_PROMPT: '0' };
-  if (keyFile) env.GIT_SSH_COMMAND = `ssh -i ${keyFile} -o StrictHostKeyChecking=no -o BatchMode=yes`;
+  const extra = keyFile
+    ? { GIT_SSH_COMMAND: `ssh -i ${keyFile} -o StrictHostKeyChecking=no -o BatchMode=yes` }
+    : {};
   const r = spawnSync('git', ['ls-remote', '--heads', repoUrl], {
-    encoding: 'utf8', timeout: 15000, stdio: ['pipe', 'pipe', 'pipe'], env,
+    encoding: 'utf8', timeout: 15000, stdio: ['pipe', 'pipe', 'pipe'],
+    env: gitEnv(extra),
   });
   return { ok: r.status === 0, stderr: (r.stderr || r.error?.message || '').trim() };
 }
@@ -258,10 +269,10 @@ async function addFromGit(gitUrl, workspace) {
   step(`[2/3] Scanning repo-configs in ${repoSlug}…`);
 
   if (!fs.existsSync(localPath)) {
-    const cloneEnv = { ...process.env, GIT_TERMINAL_PROMPT: '0',
-      GIT_SSH_COMMAND: `ssh -i ${keyFile} -o StrictHostKeyChecking=no -o BatchMode=yes` };
-    spawnSync('git', ['clone', '--depth', '1', gitUrl, localPath],
-      { stdio: 'inherit', env: cloneEnv });
+    spawnSync('git', ['clone', '--depth', '1', gitUrl, localPath], {
+      stdio: 'inherit',
+      env: gitEnv({ GIT_SSH_COMMAND: `ssh -i ${keyFile} -o StrictHostKeyChecking=no -o BatchMode=yes` }),
+    });
   }
 
   const discovered = discoverReposFromClone(localPath);
@@ -364,6 +375,51 @@ async function addFromGit(gitUrl, workspace) {
     warn('AUTO_PUBLISH=true: fixes push directly to main. Ensure CI blocks bad pushes.');
   }
 
+  // ── GitHub token ───────────────────────────────────────────────────────────
+  // AUTO_PUBLISH=false → required (open PRs via API)
+  // AUTO_PUBLISH=true  → optional (CI/CD triggers only)
+  const workspaceProps = path.join(workspace, 'sentinel.properties');
+  const existingToken  = fs.existsSync(workspaceProps)
+    ? (fs.readFileSync(workspaceProps, 'utf8').match(/^GITHUB_TOKEN\s*=\s*(.+)$/m) || [])[1]?.trim()
+    : '';
+
+  if (!autoPublish) {
+    // PR mode — token is required
+    console.log('');
+    console.log(chalk.bold('  GitHub Personal Access Token (classic) — required for opening PRs'));
+    console.log(chalk.cyan('  github.com/settings/tokens/new  →  Tokens (classic)'));
+    console.log(chalk.cyan('  Note: "Expiration → No expiration"   Scope: ✓ repo'));
+    console.log('');
+  }
+
+  const { githubToken } = await prompts({
+    type: (!autoPublish || !existingToken) ? 'password' : null,
+    name: 'githubToken',
+    message: existingToken
+      ? 'GitHub token  (press Enter to keep current)'
+      : autoPublish
+        ? 'GitHub token (classic, repo scope)  — optional, press Enter to skip'
+        : 'GitHub token (classic, repo scope)',
+    validate: v => {
+      if (!autoPublish && !v && !existingToken) return 'Token is required for PR mode';
+      if (v && !v.startsWith('ghp_') && !v.startsWith('github_pat_')) return 'Should start with ghp_ or github_pat_';
+      return true;
+    },
+  }, { onCancel: () => process.exit(0) });
+
+  const effectiveToken = githubToken || existingToken || '';
+  if (effectiveToken && fs.existsSync(workspaceProps)) {
+    let props = fs.readFileSync(workspaceProps, 'utf8');
+    if (/^#?\s*GITHUB_TOKEN\s*=/m.test(props))
+      props = props.replace(/^#?\s*GITHUB_TOKEN\s*=.*/m, `GITHUB_TOKEN=${effectiveToken}`);
+    else
+      props = props.trimEnd() + `\nGITHUB_TOKEN=${effectiveToken}\n`;
+    fs.writeFileSync(workspaceProps, props);
+    ok('GITHUB_TOKEN saved to workspace sentinel.properties');
+  } else if (effectiveToken) {
+    info('GITHUB_TOKEN will be written when project files are created');
+  }
+
   // ── Preview + confirm ──────────────────────────────────────────────────────
   const projectDir = path.join(workspace, name);
 
@@ -426,7 +482,7 @@ async function addFromGit(gitUrl, workspace) {
     });
     const example = path.join(repoDir, '_example.properties');
     if (fs.existsSync(example)) fs.removeSync(example);
-    generateWorkspaceScripts(workspace);
+    generateWorkspaceScripts(workspace, {}, {}, {}, effectiveToken);
     ok(`Project "${name}" created at ${projectDir}`);
     printNextSteps(projectDir, autoPublish);
   }

package/lib/generate.js

@@ -96,7 +96,7 @@ rm -f "$PID_FILE"
 
 // ── Workspace-level startAll / stopAll ────────────────────────────────────────
 
-function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {}, authConfig = {}) {
+function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {}, authConfig = {}, githubToken = '') {
   // Write shared sentinel.properties once (never overwrite existing)
   const workspaceProps = path.join(workspace, 'sentinel.properties');
   if (!fs.existsSync(workspaceProps)) {
@@ -126,6 +126,15 @@ function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {},
     }
     fs.writeFileSync(workspaceProps, props);
   }
+  // Always upsert GitHub token so re-runs persist it
+  if (githubToken) {
+    let props = fs.readFileSync(workspaceProps, 'utf8');
+    if (/^#?\s*GITHUB_TOKEN=/m.test(props))
+      props = props.replace(/^#?\s*GITHUB_TOKEN=.*/mg, 'GITHUB_TOKEN=' + githubToken);
+    else
+      props = props.trimEnd() + '\nGITHUB_TOKEN=' + githubToken + '\n';
+    fs.writeFileSync(workspaceProps, props);
+  }
   // Always upsert Slack tokens so re-runs persist them
   if (slackConfig.botToken || slackConfig.appToken) {
     let props = fs.readFileSync(workspaceProps, 'utf8');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.3.1",
+  "version": "1.3.3",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"