@misterhuydo/sentinel 1.3.5 → 1.3.7

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-03-23T18:20:09.151Z
+2026-03-24T06:20:19.272Z

package/.cairn/session.json

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-03-23T18:27:21.579Z",
-  "checkpoint_at": "2026-03-23T18:27:21.580Z",
+  "message": "Auto-checkpoint at 2026-03-24T06:16:50.325Z",
+  "checkpoint_at": "2026-03-24T06:16:50.326Z",
   "active_files": [],
   "notes": [],
   "mtime_snapshot": {}

package/.cairn/views/244a09_generate.js

@@ -34,7 +34,7 @@ if [[ -f "$PID_FILE" ]] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null; then
   exit 0
 fi
 # Kill any orphaned sentinel processes for this project (stale PIDs not in PID file)
-pkill -f "sentinel.main --config ${DIR}/config" 2>/dev/null || true
+pkill -f "sentinel.main --config $DIR/config" 2>/dev/null || true
 rm -f "$PID_FILE"
 # Check Claude Code authentication
 AUTH_OUT=$(claude --print \"hi\" 2>&1 || true)
@@ -75,7 +75,7 @@ fi
 rm -f "$PID_FILE"
 `, { mode: 0o755 });
 }
-function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {}) {
+function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {}, authConfig = {}, githubToken = '') {
   const workspaceProps = path.join(workspace, 'sentinel.properties');
   if (!fs.existsSync(workspaceProps)) {
     const tplDir = path.join(__dirname, '..', 'templates');
@@ -86,122 +86,54 @@ function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {})
     if (smtpConfig.password) tpl = tpl.replace('SMTP_PASSWORD=<app-password>',      'SMTP_PASSWORD=' + smtpConfig.password);
     fs.writeFileSync(workspaceProps, tpl);
   }
+  if (authConfig.apiKey || authConfig.claudeProForTasks !== undefined) {
+    let props = fs.readFileSync(workspaceProps, 'utf8');
+    if (authConfig.apiKey) {
+      if (/^#?\s*ANTHROPIC_API_KEY=/m.test(props))
+        props = props.replace(/^#?\s*ANTHROPIC_API_KEY=.*/mg, 'ANTHROPIC_API_KEY=' + authConfig.apiKey);
+      else
+        props = props.trimEnd() + '\nANTHROPIC_API_KEY=' + authConfig.apiKey + '\n';
+    }
+    if (authConfig.claudeProForTasks !== undefined) {
+      const val = authConfig.claudeProForTasks ? 'true' : 'false';
+      if (/^#?\s*CLAUDE_PRO_FOR_TASKS=/m.test(props))
+        props = props.replace(/^#?\s*CLAUDE_PRO_FOR_TASKS=.*/mg, 'CLAUDE_PRO_FOR_TASKS=' + val);
+      else
+        props = props.trimEnd() + '\nCLAUDE_PRO_FOR_TASKS=' + val + '\n';
+    }
+    fs.writeFileSync(workspaceProps, props);
+  }
+  if (githubToken) {
+    let props = fs.readFileSync(workspaceProps, 'utf8');
+    if (/^#?\s*GITHUB_TOKEN=/m.test(props))
+      props = props.replace(/^#?\s*GITHUB_TOKEN=.*/mg, 'GITHUB_TOKEN=' + githubToken);
+    else
+      props = props.trimEnd() + '\nGITHUB_TOKEN=' + githubToken + '\n';
+    fs.writeFileSync(workspaceProps, props);
+  }
   if (slackConfig.botToken || slackConfig.appToken) {
     let props = fs.readFileSync(workspaceProps, 'utf8');
     if (slackConfig.botToken) {
-      const replaced = props.replace(/^#?\s*SLACK_BOT_TOKEN=.*/m, 'SLACK_BOT_TOKEN=' + slackConfig.botToken);
-      props = replaced !== props ? replaced : props.trimEnd() + '\nSLACK_BOT_TOKEN=' + slackConfig.botToken + '\n';
+      if (/^#?\s*SLACK_BOT_TOKEN=/m.test(props))
+        props = props.replace(/^#?\s*SLACK_BOT_TOKEN=.*/mg, 'SLACK_BOT_TOKEN=' + slackConfig.botToken);
+      else
+        props = props.trimEnd() + '\nSLACK_BOT_TOKEN=' + slackConfig.botToken + '\n';
     }
     if (slackConfig.appToken) {
-      const replaced = props.replace(/^#?\s*SLACK_APP_TOKEN=.*/m, 'SLACK_APP_TOKEN=' + slackConfig.appToken);
-      props = replaced !== props ? replaced : props.trimEnd() + '\nSLACK_APP_TOKEN=' + slackConfig.appToken + '\n';
+      if (/^#?\s*SLACK_APP_TOKEN=/m.test(props))
+        props = props.replace(/^#?\s*SLACK_APP_TOKEN=.*/mg, 'SLACK_APP_TOKEN=' + slackConfig.appToken);
+      else
+        props = props.trimEnd() + '\nSLACK_APP_TOKEN=' + slackConfig.appToken + '\n';
     }
     fs.writeFileSync(workspaceProps, props);
   }
   fs.writeFileSync(path.join(workspace, 'startAll.sh'), `#!/usr/bin/env bash
 # Start all valid Sentinel project instances.
-# A valid project must have config/repo-configs; do
-  name=$(basename "$project_dir")
-  [[ "$name" == "code" ]] && continue
-  # Auto-generate start.sh / stop.sh if missing (codeDir = $WORKSPACE/code)
-  if [[ ! -f "$project_dir/start.sh" ]]; then
-    code_dir="$WORKSPACE/code"
-    python_bin="$code_dir/.venv/bin/python3"
-    sed -e "s|__NAME__|$name|g" -e "s|__CODE_DIR__|$code_dir|g" -e "s|__PYTHON_BIN__|$python_bin|g" << 'STARTSH' > "$project_dir/start.sh"
-#!/usr/bin/env bash
-set -euo pipefail
-DIR="$(cd "$(dirname "$0")" && pwd)"
-PID_FILE="$DIR/sentinel.pid"
-if [[ -f "$PID_FILE" ]] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null; then
-  echo "[sentinel] __NAME__ already running (PID $(cat "$PID_FILE"))"
-  exit 0
-fi
-pkill -f "sentinel.main --config ${DIR}/config" 2>/dev/null || true
-rm -f "$PID_FILE"
-AUTH_OUT=$(claude --print \"hi\" 2>&1 || true)
-if echo "$AUTH_OUT" | grep -Eqi "not logged in|/login"; then
-  echo "[sentinel] Claude Code is not authenticated. Run: claude then /login"
-  exit 1
-fi
-mkdir -p "$DIR/logs" "$DIR/workspace/fetched" "$DIR/workspace/patches" "$DIR/issues"
-cd "$DIR"
-PYTHONPATH="__CODE_DIR__" "__PYTHON_BIN__" -m sentinel.main --config ./config \
-  >> "$DIR/logs/sentinel.log" 2>&1 &
-echo $! > "$PID_FILE"
-echo "[sentinel] __NAME__ started (PID $!)"
-STARTSH
-    chmod +x "$project_dir/start.sh"
-    echo "[sentinel] Auto-generated start.sh for $name"
-  fi
-  if [[ ! -f "$project_dir/stop.sh" ]]; then
-    sed -e "s|__NAME__|$name|g" << 'STOPSH' > "$project_dir/stop.sh"
-#!/usr/bin/env bash
-set -euo pipefail
-DIR="$(cd "$(dirname "$0")" && pwd)"
-PID_FILE="$DIR/sentinel.pid"
-if [[ ! -f "$PID_FILE" ]]; then
-  echo "[sentinel] __NAME__ — no PID file, not running"
-  exit 0
-fi
-PID=$(cat "$PID_FILE")
-if kill -0 "$PID" 2>/dev/null; then
-  kill "$PID"
-  echo "[sentinel] __NAME__ stopped (PID $PID)"
-else
-  echo "[sentinel] __NAME__ — PID $PID not running"
-fi
-rm -f "$PID_FILE"
-STOPSH
-    chmod +x "$project_dir/stop.sh"
-    echo "[sentinel] Auto-generated stop.sh for $name"
-  fi
-  # Must have at least one repo-config with a valid GitHub REPO_URL
-  repo_configs_dir="$project_dir/config/repo-configs"
-  if [[ ! -d "$repo_configs_dir" ]]; then
-    echo "[sentinel] Skipping $name — config/repo-configs/ directory not found"
-    skipped=$((skipped + 1))
-    continue
-  fi
-  has_config=false
-  valid_repo=false
-  for props in "$repo_configs_dir/"*.properties; do
-    [[ -f "$props" ]] || continue
-    [[ "$(basename "$props")" == _* ]] && continue
-    has_config=true
-    if grep -qE "^REPO_URL[[:space:]]*=[[:space:]]*(git@github\.com:|https://github\.com/)" "$props"; then
-      valid_repo=true
-      break
-    else
-      repo_url=$(grep -E "^REPO_URL[[:space:]]*=" "$props" | head -1 | cut -d= -f2- | xargs 2>/dev/null || true)
-      if [[ -z "$repo_url" ]]; then
-        echo "[sentinel] Skipping $name — REPO_URL not set in $(basename \"$props\")"
-      else
-        echo "[sentinel] Skipping $name — REPO_URL in $(basename \"$props\") is not a GitHub URL: $repo_url"
-      fi
-    fi
-  done
-  if [[ "$has_config" == "false" ]]; then
-    echo "[sentinel] Skipping $name — no .properties files in config/repo-configs/ (only _example?)"
-    skipped=$((skipped + 1))
-    continue
-  fi
-  if [[ "$valid_repo" == "false" ]]; then
-    skipped=$((skipped + 1))
-    continue
-  fi
-  bash "$project_dir/start.sh"
-  started=$((started + 1))
-done
-echo "[sentinel] $started project(s) started, $skipped skipped"
-`, { mode: 0o755 });
-  // stopAll.sh
-  fs.writeFileSync(path.join(workspace, 'stopAll.sh'), `#!/usr/bin/env bash
-# Stop all Sentinel project instances
-WORKSPACE="$(cd "$(dirname "$0")" && pwd)"
-stopped=0
-for project_dir in "$WORKSPACE"/*/; do
+# A valid project must have config/repo-configs "$WORKSPACE"/repos "$WORKSPACE"/repos/*/; do
+  [[ -d "$project_dir" ]] || continue
   name=$(basename "$project_dir")
-  [[ "$name" == "code" ]] && continue
+  [[ "$name" == "code" ]]  && continue
+  [[ "$name" == "repos" ]] && continue
   [[ -f "$project_dir/stop.sh" ]] || continue
   bash "$project_dir/stop.sh"
   stopped=$((stopped + 1))

package/.cairn/views/2a85cc_init.js

@@ -0,0 +1,339 @@
+'use strict';
+const fs = require('fs-extra');
+const path = require('path');
+const os = require('os');
+const { execSync, spawnSync } = require('child_process');
+const prompts = require('prompts');
+const chalk = require('chalk');
+const { generateProjectScripts, generateWorkspaceScripts, writeExampleProject } = require('./generate');
+const ok   = msg => console.log(chalk.green('  ✔'), msg);
+const info = msg => console.log(chalk.cyan('  →'), msg);
+const warn = msg => console.log(chalk.yellow('  ⚠'), msg);
+const step = msg => console.log('\n' + chalk.bold.white(msg));
+module.exports = async function init() {
+  const defaultWorkspace = path.join(os.homedir(), 'sentinel');
+  const existing = readExistingConfig(defaultWorkspace);
+  if (Object.keys(existing).length) {
+    console.log(chalk.cyan('\n  → Existing workspace config found — showing current values as defaults\n'));
+  }
+  const answers = await prompts([
+    {
+      type: 'text',
+      name: 'workspace',
+      message: 'Workspace directory (each project lives here as a subdirectory)',
+      initial: path.join(os.homedir(), 'sentinel'),
+      format: v => v.replace(/^~/, os.homedir()),
+    },
+    {
+      type: 'select',
+      name: 'authMode',
+      message: 'Claude authentication strategy',
+      hint: 'Boss = Slack AI; Fix Engine = autonomous code repair',
+      choices: [
+        {
+          title: 'Both  (RECOMMENDED) — API key for Boss, Claude Pro for Fix Engine',
+          value: 'both',
+        },
+        {
+          title: 'API key only  — full Boss tools; Fix Engine billed per token',
+          value: 'apikey',
+        },
+        {
+          title: 'Claude Pro / OAuth only  — run `claude login`; Boss has limited tools',
+          value: 'oauth',
+        },
+        { title: 'Skip  (configure manually in sentinel.properties)', value: 'skip' },
+      ],
+    },
+    {
+      type: prev => (prev === 'apikey' || prev === 'both') ? 'password' : null,
+      name: 'anthropicKey',
+      message: existing.ANTHROPIC_API_KEY
+        ? 'Anthropic API key  (press Enter to keep current)'
+        : 'Anthropic API key (sk-ant-...)',
+      validate: v => !v || v.startsWith('sk-ant-') ? true : 'Key should start with sk-ant-',
+    },
+    {
+      type: 'confirm',
+      name: 'example',
+      message: 'Create an example project to show how to configure?',
+      initial: true,
+    },
+    {
+      type: 'confirm',
+      name: 'systemd',
+      message: 'Set up systemd service for auto-start on reboot?',
+      initial: process.platform === 'linux',
+    },
+    {
+      type: 'text',
+      name: 'smtpUser',
+      message: 'SMTP sender address',
+      initial: existing.SMTP_USER || 'sentinel@yourdomain.com',
+    },
+    {
+      type: prev => prev ? 'password' : null,
+      name: 'smtpPassword',
+      message: existing.SMTP_PASSWORD ? 'SMTP password / app password  (press Enter to keep current)' : 'SMTP password / app password',
+    },
+    {
+      type: prev => prev ? 'text' : null,
+      name: 'smtpHost',
+      message: 'SMTP host',
+      initial: existing.SMTP_HOST || 'smtp.gmail.com',
+    },
+    {
+      type: 'confirm',
+      name: 'setupSlack',
+      message: 'Set up Slack Bot (Sentinel Boss — conversational AI interface)?',
+      initial: !!(existing.SLACK_BOT_TOKEN),
+    },
+    {
+      type: prev => prev ? 'password' : null,
+      name: 'slackBotToken',
+      message: existing.SLACK_BOT_TOKEN ? 'Slack Bot Token  (press Enter to keep current)' : 'Slack Bot Token  (xoxb-...)',
+      validate: v => !v || v.startsWith('xoxb-') ? true : 'Should start with xoxb-',
+    },
+    {
+      type: (_, { setupSlack }) => setupSlack ? 'password' : null,
+      name: 'slackAppToken',
+      message: existing.SLACK_APP_TOKEN ? 'Slack App-Level Token  (press Enter to keep current)' : 'Slack App-Level Token  (xapp-...)',
+      validate: v => !v || v.startsWith('xapp-') ? true : 'Should start with xapp-',
+    },
+  ], { onCancel: () => process.exit(0) });
+  const { workspace, authMode, anthropicKey, example, systemd, smtpUser, smtpPassword, smtpHost, setupSlack, slackBotToken, slackAppToken } = answers;
+  const effectiveAnthropicKey  = anthropicKey  || existing.ANTHROPIC_API_KEY || '';
+  const effectiveSmtpPassword  = smtpPassword  || existing.SMTP_PASSWORD     || '';
+  const effectiveSlackBotToken = slackBotToken || existing.SLACK_BOT_TOKEN   || '';
+  const effectiveSlackAppToken = slackAppToken || existing.SLACK_APP_TOKEN   || '';
+  const codeDir = path.join(workspace, 'code');
+  step('Checking Python…');
+  const python = findPython();
+  if (!python) {
+    console.error(chalk.red('  ✖ python3 not found. Install it first:'));
+    console.error('      sudo apt-get install -y python3 python3-pip python3-venv');
+    process.exit(1);
+  }
+  ok(`Python: ${run(python, ['--version']).trim()}`);
+  step('Installing Sentinel code…');
+  const bundledPython = path.join(__dirname, '..', 'python');
+  if (!fs.existsSync(bundledPython)) {
+    console.error(chalk.red('  ✖ Bundled Python source not found (run npm publish from the Sentinel repo)'));
+    process.exit(1);
+  }
+  fs.ensureDirSync(codeDir);
+  fs.copySync(bundledPython, codeDir, { overwrite: true });
+  ok(`Sentinel code → ${codeDir}`);
+  step('Setting up Python environment…');
+  const venv = path.join(codeDir, '.venv');
+  if (!fs.existsSync(venv)) {
+    info('Creating virtual environment…');
+    runLive(python, ['-m', 'venv', venv]);
+  }
+  const pip = path.join(venv, 'bin', 'pip3');
+  const pythonBin = path.join(venv, 'bin', 'python3');
+  info('Installing Python packages…');
+  runLive(pip, ['install', '--quiet', '--upgrade', 'pip']);
+  runLive(pip, ['install', '--quiet', '-r', path.join(codeDir, 'requirements.txt')]);
+  ok('Python packages installed');
+  step('Installing Node tools…');
+  installNpmGlobal('@misterhuydo/cairn-mcp', 'cairn');
+  installNpmGlobal('@anthropic-ai/claude-code', 'claude');
+  info('Hooking Cairn MCP into Claude Code…');
+  runLive('cairn', ['install']);
+  step('Patching Claude Code permissions…');
+  ensureClaudePermissions();
+  step('Claude Code authentication…');
+  if (authMode === 'both' && effectiveAnthropicKey) {
+    ok('API key → Sentinel Boss (full tools, structured responses)');
+    ok('Claude Pro → Fix Engine + Ask Codebase (heavy coding, Pro subscription)');
+    info('Run `claude login` on this server now (or before starting projects)');
+    info('CLAUDE_PRO_FOR_TASKS=true written to workspace sentinel.properties');
+  } else if (authMode === 'apikey' && effectiveAnthropicKey) {
+    ok('API key → all Claude usage (Boss + Fix Engine billed to your API quota)');
+    info('CLAUDE_PRO_FOR_TASKS=false written — Fix Engine will use API key');
+    warn('Heavy fix tasks will consume API tokens. Claude Pro is cheaper for those.');
+  } else if (authMode === 'oauth') {
+    ok('Claude Pro / OAuth → Fix Engine + Ask Codebase');
+    warn('Boss will use CLI fallback — some tools unavailable without an API key');
+    info('Run `claude login` on this server to authenticate');
+  } else {
+    warn('No auth configured — add ANTHROPIC_API_KEY or run `claude login` before starting');
+    info('See: workspace sentinel.properties for full auth documentation');
+  }
+  if (effectiveSlackBotToken && effectiveSlackAppToken) {
+    step('Slack Bot (Sentinel Boss)…');
+    ok('Tokens will be written to workspace sentinel.properties');
+    info('Sentinel Boss starts automatically when the project starts');
+  } else if (setupSlack) {
+    warn('Slack tokens not provided — add them to config/sentinel.properties later');
+  }
+  step('Creating workspace…');
+  fs.ensureDirSync(workspace);
+  ok(`Workspace: ${workspace}`);
+  if (example) {
+    step('Creating example project…');
+    const exampleDir = path.join(workspace, 'my-project');
+    writeExampleProject(exampleDir, codeDir, pythonBin, effectiveAnthropicKey, { botToken: effectiveSlackBotToken, appToken: effectiveSlackAppToken });
+    ok(`Example project: ${exampleDir}`);
+  }
+  step('Generating scripts…');
+  const authConfig = {};
+  if (effectiveAnthropicKey) authConfig.apiKey = effectiveAnthropicKey;
+  if (authMode === 'both' || authMode === 'oauth') authConfig.claudeProForTasks = true;
+  if (authMode === 'apikey') authConfig.claudeProForTasks = false;
+  generateWorkspaceScripts(workspace, { host: smtpHost, user: smtpUser, password: effectiveSmtpPassword }, { botToken: effectiveSlackBotToken, appToken: effectiveSlackAppToken }, authConfig);
+  ok(`${workspace}/startAll.sh`);
+  ok(`${workspace}/stopAll.sh`);
+  if (systemd) {
+    step('Setting up systemd…');
+    setupSystemd(workspace);
+  }
+  console.log('\n' + chalk.bold.green('══ Done! ══') + '\n');
+  console.log(`${chalk.bold('Next steps:')}`);
+  if (example) {
+    console.log(`
+  1. Configure your first project:
+     ${chalk.cyan(`${workspace}/my-project/config/sentinel.properties`)}
+     ${chalk.cyan(`${workspace}/my-project/config/log-configs/`)}
+     ${chalk.cyan(`${workspace}/my-project/config/repo-configs/`)}
+  2. Start all projects (Sentinel clones repos, indexes, and monitors automatically):
+     ${chalk.cyan(`${workspace}/startAll.sh`)}
+  3. Stop all projects:
+     ${chalk.cyan(`${workspace}/stopAll.sh`)}
+`);
+  }
+  if (systemd) {
+    console.log(`  Auto-start is enabled. To manage:
+     ${chalk.cyan('sudo systemctl start sentinel')}
+     ${chalk.cyan('sudo systemctl status sentinel')}
+     ${chalk.cyan('journalctl -u sentinel -f')}
+`);
+  }
+  console.log(`  Add another project anytime:
+     ${chalk.cyan('sentinel add <project-name>')}
+`);
+};
+function readExistingConfig(workspace) {
+  const result = {};
+  _parsePropsInto(path.join(workspace, 'sentinel.properties'), result);
+  if (!result.SLACK_BOT_TOKEN || !result.SLACK_APP_TOKEN) {
+    try {
+      for (const entry of fs.readdirSync(workspace)) {
+        const p = path.join(workspace, entry, 'config', 'sentinel.properties');
+        const proj = {};
+        _parsePropsInto(p, proj);
+        if (!result.SLACK_BOT_TOKEN && proj.SLACK_BOT_TOKEN) result.SLACK_BOT_TOKEN = proj.SLACK_BOT_TOKEN;
+        if (!result.SLACK_APP_TOKEN && proj.SLACK_APP_TOKEN) result.SLACK_APP_TOKEN = proj.SLACK_APP_TOKEN;
+        if (result.SLACK_BOT_TOKEN && result.SLACK_APP_TOKEN) break;
+      }
+    } catch (_) {}
+  }
+  return result;
+}
+function _parsePropsInto(propsPath, result) {
+  if (!fs.existsSync(propsPath)) return;
+  try {
+    const lines = fs.readFileSync(propsPath, 'utf8').split(/\r?\n/);
+    for (const raw of lines) {
+      const line = raw.trim();
+      if (!line || line.startsWith('#')) continue;
+      const idx = line.indexOf('=');
+      if (idx === -1) continue;
+      result[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
+    }
+  } catch (_) {}
+}
+function findPython() {
+  for (const bin of ['python3', 'python']) {
+    try {
+      execSync(`${bin} --version`, { stdio: 'pipe' });
+      return bin;
+    } catch (_) {}
+  }
+  return null;
+}
+function run(bin, args) {
+  const r = spawnSync(bin, args, { encoding: 'utf8' });
+  return (r.stdout || '') + (r.stderr || '');
+}
+function runLive(bin, args) {
+  const r = spawnSync(bin, args, { stdio: 'inherit' });
+  if (r.status !== 0) {
+    console.error(chalk.red(`  ✖ Command failed: ${bin} ${args.join(' ')}`));
+    process.exit(1);
+  }
+}
+function installNpmGlobal(pkg, checkBin) {
+  try {
+    execSync(`${checkBin} --version`, { stdio: 'pipe' });
+    ok(`${pkg} already installed`);
+  } catch (_) {
+    info(`Installing ${pkg}…`);
+    runLive('npm', ['install', '-g', pkg]);
+    ok(`${pkg} installed`);
+  }
+}
+function ensureClaudePermissions() {
+  const settingsPath = require('path').join(require('os').homedir(), '.claude', 'settings.json');
+  const required = ['Read(**)', 'Write(**)', 'Edit(**)', 'Bash(**)'];
+  let settings = {};
+  try {
+    if (fs.existsSync(settingsPath)) {
+      settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
+    }
+  } catch (e) {
+    warn('Could not read ' + settingsPath + ': ' + e.message);
+    return;
+  }
+  if (!settings.permissions) settings.permissions = {};
+  if (!Array.isArray(settings.permissions.allow)) settings.permissions.allow = [];
+  const existing = new Set(settings.permissions.allow);
+  const added = [];
+  for (const perm of required) {
+    if (!existing.has(perm)) {
+      settings.permissions.allow.push(perm);
+      added.push(perm);
+    }
+  }
+  if (added.length === 0) {
+    ok('Claude Code permissions already configured');
+    return;
+  }
+  try {
+    fs.ensureDirSync(require('path').dirname(settingsPath));
+    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n');
+    ok('Claude Code permissions patched: ' + added.join(', '));
+  } catch (e) {
+    warn('Could not write ' + settingsPath + ': ' + e.message);
+  }
+}
+function setupSystemd(workspace) {
+  const user = os.userInfo().username;
+  const svc = `/etc/systemd/system/sentinel.service`;
+  const content = `[Unit]
+Description=Sentinel — Autonomous DevOps Agent
+After=network-online.target
+Wants=network-online.target
+[Service]
+Type=forking
+User=${user}
+WorkingDirectory=${workspace}
+ExecStart=${workspace}/startAll.sh
+ExecStop=${workspace}/stopAll.sh
+Restart=on-failure
+RestartSec=10
+[Install]
+WantedBy=multi-user.target
+`;
+  try {
+    fs.writeFileSync('/tmp/sentinel.service', content);
+    execSync(`sudo mv /tmp/sentinel.service ${svc}`);
+    execSync('sudo systemctl daemon-reload');
+    execSync('sudo systemctl enable sentinel');
+    ok('sentinel.service enabled');
+  } catch (e) {
+    warn(`Could not write systemd service (need sudo): ${e.message}`);
+    warn(`Manually create ${svc} to auto-start on reboot`);
+  }
+}

package/lib/add.js

@@ -283,17 +283,17 @@ async function addFromGit(gitUrl, workspace) {
   ok(`${repoSlug}: reachable`);
 
   // ── 2. Clone primary repo and discover additional repos ────────────────────
-  const localPath  = path.join(workspace, 'repos', repoSlug);
+  const projectDir = path.join(workspace, name);
   step(`[2/3] Scanning repo-configs in ${repoSlug}…`);
 
-  if (!fs.existsSync(localPath)) {
-    spawnSync(gitBin(), ['clone', '--depth', '1', gitUrl, localPath], {
+  if (!fs.existsSync(projectDir)) {
+    spawnSync(gitBin(), ['clone', '--depth', '1', gitUrl, projectDir], {
       stdio: 'inherit',
       env: gitEnv({ GIT_SSH_COMMAND: `ssh -i ${keyFile} -o StrictHostKeyChecking=no -o BatchMode=yes` }),
     });
   }
 
-  const discovered = discoverReposFromClone(localPath);
+  const discovered = discoverReposFromClone(projectDir);
 
   // Classify each discovered repo
   const privateRepos = [];
@@ -439,8 +439,6 @@ async function addFromGit(gitUrl, workspace) {
   }
 
   // ── Preview + confirm ──────────────────────────────────────────────────────
-  const projectDir = path.join(workspace, name);
-
   step('Dry-run preview');
   info(`Will create: ${projectDir}/`);
   if (discovered.length > 0) {
@@ -457,7 +455,7 @@ async function addFromGit(gitUrl, workspace) {
   }, { onCancel: () => process.exit(0) });
   if (!confirm) { info('Aborted.'); return; }
 
-  if (fs.existsSync(projectDir) && projectDir !== localPath) {
+  if (fs.existsSync(projectDir) && !fs.existsSync(path.join(projectDir, '.git'))) {
     console.error(chalk.yellow(`Project "${name}" already exists at ${projectDir}`));
     process.exit(1);
   }
@@ -468,32 +466,29 @@ async function addFromGit(gitUrl, workspace) {
 
   if (discovered.length > 0) {
     // Config already exists in the cloned repo — just generate scripts
-    generateProjectScripts(localPath, codeDir, pythonBin);
-    // Write SSH_KEY_FILE for primary repo itself
-    const primaryProps = path.join(localPath, 'config', 'repo-configs', `${repoSlug}.properties`);
+    generateProjectScripts(projectDir, codeDir, pythonBin);
+    // Write SSH_KEY_FILE for primary repo itself (no LOCAL_PATH — derived automatically)
+    const primaryProps = path.join(projectDir, 'config', 'repo-configs', `${repoSlug}.properties`);
     if (!fs.existsSync(primaryProps)) {
       writePropertiesFile(primaryProps, {
         REPO_NAME:    repoSlug,
         REPO_URL:     gitUrl,
-        LOCAL_PATH:   localPath,
         BRANCH:       'main',
         AUTO_PUBLISH: autoPublish ? 'true' : 'false',
         SSH_KEY_FILE: keyFile,
         CAIRN_MCP_ENABLED: 'true',
       });
     }
-    ok(`Project "${name}" ready at ${localPath}`);
-    printNextSteps(localPath, autoPublish);
-    await offerToStart(localPath);
+    ok(`Project "${name}" ready at ${projectDir}`);
+    printNextSteps(projectDir, autoPublish);
+    await offerToStart(projectDir);
   } else {
     // No existing repo-configs — scaffold fresh project
-    fs.ensureDirSync(projectDir);
     writeExampleProject(projectDir, codeDir, pythonBin);
     const repoDir = path.join(projectDir, 'config', 'repo-configs');
     writePropertiesFile(path.join(repoDir, `${repoSlug}.properties`), {
       REPO_NAME:    repoSlug,
       REPO_URL:     gitUrl,
-      LOCAL_PATH:   localPath,
       BRANCH:       'main',
       AUTO_PUBLISH: autoPublish ? 'true' : 'false',
       SSH_KEY_FILE: keyFile,
@@ -649,8 +644,6 @@ async function addFromUrl(url, workspace) {
   printNextSteps(projectDir);
 }
 
-// ── printNextSteps ────────────────────────────────────────────────────────────
-
 function printNextSteps(projectDir, autoPublish) {
   const logFile = path.join(projectDir, 'logs', 'sentinel.log');
   const mode = autoPublish === true
@@ -682,8 +675,6 @@ async function offerToStart(projectDir) {
   }
 }
 
-// ── entry point ───────────────────────────────────────────────────────────────
-
 module.exports = async function add(arg) {
   const type = detectInputType(arg);
   const workspace = await resolveWorkspace();

package/lib/generate.js

@@ -160,8 +160,10 @@ WORKSPACE="$(cd "$(dirname "$0")" && pwd)"
 started=0
 skipped=0
 for project_dir in "$WORKSPACE"/*/; do
+  [[ -d "$project_dir" ]] || continue
   name=$(basename "$project_dir")
-  [[ "$name" == "code" ]] && continue
+  [[ "$name" == "code" ]]  && continue
+  [[ "$name" == "repos" ]] && continue
   # Auto-generate start.sh / stop.sh if missing (codeDir = $WORKSPACE/code)
   if [[ ! -f "$project_dir/start.sh" ]]; then
     code_dir="$WORKSPACE/code"
@@ -265,8 +267,10 @@ echo "[sentinel] $started project(s) started, $skipped skipped"
 WORKSPACE="$(cd "$(dirname "$0")" && pwd)"
 stopped=0
 for project_dir in "$WORKSPACE"/*/; do
+  [[ -d "$project_dir" ]] || continue
   name=$(basename "$project_dir")
-  [[ "$name" == "code" ]] && continue
+  [[ "$name" == "code" ]]  && continue
+  [[ "$name" == "repos" ]] && continue
   [[ -f "$project_dir/stop.sh" ]] || continue
   bash "$project_dir/stop.sh"
   stopped=$((stopped + 1))

package/lib/init.js

@@ -153,9 +153,10 @@ module.exports = async function init() {
   // ── Node tools ──────────────────────────────────────────────────────────────
   step('Installing Node tools…');
   installNpmGlobal('@misterhuydo/cairn-mcp', 'cairn');
-  installNpmGlobal('@anthropic-ai/claude-code', 'claude');
-  info('Hooking Cairn MCP into Claude Code…');
+  step('Hooking Cairn MCP into Claude Code…');
   runLive('cairn', ['install']);
+  ok('cairn install complete');
+  installNpmGlobal('@anthropic-ai/claude-code', 'claude');
   step('Patching Claude Code permissions…');
   ensureClaudePermissions();
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.3.5",
+  "version": "1.3.7",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/config_loader.py

@@ -172,7 +172,7 @@ class ConfigLoader:
         c.slack_watch_bot_ids = _csv(d.get("SLACK_WATCH_BOT_IDS", ""))
         c.slack_allowed_users = _csv(d.get("SLACK_ALLOWED_USERS", ""))
         c.slack_admin_users = _csv(d.get("SLACK_ADMIN_USERS", ""))
-        c.project_name = d.get("PROJECT_NAME", "")
+        c.project_name = d.get("PROJECT_NAME", "") or Path(self.config_dir).resolve().parent.name
         c.claude_pro_for_tasks = d.get("CLAUDE_PRO_FOR_TASKS", "true").lower() != "false"
         c.sync_enabled = d.get("SYNC_ENABLED", "true").lower() != "false"
         c.sync_interval_seconds = int(d.get("SYNC_INTERVAL_SECONDS", 300))
@@ -218,7 +218,7 @@ class ConfigLoader:
             r = RepoConfig()
             r.repo_name = path.stem
             r.repo_url = d.get("REPO_URL", "")
-            r.local_path = os.path.expanduser(d.get("LOCAL_PATH", ""))
+            r.local_path = str(Path(self.config_dir).parent / "repos" / r.repo_name)
             r.branch = d.get("BRANCH", "main")
             r.auto_publish = d.get("AUTO_PUBLISH", "false").lower() == "true"
             r.cicd_type = d.get("CICD_TYPE", "")

package/python/sentinel/fix_engine.py

@@ -135,7 +135,7 @@ def _claude_cmd(bin_path: str, prompt: str) -> list[str]:
     return [bin_path, "--print", prompt]
 
 
-def _run_claude_attempt(bin_path: str, prompt: str, env: dict) -> tuple[str, bool]:
+def _run_claude_attempt(bin_path: str, prompt: str, env: dict, cwd: str | None = None) -> tuple[str, bool]:
     """
     Run claude CLI with the given env. Returns (output, timed_out).
     Raises FileNotFoundError if binary is missing.
@@ -144,6 +144,7 @@ def _run_claude_attempt(bin_path: str, prompt: str, env: dict) -> tuple[str, boo
         result = subprocess.run(
             _claude_cmd(bin_path, prompt),
             capture_output=True, text=True, timeout=SUBPROCESS_TIMEOUT, env=env,
+            cwd=cwd or None,
         )
         return (result.stdout or "") + (result.stderr or ""), False
     except subprocess.TimeoutExpired:
@@ -216,7 +217,7 @@ def generate_fix(
             if env is None:
                 continue
             logger.info("fix_engine: trying %s for %s", label, event.fingerprint)
-            output, timed_out = _run_claude_attempt(cfg.claude_code_bin, prompt, env)
+            output, timed_out = _run_claude_attempt(cfg.claude_code_bin, prompt, env, cwd=repo.local_path)
             if timed_out:
                 logger.error("Claude Code timed out for %s", event.fingerprint)
                 return "error", None, ""

package/python/sentinel/git_manager.py

@@ -19,7 +19,6 @@ from .log_parser import ErrorEvent
 logger = logging.getLogger(__name__)
 
 GIT_TIMEOUT = 60
-PR_BRANCH_PREFIX = "sentinel/fix-"
 
 # Files that must never be modified by Sentinel
 _PROTECTED_PATHS = {".github/", "Jenkinsfile", "pom.xml"}
@@ -144,6 +143,13 @@ def _append_changelog(repo: RepoConfig, event: ErrorEvent, commit_hash: str):
     _git(["commit", "--amend", "--no-edit"], cwd=repo.local_path, env=env)
 
 
+def remote_fix_exists(repo: RepoConfig, fingerprint: str, cfg: SentinelConfig) -> bool:
+    """Return True if any Sentinel instance already pushed a fix branch for this fingerprint."""
+    pattern = f"refs/heads/*/fix-{fingerprint[:8]}"
+    r = _git(["ls-remote", "--heads", "origin", pattern], cwd=repo.local_path, env=_git_env(repo))
+    return r.returncode == 0 and bool(r.stdout.strip())
+
+
 def publish(
     event: ErrorEvent,
     repo: RepoConfig,
@@ -159,13 +165,21 @@ def publish(
     env = _git_env(repo)
     local_path = repo.local_path
 
+    if not repo.auto_publish:
+        if remote_fix_exists(repo, event.fingerprint, cfg):
+            logger.info(
+                "Remote fix branch already exists for %s — skipping duplicate push",
+                event.fingerprint[:8],
+            )
+            return "", ""
+
     if repo.auto_publish:
         r = _git(["push", "origin", repo.branch], cwd=local_path, env=env)
         if r.returncode != 0:
             logger.error("git push failed:\n%s", r.stderr)
         return repo.branch, ""
     else:
-        branch = f"{PR_BRANCH_PREFIX}{event.fingerprint[:8]}"
+        branch = f"{cfg.project_name or 'sentinel'}/fix-{event.fingerprint[:8]}"
         _git(["checkout", "-B", branch], cwd=local_path, env=env)
         r = _git(["push", "-u", "origin", branch], cwd=local_path, env=env)
         if r.returncode != 0:

package/templates/repo-configs/_example.properties

@@ -12,9 +12,6 @@
 # SSH clone URL of the GitHub repository
 REPO_URL=git@github.com:<org>/<repo>.git
 
-# Absolute path where Sentinel will clone/manage this repo on the local machine
-LOCAL_PATH=/home/<user>/sentinel/repos/<repo-name>
-
 # Branch to pull from and push fixes to
 BRANCH=main