@misterhuydo/sentinel 1.3.6 → 1.3.8

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-03-23T18:20:09.151Z
+2026-03-24T06:20:19.272Z

package/.cairn/minify-map.json

@@ -4,5 +4,11 @@
     "state": "compressed",
     "minifiedAt": 1774252515044.4768,
     "readCount": 1
+  },
+  "J:\\Projects\\Sentinel\\cli\\lib\\add.js": {
+    "tempPath": "J:\\Projects\\Sentinel\\cli\\.cairn\\views\\fc4a1a_add.js",
+    "state": "compressed",
+    "minifiedAt": 1774333679398.312,
+    "readCount": 1
   }
 }

package/.cairn/session.json

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-03-23T18:43:04.420Z",
-  "checkpoint_at": "2026-03-23T18:43:04.421Z",
+  "message": "Auto-checkpoint at 2026-03-24T06:46:37.910Z",
+  "checkpoint_at": "2026-03-24T06:46:37.911Z",
   "active_files": [],
   "notes": [],
   "mtime_snapshot": {}

package/.cairn/views/244a09_generate.js

@@ -34,7 +34,7 @@ if [[ -f "$PID_FILE" ]] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null; then
   exit 0
 fi
 # Kill any orphaned sentinel processes for this project (stale PIDs not in PID file)
-pkill -f "sentinel.main --config ${DIR}/config" 2>/dev/null || true
+pkill -f "sentinel.main --config $DIR/config" 2>/dev/null || true
 rm -f "$PID_FILE"
 # Check Claude Code authentication
 AUTH_OUT=$(claude --print \"hi\" 2>&1 || true)
@@ -75,7 +75,7 @@ fi
 rm -f "$PID_FILE"
 `, { mode: 0o755 });
 }
-function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {}) {
+function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {}, authConfig = {}, githubToken = '') {
   const workspaceProps = path.join(workspace, 'sentinel.properties');
   if (!fs.existsSync(workspaceProps)) {
     const tplDir = path.join(__dirname, '..', 'templates');
@@ -86,122 +86,54 @@ function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {})
     if (smtpConfig.password) tpl = tpl.replace('SMTP_PASSWORD=<app-password>',      'SMTP_PASSWORD=' + smtpConfig.password);
     fs.writeFileSync(workspaceProps, tpl);
   }
+  if (authConfig.apiKey || authConfig.claudeProForTasks !== undefined) {
+    let props = fs.readFileSync(workspaceProps, 'utf8');
+    if (authConfig.apiKey) {
+      if (/^#?\s*ANTHROPIC_API_KEY=/m.test(props))
+        props = props.replace(/^#?\s*ANTHROPIC_API_KEY=.*/mg, 'ANTHROPIC_API_KEY=' + authConfig.apiKey);
+      else
+        props = props.trimEnd() + '\nANTHROPIC_API_KEY=' + authConfig.apiKey + '\n';
+    }
+    if (authConfig.claudeProForTasks !== undefined) {
+      const val = authConfig.claudeProForTasks ? 'true' : 'false';
+      if (/^#?\s*CLAUDE_PRO_FOR_TASKS=/m.test(props))
+        props = props.replace(/^#?\s*CLAUDE_PRO_FOR_TASKS=.*/mg, 'CLAUDE_PRO_FOR_TASKS=' + val);
+      else
+        props = props.trimEnd() + '\nCLAUDE_PRO_FOR_TASKS=' + val + '\n';
+    }
+    fs.writeFileSync(workspaceProps, props);
+  }
+  if (githubToken) {
+    let props = fs.readFileSync(workspaceProps, 'utf8');
+    if (/^#?\s*GITHUB_TOKEN=/m.test(props))
+      props = props.replace(/^#?\s*GITHUB_TOKEN=.*/mg, 'GITHUB_TOKEN=' + githubToken);
+    else
+      props = props.trimEnd() + '\nGITHUB_TOKEN=' + githubToken + '\n';
+    fs.writeFileSync(workspaceProps, props);
+  }
   if (slackConfig.botToken || slackConfig.appToken) {
     let props = fs.readFileSync(workspaceProps, 'utf8');
     if (slackConfig.botToken) {
-      const replaced = props.replace(/^#?\s*SLACK_BOT_TOKEN=.*/m, 'SLACK_BOT_TOKEN=' + slackConfig.botToken);
-      props = replaced !== props ? replaced : props.trimEnd() + '\nSLACK_BOT_TOKEN=' + slackConfig.botToken + '\n';
+      if (/^#?\s*SLACK_BOT_TOKEN=/m.test(props))
+        props = props.replace(/^#?\s*SLACK_BOT_TOKEN=.*/mg, 'SLACK_BOT_TOKEN=' + slackConfig.botToken);
+      else
+        props = props.trimEnd() + '\nSLACK_BOT_TOKEN=' + slackConfig.botToken + '\n';
     }
     if (slackConfig.appToken) {
-      const replaced = props.replace(/^#?\s*SLACK_APP_TOKEN=.*/m, 'SLACK_APP_TOKEN=' + slackConfig.appToken);
-      props = replaced !== props ? replaced : props.trimEnd() + '\nSLACK_APP_TOKEN=' + slackConfig.appToken + '\n';
+      if (/^#?\s*SLACK_APP_TOKEN=/m.test(props))
+        props = props.replace(/^#?\s*SLACK_APP_TOKEN=.*/mg, 'SLACK_APP_TOKEN=' + slackConfig.appToken);
+      else
+        props = props.trimEnd() + '\nSLACK_APP_TOKEN=' + slackConfig.appToken + '\n';
     }
     fs.writeFileSync(workspaceProps, props);
   }
   fs.writeFileSync(path.join(workspace, 'startAll.sh'), `#!/usr/bin/env bash
 # Start all valid Sentinel project instances.
-# A valid project must have config/repo-configs; do
-  name=$(basename "$project_dir")
-  [[ "$name" == "code" ]] && continue
-  # Auto-generate start.sh / stop.sh if missing (codeDir = $WORKSPACE/code)
-  if [[ ! -f "$project_dir/start.sh" ]]; then
-    code_dir="$WORKSPACE/code"
-    python_bin="$code_dir/.venv/bin/python3"
-    sed -e "s|__NAME__|$name|g" -e "s|__CODE_DIR__|$code_dir|g" -e "s|__PYTHON_BIN__|$python_bin|g" << 'STARTSH' > "$project_dir/start.sh"
-#!/usr/bin/env bash
-set -euo pipefail
-DIR="$(cd "$(dirname "$0")" && pwd)"
-PID_FILE="$DIR/sentinel.pid"
-if [[ -f "$PID_FILE" ]] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null; then
-  echo "[sentinel] __NAME__ already running (PID $(cat "$PID_FILE"))"
-  exit 0
-fi
-pkill -f "sentinel.main --config ${DIR}/config" 2>/dev/null || true
-rm -f "$PID_FILE"
-AUTH_OUT=$(claude --print \"hi\" 2>&1 || true)
-if echo "$AUTH_OUT" | grep -Eqi "not logged in|/login"; then
-  echo "[sentinel] Claude Code is not authenticated. Run: claude then /login"
-  exit 1
-fi
-mkdir -p "$DIR/logs" "$DIR/workspace/fetched" "$DIR/workspace/patches" "$DIR/issues"
-cd "$DIR"
-PYTHONPATH="__CODE_DIR__" "__PYTHON_BIN__" -m sentinel.main --config ./config \
-  >> "$DIR/logs/sentinel.log" 2>&1 &
-echo $! > "$PID_FILE"
-echo "[sentinel] __NAME__ started (PID $!)"
-STARTSH
-    chmod +x "$project_dir/start.sh"
-    echo "[sentinel] Auto-generated start.sh for $name"
-  fi
-  if [[ ! -f "$project_dir/stop.sh" ]]; then
-    sed -e "s|__NAME__|$name|g" << 'STOPSH' > "$project_dir/stop.sh"
-#!/usr/bin/env bash
-set -euo pipefail
-DIR="$(cd "$(dirname "$0")" && pwd)"
-PID_FILE="$DIR/sentinel.pid"
-if [[ ! -f "$PID_FILE" ]]; then
-  echo "[sentinel] __NAME__ — no PID file, not running"
-  exit 0
-fi
-PID=$(cat "$PID_FILE")
-if kill -0 "$PID" 2>/dev/null; then
-  kill "$PID"
-  echo "[sentinel] __NAME__ stopped (PID $PID)"
-else
-  echo "[sentinel] __NAME__ — PID $PID not running"
-fi
-rm -f "$PID_FILE"
-STOPSH
-    chmod +x "$project_dir/stop.sh"
-    echo "[sentinel] Auto-generated stop.sh for $name"
-  fi
-  # Must have at least one repo-config with a valid GitHub REPO_URL
-  repo_configs_dir="$project_dir/config/repo-configs"
-  if [[ ! -d "$repo_configs_dir" ]]; then
-    echo "[sentinel] Skipping $name — config/repo-configs/ directory not found"
-    skipped=$((skipped + 1))
-    continue
-  fi
-  has_config=false
-  valid_repo=false
-  for props in "$repo_configs_dir/"*.properties; do
-    [[ -f "$props" ]] || continue
-    [[ "$(basename "$props")" == _* ]] && continue
-    has_config=true
-    if grep -qE "^REPO_URL[[:space:]]*=[[:space:]]*(git@github\.com:|https://github\.com/)" "$props"; then
-      valid_repo=true
-      break
-    else
-      repo_url=$(grep -E "^REPO_URL[[:space:]]*=" "$props" | head -1 | cut -d= -f2- | xargs 2>/dev/null || true)
-      if [[ -z "$repo_url" ]]; then
-        echo "[sentinel] Skipping $name — REPO_URL not set in $(basename \"$props\")"
-      else
-        echo "[sentinel] Skipping $name — REPO_URL in $(basename \"$props\") is not a GitHub URL: $repo_url"
-      fi
-    fi
-  done
-  if [[ "$has_config" == "false" ]]; then
-    echo "[sentinel] Skipping $name — no .properties files in config/repo-configs/ (only _example?)"
-    skipped=$((skipped + 1))
-    continue
-  fi
-  if [[ "$valid_repo" == "false" ]]; then
-    skipped=$((skipped + 1))
-    continue
-  fi
-  bash "$project_dir/start.sh"
-  started=$((started + 1))
-done
-echo "[sentinel] $started project(s) started, $skipped skipped"
-`, { mode: 0o755 });
-  // stopAll.sh
-  fs.writeFileSync(path.join(workspace, 'stopAll.sh'), `#!/usr/bin/env bash
-# Stop all Sentinel project instances
-WORKSPACE="$(cd "$(dirname "$0")" && pwd)"
-stopped=0
-for project_dir in "$WORKSPACE"/*/; do
+# A valid project must have config/repo-configs "$WORKSPACE"/repos "$WORKSPACE"/repos/*/; do
+  [[ -d "$project_dir" ]] || continue
   name=$(basename "$project_dir")
-  [[ "$name" == "code" ]] && continue
+  [[ "$name" == "code" ]]  && continue
+  [[ "$name" == "repos" ]] && continue
   [[ -f "$project_dir/stop.sh" ]] || continue
   bash "$project_dir/stop.sh"
   stopped=$((stopped + 1))

package/.cairn/views/2a85cc_init.js

@@ -0,0 +1,339 @@
+'use strict';
+const fs = require('fs-extra');
+const path = require('path');
+const os = require('os');
+const { execSync, spawnSync } = require('child_process');
+const prompts = require('prompts');
+const chalk = require('chalk');
+const { generateProjectScripts, generateWorkspaceScripts, writeExampleProject } = require('./generate');
+const ok   = msg => console.log(chalk.green('  ✔'), msg);
+const info = msg => console.log(chalk.cyan('  →'), msg);
+const warn = msg => console.log(chalk.yellow('  ⚠'), msg);
+const step = msg => console.log('\n' + chalk.bold.white(msg));
+module.exports = async function init() {
+  const defaultWorkspace = path.join(os.homedir(), 'sentinel');
+  const existing = readExistingConfig(defaultWorkspace);
+  if (Object.keys(existing).length) {
+    console.log(chalk.cyan('\n  → Existing workspace config found — showing current values as defaults\n'));
+  }
+  const answers = await prompts([
+    {
+      type: 'text',
+      name: 'workspace',
+      message: 'Workspace directory (each project lives here as a subdirectory)',
+      initial: path.join(os.homedir(), 'sentinel'),
+      format: v => v.replace(/^~/, os.homedir()),
+    },
+    {
+      type: 'select',
+      name: 'authMode',
+      message: 'Claude authentication strategy',
+      hint: 'Boss = Slack AI; Fix Engine = autonomous code repair',
+      choices: [
+        {
+          title: 'Both  (RECOMMENDED) — API key for Boss, Claude Pro for Fix Engine',
+          value: 'both',
+        },
+        {
+          title: 'API key only  — full Boss tools; Fix Engine billed per token',
+          value: 'apikey',
+        },
+        {
+          title: 'Claude Pro / OAuth only  — run `claude login`; Boss has limited tools',
+          value: 'oauth',
+        },
+        { title: 'Skip  (configure manually in sentinel.properties)', value: 'skip' },
+      ],
+    },
+    {
+      type: prev => (prev === 'apikey' || prev === 'both') ? 'password' : null,
+      name: 'anthropicKey',
+      message: existing.ANTHROPIC_API_KEY
+        ? 'Anthropic API key  (press Enter to keep current)'
+        : 'Anthropic API key (sk-ant-...)',
+      validate: v => !v || v.startsWith('sk-ant-') ? true : 'Key should start with sk-ant-',
+    },
+    {
+      type: 'confirm',
+      name: 'example',
+      message: 'Create an example project to show how to configure?',
+      initial: true,
+    },
+    {
+      type: 'confirm',
+      name: 'systemd',
+      message: 'Set up systemd service for auto-start on reboot?',
+      initial: process.platform === 'linux',
+    },
+    {
+      type: 'text',
+      name: 'smtpUser',
+      message: 'SMTP sender address',
+      initial: existing.SMTP_USER || 'sentinel@yourdomain.com',
+    },
+    {
+      type: prev => prev ? 'password' : null,
+      name: 'smtpPassword',
+      message: existing.SMTP_PASSWORD ? 'SMTP password / app password  (press Enter to keep current)' : 'SMTP password / app password',
+    },
+    {
+      type: prev => prev ? 'text' : null,
+      name: 'smtpHost',
+      message: 'SMTP host',
+      initial: existing.SMTP_HOST || 'smtp.gmail.com',
+    },
+    {
+      type: 'confirm',
+      name: 'setupSlack',
+      message: 'Set up Slack Bot (Sentinel Boss — conversational AI interface)?',
+      initial: !!(existing.SLACK_BOT_TOKEN),
+    },
+    {
+      type: prev => prev ? 'password' : null,
+      name: 'slackBotToken',
+      message: existing.SLACK_BOT_TOKEN ? 'Slack Bot Token  (press Enter to keep current)' : 'Slack Bot Token  (xoxb-...)',
+      validate: v => !v || v.startsWith('xoxb-') ? true : 'Should start with xoxb-',
+    },
+    {
+      type: (_, { setupSlack }) => setupSlack ? 'password' : null,
+      name: 'slackAppToken',
+      message: existing.SLACK_APP_TOKEN ? 'Slack App-Level Token  (press Enter to keep current)' : 'Slack App-Level Token  (xapp-...)',
+      validate: v => !v || v.startsWith('xapp-') ? true : 'Should start with xapp-',
+    },
+  ], { onCancel: () => process.exit(0) });
+  const { workspace, authMode, anthropicKey, example, systemd, smtpUser, smtpPassword, smtpHost, setupSlack, slackBotToken, slackAppToken } = answers;
+  const effectiveAnthropicKey  = anthropicKey  || existing.ANTHROPIC_API_KEY || '';
+  const effectiveSmtpPassword  = smtpPassword  || existing.SMTP_PASSWORD     || '';
+  const effectiveSlackBotToken = slackBotToken || existing.SLACK_BOT_TOKEN   || '';
+  const effectiveSlackAppToken = slackAppToken || existing.SLACK_APP_TOKEN   || '';
+  const codeDir = path.join(workspace, 'code');
+  step('Checking Python…');
+  const python = findPython();
+  if (!python) {
+    console.error(chalk.red('  ✖ python3 not found. Install it first:'));
+    console.error('      sudo apt-get install -y python3 python3-pip python3-venv');
+    process.exit(1);
+  }
+  ok(`Python: ${run(python, ['--version']).trim()}`);
+  step('Installing Sentinel code…');
+  const bundledPython = path.join(__dirname, '..', 'python');
+  if (!fs.existsSync(bundledPython)) {
+    console.error(chalk.red('  ✖ Bundled Python source not found (run npm publish from the Sentinel repo)'));
+    process.exit(1);
+  }
+  fs.ensureDirSync(codeDir);
+  fs.copySync(bundledPython, codeDir, { overwrite: true });
+  ok(`Sentinel code → ${codeDir}`);
+  step('Setting up Python environment…');
+  const venv = path.join(codeDir, '.venv');
+  if (!fs.existsSync(venv)) {
+    info('Creating virtual environment…');
+    runLive(python, ['-m', 'venv', venv]);
+  }
+  const pip = path.join(venv, 'bin', 'pip3');
+  const pythonBin = path.join(venv, 'bin', 'python3');
+  info('Installing Python packages…');
+  runLive(pip, ['install', '--quiet', '--upgrade', 'pip']);
+  runLive(pip, ['install', '--quiet', '-r', path.join(codeDir, 'requirements.txt')]);
+  ok('Python packages installed');
+  step('Installing Node tools…');
+  installNpmGlobal('@misterhuydo/cairn-mcp', 'cairn');
+  installNpmGlobal('@anthropic-ai/claude-code', 'claude');
+  info('Hooking Cairn MCP into Claude Code…');
+  runLive('cairn', ['install']);
+  step('Patching Claude Code permissions…');
+  ensureClaudePermissions();
+  step('Claude Code authentication…');
+  if (authMode === 'both' && effectiveAnthropicKey) {
+    ok('API key → Sentinel Boss (full tools, structured responses)');
+    ok('Claude Pro → Fix Engine + Ask Codebase (heavy coding, Pro subscription)');
+    info('Run `claude login` on this server now (or before starting projects)');
+    info('CLAUDE_PRO_FOR_TASKS=true written to workspace sentinel.properties');
+  } else if (authMode === 'apikey' && effectiveAnthropicKey) {
+    ok('API key → all Claude usage (Boss + Fix Engine billed to your API quota)');
+    info('CLAUDE_PRO_FOR_TASKS=false written — Fix Engine will use API key');
+    warn('Heavy fix tasks will consume API tokens. Claude Pro is cheaper for those.');
+  } else if (authMode === 'oauth') {
+    ok('Claude Pro / OAuth → Fix Engine + Ask Codebase');
+    warn('Boss will use CLI fallback — some tools unavailable without an API key');
+    info('Run `claude login` on this server to authenticate');
+  } else {
+    warn('No auth configured — add ANTHROPIC_API_KEY or run `claude login` before starting');
+    info('See: workspace sentinel.properties for full auth documentation');
+  }
+  if (effectiveSlackBotToken && effectiveSlackAppToken) {
+    step('Slack Bot (Sentinel Boss)…');
+    ok('Tokens will be written to workspace sentinel.properties');
+    info('Sentinel Boss starts automatically when the project starts');
+  } else if (setupSlack) {
+    warn('Slack tokens not provided — add them to config/sentinel.properties later');
+  }
+  step('Creating workspace…');
+  fs.ensureDirSync(workspace);
+  ok(`Workspace: ${workspace}`);
+  if (example) {
+    step('Creating example project…');
+    const exampleDir = path.join(workspace, 'my-project');
+    writeExampleProject(exampleDir, codeDir, pythonBin, effectiveAnthropicKey, { botToken: effectiveSlackBotToken, appToken: effectiveSlackAppToken });
+    ok(`Example project: ${exampleDir}`);
+  }
+  step('Generating scripts…');
+  const authConfig = {};
+  if (effectiveAnthropicKey) authConfig.apiKey = effectiveAnthropicKey;
+  if (authMode === 'both' || authMode === 'oauth') authConfig.claudeProForTasks = true;
+  if (authMode === 'apikey') authConfig.claudeProForTasks = false;
+  generateWorkspaceScripts(workspace, { host: smtpHost, user: smtpUser, password: effectiveSmtpPassword }, { botToken: effectiveSlackBotToken, appToken: effectiveSlackAppToken }, authConfig);
+  ok(`${workspace}/startAll.sh`);
+  ok(`${workspace}/stopAll.sh`);
+  if (systemd) {
+    step('Setting up systemd…');
+    setupSystemd(workspace);
+  }
+  console.log('\n' + chalk.bold.green('══ Done! ══') + '\n');
+  console.log(`${chalk.bold('Next steps:')}`);
+  if (example) {
+    console.log(`
+  1. Configure your first project:
+     ${chalk.cyan(`${workspace}/my-project/config/sentinel.properties`)}
+     ${chalk.cyan(`${workspace}/my-project/config/log-configs/`)}
+     ${chalk.cyan(`${workspace}/my-project/config/repo-configs/`)}
+  2. Start all projects (Sentinel clones repos, indexes, and monitors automatically):
+     ${chalk.cyan(`${workspace}/startAll.sh`)}
+  3. Stop all projects:
+     ${chalk.cyan(`${workspace}/stopAll.sh`)}
+`);
+  }
+  if (systemd) {
+    console.log(`  Auto-start is enabled. To manage:
+     ${chalk.cyan('sudo systemctl start sentinel')}
+     ${chalk.cyan('sudo systemctl status sentinel')}
+     ${chalk.cyan('journalctl -u sentinel -f')}
+`);
+  }
+  console.log(`  Add another project anytime:
+     ${chalk.cyan('sentinel add <project-name>')}
+`);
+};
+function readExistingConfig(workspace) {
+  const result = {};
+  _parsePropsInto(path.join(workspace, 'sentinel.properties'), result);
+  if (!result.SLACK_BOT_TOKEN || !result.SLACK_APP_TOKEN) {
+    try {
+      for (const entry of fs.readdirSync(workspace)) {
+        const p = path.join(workspace, entry, 'config', 'sentinel.properties');
+        const proj = {};
+        _parsePropsInto(p, proj);
+        if (!result.SLACK_BOT_TOKEN && proj.SLACK_BOT_TOKEN) result.SLACK_BOT_TOKEN = proj.SLACK_BOT_TOKEN;
+        if (!result.SLACK_APP_TOKEN && proj.SLACK_APP_TOKEN) result.SLACK_APP_TOKEN = proj.SLACK_APP_TOKEN;
+        if (result.SLACK_BOT_TOKEN && result.SLACK_APP_TOKEN) break;
+      }
+    } catch (_) {}
+  }
+  return result;
+}
+function _parsePropsInto(propsPath, result) {
+  if (!fs.existsSync(propsPath)) return;
+  try {
+    const lines = fs.readFileSync(propsPath, 'utf8').split(/\r?\n/);
+    for (const raw of lines) {
+      const line = raw.trim();
+      if (!line || line.startsWith('#')) continue;
+      const idx = line.indexOf('=');
+      if (idx === -1) continue;
+      result[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
+    }
+  } catch (_) {}
+}
+function findPython() {
+  for (const bin of ['python3', 'python']) {
+    try {
+      execSync(`${bin} --version`, { stdio: 'pipe' });
+      return bin;
+    } catch (_) {}
+  }
+  return null;
+}
+function run(bin, args) {
+  const r = spawnSync(bin, args, { encoding: 'utf8' });
+  return (r.stdout || '') + (r.stderr || '');
+}
+function runLive(bin, args) {
+  const r = spawnSync(bin, args, { stdio: 'inherit' });
+  if (r.status !== 0) {
+    console.error(chalk.red(`  ✖ Command failed: ${bin} ${args.join(' ')}`));
+    process.exit(1);
+  }
+}
+function installNpmGlobal(pkg, checkBin) {
+  try {
+    execSync(`${checkBin} --version`, { stdio: 'pipe' });
+    ok(`${pkg} already installed`);
+  } catch (_) {
+    info(`Installing ${pkg}…`);
+    runLive('npm', ['install', '-g', pkg]);
+    ok(`${pkg} installed`);
+  }
+}
+function ensureClaudePermissions() {
+  const settingsPath = require('path').join(require('os').homedir(), '.claude', 'settings.json');
+  const required = ['Read(**)', 'Write(**)', 'Edit(**)', 'Bash(**)'];
+  let settings = {};
+  try {
+    if (fs.existsSync(settingsPath)) {
+      settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
+    }
+  } catch (e) {
+    warn('Could not read ' + settingsPath + ': ' + e.message);
+    return;
+  }
+  if (!settings.permissions) settings.permissions = {};
+  if (!Array.isArray(settings.permissions.allow)) settings.permissions.allow = [];
+  const existing = new Set(settings.permissions.allow);
+  const added = [];
+  for (const perm of required) {
+    if (!existing.has(perm)) {
+      settings.permissions.allow.push(perm);
+      added.push(perm);
+    }
+  }
+  if (added.length === 0) {
+    ok('Claude Code permissions already configured');
+    return;
+  }
+  try {
+    fs.ensureDirSync(require('path').dirname(settingsPath));
+    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n');
+    ok('Claude Code permissions patched: ' + added.join(', '));
+  } catch (e) {
+    warn('Could not write ' + settingsPath + ': ' + e.message);
+  }
+}
+function setupSystemd(workspace) {
+  const user = os.userInfo().username;
+  const svc = `/etc/systemd/system/sentinel.service`;
+  const content = `[Unit]
+Description=Sentinel — Autonomous DevOps Agent
+After=network-online.target
+Wants=network-online.target
+[Service]
+Type=forking
+User=${user}
+WorkingDirectory=${workspace}
+ExecStart=${workspace}/startAll.sh
+ExecStop=${workspace}/stopAll.sh
+Restart=on-failure
+RestartSec=10
+[Install]
+WantedBy=multi-user.target
+`;
+  try {
+    fs.writeFileSync('/tmp/sentinel.service', content);
+    execSync(`sudo mv /tmp/sentinel.service ${svc}`);
+    execSync('sudo systemctl daemon-reload');
+    execSync('sudo systemctl enable sentinel');
+    ok('sentinel.service enabled');
+  } catch (e) {
+    warn(`Could not write systemd service (need sudo): ${e.message}`);
+    warn(`Manually create ${svc} to auto-start on reboot`);
+  }
+}