@misterhuydo/sentinel 1.3.8 → 1.4.0

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-03-24T06:20:19.272Z
+2026-03-24T07:49:55.081Z

package/.cairn/minify-map.json

@@ -4,11 +4,5 @@
     "state": "compressed",
     "minifiedAt": 1774252515044.4768,
     "readCount": 1
-  },
-  "J:\\Projects\\Sentinel\\cli\\lib\\add.js": {
-    "tempPath": "J:\\Projects\\Sentinel\\cli\\.cairn\\views\\fc4a1a_add.js",
-    "state": "compressed",
-    "minifiedAt": 1774333679398.312,
-    "readCount": 1
   }
 }

package/.cairn/session.json

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-03-24T06:46:37.910Z",
-  "checkpoint_at": "2026-03-24T06:46:37.911Z",
+  "message": "Auto-checkpoint at 2026-03-24T08:01:08.778Z",
+  "checkpoint_at": "2026-03-24T08:01:08.779Z",
   "active_files": [],
   "notes": [],
   "mtime_snapshot": {}

package/lib/add.js

@@ -133,11 +133,20 @@ function ensureKnownHosts() {
   if (r.stdout) fs.appendFileSync(knownHosts, r.stdout);
 }
 
-function generateDeployKey(repoSlug) {
-  const sshDir  = path.join(os.homedir(), '.ssh');
-  const keyFile = path.join(sshDir, `${repoSlug}.key`);
-  fs.ensureDirSync(sshDir);
-  fs.chmodSync(sshDir, 0o700);
+function generateDeployKey(repoSlug, keyDir) {
+  // keyDir: project workspace -> key stored there, gitignored, never committed to config repo
+  //         omitted -> ~/.ssh/ for the bootstrap config-repo key (needs SSH config for git pull)
+  const useProjectDir = !!keyDir;
+  const dir     = keyDir || path.join(os.homedir(), '.ssh');
+  const keyFile = path.join(dir, `${repoSlug}.key`);
+
+  if (useProjectDir) {
+    fs.ensureDirSync(dir);
+  } else {
+    const sshDir = path.join(os.homedir(), '.ssh');
+    fs.ensureDirSync(sshDir);
+    fs.chmodSync(sshDir, 0o700);
+  }
 
   if (fs.existsSync(keyFile)) {
     info(`Using existing key: ${keyFile}`);
@@ -147,17 +156,21 @@ function generateDeployKey(repoSlug) {
     ok(`Deploy key generated: ${keyFile}`);
   }
 
-  const configFile = path.join(sshDir, 'config');
-  const sshHost    = `github-${repoSlug}`;
-  const existing   = fs.existsSync(configFile) ? fs.readFileSync(configFile, 'utf8') : '';
-  if (!existing.includes(`Host ${sshHost}`)) {
-    fs.appendFileSync(configFile,
-      `\nHost ${sshHost}\n    HostName github.com\n    User git\n    IdentityFile ${keyFile}\n    IdentitiesOnly yes\n`);
-    fs.chmodSync(configFile, 0o600);
-    ok('SSH config updated');
+  // Only update ~/.ssh/config for the bootstrap key — managed repo keys are picked up
+  // via GIT_SSH_COMMAND directly, so no SSH config alias is needed for them
+  if (!useProjectDir) {
+    const configFile = path.join(os.homedir(), '.ssh', 'config');
+    const sshHost    = `github-${repoSlug}`;
+    const existing   = fs.existsSync(configFile) ? fs.readFileSync(configFile, 'utf8') : '';
+    if (!existing.includes(`Host ${sshHost}`)) {
+      fs.appendFileSync(configFile,
+        `\nHost ${sshHost}\n    HostName github.com\n    User git\n    IdentityFile ${keyFile}\n    IdentitiesOnly yes\n`);
+      fs.chmodSync(configFile, 0o600);
+      ok('SSH config updated');
+    }
   }
 
-  return { keyFile, sshHost };
+  return { keyFile };
 }
 
 function printDeployKeyInstructions(orgRepo, keyFile) {
@@ -295,6 +308,18 @@ async function addFromGit(gitUrl, workspace) {
 
   const discovered = discoverReposFromClone(projectDir);
 
+  // Ensure SSH keys are gitignored — they must never be committed to the config repo
+  const gitignorePath = path.join(projectDir, '.gitignore');
+  const giContent = fs.existsSync(gitignorePath) ? fs.readFileSync(gitignorePath, 'utf8') : '';
+  const giLines = [];
+  if (!giContent.includes('*.key')) giLines.push('*.key');
+  if (!giContent.includes('*.pub')) giLines.push('*.pub');
+  if (giLines.length) {
+    fs.appendFileSync(gitignorePath, (giContent.endsWith('\n') ? '' : '\n') + giLines.join('\n') + '\n');
+    ok('.gitignore updated: *.key and *.pub excluded from git');
+  }
+
+
   // Classify each discovered repo
   const privateRepos = [];
   const publicRepos  = [];
@@ -318,7 +343,7 @@ async function addFromGit(gitUrl, workspace) {
     step(`[3/3] Deploy keys needed for ${privateRepos.length} private repo(s)`);
 
     for (const r of privateRepos) {
-      const { keyFile: rKey } = generateDeployKey(r.slug);
+      const { keyFile: rKey } = generateDeployKey(r.slug, projectDir);
       r.keyFile = rKey;
       const rOrgRepo = gitUrlToOrgRepo(r.url);
       printDeployKeyInstructions(rOrgRepo, rKey);
@@ -353,16 +378,10 @@ async function addFromGit(gitUrl, workspace) {
       ok(`${r.slug}: public, no key needed`);
     }
 
-    // Write SSH_KEY_FILE into each private repo's .properties file
+    // Keys stored at <projectDir>/<slug>.key — config_loader.py auto-discovers them.
+    // SSH_KEY_FILE is NOT written to git-tracked .properties files.
     for (const r of privateRepos) {
-      let props = fs.readFileSync(r.propsPath, 'utf8');
-      if (/^#?\s*SSH_KEY_FILE\s*=/m.test(props)) {
-        props = props.replace(/^#?\s*SSH_KEY_FILE\s*=.*/m, `SSH_KEY_FILE=${r.keyFile}`);
-      } else {
-        props = props.trimEnd() + `\nSSH_KEY_FILE=${r.keyFile}\n`;
-      }
-      fs.writeFileSync(r.propsPath, props);
-      info(`SSH_KEY_FILE written to config/repo-configs/${r.file}`);
+      info(`Key stored at ${r.keyFile} (auto-discovered, not committed to git)`);
     }
   } else if (discovered.length > 0) {
     step('[3/3] All repos are public — no deploy keys needed');
@@ -475,7 +494,6 @@ async function addFromGit(gitUrl, workspace) {
         REPO_URL:     gitUrl,
         BRANCH:       'main',
         AUTO_PUBLISH: autoPublish ? 'true' : 'false',
-        SSH_KEY_FILE: keyFile,
         CAIRN_MCP_ENABLED: 'true',
       });
     }
@@ -491,7 +509,6 @@ async function addFromGit(gitUrl, workspace) {
       REPO_URL:     gitUrl,
       BRANCH:       'main',
       AUTO_PUBLISH: autoPublish ? 'true' : 'false',
-      SSH_KEY_FILE: keyFile,
       CAIRN_MCP_ENABLED: 'true',
     });
     const example = path.join(repoDir, '_example.properties');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.3.8",
+  "version": "1.4.0",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/config_loader.py

@@ -226,6 +226,11 @@ class ConfigLoader:
             r.cicd_token = d.get("CICD_TOKEN", "")
             r.health_url = d.get("HEALTH_URL", "")
             r.ssh_key_file = os.path.expanduser(d.get("SSH_KEY_FILE", ""))
+            # Auto-discover key in project dir if not set in properties
+            if not r.ssh_key_file:
+                auto_key = Path(self.config_dir).parent / f"{r.repo_name}.key"
+                if auto_key.exists():
+                    r.ssh_key_file = str(auto_key)
             self.repos[r.repo_name] = r
 
     def _register_sighup(self):

package/python/sentinel/sentinel_boss.py

@@ -31,20 +31,17 @@ and opens GitHub PRs for admin review (or pushes directly if AUTO_PUBLISH=true).
 Your job:
 - Understand what the DevOps engineer needs in natural language
 - Query Sentinel's live state (errors, fixes, open PRs) on their behalf
-- Deliver tasks/issues to the right project — you know all projects in this workspace
+- Deliver tasks/issues to this project — you are scoped exclusively to this project
 - Control Sentinel (pause/resume) when asked
 - Give honest, concise answers — you know this system inside out
-- If a project name is unclear or ambiguous, ask the engineer to clarify — never guess
 
 What you can do (tools available):
 
 1. get_status        — Show recent errors detected, fixes applied/pending, open PRs.
                        e.g. "what happened today?", "any issues?", "show open PRs"
 
-2. create_issue      — Deliver a fix/task to any project in this workspace by short name.
-                       You know all project names — use list_projects if you're unsure.
-                       If the project name is ambiguous or not found, ask to clarify.
-                       e.g. "tell 1881 to fix X", "look into Y in elprint", "investigate Z"
+2. create_issue      — Deliver a fix/task to this project.
+                       e.g. "fix X", "look into Y", "investigate Z"
 
 3. pause_sentinel    — Create SENTINEL_PAUSE file to halt all auto-fix activity.
                        e.g. "pause sentinel", "stop auto-fixing"
@@ -145,8 +142,8 @@ reply with a short summary grouped by category:
 • `check_auth_status` — Claude auth health, rate-limit circuit state, fix engine 24 h stats — "is Claude working?", "any rate limits?", "auth issues?"
 
 *Project & task delivery*
-• `list_projects` — all projects and repos Sentinel manages — "what projects do you manage?"
-• `create_issue` — deliver a task to any project by name — "tell 1881 to fix X"
+• `list_projects` — repos and log sources this Sentinel instance manages — "what repos do you watch?"
+• `create_issue` — deliver a fix/task to this project — "fix X", "investigate Y"
 • `trigger_poll` — run a log-fetch + fix cycle right now — "check now"
 • `pause_sentinel` / `resume_sentinel` — halt or resume all auto-fix activity — "pause Sentinel"
 
@@ -900,7 +897,8 @@ _TOOLS = [
 # ── Workspace helpers ─────────────────────────────────────────────────────────
 
 def _workspace_dir() -> Path:
-    return Path(".").resolve().parent
+    """Return the current project directory (each process is scoped to one project)."""
+    return Path(".").resolve()
 
 def _short_name(dir_name: str) -> str:
     """'sentinel-1881' → '1881', 'sentinel-elprint' → 'elprint', others unchanged."""
@@ -925,25 +923,21 @@ def _read_project_name(project_dir: Path) -> str:
     return _short_name(project_dir.name)
 
 def _find_project_dirs(target: str = "") -> list[Path]:
-    """Return project dirs matching target (PROJECT_NAME, short name, or full dir name), or all if target empty."""
-    workspace = _workspace_dir()
-    results = []
-    try:
-        for d in sorted(workspace.iterdir()):
-            if not d.is_dir() or d.name in ("code", ".git"):
-                continue
-            if not (d / "config").exists():
-                continue
-            if target:
-                t = target.lower()
-                if (t not in d.name.lower()
-                        and t not in _short_name(d.name).lower()
-                        and t not in _read_project_name(d).lower()):
-                    continue
-            results.append(d)
-    except Exception:
-        pass
-    return results
+    """Return the current project dir (optionally filtered by target name).
+    Each sentinel process is scoped to one project — cross-project visibility is
+    intentionally disabled to prevent information leakage across Slack workspaces.
+    """
+    current = Path(".").resolve()
+    if not (current / "config").exists():
+        return []
+    if target:
+        t = target.lower()
+        name = _read_project_name(current)
+        if (t not in current.name.lower()
+                and t not in _short_name(current.name).lower()
+                and t not in name.lower()):
+            return []
+    return [current]
 
 def _git_pull(path: Path) -> dict:
     try:

package/.cairn/views/fc4a1a_add.js

@@ -1,599 +0,0 @@
-'use strict';
-const fs = require('fs-extra');
-const path = require('path');
-const os = require('os');
-const { execSync, spawnSync } = require('child_process');
-const prompts = require('prompts');
-const chalk = require('chalk');
-const { writeExampleProject, generateWorkspaceScripts, generateProjectScripts } = require('./generate');
-const ok   = msg => console.log(chalk.green('  ✔'), msg);
-const info = msg => console.log(chalk.cyan('  →'), msg);
-const warn = msg => console.log(chalk.yellow('  ⚠'), msg);
-const step = msg => console.log('\n' + chalk.bold.white(msg));
-function detectInputType(arg) {
-  if (!arg) return 'name';
-  if (/^git@/.test(arg) || (/^https?:\/\/github\.com\//.test(arg) && arg.endsWith('.git'))) return 'git';
-  if (/^https?:\/\//.test(arg)) return 'url';
-  if (arg.toLowerCase().endsWith('.json') || arg.includes('/') || arg.includes('\\')) return 'json';
-  return 'name';
-}
-async function resolveWorkspace(initial) {
-  const ans = await prompts([{
-    type: 'text',
-    name: 'workspace',
-    message: 'Workspace directory',
-    initial: initial || path.join(os.homedir(), 'sentinel'),
-    format: v => v.replace(/^~/, os.homedir()),
-  }], { onCancel: () => process.exit(0) });
-  return ans.workspace;
-}
-function requireCodeDir(workspace) {
-  const codeDir = path.join(workspace, 'code');
-  if (!fs.existsSync(codeDir)) {
-    console.error(chalk.red(`Sentinel code not found at ${codeDir}`));
-    console.error(chalk.red('Run "sentinel init" first.'));
-    process.exit(1);
-  }
-  return codeDir;
-}
-const VALID_NAME = /^[a-z0-9_-]+$/i;
-const GITHUB_URL = /^(git@github\.com:|https:\/\/github\.com\/).+\.git$/;
-function validateProjectJson(obj) {
-  const errors = [];
-  if (!obj.name || !VALID_NAME.test(obj.name)) {
-    errors.push('name must be letters, numbers, hyphens only');
-  }
-  if (!Array.isArray(obj.repos) || obj.repos.length === 0) {
-    errors.push('repos array is required and must be non-empty');
-  } else {
-    obj.repos.forEach((r, i) => {
-      if (!r.REPO_URL || !GITHUB_URL.test(r.REPO_URL)) {
-        errors.push(`repos[${i}].REPO_URL must be a valid GitHub URL`);
-      }
-      if (!r.name) errors.push(`repos[${i}].name is required`);
-    });
-  }
-  return errors;
-}
-function writePropertiesFile(filePath, obj) {
-  const lines = Object.entries(obj).map(([k, v]) => `${k}=${v}`);
-  fs.writeFileSync(filePath, lines.join('\n') + '\n');
-}
-function applyJsonToProject(projectDir, obj) {
-  const configDir  = path.join(projectDir, 'config');
-  const repoDir    = path.join(projectDir, 'config', 'repo-configs');
-  const logDir     = path.join(projectDir, 'config', 'log-configs');
-  fs.ensureDirSync(repoDir);
-  fs.ensureDirSync(logDir);
-  if (obj.sentinel) {
-    const propsPath = path.join(configDir, 'sentinel.properties');
-    const existing = fs.existsSync(propsPath) ? fs.readFileSync(propsPath, 'utf8') : '';
-    let updated = existing;
-    Object.entries(obj.sentinel).forEach(([k, v]) => {
-      const re = new RegExp(`^#?\\s*${k}\\s*=.*$`, 'm');
-      if (re.test(updated)) {
-        updated = updated.replace(re, `${k}=${v}`);
-      } else {
-        updated += `\n${k}=${v}`;
-      }
-    });
-    fs.writeFileSync(propsPath, updated);
-    ok('Updated sentinel.properties');
-  }
-  if (Array.isArray(obj.repos)) {
-    obj.repos.forEach(repo => {
-      const { name, ...props } = repo;
-      writePropertiesFile(path.join(repoDir, `${name}.properties`), props);
-      ok(`Created repo-configs/${name}.properties`);
-    });
-  }
-  if (Array.isArray(obj.log_sources)) {
-    obj.log_sources.forEach(src => {
-      const { name, ...props } = src;
-      writePropertiesFile(path.join(logDir, `${name}.properties`), props);
-      ok(`Created log-configs/${name}.properties`);
-    });
-  }
-}
-function fetchUrl(url) {
-  try {
-    const result = spawnSync('curl', ['-fsSL', '--max-time', '10', url], { encoding: 'utf8' });
-    if (result.status !== 0) throw new Error(result.stderr || 'curl failed');
-    return result.stdout;
-  } catch (_) {
-    const https = require('https');
-    const http  = require('http');
-    const lib   = url.startsWith('https') ? https : http;
-    return new Promise((resolve, reject) => {
-      lib.get(url, res => {
-        let data = '';
-        res.on('data', c => (data += c));
-        res.on('end', () => resolve(data));
-      }).on('error', reject);
-    });
-  }
-}
-function ensureKnownHosts() {
-  const knownHosts = path.join(os.homedir(), '.ssh', 'known_hosts');
-  const content = fs.existsSync(knownHosts) ? fs.readFileSync(knownHosts, 'utf8') : '';
-  if (content.includes('github.com')) return;
-  info('Adding GitHub to known_hosts…');
-  const r = spawnSync('ssh-keyscan', ['github.com'], { encoding: 'utf8', timeout: 10000, env: gitEnv() });
-  if (r.stdout) fs.appendFileSync(knownHosts, r.stdout);
-}
-function generateDeployKey(repoSlug) {
-  const sshDir  = path.join(os.homedir(), '.ssh');
-  const keyFile = path.join(sshDir, `${repoSlug}.key`);
-  fs.ensureDirSync(sshDir);
-  fs.chmodSync(sshDir, 0o700);
-  if (fs.existsSync(keyFile)) {
-    info(`Using existing key: ${keyFile}`);
-  } else {
-    spawnSync('ssh-keygen', ['-t', 'ed25519', '-C', `sentinel@${repoSlug}`, '-f', keyFile, '-N', ''],
-      { stdio: 'inherit' });
-    ok(`Deploy key generated: ${keyFile}`);
-  }
-  const configFile = path.join(sshDir, 'config');
-  const sshHost    = `github-${repoSlug}`;
-  const existing   = fs.existsSync(configFile) ? fs.readFileSync(configFile, 'utf8') : '';
-  if (!existing.includes(`Host ${sshHost}`)) {
-    fs.appendFileSync(configFile,
-      `\nHost ${sshHost}\n    HostName github.com\n    User git\n    IdentityFile ${keyFile}\n    IdentitiesOnly yes\n`);
-    fs.chmodSync(configFile, 0o600);
-    ok('SSH config updated');
-  }
-  return { keyFile, sshHost };
-}
-function printDeployKeyInstructions(orgRepo, keyFile) {
-  const pubKey = fs.readFileSync(`${keyFile}.pub`, 'utf8').trim();
-  const bar    = '─'.repeat(70);
-  console.log('');
-  console.log(chalk.bold.yellow(`  ┌${bar}┐`));
-  console.log(chalk.bold.yellow(`  │`) + chalk.bold(`  Add this deploy key to GitHub`) + chalk.bold.yellow(' '.repeat(40) + '│'));
-  console.log(chalk.bold.yellow(`  │`) + chalk.cyan(`  github.com/${orgRepo}`) + chalk.bold.yellow(' '.repeat(Math.max(0, 70 - 14 - orgRepo.length)) + '│'));
-  console.log(chalk.bold.yellow(`  │`) + `  Settings → Deploy keys → Add deploy key` + chalk.bold.yellow(' '.repeat(29) + '│'));
-  console.log(chalk.bold.yellow(`  │`) + `  Allow write access: ✓` + chalk.bold.yellow(' '.repeat(47) + '│'));
-  console.log(chalk.bold.yellow(`  └${bar}┘`));
-  console.log('');
-  console.log(chalk.green(pubKey));
-  console.log('');
-}
-function gitEnv(extra = {}) {
-  const PATH = [
-    process.env.PATH || '',
-    '/usr/bin', '/usr/local/bin', '/bin', '/usr/sbin', '/usr/local/sbin',
-  ].filter(Boolean).join(':');
-  return { ...process.env, PATH, GIT_TERMINAL_PROMPT: '0', ...extra };
-}
-function findBin(name) {
-  const candidates = [
-    `/usr/bin/${name}`, `/usr/local/bin/${name}`, `/bin/${name}`,
-  ];
-  for (const p of candidates) {
-    if (fs.existsSync(p)) return p;
-  }
-  const r = spawnSync('which', [name], { encoding: 'utf8', env: gitEnv() });
-  return (r.stdout || '').trim() || name;
-}
-let _gitBin;
-function gitBin() {
-  if (!_gitBin) _gitBin = findBin('git');
-  return _gitBin;
-}
-function gitUrlToOrgRepo(gitUrl) {
-  return gitUrl
-    .replace(/^git@github\.com:/, '')
-    .replace(/^https?:\/\/github\.com\//, '')
-    .replace(/\.git$/, '');
-}
-function toHttpsUrl(gitUrl) {
-  return 'https://github.com/' + gitUrlToOrgRepo(gitUrl) + '.git';
-}
-function isPublicRepo(gitUrl) {
-  const r = spawnSync(gitBin(), ['ls-remote', '--heads', toHttpsUrl(gitUrl)], {
-    encoding: 'utf8', timeout: 10000, stdio: ['pipe', 'pipe', 'pipe'],
-    env: gitEnv(),
-  });
-  return r.status === 0;
-}
-function validateAccess(repoUrl, keyFile) {
-  const extra = keyFile
-    ? { GIT_SSH_COMMAND: `ssh -i ${keyFile} -o StrictHostKeyChecking=no -o BatchMode=yes` }
-    : {};
-  const r = spawnSync(gitBin(), ['ls-remote', '--heads', repoUrl], {
-    encoding: 'utf8', timeout: 15000, stdio: ['pipe', 'pipe', 'pipe'],
-    env: gitEnv(extra),
-  });
-  return { ok: r.status === 0, stderr: (r.stderr || r.error?.message || '').trim() };
-}
-function discoverReposFromClone(cloneDir) {
-  const repoCfgDir = path.join(cloneDir, 'config', 'repo-configs');
-  if (!fs.existsSync(repoCfgDir)) return [];
-  return fs.readdirSync(repoCfgDir)
-    .filter(f => f.endsWith('.properties') && !f.startsWith('_'))
-    .map(f => {
-      const content = fs.readFileSync(path.join(repoCfgDir, f), 'utf8');
-      const match   = content.match(/^REPO_URL\s*=\s*(.+)$/m);
-      return match ? { file: f, propsPath: path.join(repoCfgDir, f), url: match[1].trim() } : null;
-    })
-    .filter(Boolean);
-}
-async function addFromGit(gitUrl, workspace) {
-  const repoSlug = gitUrl.replace(/\.git$/, '').split(/[:/]/).pop();
-  const orgRepo  = gitUrlToOrgRepo(gitUrl);
-  const { name } = await prompts([{
-    type: 'text',
-    name: 'name',
-    message: 'Project name',
-    initial: repoSlug,
-    validate: v => VALID_NAME.test(v) || 'Use letters, numbers, hyphens only',
-  }], { onCancel: () => process.exit(0) });
-  step(`[1/3] Setting up SSH access to ${repoSlug}`);
-  ensureKnownHosts();
-  const { keyFile } = generateDeployKey(repoSlug);
-  printDeployKeyInstructions(orgRepo, keyFile);
-  await prompts({
-    type: 'text', name: '_', format: () => '',
-    message: chalk.bold(`Press Enter once you've added the deploy key to GitHub…`),
-  }, { onCancel: () => process.exit(0) });
-  const primary = validateAccess(gitUrl, keyFile);
-  if (!primary.ok) {
-    console.error(chalk.red('  ✖ Cannot reach ' + gitUrl));
-    if (primary.stderr) console.error(chalk.red('    ' + primary.stderr));
-    console.error(chalk.yellow('  Check the deploy key has write access, then re-run.'));
-    process.exit(1);
-  }
-  ok(`${repoSlug}: reachable`);
-  const projectDir = path.join(workspace, name);
-  step(`[2/3] Scanning repo-configs in ${repoSlug}…`);
-  if (!fs.existsSync(projectDir)) {
-    spawnSync(gitBin(), ['clone', '--depth', '1', gitUrl, projectDir], {
-      stdio: 'inherit',
-      env: gitEnv({ GIT_SSH_COMMAND: `ssh -i ${keyFile} -o StrictHostKeyChecking=no -o BatchMode=yes` }),
-    });
-  }
-  const discovered = discoverReposFromClone(projectDir);
-  const privateRepos = [];
-  const publicRepos  = [];
-  if (discovered.length === 0) {
-    info('No repo-configs found — project will use example config.');
-  } else {
-    info(`Found ${discovered.length} repo(s) in config/repo-configs/:`);
-    for (const r of discovered) {
-      const slug    = r.file.replace('.properties', '');
-      const pub     = isPublicRepo(r.url);
-      const tag     = pub ? chalk.green('[public]') : chalk.yellow('[private]');
-      console.log(`    ${tag}  ${slug.padEnd(36)} ${r.url}`);
-      if (pub) publicRepos.push({ ...r, slug });
-      else     privateRepos.push({ ...r, slug });
-    }
-  }
-  if (privateRepos.length > 0) {
-    step(`[3/3] Deploy keys needed for ${privateRepos.length} private repo(s)`);
-    for (const r of privateRepos) {
-      const { keyFile: rKey } = generateDeployKey(r.slug);
-      r.keyFile = rKey;
-      const rOrgRepo = gitUrlToOrgRepo(r.url);
-      printDeployKeyInstructions(rOrgRepo, rKey);
-    }
-    if (publicRepos.length > 0) {
-      console.log(chalk.green('  ✔ Public repos (no deploy key needed):'));
-      for (const r of publicRepos) {
-        console.log(chalk.green(`      ${r.slug}`));
-      }
-      console.log('');
-    }
-    await prompts({
-      type: 'text', name: '_', format: () => '',
-      message: chalk.bold(`Press Enter once you've added all ${privateRepos.length} deploy key(s) to GitHub…`),
-    }, { onCancel: () => process.exit(0) });
-    step('Validating repository access…');
-    for (const r of privateRepos) {
-      const v = validateAccess(r.url, r.keyFile);
-      if (!v.ok) {
-        console.error(chalk.red(`  ✖ ${r.slug}: cannot reach ${r.url}`));
-        if (v.stderr) console.error(chalk.red('    ' + v.stderr));
-        console.error(chalk.yellow('  Fix access then re-run sentinel add.'));
-        process.exit(1);
-      }
-      ok(`${r.slug}: reachable`);
-    }
-    for (const r of publicRepos) {
-      ok(`${r.slug}: public, no key needed`);
-    }
-    for (const r of privateRepos) {
-      let props = fs.readFileSync(r.propsPath, 'utf8');
-      if (/^#?\s*SSH_KEY_FILE\s*=/m.test(props)) {
-        props = props.replace(/^#?\s*SSH_KEY_FILE\s*=.*/m, `SSH_KEY_FILE=${r.keyFile}`);
-      } else {
-        props = props.trimEnd() + `\nSSH_KEY_FILE=${r.keyFile}\n`;
-      }
-      fs.writeFileSync(r.propsPath, props);
-      info(`SSH_KEY_FILE written to config/repo-configs/${r.file}`);
-    }
-  } else if (discovered.length > 0) {
-    step('[3/3] All repos are public — no deploy keys needed');
-    ok('All repos accessible without auth');
-  }
-  const { autoPublish } = await prompts({
-    type: 'select',
-    name: 'autoPublish',
-    message: 'How should Sentinel deploy fixes?',
-    hint: 'You can change this per-repo in config/repo-configs/',
-    choices: [
-      {
-        title: 'Open a PR for each fix  (AUTO_PUBLISH=false)  — recommended',
-        description: 'Sentinel pushes to a branch and opens a GitHub PR. You review and merge.',
-        value: false,
-      },
-      {
-        title: 'Push directly to main  (AUTO_PUBLISH=true)  — fully autonomous',
-        description: 'Sentinel commits and pushes fixes straight to your main branch.',
-        value: true,
-      },
-    ],
-  }, { onCancel: () => process.exit(0) });
-  if (autoPublish) {
-    warn('AUTO_PUBLISH=true: fixes push directly to main. Ensure CI blocks bad pushes.');
-  }
-  const workspaceProps = path.join(workspace, 'sentinel.properties');
-  const existingToken  = fs.existsSync(workspaceProps)
-    ? (fs.readFileSync(workspaceProps, 'utf8').match(/^GITHUB_TOKEN\s*=\s*(.+)$/m) || [])[1]?.trim()
-    : '';
-  if (!autoPublish) {
-    console.log('');
-    console.log(chalk.bold('  GitHub Personal Access Token (classic) — required for opening PRs'));
-    console.log(chalk.cyan('  github.com/settings/tokens/new  →  Tokens (classic)'));
-    console.log(chalk.cyan('  Note: "Expiration → No expiration"   Scope: ✓ repo'));
-    console.log('');
-  }
-  const { githubToken } = await prompts({
-    type: (!autoPublish || !existingToken) ? 'password' : null,
-    name: 'githubToken',
-    message: existingToken
-      ? 'GitHub token  (press Enter to keep current)'
-      : autoPublish
-        ? 'GitHub token (classic, repo scope)  — optional, press Enter to skip'
-        : 'GitHub token (classic, repo scope)',
-    validate: v => {
-      if (!autoPublish && !v && !existingToken) return 'Token is required for PR mode';
-      if (v && !v.startsWith('ghp_') && !v.startsWith('github_pat_')) return 'Should start with ghp_ or github_pat_';
-      return true;
-    },
-  }, { onCancel: () => process.exit(0) });
-  const effectiveToken = githubToken || existingToken || '';
-  if (effectiveToken && fs.existsSync(workspaceProps)) {
-    let props = fs.readFileSync(workspaceProps, 'utf8');
-    if (/^#?\s*GITHUB_TOKEN\s*=/m.test(props))
-      props = props.replace(/^#?\s*GITHUB_TOKEN\s*=.*/m, `GITHUB_TOKEN=${effectiveToken}`);
-    else
-      props = props.trimEnd() + `\nGITHUB_TOKEN=${effectiveToken}\n`;
-    fs.writeFileSync(workspaceProps, props);
-    ok('GITHUB_TOKEN saved to workspace sentinel.properties');
-  } else if (effectiveToken) {
-    info('GITHUB_TOKEN will be written when project files are created');
-  }
-  step('Dry-run preview');
-  info(`Will create: ${projectDir}/`);
-  if (discovered.length > 0) {
-    info(`  Using ${discovered.length} repo-config(s) from ${repoSlug}`);
-  } else {
-    info(`  config/repo-configs/${repoSlug}.properties`);
-  }
-  info(`  AUTO_PUBLISH=${autoPublish} (applies to all repos without an explicit setting)`);
-  info('  init.sh, start.sh, stop.sh');
-  const { confirm } = await prompts({
-    type: 'confirm', name: 'confirm',
-    message: `Create project "${name}"?`, initial: true,
-  }, { onCancel: () => process.exit(0) });
-  if (!confirm) { info('Aborted.'); return; }
-  if (fs.existsSync(projectDir) && !fs.existsSync(path.join(projectDir, '.git'))) {
-    console.error(chalk.yellow(`Project "${name}" already exists at ${projectDir}`));
-    process.exit(1);
-  }
-  const codeDir   = requireCodeDir(workspace);
-  const pythonBin = path.join(codeDir, '.venv', 'bin', 'python3');
-  if (discovered.length > 0) {
-    generateProjectScripts(projectDir, codeDir, pythonBin);
-    const primaryProps = path.join(projectDir, 'config', 'repo-configs', `${repoSlug}.properties`);
-    if (!fs.existsSync(primaryProps)) {
-      writePropertiesFile(primaryProps, {
-        REPO_NAME:    repoSlug,
-        REPO_URL:     gitUrl,
-        BRANCH:       'main',
-        AUTO_PUBLISH: autoPublish ? 'true' : 'false',
-        SSH_KEY_FILE: keyFile,
-        CAIRN_MCP_ENABLED: 'true',
-      });
-    }
-    ok(`Project "${name}" ready at ${projectDir}`);
-    printNextSteps(projectDir, autoPublish);
-    await offerToStart(projectDir);
-  } else {
-    writeExampleProject(projectDir, codeDir, pythonBin);
-    const repoDir = path.join(projectDir, 'config', 'repo-configs');
-    writePropertiesFile(path.join(repoDir, `${repoSlug}.properties`), {
-      REPO_NAME:    repoSlug,
-      REPO_URL:     gitUrl,
-      BRANCH:       'main',
-      AUTO_PUBLISH: autoPublish ? 'true' : 'false',
-      SSH_KEY_FILE: keyFile,
-      CAIRN_MCP_ENABLED: 'true',
-    });
-    const example = path.join(repoDir, '_example.properties');
-    if (fs.existsSync(example)) fs.removeSync(example);
-    generateWorkspaceScripts(workspace, {}, {}, {}, effectiveToken);
-    ok(`Project "${name}" created at ${projectDir}`);
-    printNextSteps(projectDir, autoPublish);
-    await offerToStart(projectDir);
-  }
-}
-async function addFromName(nameArg, workspace) {
-  const answers = await prompts([{
-    type: 'text',
-    name: 'name',
-    message: 'Project name',
-    initial: nameArg || 'my-project',
-    validate: v => VALID_NAME.test(v) || 'Use letters, numbers, hyphens only',
-  }], { onCancel: () => process.exit(0) });
-  const { name } = answers;
-  const projectDir = path.join(workspace, name);
-  step('Dry-run preview');
-  info(`Will create: ${projectDir}/`);
-  info('  config/sentinel.properties');
-  info('  config/repo-configs/_example.properties');
-  info('  config/log-configs/_example.properties');
-  info('  init.sh, start.sh, stop.sh');
-  const { confirm } = await prompts({
-    type: 'confirm', name: 'confirm',
-    message: `Create project "${name}"?`, initial: true,
-  }, { onCancel: () => process.exit(0) });
-  if (!confirm) { info('Aborted.'); return; }
-  if (fs.existsSync(projectDir)) {
-    console.error(chalk.yellow(`Project "${name}" already exists at ${projectDir}`));
-    process.exit(1);
-  }
-  const codeDir  = requireCodeDir(workspace);
-  const pythonBin = path.join(codeDir, '.venv', 'bin', 'python3');
-  writeExampleProject(projectDir, codeDir, pythonBin);
-  generateWorkspaceScripts(workspace);
-  ok(`Project "${name}" created at ${projectDir}`);
-  printNextSteps(projectDir);
-}
-async function addFromJson(jsonPath, workspace) {
-  step(`Reading ${jsonPath}`);
-  let obj;
-  try {
-    obj = JSON.parse(fs.readFileSync(jsonPath, 'utf8'));
-  } catch (e) {
-    console.error(chalk.red(`  ✖ Cannot parse ${jsonPath}: ${e.message}`));
-    process.exit(1);
-  }
-  const errors = validateProjectJson(obj);
-  if (errors.length) {
-    console.error(chalk.red('  ✖ Invalid project JSON:'));
-    errors.forEach(e => console.error(chalk.red(`    - ${e}`)));
-    process.exit(1);
-  }
-  ok('JSON is valid');
-  const { name } = obj;
-  const projectDir = path.join(workspace, name);
-  step('Dry-run preview');
-  info(`Will create: ${projectDir}/`);
-  (obj.repos || []).forEach(r => info(`  config/repo-configs/${r.name}.properties  (${r.REPO_URL})`));
-  (obj.log_sources || []).forEach(s => info(`  config/log-configs/${s.name}.properties  (${s.SOURCE_TYPE})`));
-  if (obj.sentinel) {
-    Object.entries(obj.sentinel).forEach(([k, v]) => info(`  sentinel.properties: ${k}=${v}`));
-  }
-  const { confirm } = await prompts({
-    type: 'confirm', name: 'confirm',
-    message: `Create project "${name}" from ${path.basename(jsonPath)}?`, initial: true,
-  }, { onCancel: () => process.exit(0) });
-  if (!confirm) { info('Aborted.'); return; }
-  if (fs.existsSync(projectDir)) {
-    console.error(chalk.yellow(`Project "${name}" already exists at ${projectDir}`));
-    process.exit(1);
-  }
-  const codeDir   = requireCodeDir(workspace);
-  const pythonBin = path.join(codeDir, '.venv', 'bin', 'python3');
-  writeExampleProject(projectDir, codeDir, pythonBin);
-  const repoDir = path.join(projectDir, 'config', 'repo-configs');
-  const logDir  = path.join(projectDir, 'config', 'log-configs');
-  if (fs.existsSync(path.join(repoDir, '_example.properties'))) fs.removeSync(path.join(repoDir, '_example.properties'));
-  if (fs.existsSync(path.join(logDir,  '_example.properties'))) fs.removeSync(path.join(logDir,  '_example.properties'));
-  applyJsonToProject(projectDir, obj);
-  generateWorkspaceScripts(workspace);
-  ok(`Project "${name}" created at ${projectDir}`);
-  printNextSteps(projectDir);
-}
-async function addFromUrl(url, workspace) {
-  step(`Fetching ${url}`);
-  let raw;
-  try {
-    raw = fetchUrl(url);
-    if (raw && typeof raw.then === 'function') raw = await raw;
-  } catch (e) {
-    console.error(chalk.red(`  ✖ Cannot fetch ${url}: ${e.message}`));
-    process.exit(1);
-  }
-  let obj;
-  try {
-    obj = JSON.parse(raw);
-  } catch (e) {
-    console.error(chalk.red(`  ✖ Response is not valid JSON: ${e.message}`));
-    process.exit(1);
-  }
-  const errors = validateProjectJson(obj);
-  if (errors.length) {
-    console.error(chalk.red('  ✖ Invalid project JSON at URL:'));
-    errors.forEach(e => console.error(chalk.red(`    - ${e}`)));
-    process.exit(1);
-  }
-  ok('JSON is valid');
-  const { name } = obj;
-  const projectDir = path.join(workspace, name);
-  step('Dry-run preview');
-  info(`Will create: ${projectDir}/`);
-  (obj.repos || []).forEach(r => info(`  config/repo-configs/${r.name}.properties  (${r.REPO_URL})`));
-  (obj.log_sources || []).forEach(s => info(`  config/log-configs/${s.name}.properties  (${s.SOURCE_TYPE})`));
-  if (obj.sentinel) {
-    Object.entries(obj.sentinel).forEach(([k, v]) => info(`  sentinel.properties: ${k}=${v}`));
-  }
-  const { confirm } = await prompts({
-    type: 'confirm', name: 'confirm',
-    message: `Create project "${name}" from ${url}?`, initial: true,
-  }, { onCancel: () => process.exit(0) });
-  if (!confirm) { info('Aborted.'); return; }
-  if (fs.existsSync(projectDir)) {
-    console.error(chalk.yellow(`Project "${name}" already exists at ${projectDir}`));
-    process.exit(1);
-  }
-  const codeDir   = requireCodeDir(workspace);
-  const pythonBin = path.join(codeDir, '.venv', 'bin', 'python3');
-  writeExampleProject(projectDir, codeDir, pythonBin);
-  const repoDir = path.join(projectDir, 'config', 'repo-configs');
-  const logDir  = path.join(projectDir, 'config', 'log-configs');
-  if (fs.existsSync(path.join(repoDir, '_example.properties'))) fs.removeSync(path.join(repoDir, '_example.properties'));
-  if (fs.existsSync(path.join(logDir,  '_example.properties'))) fs.removeSync(path.join(logDir,  '_example.properties'));
-  applyJsonToProject(projectDir, obj);
-  generateWorkspaceScripts(workspace);
-  ok(`Project "${name}" created at ${projectDir}`);
-  printNextSteps(projectDir);
-}
-function printNextSteps(projectDir, autoPublish) {
-  const logFile = path.join(projectDir, 'logs', 'sentinel.log');
-  const mode = autoPublish === true
-    ? chalk.yellow('\n     ⚠  Fixes push directly to main — ensure CI blocks bad pushes')
-    : autoPublish === false
-    ? chalk.cyan('\n     →  Sentinel opens a GitHub PR for each fix — review and merge at github.com')
-    : '';
-  console.log(`
-  Config:   ${chalk.cyan(path.join(projectDir, 'config', ''))}
-  Start:    ${chalk.cyan(path.join(projectDir, 'start.sh'))}${mode}
-  Logs:     ${chalk.cyan(logFile)}
-            ${chalk.gray(`tail -f ${logFile}`)}
-`);
-}
-async function offerToStart(projectDir) {
-  const startSh = path.join(projectDir, 'start.sh');
-  if (!fs.existsSync(startSh)) return;
-  const { startNow } = await prompts({
-    type: 'confirm', name: 'startNow',
-    message: 'Start Sentinel now?', initial: true,
-  }, { onCancel: () => {} });
-  if (!startNow) return;
-  const { status } = spawnSync('bash', [startSh], { stdio: 'inherit', env: gitEnv() });
-  if (status === 0) {
-    const logFile = path.join(projectDir, 'logs', 'sentinel.log');
-    ok('Sentinel started');
-    info(`Logs: tail -f ${logFile}`);
-  }
-}
-module.exports = async function add(arg) {
-  const type = detectInputType(arg);
-  const workspace = await resolveWorkspace();
-  if (type === 'git')  return addFromGit(arg, workspace);
-  if (type === 'url')  return addFromUrl(arg, workspace);
-  if (type === 'json') return addFromJson(arg, workspace);
-  return addFromName(arg, workspace);
-};