@misterhuydo/sentinel 1.4.59 → 1.4.61

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-03-25T12:30:48.361Z
+2026-03-25T13:53:46.873Z

package/.cairn/session.json

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-03-25T12:25:21.116Z",
-  "checkpoint_at": "2026-03-25T12:25:21.118Z",
+  "message": "Auto-checkpoint at 2026-03-25T14:05:08.341Z",
+  "checkpoint_at": "2026-03-25T14:05:08.342Z",
   "active_files": [],
   "notes": [],
   "mtime_snapshot": {}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.4.59",
+  "version": "1.4.61",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/main.py

@@ -29,7 +29,7 @@ from .log_parser import parse_all, scan_all_for_markers, ErrorEvent
 from .issue_watcher import scan_issues, mark_done, IssueEvent
 from .repo_router import route
 from .reporter import build_and_send, send_fix_notification, send_failure_notification, send_confirmed_notification, send_regression_notification, send_startup_notification, send_upgrade_notification
-from .notify import notify_fix_blocked, notify_fix_applied, notify_missing_tool
+from .notify import notify_fix_blocked, notify_fix_applied, notify_missing_tool, notify_tool_installing
 from .health_checker import evaluate_repos
 from .state_store import StateStore
 
@@ -58,6 +58,93 @@ def _register_signals():
         pass
 
 
+# ── Safe auto-install ─────────────────────────────────────────────────────────
+
+# Whitelist: tool command → {pkg name for Claude, build files that prove the project needs it}
+_SAFE_TOOLS: dict[str, dict] = {
+    "mvn":    {"pkg": "maven",       "build_files": ["pom.xml"]},
+    "npm":    {"pkg": "npm",         "build_files": ["package.json"]},
+    "gradle": {"pkg": "gradle",      "build_files": ["build.gradle", "build.gradle.kts"]},
+    "pip3":   {"pkg": "python3-pip", "build_files": ["requirements.txt", "pyproject.toml", "setup.py"]},
+    "pip":    {"pkg": "python3-pip", "build_files": ["requirements.txt", "pyproject.toml", "setup.py"]},
+    "yarn":   {"pkg": "yarn",        "build_files": ["yarn.lock"]},
+    "make":   {"pkg": "make",        "build_files": ["Makefile"]},
+}
+
+
+def _auto_install_if_safe(
+    tool: str,
+    repo_path: str,
+    sentinel: SentinelConfig,
+    repo_name: str,
+    source: str,
+) -> bool:
+    """
+    Auto-install a missing build tool only when both conditions are met:
+      1. The tool is in _SAFE_TOOLS (known safe, no arbitrary installs)
+      2. Its expected build file exists in the repo (proves the project actually needs it)
+
+    Posts Slack notifications before (installing…) and after (success/failure).
+    Returns True if installation succeeded.
+    """
+    from .notify import slack_alert
+
+    spec = _SAFE_TOOLS.get(tool)
+    if not spec:
+        logger.info("Tool '%s' not in safe whitelist — skipping auto-install", tool)
+        return False
+
+    repo_p = Path(repo_path)
+    if not any((repo_p / bf).exists() for bf in spec["build_files"]):
+        logger.info(
+            "Tool '%s' is whitelisted but no matching build file found in %s — skipping",
+            tool, repo_path,
+        )
+        return False
+
+    pkg = spec["pkg"]
+    logger.info("Auto-installing '%s' (pkg: %s) required by %s", tool, pkg, repo_name)
+    notify_tool_installing(sentinel, tool, repo_name, source)
+
+    env = {**os.environ}
+    api_key = sentinel.anthropic_api_key or os.environ.get("ANTHROPIC_API_KEY", "")
+    if api_key:
+        env["ANTHROPIC_API_KEY"] = api_key
+
+    prompt = (
+        f"Install '{pkg}' on this server so it can be used as a build tool. "
+        f"Detect the OS and package manager (yum/dnf/apt), then run the appropriate install command. "
+        f"After installing, verify by running '{tool} --version' or the equivalent. "
+        f"Report the installed version. No explanations — just install and report."
+    )
+    try:
+        result = subprocess.run(
+            [sentinel.claude_code_bin, "--dangerously-skip-permissions", "--bare", "--print", prompt],
+            capture_output=True, text=True, timeout=300, env=env,
+        )
+        output = ((result.stdout or "") + (result.stderr or "")).strip()
+        success = result.returncode == 0
+        logger.info("Auto-install '%s': %s\n%s", tool, "OK" if success else "FAILED", output[-500:])
+        if success:
+            slack_alert(
+                sentinel.slack_bot_token,
+                sentinel.slack_channel,
+                f":white_check_mark: *`{tool}` installed* for *{repo_name}*\n"
+                f"```{output[-300:]}```\nRetrying fix now...",
+            )
+        else:
+            slack_alert(
+                sentinel.slack_bot_token,
+                sentinel.slack_channel,
+                f":x: *Auto-install of `{tool}` failed* for *{repo_name}*\n"
+                f"```{output[-300:]}```\nAdmin intervention required.",
+            )
+        return success
+    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
+        logger.error("Auto-install of '%s' failed: %s", tool, exc)
+        return False
+
+
 # ── Fix pipeline ──────────────────────────────────────────────────────────────
 
 async def _handle_error(event: ErrorEvent, cfg_loader: ConfigLoader, store: StateStore):
@@ -109,10 +196,19 @@ async def _handle_error(event: ErrorEvent, cfg_loader: ConfigLoader, store: Stat
     try:
         commit_status, commit_hash = apply_and_commit(event, patch_path, repo, sentinel)
     except MissingToolError as e:
-        logger.warning("Missing tool for %s: %s — notifying admin", event.source, e)
-        notify_missing_tool(sentinel, e.tool, repo.repo_name, event.source, "")
-        store.record_fix(event.fingerprint, "failed", repo_name=repo.repo_name)
-        return
+        logger.warning("Missing tool for %s: %s", event.source, e)
+        if _auto_install_if_safe(e.tool, repo.local_path, sentinel, repo.repo_name, event.source):
+            try:
+                commit_status, commit_hash = apply_and_commit(event, patch_path, repo, sentinel)
+            except MissingToolError as e2:
+                logger.error("Still missing tool after auto-install: %s", e2)
+                notify_missing_tool(sentinel, e2.tool, repo.repo_name, event.source, "")
+                store.record_fix(event.fingerprint, "failed", repo_name=repo.repo_name)
+                return
+        else:
+            notify_missing_tool(sentinel, e.tool, repo.repo_name, event.source, "")
+            store.record_fix(event.fingerprint, "failed", repo_name=repo.repo_name)
+            return
     if commit_status != "committed":
         store.record_fix(event.fingerprint, "failed", repo_name=repo.repo_name)
         send_failure_notification(sentinel, {
@@ -251,12 +347,50 @@ async def _handle_issue(event: IssueEvent, cfg_loader: ConfigLoader, store: Stat
             cicd_trigger(repo, store, event.fingerprint)
 
     except MissingToolError as e:
-        logger.warning("Missing tool for %s: %s — notifying admin", event.source, e)
+        logger.warning("Missing tool for %s: %s", event.source, e)
         submitter_uid = getattr(event, "submitter_user_id", "")
-        notify_missing_tool(sentinel, e.tool, repo.repo_name, event.source, submitter_uid)
-        # Archive the issue — admin can re-raise it after installing the tool
-        store.record_fix(event.fingerprint, "failed", repo_name=repo.repo_name)
+        if not _auto_install_if_safe(e.tool, repo.local_path, sentinel, repo.repo_name, event.source):
+            notify_missing_tool(sentinel, e.tool, repo.repo_name, event.source, submitter_uid)
+            store.record_fix(event.fingerprint, "failed", repo_name=repo.repo_name)
+            mark_done(event.issue_file)
+            return
+        # Tool installed — retry apply_and_commit once
+        try:
+            commit_status, commit_hash = apply_and_commit(event, patch_path, repo, sentinel)
+        except MissingToolError as e2:
+            logger.error("Still missing tool after auto-install: %s", e2)
+            notify_missing_tool(sentinel, e2.tool, repo.repo_name, event.source, submitter_uid)
+            store.record_fix(event.fingerprint, "failed", repo_name=repo.repo_name)
+            mark_done(event.issue_file)
+            return
+        if commit_status != "committed":
+            store.record_fix(event.fingerprint, "failed", repo_name=repo.repo_name)
+            notify_fix_blocked(sentinel, event.source, event.message,
+                               reason="Patch was generated but commit/tests failed after tool install",
+                               repo_name=repo.repo_name, submitter_user_id=submitter_uid)
+            mark_done(event.issue_file)
+            return
+        branch, pr_url = publish(event, repo, sentinel, commit_hash)
+        store.record_fix(
+            event.fingerprint,
+            "applied" if repo.auto_publish else "pending",
+            patch_path=str(patch_path), commit_hash=commit_hash,
+            branch=branch, pr_url=pr_url, repo_name=repo.repo_name, sentinel_marker=marker,
+        )
+        send_fix_notification(sentinel, {
+            "source": event.source, "severity": "ERROR",
+            "fingerprint": event.fingerprint, "first_seen": event.timestamp,
+            "message": event.message, "stack_trace": event.body,
+            "repo_name": repo.repo_name, "commit_hash": commit_hash,
+            "branch": branch, "pr_url": pr_url,
+            "auto_publish": repo.auto_publish, "files_changed": [],
+        })
+        notify_fix_applied(sentinel, event.source, event.message,
+                           repo_name=repo.repo_name, branch=branch, pr_url=pr_url,
+                           submitter_user_id=submitter_uid)
         mark_done(event.issue_file)
+        if repo.auto_publish:
+            cicd_trigger(repo, store, event.fingerprint)
 
     except Exception:
         logger.exception("Unexpected error processing issue %s — archiving to prevent retry loop", event.source)

package/python/sentinel/notify.py

@@ -230,6 +230,22 @@ def notify_fix_blocked(
         logger.warning("notify_fix_blocked: email notification failed: %s", exc)
 
 
+def notify_tool_installing(cfg, tool: str, repo_name: str, source: str) -> None:
+    """
+    Post a brief Slack notice that Sentinel is auto-installing a whitelisted build tool.
+    Called before the install begins so admins know what's happening.
+    """
+    repo_line = f" for *{repo_name}*" if repo_name else ""
+    slack_alert(
+        cfg.slack_bot_token,
+        cfg.slack_channel,
+        f":gear: *Auto-installing `{tool}`{repo_line}*\n"
+        f"`{tool}` is required to run tests but not found on this server. "
+        f"It's a known safe build tool — installing automatically. "
+        f"Will retry the fix once done.",
+    )
+
+
 def notify_missing_tool(
     cfg,
     tool: str,

package/templates/sentinel.properties

@@ -60,8 +60,7 @@ WORKSPACE_DIR=./workspace
 # Comma-separated list of Slack bot IDs (starts with B, not U).
 # SLACK_WATCH_BOT_IDS=B12345678, B87654321
 
-# Boss conversation mode — controls how Boss handles off-topic requests (default: standard)
-#   standard  — professional DevOps agent; off-topic questions answered helpfully but concisely
-#   strict    — DevOps only; politely redirects off-topic requests (recommended for shared/enterprise workspaces)
-#   fun       — fully open; jokes, stories, SVGs, creative tasks — Boss engages enthusiastically
+# Boss mode override — overrides the workspace-level BOSS_MODE for this project only.
+# Options: standard (default) | strict | fun
+# See workspace sentinel.properties for full description.
 # BOSS_MODE=standard

package/templates/workspace-sentinel.properties

@@ -90,3 +90,10 @@ SYNC_MAX_FILE_MB=200
 #                 list_all_errors, export_db
 # These are powerful operations — restrict to trusted team members.
 # SLACK_ADMIN_USERS=U123ABC
+#
+# Boss conversation mode — controls how Boss handles off-topic (non-DevOps) requests.
+#   standard  — professional; off-topic questions answered helpfully but concisely (default)
+#   strict    — DevOps only; off-topic politely declined (recommended for shared/enterprise workspaces)
+#   fun       — fully open; jokes, stories, SVGs, creative tasks — Boss engages enthusiastically
+# Can be overridden per-project in config/sentinel.properties.
+# BOSS_MODE=standard