@misterhuydo/sentinel 1.4.68 → 1.4.69

package/lib/.cairn/minify-map.json

@@ -4,5 +4,17 @@
     "state": "edit-ready",
     "minifiedAt": 1774403831187.837,
     "readCount": 1
+  },
+  "J:\\Projects\\Sentinel\\cli\\lib\\upgrade.js": {
+    "tempPath": "J:\\Projects\\Sentinel\\cli\\lib\\.cairn\\views\\fb78ac_upgrade.js",
+    "state": "edit-ready",
+    "minifiedAt": 1774409075884.3267,
+    "readCount": 1
+  },
+  "J:\\Projects\\Sentinel\\cli\\lib\\generate.js": {
+    "tempPath": "J:\\Projects\\Sentinel\\cli\\lib\\.cairn\\views\\244a09_generate.js",
+    "state": "compressed",
+    "minifiedAt": 1774454098784.183,
+    "readCount": 1
   }
 }

package/lib/.cairn/views/244a09_generate.js

@@ -0,0 +1,274 @@
+'use strict';
+const fs = require('fs-extra');
+const path = require('path');
+function writeExampleProject(projectDir, codeDir, pythonBin, anthropicKey = '', slackTokens = {}) {
+  const configDir = path.join(projectDir, 'config', 'log-configs');
+  const repoDir   = path.join(projectDir, 'config', 'repo-configs');
+  fs.ensureDirSync(configDir);
+  fs.ensureDirSync(repoDir);
+  const tplDir = path.join(__dirname, '..', 'templates');
+  let sentinelProps = fs.readFileSync(path.join(tplDir, 'sentinel.properties'), 'utf8');
+  if (anthropicKey) {
+    sentinelProps = sentinelProps.replace(/^# ANTHROPIC_API_KEY=.*/m, `ANTHROPIC_API_KEY=${anthropicKey}`);
+  }
+  if (slackTokens.botToken) {
+    sentinelProps = sentinelProps.replace(/^# SLACK_BOT_TOKEN=.*/m, `SLACK_BOT_TOKEN=${slackTokens.botToken}`);
+  }
+  if (slackTokens.appToken) {
+    sentinelProps = sentinelProps.replace(/^# SLACK_APP_TOKEN=.*/m, `SLACK_APP_TOKEN=${slackTokens.appToken}`);
+  }
+  fs.writeFileSync(path.join(projectDir, 'config', 'sentinel.properties'), sentinelProps);
+  fs.copySync(path.join(tplDir, 'log-configs', '_example.properties'), path.join(configDir, '_example.properties'));
+  fs.copySync(path.join(tplDir, 'repo-configs', '_example.properties'), path.join(repoDir,   '_example.properties'));
+  generateProjectScripts(projectDir, codeDir, pythonBin);
+}
+function generateProjectScripts(projectDir, codeDir, pythonBin) {
+  const name = path.basename(projectDir);
+  fs.writeFileSync(path.join(projectDir, 'start.sh'), `#!/usr/bin/env bash
+# Start this Sentinel instance
+set -euo pipefail
+DIR="$(cd "$(dirname "$0")" && pwd)"
+PID_FILE="$DIR/sentinel.pid"
+if [[ -f "$PID_FILE" ]] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null; then
+  echo "[sentinel] ${name} already running (PID $(cat "$PID_FILE"))"
+  exit 0
+fi
+# Kill any orphaned sentinel processes for this project (stale PIDs not in PID file)
+pkill -f "sentinel.main --config $DIR/config" 2>/dev/null || true
+rm -f "$PID_FILE"
+WORKSPACE="$(dirname "$DIR")"
+# Check Claude Code authentication — skip if CLAUDE_PRO_FOR_TASKS=false in either config
+_claude_pro=true
+for _conf in "$WORKSPACE/sentinel.properties" "$DIR/config/sentinel.properties"; do
+  if [[ -f "$_conf" ]]; then
+    _val=$(grep -iE "^CLAUDE_PRO_FOR_TASKS[[:space:]]*=" "$_conf" 2>/dev/null | tail -1 | cut -d= -f2- | tr -d ' ' | tr '[:upper:]' '[:lower:]' || true)
+    [[ -n "$_val" ]] && _claude_pro="$_val"
+  fi
+done
+if [[ "$_claude_pro" != "false" ]]; then
+  AUTH_OUT=$(claude --print \"hi\" 2>&1 || true)
+  if echo "$AUTH_OUT" | grep -Eqi "not logged in|/login"; then
+    echo ""
+    echo "[sentinel] Claude Code is not authenticated."
+    echo "  1. Open a new terminal and run: claude"
+    echo "  2. Type /login at the prompt"
+    echo "  3. Open the URL in any browser and log in"
+    echo "  4. Type /exit when done"
+    echo "  5. Re-run this script"
+    echo ""
+    exit 1
+  fi
+fi
+mkdir -p "$DIR/logs" "$WORKSPACE/logs" "$DIR/workspace/fetched" "$DIR/workspace/patches" "$DIR/issues"
+cd "$DIR"
+# Ensure npm-global bin (cairn-mcp, claude) and ~/.local/bin (auto-installed tools) are on PATH
+export PATH="$HOME/.npm-global/bin:$HOME/.local/bin:$PATH"
+PYTHONPATH="${codeDir}" "${codeDir}/.venv/bin/python3" -m sentinel.main --config ./config \\
+  >> "$DIR/logs/sentinel.log" 2>&1 &
+echo $! > "$PID_FILE"
+echo "[sentinel] ${name} started (PID $!)"
+echo "  project log : $DIR/logs/sentinel.log"
+echo "  workspace log: $WORKSPACE/logs/sentinel.log"
+`, { mode: 0o755 });
+  fs.writeFileSync(path.join(projectDir, 'stop.sh'), `#!/usr/bin/env bash
+# Stop this Sentinel instance
+set -euo pipefail
+DIR="$(cd "$(dirname "$0")" && pwd)"
+PID_FILE="$DIR/sentinel.pid"
+if [[ ! -f "$PID_FILE" ]]; then
+  echo "[sentinel] ${name} — no PID file, not running"
+  exit 0
+fi
+PID=$(cat "$PID_FILE")
+if kill -0 "$PID" 2>/dev/null; then
+  kill "$PID"
+  echo "[sentinel] ${name} stopped (PID $PID)"
+else
+  echo "[sentinel] ${name} — PID $PID not running"
+fi
+rm -f "$PID_FILE"
+`, { mode: 0o755 });
+}
+function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {}, authConfig = {}, githubToken = '') {
+  const workspaceProps = path.join(workspace, 'sentinel.properties');
+  if (!fs.existsSync(workspaceProps)) {
+    const tplDir = path.join(__dirname, '..', 'templates');
+    let tpl = fs.readFileSync(path.join(tplDir, 'workspace-sentinel.properties'), 'utf8');
+    if (smtpConfig.host)     tpl = tpl.replace('SMTP_HOST=smtp.gmail.com',          'SMTP_HOST=' + smtpConfig.host);
+    if (smtpConfig.port)     tpl = tpl.replace('SMTP_PORT=587',                     'SMTP_PORT=' + smtpConfig.port);
+    if (smtpConfig.user)     tpl = tpl.replace('SMTP_USER=sentinel@yourdomain.com', 'SMTP_USER=' + smtpConfig.user);
+    if (smtpConfig.password) tpl = tpl.replace('SMTP_PASSWORD=<app-password>',      'SMTP_PASSWORD=' + smtpConfig.password);
+    fs.writeFileSync(workspaceProps, tpl);
+  }
+  if (authConfig.apiKey || authConfig.claudeProForTasks !== undefined) {
+    let props = fs.readFileSync(workspaceProps, 'utf8');
+    if (authConfig.apiKey) {
+      if (/^#?\s*ANTHROPIC_API_KEY=/m.test(props))
+        props = props.replace(/^#?\s*ANTHROPIC_API_KEY=.*/mg, 'ANTHROPIC_API_KEY=' + authConfig.apiKey);
+      else
+        props = props.trimEnd() + '\nANTHROPIC_API_KEY=' + authConfig.apiKey + '\n';
+    }
+    if (authConfig.claudeProForTasks !== undefined) {
+      const val = authConfig.claudeProForTasks ? 'true' : 'false';
+      if (/^#?\s*CLAUDE_PRO_FOR_TASKS=/m.test(props))
+        props = props.replace(/^#?\s*CLAUDE_PRO_FOR_TASKS=.*/mg, 'CLAUDE_PRO_FOR_TASKS=' + val);
+      else
+        props = props.trimEnd() + '\nCLAUDE_PRO_FOR_TASKS=' + val + '\n';
+    }
+    fs.writeFileSync(workspaceProps, props);
+  }
+  if (githubToken) {
+    let props = fs.readFileSync(workspaceProps, 'utf8');
+    if (/^#?\s*GITHUB_TOKEN=/m.test(props))
+      props = props.replace(/^#?\s*GITHUB_TOKEN=.*/mg, 'GITHUB_TOKEN=' + githubToken);
+    else
+      props = props.trimEnd() + '\nGITHUB_TOKEN=' + githubToken + '\n';
+    fs.writeFileSync(workspaceProps, props);
+  }
+  if (slackConfig.botToken || slackConfig.appToken) {
+    let props = fs.readFileSync(workspaceProps, 'utf8');
+    if (slackConfig.botToken) {
+      if (/^#?\s*SLACK_BOT_TOKEN=/m.test(props))
+        props = props.replace(/^#?\s*SLACK_BOT_TOKEN=.*/mg, 'SLACK_BOT_TOKEN=' + slackConfig.botToken);
+      else
+        props = props.trimEnd() + '\nSLACK_BOT_TOKEN=' + slackConfig.botToken + '\n';
+    }
+    if (slackConfig.appToken) {
+      if (/^#?\s*SLACK_APP_TOKEN=/m.test(props))
+        props = props.replace(/^#?\s*SLACK_APP_TOKEN=.*/mg, 'SLACK_APP_TOKEN=' + slackConfig.appToken);
+      else
+        props = props.trimEnd() + '\nSLACK_APP_TOKEN=' + slackConfig.appToken + '\n';
+    }
+    fs.writeFileSync(workspaceProps, props);
+  }
+  fs.writeFileSync(path.join(workspace, 'startAll.sh'), `#!/usr/bin/env bash
+# Start all valid Sentinel project instances.
+# A valid project must have config/repo-configs; do
+  [[ -d "$project_dir" ]] || continue
+  name=$(basename "$project_dir")
+  echo " $NON_PROJECT " | grep -qw "$name" && continue
+  # Auto-generate start.sh / stop.sh if missing (codeDir = $WORKSPACE/code)
+  if [[ ! -f "$project_dir/start.sh" ]]; then
+    code_dir="$WORKSPACE/code"
+    python_bin="$code_dir/.venv/bin/python3"
+    sed -e "s|__NAME__|$name|g" -e "s|__CODE_DIR__|$code_dir|g" -e "s|__PYTHON_BIN__|$python_bin|g" << 'STARTSH' > "$project_dir/start.sh"
+#!/usr/bin/env bash
+set -euo pipefail
+DIR="$(cd "$(dirname "$0")" && pwd)"
+PID_FILE="$DIR/sentinel.pid"
+if [[ -f "$PID_FILE" ]] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null; then
+  echo "[sentinel] __NAME__ already running (PID $(cat "$PID_FILE"))"
+  exit 0
+fi
+pkill -f "sentinel.main --config $DIR/config" 2>/dev/null || true
+rm -f "$PID_FILE"
+WORKSPACE="$(dirname "$DIR")"
+_claude_pro=true
+for _conf in "$WORKSPACE/sentinel.properties" "$DIR/config/sentinel.properties"; do
+  if [[ -f "$_conf" ]]; then
+    _val=$(grep -iE "^CLAUDE_PRO_FOR_TASKS[[:space:]]*=" "$_conf" 2>/dev/null | tail -1 | cut -d= -f2- | tr -d ' ' | tr '[:upper:]' '[:lower:]' || true)
+    [[ -n "$_val" ]] && _claude_pro="$_val"
+  fi
+done
+if [[ "$_claude_pro" != "false" ]]; then
+  AUTH_OUT=$(claude --print \"hi\" 2>&1 || true)
+  if echo "$AUTH_OUT" | grep -Eqi "not logged in|/login"; then
+    echo "[sentinel] Claude Code is not authenticated. Run: claude then /login"
+    exit 1
+  fi
+fi
+mkdir -p "$DIR/logs" "$WORKSPACE/logs" "$DIR/workspace/fetched" "$DIR/workspace/patches" "$DIR/issues"
+cd "$DIR"
+PYTHONPATH="__CODE_DIR__" "__PYTHON_BIN__" -m sentinel.main --config ./config \
+  > "$DIR/logs/sentinel.log" 2>&1 &
+echo $! > "$PID_FILE"
+echo "[sentinel] __NAME__ started (PID $!)"
+echo "  project log : $DIR/logs/sentinel.log"
+echo "  workspace log: $WORKSPACE/logs/sentinel.log"
+STARTSH
+    chmod +x "$project_dir/start.sh"
+    echo "[sentinel] Auto-generated start.sh for $name"
+  fi
+  if [[ ! -f "$project_dir/stop.sh" ]]; then
+    sed -e "s|__NAME__|$name|g" << 'STOPSH' > "$project_dir/stop.sh"
+#!/usr/bin/env bash
+set -euo pipefail
+DIR="$(cd "$(dirname "$0")" && pwd)"
+PID_FILE="$DIR/sentinel.pid"
+if [[ ! -f "$PID_FILE" ]]; then
+  echo "[sentinel] __NAME__ — no PID file, not running"
+  exit 0
+fi
+PID=$(cat "$PID_FILE")
+if kill -0 "$PID" 2>/dev/null; then
+  kill "$PID"
+  echo "[sentinel] __NAME__ stopped (PID $PID)"
+else
+  echo "[sentinel] __NAME__ — PID $PID not running"
+fi
+rm -f "$PID_FILE"
+STOPSH
+    chmod +x "$project_dir/stop.sh"
+    echo "[sentinel] Auto-generated stop.sh for $name"
+  fi
+  # Must have at least one repo-config with a valid GitHub REPO_URL
+  repo_configs_dir="$project_dir/config/repo-configs"
+  if [[ ! -d "$repo_configs_dir" ]]; then
+    echo "[sentinel] Skipping $name — config/repo-configs/ directory not found"
+    skipped=$((skipped + 1))
+    continue
+  fi
+  has_config=false
+  valid_repo=false
+  for props in "$repo_configs_dir/"*.properties; do
+    [[ -f "$props" ]] || continue
+    [[ "$(basename "$props")" == _* ]] && continue
+    has_config=true
+    if grep -qE "^REPO_URL[[:space:]]*=[[:space:]]*(git@github\.com:|https://github\.com/)" "$props"; then
+      valid_repo=true
+      break
+    else
+      repo_url=$(grep -E "^REPO_URL[[:space:]]*=" "$props" | head -1 | cut -d= -f2- | xargs 2>/dev/null || true)
+      if [[ -z "$repo_url" ]]; then
+        echo "[sentinel] Skipping $name — REPO_URL not set in $(basename \"$props\")"
+      else
+        echo "[sentinel] Skipping $name — REPO_URL in $(basename \"$props\") is not a GitHub URL: $repo_url"
+      fi
+    fi
+  done
+  if [[ "$has_config" == "false" ]]; then
+    echo "[sentinel] Skipping $name — no .properties files in config/repo-configs/ (only _example?)"
+    skipped=$((skipped + 1))
+    continue
+  fi
+  if [[ "$valid_repo" == "false" ]]; then
+    skipped=$((skipped + 1))
+    continue
+  fi
+  if bash "$project_dir/start.sh"; then
+    started=$((started + 1))
+  else
+    echo "[sentinel] Failed to start $name"
+    skipped=$((skipped + 1))
+  fi
+done
+echo "[sentinel] $started project(s) started, $skipped skipped"
+`, { mode: 0o755 });
+  // stopAll.sh
+  fs.writeFileSync(path.join(workspace, 'stopAll.sh'), `#!/usr/bin/env bash
+# Stop all Sentinel project instances
+WORKSPACE="$(cd "$(dirname "$0")" && pwd)"
+stopped=0
+NON_PROJECT="code repos logs issues workspace"
+for project_dir in "$WORKSPACE"/*/; do
+  [[ -d "$project_dir" ]] || continue
+  name=$(basename "$project_dir")
+  echo " $NON_PROJECT " | grep -qw "$name" && continue
+  [[ -f "$project_dir/stop.sh" ]] || continue
+  bash "$project_dir/stop.sh"
+  stopped=$((stopped + 1))
+done
+echo "[sentinel] $stopped project(s) stopped"
+`, { mode: 0o755 });
+}
+module.exports = { writeExampleProject, generateProjectScripts, generateWorkspaceScripts };

package/lib/.cairn/views/fb78ac_upgrade.js

@@ -91,6 +91,21 @@ module.exports = async function upgrade() {
     if (shFiles.length) spawnSync('chmod', ['+x', ...shFiles], { stdio: 'inherit' });
   }
   ok('Python source updated');
+  info('Updating Python packages...');
+  const venv = path.join(codeDir, '.venv');
+  const pip  = fs.existsSync(path.join(venv, 'bin', 'pip'))         ? path.join(venv, 'bin', 'pip')
+             : fs.existsSync(path.join(venv, 'Scripts', 'pip.exe')) ? path.join(venv, 'Scripts', 'pip.exe')
+             : null;
+  if (pip) {
+    const pipResult = spawnSync(pip, ['install', '--upgrade', '-r', path.join(codeDir, 'requirements.txt')], { stdio: 'inherit' });
+    if (pipResult.status !== 0) {
+      warn('pip install failed — some Python packages may be missing');
+    } else {
+      ok('Python packages up to date');
+    }
+  } else {
+    warn('venv not found — skipping pip install (run: sentinel init)');
+  }
   info('Patching Claude Code permissions…');
   ensureClaudePermissions();
   const { version: latest } = require(path.join(pkgDir, 'package.json'));
@@ -98,7 +113,7 @@ module.exports = async function upgrade() {
   info('Regenerating scripts...');
   const { generateProjectScripts, generateWorkspaceScripts } = require('./generate');
   generateWorkspaceScripts(defaultWorkspace);
-  const pythonBin = fs.existsSync('/usr/bin/python3') ? '/usr/bin/python3' : 'python3';
+  const pythonBin = path.join(venv, 'bin', 'python3');
   const NON_PROJECT_DIRS = new Set(['logs', 'code', 'repos', 'workspace', 'issues']);
   let regenerated = 0;
   try {

package/lib/generate.js

@@ -75,8 +75,13 @@ if [[ "$_claude_pro" != "false" ]]; then
 fi
 mkdir -p "$DIR/logs" "$WORKSPACE/logs" "$DIR/workspace/fetched" "$DIR/workspace/patches" "$DIR/issues"
 cd "$DIR"
-# Ensure npm-global bin (cairn-mcp, claude) and ~/.local/bin (auto-installed tools) are on PATH
+# Auto-detect JAVA_HOME (needed for Maven)
+for _jdk in "$HOME"/jdk-* "$HOME"/.jdk /usr/lib/jvm/java-21-openjdk /usr/lib/jvm/java-11-openjdk; do
+  if [[ -d "$_jdk" ]] && [[ -x "$_jdk/bin/java" ]]; then export JAVA_HOME="$_jdk"; break; fi
+done
+# Ensure npm-global bin (cairn-mcp, claude), ~/.local/bin (auto-installed tools), and JAVA_HOME on PATH
 export PATH="$HOME/.npm-global/bin:$HOME/.local/bin:$PATH"
+[[ -n "$JAVA_HOME" ]] && export PATH="$JAVA_HOME/bin:$PATH"
 PYTHONPATH="${codeDir}" "${codeDir}/.venv/bin/python3" -m sentinel.main --config ./config \\
   >> "$DIR/logs/sentinel.log" 2>&1 &
 echo $! > "$PID_FILE"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.4.68",
+  "version": "1.4.69",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/scripts/fix_ask_codebase_context.py

@@ -0,0 +1,249 @@
+#!/usr/bin/env python3
+"""
+Improve ask_codebase:
+1. Enrich prompt with project context (all repos Sentinel manages, their paths/URLs)
+2. Add optional 'mode' param: explore (default) | issues
+3. 'issues' mode: Claude outputs structured GitHub issue suggestions
+4. Tool description updated to mention project-level discussions and issue raising
+"""
+import ast, sys
+
+BOSS = '/home/sentinel/sentinel/code/sentinel/sentinel_boss.py'
+
+with open(BOSS, 'r', encoding='utf-8') as f:
+    boss = f.read()
+
+# ── 1. Update tool definition ─────────────────────────────────────────────────
+
+OLD_DEF = '''        "name": "ask_codebase",
+        "description": (
+            "Ask any natural-language question about a managed codebase. "
+            "Accepts a repo name (e.g. 'STS', 'elprint-sales') OR a project name (e.g. '1881', 'elprint') "
+            "— if a project name is given and it has multiple repos, all are queried. "
+            "Claude Code answers using its full codebase knowledge — no need to specify how. "
+            "Use for: 'what does 1881 do?', 'TODOs in 1881', 'find PIN validation in STS', "
+            "'security issues in elprint-sales?', 'summarize the cairn repo'."
+        ),
+        "input_schema": {
+            "type": "object",
+            "properties": {
+                "repo": {
+                    "type": "string",
+                    "description": "Repo name (e.g. 'STS', 'elprint-sales') OR project name (e.g. '1881', 'elprint') — project name queries all its repos",
+                },
+                "question": {
+                    "type": "string",
+                    "description": "Natural language question about the codebase",
+                },
+            },
+            "required": ["repo", "question"],
+        },
+    },'''
+
+NEW_DEF = '''        "name": "ask_codebase",
+        "description": (
+            "Ask any natural-language question about a managed codebase — or discuss architecture, "
+            "extensions, and new features. Claude Code explores the repo(s) with full file access. "
+            "Accepts a repo name (e.g. 'STS', 'TypeLib') OR project name (e.g. '1881', 'Whydah') — "
+            "project name queries all its repos. "
+            "Use for: 'what does 1881 do?', 'describe the project structure', "
+            "'what should we implement next in STS?', 'find security issues in elprint-sales', "
+            "'what features could we add to TypeLib?', 'summarise the cairn architecture'. "
+            "Use mode=issues to make Claude output structured GitHub issue suggestions "
+            "(e.g. 'raise issues for improvements in STS', 'what bugs should we track in 1881?')."
+        ),
+        "input_schema": {
+            "type": "object",
+            "properties": {
+                "repo": {
+                    "type": "string",
+                    "description": "Repo name (e.g. 'STS', 'TypeLib') OR project name (e.g. '1881', 'Whydah')",
+                },
+                "question": {
+                    "type": "string",
+                    "description": "Natural language question, task, or discussion prompt about the codebase",
+                },
+                "mode": {
+                    "type": "string",
+                    "enum": ["explore", "issues"],
+                    "description": (
+                        "explore (default): answer freely, describe structure, discuss architecture. "
+                        "issues: Claude outputs structured GitHub issue suggestions "
+                        "(title + description + labels) that can be raised on GitHub."
+                    ),
+                },
+            },
+            "required": ["repo", "question"],
+        },
+    },'''
+
+if OLD_DEF not in boss:
+    print("ERROR: ask_codebase tool definition not found")
+    sys.exit(1)
+boss = boss.replace(OLD_DEF, NEW_DEF, 1)
+print("Step 1 OK: tool definition updated")
+
+# ── 2. Update handler — richer prompt + mode support ─────────────────────────
+
+OLD_HANDLER = '''        cfg = cfg_loader.sentinel
+        env = os.environ.copy()
+        # Only inject API key when Claude Pro is NOT preferred for heavy tasks
+        if cfg.anthropic_api_key and not cfg.claude_pro_for_tasks:
+            env["ANTHROPIC_API_KEY"] = cfg.anthropic_api_key
+
+        def _ask_one(repo_name, repo_cfg) -> dict:
+            local_path = Path(repo_cfg.local_path)
+            if not local_path.exists():
+                return {"repo": repo_name, "error": f"not cloned yet at {local_path}"}
+            prompt = (
+                f"You are a code analyst. Answer the following question about the codebase at: {local_path}\\n\\n"
+                f"Question: {question}\\n\\n"
+                f"Use whatever tools you need to answer accurately. Be concise and direct. Plain text only."
+            )
+            try:
+                r = subprocess.run(
+                    ([cfg.claude_code_bin, "--dangerously-skip-permissions", "--print", prompt]
+                    if os.getuid() != 0 else
+                    [cfg.claude_code_bin, "--print", prompt]),
+                    capture_output=True, text=True, timeout=180, env=env,
+                    cwd=str(local_path), stdin=subprocess.DEVNULL,
+                )
+                output = (r.stdout or "").strip()
+                logger.info("Boss ask_codebase %s rc=%d len=%d", repo_name, r.returncode, len(output))
+                if r.returncode != 0 and not output:
+                    raw_err = (r.stderr or "")
+                    alert_if_rate_limited(
+                        cfg.slack_bot_token, cfg.slack_channel,
+                        f"ask_codebase/{repo_name}", raw_err,
+                    )
+                    return {"repo": repo_name, "error": f"claude --print failed (rc={r.returncode}): {raw_err[:200]}"}
+                return {"repo": repo_name, "answer": output[:3000]}
+            except subprocess.TimeoutExpired:
+                return {"repo": repo_name, "error": "timed out after 180s"}
+            except Exception as e:
+                return {"repo": repo_name, "error": str(e)}
+
+        if len(matched) == 1:
+            result = _ask_one(*matched[0])
+            # Unwrap single-repo result for cleaner response
+            return json.dumps(result)
+
+        # Multiple repos — query each and combine
+        results = [_ask_one(rn, r) for rn, r in matched]
+        return json.dumps({"project": target, "repos_queried": len(results), "results": results})'''
+
+NEW_HANDLER = '''        mode = inputs.get("mode", "explore")
+
+        cfg = cfg_loader.sentinel
+        env = os.environ.copy()
+        # Only inject API key when Claude Pro is NOT preferred for heavy tasks
+        if cfg.anthropic_api_key and not cfg.claude_pro_for_tasks:
+            env["ANTHROPIC_API_KEY"] = cfg.anthropic_api_key
+
+        # Build project context block (all repos this Sentinel instance manages)
+        _project_name = _read_project_name(Path("."))
+        _all_repos_lines = []
+        for _rn, _rc in cfg_loader.repos.items():
+            _url = getattr(_rc, "repo_url", "") or ""
+            _path = getattr(_rc, "local_path", "") or ""
+            _prefixes = getattr(_rc, "package_prefixes", "") or ""
+            _all_repos_lines.append(
+                f"  - {_rn}: path={_path}"
+                + (f", url={_url}" if _url else "")
+                + (f", packages={_prefixes}" if _prefixes else "")
+            )
+        _project_ctx = (
+            f"Project: {_project_name}\\n"
+            f"Repos managed by this Sentinel instance:\\n"
+            + "\\n".join(_all_repos_lines)
+        )
+
+        def _ask_one(repo_name, repo_cfg) -> dict:
+            local_path = Path(repo_cfg.local_path)
+            if not local_path.exists():
+                return {"repo": repo_name, "error": f"not cloned yet at {local_path}"}
+
+            if mode == "issues":
+                _mode_instruction = (
+                    "Output a structured list of GitHub issues to raise for this codebase.\\n"
+                    "For each issue include:\\n"
+                    "  TITLE: <concise issue title>\\n"
+                    "  LABELS: <bug|enhancement|tech-debt|security|performance>\\n"
+                    "  DESCRIPTION: <2-4 sentences: what, why, suggested approach>\\n"
+                    "---\\n"
+                    "Focus on: bugs, missing error handling, performance bottlenecks, "
+                    "security gaps, missing tests, tech-debt, and useful new features.\\n"
+                    "Output plain text only — no markdown headers."
+                )
+            else:
+                _mode_instruction = (
+                    "Explore the codebase freely — read files, search for patterns, examine structure.\\n"
+                    "Answer thoroughly. You may discuss architecture, suggest extensions, "
+                    "describe design patterns, or analyse any aspect of the code.\\n"
+                    "Plain text only. Be concise but complete."
+                )
+
+            prompt = (
+                f"{_project_ctx}\\n\\n"
+                f"You are now analysing: {repo_name} at {local_path}\\n\\n"
+                f"{_mode_instruction}\\n\\n"
+                f"Question / Task: {question}"
+            )
+            try:
+                r = subprocess.run(
+                    ([cfg.claude_code_bin, "--dangerously-skip-permissions", "--print", prompt]
+                    if os.getuid() != 0 else
+                    [cfg.claude_code_bin, "--print", prompt]),
+                    capture_output=True, text=True, timeout=300, env=env,
+                    cwd=str(local_path), stdin=subprocess.DEVNULL,
+                )
+                output = (r.stdout or "").strip()
+                logger.info("Boss ask_codebase %s mode=%s rc=%d len=%d", repo_name, mode, r.returncode, len(output))
+                if r.returncode != 0 and not output:
+                    raw_err = (r.stderr or "")
+                    alert_if_rate_limited(
+                        cfg.slack_bot_token, cfg.slack_channel,
+                        f"ask_codebase/{repo_name}", raw_err,
+                    )
+                    return {"repo": repo_name, "error": f"claude --print failed (rc={r.returncode}): {raw_err[:200]}"}
+                return {"repo": repo_name, "answer": output[:4000]}
+            except subprocess.TimeoutExpired:
+                return {"repo": repo_name, "error": "timed out after 300s"}
+            except Exception as e:
+                return {"repo": repo_name, "error": str(e)}
+
+        if len(matched) == 1:
+            result = _ask_one(*matched[0])
+            # Unwrap single-repo result for cleaner response
+            return json.dumps(result)
+
+        # Multiple repos — query each and combine
+        results = [_ask_one(rn, r) for rn, r in matched]
+        return json.dumps({"project": target, "repos_queried": len(results), "results": results})'''
+
+if OLD_HANDLER not in boss:
+    print("ERROR: ask_codebase handler not found")
+    # Show context to help debug
+    idx = boss.find("def _ask_one")
+    if idx >= 0:
+        print(repr(boss[idx-200:idx+100]))
+    sys.exit(1)
+boss = boss.replace(OLD_HANDLER, NEW_HANDLER, 1)
+print("Step 2 OK: handler updated with richer prompt + mode support")
+
+with open(BOSS, 'w', encoding='utf-8') as f:
+    f.write(boss)
+print("Written OK")
+
+# ── Syntax check ──────────────────────────────────────────────────────────────
+with open(BOSS, 'r', encoding='utf-8') as f:
+    src = f.read()
+try:
+    ast.parse(src)
+    print("Syntax OK")
+except SyntaxError as e:
+    lines = src.splitlines()
+    print(f"SyntaxError at line {e.lineno}: {e.msg}")
+    for i in range(max(0, e.lineno-5), min(len(lines), e.lineno+3)):
+        print(f"  {i+1}: {lines[i]}")
+    sys.exit(1)

package/python/scripts/fix_ask_codebase_stdin.py

@@ -0,0 +1,49 @@
+#!/usr/bin/env python3
+"""Fix ask_codebase: add stdin=DEVNULL so claude --print doesn't hang waiting for stdin."""
+import ast, sys
+
+BOSS = '/home/sentinel/sentinel/code/sentinel/sentinel_boss.py'
+
+with open(BOSS, 'r', encoding='utf-8') as f:
+    content = f.read()
+
+OLD = (
+    '                r = subprocess.run(\n'
+    '                    ([cfg.claude_code_bin, "--dangerously-skip-permissions", "--print", prompt]\n'
+    '                    if os.getuid() != 0 else\n'
+    '                    [cfg.claude_code_bin, "--print", prompt]),\n'
+    '                    capture_output=True, text=True, timeout=180, env=env,\n'
+    '                    cwd=str(local_path),\n'
+    '                )'
+)
+
+NEW = (
+    '                r = subprocess.run(\n'
+    '                    ([cfg.claude_code_bin, "--dangerously-skip-permissions", "--print", prompt]\n'
+    '                    if os.getuid() != 0 else\n'
+    '                    [cfg.claude_code_bin, "--print", prompt]),\n'
+    '                    capture_output=True, text=True, timeout=180, env=env,\n'
+    '                    cwd=str(local_path), stdin=subprocess.DEVNULL,\n'
+    '                )'
+)
+
+if OLD not in content:
+    print("ERROR: target block not found")
+    # Show context
+    idx = content.find('capture_output=True, text=True, timeout=180')
+    if idx >= 0:
+        print(repr(content[idx-200:idx+100]))
+    sys.exit(1)
+
+content = content.replace(OLD, NEW, 1)
+
+with open(BOSS, 'w', encoding='utf-8') as f:
+    f.write(content)
+print("Fixed: stdin=DEVNULL added to ask_codebase subprocess call")
+
+try:
+    ast.parse(content)
+    print("Syntax OK")
+except SyntaxError as e:
+    print(f"SyntaxError at line {e.lineno}: {e.msg}")
+    sys.exit(1)