@misterhuydo/sentinel 1.4.68 → 1.4.69

package/python/scripts/fix_knowledge_cache_staleness.py

@@ -0,0 +1,294 @@
+#!/usr/bin/env python3
+"""
+Make the knowledge cache commit-aware:
+- Store the repo's HEAD commit SHA when caching an answer
+- In get_knowledge, if a current_sha is passed and differs from stored sha → cache miss
+- In ask_codebase handler, read git HEAD before checking cache
+- Also: background refresh — _pr_check_loop detects HEAD changes and invalidates cache
+"""
+import ast, sys
+
+STORE = '/home/sentinel/sentinel/code/sentinel/state_store.py'
+BOSS  = '/home/sentinel/sentinel/code/sentinel/sentinel_boss.py'
+
+# ── 1. Add commit_hash column to knowledge_cache migration ────────────────────
+
+with open(STORE, 'r', encoding='utf-8') as f:
+    store_src = f.read()
+
+OLD_KC_TABLE = '''             """CREATE TABLE IF NOT EXISTS knowledge_cache (
+                    cache_key    TEXT    PRIMARY KEY,
+                    repo_name    TEXT    NOT NULL,
+                    question     TEXT    NOT NULL,
+                    answer       TEXT    NOT NULL,
+                    source_tool  TEXT    DEFAULT 'ask_codebase',
+                    cached_at    TEXT    NOT NULL,
+                    expires_at   TEXT    NOT NULL,
+                    hit_count    INTEGER DEFAULT 0
+                )"""),'''
+
+NEW_KC_TABLE = '''             """CREATE TABLE IF NOT EXISTS knowledge_cache (
+                    cache_key    TEXT    PRIMARY KEY,
+                    repo_name    TEXT    NOT NULL,
+                    question     TEXT    NOT NULL,
+                    answer       TEXT    NOT NULL,
+                    source_tool  TEXT    DEFAULT 'ask_codebase',
+                    cached_at    TEXT    NOT NULL,
+                    expires_at   TEXT    NOT NULL,
+                    hit_count    INTEGER DEFAULT 0,
+                    commit_hash  TEXT    DEFAULT ''
+                )"""),
+            ("add_knowledge_commit_hash",
+             "ALTER TABLE knowledge_cache ADD COLUMN commit_hash TEXT DEFAULT ''"),'''
+
+if OLD_KC_TABLE not in store_src:
+    print("ERROR: knowledge_cache table definition not found")
+    sys.exit(1)
+store_src = store_src.replace(OLD_KC_TABLE, NEW_KC_TABLE, 1)
+print("Step 1 OK: commit_hash column added to knowledge_cache")
+
+# ── 2. Update get_knowledge to accept and check current_sha ───────────────────
+
+OLD_GET_KNOWLEDGE = '''    def get_knowledge(self, repo_name: str, question: str) -> str | None:
+        """Return a cached answer if it exists and has not expired."""
+        key = self._knowledge_key(repo_name, question)
+        now = _now()
+        with self._conn() as conn:
+            row = conn.execute(
+                "SELECT answer, expires_at, hit_count FROM knowledge_cache "
+                "WHERE cache_key=? AND expires_at > ?",
+                (key, now),
+            ).fetchone()
+            if row:
+                conn.execute(
+                    "UPDATE knowledge_cache SET hit_count=? WHERE cache_key=?",
+                    (row["hit_count"] + 1, key),
+                )
+                return row["answer"]
+        return None'''
+
+NEW_GET_KNOWLEDGE = '''    def get_knowledge(self, repo_name: str, question: str,
+                      current_sha: str = "") -> str | None:
+        """Return a cached answer if it exists, not expired, and commit hash matches."""
+        key = self._knowledge_key(repo_name, question)
+        now = _now()
+        with self._conn() as conn:
+            row = conn.execute(
+                "SELECT answer, expires_at, hit_count, commit_hash FROM knowledge_cache "
+                "WHERE cache_key=? AND expires_at > ?",
+                (key, now),
+            ).fetchone()
+            if not row:
+                return None
+            # If we know the current HEAD, verify cache was made from same commit
+            stored_sha = row["commit_hash"] or ""
+            if current_sha and stored_sha and current_sha != stored_sha:
+                logger.debug("Knowledge cache stale for %s (sha %s→%s)",
+                             repo_name, stored_sha[:8], current_sha[:8])
+                conn.execute("DELETE FROM knowledge_cache WHERE cache_key=?", (key,))
+                return None  # stale — fetch fresh
+            conn.execute(
+                "UPDATE knowledge_cache SET hit_count=? WHERE cache_key=?",
+                (row["hit_count"] + 1, key),
+            )
+            return row["answer"]'''
+
+if OLD_GET_KNOWLEDGE not in store_src:
+    print("ERROR: get_knowledge method not found")
+    sys.exit(1)
+store_src = store_src.replace(OLD_GET_KNOWLEDGE, NEW_GET_KNOWLEDGE, 1)
+print("Step 2 OK: get_knowledge checks commit_hash")
+
+# ── 3. Update save_knowledge to store commit_hash ─────────────────────────────
+
+OLD_SAVE_KNOWLEDGE = '''    def save_knowledge(self, repo_name: str, question: str, answer: str,
+                       ttl_hours: int = 24, source_tool: str = "ask_codebase") -> None:
+        """Cache an answer. Overwrites any existing entry for this key."""
+        from datetime import timedelta
+        key       = self._knowledge_key(repo_name, question)
+        now       = _now()
+        expires   = (datetime.now(timezone.utc) + timedelta(hours=ttl_hours)).isoformat()
+        with self._conn() as conn:
+            conn.execute(
+                "INSERT OR REPLACE INTO knowledge_cache "
+                "(cache_key, repo_name, question, answer, source_tool, cached_at, expires_at, hit_count) "
+                "VALUES (?,?,?,?,?,?,?,0)",
+                (key, repo_name, question, answer, source_tool, now, expires),
+            )'''
+
+NEW_SAVE_KNOWLEDGE = '''    def save_knowledge(self, repo_name: str, question: str, answer: str,
+                       ttl_hours: int = 24, source_tool: str = "ask_codebase",
+                       commit_hash: str = "") -> None:
+        """Cache an answer, optionally tagging it with the repo's HEAD SHA."""
+        from datetime import timedelta
+        key       = self._knowledge_key(repo_name, question)
+        now       = _now()
+        expires   = (datetime.now(timezone.utc) + timedelta(hours=ttl_hours)).isoformat()
+        with self._conn() as conn:
+            conn.execute(
+                "INSERT OR REPLACE INTO knowledge_cache "
+                "(cache_key, repo_name, question, answer, source_tool, "
+                " cached_at, expires_at, hit_count, commit_hash) "
+                "VALUES (?,?,?,?,?,?,?,0,?)",
+                (key, repo_name, question, answer, source_tool, now, expires, commit_hash),
+            )'''
+
+if OLD_SAVE_KNOWLEDGE not in store_src:
+    print("ERROR: save_knowledge method not found")
+    sys.exit(1)
+store_src = store_src.replace(OLD_SAVE_KNOWLEDGE, NEW_SAVE_KNOWLEDGE, 1)
+print("Step 3 OK: save_knowledge stores commit_hash")
+
+with open(STORE, 'w', encoding='utf-8') as f:
+    f.write(store_src)
+try:
+    ast.parse(store_src)
+    print("state_store.py Syntax OK")
+except SyntaxError as e:
+    lines = store_src.splitlines()
+    print(f"SyntaxError line {e.lineno}: {e.msg}")
+    for i in range(max(0, e.lineno-4), min(len(lines), e.lineno+3)):
+        print(f"  {i+1}: {lines[i]}")
+    sys.exit(1)
+
+# ── 4. Update ask_codebase to pass git HEAD to cache layer ────────────────────
+
+with open(BOSS, 'r', encoding='utf-8') as f:
+    boss = f.read()
+
+OLD_ASK_CACHED = '''        def _ask_cached(repo_name, repo_cfg) -> dict:
+            # Check knowledge cache first (skip for issues mode — always fresh)
+            if mode != "issues":
+                cached = store.get_knowledge(repo_name, question)
+                if cached:
+                    logger.info("Boss ask_codebase %s: cache hit", repo_name)
+                    return {"repo": repo_name, "answer": cached, "cached": True}
+            result = _ask_one(repo_name, repo_cfg)
+            # Save to cache if we got a useful answer
+            if result.get("answer") and len(result["answer"]) > 50 and mode != "issues":
+                store.save_knowledge(repo_name, question, result["answer"], ttl_hours=24)
+            return result'''
+
+NEW_ASK_CACHED = '''        def _get_head_sha(repo_cfg) -> str:
+            """Get the current HEAD commit SHA from the local clone (fast, no network)."""
+            try:
+                import subprocess as _sp
+                r = _sp.run(
+                    ["git", "rev-parse", "--short", "HEAD"],
+                    cwd=str(Path(repo_cfg.local_path)),
+                    capture_output=True, text=True, timeout=5,
+                )
+                return r.stdout.strip() if r.returncode == 0 else ""
+            except Exception:
+                return ""
+
+        def _ask_cached(repo_name, repo_cfg) -> dict:
+            # Check knowledge cache first (skip for issues mode — always fresh)
+            if mode != "issues":
+                current_sha = _get_head_sha(repo_cfg)
+                cached = store.get_knowledge(repo_name, question, current_sha=current_sha)
+                if cached:
+                    logger.info("Boss ask_codebase %s: cache hit (sha=%s)", repo_name, current_sha[:8] if current_sha else "?")
+                    return {"repo": repo_name, "answer": cached, "cached": True}
+            else:
+                current_sha = ""
+            result = _ask_one(repo_name, repo_cfg)
+            # Save to cache if we got a useful answer
+            if result.get("answer") and len(result["answer"]) > 50 and mode != "issues":
+                store.save_knowledge(repo_name, question, result["answer"],
+                                     ttl_hours=24, commit_hash=current_sha)
+            return result'''
+
+if OLD_ASK_CACHED not in boss:
+    print("ERROR: _ask_cached block not found in boss")
+    sys.exit(1)
+boss = boss.replace(OLD_ASK_CACHED, NEW_ASK_CACHED, 1)
+print("Step 4 OK: ask_codebase passes HEAD SHA to cache")
+
+# ── 5. Add HEAD-change detection to _pr_check_loop ────────────────────────────
+
+with open(BOSS, 'w', encoding='utf-8') as f:
+    f.write(boss)
+try:
+    ast.parse(boss)
+    print("sentinel_boss.py Syntax OK (steps 1-4)")
+except SyntaxError as e:
+    lines = boss.splitlines()
+    print(f"SyntaxError line {e.lineno}: {e.msg}")
+    sys.exit(1)
+
+# ── 5 continues in main.py ────────────────────────────────────────────────────
+MAIN = '/home/sentinel/sentinel/code/sentinel/main.py'
+with open(MAIN, 'r', encoding='utf-8') as f:
+    boss = f.read()
+
+OLD_CLOSE_PRS = '''                # Mark PRs in DB that are no longer open on GitHub
+                all_tracked = store.get_prs(repo_name=repo_name, state="open")
+                for tracked in all_tracked:
+                    if tracked["pr_number"] not in seen_nums:
+                        store.close_pr(repo_name, tracked["pr_number"], state="closed")
+                        logger.info("PR check: closed PR %s #%d (no longer open on GitHub)",
+                                    repo_name, tracked["pr_number"])
+
+            except Exception as _e:
+                logger.debug("PR check error for %s: %s", repo_name, _e)
+                continue'''
+
+NEW_CLOSE_PRS = '''                # Mark PRs in DB that are no longer open on GitHub
+                all_tracked = store.get_prs(repo_name=repo_name, state="open")
+                for tracked in all_tracked:
+                    if tracked["pr_number"] not in seen_nums:
+                        store.close_pr(repo_name, tracked["pr_number"], state="closed")
+                        logger.info("PR check: closed PR %s #%d (no longer open on GitHub)",
+                                    repo_name, tracked["pr_number"])
+
+                # Detect HEAD change on default branch → invalidate knowledge cache
+                try:
+                    import subprocess as _sp2
+                    _lp = getattr(repo_cfg, "local_path", None)
+                    if _lp:
+                        _r = _sp2.run(
+                            ["git", "fetch", "--quiet", "origin"],
+                            cwd=str(_lp), capture_output=True, timeout=30,
+                        )
+                        if _r.returncode == 0:
+                            _local = _sp2.run(
+                                ["git", "rev-parse", "--short", "HEAD"],
+                                cwd=str(_lp), capture_output=True, text=True, timeout=5,
+                            ).stdout.strip()
+                            _remote = _sp2.run(
+                                ["git", "rev-parse", "--short", f"origin/{repo_cfg.branch}"],
+                                cwd=str(_lp), capture_output=True, text=True, timeout=5,
+                            ).stdout.strip()
+                            if _local and _remote and _local != _remote:
+                                deleted = store.invalidate_knowledge(repo_name)
+                                if deleted:
+                                    logger.info("PR check: HEAD changed for %s (%s→%s), "
+                                                "invalidated %d knowledge cache entries",
+                                                repo_name, _local, _remote, deleted)
+                except Exception as _ce:
+                    logger.debug("Head-change check failed for %s: %s", repo_name, _ce)
+
+            except Exception as _e:
+                logger.debug("PR check error for %s: %s", repo_name, _e)
+                continue'''
+
+if OLD_CLOSE_PRS not in boss:
+    print("ERROR: close PRs block not found in boss")
+    sys.exit(1)
+boss = boss.replace(OLD_CLOSE_PRS, NEW_CLOSE_PRS, 1)
+print("Step 5 OK: _pr_check_loop detects HEAD changes and invalidates cache")
+
+with open(MAIN, 'w', encoding='utf-8') as f:
+    f.write(boss)
+print("Written OK")
+
+try:
+    ast.parse(boss)
+    print("main.py Syntax OK")
+except SyntaxError as e:
+    lines = boss.splitlines()
+    print(f"SyntaxError line {e.lineno}: {e.msg}")
+    for i in range(max(0, e.lineno-5), min(len(lines), e.lineno+3)):
+        print(f"  {i+1}: {lines[i]}")
+    sys.exit(1)

package/python/scripts/fix_merge_confirm.py

@@ -0,0 +1,295 @@
+#!/usr/bin/env python3
+"""
+Add confirmed=false/true confirmation step to merge_pr.
+On confirmed=false (default): fetch PR details, show plan, ask for confirmation.
+On confirmed=true: execute the merge.
+"""
+import ast, sys
+
+BOSS = '/home/sentinel/sentinel/code/sentinel/sentinel_boss.py'
+
+with open(BOSS, 'r', encoding='utf-8') as f:
+    boss = f.read()
+
+# ── 1. Update tool definition — add confirmed param ──────────────────────────
+
+OLD_DEF = '''        "name": "merge_pr",
+        "description": (
+            "ADMIN ONLY. Merge an open Sentinel PR into the main branch. "
+            "Use when AUTO_PUBLISH=false and you are satisfied with the fix after review. "
+            "Handles rebase conflicts automatically if possible. "
+            "e.g. 'merge the fix for Whydah-TypeLib', 'sync fix abc123 to main', "
+            "'merge the open PR for elprint-sales-core-service'"
+        ),
+        "input_schema": {
+            "type": "object",
+            "properties": {
+                "repo_name": {
+                    "type": "string",
+                    "description": "Repository name (must match a repo in config/repos/)",
+                },
+                "fingerprint": {
+                    "type": "string",
+                    "description": "Optional 8-char fingerprint to target a specific fix PR. "
+                                   "If omitted, merges the most recent open PR for the repo.",
+                },
+                "pr_number": {
+                    "type": "integer",
+                    "description": "Merge a specific PR by number (e.g. a Renovate PR). "
+                                   "When set, repo_name is still required but fingerprint is ignored.",
+                },
+            },
+            "required": ["repo_name"],
+        },
+    },'''
+
+NEW_DEF = '''        "name": "merge_pr",
+        "description": (
+            "ADMIN ONLY. Merge a PR into the main branch. "
+            "ALWAYS call with confirmed=false first to show PR details for admin review — "
+            "never merge without showing the plan first. "
+            "Use for Sentinel fix PRs (AUTO_PUBLISH=false) or Renovate/external PRs by number. "
+            "confirmed=false fetches and shows PR details; confirmed=true executes the merge. "
+            "e.g. 'merge the fix for Whydah-TypeLib', 'merge TypeLib PR #247'"
+        ),
+        "input_schema": {
+            "type": "object",
+            "properties": {
+                "repo_name": {
+                    "type": "string",
+                    "description": "Repository name (must match a repo in config/repos/)",
+                },
+                "fingerprint": {
+                    "type": "string",
+                    "description": "Optional 8-char fingerprint to target a specific Sentinel fix PR.",
+                },
+                "pr_number": {
+                    "type": "integer",
+                    "description": "Merge a specific PR by number (e.g. a Renovate PR). "
+                                   "When set, repo_name is still required but fingerprint is ignored.",
+                },
+                "confirmed": {
+                    "type": "boolean",
+                    "description": (
+                        "false (default) = fetch PR details and show plan for review, do NOT merge yet. "
+                        "true = execute the merge after admin has seen and approved the plan."
+                    ),
+                },
+            },
+            "required": ["repo_name"],
+        },
+    },'''
+
+if OLD_DEF not in boss:
+    print("ERROR: merge_pr tool definition not found")
+    sys.exit(1)
+boss = boss.replace(OLD_DEF, NEW_DEF, 1)
+
+# ── 2. Update handler — add plan phase before both paths ─────────────────────
+
+OLD_HANDLER_START = '''        if name == "merge_pr":
+            import re as _re
+            import requests as _req
+            repo_name    = inputs.get("repo_name", "").strip()
+            fingerprint  = inputs.get("fingerprint", "").strip()
+            pr_number_in = inputs.get("pr_number")   # explicit PR number (e.g. Renovate PR)
+            github_token = cfg_loader.sentinel.github_token
+            if not github_token:
+                return json.dumps({"error": "GITHUB_TOKEN not configured"})
+
+            headers = {
+                "Authorization": f"Bearer {github_token}",
+                "Accept": "application/vnd.github+json",
+            }
+
+            # Fuzzy-match repo name against known configs
+            if repo_name not in cfg_loader.repos:
+                for rname in cfg_loader.repos:
+                    if repo_name.lower() in rname.lower():
+                        repo_name = rname
+                        break
+
+            # ── Path A: explicit pr_number — merge directly via GitHub API ────
+            if pr_number_in:'''
+
+NEW_HANDLER_START = '''        if name == "merge_pr":
+            import re as _re
+            import requests as _req
+            repo_name    = inputs.get("repo_name", "").strip()
+            fingerprint  = inputs.get("fingerprint", "").strip()
+            pr_number_in = inputs.get("pr_number")   # explicit PR number (e.g. Renovate PR)
+            confirmed    = bool(inputs.get("confirmed", False))
+            github_token = cfg_loader.sentinel.github_token
+            if not github_token:
+                return json.dumps({"error": "GITHUB_TOKEN not configured"})
+
+            headers = {
+                "Authorization": f"Bearer {github_token}",
+                "Accept": "application/vnd.github+json",
+            }
+
+            # Fuzzy-match repo name against known configs
+            if repo_name not in cfg_loader.repos:
+                for rname in cfg_loader.repos:
+                    if repo_name.lower() in rname.lower():
+                        repo_name = rname
+                        break
+
+            # ── Path A: explicit pr_number — fetch details, then merge ────────
+            if pr_number_in:'''
+
+if OLD_HANDLER_START not in boss:
+    print("ERROR: merge_pr handler start not found")
+    sys.exit(1)
+boss = boss.replace(OLD_HANDLER_START, NEW_HANDLER_START, 1)
+
+# ── 3. After fetching PR details in Path A, add plan phase before merge ───────
+
+OLD_PATH_A_MERGE = '''                pr_data = pr_resp.json()
+                if pr_data.get("state") != "open":
+                    return json.dumps({"error": f"PR #{pr_number_in} is already {pr_data.get('state')} — nothing to merge"})
+                pr_url  = pr_data.get("html_url", "")
+                branch  = pr_data.get("head", {}).get("ref", "")
+                pr_title = pr_data.get("title", "")
+
+                merge_resp = _req.put('''
+
+NEW_PATH_A_MERGE = '''                pr_data = pr_resp.json()
+                if pr_data.get("state") != "open":
+                    return json.dumps({"error": f"PR #{pr_number_in} is already {pr_data.get('state')} — nothing to merge"})
+                pr_url   = pr_data.get("html_url", "")
+                branch   = pr_data.get("head", {}).get("ref", "")
+                pr_title = pr_data.get("title", "")
+                pr_author = pr_data.get("user", {}).get("login", "unknown")
+                pr_body   = (pr_data.get("body") or "")[:300]
+                files_changed = pr_data.get("changed_files", "?")
+                additions     = pr_data.get("additions", "?")
+                deletions     = pr_data.get("deletions", "?")
+                mergeable     = pr_data.get("mergeable")
+
+                # ── Plan phase — always show before merging ───────────────────
+                if not confirmed:
+                    return json.dumps({
+                        "plan": f"Merge PR #{pr_number_in} into {repo_name}",
+                        "pr_number":     pr_number_in,
+                        "pr_url":        pr_url,
+                        "title":         pr_title,
+                        "author":        pr_author,
+                        "branch":        branch,
+                        "files_changed": files_changed,
+                        "additions":     additions,
+                        "deletions":     deletions,
+                        "mergeable":     mergeable,
+                        "description":   pr_body or "(no description)",
+                        "confirm_prompt": (
+                            f"This will squash-merge PR #{pr_number_in} (\\"{pr_title}\\") "
+                            f"from {pr_author} into {repo_name}. Reply with confirmed=true to proceed."
+                        ),
+                    })
+
+                merge_resp = _req.put('''
+
+if OLD_PATH_A_MERGE not in boss:
+    print("ERROR: Path A merge block not found")
+    sys.exit(1)
+boss = boss.replace(OLD_PATH_A_MERGE, NEW_PATH_A_MERGE, 1)
+
+# ── 4. Add plan phase for Path B (state_store PRs) ────────────────────────────
+
+OLD_PATH_B = '''            # ── Path B: state_store lookup (Sentinel-managed PRs) ─────────────
+            open_prs = store.get_open_prs()
+            candidates = [p for p in open_prs if p.get("repo_name") == repo_name]
+            if fingerprint:
+                candidates = [p for p in candidates if p.get("fingerprint", "").startswith(fingerprint)]
+            if not candidates:
+                return json.dumps({"error": f"No open Sentinel PR found for repo \'{repo_name}\'"
+                                            + (f" with fingerprint \'{fingerprint}\'" if fingerprint else "")})
+            fix = candidates[0]  # most recent
+            pr_url = fix.get("pr_url", "")
+            branch = fix.get("branch", "")
+            fp     = fix.get("fingerprint", "")
+
+            # Parse owner/repo and PR number from pr_url
+            m = _re.search(r"github\\.com/([^/]+/[^/]+)/pull/(\\d+)", pr_url)
+            if not m:
+                return json.dumps({"error": f"Cannot parse PR URL: {pr_url}"})
+            owner_repo = m.group(1)
+            pr_number  = m.group(2)'''
+
+NEW_PATH_B = '''            # ── Path B: state_store lookup (Sentinel-managed PRs) ─────────────
+            open_prs = store.get_open_prs()
+            candidates = [p for p in open_prs if p.get("repo_name") == repo_name]
+            if fingerprint:
+                candidates = [p for p in candidates if p.get("fingerprint", "").startswith(fingerprint)]
+            if not candidates:
+                return json.dumps({"error": f"No open Sentinel PR found for repo \'{repo_name}\'"
+                                            + (f" with fingerprint \'{fingerprint}\'" if fingerprint else "")})
+            fix = candidates[0]  # most recent
+            pr_url = fix.get("pr_url", "")
+            branch = fix.get("branch", "")
+            fp     = fix.get("fingerprint", "")
+
+            # Parse owner/repo and PR number from pr_url
+            m = _re.search(r"github\\.com/([^/]+/[^/]+)/pull/(\\d+)", pr_url)
+            if not m:
+                return json.dumps({"error": f"Cannot parse PR URL: {pr_url}"})
+            owner_repo = m.group(1)
+            pr_number  = m.group(2)
+
+            # Fetch live PR details for the plan
+            pr_resp2 = _req.get(
+                f"https://api.github.com/repos/{owner_repo}/pulls/{pr_number}",
+                headers=headers, timeout=15,
+            )
+            pr_detail = pr_resp2.json() if pr_resp2.status_code == 200 else {}
+            pr_title2    = pr_detail.get("title", fix.get("fingerprint", ""))
+            pr_state2    = pr_detail.get("state", "unknown")
+            files_changed2 = pr_detail.get("changed_files", "?")
+            additions2     = pr_detail.get("additions", "?")
+            deletions2     = pr_detail.get("deletions", "?")
+            pr_body2       = (pr_detail.get("body") or "")[:300]
+
+            if pr_state2 != "open" and pr_state2 != "unknown":
+                return json.dumps({"error": f"PR #{pr_number} is already {pr_state2} — nothing to merge"})
+
+            # ── Plan phase — always show before merging ───────────────────────
+            if not confirmed:
+                return json.dumps({
+                    "plan":          f"Merge Sentinel fix PR #{pr_number} into {repo_name}",
+                    "pr_number":     pr_number,
+                    "pr_url":        pr_url,
+                    "title":         pr_title2,
+                    "fingerprint":   fp[:8],
+                    "branch":        branch,
+                    "files_changed": files_changed2,
+                    "additions":     additions2,
+                    "deletions":     deletions2,
+                    "description":   pr_body2 or "(no description)",
+                    "confirm_prompt": (
+                        f"This will squash-merge Sentinel fix PR #{pr_number} (\\"{pr_title2}\\") "
+                        f"into {repo_name}/{fix.get('branch', 'main')}. "
+                        f"Reply with confirmed=true to proceed."
+                    ),
+                })'''
+
+if OLD_PATH_B not in boss:
+    print("ERROR: Path B block not found")
+    sys.exit(1)
+boss = boss.replace(OLD_PATH_B, NEW_PATH_B, 1)
+
+with open(BOSS, 'w', encoding='utf-8') as f:
+    f.write(boss)
+print("Confirmation step added to merge_pr")
+
+# ── Syntax check ──────────────────────────────────────────────────────────────
+with open(BOSS, 'r', encoding='utf-8') as f:
+    src = f.read()
+try:
+    ast.parse(src)
+    print("Syntax OK")
+except SyntaxError as e:
+    lines = src.splitlines()
+    print(f"SyntaxError at line {e.lineno}: {e.msg}")
+    for i in range(max(0, e.lineno-5), min(len(lines), e.lineno+3)):
+        print(f"  {i+1}: {lines[i]}")
+    sys.exit(1)

package/python/scripts/fix_permission_messages.py

@@ -0,0 +1,78 @@
+#!/usr/bin/env python3
+"""
+Make admin permission denial messages more descriptive — tell the user
+exactly which operation they tried and how to get help.
+"""
+import ast, sys
+
+BOSS = '/home/sentinel/sentinel/code/sentinel/sentinel_boss.py'
+
+with open(BOSS, 'r', encoding='utf-8') as f:
+    boss = f.read()
+
+replacements = [
+    # list_prs
+    (
+        '        if name == "list_prs":\n            if not is_admin:\n                return json.dumps({"error": "Admin access required."})',
+        '        if name == "list_prs":\n            if not is_admin:\n                return json.dumps({"error": "list_prs is admin-only. Ask a Sentinel admin (SLACK_ADMIN_USERS) to run this for you."})',
+    ),
+    # drop_pr
+    (
+        '        if name == "drop_pr":\n            if not is_admin:\n                return json.dumps({"error": "Admin access required."})',
+        '        if name == "drop_pr":\n            if not is_admin:\n                return json.dumps({"error": "drop_pr is admin-only. Ask a Sentinel admin to drop this PR for you."})',
+    ),
+    # merge_pr confirmed=false check
+    (
+        '            if not is_admin:\n                return json.dumps({"error": "Admin access required."})\n\n            headers = {',
+        '            if not is_admin:\n                return json.dumps({"error": "merge_pr is admin-only. Ask a Sentinel admin to merge this PR."})\n\n            headers = {',
+    ),
+    # watch_bot
+    (
+        'return json.dumps({"error": "Admin access required to register bots for monitoring."})',
+        'return json.dumps({"error": "watch_bot is admin-only. Ask a Sentinel admin to register this bot."})',
+    ),
+    # unwatch_bot
+    (
+        'return json.dumps({"error": "Admin access required to remove bots from monitoring."})',
+        'return json.dumps({"error": "unwatch_bot is admin-only. Ask a Sentinel admin to remove this bot."})',
+    ),
+    # upgrade
+    (
+        'return json.dumps({"error": "Admin access required to upgrade Sentinel."})',
+        'return json.dumps({"error": "upgrade is admin-only. Ask a Sentinel admin to perform the upgrade."})',
+    ),
+    # restart_project
+    (
+        'return json.dumps({"error": "Admin access required to restart a project."})',
+        'return json.dumps({"error": "restart_project is admin-only. Ask a Sentinel admin to restart the project."})',
+    ),
+    # export_db (generic SLACK_ADMIN_USERS message)
+    (
+        'return json.dumps({"error": "Admin access required. You are not in SLACK_ADMIN_USERS."})',
+        'return json.dumps({"error": "This operation is admin-only (SLACK_ADMIN_USERS). Contact a Sentinel admin if you need access."})',
+    ),
+]
+
+changed = 0
+for old, new in replacements:
+    if old in boss:
+        boss = boss.replace(old, new, 1)
+        changed += 1
+    else:
+        print(f"WARNING: pattern not found — {old[:60]!r}")
+
+print(f"Applied {changed}/{len(replacements)} replacements")
+
+with open(BOSS, 'w', encoding='utf-8') as f:
+    f.write(boss)
+print("Written OK")
+
+try:
+    ast.parse(boss)
+    print("Syntax OK")
+except SyntaxError as e:
+    lines = boss.splitlines()
+    print(f"SyntaxError at line {e.lineno}: {e.msg}")
+    for i in range(max(0, e.lineno-3), min(len(lines), e.lineno+3)):
+        print(f"  {i+1}: {lines[i]}")
+    sys.exit(1)