@misterhuydo/sentinel 1.4.68 → 1.4.69

package/python/scripts/fix_pr_tracking_main.py

@@ -0,0 +1,174 @@
+#!/usr/bin/env python3
+"""
+Add _pr_check_loop to main.py:
+- Polls GitHub API every 30 min for open PRs across all managed repos
+- Upserts into pull_requests table
+- Posts one-time Slack notification per new PR to admin channel
+- Closes PRs in DB that are no longer open on GitHub
+"""
+import ast, sys
+
+MAIN = '/home/sentinel/sentinel/code/sentinel/main.py'
+
+with open(MAIN, 'r', encoding='utf-8') as f:
+    src = f.read()
+
+# ── 1. Add the _pr_check_loop function before run_loop ────────────────────────
+
+ANCHOR = '''async def run_loop(cfg_loader: ConfigLoader, store: StateStore):'''
+
+if ANCHOR not in src:
+    print("ERROR: run_loop anchor not found")
+    sys.exit(1)
+
+PR_LOOP = '''async def _pr_check_loop(cfg_loader: ConfigLoader, store: StateStore) -> None:
+    """
+    Poll GitHub for open PRs across all managed repos every 30 min.
+    New PRs are saved to pull_requests table and admins are notified once.
+    """
+    import re as _re
+    import requests as _req
+
+    CHECK_INTERVAL = 1800  # 30 minutes
+
+    def _classify_source(pr: dict) -> str:
+        author = (pr.get("user") or {}).get("login", "")
+        head   = (pr.get("head") or {}).get("ref", "")
+        if author == "renovate[bot]" or author.startswith("renovate"):
+            return "renovate"
+        if head.startswith("sentinel/fix-"):
+            return "sentinel-fix"
+        return "external"
+
+    def _owner_repo(repo_cfg) -> str:
+        url = getattr(repo_cfg, "repo_url", "") or ""
+        if url.startswith("git@"):
+            return url.split(":")[-1].removesuffix(".git")
+        parts = url.rstrip("/").split("/")
+        return "/".join(parts[-2:]).removesuffix(".git")
+
+    await asyncio.sleep(60)  # short delay at startup so everything else is ready
+
+    while True:
+        cfg      = cfg_loader.sentinel
+        gh_token = cfg.github_token
+        if not gh_token:
+            await asyncio.sleep(CHECK_INTERVAL)
+            continue
+
+        headers = {
+            "Authorization": f"Bearer {gh_token}",
+            "Accept": "application/vnd.github+json",
+        }
+
+        for repo_name, repo_cfg in cfg_loader.repos.items():
+            owner_repo = _owner_repo(repo_cfg)
+            if not owner_repo or "/" not in owner_repo:
+                continue
+            try:
+                resp = _req.get(
+                    f"https://api.github.com/repos/{owner_repo}/pulls?state=open&per_page=50",
+                    headers=headers, timeout=15,
+                )
+                if resp.status_code != 200:
+                    logger.debug("PR check %s: HTTP %s", repo_name, resp.status_code)
+                    continue
+
+                open_prs  = resp.json()
+                seen_nums = set()
+                for pr in open_prs:
+                    num    = pr["number"]
+                    url    = pr["html_url"]
+                    title  = pr.get("title", "")
+                    author = (pr.get("user") or {}).get("login", "unknown")
+                    head   = (pr.get("head") or {}).get("ref", "")
+                    base   = (pr.get("base") or {}).get("ref", "main")
+                    source = _classify_source(pr)
+                    seen_nums.add(num)
+
+                    is_new = store.upsert_pr(
+                        repo_name=repo_name, pr_number=num, pr_url=url,
+                        title=title, author=author, head_branch=head,
+                        base_branch=base, source=source, pr_state="open",
+                    )
+                    if is_new:
+                        logger.info("PR check: new PR %s #%d (%s) by %s", repo_name, num, source, author)
+
+                # Mark PRs in DB that are no longer open on GitHub
+                all_tracked = store.get_prs(repo_name=repo_name, state="open")
+                for tracked in all_tracked:
+                    if tracked["pr_number"] not in seen_nums:
+                        store.close_pr(repo_name, tracked["pr_number"], state="closed")
+                        logger.info("PR check: closed PR %s #%d (no longer open on GitHub)",
+                                    repo_name, tracked["pr_number"])
+
+            except Exception as _e:
+                logger.debug("PR check error for %s: %s", repo_name, _e)
+                continue
+
+        # Notify admins of any unnotified new PRs (one message per PR)
+        to_notify = store.get_prs_for_notification()
+        if to_notify and cfg.slack_bot_token and cfg.slack_channel:
+            from .notify import slack_alert
+            for pr in to_notify:
+                source_tag = {
+                    "renovate": ":dependabot: Renovate",
+                    "sentinel-fix": ":robot_face: Sentinel fix",
+                    "external": ":octocat: External",
+                }.get(pr.get("source", "external"), ":octocat: PR")
+                _nl = "\\n"
+                msg = (
+                    f":bell: *New PR* \\u2014 `{pr['repo_name']}` #{pr['pr_number']} [{source_tag}]{_nl}"
+                    f"*{pr['title']}*{_nl}"
+                    f"By `{pr['author']}` on branch `{pr['head_branch']}`{_nl}"
+                    f"{pr['pr_url']}{_nl}"
+                    f"_Reply: `list prs` to review, then `merge PR #{pr['pr_number']} in {pr['repo_name']}` "
+                    f"or `drop PR #{pr['pr_number']} in {pr['repo_name']}`_"
+                )
+                try:
+                    slack_alert(cfg.slack_bot_token, cfg.slack_channel, msg)
+                    store.mark_pr_notified(pr['repo_name'], pr['pr_number'])
+                    logger.info("PR notified: %s #%d", pr['repo_name'], pr['pr_number'])
+                except Exception as _ne:
+                    logger.warning("Failed to notify PR %s #%d: %s", pr['repo_name'], pr['pr_number'], _ne)
+
+        await asyncio.sleep(CHECK_INTERVAL)
+
+
+'''
+
+src = src.replace(ANCHOR, PR_LOOP + ANCHOR, 1)
+print("Step 1 OK: _pr_check_loop added")
+
+# ── 2. Start the loop in run_loop ─────────────────────────────────────────────
+
+OLD_START = '''    if cfg_loader.sentinel.slack_bot_token:
+        from .slack_bot import run_slack_bot
+        asyncio.ensure_future(run_slack_bot(cfg_loader, store))'''
+
+NEW_START = '''    if cfg_loader.sentinel.slack_bot_token:
+        from .slack_bot import run_slack_bot
+        asyncio.ensure_future(run_slack_bot(cfg_loader, store))
+
+    if cfg_loader.sentinel.github_token:
+        asyncio.ensure_future(_pr_check_loop(cfg_loader, store))'''
+
+if OLD_START not in src:
+    print("ERROR: slack_bot start anchor not found")
+    sys.exit(1)
+src = src.replace(OLD_START, NEW_START, 1)
+print("Step 2 OK: _pr_check_loop started in run_loop")
+
+with open(MAIN, 'w', encoding='utf-8') as f:
+    f.write(src)
+print("Written OK")
+
+try:
+    ast.parse(src)
+    print("Syntax OK")
+except SyntaxError as e:
+    lines = src.splitlines()
+    print(f"SyntaxError at line {e.lineno}: {e.msg}")
+    for i in range(max(0, e.lineno-5), min(len(lines), e.lineno+3)):
+        print(f"  {i+1}: {lines[i]}")
+    sys.exit(1)

package/python/scripts/fix_project_isolation.py

@@ -0,0 +1,197 @@
+#!/usr/bin/env python3
+"""
+Project isolation + identity:
+1. Add SLACK_WORKSPACE_ID + PROJECT_DESCRIPTION to config_loader
+2. Verify workspace_id on every incoming Slack event in slack_bot.py
+3. Inject project identity + scope isolation into the runtime system prompt
+4. Boss refuses cross-project requests by design
+"""
+import ast, sys
+
+CODE = '/home/sentinel/sentinel/code/sentinel'
+
+# ── 1. Add fields to SentinelConfig in config_loader.py ──────────────────────
+
+with open(f'{CODE}/config_loader.py', 'r', encoding='utf-8') as f:
+    cfg_src = f.read()
+
+OLD_CFG = '''    project_name: str = ""           # optional: friendly name used by Sentinel Boss (e.g. "1881")'''
+
+NEW_CFG = '''    project_name: str = ""           # optional: friendly name used by Sentinel Boss (e.g. "1881")
+    project_description: str = ""    # short description of what this project is/does
+    slack_workspace_id: str = ""     # Slack team_id (T...) — if set, reject events from other workspaces'''
+
+if OLD_CFG not in cfg_src:
+    print("ERROR: project_name field not found in config_loader")
+    sys.exit(1)
+cfg_src = cfg_src.replace(OLD_CFG, NEW_CFG, 1)
+
+OLD_LOAD = '''        c.project_name = d.get("PROJECT_NAME", "") or Path(self.config_dir).resolve().parent.name'''
+NEW_LOAD = '''        c.project_name        = d.get("PROJECT_NAME", "") or Path(self.config_dir).resolve().parent.name
+        c.project_description = d.get("PROJECT_DESCRIPTION", "")
+        c.slack_workspace_id  = d.get("SLACK_WORKSPACE_ID", "").strip()'''
+
+if OLD_LOAD not in cfg_src:
+    print("ERROR: project_name load line not found in config_loader")
+    sys.exit(1)
+cfg_src = cfg_src.replace(OLD_LOAD, NEW_LOAD, 1)
+
+with open(f'{CODE}/config_loader.py', 'w', encoding='utf-8') as f:
+    f.write(cfg_src)
+try:
+    ast.parse(cfg_src)
+    print("Step 1 OK: SLACK_WORKSPACE_ID + PROJECT_DESCRIPTION added to config")
+except SyntaxError as e:
+    print(f"SyntaxError config_loader line {e.lineno}: {e.msg}"); sys.exit(1)
+
+# ── 2. Workspace verification in slack_bot.py ─────────────────────────────────
+
+with open(f'{CODE}/slack_bot.py', 'r', encoding='utf-8') as f:
+    bot_src = f.read()
+
+# Inject workspace check right after the user_id / allowlist check in _dispatch
+OLD_DISPATCH_CHECK = '''    # Allowlist check — if SLACK_ALLOWED_USERS is configured, silently ignore everyone else
+    allowed = cfg_loader.sentinel.slack_allowed_users
+    if allowed and user_id not in allowed:
+        logger.warning("Boss: ignoring message from unauthorised user %s", user_id)
+        return'''
+
+NEW_DISPATCH_CHECK = '''    # Workspace isolation — if SLACK_WORKSPACE_ID is set, reject events from other workspaces
+    expected_workspace = cfg_loader.sentinel.slack_workspace_id
+    if expected_workspace:
+        event_team = event.get("team") or event.get("team_id", "")
+        if event_team and event_team != expected_workspace:
+            logger.warning(
+                "Boss: ignoring event from workspace %s (expected %s) — user %s",
+                event_team, expected_workspace, user_id,
+            )
+            return
+
+    # Allowlist check — if SLACK_ALLOWED_USERS is configured, silently ignore everyone else
+    allowed = cfg_loader.sentinel.slack_allowed_users
+    if allowed and user_id not in allowed:
+        logger.warning("Boss: ignoring message from unauthorised user %s", user_id)
+        return'''
+
+if OLD_DISPATCH_CHECK not in bot_src:
+    print("ERROR: allowlist check anchor not found in slack_bot")
+    sys.exit(1)
+bot_src = bot_src.replace(OLD_DISPATCH_CHECK, NEW_DISPATCH_CHECK, 1)
+
+with open(f'{CODE}/slack_bot.py', 'w', encoding='utf-8') as f:
+    f.write(bot_src)
+try:
+    ast.parse(bot_src)
+    print("Step 2 OK: workspace isolation check added to slack_bot._dispatch")
+except SyntaxError as e:
+    print(f"SyntaxError slack_bot line {e.lineno}: {e.msg}"); sys.exit(1)
+
+# ── 3. Inject project identity into the runtime system prompt ─────────────────
+
+with open(f'{CODE}/sentinel_boss.py', 'r', encoding='utf-8') as f:
+    boss = f.read()
+
+# Update _resolve_system to accept project context and prepend it
+OLD_RESOLVE = '''def _resolve_system(boss_mode: str = "standard") -> str:
+    hint = _BOSS_MODE_HINTS.get(boss_mode, _BOSS_MODE_HINTS["standard"])
+    return _SYSTEM.replace("{BOSS_MODE_HINT}", hint)'''
+
+NEW_RESOLVE = '''def _resolve_system(boss_mode: str = "standard",
+                    project_name: str = "",
+                    project_description: str = "",
+                    other_project_names: list | None = None) -> str:
+    """Build the system prompt, prepending a project-identity block."""
+    hint = _BOSS_MODE_HINTS.get(boss_mode, _BOSS_MODE_HINTS["standard"])
+    base = _SYSTEM.replace("{BOSS_MODE_HINT}", hint)
+
+    if not project_name:
+        return base
+
+    # Project identity header — injected at the very top
+    desc_line = f"\\nProject description: {project_description}" if project_description else ""
+    others = [n for n in (other_project_names or []) if n.lower() != project_name.lower()]
+    if others:
+        scope_line = (
+            f"\\n\\nSCOPE ISOLATION (important): You serve ONLY the {project_name} project. "
+            f"This Sentinel host also runs instances for: {', '.join(others)}. "
+            f"If a user asks about {', '.join(others)} or any other project not in your repos, "
+            f"decline and explain you are scoped to {project_name} only. "
+            f"Never expose config, logs, errors, or code from other projects."
+        )
+    else:
+        scope_line = (
+            f"\\n\\nSCOPE: You serve ONLY the {project_name} project. "
+            f"Decline requests about projects or repos you do not manage."
+        )
+
+    identity = (
+        f"PROJECT IDENTITY\\n"
+        f"You are Sentinel Boss for: {project_name}{desc_line}"
+        f"{scope_line}\\n"
+        f"{'=' * 60}\\n\\n"
+    )
+    return identity + base'''
+
+if OLD_RESOLVE not in boss:
+    print("ERROR: _resolve_system not found in boss")
+    sys.exit(1)
+boss = boss.replace(OLD_RESOLVE, NEW_RESOLVE, 1)
+print("Step 3a OK: _resolve_system updated to accept project context")
+
+# Update both call sites of _resolve_system to pass project + other-projects context
+# There are two call sites (CLI mode ~3711 and API mode ~3910)
+# We'll update the API mode one first — it has access to cfg_loader
+
+OLD_SYSTEM_CALL_API = '''    system = (
+        _resolve_system(getattr(cfg_loader.sentinel, "boss_mode", "standard"))'''
+
+NEW_SYSTEM_CALL_API = '''    _known_projects = [_read_project_name(d) for d in _find_project_dirs()]
+    system = (
+        _resolve_system(
+            boss_mode=getattr(cfg_loader.sentinel, "boss_mode", "standard"),
+            project_name=cfg_loader.sentinel.project_name or _read_project_name(Path(".")),
+            project_description=getattr(cfg_loader.sentinel, "project_description", ""),
+            other_project_names=_known_projects,
+        )'''
+
+if OLD_SYSTEM_CALL_API not in boss:
+    print("ERROR: API system prompt call not found")
+    sys.exit(1)
+boss = boss.replace(OLD_SYSTEM_CALL_API, NEW_SYSTEM_CALL_API, 1)
+print("Step 3b OK: API-mode system prompt passes project identity")
+
+# CLI fallback mode
+OLD_SYSTEM_CALL_CLI = '''        _resolve_system(getattr(cfg_loader.sentinel, "boss_mode", "standard"))
+        + (f"\\nYou are speaking with: {user_name}'''
+
+NEW_SYSTEM_CALL_CLI = '''        _resolve_system(
+            boss_mode=getattr(cfg_loader.sentinel, "boss_mode", "standard"),
+            project_name=cfg_loader.sentinel.project_name or _read_project_name(Path(".")),
+            project_description=getattr(cfg_loader.sentinel, "project_description", ""),
+            other_project_names=[_read_project_name(d) for d in _find_project_dirs()],
+        )
+        + (f"\\nYou are speaking with: {user_name}'''
+
+if OLD_SYSTEM_CALL_CLI not in boss:
+    print("ERROR: CLI system prompt call not found")
+    sys.exit(1)
+boss = boss.replace(OLD_SYSTEM_CALL_CLI, NEW_SYSTEM_CALL_CLI, 1)
+print("Step 3c OK: CLI-mode system prompt passes project identity")
+
+with open(f'{CODE}/sentinel_boss.py', 'w', encoding='utf-8') as f:
+    f.write(boss)
+try:
+    ast.parse(boss)
+    print("Step 3 OK: sentinel_boss.py Syntax OK")
+except SyntaxError as e:
+    lines = boss.splitlines()
+    print(f"SyntaxError line {e.lineno}: {e.msg}")
+    for i in range(max(0, e.lineno-4), min(len(lines), e.lineno+3)):
+        print(f"  {i+1}: {lines[i]}")
+    sys.exit(1)
+
+print("\nAll steps complete.")
+print("Add to each project's sentinel.properties:")
+print("  PROJECT_NAME=1881")
+print("  PROJECT_DESCRIPTION=Norwegian directory services and telecom platform")
+print("  SLACK_WORKSPACE_ID=T01234ABCD   # Slack team_id for workspace verification")