@misterhuydo/sentinel 1.4.69 → 1.4.71

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-03-25T16:26:53.611Z
+2026-03-26T18:52:08.498Z

package/.cairn/session.json

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-03-25T16:15:37.097Z",
-  "checkpoint_at": "2026-03-25T16:15:37.098Z",
+  "message": "Auto-checkpoint at 2026-03-26T18:49:49.152Z",
+  "checkpoint_at": "2026-03-26T18:49:49.153Z",
   "active_files": [],
   "notes": [],
   "mtime_snapshot": {}

package/lib/.cairn/minify-map.json

@@ -1,20 +1,8 @@
 {
-  "J:\\Projects\\Sentinel\\cli\\lib\\add.js": {
-    "tempPath": "J:\\Projects\\Sentinel\\cli\\lib\\.cairn\\views\\fc4a1a_add.js",
-    "state": "edit-ready",
-    "minifiedAt": 1774403831187.837,
-    "readCount": 1
-  },
   "J:\\Projects\\Sentinel\\cli\\lib\\upgrade.js": {
     "tempPath": "J:\\Projects\\Sentinel\\cli\\lib\\.cairn\\views\\fb78ac_upgrade.js",
     "state": "edit-ready",
     "minifiedAt": 1774409075884.3267,
     "readCount": 1
-  },
-  "J:\\Projects\\Sentinel\\cli\\lib\\generate.js": {
-    "tempPath": "J:\\Projects\\Sentinel\\cli\\lib\\.cairn\\views\\244a09_generate.js",
-    "state": "compressed",
-    "minifiedAt": 1774454098784.183,
-    "readCount": 1
   }
 }

package/lib/add.js

@@ -277,35 +277,49 @@ async function addFromGit(gitUrl, workspace) {
     validate: v => VALID_NAME.test(v) || 'Use letters, numbers, hyphens only',
   }], { onCancel: () => process.exit(0) });
 
-  // ── 1. Generate deploy key for the primary (config) repo ───────────────────
+  // ── 1. Set up SSH access to the primary (config) repo ─────────────────────
   step(`[1/3] Setting up SSH access to ${repoSlug}`);
   ensureKnownHosts();
-  const { keyFile } = generateDeployKey(repoSlug);
-  printDeployKeyInstructions(orgRepo, keyFile);
 
-  await prompts({
-    type: 'text', name: '_', format: () => '',
-    message: chalk.bold(`Press Enter once you've added the deploy key to GitHub…`),
-  }, { onCancel: () => process.exit(0) });
+  // Check if the repo is already accessible via the existing SSH key/agent.
+  // This is the case when GIT_ACCESS=ssh_user_key is configured — no deploy key needed.
+  const existingAccess = validateAccess(gitUrl, null);
+  let keyFile = null;
 
-  // Validate primary repo
-  const primary = validateAccess(gitUrl, keyFile);
-  if (!primary.ok) {
-    console.error(chalk.red('  ✖ Cannot reach ' + gitUrl));
-    if (primary.stderr) console.error(chalk.red('    ' + primary.stderr));
-    console.error(chalk.yellow('  Check the deploy key has write access, then re-run.'));
-    process.exit(1);
+  if (existingAccess.ok) {
+    ok(`${repoSlug}: reachable via existing SSH key — skipping deploy key generation`);
+  } else {
+    const { keyFile: generatedKey } = generateDeployKey(repoSlug);
+    keyFile = generatedKey;
+    printDeployKeyInstructions(orgRepo, keyFile);
+
+    await prompts({
+      type: 'text', name: '_', format: () => '',
+      message: chalk.bold(`Press Enter once you've added the deploy key to GitHub…`),
+    }, { onCancel: () => process.exit(0) });
+
+    // Validate primary repo with deploy key
+    const primary = validateAccess(gitUrl, keyFile);
+    if (!primary.ok) {
+      console.error(chalk.red('  ✖ Cannot reach ' + gitUrl));
+      if (primary.stderr) console.error(chalk.red('    ' + primary.stderr));
+      console.error(chalk.yellow('  Check the deploy key has write access, then re-run.'));
+      process.exit(1);
+    }
+    ok(`${repoSlug}: reachable`);
   }
-  ok(`${repoSlug}: reachable`);
 
   // ── 2. Clone primary repo and discover additional repos ────────────────────
   const projectDir = path.join(workspace, name);
   step(`[2/3] Scanning repo-configs in ${repoSlug}…`);
 
   if (!fs.existsSync(projectDir)) {
+    const cloneEnv = keyFile
+      ? gitEnv({ GIT_SSH_COMMAND: `ssh -i ${keyFile} -o StrictHostKeyChecking=no -o BatchMode=yes` })
+      : gitEnv({});
     spawnSync(gitBin(), ['clone', '--depth', '1', gitUrl, projectDir], {
       stdio: 'inherit',
-      env: gitEnv({ GIT_SSH_COMMAND: `ssh -i ${keyFile} -o StrictHostKeyChecking=no -o BatchMode=yes` }),
+      env: cloneEnv,
     });
   }
 
@@ -323,6 +337,23 @@ async function addFromGit(gitUrl, workspace) {
   }
 
 
+  // Read project-level GIT_ACCESS from the cloned sentinel.properties
+  const sentinelPropsPath = path.join(projectDir, 'config', 'sentinel.properties');
+  let projectGitAccess = '';
+  let projectGitSshKey = '';
+  if (fs.existsSync(sentinelPropsPath)) {
+    const lines = fs.readFileSync(sentinelPropsPath, 'utf8').split('\n');
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (trimmed.startsWith('#') || !trimmed.includes('=')) continue;
+      const [k, ...rest] = trimmed.split('=');
+      const v = rest.join('=').split('#')[0].trim();
+      if (k.trim() === 'GIT_ACCESS') projectGitAccess = v;
+      if (k.trim() === 'GIT_SSH_KEY') projectGitSshKey = v.replace(/^~/, require('os').homedir());
+    }
+  }
+  const useSshUserKey = projectGitAccess === 'ssh_user_key';
+
   // Classify each discovered repo
   const privateRepos = [];
   const publicRepos  = [];
@@ -341,50 +372,69 @@ async function addFromGit(gitUrl, workspace) {
     }
   }
 
-  // ── 3. Generate deploy keys for all private repos (batch) ─────────────────
+  // ── 3. Set up access for all private repos ─────────────────────────────────
   if (privateRepos.length > 0) {
-    step(`[3/3] Deploy keys needed for ${privateRepos.length} private repo(s)`);
-
-    for (const r of privateRepos) {
-      const { keyFile: rKey } = generateDeployKey(r.slug, projectDir);
-      r.keyFile = rKey;
-      const rOrgRepo = gitUrlToOrgRepo(r.url);
-      printDeployKeyInstructions(rOrgRepo, rKey);
-    }
-
-    if (publicRepos.length > 0) {
-      console.log(chalk.green('  ✔ Public repos (no deploy key needed):'));
+    if (useSshUserKey) {
+      // Project uses a personal SSH key — validate access, no deploy keys needed
+      step(`[3/3] Validating access to ${privateRepos.length} private repo(s) via SSH user key…`);
+      const sshKeyForValidation = projectGitSshKey || null;
+      for (const r of privateRepos) {
+        const v = validateAccess(r.url, sshKeyForValidation);
+        if (!v.ok) {
+          console.error(chalk.red(`  ✖ ${r.slug}: cannot reach ${r.url}`));
+          if (v.stderr) console.error(chalk.red('    ' + v.stderr));
+          console.error(chalk.yellow(`  Check that GIT_SSH_KEY (${projectGitSshKey || 'SSH agent'}) has access, then re-run.`));
+          process.exit(1);
+        }
+        ok(`${r.slug}: reachable`);
+      }
       for (const r of publicRepos) {
-        console.log(chalk.green(`      ${r.slug}`));
+        ok(`${r.slug}: public, no key needed`);
+      }
+    } else {
+      // Default: generate a deploy key per private repo
+      step(`[3/3] Deploy keys needed for ${privateRepos.length} private repo(s)`);
+
+      for (const r of privateRepos) {
+        const { keyFile: rKey } = generateDeployKey(r.slug, projectDir);
+        r.keyFile = rKey;
+        const rOrgRepo = gitUrlToOrgRepo(r.url);
+        printDeployKeyInstructions(rOrgRepo, rKey);
       }
-      console.log('');
-    }
 
-    await prompts({
-      type: 'text', name: '_', format: () => '',
-      message: chalk.bold(`Press Enter once you've added all ${privateRepos.length} deploy key(s) to GitHub…`),
-    }, { onCancel: () => process.exit(0) });
+      if (publicRepos.length > 0) {
+        console.log(chalk.green('  ✔ Public repos (no deploy key needed):'));
+        for (const r of publicRepos) {
+          console.log(chalk.green(`      ${r.slug}`));
+        }
+        console.log('');
+      }
 
-    // Validate each private repo
-    step('Validating repository access…');
-    for (const r of privateRepos) {
-      const v = validateAccess(r.url, r.keyFile);
-      if (!v.ok) {
-        console.error(chalk.red(`  ✖ ${r.slug}: cannot reach ${r.url}`));
-        if (v.stderr) console.error(chalk.red('    ' + v.stderr));
-        console.error(chalk.yellow('  Fix access then re-run sentinel add.'));
-        process.exit(1);
+      await prompts({
+        type: 'text', name: '_', format: () => '',
+        message: chalk.bold(`Press Enter once you've added all ${privateRepos.length} deploy key(s) to GitHub…`),
+      }, { onCancel: () => process.exit(0) });
+
+      // Validate each private repo
+      step('Validating repository access…');
+      for (const r of privateRepos) {
+        const v = validateAccess(r.url, r.keyFile);
+        if (!v.ok) {
+          console.error(chalk.red(`  ✖ ${r.slug}: cannot reach ${r.url}`));
+          if (v.stderr) console.error(chalk.red('    ' + v.stderr));
+          console.error(chalk.yellow('  Fix access then re-run sentinel add.'));
+          process.exit(1);
+        }
+        ok(`${r.slug}: reachable`);
+      }
+      for (const r of publicRepos) {
+        ok(`${r.slug}: public, no key needed`);
       }
-      ok(`${r.slug}: reachable`);
-    }
-    for (const r of publicRepos) {
-      ok(`${r.slug}: public, no key needed`);
-    }
 
-    // Keys stored at <projectDir>/<slug>.key — config_loader.py auto-discovers them.
-    // SSH_KEY_FILE is NOT written to git-tracked .properties files.
-    for (const r of privateRepos) {
-      info(`Key stored at ${r.keyFile} (auto-discovered, not committed to git)`);
+      // Keys stored at <projectDir>/<slug>.key — config_loader.py auto-discovers them.
+      for (const r of privateRepos) {
+        info(`Key stored at ${r.keyFile} (auto-discovered, not committed to git)`);
+      }
     }
   } else if (discovered.length > 0) {
     step('[3/3] All repos are public — no deploy keys needed');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.4.69",
+  "version": "1.4.71",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/config_loader.py

@@ -109,6 +109,7 @@ class RepoConfig:
     cicd_user: str = ""      # Jenkins username for Basic auth (defaults to "sentinel")
     health_url: str = ""     # optional: HTTP endpoint returning {"Status": "true"}
     cicd_token: str = ""
+    git_access: str = ""     # ssh_user_key | ssh_deploy_key | https_token | https_pat
     ssh_key_file: str = ""   # path to SSH private key; sets GIT_SSH_COMMAND when present
 
 
@@ -226,6 +227,13 @@ class ConfigLoader:
         repos_dir = self.config_dir / "repo-configs"
         if not repos_dir.exists():
             return
+
+        # Project-level defaults from sentinel.properties
+        sentinel_path = self.config_dir / "sentinel.properties"
+        proj_d: dict[str, str] = _parse_properties(str(sentinel_path)) if sentinel_path.exists() else {}
+        default_git_access = proj_d.get("GIT_ACCESS", "")
+        default_git_ssh_key = os.path.expanduser(proj_d.get("GIT_SSH_KEY", ""))
+
         self.repos = {}
         for path in sorted(repos_dir.glob("*.properties")):
             if path.name.startswith("_"):
@@ -242,8 +250,11 @@ class ConfigLoader:
             r.cicd_user = d.get("CICD_USER", "")
             r.cicd_token = d.get("CICD_TOKEN", "")
             r.health_url = d.get("HEALTH_URL", "")
-            r.ssh_key_file = os.path.expanduser(d.get("SSH_KEY_FILE", ""))
-            # Auto-discover key in project dir if not set in properties
+            r.git_access = d.get("GIT_ACCESS", default_git_access)
+            # GIT_SSH_KEY (preferred) or legacy SSH_KEY_FILE, then project default
+            raw_key = d.get("GIT_SSH_KEY", "") or d.get("SSH_KEY_FILE", "")
+            r.ssh_key_file = os.path.expanduser(raw_key) if raw_key else default_git_ssh_key
+            # Auto-discover deploy key in project dir if no key configured
             if not r.ssh_key_file:
                 auto_key = Path(self.config_dir).parent / f"{r.repo_name}.key"
                 if auto_key.exists():

package/templates/sentinel.properties

@@ -18,6 +18,16 @@ MAILS=you@yourdomain.com
 # Uncomment here only if this project needs a different token.
 # GITHUB_TOKEN=<github-pat>
 
+# Default SSH access method for all repos in this project.
+# Per-repo configs (config/repo-configs/*.properties) can override these.
+#
+# Options:
+#   ssh_user_key   — personal key at GIT_SSH_KEY path (full account access, recommended)
+#   ssh_deploy_key — per-repo deploy key generated by sentinel add (default if not set)
+#
+# GIT_ACCESS=ssh_user_key
+# GIT_SSH_KEY=~/.ssh/your-key
+
 # Fix confirmation: hours of silence after a fix marker appears in production logs before
 # the fix is declared confirmed. Increase for services that deploy infrequently.
 # MARKER_CONFIRM_HOURS=24

package/lib/.cairn/views/244a09_generate.js

@@ -1,274 +0,0 @@
-'use strict';
-const fs = require('fs-extra');
-const path = require('path');
-function writeExampleProject(projectDir, codeDir, pythonBin, anthropicKey = '', slackTokens = {}) {
-  const configDir = path.join(projectDir, 'config', 'log-configs');
-  const repoDir   = path.join(projectDir, 'config', 'repo-configs');
-  fs.ensureDirSync(configDir);
-  fs.ensureDirSync(repoDir);
-  const tplDir = path.join(__dirname, '..', 'templates');
-  let sentinelProps = fs.readFileSync(path.join(tplDir, 'sentinel.properties'), 'utf8');
-  if (anthropicKey) {
-    sentinelProps = sentinelProps.replace(/^# ANTHROPIC_API_KEY=.*/m, `ANTHROPIC_API_KEY=${anthropicKey}`);
-  }
-  if (slackTokens.botToken) {
-    sentinelProps = sentinelProps.replace(/^# SLACK_BOT_TOKEN=.*/m, `SLACK_BOT_TOKEN=${slackTokens.botToken}`);
-  }
-  if (slackTokens.appToken) {
-    sentinelProps = sentinelProps.replace(/^# SLACK_APP_TOKEN=.*/m, `SLACK_APP_TOKEN=${slackTokens.appToken}`);
-  }
-  fs.writeFileSync(path.join(projectDir, 'config', 'sentinel.properties'), sentinelProps);
-  fs.copySync(path.join(tplDir, 'log-configs', '_example.properties'), path.join(configDir, '_example.properties'));
-  fs.copySync(path.join(tplDir, 'repo-configs', '_example.properties'), path.join(repoDir,   '_example.properties'));
-  generateProjectScripts(projectDir, codeDir, pythonBin);
-}
-function generateProjectScripts(projectDir, codeDir, pythonBin) {
-  const name = path.basename(projectDir);
-  fs.writeFileSync(path.join(projectDir, 'start.sh'), `#!/usr/bin/env bash
-# Start this Sentinel instance
-set -euo pipefail
-DIR="$(cd "$(dirname "$0")" && pwd)"
-PID_FILE="$DIR/sentinel.pid"
-if [[ -f "$PID_FILE" ]] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null; then
-  echo "[sentinel] ${name} already running (PID $(cat "$PID_FILE"))"
-  exit 0
-fi
-# Kill any orphaned sentinel processes for this project (stale PIDs not in PID file)
-pkill -f "sentinel.main --config $DIR/config" 2>/dev/null || true
-rm -f "$PID_FILE"
-WORKSPACE="$(dirname "$DIR")"
-# Check Claude Code authentication — skip if CLAUDE_PRO_FOR_TASKS=false in either config
-_claude_pro=true
-for _conf in "$WORKSPACE/sentinel.properties" "$DIR/config/sentinel.properties"; do
-  if [[ -f "$_conf" ]]; then
-    _val=$(grep -iE "^CLAUDE_PRO_FOR_TASKS[[:space:]]*=" "$_conf" 2>/dev/null | tail -1 | cut -d= -f2- | tr -d ' ' | tr '[:upper:]' '[:lower:]' || true)
-    [[ -n "$_val" ]] && _claude_pro="$_val"
-  fi
-done
-if [[ "$_claude_pro" != "false" ]]; then
-  AUTH_OUT=$(claude --print \"hi\" 2>&1 || true)
-  if echo "$AUTH_OUT" | grep -Eqi "not logged in|/login"; then
-    echo ""
-    echo "[sentinel] Claude Code is not authenticated."
-    echo "  1. Open a new terminal and run: claude"
-    echo "  2. Type /login at the prompt"
-    echo "  3. Open the URL in any browser and log in"
-    echo "  4. Type /exit when done"
-    echo "  5. Re-run this script"
-    echo ""
-    exit 1
-  fi
-fi
-mkdir -p "$DIR/logs" "$WORKSPACE/logs" "$DIR/workspace/fetched" "$DIR/workspace/patches" "$DIR/issues"
-cd "$DIR"
-# Ensure npm-global bin (cairn-mcp, claude) and ~/.local/bin (auto-installed tools) are on PATH
-export PATH="$HOME/.npm-global/bin:$HOME/.local/bin:$PATH"
-PYTHONPATH="${codeDir}" "${codeDir}/.venv/bin/python3" -m sentinel.main --config ./config \\
-  >> "$DIR/logs/sentinel.log" 2>&1 &
-echo $! > "$PID_FILE"
-echo "[sentinel] ${name} started (PID $!)"
-echo "  project log : $DIR/logs/sentinel.log"
-echo "  workspace log: $WORKSPACE/logs/sentinel.log"
-`, { mode: 0o755 });
-  fs.writeFileSync(path.join(projectDir, 'stop.sh'), `#!/usr/bin/env bash
-# Stop this Sentinel instance
-set -euo pipefail
-DIR="$(cd "$(dirname "$0")" && pwd)"
-PID_FILE="$DIR/sentinel.pid"
-if [[ ! -f "$PID_FILE" ]]; then
-  echo "[sentinel] ${name} — no PID file, not running"
-  exit 0
-fi
-PID=$(cat "$PID_FILE")
-if kill -0 "$PID" 2>/dev/null; then
-  kill "$PID"
-  echo "[sentinel] ${name} stopped (PID $PID)"
-else
-  echo "[sentinel] ${name} — PID $PID not running"
-fi
-rm -f "$PID_FILE"
-`, { mode: 0o755 });
-}
-function generateWorkspaceScripts(workspace, smtpConfig = {}, slackConfig = {}, authConfig = {}, githubToken = '') {
-  const workspaceProps = path.join(workspace, 'sentinel.properties');
-  if (!fs.existsSync(workspaceProps)) {
-    const tplDir = path.join(__dirname, '..', 'templates');
-    let tpl = fs.readFileSync(path.join(tplDir, 'workspace-sentinel.properties'), 'utf8');
-    if (smtpConfig.host)     tpl = tpl.replace('SMTP_HOST=smtp.gmail.com',          'SMTP_HOST=' + smtpConfig.host);
-    if (smtpConfig.port)     tpl = tpl.replace('SMTP_PORT=587',                     'SMTP_PORT=' + smtpConfig.port);
-    if (smtpConfig.user)     tpl = tpl.replace('SMTP_USER=sentinel@yourdomain.com', 'SMTP_USER=' + smtpConfig.user);
-    if (smtpConfig.password) tpl = tpl.replace('SMTP_PASSWORD=<app-password>',      'SMTP_PASSWORD=' + smtpConfig.password);
-    fs.writeFileSync(workspaceProps, tpl);
-  }
-  if (authConfig.apiKey || authConfig.claudeProForTasks !== undefined) {
-    let props = fs.readFileSync(workspaceProps, 'utf8');
-    if (authConfig.apiKey) {
-      if (/^#?\s*ANTHROPIC_API_KEY=/m.test(props))
-        props = props.replace(/^#?\s*ANTHROPIC_API_KEY=.*/mg, 'ANTHROPIC_API_KEY=' + authConfig.apiKey);
-      else
-        props = props.trimEnd() + '\nANTHROPIC_API_KEY=' + authConfig.apiKey + '\n';
-    }
-    if (authConfig.claudeProForTasks !== undefined) {
-      const val = authConfig.claudeProForTasks ? 'true' : 'false';
-      if (/^#?\s*CLAUDE_PRO_FOR_TASKS=/m.test(props))
-        props = props.replace(/^#?\s*CLAUDE_PRO_FOR_TASKS=.*/mg, 'CLAUDE_PRO_FOR_TASKS=' + val);
-      else
-        props = props.trimEnd() + '\nCLAUDE_PRO_FOR_TASKS=' + val + '\n';
-    }
-    fs.writeFileSync(workspaceProps, props);
-  }
-  if (githubToken) {
-    let props = fs.readFileSync(workspaceProps, 'utf8');
-    if (/^#?\s*GITHUB_TOKEN=/m.test(props))
-      props = props.replace(/^#?\s*GITHUB_TOKEN=.*/mg, 'GITHUB_TOKEN=' + githubToken);
-    else
-      props = props.trimEnd() + '\nGITHUB_TOKEN=' + githubToken + '\n';
-    fs.writeFileSync(workspaceProps, props);
-  }
-  if (slackConfig.botToken || slackConfig.appToken) {
-    let props = fs.readFileSync(workspaceProps, 'utf8');
-    if (slackConfig.botToken) {
-      if (/^#?\s*SLACK_BOT_TOKEN=/m.test(props))
-        props = props.replace(/^#?\s*SLACK_BOT_TOKEN=.*/mg, 'SLACK_BOT_TOKEN=' + slackConfig.botToken);
-      else
-        props = props.trimEnd() + '\nSLACK_BOT_TOKEN=' + slackConfig.botToken + '\n';
-    }
-    if (slackConfig.appToken) {
-      if (/^#?\s*SLACK_APP_TOKEN=/m.test(props))
-        props = props.replace(/^#?\s*SLACK_APP_TOKEN=.*/mg, 'SLACK_APP_TOKEN=' + slackConfig.appToken);
-      else
-        props = props.trimEnd() + '\nSLACK_APP_TOKEN=' + slackConfig.appToken + '\n';
-    }
-    fs.writeFileSync(workspaceProps, props);
-  }
-  fs.writeFileSync(path.join(workspace, 'startAll.sh'), `#!/usr/bin/env bash
-# Start all valid Sentinel project instances.
-# A valid project must have config/repo-configs; do
-  [[ -d "$project_dir" ]] || continue
-  name=$(basename "$project_dir")
-  echo " $NON_PROJECT " | grep -qw "$name" && continue
-  # Auto-generate start.sh / stop.sh if missing (codeDir = $WORKSPACE/code)
-  if [[ ! -f "$project_dir/start.sh" ]]; then
-    code_dir="$WORKSPACE/code"
-    python_bin="$code_dir/.venv/bin/python3"
-    sed -e "s|__NAME__|$name|g" -e "s|__CODE_DIR__|$code_dir|g" -e "s|__PYTHON_BIN__|$python_bin|g" << 'STARTSH' > "$project_dir/start.sh"
-#!/usr/bin/env bash
-set -euo pipefail
-DIR="$(cd "$(dirname "$0")" && pwd)"
-PID_FILE="$DIR/sentinel.pid"
-if [[ -f "$PID_FILE" ]] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null; then
-  echo "[sentinel] __NAME__ already running (PID $(cat "$PID_FILE"))"
-  exit 0
-fi
-pkill -f "sentinel.main --config $DIR/config" 2>/dev/null || true
-rm -f "$PID_FILE"
-WORKSPACE="$(dirname "$DIR")"
-_claude_pro=true
-for _conf in "$WORKSPACE/sentinel.properties" "$DIR/config/sentinel.properties"; do
-  if [[ -f "$_conf" ]]; then
-    _val=$(grep -iE "^CLAUDE_PRO_FOR_TASKS[[:space:]]*=" "$_conf" 2>/dev/null | tail -1 | cut -d= -f2- | tr -d ' ' | tr '[:upper:]' '[:lower:]' || true)
-    [[ -n "$_val" ]] && _claude_pro="$_val"
-  fi
-done
-if [[ "$_claude_pro" != "false" ]]; then
-  AUTH_OUT=$(claude --print \"hi\" 2>&1 || true)
-  if echo "$AUTH_OUT" | grep -Eqi "not logged in|/login"; then
-    echo "[sentinel] Claude Code is not authenticated. Run: claude then /login"
-    exit 1
-  fi
-fi
-mkdir -p "$DIR/logs" "$WORKSPACE/logs" "$DIR/workspace/fetched" "$DIR/workspace/patches" "$DIR/issues"
-cd "$DIR"
-PYTHONPATH="__CODE_DIR__" "__PYTHON_BIN__" -m sentinel.main --config ./config \
-  > "$DIR/logs/sentinel.log" 2>&1 &
-echo $! > "$PID_FILE"
-echo "[sentinel] __NAME__ started (PID $!)"
-echo "  project log : $DIR/logs/sentinel.log"
-echo "  workspace log: $WORKSPACE/logs/sentinel.log"
-STARTSH
-    chmod +x "$project_dir/start.sh"
-    echo "[sentinel] Auto-generated start.sh for $name"
-  fi
-  if [[ ! -f "$project_dir/stop.sh" ]]; then
-    sed -e "s|__NAME__|$name|g" << 'STOPSH' > "$project_dir/stop.sh"
-#!/usr/bin/env bash
-set -euo pipefail
-DIR="$(cd "$(dirname "$0")" && pwd)"
-PID_FILE="$DIR/sentinel.pid"
-if [[ ! -f "$PID_FILE" ]]; then
-  echo "[sentinel] __NAME__ — no PID file, not running"
-  exit 0
-fi
-PID=$(cat "$PID_FILE")
-if kill -0 "$PID" 2>/dev/null; then
-  kill "$PID"
-  echo "[sentinel] __NAME__ stopped (PID $PID)"
-else
-  echo "[sentinel] __NAME__ — PID $PID not running"
-fi
-rm -f "$PID_FILE"
-STOPSH
-    chmod +x "$project_dir/stop.sh"
-    echo "[sentinel] Auto-generated stop.sh for $name"
-  fi
-  # Must have at least one repo-config with a valid GitHub REPO_URL
-  repo_configs_dir="$project_dir/config/repo-configs"
-  if [[ ! -d "$repo_configs_dir" ]]; then
-    echo "[sentinel] Skipping $name — config/repo-configs/ directory not found"
-    skipped=$((skipped + 1))
-    continue
-  fi
-  has_config=false
-  valid_repo=false
-  for props in "$repo_configs_dir/"*.properties; do
-    [[ -f "$props" ]] || continue
-    [[ "$(basename "$props")" == _* ]] && continue
-    has_config=true
-    if grep -qE "^REPO_URL[[:space:]]*=[[:space:]]*(git@github\.com:|https://github\.com/)" "$props"; then
-      valid_repo=true
-      break
-    else
-      repo_url=$(grep -E "^REPO_URL[[:space:]]*=" "$props" | head -1 | cut -d= -f2- | xargs 2>/dev/null || true)
-      if [[ -z "$repo_url" ]]; then
-        echo "[sentinel] Skipping $name — REPO_URL not set in $(basename \"$props\")"
-      else
-        echo "[sentinel] Skipping $name — REPO_URL in $(basename \"$props\") is not a GitHub URL: $repo_url"
-      fi
-    fi
-  done
-  if [[ "$has_config" == "false" ]]; then
-    echo "[sentinel] Skipping $name — no .properties files in config/repo-configs/ (only _example?)"
-    skipped=$((skipped + 1))
-    continue
-  fi
-  if [[ "$valid_repo" == "false" ]]; then
-    skipped=$((skipped + 1))
-    continue
-  fi
-  if bash "$project_dir/start.sh"; then
-    started=$((started + 1))
-  else
-    echo "[sentinel] Failed to start $name"
-    skipped=$((skipped + 1))
-  fi
-done
-echo "[sentinel] $started project(s) started, $skipped skipped"
-`, { mode: 0o755 });
-  // stopAll.sh
-  fs.writeFileSync(path.join(workspace, 'stopAll.sh'), `#!/usr/bin/env bash
-# Stop all Sentinel project instances
-WORKSPACE="$(cd "$(dirname "$0")" && pwd)"
-stopped=0
-NON_PROJECT="code repos logs issues workspace"
-for project_dir in "$WORKSPACE"/*/; do
-  [[ -d "$project_dir" ]] || continue
-  name=$(basename "$project_dir")
-  echo " $NON_PROJECT " | grep -qw "$name" && continue
-  [[ -f "$project_dir/stop.sh" ]] || continue
-  bash "$project_dir/stop.sh"
-  stopped=$((stopped + 1))
-done
-echo "[sentinel] $stopped project(s) stopped"
-`, { mode: 0o755 });
-}
-module.exports = { writeExampleProject, generateProjectScripts, generateWorkspaceScripts };