npm - @misterhuydo/sentinel - Versions diffs - 1.4.70 → 1.4.71 - Mend

@misterhuydo/sentinel 1.4.70 → 1.4.71

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.cairn/.hint-lock +1 -1
package/.cairn/session.json +2 -2
package/lib/add.js +73 -37
package/package.json +1 -1
package/python/sentinel/config_loader.py +13 -2
package/templates/sentinel.properties +10 -0

package/.cairn/.hint-lock CHANGED Viewed

	@@ -1 +1 @@
1	- 2026-03-26T18:21:14.~~192Z~~
1	+ 2026-03-26T18:52:08.498Z

package/.cairn/session.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-03-26T18:22:50.768Z",
-  "checkpoint_at": "2026-03-26T18:22:50.770Z",
+  "message": "Auto-checkpoint at 2026-03-26T18:49:49.152Z",
+  "checkpoint_at": "2026-03-26T18:49:49.153Z",
   "active_files": [],
   "notes": [],
   "mtime_snapshot": {}

package/lib/add.js CHANGED Viewed

@@ -337,6 +337,23 @@ async function addFromGit(gitUrl, workspace) {
   }
+  // Read project-level GIT_ACCESS from the cloned sentinel.properties
+  const sentinelPropsPath = path.join(projectDir, 'config', 'sentinel.properties');
+  let projectGitAccess = '';
+  let projectGitSshKey = '';
+  if (fs.existsSync(sentinelPropsPath)) {
+    const lines = fs.readFileSync(sentinelPropsPath, 'utf8').split('\n');
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (trimmed.startsWith('#') || !trimmed.includes('=')) continue;
+      const [k, ...rest] = trimmed.split('=');
+      const v = rest.join('=').split('#')[0].trim();
+      if (k.trim() === 'GIT_ACCESS') projectGitAccess = v;
+      if (k.trim() === 'GIT_SSH_KEY') projectGitSshKey = v.replace(/^~/, require('os').homedir());
+    }
+  }
+  const useSshUserKey = projectGitAccess === 'ssh_user_key';
   // Classify each discovered repo
   const privateRepos = [];
   const publicRepos  = [];
@@ -355,50 +372,69 @@ async function addFromGit(gitUrl, workspace) {
     }
   }
-  // ── 3. Generate deploy keys for all private repos (batch) ─────────────────
+  // ── 3. Set up access for all private repos ─────────────────────────────────
   if (privateRepos.length > 0) {
-    step(`[3/3] Deploy keys needed for ${privateRepos.length} private repo(s)`);
-    for (const r of privateRepos) {
-      const { keyFile: rKey } = generateDeployKey(r.slug, projectDir);
-      r.keyFile = rKey;
-      const rOrgRepo = gitUrlToOrgRepo(r.url);
-      printDeployKeyInstructions(rOrgRepo, rKey);
-    }
-    if (publicRepos.length > 0) {
-      console.log(chalk.green('  ✔ Public repos (no deploy key needed):'));
+    if (useSshUserKey) {
+      // Project uses a personal SSH key — validate access, no deploy keys needed
+      step(`[3/3] Validating access to ${privateRepos.length} private repo(s) via SSH user key…`);
+      const sshKeyForValidation = projectGitSshKey || null;
+      for (const r of privateRepos) {
+        const v = validateAccess(r.url, sshKeyForValidation);
+        if (!v.ok) {
+          console.error(chalk.red(`  ✖ ${r.slug}: cannot reach ${r.url}`));
+          if (v.stderr) console.error(chalk.red('    ' + v.stderr));
+          console.error(chalk.yellow(`  Check that GIT_SSH_KEY (${projectGitSshKey || 'SSH agent'}) has access, then re-run.`));
+          process.exit(1);
+        }
+        ok(`${r.slug}: reachable`);
+      }
       for (const r of publicRepos) {
-        console.log(chalk.green(`      ${r.slug}`));
+        ok(`${r.slug}: public, no key needed`);
+      }
+    } else {
+      // Default: generate a deploy key per private repo
+      step(`[3/3] Deploy keys needed for ${privateRepos.length} private repo(s)`);
+      for (const r of privateRepos) {
+        const { keyFile: rKey } = generateDeployKey(r.slug, projectDir);
+        r.keyFile = rKey;
+        const rOrgRepo = gitUrlToOrgRepo(r.url);
+        printDeployKeyInstructions(rOrgRepo, rKey);
       }
-      console.log('');
-    }
-    await prompts({
-      type: 'text', name: '_', format: () => '',
-      message: chalk.bold(`Press Enter once you've added all ${privateRepos.length} deploy key(s) to GitHub…`),
-    }, { onCancel: () => process.exit(0) });
+      if (publicRepos.length > 0) {
+        console.log(chalk.green('  ✔ Public repos (no deploy key needed):'));
+        for (const r of publicRepos) {
+          console.log(chalk.green(`      ${r.slug}`));
+        }
+        console.log('');
+      }
-    // Validate each private repo
-    step('Validating repository access…');
-    for (const r of privateRepos) {
-      const v = validateAccess(r.url, r.keyFile);
-      if (!v.ok) {
-        console.error(chalk.red(`  ✖ ${r.slug}: cannot reach ${r.url}`));
-        if (v.stderr) console.error(chalk.red('    ' + v.stderr));
-        console.error(chalk.yellow('  Fix access then re-run sentinel add.'));
-        process.exit(1);
+      await prompts({
+        type: 'text', name: '_', format: () => '',
+        message: chalk.bold(`Press Enter once you've added all ${privateRepos.length} deploy key(s) to GitHub…`),
+      }, { onCancel: () => process.exit(0) });
+      // Validate each private repo
+      step('Validating repository access…');
+      for (const r of privateRepos) {
+        const v = validateAccess(r.url, r.keyFile);
+        if (!v.ok) {
+          console.error(chalk.red(`  ✖ ${r.slug}: cannot reach ${r.url}`));
+          if (v.stderr) console.error(chalk.red('    ' + v.stderr));
+          console.error(chalk.yellow('  Fix access then re-run sentinel add.'));
+          process.exit(1);
+        }
+        ok(`${r.slug}: reachable`);
+      }
+      for (const r of publicRepos) {
+        ok(`${r.slug}: public, no key needed`);
       }
-      ok(`${r.slug}: reachable`);
-    }
-    for (const r of publicRepos) {
-      ok(`${r.slug}: public, no key needed`);
-    }
-    // Keys stored at <projectDir>/<slug>.key — config_loader.py auto-discovers them.
-    // SSH_KEY_FILE is NOT written to git-tracked .properties files.
-    for (const r of privateRepos) {
-      info(`Key stored at ${r.keyFile} (auto-discovered, not committed to git)`);
+      // Keys stored at <projectDir>/<slug>.key — config_loader.py auto-discovers them.
+      for (const r of privateRepos) {
+        info(`Key stored at ${r.keyFile} (auto-discovered, not committed to git)`);
+      }
     }
   } else if (discovered.length > 0) {
     step('[3/3] All repos are public — no deploy keys needed');

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.4.70",
+  "version": "1.4.71",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/config_loader.py CHANGED Viewed

@@ -109,6 +109,7 @@ class RepoConfig:
     cicd_user: str = ""      # Jenkins username for Basic auth (defaults to "sentinel")
     health_url: str = ""     # optional: HTTP endpoint returning {"Status": "true"}
     cicd_token: str = ""
+    git_access: str = ""     # ssh_user_key | ssh_deploy_key | https_token | https_pat
     ssh_key_file: str = ""   # path to SSH private key; sets GIT_SSH_COMMAND when present
@@ -226,6 +227,13 @@ class ConfigLoader:
         repos_dir = self.config_dir / "repo-configs"
         if not repos_dir.exists():
             return
+        # Project-level defaults from sentinel.properties
+        sentinel_path = self.config_dir / "sentinel.properties"
+        proj_d: dict[str, str] = _parse_properties(str(sentinel_path)) if sentinel_path.exists() else {}
+        default_git_access = proj_d.get("GIT_ACCESS", "")
+        default_git_ssh_key = os.path.expanduser(proj_d.get("GIT_SSH_KEY", ""))
         self.repos = {}
         for path in sorted(repos_dir.glob("*.properties")):
             if path.name.startswith("_"):
@@ -242,8 +250,11 @@ class ConfigLoader:
             r.cicd_user = d.get("CICD_USER", "")
             r.cicd_token = d.get("CICD_TOKEN", "")
             r.health_url = d.get("HEALTH_URL", "")
-            r.ssh_key_file = os.path.expanduser(d.get("SSH_KEY_FILE", ""))
-            # Auto-discover key in project dir if not set in properties
+            r.git_access = d.get("GIT_ACCESS", default_git_access)
+            # GIT_SSH_KEY (preferred) or legacy SSH_KEY_FILE, then project default
+            raw_key = d.get("GIT_SSH_KEY", "") or d.get("SSH_KEY_FILE", "")
+            r.ssh_key_file = os.path.expanduser(raw_key) if raw_key else default_git_ssh_key
+            # Auto-discover deploy key in project dir if no key configured
             if not r.ssh_key_file:
                 auto_key = Path(self.config_dir).parent / f"{r.repo_name}.key"
                 if auto_key.exists():

package/templates/sentinel.properties CHANGED Viewed

@@ -18,6 +18,16 @@ MAILS=you@yourdomain.com
 # Uncomment here only if this project needs a different token.
 # GITHUB_TOKEN=<github-pat>
+# Default SSH access method for all repos in this project.
+# Per-repo configs (config/repo-configs/*.properties) can override these.
+#
+# Options:
+#   ssh_user_key   — personal key at GIT_SSH_KEY path (full account access, recommended)
+#   ssh_deploy_key — per-repo deploy key generated by sentinel add (default if not set)
+#
+# GIT_ACCESS=ssh_user_key
+# GIT_SSH_KEY=~/.ssh/your-key
 # Fix confirmation: hours of silence after a fix marker appears in production logs before
 # the fix is declared confirmed. Increase for services that deploy infrequently.
 # MARKER_CONFIRM_HOURS=24