@misterhuydo/sentinel 1.4.70 → 1.4.72

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-03-26T18:21:14.192Z
+2026-03-26T18:52:08.498Z

package/.cairn/session.json

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-03-26T18:22:50.768Z",
-  "checkpoint_at": "2026-03-26T18:22:50.770Z",
+  "message": "Auto-checkpoint at 2026-03-26T18:49:49.152Z",
+  "checkpoint_at": "2026-03-26T18:49:49.153Z",
   "active_files": [],
   "notes": [],
   "mtime_snapshot": {}

package/lib/add.js

@@ -313,13 +313,20 @@ async function addFromGit(gitUrl, workspace) {
   const projectDir = path.join(workspace, name);
   step(`[2/3] Scanning repo-configs in ${repoSlug}…`);
 
+  const sshEnv = keyFile
+    ? gitEnv({ GIT_SSH_COMMAND: `ssh -i ${keyFile} -o StrictHostKeyChecking=no -o BatchMode=yes` })
+    : gitEnv({});
   if (!fs.existsSync(projectDir)) {
-    const cloneEnv = keyFile
-      ? gitEnv({ GIT_SSH_COMMAND: `ssh -i ${keyFile} -o StrictHostKeyChecking=no -o BatchMode=yes` })
-      : gitEnv({});
     spawnSync(gitBin(), ['clone', '--depth', '1', gitUrl, projectDir], {
       stdio: 'inherit',
-      env: cloneEnv,
+      env: sshEnv,
+    });
+  } else {
+    // Pull latest so we get up-to-date sentinel.properties (e.g. GIT_ACCESS setting)
+    spawnSync(gitBin(), ['pull', '--rebase'], {
+      cwd: projectDir,
+      stdio: 'inherit',
+      env: sshEnv,
     });
   }
 
@@ -337,6 +344,23 @@ async function addFromGit(gitUrl, workspace) {
   }
 
 
+  // Read project-level GIT_ACCESS from the cloned sentinel.properties
+  const sentinelPropsPath = path.join(projectDir, 'config', 'sentinel.properties');
+  let projectGitAccess = '';
+  let projectGitSshKey = '';
+  if (fs.existsSync(sentinelPropsPath)) {
+    const lines = fs.readFileSync(sentinelPropsPath, 'utf8').split('\n');
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (trimmed.startsWith('#') || !trimmed.includes('=')) continue;
+      const [k, ...rest] = trimmed.split('=');
+      const v = rest.join('=').split('#')[0].trim();
+      if (k.trim() === 'GIT_ACCESS') projectGitAccess = v;
+      if (k.trim() === 'GIT_SSH_KEY') projectGitSshKey = v.replace(/^~/, require('os').homedir());
+    }
+  }
+  const useSshUserKey = projectGitAccess === 'ssh_user_key';
+
   // Classify each discovered repo
   const privateRepos = [];
   const publicRepos  = [];
@@ -355,50 +379,69 @@ async function addFromGit(gitUrl, workspace) {
     }
   }
 
-  // ── 3. Generate deploy keys for all private repos (batch) ─────────────────
+  // ── 3. Set up access for all private repos ─────────────────────────────────
   if (privateRepos.length > 0) {
-    step(`[3/3] Deploy keys needed for ${privateRepos.length} private repo(s)`);
-
-    for (const r of privateRepos) {
-      const { keyFile: rKey } = generateDeployKey(r.slug, projectDir);
-      r.keyFile = rKey;
-      const rOrgRepo = gitUrlToOrgRepo(r.url);
-      printDeployKeyInstructions(rOrgRepo, rKey);
-    }
-
-    if (publicRepos.length > 0) {
-      console.log(chalk.green('  ✔ Public repos (no deploy key needed):'));
+    if (useSshUserKey) {
+      // Project uses a personal SSH key — validate access, no deploy keys needed
+      step(`[3/3] Validating access to ${privateRepos.length} private repo(s) via SSH user key…`);
+      const sshKeyForValidation = projectGitSshKey || null;
+      for (const r of privateRepos) {
+        const v = validateAccess(r.url, sshKeyForValidation);
+        if (!v.ok) {
+          console.error(chalk.red(`  ✖ ${r.slug}: cannot reach ${r.url}`));
+          if (v.stderr) console.error(chalk.red('    ' + v.stderr));
+          console.error(chalk.yellow(`  Check that GIT_SSH_KEY (${projectGitSshKey || 'SSH agent'}) has access, then re-run.`));
+          process.exit(1);
+        }
+        ok(`${r.slug}: reachable`);
+      }
       for (const r of publicRepos) {
-        console.log(chalk.green(`      ${r.slug}`));
+        ok(`${r.slug}: public, no key needed`);
+      }
+    } else {
+      // Default: generate a deploy key per private repo
+      step(`[3/3] Deploy keys needed for ${privateRepos.length} private repo(s)`);
+
+      for (const r of privateRepos) {
+        const { keyFile: rKey } = generateDeployKey(r.slug, projectDir);
+        r.keyFile = rKey;
+        const rOrgRepo = gitUrlToOrgRepo(r.url);
+        printDeployKeyInstructions(rOrgRepo, rKey);
       }
-      console.log('');
-    }
 
-    await prompts({
-      type: 'text', name: '_', format: () => '',
-      message: chalk.bold(`Press Enter once you've added all ${privateRepos.length} deploy key(s) to GitHub…`),
-    }, { onCancel: () => process.exit(0) });
+      if (publicRepos.length > 0) {
+        console.log(chalk.green('  ✔ Public repos (no deploy key needed):'));
+        for (const r of publicRepos) {
+          console.log(chalk.green(`      ${r.slug}`));
+        }
+        console.log('');
+      }
 
-    // Validate each private repo
-    step('Validating repository access…');
-    for (const r of privateRepos) {
-      const v = validateAccess(r.url, r.keyFile);
-      if (!v.ok) {
-        console.error(chalk.red(`  ✖ ${r.slug}: cannot reach ${r.url}`));
-        if (v.stderr) console.error(chalk.red('    ' + v.stderr));
-        console.error(chalk.yellow('  Fix access then re-run sentinel add.'));
-        process.exit(1);
+      await prompts({
+        type: 'text', name: '_', format: () => '',
+        message: chalk.bold(`Press Enter once you've added all ${privateRepos.length} deploy key(s) to GitHub…`),
+      }, { onCancel: () => process.exit(0) });
+
+      // Validate each private repo
+      step('Validating repository access…');
+      for (const r of privateRepos) {
+        const v = validateAccess(r.url, r.keyFile);
+        if (!v.ok) {
+          console.error(chalk.red(`  ✖ ${r.slug}: cannot reach ${r.url}`));
+          if (v.stderr) console.error(chalk.red('    ' + v.stderr));
+          console.error(chalk.yellow('  Fix access then re-run sentinel add.'));
+          process.exit(1);
+        }
+        ok(`${r.slug}: reachable`);
+      }
+      for (const r of publicRepos) {
+        ok(`${r.slug}: public, no key needed`);
       }
-      ok(`${r.slug}: reachable`);
-    }
-    for (const r of publicRepos) {
-      ok(`${r.slug}: public, no key needed`);
-    }
 
-    // Keys stored at <projectDir>/<slug>.key — config_loader.py auto-discovers them.
-    // SSH_KEY_FILE is NOT written to git-tracked .properties files.
-    for (const r of privateRepos) {
-      info(`Key stored at ${r.keyFile} (auto-discovered, not committed to git)`);
+      // Keys stored at <projectDir>/<slug>.key — config_loader.py auto-discovers them.
+      for (const r of privateRepos) {
+        info(`Key stored at ${r.keyFile} (auto-discovered, not committed to git)`);
+      }
     }
   } else if (discovered.length > 0) {
     step('[3/3] All repos are public — no deploy keys needed');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.4.70",
+  "version": "1.4.72",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/config_loader.py

@@ -109,6 +109,7 @@ class RepoConfig:
     cicd_user: str = ""      # Jenkins username for Basic auth (defaults to "sentinel")
     health_url: str = ""     # optional: HTTP endpoint returning {"Status": "true"}
     cicd_token: str = ""
+    git_access: str = ""     # ssh_user_key | ssh_deploy_key | https_token | https_pat
     ssh_key_file: str = ""   # path to SSH private key; sets GIT_SSH_COMMAND when present
 
 
@@ -226,6 +227,13 @@ class ConfigLoader:
         repos_dir = self.config_dir / "repo-configs"
         if not repos_dir.exists():
             return
+
+        # Project-level defaults from sentinel.properties
+        sentinel_path = self.config_dir / "sentinel.properties"
+        proj_d: dict[str, str] = _parse_properties(str(sentinel_path)) if sentinel_path.exists() else {}
+        default_git_access = proj_d.get("GIT_ACCESS", "")
+        default_git_ssh_key = os.path.expanduser(proj_d.get("GIT_SSH_KEY", ""))
+
         self.repos = {}
         for path in sorted(repos_dir.glob("*.properties")):
             if path.name.startswith("_"):
@@ -242,8 +250,11 @@ class ConfigLoader:
             r.cicd_user = d.get("CICD_USER", "")
             r.cicd_token = d.get("CICD_TOKEN", "")
             r.health_url = d.get("HEALTH_URL", "")
-            r.ssh_key_file = os.path.expanduser(d.get("SSH_KEY_FILE", ""))
-            # Auto-discover key in project dir if not set in properties
+            r.git_access = d.get("GIT_ACCESS", default_git_access)
+            # GIT_SSH_KEY (preferred) or legacy SSH_KEY_FILE, then project default
+            raw_key = d.get("GIT_SSH_KEY", "") or d.get("SSH_KEY_FILE", "")
+            r.ssh_key_file = os.path.expanduser(raw_key) if raw_key else default_git_ssh_key
+            # Auto-discover deploy key in project dir if no key configured
             if not r.ssh_key_file:
                 auto_key = Path(self.config_dir).parent / f"{r.repo_name}.key"
                 if auto_key.exists():

package/templates/sentinel.properties

@@ -18,6 +18,16 @@ MAILS=you@yourdomain.com
 # Uncomment here only if this project needs a different token.
 # GITHUB_TOKEN=<github-pat>
 
+# Default SSH access method for all repos in this project.
+# Per-repo configs (config/repo-configs/*.properties) can override these.
+#
+# Options:
+#   ssh_user_key   — personal key at GIT_SSH_KEY path (full account access, recommended)
+#   ssh_deploy_key — per-repo deploy key generated by sentinel add (default if not set)
+#
+# GIT_ACCESS=ssh_user_key
+# GIT_SSH_KEY=~/.ssh/your-key
+
 # Fix confirmation: hours of silence after a fix marker appears in production logs before
 # the fix is declared confirmed. Increase for services that deploy infrequently.
 # MARKER_CONFIRM_HOURS=24