@misterhuydo/sentinel 1.4.88 → 1.4.90

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-03-27T05:10:33.256Z
+2026-03-27T08:23:02.070Z

package/.cairn/session.json

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-03-27T05:16:34.970Z",
-  "checkpoint_at": "2026-03-27T05:16:34.971Z",
+  "message": "Auto-checkpoint at 2026-03-27T08:30:46.754Z",
+  "checkpoint_at": "2026-03-27T08:30:46.755Z",
   "active_files": [],
   "notes": [],
   "mtime_snapshot": {}

package/lib/.cairn/minify-map.json

@@ -1 +1,8 @@
-{}
+{
+  "J:\\Projects\\Sentinel\\cli\\lib\\test.js": {
+    "tempPath": "J:\\Projects\\Sentinel\\cli\\lib\\.cairn\\views\\ff8fde_test.js",
+    "state": "compressed",
+    "minifiedAt": 1774252437350.0059,
+    "readCount": 1
+  }
+}

package/lib/.cairn/views/ff8fde_test.js

@@ -0,0 +1,172 @@
+'use strict';
+const fs       = require('fs-extra');
+const path     = require('path');
+const os       = require('os');
+const { execSync, spawnSync } = require('child_process');
+const chalk    = require('chalk');
+const ok   = msg => console.log(chalk.green('  ✔'), msg);
+const fail = msg => console.log(chalk.red('  ✖'), msg);
+const warn = msg => console.log(chalk.yellow('  ⚠'), msg);
+const info = msg => console.log(chalk.cyan('  →'), msg);
+module.exports = async function testInstall(projectName) {
+  const defaultWorkspace = path.join(os.homedir(), 'sentinel');
+  const projectDir = projectName
+    ? path.join(defaultWorkspace, projectName)
+    : _findActiveProject(defaultWorkspace);
+  console.log(chalk.bold('\nSentinel — Installation Check\n'));
+  let passed = 0;
+  let failed = 0;
+  info('Checking required tools...');
+  const tools = [
+    { cmd: 'python3 --version',  label: 'Python 3'          },
+    { cmd: 'node --version',     label: 'Node.js'           },
+    { cmd: 'git --version',      label: 'git'               },
+  ];
+  for (const { cmd, label } of tools) {
+    try {
+      const out = execSync(cmd, { encoding: 'utf8', stdio: ['pipe','pipe','pipe'] }).trim();
+      ok(`${label}: ${out}`);
+      passed++;
+    } catch {
+      fail(`${label} not found`);
+      failed++;
+    }
+  }
+  info('Checking npm globals...');
+  const npms = [
+    { cmd: 'sentinel --version',  label: '@misterhuydo/sentinel'   },
+    { cmd: 'cairn --version',     label: '@misterhuydo/cairn-mcp'  },
+    { cmd: 'claude --version',    label: '@anthropic-ai/claude-code'},
+  ];
+  for (const { cmd, label } of npms) {
+    try {
+      const out = execSync(cmd, { encoding: 'utf8', stdio: ['pipe','pipe','pipe'] }).trim();
+      ok(`${label}: ${out}`);
+      passed++;
+    } catch {
+      fail(`${label} not installed — run: npm install -g ${label}`);
+      failed++;
+    }
+  }
+  info('Checking Claude auth...');
+  const apiKey = _readSentinelProp(projectDir, 'ANTHROPIC_API_KEY')
+               || process.env.ANTHROPIC_API_KEY || '';
+  const claudeProTasks = (_readSentinelProp(projectDir, 'CLAUDE_PRO_FOR_TASKS') || 'true').toLowerCase() !== 'false';
+  if (apiKey) {
+    ok(`ANTHROPIC_API_KEY configured (${apiKey.slice(0, 12)}...)`);
+    passed++;
+  } else {
+    warn('ANTHROPIC_API_KEY not set — Sentinel Boss will use CLI fallback only');
+  }
+  try {
+    const r = spawnSync('claude', ['--version'], { encoding: 'utf8', stdio: ['pipe','pipe','pipe'] });
+    if (r.status === 0) {
+      ok(`claude CLI available: ${(r.stdout || '').trim()}`);
+      if (claudeProTasks) {
+        ok('CLAUDE_PRO_FOR_TASKS=true — fix_engine will use Claude Pro subscription');
+      }
+      passed++;
+    } else {
+      warn('claude CLI found but --version failed');
+    }
+  } catch {
+    fail('claude CLI not found');
+    failed++;
+  }
+  if (!apiKey) {
+    try {
+      const r = spawnSync('claude', ['--print', 'ping', '--no-interactive'],
+                          { encoding: 'utf8', timeout: 10000, stdio: ['pipe','pipe','pipe'] });
+      if (r.status === 0) {
+        ok('claude OAuth session active');
+        passed++;
+      } else {
+        warn('claude OAuth session may be expired — run: claude login');
+      }
+    } catch {
+      warn('Could not verify claude OAuth session');
+    }
+  }
+  if (projectDir && fs.existsSync(projectDir)) {
+    info(`Checking project config at ${projectDir}...`);
+    const sentinelProps = path.join(projectDir, 'config', 'sentinel.properties');
+    if (fs.existsSync(sentinelProps)) {
+      ok('sentinel.properties found');
+      passed++;
+    } else {
+      fail(`sentinel.properties missing at ${sentinelProps}`);
+      failed++;
+    }
+    const logConfigs  = path.join(projectDir, 'config', 'log-configs');
+    const repoConfigs = path.join(projectDir, 'config', 'repo-configs');
+    const logCount  = fs.existsSync(logConfigs)  ? fs.readdirSync(logConfigs).filter(f => f.endsWith('.properties') && !f.startsWith('_')).length : 0;
+    const repoCount = fs.existsSync(repoConfigs) ? fs.readdirSync(repoConfigs).filter(f => f.endsWith('.properties') && !f.startsWith('_')).length : 0;
+    if (logCount > 0)  { ok(`${logCount} log-config(s) found`);  passed++; }
+    else               { warn('No log-configs found — add at least one in config/log-configs/'); }
+    if (repoCount > 0) { ok(`${repoCount} repo-config(s) found`); passed++; }
+    else               { warn('No repo-configs found — add at least one in config/repo-configs/'); }
+    const ghToken = _readSentinelProp(projectDir, 'GITHUB_TOKEN') || '';
+    if (ghToken) { ok('GITHUB_TOKEN configured'); passed++; }
+    else         { warn('GITHUB_TOKEN not set — cannot open PRs'); }
+    const slackBot = _readSentinelProp(projectDir, 'SLACK_BOT_TOKEN') || '';
+    const slackApp = _readSentinelProp(projectDir, 'SLACK_APP_TOKEN') || '';
+    if (slackBot && slackApp) { ok('Slack tokens configured (Boss enabled)'); passed++; }
+    else                      { warn('Slack tokens not set — Boss disabled'); }
+  } else if (projectName) {
+    fail(`Project '${projectName}' not found at ${projectDir}`);
+    failed++;
+  } else {
+    warn('No project specified — skipping project config checks');
+    warn('Run: sentinel test <project-name>');
+  }
+  info('Checking Python dependencies...');
+  const codeDir = path.join(defaultWorkspace, 'code');
+  const reqFile = path.join(codeDir, 'requirements.txt');
+  if (fs.existsSync(reqFile)) {
+    try {
+      execSync('python3 -c "import paramiko, schedule, requests, jinja2"',
+               { encoding: 'utf8', stdio: ['pipe','pipe','pipe'] });
+      ok('Python dependencies installed');
+      passed++;
+    } catch {
+      fail('Python dependencies missing — run: pip install -r requirements.txt');
+      failed++;
+    }
+  } else {
+    warn('requirements.txt not found — run: sentinel init');
+  }
+  console.log('');
+  if (failed === 0) {
+    console.log(chalk.green.bold(`  ✔ All checks passed (${passed} ok)`));
+  } else {
+    console.log(chalk.yellow.bold(`  ${passed} passed, ${failed} failed`));
+    console.log(chalk.gray('  Fix the issues above before starting Sentinel.'));
+  }
+  console.log('');
+  process.exit(failed > 0 ? 1 : 0);
+};
+function _findActiveProject(workspace) {
+  if (!fs.existsSync(workspace)) return null;
+  const dirs = fs.readdirSync(workspace)
+    .map(d => path.join(workspace, d))
+    .filter(d => fs.statSync(d).isDirectory()
+              && fs.existsSync(path.join(d, 'config', 'sentinel.properties')));
+  return dirs.length === 1 ? dirs[0] : null;
+}
+function _readSentinelProp(projectDir, key) {
+  if (!projectDir) return '';
+  const candidates = [
+    path.join(projectDir, 'config', 'sentinel.properties'),
+    path.join(os.homedir(), 'sentinel', 'sentinel.properties'),
+  ];
+  for (const f of candidates) {
+    if (!fs.existsSync(f)) continue;
+    for (const line of fs.readFileSync(f, 'utf8').split('\n')) {
+      const stripped = line.trim();
+      if (stripped.startsWith('#') || !stripped.includes('=')) continue;
+      const [k, ...rest] = stripped.split('=');
+      if (k.trim() === key) return rest.join('=').split('#')[0].trim();
+    }
+  }
+  return '';
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.4.88",
+  "version": "1.4.90",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/config_loader.py

@@ -75,6 +75,8 @@ class SentinelConfig:
     sync_retention_days: int = 30    # delete synced log files older than this many days
     sync_max_file_mb: int = 200      # truncate synced log files exceeding this size (MB)
     boss_mode: str = "standard"      # standard | strict | fun
+    sentinel_dev_repo_path: str = "" # path to Sentinel source repo for Dev Claude
+    sentinel_dev_auto_publish: bool = False  # if True, auto-publish + upgrade after version bump
 
 
 @dataclass
@@ -206,6 +208,8 @@ class ConfigLoader:
         c.sync_max_file_mb = int(d.get("SYNC_MAX_FILE_MB", 200))
         raw_mode = d.get("BOSS_MODE", "standard").lower().strip()
         c.boss_mode = raw_mode if raw_mode in ("standard", "strict", "fun") else "standard"
+        c.sentinel_dev_repo_path = d.get("SENTINEL_DEV_REPO_PATH", "")
+        c.sentinel_dev_auto_publish = d.get("SENTINEL_DEV_AUTO_PUBLISH", "false").lower() == "true"
         self.sentinel = c
 
     def _load_log_sources(self):

package/python/sentinel/dev_watcher.py

@@ -0,0 +1,280 @@
+"""
+dev_watcher.py — Scan the dev-tasks/ directory for Sentinel self-improvement requests,
+and scan Sentinel's own log for errors to self-repair.
+
+Tasks are dropped by:
+  - Boss (via dev_task tool) → slack-<uuid>.txt
+  - Fix engine (via BOSS_ESCALATE) → bot-<fingerprint>-<ts>.txt
+  - Self-repair (log watcher) → self-<fingerprint>-<ts>.txt
+  - Admin (manual drop) → any other .txt
+
+File format:
+    TYPE: feature|fix|refactor|chore|ask
+    SUBMITTED_BY: Name (UXXX)
+    SOURCE: boss|fix_engine/BOSS_ESCALATE|self_repair|manual
+    SOURCE_FINGERPRINT: <8-char error fingerprint>   # optional
+    SUBMITTED_AT: 2026-03-27T10:00:00+00:00
+
+    Task description — what to implement, fix, or improve in Sentinel.
+"""
+
+from __future__ import annotations
+
+import hashlib
+import logging
+import time
+from dataclasses import dataclass, field
+from datetime import datetime, timezone
+from pathlib import Path
+import re
+
+logger = logging.getLogger(__name__)
+
+_META_PREFIXES = ("TYPE:", "SUBMITTED_BY:", "SOURCE:", "SOURCE_FINGERPRINT:", "SUBMITTED_AT:")
+
+
+@dataclass
+class DevTask:
+    source: str                 # "dev-tasks/<filename>"
+    task_file: Path             # absolute path, used for archiving
+    message: str                # first non-blank body line — shown in Slack
+    body: str                   # full task body (after headers stripped)
+    task_type: str              # feature|fix|refactor|chore|ask
+    fingerprint: str = ""
+    timestamp: str = ""
+    submitter_user_id: str = ""
+    source_fingerprint: str = ""  # error fingerprint if from BOSS_ESCALATE
+
+    def __post_init__(self):
+        if not self.fingerprint:
+            raw = f"dev:{self.task_type}:{self.message[:200]}"
+            self.fingerprint = hashlib.sha1(raw.encode()).hexdigest()[:16]
+        if not self.timestamp:
+            self.timestamp = datetime.now(timezone.utc).isoformat()
+        if not self.submitter_user_id:
+            for line in self.body.splitlines():
+                m = re.match(r'SUBMITTED_BY:.*\(([UW][A-Z0-9]+)\)', line.strip())
+                if m:
+                    self.submitter_user_id = m.group(1)
+                    break
+
+
+def scan_dev_tasks(project_dir: Path) -> list[DevTask]:
+    """Return all pending dev task files from <project_dir>/dev-tasks/."""
+    tasks_dir = project_dir / "dev-tasks"
+    tasks_dir.mkdir(exist_ok=True)
+
+    def _priority(p: Path) -> tuple:
+        if p.name.startswith("slack-"):
+            return (0, p.name)
+        if p.name.startswith("bot-"):
+            return (2, p.name)
+        return (1, p.name)
+
+    tasks = []
+    for f in sorted(tasks_dir.iterdir(), key=_priority):
+        if not f.is_file() or f.name.startswith("."):
+            continue
+        if f.suffix.lower() not in (".txt", ".md", ""):
+            continue
+        try:
+            content = f.read_text(encoding="utf-8", errors="replace").strip()
+        except OSError as e:
+            logger.error("Cannot read dev task %s: %s", f, e)
+            continue
+        if not content:
+            continue
+
+        lines = content.splitlines()
+        task_type = "feature"
+        source_fingerprint = ""
+        submitter_user_id = ""
+        body_start = 0
+
+        for i, line in enumerate(lines):
+            stripped = line.strip()
+            upper = stripped.upper()
+            if upper.startswith("TYPE:"):
+                raw = stripped[5:].strip().lower()
+                task_type = raw if raw in ("feature", "fix", "refactor", "chore", "ask") else "feature"
+                body_start = i + 1
+            elif upper.startswith("SUBMITTED_BY:"):
+                m = re.search(r'\(([UW][A-Z0-9]+)\)', stripped)
+                if m:
+                    submitter_user_id = m.group(1)
+                body_start = i + 1
+            elif upper.startswith("SOURCE_FINGERPRINT:"):
+                source_fingerprint = stripped[19:].strip()
+                body_start = i + 1
+            elif any(upper.startswith(p) for p in _META_PREFIXES) or not stripped:
+                body_start = i + 1
+            else:
+                break
+
+        body = "\n".join(lines[body_start:]).strip() or content
+        message = next((l.strip() for l in lines[body_start:] if l.strip()), f.name)
+
+        tasks.append(DevTask(
+            source=f"dev-tasks/{f.name}",
+            task_file=f,
+            message=message,
+            body=body,
+            task_type=task_type,
+            submitter_user_id=submitter_user_id,
+            source_fingerprint=source_fingerprint,
+        ))
+        logger.info("Found dev task: %s (type=%s)", f.name, task_type)
+
+    return tasks
+
+
+def mark_dev_done(task_file: Path) -> None:
+    """Archive a processed dev task to dev-tasks/.done/ regardless of outcome."""
+    done_dir = task_file.parent / ".done"
+    done_dir.mkdir(exist_ok=True)
+    dest = done_dir / task_file.name
+    if dest.exists():
+        dest = done_dir / f"{task_file.stem}-{int(time.time())}{task_file.suffix}"
+    task_file.rename(dest)
+    logger.info("Dev task archived: %s -> .done/%s", task_file.name, dest.name)
+
+
+_LOG_TIMESTAMP_RE = re.compile(
+    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+ '
+    r'(ERROR|CRITICAL)\s+(\S+) — (.+)$'
+)
+_LOG_LINE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+ \w')
+
+# Error patterns in Sentinel's own code that are worth Dev Claude investigating.
+# Excludes transient/external errors that Dev Claude cannot fix.
+_SKIP_PATTERNS = re.compile(
+    r'SSH|Connection|Timeout|Rate.limit|npm show|git pull|git push'
+    r'|slack_bolt|urllib|requests\.|socket\.',
+    re.IGNORECASE,
+)
+
+
+def scan_sentinel_errors(
+    log_path: Path,
+    tail_lines: int = 300,
+    seen_fps: set | None = None,
+) -> list[tuple[str, str]]:
+    """
+    Scan Sentinel's own log file for recent ERROR/CRITICAL entries and
+    group them with their Traceback blocks.
+
+    Returns list of (fingerprint, error_text) for errors not in seen_fps.
+    Each error_text is suitable as a Dev Claude task body.
+    seen_fps is updated in-place so callers can track across polls.
+    """
+    if seen_fps is None:
+        seen_fps = set()
+
+    if not log_path.exists():
+        return []
+
+    try:
+        # Read last tail_lines lines efficiently
+        with open(log_path, encoding="utf-8", errors="replace") as f:
+            lines = f.readlines()
+        lines = lines[-tail_lines:]
+    except OSError:
+        return []
+
+    # Group lines into blocks: each block starts at an ERROR/CRITICAL log line
+    blocks: list[list[str]] = []
+    current: list[str] | None = None
+
+    for line in lines:
+        if _LOG_LINE_RE.match(line):
+            if current is not None:
+                blocks.append(current)
+            m = _LOG_TIMESTAMP_RE.match(line.rstrip())
+            current = [line.rstrip()] if m else None
+        elif current is not None:
+            current.append(line.rstrip())
+
+    if current:
+        blocks.append(current)
+
+    results = []
+    for block in blocks:
+        if not block:
+            continue
+        header = block[0]
+        m = _LOG_TIMESTAMP_RE.match(header)
+        if not m:
+            continue
+
+        level, logger_name, message = m.group(1), m.group(2), m.group(3)
+
+        # Skip errors from external systems that Dev Claude can't fix
+        if _SKIP_PATTERNS.search(message):
+            continue
+        # Skip if no traceback (single-line errors are often transient)
+        has_traceback = any("Traceback" in l or "Error:" in l for l in block[1:])
+        if not has_traceback and level != "CRITICAL":
+            continue
+
+        # Fingerprint: hash of normalized message + top traceback frame
+        top_frame = next(
+            (l.strip() for l in block if l.strip().startswith("File ")), ""
+        )
+        normalized = re.sub(r'0x[0-9a-f]+|\d+', 'N', message)
+        raw = f"sentinel-self:{logger_name}:{normalized}:{top_frame[:80]}"
+        fp = hashlib.sha1(raw.encode()).hexdigest()[:16]
+
+        if fp in seen_fps:
+            continue
+        seen_fps.add(fp)
+
+        error_text = "\n".join(block)
+        task_body = (
+            f"Sentinel detected an error in its own code (logger: {logger_name}).\n"
+            f"Investigate the root cause in the Sentinel source and fix it.\n\n"
+            f"LOG ENTRY:\n{error_text}\n"
+        )
+        results.append((fp, task_body))
+
+    return results
+
+
+def drop_self_repair_task(project_dir: Path, fp: str, task_body: str) -> Path:
+    """
+    Create a self-repair dev task file for an error found in Sentinel's own log.
+    Returns the path to the created file.
+    """
+    dev_tasks_dir = project_dir / "dev-tasks"
+    dev_tasks_dir.mkdir(exist_ok=True)
+    ts = int(time.time())
+    fname = f"self-{fp[:8]}-{ts}.txt"
+    fpath = dev_tasks_dir / fname
+    lines = [
+        "TYPE: fix",
+        "SOURCE: self_repair",
+        f"SOURCE_FINGERPRINT: {fp}",
+        f"SUBMITTED_AT: {datetime.now(timezone.utc).isoformat()}",
+        "",
+        task_body,
+    ]
+    fpath.write_text("\n".join(lines), encoding="utf-8")
+    logger.info("Self-repair task dropped: %s", fname)
+    return fpath
+
+
+def purge_old_dev_tasks(dev_tasks_dir: Path, keep_days: int = 30) -> int:
+    """Delete files older than keep_days from dev-tasks/.done/."""
+    cutoff = time.time() - keep_days * 86400
+    deleted = 0
+    done = dev_tasks_dir / ".done"
+    if done.exists():
+        for f in done.iterdir():
+            if f.is_file() and f.stat().st_mtime < cutoff:
+                try:
+                    f.unlink()
+                    deleted += 1
+                except OSError:
+                    pass
+    if deleted:
+        logger.info("Purged %d old dev task archive file(s) (>%d days)", deleted, keep_days)
+    return deleted

package/python/sentinel/fix_engine.py

@@ -126,6 +126,10 @@ def _build_prompt(event, repo: RepoConfig, log_file, marker: str, stale_markers:
         "   was insufficient or unsafe, (c) exactly what a human needs to do or decide.",
         "   Do NOT output NEEDS_HUMAN just because the fix is complex — only when human",
         "   judgement or access is genuinely required.",
+        "8. If the fix requires changing Sentinel's own source code (the monitoring/fix agent",
+        "   itself, not the application being monitored) — output exactly:",
+        "   BOSS_ESCALATE: <description of what needs to change in Sentinel>",
+        "   This escalates to the Sentinel Dev Claude agent who will implement it.",
     ]
     return "\n".join(lines_out)
 
@@ -444,6 +448,27 @@ def generate_fix(
         logger.info("Claude skipped fix for %s: %s", event.fingerprint, reason)
         return "skip", None, reason
 
+    # BOSS_ESCALATE: child Claude determined the fix requires changing Sentinel itself
+    if output.strip().upper().startswith("BOSS_ESCALATE:"):
+        description = output.strip()[len("BOSS_ESCALATE:"):].strip()
+        logger.info(
+            "fix_engine: BOSS_ESCALATE for %s — dropping dev task: %s",
+            event.fingerprint, description[:200],
+        )
+        try:
+            from .sentinel_dev import drop_escalation
+            from pathlib import Path as _Path
+            project_dir = _Path(cfg.workspace_dir).parent
+            drop_escalation(
+                project_dir,
+                description,
+                source="fix_engine/BOSS_ESCALATE",
+                source_fingerprint=event.fingerprint,
+            )
+        except Exception as _esc_err:
+            logger.error("fix_engine: failed to drop escalation: %s", _esc_err)
+        return "skip", None, description
+
     patch = _extract_patch(output)
     if not patch:
         logger.warning("No patch found in Claude output for %s", event.fingerprint)

package/python/sentinel/git_manager.py

@@ -358,6 +358,21 @@ def publish(
         return branch, pr_url
 
 
+def _alert_github_token_error(cfg: "SentinelConfig", owner_repo: str, status: int, hint: str = "") -> None:
+    """Fire a Slack alert when GitHub API rejects the token during PR creation."""
+    msg = (
+        f":warning: *Sentinel — GitHub token error ({status})*\n"
+        f"Could not open a PR for `{owner_repo}`.\n"
+        f"{hint}\n"
+        f"Check `GITHUB_TOKEN` in `sentinel.properties` — it may be expired, revoked, "
+        f"or not scoped to this org/repo."
+    )
+    logger.error("GitHub token error %s for %s: %s", status, owner_repo, hint)
+    if cfg.slack_bot_token and cfg.slack_channel:
+        from .notify import slack_alert
+        slack_alert(cfg.slack_bot_token, cfg.slack_channel, msg)
+
+
 def _open_github_pr(
     event: ErrorEvent,
     repo: RepoConfig,
@@ -407,10 +422,31 @@ def _open_github_pr(
         return pr_url
     else:
         logger.error("Failed to open PR (%s): %s", resp.status_code, resp.text[:300])
+        if resp.status_code in (401, 403, 404):
+            hint = "Token may lack access to this org/repo." if resp.status_code == 404 else resp.json().get("message", "")
+            _alert_github_token_error(cfg, owner_repo, resp.status_code, hint)
         return ""
 
 
-def poll_open_prs(store, github_token: str) -> list[dict]:
+def _delete_github_branch(owner_repo: str, branch: str, headers: dict) -> None:
+    """Delete a remote branch from GitHub after its PR is merged or closed."""
+    try:
+        resp = requests.delete(
+            f"https://api.github.com/repos/{owner_repo}/git/refs/heads/{branch}",
+            headers=headers,
+            timeout=15,
+        )
+        if resp.status_code == 204:
+            logger.info("Deleted branch %s from %s", branch, owner_repo)
+        elif resp.status_code == 422:
+            logger.debug("Branch %s already deleted on %s", branch, owner_repo)
+        else:
+            logger.warning("Could not delete branch %s (%s): %s", branch, resp.status_code, resp.text[:200])
+    except Exception as e:
+        logger.warning("Failed to delete branch %s: %s", branch, e)
+
+
+def poll_open_prs(store, github_token: str, cfg: "SentinelConfig | None" = None) -> list[dict]:
     """
     Check GitHub for the current state of all pending PRs in the state store.
 
@@ -463,6 +499,14 @@ def poll_open_prs(store, github_token: str) -> list[dict]:
         if resp.status_code == 404:
             logger.warning("poll_open_prs: PR not found (deleted?): %s", pr_url)
             continue
+        if resp.status_code in (401, 403):
+            logger.error(
+                "poll_open_prs: GitHub token rejected (%s) for %s — "
+                "org may require a fine-grained PAT. Set GITHUB_TOKEN in sentinel.properties.",
+                resp.status_code, pr_url,
+            )
+            _alert_github_token_error(cfg, pr_url, resp.status_code, resp.json().get("message", ""))
+            break  # No point retrying other PRs with the same bad token
         if resp.status_code != 200:
             logger.warning("poll_open_prs: unexpected %s for %s", resp.status_code, pr_url)
             continue
@@ -475,6 +519,7 @@ def poll_open_prs(store, github_token: str) -> list[dict]:
             continue  # still pending
 
         new_status = "merged" if merged else "skipped"
+        branch = fix.get("branch", "")
 
         with store._conn() as conn:
             conn.execute(
@@ -486,6 +531,11 @@ def poll_open_prs(store, github_token: str) -> list[dict]:
             "poll_open_prs: PR #%s %s → %s (fp=%s)",
             pr_number, owner_repo, new_status, fingerprint[:8],
         )
+
+        # Delete the fix branch from GitHub when PR is closed (merged or rejected)
+        if branch:
+            _delete_github_branch(owner_repo, branch, headers)
+
         changes.append({
             "fingerprint": fingerprint,
             "pr_url":      pr_url,

package/python/sentinel/issue_watcher.py

@@ -52,7 +52,9 @@ class IssueEvent:
 
     def __post_init__(self):
         if not self.fingerprint:
-            raw = f"issue:{self.source}:{self.message[:200]}"
+            # Use target_repo + message (not filename) so retries of the same
+            # issue share the same fingerprint — enables cooldown dedup.
+            raw = f"issue:{self.target_repo}:{self.message[:200]}"
             self.fingerprint = hashlib.sha1(raw.encode()).hexdigest()[:16]
         if not self.submitter_user_id:
             import re as _re