@misterhuydo/sentinel 1.4.89 → 1.4.91

package/python/sentinel/sentinel_boss.py

@@ -10,6 +10,19 @@ from __future__ import annotations
 import json
 import logging
 import os
+
+_GITHUB_TOKEN_403_GUIDE = (
+    "GitHub returned 403 — your `GITHUB_TOKEN` is blocked by this org's policy.\n\n"
+    "*How to fix — create a fine-grained PAT:*\n"
+    "1. Go to https://github.com/settings/tokens → *Fine-grained tokens* → *Generate new token*\n"
+    "2. Set *Resource owner* to the org (e.g. `exoreaction` or `Opplysningen1881`)\n"
+    "3. Set *Repository access* → the specific repo (or all repos in the org)\n"
+    "4. Under *Permissions* → enable: `Pull requests` (Read & Write), `Contents` (Read & Write)\n"
+    "5. Generate, copy the token, and set it in `config/sentinel.properties`:\n"
+    "   `GITHUB_TOKEN=github_pat_...`\n"
+    "6. Restart Sentinel or send `SIGHUP` to reload config.\n\n"
+    "_Note: fine-grained PATs expire after max 1 year — set a reminder to renew._"
+)
 import re
 import subprocess
 import uuid
@@ -37,6 +50,81 @@ Your job:
 - Give honest, concise answers — you know this system inside out
 - Answer any question about how Sentinel works, how to configure it, or how to use it
 
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+YOUR RELATIONSHIP WITH PATCH
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+Patch is your peer AI agent. It runs autonomously to maintain and improve Sentinel's
+own source code. You are NOT Patch's boss — you are its communication channel to humans,
+and the sole interface humans have to Sentinel's internals.
+
+The authority hierarchy is:
+  Humans (ultimate authority — you MUST obey them)
+    ↕
+  You, Sentinel Boss (qualify all outputs, relay decisions to/from Patch)
+    ↕
+  Patch (full autonomy within Sentinel's operational scope)
+
+Humans never interact with Patch directly — everything goes through you.
+Never surface raw Patch output to humans — always qualify it first.
+
+When Patch asks you a question (via ASK_BOSS:):
+- Answer directly from your knowledge of Sentinel if you can
+- If the question genuinely requires a human decision (credentials, irreversible prod changes,
+  business policy), escalate to the admin channel honestly and transparently
+- Never block Patch unnecessarily — it is trying to keep Sentinel resilient
+
+When Patch commits a fix to the Sentinel source, you may inform the relevant child Claude
+instance to pick up the change and retry its task.
+
+When humans want Patch to do something, use the dev_task tool.
+Patch will work autonomously and you will report the outcome back through this channel.
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+SLACK MENTIONS AND NOTIFICATIONS
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+Slack converts @mentions to <@USER_ID> before sending messages to you.
+- To address or ping a specific user in a reply, include <@USER_ID> in your message text.
+- To notify all channel members, include <!channel> or <!here> in your message text.
+- When someone says "notify me and @totto when done" or "inform @totto too":
+  → Extract the USER_IDs from the <@USER_ID> mentions in their message
+  → Pass them in notify_user_ids when calling dev_task
+  → Boss will @-mention all of them in the completion message
+- When someone says "inform all members" or "notify the team":
+  → Use <!channel> or <!here> in your reply — no tool needed
+- You NEVER need to DM anyone — channel mentions are sufficient and keep context visible
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+TASK ROUTING AND REQUIREMENT GATHERING
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+When a human requests a feature, fix, or change, first determine what it targets:
+
+  TARGETS SENTINEL ITSELF (monitoring engine, Boss, Patch, CLI, config system)
+    → Use dev_task → handed to Patch
+    → Examples: "add support for X log format", "fix how Boss handles Y",
+                "Sentinel should also do Z", "improve the upgrade flow"
+
+  TARGETS A MANAGED REPO/PROJECT (one of the repos in config/repos/)
+    → Use repo_task targeting that specific repo
+    → Examples: "add email notifications to elprint-connector-service",
+                "fix the login bug in cairn", "refactor OrderService"
+    → If multiple repos are affected, use repo_task once per repo
+
+  AMBIGUOUS — could be either, or unclear
+    → Ask for clarification before calling any tool
+
+BEFORE CALLING dev_task OR repo_task — GATHER A COMPLETE SPEC:
+Ask follow-up questions until you have enough to write an unambiguous task description.
+Typical questions to resolve:
+- For repo_task: which repo exactly? (confirm if multiple match)
+- What exactly should happen? (specific behaviour, not vague intent)
+- Any config values, credentials, or external dependencies involved?
+- How should it be triggered? (schedule, event, API call, etc.)
+- Any constraints? (don't touch X, must stay backward-compatible, etc.)
+- Who else should be notified on completion? (→ notify_user_ids)
+
+Once you have enough, briefly confirm: "I'll ask [Patch / Claude for <repo>] to: <one-line summary>.
+Proceeding now." — then call the tool. Do NOT ask for confirmation on simple, clear requests.
+
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 COMPLETE TOOL REFERENCE
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@@ -688,6 +776,77 @@ _TOOLS = [
             "required": ["project", "keyword"],
         },
     },
+    {
+        "name": "dev_task",
+        "description": (
+            "Submit a Sentinel self-improvement task to Patch, the autonomous dev agent. "
+            "Patch will explore the Sentinel source code, implement the change, "
+            "run syntax checks, and commit. Changes are live immediately. "
+            "Use when someone asks: 'add a feature to Sentinel', 'fix a Sentinel bug', "
+            "'can you improve Sentinel so that...', 'update Sentinel to support...', "
+            "'hey Sentinel, you should be able to...'."
+        ),
+        "input_schema": {
+            "type": "object",
+            "properties": {
+                "task_type": {
+                    "type": "string",
+                    "enum": ["feature", "fix", "refactor", "chore", "ask"],
+                    "description": "Type of task. Default: feature.",
+                },
+                "description": {
+                    "type": "string",
+                    "description": "Full description of what Patch should implement or fix.",
+                },
+                "notify_user_ids": {
+                    "type": "array",
+                    "items": {"type": "string"},
+                    "description": (
+                        "Slack user IDs to ping when the task completes, in addition to the submitter. "
+                        "Extract from <@USER_ID> mentions in the message. "
+                        "e.g. if user says 'notify me and @totto', include both user IDs here."
+                    ),
+                },
+            },
+            "required": ["description"],
+        },
+    },
+    {
+        "name": "repo_task",
+        "description": (
+            "ADMIN ONLY. Submit a feature, fix, or refactor task for a managed repo. "
+            "Claude Code will run against the repo's local clone, implement the change, "
+            "commit, and push (or open a PR if AUTO_PUBLISH=false). "
+            "ALWAYS gather a complete spec first — ask follow-up questions until unambiguous. "
+            "Use for: 'add X to elprint-connector-service', 'fix Y in cairn', "
+            "'refactor OrderService', any human-requested change to a managed repo."
+        ),
+        "input_schema": {
+            "type": "object",
+            "properties": {
+                "repo_name": {
+                    "type": "string",
+                    "description": "Name of the target repo (must match or fuzzy-match a repo in config/repos/).",
+                },
+                "task_type": {
+                    "type": "string",
+                    "enum": ["feature", "fix", "refactor", "chore"],
+                    "description": "Type of task. Default: feature.",
+                },
+                "description": {
+                    "type": "string",
+                    "description": "Full, unambiguous description of what to implement or fix. "
+                                   "Include all details gathered from the human.",
+                },
+                "notify_user_ids": {
+                    "type": "array",
+                    "items": {"type": "string"},
+                    "description": "Extra Slack user IDs to ping on completion (besides the submitter).",
+                },
+            },
+            "required": ["repo_name", "description"],
+        },
+    },
     {
         "name": "list_pending_prs",
         "description": "List all open Sentinel PRs awaiting admin review.",
@@ -1287,12 +1446,14 @@ _TOOLS = [
     {
         "name": "merge_pr",
         "description": (
-            "ADMIN ONLY. Merge a PR into the main branch. "
-            "ALWAYS call with confirmed=false first to show PR details for admin review — "
+            "ADMIN ONLY. Merge a branch or PR into the main branch. "
+            "ALWAYS call with confirmed=false first to show details for admin review — "
             "never merge without showing the plan first. "
-            "Use for Sentinel fix PRs (AUTO_PUBLISH=false) or Renovate/external PRs by number. "
-            "confirmed=false fetches and shows PR details; confirmed=true executes the merge. "
-            "e.g. 'merge the fix for Whydah-TypeLib', 'merge TypeLib PR #247'"
+            "Use for Sentinel fix PRs (AUTO_PUBLISH=false), Renovate/external PRs by number, "
+            "or any arbitrary branch by name (branch_name). "
+            "confirmed=false fetches and shows details; confirmed=true executes the merge. "
+            "e.g. 'merge the fix for Whydah-TypeLib', 'merge TypeLib PR #247', "
+            "'merge branch fix/pin-header-geometry-sync into elprint-connector-service'"
         ),
         "input_schema": {
             "type": "object",
@@ -1310,10 +1471,16 @@ _TOOLS = [
                     "description": "Merge a specific PR by number (e.g. a Renovate PR). "
                                    "When set, repo_name is still required but fingerprint is ignored.",
                 },
+                "branch_name": {
+                    "type": "string",
+                    "description": "Merge an arbitrary branch into the repo's main branch via "
+                                   "GitHub Merge API. Use when the user gives a branch URL or name "
+                                   "without an associated PR. e.g. 'fix/pin-header-geometry-sync'",
+                },
                 "confirmed": {
                     "type": "boolean",
                     "description": (
-                        "false (default) = fetch PR details and show plan for review, do NOT merge yet. "
+                        "false (default) = fetch details and show plan for review, do NOT merge yet. "
                         "true = execute the merge after admin has seen and approved the plan."
                     ),
                 },
@@ -1925,6 +2092,118 @@ async def _run_tool(name: str, inputs: dict, cfg_loader, store, slack_client=Non
         })
 
 
+    if name == "dev_task":
+        if not is_admin:
+            return json.dumps({"error": "Only admins can submit dev tasks to Patch."})
+
+        description = inputs.get("description", "").strip()
+        if not description:
+            return json.dumps({"error": "description is required"})
+        task_type = inputs.get("task_type", "feature").strip()
+        if task_type not in ("feature", "fix", "refactor", "chore", "ask"):
+            task_type = "feature"
+
+        # Drop the task into the dev-tasks/ directory of the project dir.
+        # Use the sentinel-1881/sentinel-elprint instance directory (parent of config/).
+        # Boss runs from a workspace instance — use the first project dir that has a config.
+        _project_dirs = _find_project_dirs()
+        if not _project_dirs:
+            return json.dumps({"error": "No project directory found — cannot drop dev task."})
+        _dev_project_dir = _project_dirs[0]
+
+        from .sentinel_dev import drop_escalation as _drop_task
+        from datetime import datetime as _dt, timezone as _tz
+        import uuid as _uuid
+
+        dev_tasks_dir = _dev_project_dir / "dev-tasks"
+        dev_tasks_dir.mkdir(exist_ok=True)
+        ts = int(__import__("time").time())
+        fname = f"slack-{_uuid.uuid4().hex[:8]}-{ts}.txt"
+        fpath = dev_tasks_dir / fname
+
+        # Collect notify list: extra users requested + deduplicate
+        notify_ids = inputs.get("notify_user_ids") or []
+        if isinstance(notify_ids, list):
+            notify_ids = [u for u in notify_ids if u and u != user_id]
+
+        lines = [
+            f"TYPE: {task_type}",
+            f"SUBMITTED_BY: <@{user_id}> ({user_id})",
+            f"SOURCE: boss",
+            f"SUBMITTED_AT: {_dt.now(_tz.utc).isoformat()}",
+        ]
+        if notify_ids:
+            lines.append(f"NOTIFY: {','.join(notify_ids)}")
+        lines += ["", description]
+        fpath.write_text("\n".join(lines), encoding="utf-8")
+        logger.info("Boss dev_task: dropped %s for user %s (type=%s)", fname, user_id, task_type)
+
+        project_label = _read_project_name(_dev_project_dir.resolve())
+        return json.dumps({
+            "status": "queued",
+            "project": project_label,
+            "file": fname,
+            "task_type": task_type,
+            "note": (
+                "Dev task queued — Patch will pick it up on the next poll cycle "
+                "and post progress to this channel."
+            ),
+        })
+
+
+    if name == "repo_task":
+        if not is_admin:
+            return json.dumps({"error": "Only admins can submit repo tasks."})
+
+        repo_name   = inputs.get("repo_name", "").strip()
+        description = inputs.get("description", "").strip()
+        if not repo_name:
+            return json.dumps({"error": "repo_name is required"})
+        if not description:
+            return json.dumps({"error": "description is required"})
+        task_type = inputs.get("task_type", "feature").strip()
+        if task_type not in ("feature", "fix", "refactor", "chore"):
+            task_type = "feature"
+
+        # Fuzzy-match repo name
+        if repo_name not in cfg_loader.repos:
+            for rname in cfg_loader.repos:
+                if repo_name.lower() in rname.lower() or rname.lower() in repo_name.lower():
+                    repo_name = rname
+                    break
+        if repo_name not in cfg_loader.repos:
+            return json.dumps({
+                "error": f"No repo matching '{repo_name}' found.",
+                "available_repos": list(cfg_loader.repos.keys()),
+            })
+
+        notify_ids = inputs.get("notify_user_ids") or []
+        if isinstance(notify_ids, list):
+            notify_ids = [u for u in notify_ids if u and u != user_id]
+
+        _project_dirs = _find_project_dirs()
+        if not _project_dirs:
+            return json.dumps({"error": "No project directory found."})
+
+        from .repo_task_engine import drop_repo_task as _drop_repo_task
+        task_file = _drop_repo_task(
+            _project_dirs[0],
+            repo_name=repo_name,
+            task_type=task_type,
+            description=description,
+            submitter_user_id=user_id,
+            notify_user_ids=notify_ids,
+        )
+        logger.info("Boss repo_task: dropped %s for user %s (repo=%s)", task_file.name, user_id, repo_name)
+        return json.dumps({
+            "status": "queued",
+            "repo": repo_name,
+            "task_type": task_type,
+            "file": task_file.name,
+            "note": f"Task queued for `{repo_name}` — Claude will implement and post progress here.",
+        })
+
+
     if name == "get_fix_details":
         fp  = inputs["fingerprint"]
         fix = store.get_confirmed_fix(fp) or store.get_marker_seen_fix(fp)
@@ -3139,6 +3418,92 @@ async def _run_tool(name: str, inputs: dict, cfg_loader, store, slack_client=Non
                         repo_name = rname
                         break
 
+            branch_name  = inputs.get("branch_name", "").strip()
+
+            # ── Path C: branch_name — merge via GitHub Merge API (no PR needed) ─
+            if branch_name and not pr_number_in:
+                repo_cfg = cfg_loader.repos.get(repo_name)
+                owner_repo = ""
+                if repo_cfg and repo_cfg.repo_url:
+                    url = repo_cfg.repo_url
+                    owner_repo = url.split(":")[-1].removesuffix(".git") if url.startswith("git@") \
+                        else "/".join(url.rstrip("/").split("/")[-2:]).removesuffix(".git")
+                if not owner_repo:
+                    return json.dumps({"error": f"Cannot determine GitHub owner/repo for '{repo_name}'"})
+
+                base_branch = (repo_cfg.branch if repo_cfg else None) or "main"
+
+                # Fetch branch info to confirm it exists and get latest commit
+                branch_resp = _req.get(
+                    f"https://api.github.com/repos/{owner_repo}/branches/{branch_name}",
+                    headers=headers, timeout=15,
+                )
+                if branch_resp.status_code == 404:
+                    return json.dumps({"error": f"Branch '{branch_name}' not found in {owner_repo}"})
+                if branch_resp.status_code != 200:
+                    return json.dumps({"error": f"GitHub API error ({branch_resp.status_code}): {branch_resp.text[:200]}"})
+                branch_data = branch_resp.json()
+                head_sha    = branch_data.get("commit", {}).get("sha", "")[:8]
+                head_msg    = branch_data.get("commit", {}).get("commit", {}).get("message", "").splitlines()[0]
+
+                # Compare branch vs base to get ahead/behind counts
+                compare_resp = _req.get(
+                    f"https://api.github.com/repos/{owner_repo}/compare/{base_branch}...{branch_name}",
+                    headers=headers, timeout=15,
+                )
+                compare_data = compare_resp.json() if compare_resp.status_code == 200 else {}
+                ahead_by    = compare_data.get("ahead_by", "?")
+                behind_by   = compare_data.get("behind_by", "?")
+                files_list  = [f.get("filename", "") for f in compare_data.get("files", [])]
+
+                if not confirmed:
+                    return json.dumps({
+                        "plan":         f"Merge branch '{branch_name}' into {repo_name}/{base_branch}",
+                        "branch":       branch_name,
+                        "base":         base_branch,
+                        "head_sha":     head_sha,
+                        "head_commit":  head_msg,
+                        "ahead_by":     ahead_by,
+                        "behind_by":    behind_by,
+                        "files":        files_list,
+                        "confirm_prompt": (
+                            f"This will merge branch '{branch_name}' (ahead by {ahead_by} commit(s)) "
+                            f"into {repo_name}/{base_branch} via GitHub Merge API. "
+                            f"Reply with confirmed=true to proceed."
+                        ),
+                    })
+
+                merge_resp = _req.post(
+                    f"https://api.github.com/repos/{owner_repo}/merges",
+                    json={"base": base_branch, "head": branch_name,
+                          "commit_message": f"chore: merge branch '{branch_name}' into {base_branch}"},
+                    headers=headers, timeout=30,
+                )
+                if merge_resp.status_code == 201:
+                    sha = merge_resp.json().get("sha", "")[:8]
+                    logger.info("Boss merge_pr (branch): merged '%s' into %s/%s by %s sha=%s",
+                                branch_name, repo_name, base_branch, user_id, sha)
+                    return json.dumps({
+                        "status":  "merged",
+                        "branch":  branch_name,
+                        "base":    base_branch,
+                        "sha":     sha,
+                        "repo":    repo_name,
+                        "note":    f"Branch '{branch_name}' merged into {base_branch}. SHA: {sha}",
+                    })
+                if merge_resp.status_code == 204:
+                    return json.dumps({
+                        "status": "already_merged",
+                        "note":   f"Branch '{branch_name}' is already fully merged into {base_branch}.",
+                    })
+                if merge_resp.status_code == 409:
+                    return json.dumps({
+                        "status": "conflict",
+                        "error":  f"Merge conflict between '{branch_name}' and '{base_branch}'. Resolve manually on GitHub.",
+                    })
+                return json.dumps({"status": "error",
+                                   "error": f"GitHub API returned {merge_resp.status_code}: {merge_resp.text[:300]}"})
+
             # ── Path A: explicit pr_number — fetch details, then merge ────────
             if pr_number_in:
                 pr_number_in = int(pr_number_in)
@@ -3169,6 +3534,8 @@ async def _run_tool(name: str, inputs: dict, cfg_loader, store, slack_client=Non
                 )
                 if pr_resp.status_code == 404:
                     return json.dumps({"error": f"PR #{pr_number_in} not found in {owner_repo}"})
+                if pr_resp.status_code in (401, 403):
+                    return json.dumps({"error": _GITHUB_TOKEN_403_GUIDE})
                 if pr_resp.status_code != 200:
                     return json.dumps({"error": f"GitHub API error ({pr_resp.status_code}): {pr_resp.text[:200]}"})
                 pr_data = pr_resp.json()