@misterhuydo/sentinel 1.5.1 → 1.5.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.5.1",
+  "version": "1.5.3",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/fix_engine.py

@@ -259,17 +259,19 @@ def _run_claude_attempt(
     cwd: str | None = None,
     claude_log_path: Path | None = None,
     on_progress=None,
+    cmd_override: list | None = None,
 ) -> tuple[str, bool]:
     """
     Run claude CLI with the given env. Returns (output, timed_out).
     Raises FileNotFoundError if binary is missing.
     If on_progress is given, calls on_progress(msg) for meaningful output lines
     (deduped — same message not repeated consecutively).
+    cmd_override: if provided, use this command list instead of _claude_cmd() default.
     """
     import threading as _threading
 
     proc = subprocess.Popen(
-        _claude_cmd(bin_path, prompt),
+        cmd_override if cmd_override is not None else _claude_cmd(bin_path, prompt),
         stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
         text=True, env=env, cwd=cwd or None,
     )

package/python/sentinel/repo_task_engine.py

@@ -171,12 +171,27 @@ def run_repo_task(
     if on_progress:
         on_progress(f":mag: Exploring `{repo.repo_name}`...")
 
+    import os as _os
+    skip_perms = _os.getuid() != 0
+    # OAuth attempt: no --bare so the stored OAuth session is used naturally
+    oauth_cmd = (
+        [cfg.claude_code_bin, "--dangerously-skip-permissions", "--print", prompt]
+        if skip_perms else
+        [cfg.claude_code_bin, "--print", prompt]
+    )
+    # API key fallback: --bare forces API-key-only auth
+    api_cmd = (
+        [cfg.claude_code_bin, "--dangerously-skip-permissions", "--bare", "--print", prompt]
+        if skip_perms else
+        [cfg.claude_code_bin, "--bare", "--print", prompt]
+    )
+    api_env = {**env, "ANTHROPIC_API_KEY": cfg.anthropic_api_key} if cfg.anthropic_api_key else None
+
     try:
         output, timed_out = _run_claude_attempt(
             cfg.claude_code_bin, prompt, env,
-            cwd=local_path,
-            claude_log_path=claude_log,
-            on_progress=on_progress,
+            cwd=local_path, claude_log_path=claude_log, on_progress=on_progress,
+            cmd_override=oauth_cmd,
         )
     except FileNotFoundError:
         return "error", f"Claude binary not found: {cfg.claude_code_bin}"
@@ -187,7 +202,26 @@ def run_repo_task(
     stripped = output.strip()
 
     if _is_auth_error(stripped):
-        return "error", "Claude authentication error — check API key or run `claude login`."
+        # Silent fallback: OAuth session expired — retry with API key
+        if api_env:
+            logger.warning("repo_task/%s: OAuth session issue — retrying with API key", repo.repo_name)
+            if on_progress:
+                on_progress(":key: Auth refreshed — retrying...")
+            try:
+                output, timed_out = _run_claude_attempt(
+                    cfg.claude_code_bin, prompt, api_env,
+                    cwd=local_path, claude_log_path=claude_log, on_progress=on_progress,
+                    cmd_override=api_cmd,
+                )
+            except FileNotFoundError:
+                return "error", f"Claude binary not found: {cfg.claude_code_bin}"
+            if timed_out:
+                return "error", "Claude timed out after 15 minutes."
+            stripped = output.strip()
+            if _is_auth_error(stripped):
+                return "error", "Claude authentication failed — check ANTHROPIC_API_KEY."
+        else:
+            return "error", "Claude authentication error — run `claude login` on the server or set ANTHROPIC_API_KEY."
 
     if stripped.upper().startswith("SKIP:"):
         reason = stripped[5:].strip()

package/python/sentinel/sentinel_boss.py

@@ -2929,23 +2929,30 @@ async def _run_tool(name: str, inputs: dict, cfg_loader, store, slack_client=Non
                 f"Question / Task: {question}"
             )
             from .fix_engine import _is_auth_error
-            cmd = (
+            skip_perms = os.getuid() != 0
+            # OAuth attempt: no --bare so the stored OAuth session is used naturally
+            oauth_cmd = (
+                [cfg.claude_code_bin, "--dangerously-skip-permissions", "--print", prompt]
+                if skip_perms else
+                [cfg.claude_code_bin, "--print", prompt]
+            )
+            # API key fallback: --bare forces API-key-only auth (no OAuth/hooks)
+            api_cmd = (
                 [cfg.claude_code_bin, "--dangerously-skip-permissions", "--bare", "--print", prompt]
-                if os.getuid() != 0 else
+                if skip_perms else
                 [cfg.claude_code_bin, "--bare", "--print", prompt]
             )
             run_kwargs = dict(capture_output=True, text=True, timeout=300,
                               cwd=str(local_path), stdin=subprocess.DEVNULL)
             try:
-                # Try OAuth first (or API key if claude_pro_for_tasks=False)
-                r = subprocess.run(cmd, env=env, **run_kwargs)
+                r = subprocess.run(oauth_cmd, env=env, **run_kwargs)
                 output = (r.stdout or "").strip()
                 auth_failed = _is_auth_error(output) or _is_auth_error(r.stderr or "")
 
-                # Silent fallback: retry with API key if OAuth session expired
+                # Silent fallback: OAuth session expired — retry with API key
                 if auth_failed and api_env:
                     logger.warning("ask_codebase/%s: OAuth session issue — retrying with API key", repo_name)
-                    r = subprocess.run(cmd, env=api_env, **run_kwargs)
+                    r = subprocess.run(api_cmd, env=api_env, **run_kwargs)
                     output = (r.stdout or "").strip()
 
                 logger.info("Boss ask_codebase %s mode=%s rc=%d len=%d", repo_name, mode, r.returncode, len(output))