@misterhuydo/sentinel 1.5.4 → 1.5.6

package/lib/.cairn/views/fc4a1a_add.js

@@ -6,6 +6,7 @@ const { execSync, spawnSync } = require('child_process');
 const prompts = require('prompts');
 const chalk = require('chalk');
 const { writeExampleProject, generateWorkspaceScripts, generateProjectScripts } = require('./generate');
+const { printSlackSetupGuide } = require('./slack-setup');
 const ok   = msg => console.log(chalk.green('  ✔'), msg);
 const info = msg => console.log(chalk.cyan('  →'), msg);
 const warn = msg => console.log(chalk.yellow('  ⚠'), msg);
@@ -241,26 +242,64 @@ async function addFromGit(gitUrl, workspace) {
   }], { onCancel: () => process.exit(0) });
   step(`[1/3] Setting up SSH access to ${repoSlug}`);
   ensureKnownHosts();
-  const { keyFile } = generateDeployKey(repoSlug);
-  printDeployKeyInstructions(orgRepo, keyFile);
-  await prompts({
-    type: 'text', name: '_', format: () => '',
-    message: chalk.bold(`Press Enter once you've added the deploy key to GitHub…`),
-  }, { onCancel: () => process.exit(0) });
-  const primary = validateAccess(gitUrl, keyFile);
-  if (!primary.ok) {
-    console.error(chalk.red('  ✖ Cannot reach ' + gitUrl));
-    if (primary.stderr) console.error(chalk.red('    ' + primary.stderr));
-    console.error(chalk.yellow('  Check the deploy key has write access, then re-run.'));
-    process.exit(1);
+  const existingAccess = validateAccess(gitUrl, null);
+  let keyFile = null;
+  if (existingAccess.ok) {
+    ok(`${repoSlug}: reachable via existing SSH key — skipping deploy key generation`);
+  } else {
+    const keyAlreadyExisted = fs.existsSync(path.join(os.homedir(), '.ssh', `${repoSlug}.key`));
+    const { keyFile: generatedKey } = generateDeployKey(repoSlug);
+    keyFile = generatedKey;
+    if (keyAlreadyExisted) {
+      const primary = validateAccess(gitUrl, keyFile);
+      if (primary.ok) {
+        ok(`${repoSlug}: reachable (reusing existing deploy key)`);
+      } else {
+        printDeployKeyInstructions(orgRepo, keyFile);
+        await prompts({
+          type: 'text', name: '_', format: () => '',
+          message: chalk.bold(`Press Enter once you've added the deploy key to GitHub…`),
+        }, { onCancel: () => process.exit(0) });
+        const retry = validateAccess(gitUrl, keyFile);
+        if (!retry.ok) {
+          console.error(chalk.red('  ✖ Cannot reach ' + gitUrl));
+          if (retry.stderr) console.error(chalk.red('    ' + retry.stderr));
+          console.error(chalk.yellow('  Check the deploy key has write access, then re-run.'));
+          process.exit(1);
+        }
+        ok(`${repoSlug}: reachable`);
+      }
+    } else {
+      printDeployKeyInstructions(orgRepo, keyFile);
+      await prompts({
+        type: 'text', name: '_', format: () => '',
+        message: chalk.bold(`Press Enter once you've added the deploy key to GitHub…`),
+      }, { onCancel: () => process.exit(0) });
+      const primary = validateAccess(gitUrl, keyFile);
+      if (!primary.ok) {
+        console.error(chalk.red('  ✖ Cannot reach ' + gitUrl));
+        if (primary.stderr) console.error(chalk.red('    ' + primary.stderr));
+        console.error(chalk.yellow('  Check the deploy key has write access, then re-run.'));
+        process.exit(1);
+      }
+      ok(`${repoSlug}: reachable`);
+    }
   }
-  ok(`${repoSlug}: reachable`);
   const projectDir = path.join(workspace, name);
   step(`[2/3] Scanning repo-configs in ${repoSlug}…`);
+  const sshEnv = keyFile
+    ? gitEnv({ GIT_SSH_COMMAND: `ssh -i ${keyFile} -o StrictHostKeyChecking=no -o BatchMode=yes` })
+    : gitEnv({});
   if (!fs.existsSync(projectDir)) {
     spawnSync(gitBin(), ['clone', '--depth', '1', gitUrl, projectDir], {
       stdio: 'inherit',
-      env: gitEnv({ GIT_SSH_COMMAND: `ssh -i ${keyFile} -o StrictHostKeyChecking=no -o BatchMode=yes` }),
+      env: sshEnv,
+    });
+  } else {
+    spawnSync(gitBin(), ['pull', '--rebase'], {
+      cwd: projectDir,
+      stdio: 'inherit',
+      env: sshEnv,
     });
   }
   const discovered = discoverReposFromClone(projectDir);
@@ -273,6 +312,21 @@ async function addFromGit(gitUrl, workspace) {
     fs.appendFileSync(gitignorePath, (giContent.endsWith('\n') ? '' : '\n') + giLines.join('\n') + '\n');
     ok('.gitignore updated: *.key and *.pub excluded from git');
   }
+  const sentinelPropsPath = path.join(projectDir, 'config', 'sentinel.properties');
+  let projectGitAccess = '';
+  let projectGitSshKey = '';
+  if (fs.existsSync(sentinelPropsPath)) {
+    const lines = fs.readFileSync(sentinelPropsPath, 'utf8').split('\n');
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (trimmed.startsWith('#') || !trimmed.includes('=')) continue;
+      const [k, ...rest] = trimmed.split('=');
+      const v = rest.join('=').split('#')[0].trim();
+      if (k.trim() === 'GIT_ACCESS') projectGitAccess = v;
+      if (k.trim() === 'GIT_SSH_KEY') projectGitSshKey = v.replace(/^~/, require('os').homedir());
+    }
+  }
+  const useSshUserKey = projectGitAccess === 'ssh_user_key';
   const privateRepos = [];
   const publicRepos  = [];
   if (discovered.length === 0) {
@@ -289,40 +343,58 @@ async function addFromGit(gitUrl, workspace) {
     }
   }
   if (privateRepos.length > 0) {
-    step(`[3/3] Deploy keys needed for ${privateRepos.length} private repo(s)`);
-    for (const r of privateRepos) {
-      const { keyFile: rKey } = generateDeployKey(r.slug, projectDir);
-      r.keyFile = rKey;
-      const rOrgRepo = gitUrlToOrgRepo(r.url);
-      printDeployKeyInstructions(rOrgRepo, rKey);
-    }
-    if (publicRepos.length > 0) {
-      console.log(chalk.green('  ✔ Public repos (no deploy key needed):'));
+    if (useSshUserKey) {
+      step(`[3/3] Validating access to ${privateRepos.length} private repo(s) via SSH user key…`);
+      const sshKeyForValidation = projectGitSshKey || null;
+      for (const r of privateRepos) {
+        const v = validateAccess(r.url, sshKeyForValidation);
+        if (!v.ok) {
+          console.error(chalk.red(`  ✖ ${r.slug}: cannot reach ${r.url}`));
+          if (v.stderr) console.error(chalk.red('    ' + v.stderr));
+          console.error(chalk.yellow(`  Check that GIT_SSH_KEY (${projectGitSshKey || 'SSH agent'}) has access, then re-run.`));
+          process.exit(1);
+        }
+        ok(`${r.slug}: reachable`);
+      }
       for (const r of publicRepos) {
-        console.log(chalk.green(`      ${r.slug}`));
+        ok(`${r.slug}: public, no key needed`);
       }
-      console.log('');
-    }
-    await prompts({
-      type: 'text', name: '_', format: () => '',
-      message: chalk.bold(`Press Enter once you've added all ${privateRepos.length} deploy key(s) to GitHub…`),
-    }, { onCancel: () => process.exit(0) });
-    step('Validating repository access…');
-    for (const r of privateRepos) {
-      const v = validateAccess(r.url, r.keyFile);
-      if (!v.ok) {
-        console.error(chalk.red(`  ✖ ${r.slug}: cannot reach ${r.url}`));
-        if (v.stderr) console.error(chalk.red('    ' + v.stderr));
-        console.error(chalk.yellow('  Fix access then re-run sentinel add.'));
-        process.exit(1);
+    } else {
+      step(`[3/3] Deploy keys needed for ${privateRepos.length} private repo(s)`);
+      for (const r of privateRepos) {
+        const { keyFile: rKey } = generateDeployKey(r.slug, projectDir);
+        r.keyFile = rKey;
+        const rOrgRepo = gitUrlToOrgRepo(r.url);
+        printDeployKeyInstructions(rOrgRepo, rKey);
+      }
+      if (publicRepos.length > 0) {
+        console.log(chalk.green('  ✔ Public repos (no deploy key needed):'));
+        for (const r of publicRepos) {
+          console.log(chalk.green(`      ${r.slug}`));
+        }
+        console.log('');
+      }
+      await prompts({
+        type: 'text', name: '_', format: () => '',
+        message: chalk.bold(`Press Enter once you've added all ${privateRepos.length} deploy key(s) to GitHub…`),
+      }, { onCancel: () => process.exit(0) });
+      step('Validating repository access…');
+      for (const r of privateRepos) {
+        const v = validateAccess(r.url, r.keyFile);
+        if (!v.ok) {
+          console.error(chalk.red(`  ✖ ${r.slug}: cannot reach ${r.url}`));
+          if (v.stderr) console.error(chalk.red('    ' + v.stderr));
+          console.error(chalk.yellow('  Fix access then re-run sentinel add.'));
+          process.exit(1);
+        }
+        ok(`${r.slug}: reachable`);
+      }
+      for (const r of publicRepos) {
+        ok(`${r.slug}: public, no key needed`);
+      }
+      for (const r of privateRepos) {
+        info(`Key stored at ${r.keyFile} (auto-discovered, not committed to git)`);
       }
-      ok(`${r.slug}: reachable`);
-    }
-    for (const r of publicRepos) {
-      ok(`${r.slug}: public, no key needed`);
-    }
-    for (const r of privateRepos) {
-      info(`Key stored at ${r.keyFile} (auto-discovered, not committed to git)`);
     }
   } else if (discovered.length > 0) {
     step('[3/3] All repos are public — no deploy keys needed');
@@ -386,6 +458,35 @@ async function addFromGit(gitUrl, workspace) {
   } else if (effectiveToken) {
     info('GITHUB_TOKEN will be written when project files are created');
   }
+  const workspaceSlackToken = fs.existsSync(workspaceProps)
+    ? (fs.readFileSync(workspaceProps, 'utf8').match(/^SLACK_BOT_TOKEN\s*=\s*(.+)$/m) || [])[1]?.trim()
+    : '';
+  const { ownSlack } = await prompts({
+    type: 'confirm', name: 'ownSlack',
+    message: workspaceSlackToken
+      ? 'Does this project use a different Slack workspace than the default?'
+      : 'Does this project use Slack (Sentinel Boss)?',
+    initial: false,
+  }, { onCancel: () => process.exit(0) });
+  let projectSlackBotToken = '';
+  let projectSlackAppToken = '';
+  if (ownSlack) {
+    printSlackSetupGuide(false, 'Setting up project Slack Bot…');
+    const slackAnswers = await prompts([
+      {
+        type: 'password', name: 'botToken',
+        message: 'Slack Bot Token  (xoxb-...)',
+        validate: v => !v || v.startsWith('xoxb-') ? true : 'Should start with xoxb-',
+      },
+      {
+        type: 'password', name: 'appToken',
+        message: 'Slack App-Level Token  (xapp-...)',
+        validate: v => !v || v.startsWith('xapp-') ? true : 'Should start with xapp-',
+      },
+    ], { onCancel: () => process.exit(0) });
+    projectSlackBotToken = slackAnswers.botToken || '';
+    projectSlackAppToken = slackAnswers.appToken || '';
+  }
   step('Dry-run preview');
   info(`Will create: ${projectDir}/`);
   if (discovered.length > 0) {
@@ -408,9 +509,6 @@ async function addFromGit(gitUrl, workspace) {
   const pythonBin = path.join(codeDir, '.venv', 'bin', 'python3');
   if (discovered.length > 0) {
     generateProjectScripts(projectDir, codeDir, pythonBin);
-    ok(`Project "${name}" ready at ${projectDir}`);
-    printNextSteps(projectDir, autoPublish);
-    await offerToStart(projectDir);
   } else {
     writeExampleProject(projectDir, codeDir, pythonBin);
     const repoDir = path.join(projectDir, 'config', 'repo-configs');
@@ -423,10 +521,25 @@ async function addFromGit(gitUrl, workspace) {
     const example = path.join(repoDir, '_example.properties');
     if (fs.existsSync(example)) fs.removeSync(example);
     generateWorkspaceScripts(workspace, {}, {}, {}, effectiveToken);
-    ok(`Project "${name}" created at ${projectDir}`);
-    printNextSteps(projectDir, autoPublish);
-    await offerToStart(projectDir);
   }
+  if (projectSlackBotToken || projectSlackAppToken) {
+    const privateProps = path.join(projectDir, 'private_sentinel.properties');
+    const lines = ['# Private credentials for this project — DO NOT COMMIT'];
+    if (projectSlackBotToken) lines.push(`SLACK_BOT_TOKEN=${projectSlackBotToken}`);
+    if (projectSlackAppToken) lines.push(`SLACK_APP_TOKEN=${projectSlackAppToken}`);
+    fs.writeFileSync(privateProps, lines.join('\n') + '\n');
+    ok('Private tokens → private_sentinel.properties (local only)');
+    const gitignore = path.join(projectDir, '.gitignore');
+    const ignoreEntry = 'private_sentinel.properties';
+    const existing = fs.existsSync(gitignore) ? fs.readFileSync(gitignore, 'utf8') : '';
+    if (!existing.includes(ignoreEntry)) {
+      fs.writeFileSync(gitignore, existing.trimEnd() + `\n${ignoreEntry}\n`);
+      ok('.gitignore updated — private_sentinel.properties will not be committed');
+    }
+  }
+  ok(`Project "${name}" ${discovered.length > 0 ? 'ready' : 'created'} at ${projectDir}`);
+  printNextSteps(projectDir, autoPublish);
+  await offerToStart(projectDir);
 }
 async function addFromName(nameArg, workspace) {
   const answers = await prompts([{

package/lib/init.js

@@ -8,6 +8,7 @@ const prompts = require('prompts');
 const chalk = require('chalk');
 const { generateProjectScripts, generateWorkspaceScripts, writeExampleProject } = require('./generate');
 const { buildSlackManifest, printSlackSetupGuide } = require('./slack-setup');
+const { generateSettingsXml } = require('./maven');
 
 const ok   = msg => console.log(chalk.green('  ✔'), msg);
 const info = msg => console.log(chalk.cyan('  →'), msg);
@@ -95,6 +96,29 @@ module.exports = async function init() {
       message: 'Set up Slack Bot (Sentinel Boss — conversational AI interface)?',
       initial: !!(existing.SLACK_BOT_TOKEN),
     },
+    {
+      type: 'confirm',
+      name: 'setupMaven',
+      message: 'Do your projects use Maven with a private Nexus/Artifactory repository?',
+      initial: fs.existsSync(path.join(os.homedir(), '.m2', 'settings.xml')),
+    },
+    {
+      type: prev => prev ? 'select' : null,
+      name: 'mavenMode',
+      message: 'How would you like to configure Maven settings?',
+      choices: [
+        { title: 'Sentinel will ask me via Slack after startup  (recommended)', value: 'detect' },
+        { title: 'Copy my existing settings.xml from this machine',              value: 'copy'   },
+        { title: 'Skip — I will configure it manually later',                    value: 'skip'   },
+      ],
+    },
+    {
+      type: (_, { mavenMode } = {}) => mavenMode === 'copy' ? 'text' : null,
+      name: 'mavenSettingsPath',
+      message: 'Path to your settings.xml',
+      initial: path.join(os.homedir(), '.m2', 'settings.xml'),
+      validate: v => fs.existsSync(v) ? true : 'File not found',
+    },
   ], { onCancel: () => process.exit(0) });
 
   // ── Slack app creation helper (shown before token prompts) ───────────────────
@@ -119,6 +143,18 @@ module.exports = async function init() {
 
   Object.assign(answers, tokenAnswers);
 
+  // ── Maven / Nexus ─────────────────────────────────────────────────────────────
+  // Credentials are configured via Slack after startup — no prompts needed here.
+  // On first boot, Sentinel will scan pom.xml files, detect Nexus servers, and
+  // DM the first admin user with instructions to send:
+  //   "nexus settings <paste settings.xml content>"  — or —
+  //   "nexus creds <host> <username> <password>"
+  if (answers.mavenMode === 'detect') {
+    info('Nexus credentials will be configured via Slack after Sentinel starts.');
+    info('Sentinel will DM you with instructions when it detects missing credentials.');
+  }
+  const nexusServers = [];
+
   const { workspace, authMode, anthropicKey, example, systemd, smtpUser, smtpPassword, smtpHost, setupSlack, slackBotToken, slackAppToken } = answers;
   const effectiveAnthropicKey  = anthropicKey  || existing.ANTHROPIC_API_KEY || '';
   const effectiveSmtpPassword  = smtpPassword  || existing.SMTP_PASSWORD     || '';
@@ -205,6 +241,23 @@ module.exports = async function init() {
     info('Re-run  sentinel init  after creating the app to fill in the tokens');
   }
 
+  // ── Maven settings.xml ──────────────────────────────────────────────────────
+  if (answers.mavenMode === 'copy' && answers.mavenSettingsPath) {
+    step('Configuring Maven…');
+    const m2Dir = path.join(os.homedir(), '.m2');
+    fs.ensureDirSync(m2Dir);
+    fs.copySync(answers.mavenSettingsPath, path.join(m2Dir, 'settings.xml'), { overwrite: true });
+    ok(`settings.xml copied from ${answers.mavenSettingsPath}`);
+  } else if (answers.mavenMode === 'detect' && nexusServers.length) {
+    step('Writing Maven settings.xml…');
+    const m2Dir = path.join(os.homedir(), '.m2');
+    fs.ensureDirSync(m2Dir);
+    fs.writeFileSync(path.join(m2Dir, 'settings.xml'), generateSettingsXml(nexusServers));
+    const totalIds = nexusServers.reduce((n, s) => n + s.repoIds.length, 0);
+    ok(`settings.xml written — ${nexusServers.length} server(s), ${totalIds} repo ID(s)`);
+    nexusServers.forEach(s => info(`  ${s.host}  →  [${s.repoIds.join(', ')}]`));
+  }
+
   // ── Workspace structure ─────────────────────────────────────────────────────
   step('Creating workspace…');
   fs.ensureDirSync(workspace);
@@ -403,6 +456,7 @@ function ensureNpmUserPrefix() {
 }
 
 
+
 function setupSystemd(workspace) {
   const user = os.userInfo().username;
   const svc = `/etc/systemd/system/sentinel.service`;

package/lib/maven.js

@@ -0,0 +1,212 @@
+'use strict';
+
+const fs   = require('fs-extra');
+const path = require('path');
+const os   = require('os');
+const { spawnSync } = require('child_process');
+const prompts = require('prompts');
+const chalk   = require('chalk');
+
+const ok   = msg => console.log(chalk.green('  ✔'), msg);
+const info = msg => console.log(chalk.cyan('  →'), msg);
+const warn = msg => console.log(chalk.yellow('  ⚠'), msg);
+
+const PUBLIC_REPOS = /repo1\.maven\.org|central\.maven\.org|repo\.maven\.apache\.org/i;
+const REPO_RE = /<(?:repository|snapshotRepository|pluginRepository)>\s*<id>([^<]+)<\/id>\s*<url>([^<]+)<\/url>/gs;
+const SERVER_RE = /<server>\s*<id>([^<]+)<\/id>/g;
+
+/** Recursively find all pom.xml files (skips node_modules / .git / target). */
+function findPoms(dir) {
+  const results = [];
+  const SKIP = new Set(['node_modules', '.git', 'target', '.mvn']);
+  try {
+    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+      if (SKIP.has(entry.name)) continue;
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) results.push(...findPoms(full));
+      else if (entry.name === 'pom.xml') results.push(full);
+    }
+  } catch (_) {}
+  return results;
+}
+
+/**
+ * Scan pom.xml files in repoPaths and return:
+ *   Map<host, { urls: Set<string>, ids: Set<string> }>
+ * Only includes non-central repositories.
+ */
+function scanMavenRepos(repoPaths) {
+  const nexusMap = new Map();
+  for (const repoPath of repoPaths) {
+    for (const pom of findPoms(repoPath)) {
+      let text;
+      try { text = fs.readFileSync(pom, 'utf8'); } catch (_) { continue; }
+      for (const m of text.matchAll(REPO_RE)) {
+        const id  = m[1].trim();
+        const url = m[2].trim();
+        if (PUBLIC_REPOS.test(url)) continue;
+        let host;
+        try { host = new URL(url).hostname; } catch (_) { continue; }
+        if (!nexusMap.has(host)) nexusMap.set(host, { urls: new Set(), ids: new Set() });
+        nexusMap.get(host).urls.add(url);
+        nexusMap.get(host).ids.add(id);
+      }
+    }
+  }
+  return nexusMap;
+}
+
+/** Return Set of server IDs already in ~/.m2/settings.xml. */
+function readConfiguredServerIds() {
+  const settingsPath = path.join(os.homedir(), '.m2', 'settings.xml');
+  const ids = new Set();
+  if (!fs.existsSync(settingsPath)) return ids;
+  try {
+    const text = fs.readFileSync(settingsPath, 'utf8');
+    for (const m of text.matchAll(SERVER_RE)) ids.add(m[1].trim());
+  } catch (_) {}
+  return ids;
+}
+
+/** Merge new server entries into ~/.m2/settings.xml (creates it if missing). */
+function mergeSettingsXml(servers) {
+  const settingsPath = path.join(os.homedir(), '.m2', 'settings.xml');
+  fs.ensureDirSync(path.join(os.homedir(), '.m2'));
+
+  let existing = '';
+  if (fs.existsSync(settingsPath)) {
+    existing = fs.readFileSync(settingsPath, 'utf8');
+  }
+
+  const newBlocks = servers.flatMap(s =>
+    s.repoIds.map(id => `
+    <server>
+      <id>${id}</id>
+      <username>${s.user}</username>
+      <password>${s.password}</password>
+    </server>`)
+  ).join('');
+
+  if (existing.includes('<servers>')) {
+    // Inject before closing </servers>
+    existing = existing.replace('</servers>', `${newBlocks}\n  </servers>`);
+  } else if (existing.includes('<settings>')) {
+    existing = existing.replace('<settings>', `<settings>\n\n  <servers>${newBlocks}\n  </servers>`);
+  } else {
+    // Write fresh
+    existing = generateSettingsXml(servers);
+  }
+
+  fs.writeFileSync(settingsPath, existing);
+}
+
+function generateSettingsXml(servers) {
+  const serverBlocks = servers.flatMap(s =>
+    s.repoIds.map(id => `
+    <server>
+      <id>${id}</id>
+      <username>${s.user}</username>
+      <password>${s.password}</password>
+    </server>`)
+  ).join('');
+
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
+                              http://maven.apache.org/xsd/settings-1.0.0.xsd">
+
+  <servers>${serverBlocks}
+  </servers>
+
+</settings>
+`;
+}
+
+/**
+ * Shallow-clone a repo to a temp dir, scan its pom.xml files, then delete the clone.
+ * Returns the nexusMap for that repo.
+ */
+function scanRepoUrl(repoUrl, sshEnv) {
+  const tmp = path.join(os.tmpdir(), `sentinel-maven-scan-${Date.now()}`);
+  try {
+    const r = spawnSync(
+      'git', ['clone', '--depth', '1', '--quiet', repoUrl, tmp],
+      { env: sshEnv || process.env, stdio: 'pipe' },
+    );
+    if (r.status !== 0) return new Map();
+    return scanMavenRepos([tmp]);
+  } finally {
+    try { fs.removeSync(tmp); } catch (_) {}
+  }
+}
+
+/**
+ * Main entry point for add.js:
+ * Scan repos, detect missing Nexus credentials, prompt and update settings.xml.
+ *
+ * @param {Array<{url: string}>} repos   — list of discovered repos
+ * @param {object}               sshEnv  — git SSH environment
+ */
+async function checkAndConfigureMaven(repos, sshEnv) {
+  if (repos.length === 0) return;
+
+  info('Scanning repos for Maven/Nexus configuration…');
+  const configuredIds = readConfiguredServerIds();
+  const nexusMap = new Map();  // host → {urls, ids}
+
+  for (const repo of repos) {
+    const repoMap = scanRepoUrl(repo.url, sshEnv);
+    for (const [host, data] of repoMap) {
+      if (!nexusMap.has(host)) nexusMap.set(host, { urls: new Set(), ids: new Set() });
+      for (const u of data.urls) nexusMap.get(host).urls.add(u);
+      for (const id of data.ids) nexusMap.get(host).ids.add(id);
+    }
+  }
+
+  if (nexusMap.size === 0) return;  // No private Maven repos found
+
+  // Filter to only hosts that have at least one unconfigured repo ID
+  const missing = new Map();
+  for (const [host, data] of nexusMap) {
+    const unconfigured = [...data.ids].filter(id => !configuredIds.has(id));
+    if (unconfigured.length > 0) missing.set(host, { ...data, ids: new Set(unconfigured) });
+  }
+
+  if (missing.size === 0) {
+    ok('Maven settings up to date — all Nexus repos already configured');
+    return;
+  }
+
+  console.log('');
+  warn(`Found ${missing.size} Nexus server(s) missing from ~/.m2/settings.xml:`);
+  for (const [host, data] of missing)
+    info(`  ${chalk.cyan(host)}  →  ${[...data.ids].join(', ')}`);
+  console.log('');
+
+  const { configure } = await prompts({
+    type: 'confirm', name: 'configure',
+    message: 'Configure Nexus credentials now?',
+    initial: true,
+  }, { onCancel: () => process.exit(0) });
+
+  if (!configure) {
+    warn('Skipped — add credentials to ~/.m2/settings.xml before starting Sentinel');
+    return;
+  }
+
+  const servers = [];
+  for (const [host, data] of missing) {
+    const creds = await prompts([
+      { type: 'text',     name: 'user',     message: `${chalk.cyan(host)}  username` },
+      { type: 'password', name: 'password', message: `${chalk.cyan(host)}  password` },
+    ], { onCancel: () => process.exit(0) });
+    servers.push({ host, user: creds.user, password: creds.password, repoIds: [...data.ids] });
+  }
+
+  mergeSettingsXml(servers);
+  const totalIds = servers.reduce((n, s) => n + s.repoIds.length, 0);
+  ok(`~/.m2/settings.xml updated — ${servers.length} server(s), ${totalIds} repo ID(s) added`);
+}
+
+module.exports = { scanMavenRepos, scanRepoUrl, checkAndConfigureMaven, mergeSettingsXml, generateSettingsXml, readConfiguredServerIds };

package/lib/slack-setup.js

@@ -11,6 +11,11 @@ function buildSlackManifest() {
       background_color: '#1a1a2e',
     },
     features: {
+      app_home: {
+        home_tab_enabled: false,
+        messages_tab_enabled: true,           // enables DMs to Sentinel
+        messages_tab_read_only_mode_enabled: false, // allows users to send messages
+      },
       bot_user: {
         display_name: 'Sentinel',
         always_online: true,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.5.4",
+  "version": "1.5.6",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/requirements.txt

@@ -6,3 +6,4 @@ jinja2>=3.1
 anthropic>=0.27
 slack-bolt>=1.18
 aiohttp>=3.9
+tzdata>=2024.1

package/python/sentinel/.cairn/.hint-lock

@@ -0,0 +1 @@
+2026-04-08T10:22:06.173Z

package/python/sentinel/.cairn/session.json

@@ -0,0 +1,9 @@
+{
+  "message": "Auto-checkpoint at 2026-04-08T10:21:21.356Z",
+  "checkpoint_at": "2026-04-08T10:21:21.443Z",
+  "active_files": [],
+  "notes": [
+    "[2026-04-08] git-snapshot: .cairn/session.json                    |  28 ++++-\n .claude/settings.local.json            |  47 ++++++-\n cli/.cairn/.hint-lock                  |   2 +-\n cli/.cairn/minify-map.json             |  14 ++-\n cli/.cairn/session.json                |   4 +-\n cli/.cairn/views/62a614_bundle.js      |   5 +-\n cli/lib/.cairn/minify-map.json         |   6 +\n cli/lib/.cairn/views/fb78ac_upgrade.js |  37 +++++-\n cli/lib/.cairn/views/fc4a1a_add.js     | 215 +++++++++++++++++++++++++--------\n cli/package.json                       |   2 +-\n 10 files changed, 296 insertions(+), 64 deletions(-) | status: M ../../../.cairn/session.json\n M ../../../.claude/settings.local.json\n M ../../.cairn/.hint-lock\n M ../../.cairn/minify-map.json\n M ../../.cairn/session.json\n M ../../.cairn/views/62a614_bundle.js\n M ../../lib/.cairn/minify-map.json\n M ../../lib/.cairn/views/fb78ac_upgrade.js\n M ../../lib/.cairn/views/fc4a1a_add.js\n M ../../package.json\n?? ../../../.cairn/.cairn-project\n?? ../../../.cairn/memory/\n?? ../../../.cairn/minify-map.json\n?? ../../../.cairn/views/\n?? ../../.cairn/views/23edf4_sentinel_boss.py\n?? ../../.cairn/views/5f5141_main.py\n?? ../../.cairn/views/7802b9_cicd_trigger.py\n?? ../../.cairn/views/ac3df4_repo_task_engine.py\n?? ../../lib/.cairn/views/2a85cc_init.js\n?? ../../lib/.cairn/views/e26996_slack-setup.js\n?? ../../../scripts/fix_ask_codebase_context.py\n?? ../../../scripts/fix_ask_codebase_stdin.py\n?? ../../../scripts/fix_chain_slack.py\n?? ../../../scripts/fix_fstring.py\n?? ../../../scripts/fix_knowledge_cache.py\n?? ../../../scripts/fix_knowledge_cache_staleness.py\n?? ../../../scripts/fix_merge_confirm.py\n?? ../../../scripts/fix_permission_messages.py\n?? ../../../scripts/fix_pr_check_head_detect.py\n?? ../../../scripts/fix_pr_msg_newlines.py\n?? ../../../scripts/fix_pr_tracking_boss.py\n?? ../../../scripts/fix_pr_tracking_db.py\n?? ../../../scripts/fix_pr_tracking_main.py\n?? ../../../scripts/fix_project_isolation.py\n?? ../../../scripts/fix_system_prompt.py\n?? ../../../scripts/fix_two_bugs.py\n?? ../../../scripts/patch_chain_release.py"
+  ],
+  "mtime_snapshot": {}
+}