@misterhuydo/sentinel 1.5.4 → 1.5.6

package/python/sentinel/config_loader.py

@@ -78,6 +78,8 @@ class SentinelConfig:
     sync_max_file_mb: int = 200      # truncate synced log files exceeding this size (MB)
     boss_mode: str = "standard"      # standard | strict | fun
     sentinel_dev_repo_path: str = "" # path to Sentinel source repo for Dev Claude
+    sentinel_dev_soak_minutes: int = 30  # minutes to monitor after a Patch restart before publishing
+    sentinel_dev_auto_publish: bool = False  # if True, auto-publish to npm after clean soak
 
 
 @dataclass
@@ -112,8 +114,13 @@ class RepoConfig:
     cicd_user: str = ""      # Jenkins username for Basic auth (defaults to "sentinel")
     health_url: str = ""     # optional: HTTP endpoint returning {"Status": "true"}
     cicd_token: str = ""
-    git_access: str = ""     # ssh_user_key | ssh_deploy_key | https_token | https_pat
-    ssh_key_file: str = ""   # path to SSH private key; sets GIT_SSH_COMMAND when present
+    git_ssh_user_key: str = ""   # personal GitHub SSH key (contributor on org repos)
+    git_ssh_deploy_key: str = "" # repo-specific deploy key (repos you own/admin)
+
+    @property
+    def ssh_key_file(self) -> str:
+        """Resolved SSH key — deploy key takes priority over user key."""
+        return self.git_ssh_deploy_key or self.git_ssh_user_key
 
 
 # ── Loader ────────────────────────────────────────────────────────────────────
@@ -123,6 +130,7 @@ class ConfigLoader:
         self.config_dir = Path(config_dir)
         self.sentinel: SentinelConfig = SentinelConfig()
         self.log_sources: dict[str, LogSourceConfig] = {}
+        self._on_reload_callbacks: list = []  # called after every load()
         self.repos: dict[str, RepoConfig] = {}
         self.load()
         self._register_sighup()
@@ -135,6 +143,15 @@ class ConfigLoader:
             "Config loaded: %d log-config(s), %d repo-config(s)",
             len(self.log_sources), len(self.repos),
         )
+        for cb in self._on_reload_callbacks:
+            try:
+                cb(self)
+            except Exception as e:
+                logger.warning("Config reload callback failed: %s", e)
+
+    def register_on_reload(self, callback) -> None:
+        """Register a callback(cfg_loader) to be called after every config reload."""
+        self._on_reload_callbacks.append(callback)
 
     def _load_sentinel(self):
         # Load workspace-level config first (~/sentinel/sentinel.properties),
@@ -218,6 +235,8 @@ class ConfigLoader:
         raw_mode = d.get("BOSS_MODE", "standard").lower().strip()
         c.boss_mode = raw_mode if raw_mode in ("standard", "strict", "fun") else "standard"
         c.sentinel_dev_repo_path = d.get("SENTINEL_DEV_REPO_PATH", "")
+        c.sentinel_dev_soak_minutes = int(d.get("SENTINEL_DEV_SOAK_MINUTES", 30))
+        c.sentinel_dev_auto_publish = d.get("SENTINEL_DEV_AUTO_PUBLISH", "false").lower() == "true"
         self.sentinel = c
 
     def _load_log_sources(self):
@@ -254,8 +273,8 @@ class ConfigLoader:
         # Project-level defaults from sentinel.properties
         sentinel_path = self.config_dir / "sentinel.properties"
         proj_d: dict[str, str] = _parse_properties(str(sentinel_path)) if sentinel_path.exists() else {}
-        default_git_access = proj_d.get("GIT_ACCESS", "")
-        default_git_ssh_key = os.path.expanduser(proj_d.get("GIT_SSH_KEY", ""))
+        default_user_key   = os.path.expanduser(proj_d.get("GIT_SSH_USER_KEY", ""))
+        default_deploy_key = os.path.expanduser(proj_d.get("GIT_SSH_DEPLOY_KEY", ""))
 
         self.repos = {}
         for path in sorted(repos_dir.glob("*.properties")):
@@ -273,15 +292,15 @@ class ConfigLoader:
             r.cicd_user = d.get("CICD_USER", "")
             r.cicd_token = d.get("CICD_TOKEN", "")
             r.health_url = d.get("HEALTH_URL", "")
-            r.git_access = d.get("GIT_ACCESS", default_git_access)
-            # GIT_SSH_KEY (preferred) or legacy SSH_KEY_FILE, then project default
-            raw_key = d.get("GIT_SSH_KEY", "") or d.get("SSH_KEY_FILE", "")
-            r.ssh_key_file = os.path.expanduser(raw_key) if raw_key else default_git_ssh_key
+            raw_user_key   = d.get("GIT_SSH_USER_KEY", "")
+            raw_deploy_key = d.get("GIT_SSH_DEPLOY_KEY", "") or d.get("GIT_SSH_KEY", "") or d.get("SSH_KEY_FILE", "")
+            r.git_ssh_user_key   = os.path.expanduser(raw_user_key)   if raw_user_key   else default_user_key
+            r.git_ssh_deploy_key = os.path.expanduser(raw_deploy_key) if raw_deploy_key else default_deploy_key
             # Auto-discover deploy key in project dir if no key configured
-            if not r.ssh_key_file:
+            if not r.git_ssh_deploy_key and not r.git_ssh_user_key:
                 auto_key = Path(self.config_dir).parent / f"{r.repo_name}.key"
                 if auto_key.exists():
-                    r.ssh_key_file = str(auto_key.resolve())
+                    r.git_ssh_deploy_key = str(auto_key.resolve())
             self.repos[r.repo_name] = r
 
     def _register_sighup(self):

package/python/sentinel/dependency_manager.py

@@ -232,8 +232,8 @@ def execute_cascade(
     Returns one CascadeResult per dependent repo attempted.
     """
     # Import here to avoid circular imports
-    from .git_manager import commit_file_change, push_dep_update, open_dep_pr, _git_env, _git, maven_compile_check, MissingToolError  # noqa: E501
-    from .notify import notify_cascade_build_failed
+    from .git_manager import commit_file_change, push_dep_update, open_dep_pr, _git_env, _git, maven_compile_check, MissingToolError, MavenAuthError  # noqa: E501
+    from .notify import notify_cascade_build_failed, notify_nexus_auth_failure
 
     all_dependents = find_dependents(artifact_id, repos, skip_repo=source_repo_name)
     if target_repo_names:
@@ -264,6 +264,13 @@ def execute_cascade(
             # Dry-run: compile before committing — catch broken deps early
             try:
                 compile_ok, compile_output = maven_compile_check(repo.local_path)
+            except MavenAuthError as e:
+                _git(["checkout", "pom.xml"], cwd=repo.local_path, env=_git_env(repo))
+                result.error = "Maven auth failed — Nexus credentials missing or invalid"
+                logger.error("Cascade auth failure for %s: %s", repo.repo_name, e.output[-300:])
+                notify_nexus_auth_failure(cfg, repo.repo_name, f"cascade dep update {artifact_id}→{new_version}", e.output)
+                results.append(result)
+                continue
             except MissingToolError:
                 compile_ok, compile_output = False, "mvn not installed on this server"
 

package/python/sentinel/git_manager.py

@@ -29,6 +29,25 @@ class MissingToolError(Exception):
         super().__init__(f"Build tool '{tool}' not found on this server")
         self.tool = tool
 
+
+class MavenAuthError(Exception):
+    """Raised when mvn fails due to Nexus/Artifactory credential issues (401/403)."""
+    def __init__(self, output: str):
+        super().__init__("Maven dependency resolution failed — Nexus credentials missing or invalid")
+        self.output = output
+
+
+_NEXUS_AUTH_RE = re.compile(
+    r"(DependencyResolutionException"
+    r"|Could not transfer artifact"
+    r"|RepoAuthenticationException"
+    r"|status code: 40[13]"
+    r"|401 Unauthorized"
+    r"|403 Forbidden"
+    r"|authentication failed)",
+    re.IGNORECASE,
+)
+
 # Files that must never be modified by Sentinel
 _PROTECTED_PATHS = {".github/", "Jenkinsfile"}
 
@@ -69,6 +88,8 @@ def maven_compile_check(local_path: str, timeout: int = 300) -> tuple[bool, str]
         timeout=timeout,
     )
     output = (r.stdout + r.stderr).strip()
+    if r.returncode != 0 and _NEXUS_AUTH_RE.search(output):
+        raise MavenAuthError(output)
     return r.returncode == 0, output
 
 
@@ -160,6 +181,8 @@ def _run_tests(repo: RepoConfig, local_path: str) -> bool:
     if r.returncode != 0:
         output = r.stdout[-3000:] + r.stderr[-1000:]
         logger.error("Tests failed:\n%s", output)
+        if _NEXUS_AUTH_RE.search(output):
+            raise MavenAuthError(output)
         # Detect missing sub-tool invoked by the build (e.g. yarn called from Maven exec plugin)
         import re as _re
         m = _re.search(r'Cannot run program "([^"]+)"', output)

package/python/sentinel/issue_watcher.py

@@ -42,6 +42,7 @@ class IssueEvent:
     severity: str = "ERROR"
     timestamp: str = ""
     submitter_user_id: str = ""  # Slack user ID who raised this via Boss, if known
+    origin_channel: str = ""    # Slack channel where the issue was raised, if known
 
     # Compatibility fields matching ErrorEvent interface
     level: str = "ERROR"
@@ -130,8 +131,9 @@ def scan_issues(project_dir: Path) -> list[IssueEvent]:
 
         # Parse metadata headers in any order (TARGET_REPO, SUBMITTED_BY, SUBMITTED_AT, etc.)
         import re as _re
-        _META = ("TARGET_REPO:", "SUBMITTED_BY:", "SUBMITTED_AT:", "SUPPORT_URL:")
+        _META = ("TARGET_REPO:", "SUBMITTED_BY:", "SUBMITTED_AT:", "SUPPORT_URL:", "ORIGIN_CHANNEL:")
         submitter_user_id = ""
+        origin_channel = ""
         for i, line in enumerate(lines):
             stripped = line.strip()
             upper = stripped.upper()
@@ -143,6 +145,9 @@ def scan_issues(project_dir: Path) -> list[IssueEvent]:
                 if m:
                     submitter_user_id = m.group(1)
                 body_start = i + 1
+            elif upper.startswith("ORIGIN_CHANNEL:"):
+                origin_channel = stripped[len("ORIGIN_CHANNEL:"):].strip()
+                body_start = i + 1
             elif any(upper.startswith(p) for p in _META) or not stripped:
                 body_start = i + 1
             else:
@@ -158,6 +163,7 @@ def scan_issues(project_dir: Path) -> list[IssueEvent]:
             body=body,
             target_repo=target_repo,
             submitter_user_id=submitter_user_id,
+            origin_channel=origin_channel,
         ))
         logger.info("Found issue: %s (target_repo=%r)", f.name, target_repo or "auto")
 

package/python/sentinel/main.py

@@ -23,7 +23,7 @@ from pathlib import Path
 from .cairn_client import ensure_installed as cairn_installed, index_repo
 from .config_loader import ConfigLoader, SentinelConfig
 from .fix_engine import generate_fix
-from .git_manager import apply_and_commit, publish, _git_env, MissingToolError, poll_open_prs
+from .git_manager import apply_and_commit, publish, _git_env, MissingToolError, MavenAuthError, poll_open_prs
 from .cicd_trigger import trigger as cicd_trigger
 from .log_fetcher import fetch_all
 from .log_parser import parse_all, scan_all_for_markers, ErrorEvent
@@ -223,6 +223,12 @@ async def _handle_error(event: ErrorEvent, cfg_loader: ConfigLoader, store: Stat
 
     try:
         commit_status, commit_hash = apply_and_commit(event, patch_path, repo, sentinel)
+    except MavenAuthError as e:
+        from .notify import notify_nexus_auth_failure
+        logger.error("Nexus auth failure applying fix for %s: %s", event.fingerprint, str(e))
+        notify_nexus_auth_failure(sentinel, repo.repo_name, f"fix {event.fingerprint[:8]}", e.output)
+        store.record_fix(event.fingerprint, "failed", repo_name=repo.repo_name)
+        return
     except MissingToolError as e:
         logger.warning("Missing tool for %s: %s", event.source, e)
         if _auto_install_if_safe(e.tool, repo.local_path, sentinel, repo.repo_name, event.source):
@@ -319,13 +325,14 @@ async def _handle_issue(event: IssueEvent, cfg_loader: ConfigLoader, store: Stat
     # Post "working on" to channel and capture thread_ts for progress replies
     from .notify import slack_alert as _slack_alert, slack_thread_reply as _slack_reply
     _submitter = getattr(event, "submitter_user_id", "")
+    _origin_channel = getattr(event, "origin_channel", "") or sentinel.slack_channel
     _started_msg = (
         f":hammer: Working on *<@{_submitter}>*'s request — *{repo.repo_name}*\n"
         f"_{event.message[:120]}_"
     ) if _submitter else (
         f":hammer: Working on *{repo.repo_name}*\n_{event.message[:120]}_"
     )
-    _thread_ts = _slack_alert(sentinel.slack_bot_token, sentinel.slack_channel, _started_msg)
+    _thread_ts = _slack_alert(sentinel.slack_bot_token, _origin_channel, _started_msg)
 
     def _progress(msg: str) -> None:
         """Post a threaded reply under the 'Working on' message."""
@@ -402,7 +409,7 @@ async def _handle_issue(event: IssueEvent, cfg_loader: ConfigLoader, store: Stat
             _progress(f":arrow_right: <{pr_url}|PR opened> — awaiting review")
         notify_fix_applied(sentinel, event.source, event.message,
                            repo_name=repo.repo_name, branch=branch, pr_url=pr_url,
-                           submitter_user_id=submitter_uid)
+                           submitter_user_id=submitter_uid, origin_channel=_origin_channel)
         mark_done(event.issue_file)
 
         if repo.auto_publish:
@@ -415,6 +422,16 @@ async def _handle_issue(event: IssueEvent, cfg_loader: ConfigLoader, store: Stat
         return {"submitter": submitter_uid, "repo_name": repo.repo_name,
                 "status": "done", "summary": event.message[:120], "pr_url": pr_url}
 
+    except MavenAuthError as e:
+        from .notify import notify_nexus_auth_failure
+        submitter_uid = getattr(event, "submitter_user_id", "")
+        logger.error("Nexus auth failure for issue %s: %s", event.fingerprint, str(e))
+        _progress(":lock: Maven authentication failed — DMing admin for Nexus credentials")
+        notify_nexus_auth_failure(sentinel, repo.repo_name, f"issue fix {event.fingerprint[:8]}", e.output)
+        store.record_fix(event.fingerprint, "failed", repo_name=repo.repo_name)
+        mark_done(event.issue_file)
+        return {"submitter": submitter_uid, "repo_name": repo.repo_name,
+                "status": "blocked", "summary": "Nexus credentials needed", "pr_url": ""}
     except MissingToolError as e:
         logger.warning("Missing tool for %s: %s", event.source, e)
         submitter_uid = getattr(event, "submitter_user_id", "")
@@ -424,7 +441,7 @@ async def _handle_issue(event: IssueEvent, cfg_loader: ConfigLoader, store: Stat
         )
         if not installed:
             _progress(f":x: `{e.tool}` is not a known safe tool — manual install required")
-            notify_missing_tool(sentinel, e.tool, repo.repo_name, event.source, submitter_uid)
+            notify_missing_tool(sentinel, e.tool, repo.repo_name, event.source, submitter_uid, _origin_channel)
             store.record_fix(event.fingerprint, "failed", repo_name=repo.repo_name)
             mark_done(event.issue_file)
             return {"submitter": submitter_uid, "repo_name": repo.repo_name,
@@ -448,7 +465,8 @@ async def _handle_issue(event: IssueEvent, cfg_loader: ConfigLoader, store: Stat
             _progress(":x: Tests still failing after tool install — needs human review")
             notify_fix_blocked(sentinel, event.source, event.message,
                                reason="Patch was generated but commit/tests failed after tool install",
-                               repo_name=repo.repo_name, submitter_user_id=submitter_uid)
+                               repo_name=repo.repo_name, submitter_user_id=submitter_uid,
+                               origin_channel=_origin_channel)
             mark_done(event.issue_file)
             return {"submitter": submitter_uid, "repo_name": repo.repo_name,
                     "status": "blocked", "summary": "Commit/tests failed after tool install", "pr_url": ""}
@@ -472,7 +490,7 @@ async def _handle_issue(event: IssueEvent, cfg_loader: ConfigLoader, store: Stat
             _progress(f":arrow_right: <{pr_url}|PR opened> — awaiting review")
         notify_fix_applied(sentinel, event.source, event.message,
                            repo_name=repo.repo_name, branch=branch, pr_url=pr_url,
-                           submitter_user_id=submitter_uid)
+                           submitter_user_id=submitter_uid, origin_channel=_origin_channel)
         mark_done(event.issue_file)
         if repo.auto_publish:
             ok = cicd_trigger(repo, store, event.fingerprint)
@@ -721,9 +739,125 @@ async def _startup_checks(cfg_loader: ConfigLoader) -> dict:
                 results["ssh"].append({"name": src_name, "host": host,
                                        "status": "error", "message": str(e)})
 
+    # ── Maven settings.xml check ─────────────────────────────────────────────
+    _check_maven_settings(cfg_loader, results)
+
     return results
 
 
+def _check_maven_settings(cfg_loader, results: dict) -> None:
+    """
+    Scan pom.xml files in all cloned repos for private Nexus <repository> entries.
+    Groups missing credentials by hostname and DMs the first configured admin user
+    with two options: paste full settings.xml content, or provide creds per host.
+    """
+    import re as _re
+    import os as _os
+    from pathlib import Path as _Path
+    from urllib.parse import urlparse as _urlparse
+
+    settings_path = _Path(_os.path.expanduser("~/.m2/settings.xml"))
+
+    _PUBLIC = _re.compile(r"repo1\.maven\.org|central\.maven\.org|repo\.maven\.apache\.org", _re.I)
+    _REPO_RE = _re.compile(
+        r"<(?:repository|snapshotRepository|pluginRepository)>"
+        r"\s*<id>([^<]+)</id>\s*<url>([^<]+)</url>",
+        _re.S,
+    )
+    _SERVER_RE = _re.compile(r"<server>\s*<id>([^<]+)</id>", _re.S)
+
+    # Scan all cloned repos — group by hostname → set of repo IDs
+    nexus_map: dict[str, set[str]] = {}
+    for repo in cfg_loader.repos.values():
+        local = _Path(repo.local_path)
+        if not local.exists():
+            continue
+        for pom in local.rglob("pom.xml"):
+            if any(p in ("target", ".git", "node_modules") for p in pom.parts):
+                continue
+            try:
+                text = pom.read_text(encoding="utf-8", errors="replace")
+            except OSError:
+                continue
+            for m in _REPO_RE.finditer(text):
+                repo_id = m.group(1).strip()
+                url = m.group(2).strip()
+                if _PUBLIC.search(url):
+                    continue
+                try:
+                    hostname = _urlparse(url).hostname or ""
+                except Exception:
+                    continue
+                if hostname:
+                    nexus_map.setdefault(hostname, set()).add(repo_id)
+
+    if not nexus_map:
+        return
+
+    # Read configured server IDs from existing settings.xml
+    configured_ids: set[str] = set()
+    if settings_path.exists():
+        try:
+            for m in _SERVER_RE.finditer(settings_path.read_text(encoding="utf-8", errors="replace")):
+                configured_ids.add(m.group(1).strip())
+        except OSError:
+            pass
+
+    # Filter to hosts with at least one unconfigured ID
+    missing_hosts: dict[str, set[str]] = {
+        host: ids - configured_ids
+        for host, ids in nexus_map.items()
+        if ids - configured_ids
+    }
+
+    if not missing_hosts:
+        all_ids = {rid for ids in nexus_map.values() for rid in ids}
+        logger.info("Maven settings OK — %d repo ID(s) configured", len(all_ids))
+        return
+
+    summary = "; ".join(
+        f"{host} ({', '.join(sorted(ids))})"
+        for host, ids in sorted(missing_hosts.items())
+    )
+    results["warnings"].append(f"Maven credentials missing: {summary}")
+    logger.warning("Maven settings gap: %s", summary)
+
+    # DM the first admin user with two resolution options
+    cfg = cfg_loader.sentinel
+    if not cfg.slack_admin_users or not cfg.slack_bot_token:
+        logger.warning(
+            "Cannot DM admin about Maven credentials — "
+            "set SLACK_ADMIN_USERS and SLACK_BOT_TOKEN in sentinel.properties"
+        )
+        return
+
+    lines = [
+        ":warning: *Maven credentials needed* — I found Nexus servers missing from `~/.m2/settings.xml`:",
+    ]
+    for host, ids in sorted(missing_hosts.items()):
+        lines.append(f"  • `{host}`  →  repo IDs: `{', '.join(sorted(ids))}`")
+    lines += [
+        "",
+        "Pick one of these two ways to fix it:",
+        "",
+        "*Option 1 — paste your existing `settings.xml`*",
+        "Copy the full content of your `~/.m2/settings.xml` and send it to me starting with:",
+        "`nexus settings`",
+        "then the XML on the next line(s). I'll extract the credentials and save them.",
+        "",
+        "*Option 2 — provide credentials per server*",
+        "Send one message per Nexus host:",
+        "`nexus creds <host> <username> <password>`",
+        "",
+        "Examples:",
+    ]
+    for host in sorted(missing_hosts):
+        lines.append(f"`nexus creds {host} myuser mypassword`")
+
+    from .notify import slack_dm as _slack_dm
+    _slack_dm(cfg.slack_bot_token, cfg.slack_admin_users[0], "\n".join(lines))
+
+
 async def _send_startup_email_delayed(cfg, results: dict, delay: int = 300):
     """Wait delay seconds then send startup summary email."""
     await asyncio.sleep(delay)
@@ -1010,8 +1144,73 @@ async def _handle_dev_task(task, cfg_loader: ConfigLoader, store: StateStore):
     if status == "done":
         _slack_alert(
             sentinel.slack_bot_token, sentinel.slack_channel,
-            f"{mentions}:white_check_mark: *Patch finished* — changes committed to Sentinel source.",
+            f"{mentions}:white_check_mark: *Patch finished* — running tests before restart...",
         )
+        # Run test suite before restarting — revert if tests fail.
+        import os as _os, sys as _sys, subprocess as _sp
+        _loop2 = asyncio.get_event_loop()
+        _code_dir = Path(sentinel.sentinel_dev_repo_path or ".")
+        _venv_pytest = _code_dir / ".venv" / "bin" / "pytest"
+        _pytest_bin = str(_venv_pytest) if _venv_pytest.exists() else "pytest"
+        try:
+            _test_result = await _loop2.run_in_executor(
+                None,
+                lambda: _sp.run(
+                    [_pytest_bin, "tests/", "-q", "--tb=short", "--no-header"],
+                    cwd=str(_code_dir), capture_output=True, text=True, timeout=120,
+                ),
+            )
+        except Exception as _e:
+            _slack_alert(
+                sentinel.slack_bot_token, sentinel.slack_channel,
+                f"{mentions}:warning: *Patch* — could not run tests: {_e}. Restarting anyway.",
+            )
+            _test_result = None
+
+        if _test_result is not None and _test_result.returncode != 0:
+            # Tests failed — revert the fix and stay on old code
+            _revert = await _loop2.run_in_executor(
+                None,
+                lambda: _sp.run(
+                    ["git", "revert", "--no-edit", "HEAD"],
+                    cwd=str(_code_dir), capture_output=True, text=True, timeout=60,
+                ),
+            )
+            _revert_ok = _revert.returncode == 0
+            _test_summary = (_test_result.stdout + _test_result.stderr)[-800:]
+            _slack_alert(
+                sentinel.slack_bot_token, sentinel.slack_channel,
+                f"{mentions}:x: *Patch tests failed* — fix reverted{'✓' if _revert_ok else ' (revert failed — check manually)'}.\n```{_test_summary}```",
+            )
+            logger.error("Patch tests failed — reverted. Output:\n%s", _test_summary)
+        else:
+            _summary = ""
+            if _test_result:
+                _lines = _test_result.stdout.strip().splitlines()
+                _summary = f" ({_lines[-1]})" if _lines else ""
+            _slack_alert(
+                sentinel.slack_bot_token, sentinel.slack_channel,
+                f"{mentions}:white_check_mark: *Patch applied* — tests passed{_summary}. Restarting...",
+            )
+            logger.info("Patch tests passed — restarting Sentinel (execv)")
+            # Write soak marker so the next boot knows to monitor for regressions.
+            _patch_hash = _sp.run(
+                ["git", "rev-parse", "HEAD"],
+                cwd=str(_code_dir), capture_output=True, text=True,
+            ).stdout.strip()
+            from datetime import datetime as _dt, timezone as _tz
+            _soak_mins = cfg_loader.sentinel.sentinel_dev_soak_minutes
+            _soak_until = (_dt.now(_tz.utc).timestamp() + _soak_mins * 60)
+            _auto_pub   = cfg_loader.sentinel.sentinel_dev_auto_publish
+            (_code_dir / ".patch-soak").write_text(
+                f"PATCH_HASH={_patch_hash}\n"
+                f"PATCHED_AT={_dt.now(_tz.utc).isoformat()}\n"
+                f"SOAK_UNTIL={_soak_until}\n"
+                f"AUTO_PUBLISH={str(_auto_pub).lower()}\n"
+                f"SOAK_MINUTES={_soak_mins}\n"
+            )
+            await asyncio.sleep(1)  # let the Slack message flush
+            _os.execv(_sys.executable, [_sys.executable] + _sys.argv)
     elif status == "needs_human":
         # Boss qualifies the raw Patch explanation before surfacing to users
         qualified = _boss_qualify_dev_reason(detail, sentinel)
@@ -1128,7 +1327,13 @@ async def _handle_repo_task(task, repo_cfg, cfg_loader: ConfigLoader, store: Sta
         mentions = (mentions + " ") if mentions else ""
 
     if status == "done":
-        if detail:  # PR URL
+        if detail and detail.startswith("__cicd__"):
+            cicd_name = detail[len("__cicd__"):]
+            _slack_alert(
+                sentinel.slack_bot_token, sentinel.slack_channel,
+                f"{mentions}:white_check_mark: Done — pushed to `{task.repo_name}/{repo_cfg.branch}` and triggered `{cicd_name}` release.",
+            )
+        elif detail:  # PR URL
             _slack_alert(
                 sentinel.slack_bot_token, sentinel.slack_channel,
                 f"{mentions}:white_check_mark: Done — PR opened for `{task.repo_name}`: {detail}",
@@ -1224,6 +1429,139 @@ def _log_auth_status(cfg: SentinelConfig) -> None:
         slack_alert(cfg.slack_bot_token, cfg.slack_channel, msg)
 
 
+async def _patch_soak_monitor(cfg_loader: ConfigLoader) -> None:
+    """
+    After a Patch-triggered restart, monitor sentinel.log for N minutes.
+    - Clean soak → notify Slack; if AUTO_PUBLISH=true → npm publish
+    - Crash detected → git revert HEAD, restart, alert Slack
+    """
+    import subprocess as _sp, time as _time
+    from datetime import datetime as _dt, timezone as _tz
+    from .notify import slack_alert as _slack_alert
+
+    code_dir = Path(cfg_loader.sentinel.sentinel_dev_repo_path)
+    marker   = code_dir / ".patch-soak"
+    if not marker.exists():
+        return
+
+    raw = {}
+    for line in marker.read_text().splitlines():
+        if "=" in line:
+            k, _, v = line.partition("=")
+            raw[k.strip()] = v.strip()
+
+    patch_hash   = raw.get("PATCH_HASH", "unknown")
+    soak_until   = float(raw.get("SOAK_UNTIL", 0))
+    auto_publish = raw.get("AUTO_PUBLISH", "false") == "true"
+    soak_mins    = int(raw.get("SOAK_MINUTES", 30))
+
+    if _time.time() > soak_until:
+        # Already expired (e.g. second restart after revert) — clean up and bail
+        marker.unlink(missing_ok=True)
+        return
+
+    cfg = cfg_loader.sentinel
+    log_path = Path(".") / "logs" / "sentinel.log"
+    patched_at_iso = raw.get("PATCHED_AT", _dt.now(_tz.utc).isoformat())
+
+    logger.info("Patch soak monitor started — hash=%s soak=%dm auto_publish=%s",
+                patch_hash[:8], soak_mins, auto_publish)
+    _slack_alert(cfg.slack_bot_token, cfg.slack_channel,
+                 f":hourglass: *Patch soak started* — monitoring for {soak_mins} min "
+                 f"(patch `{patch_hash[:8]}`). Will notify when done.")
+
+    check_interval = 60  # seconds
+    error_found    = False
+
+    while _time.time() < soak_until:
+        await asyncio.sleep(check_interval)
+
+        # Scan sentinel.log for new ERROR lines since the patch
+        if log_path.exists():
+            try:
+                text = log_path.read_text(encoding="utf-8", errors="replace")
+                # Look for ERROR lines after our patch timestamp marker
+                new_errors = [
+                    l for l in text.splitlines()
+                    if " ERROR " in l and l > patched_at_iso[:19]
+                ]
+                if new_errors:
+                    error_found = True
+                    logger.error("Patch soak: new errors detected — reverting patch %s", patch_hash[:8])
+                    break
+            except OSError:
+                pass
+
+    marker.unlink(missing_ok=True)
+
+    if error_found:
+        # Revert and restart
+        loop = asyncio.get_event_loop()
+        revert = await loop.run_in_executor(
+            None,
+            lambda: _sp.run(
+                ["git", "revert", "--no-edit", "HEAD"],
+                cwd=str(code_dir), capture_output=True, text=True, timeout=60,
+            ),
+        )
+        revert_ok = revert.returncode == 0
+        _slack_alert(cfg.slack_bot_token, cfg.slack_channel,
+                     f":x: *Patch soak failed* — new errors detected after patch `{patch_hash[:8]}`. "
+                     f"Reverted {'✓' if revert_ok else '(failed — check manually)'}. Restarting...")
+        if revert_ok:
+            import os as _os, sys as _sys
+            await asyncio.sleep(2)
+            _os.execv(_sys.executable, [_sys.executable] + _sys.argv)
+        return
+
+    # Clean soak — notify
+    remaining = max(0, int(soak_until - _time.time()))
+    if auto_publish:
+        # Sync patched Python into the npm package dir and publish
+        import shutil as _sh
+        npm_root = _sp.run(
+            ["npm", "root", "-g"], capture_output=True, text=True, timeout=30,
+        ).stdout.strip()
+        pkg_dir = Path(npm_root) / "@misterhuydo" / "sentinel"
+        if pkg_dir.exists():
+            try:
+                _sh.copytree(str(code_dir / "sentinel"), str(pkg_dir / "python" / "sentinel"),
+                             dirs_exist_ok=True)
+                _sh.copytree(str(code_dir / "tests"), str(pkg_dir / "python" / "tests"),
+                             dirs_exist_ok=True)
+                ver_result = _sp.run(
+                    ["npm", "version", "patch", "--no-git-tag-version"],
+                    cwd=str(pkg_dir), capture_output=True, text=True, timeout=30,
+                )
+                new_ver = ver_result.stdout.strip()
+                pub = _sp.run(
+                    ["npm", "publish", "--access", "public"],
+                    cwd=str(pkg_dir), capture_output=True, text=True, timeout=120,
+                )
+                if pub.returncode == 0:
+                    _slack_alert(cfg.slack_bot_token, cfg.slack_channel,
+                                 f":rocket: *Patch published* — `{new_ver}` is live on npm. "
+                                 f"Users with `AUTO_UPGRADE=true` will receive it within "
+                                 f"{cfg.upgrade_check_hours}h.")
+                else:
+                    _slack_alert(cfg.slack_bot_token, cfg.slack_channel,
+                                 f":white_check_mark: Soak clean — but `npm publish` failed: "
+                                 f"```{pub.stderr[-300:]}```\nPublish manually or say *publish* to Boss.")
+            except Exception as e:
+                _slack_alert(cfg.slack_bot_token, cfg.slack_channel,
+                             f":white_check_mark: Soak clean — publish error: {e}. Publish manually.")
+        else:
+            _slack_alert(cfg.slack_bot_token, cfg.slack_channel,
+                         f":white_check_mark: *Patch soak clean* (`{patch_hash[:8]}`, {soak_mins} min). "
+                         f"npm package dir not found — publish manually.")
+    else:
+        _slack_alert(cfg.slack_bot_token, cfg.slack_channel,
+                     f":white_check_mark: *Patch soak clean* — `{patch_hash[:8]}` stable for {soak_mins} min. "
+                     f"Say *publish* when ready to release to all users.")
+
+    logger.info("Patch soak complete — hash=%s clean=True auto_publish=%s", patch_hash[:8], auto_publish)
+
+
 async def run_loop(cfg_loader: ConfigLoader, store: StateStore):
     interval = cfg_loader.sentinel.poll_interval_seconds
     logger.info("Sentinel starting — poll interval: %ds, repos: %s",
@@ -1249,6 +1587,12 @@ async def run_loop(cfg_loader: ConfigLoader, store: StateStore):
     else:
         logger.info("Startup checks passed — startup email in 5 minutes")
 
+    # Re-run Maven check on every config reload (SIGHUP or Boss reload_config)
+    def _maven_reload_cb(cl):
+        _check_maven_settings(cl, {})
+
+    cfg_loader.register_on_reload(_maven_reload_cb)
+
     asyncio.ensure_future(_send_startup_email_delayed(cfg_loader.sentinel, results))
     asyncio.ensure_future(_config_poll_loop(cfg_loader))
     if cfg_loader.sentinel.auto_upgrade:
@@ -1260,6 +1604,7 @@ async def run_loop(cfg_loader: ConfigLoader, store: StateStore):
         asyncio.ensure_future(run_slack_bot(cfg_loader, store))
     if cfg_loader.sentinel.sentinel_dev_repo_path:
         asyncio.ensure_future(_dev_poll_loop(cfg_loader, store))
+        asyncio.ensure_future(_patch_soak_monitor(cfg_loader))
     asyncio.ensure_future(_repo_task_poll_loop(cfg_loader, store))
 
     while True: