@misterhuydo/sentinel 1.6.0 → 1.6.2

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-04-22T05:30:19.725Z
+2026-04-24T10:50:33.264Z

package/.cairn/session.json

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-04-22T05:33:19.801Z",
-  "checkpoint_at": "2026-04-22T05:33:19.802Z",
+  "message": "Auto-checkpoint at 2026-04-24T11:12:56.361Z",
+  "checkpoint_at": "2026-04-24T11:12:56.362Z",
   "active_files": [
     "J:\\Projects\\Sentinel\\cli\\bin\\sentinel.js",
     "J:\\Projects\\Sentinel\\cli\\lib\\test.js",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.6.0",
+  "version": "1.6.2",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/__init__.py

@@ -1 +1 @@
-__version__ = "1.6.0"
+__version__ = "1.6.2"

package/python/sentinel/fix_engine.py

@@ -177,6 +177,14 @@ def _build_prompt(
         "2. Use your available tools to explore the codebase and identify the root cause.",
         "   You can read across ALL listed repos — use that visibility to follow type",
         "   definitions, callers, or shared library code that may be involved.",
+        "",
+        "CRITICAL — fresh reads only",
+        "   Before you write ANY diff line, use the Read tool to view the CURRENT content",
+        "   of every file you intend to modify. Do NOT rely on prior memory of the file",
+        "   from earlier turns in this conversation: the working tree may have been",
+        "   updated by a previous Sentinel fix, a human commit, or a `git pull` that ran",
+        "   moments ago. A patch generated from stale memory will fail dry-run.",
+        "",
         f"3. {marker_instruction}",
         "4. Consider all possible fix approaches. For each, weigh:",
         "   - Confidence: is this definitely the root cause?",
@@ -254,12 +262,22 @@ def _is_auth_error(output: str) -> bool:
     return any(hint in low for hint in _AUTH_ERROR_HINTS)
 
 
-def _claude_cmd(bin_path: str, prompt: str, session_id: str = "") -> list[str]:
+def _claude_cmd(
+    bin_path: str,
+    prompt: str,
+    session_id: str = "",
+    use_bare: bool = True,
+) -> list[str]:
     """Build the `claude --print` command line.
 
     `session_id` (if non-empty) attaches `--resume <id>` so Claude continues an
     existing session — gives prompt-cache reuse and shared context across fixes.
 
+    `use_bare` controls the `--bare` flag, which forces `ANTHROPIC_API_KEY`-only
+    auth. It MUST be True for the API-key attempt (claude needs a key in env)
+    and MUST be False for the OAuth attempt (otherwise claude refuses to read
+    the cached `claude login` token). The caller picks per attempt.
+
     Output is forced to `--output-format json` so the caller can extract the
     session_id, cost, and result text deterministically.
     """
@@ -268,10 +286,9 @@ def _claude_cmd(bin_path: str, prompt: str, session_id: str = "") -> list[str]:
         skip = _os.getuid() != 0
     except AttributeError:
         skip = True  # Windows — always pass flag
-    # --bare: forces ANTHROPIC_API_KEY-only auth, skips keychain/OAuth/hooks.
-    # Required on headless servers (EC2) where Claude Code 2.x silently returns
-    # empty output when keychain auth fails.
-    cmd = [bin_path, "--bare"]
+    cmd = [bin_path]
+    if use_bare:
+        cmd.append("--bare")
     if skip:
         cmd.append("--dangerously-skip-permissions")
     if session_id:
@@ -346,6 +363,7 @@ def _run_claude_attempt(
     on_progress=None,
     cmd_override: list | None = None,
     session_id: str = "",
+    use_bare: bool | None = None,
 ) -> tuple[str, bool]:
     """
     Run claude CLI with the given env. Returns (output, timed_out).
@@ -354,11 +372,16 @@ def _run_claude_attempt(
     (deduped — same message not repeated consecutively).
     cmd_override: if provided, use this command list instead of _claude_cmd() default.
     session_id: if provided, passes --resume to Claude to continue an existing session.
+    use_bare: if None (default), auto-detect — True iff env carries ANTHROPIC_API_KEY.
+              Pass --bare ONLY for the API-key attempt; the OAuth attempt must
+              omit it so Claude reads the cached `claude login` token.
     """
     import threading as _threading
 
+    if use_bare is None:
+        use_bare = bool(env.get("ANTHROPIC_API_KEY"))
     proc = subprocess.Popen(
-        cmd_override if cmd_override is not None else _claude_cmd(bin_path, prompt, session_id),
+        cmd_override if cmd_override is not None else _claude_cmd(bin_path, prompt, session_id, use_bare=use_bare),
         stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
         text=True, env=env, cwd=cwd or None,
     )
@@ -477,11 +500,28 @@ def generate_fix(
         except Exception as _e:
             logger.debug("fix_engine: git log check failed: %s", _e)
 
-    # Pull saved session id (per project) so Claude continues an existing session.
+    # Pre-pull every project repo so Claude reads up-to-date content. This
+    # closes the window where a previous sentinel commit (or human commit)
+    # has landed on remote but the local working tree hasn't been refreshed.
+    if all_repos:
+        from .git_manager import pull_all_repos
+        pull_results = pull_all_repos(all_repos)
+        n_failed = sum(1 for ok in pull_results.values() if not ok)
+        if n_failed:
+            logger.warning(
+                "fix_engine: pre-fix pull failed for %d/%d repo(s): %s",
+                n_failed, len(pull_results),
+                [n for n, ok in pull_results.items() if not ok][:5],
+            )
+
+    # Pull saved session id — keyed per (project, target_repo) so a prior fix
+    # targeting repo A doesn't contaminate Claude's memory for a fix targeting
+    # repo B (their files differ; resumed memory leads to stale-context patches).
+    session_key = f"{getattr(cfg, 'project_name', '') or '_default'}/{repo.repo_name}"
     session_id = ""
-    if store is not None and getattr(cfg, "project_name", ""):
+    if store is not None:
         try:
-            saved = store.get_claude_session(cfg.project_name)
+            saved = store.get_claude_session(session_key)
             if saved:
                 session_id = saved.get("session_id", "") or ""
         except Exception as _se:
@@ -491,8 +531,8 @@ def generate_fix(
     claude_logs_dir = Path(cfg.workspace_dir).parent / "logs" / "claude"
     claude_log_path = claude_logs_dir / f"{event.fingerprint[:8]}-{ts}.log"
     logger.info(
-        "Invoking Claude Code for %s (fp=%s) — log: %s — resume=%s",
-        event.source, event.fingerprint, claude_log_path,
+        "Invoking Claude Code for %s (fp=%s, route=%s) — log: %s — resume=%s",
+        event.source, event.fingerprint, repo.repo_name, claude_log_path,
         session_id[:8] if session_id else "(new)",
     )
 
@@ -571,15 +611,16 @@ def generate_fix(
 
     # Persist the session id (and cost delta) regardless of fix outcome — even
     # NEEDS_HUMAN / SKIP turns count toward the conversation history.
-    if store is not None and getattr(cfg, "project_name", "") and parsed["session_id"]:
+    # Same composite key as the read above so per-route memory stays separated.
+    if store is not None and parsed["session_id"]:
         try:
             store.set_claude_session(
-                cfg.project_name, parsed["session_id"],
+                session_key, parsed["session_id"],
                 cost_delta=parsed["total_cost_usd"],
             )
             logger.info(
-                "fix_engine: saved claude session %s for project %s (turn cost $%.4f)",
-                parsed["session_id"][:8], cfg.project_name, parsed["total_cost_usd"],
+                "fix_engine: saved claude session %s for %s (turn cost $%.4f)",
+                parsed["session_id"][:8], session_key, parsed["total_cost_usd"],
             )
         except Exception as _se:
             logger.warning("fix_engine: set_claude_session failed: %s", _se)

package/python/sentinel/git_manager.py

@@ -192,6 +192,38 @@ def maven_compile_check(local_path: str, timeout: int = 300) -> tuple[bool, str]
     return r.returncode == 0, output
 
 
+def pull_all_repos(repos: list[RepoConfig]) -> dict[str, bool]:
+    """Discard local edits and `git pull --rebase` every repo in the list.
+
+    Used right before invoking Claude so it reads up-to-date file content. A
+    failure for any single repo is logged as a warning but never raised — the
+    return dict tells callers which repos pulled cleanly so they can decide
+    what to do (e.g. fix engine continues anyway; the target-repo dry-run in
+    apply_and_commit_multi will catch a stale-on-disk patch later).
+    """
+    results: dict[str, bool] = {}
+    for repo in repos:
+        if not repo.local_path:
+            results[repo.repo_name] = False
+            continue
+        env = _git_env(repo)
+        try:
+            _git(["checkout", "."], cwd=repo.local_path, env=env)
+            r = _git(["pull", "--rebase", "origin", repo.branch],
+                     cwd=repo.local_path, env=env)
+            ok = (r.returncode == 0)
+            results[repo.repo_name] = ok
+            if not ok:
+                logger.warning(
+                    "pull_all_repos: %s pull failed: %s",
+                    repo.repo_name, r.stderr.strip()[:200],
+                )
+        except Exception as e:
+            logger.warning("pull_all_repos: %s exception: %s", repo.repo_name, e)
+            results[repo.repo_name] = False
+    return results
+
+
 def _check_protected_paths(patch_path: Path) -> bool:
     text = patch_path.read_text(encoding="utf-8", errors="replace")
     for line in text.splitlines():

package/python/sentinel/main.py

@@ -628,12 +628,15 @@ async def _handle_issue(event: IssueEvent, cfg_loader: ConfigLoader, store: Stat
     try:
         patches_dir = Path(sentinel.workspace_dir).resolve() / "patches"
         _loop = asyncio.get_event_loop()
+        all_repos = list(cfg_loader.repos.values())
 
         # Run blocking subprocess work in thread executor so Boss stays responsive.
         # _progress is thread-safe (HTTP POST) so pass it as streaming callback.
         _progress(":brain: Analyzing with Claude Code...")
         status, patch_path, marker = await _loop.run_in_executor(
-            None, generate_fix, event, repo, sentinel, patches_dir, store, _progress
+            None,
+            lambda: generate_fix(event, repo, sentinel, patches_dir, store,
+                                 _progress, all_repos),
         )
 
         submitter_uid = getattr(event, "submitter_user_id", "")
@@ -652,6 +655,133 @@ async def _handle_issue(event: IssueEvent, cfg_loader: ConfigLoader, store: Stat
             return {"submitter": submitter_uid, "repo_name": repo.repo_name,
                     "status": "blocked", "summary": reason_text[:120], "pr_url": ""}
 
+        # ── Try multi-repo apply first; fall back to single-repo on legacy patches ──
+        _progress(f":mag: Patch generated — applying & testing...")
+        multi_results = await _loop.run_in_executor(
+            None, apply_and_commit_multi, event, patch_path, all_repos, sentinel,
+        )
+
+        if multi_results:
+            multi_results = await _loop.run_in_executor(
+                None, publish_multi, event, multi_results, sentinel,
+            )
+
+            committed = [r for r in multi_results if r["status"] == "committed"]
+            failed    = [r for r in multi_results if r["status"] != "committed"]
+
+            for r in multi_results:
+                pr_state = "open" if r.get("pr_url") else (
+                    "merged" if r["status"] == "committed" and auto_commit else ""
+                )
+                try:
+                    store.record_fix_repo(
+                        event.fingerprint, r["repo_name"],
+                        branch=r.get("branch", ""), commit_hash=r.get("commit_hash", ""),
+                        pr_url=r.get("pr_url", ""),
+                        pr_state=pr_state if r["status"] == "committed" else r["status"],
+                        apply_order=r.get("apply_order", 0),
+                    )
+                except Exception as _se:
+                    logger.warning("record_fix_repo failed for %s: %s", r["repo_name"], _se)
+
+            primary = next((r for r in multi_results if r["repo_name"] == repo.repo_name), None)
+            if primary and primary["status"] == "committed":
+                store.record_fix(
+                    event.fingerprint,
+                    "applied" if auto_commit else "pending",
+                    patch_path=str(patch_path),
+                    commit_hash=primary["commit_hash"],
+                    branch=primary.get("branch", ""),
+                    pr_url=primary.get("pr_url", ""),
+                    repo_name=repo.repo_name,
+                    sentinel_marker=marker,
+                )
+            else:
+                store.record_fix(event.fingerprint, "failed", repo_name=repo.repo_name)
+
+            if not committed:
+                reasons = "; ".join(f"{r['repo_name']}: {r['reason']}" for r in failed)
+                _progress(f":x: Multi-repo fix aborted — {reasons[:300]}")
+                notify_fix_blocked(sentinel, event.source, event.message,
+                                   reason=f"Multi-repo apply failed: {reasons[:400]}",
+                                   repo_name=repo.repo_name,
+                                   submitter_user_id=submitter_uid,
+                                   body=getattr(event, "body", ""))
+                mark_done(event.issue_file)
+                return {"submitter": submitter_uid, "repo_name": repo.repo_name,
+                        "status": "blocked", "summary": "Multi-repo apply failed", "pr_url": ""}
+
+            if failed:
+                _progress(
+                    f":warning: Multi-repo fix PARTIAL — committed in "
+                    f"{', '.join(r['repo_name'] for r in committed)}; "
+                    f"failed in {', '.join(r['repo_name'] for r in failed)}"
+                )
+
+            pr_lines = []
+            for r in committed:
+                if r.get("pr_url"):
+                    pr_lines.append(f"  • `{r['repo_name']}` → {r['pr_url']}")
+                else:
+                    pr_lines.append(
+                        f"  • `{r['repo_name']}` → pushed to `{r.get('branch','main')}` "
+                        f"(`{r.get('commit_hash','')[:8]}`)"
+                    )
+            if pr_lines:
+                _progress(":white_check_mark: Fix complete:\n" + "\n".join(pr_lines))
+
+            if auto_commit and not auto_release:
+                for r in committed:
+                    if r.get("commit_hash") and r.get("branch"):
+                        store.add_pending_release(
+                            r["repo_name"], r["commit_hash"], r["branch"],
+                            description=event.message[:120],
+                            fingerprint=event.fingerprint,
+                        )
+
+            if primary and primary["status"] == "committed":
+                send_fix_notification(sentinel, {
+                    "source":       event.source,
+                    "severity":     "ERROR",
+                    "fingerprint":  event.fingerprint,
+                    "first_seen":   event.timestamp,
+                    "message":      event.message,
+                    "stack_trace":  event.body,
+                    "repo_name":    repo.repo_name,
+                    "commit_hash":  primary.get("commit_hash", ""),
+                    "branch":       primary.get("branch", ""),
+                    "pr_url":       primary.get("pr_url", ""),
+                    "auto_commit":  auto_commit,
+                    "files_changed": [],
+                })
+                notify_fix_applied(
+                    sentinel, event.source, event.message,
+                    repo_name=repo.repo_name,
+                    branch=primary.get("branch", ""),
+                    pr_url=primary.get("pr_url", ""),
+                    submitter_user_id=submitter_uid,
+                    origin_channel=_origin_channel,
+                )
+
+            mark_done(event.issue_file)
+
+            if auto_commit and auto_release and primary and primary["status"] == "committed":
+                ok = cicd_trigger(repo, store, event.fingerprint)
+                if ok:
+                    _progress(f":rocket: Release triggered via {repo.cicd_type}")
+                if ok and repo.cicd_type.lower() in ("jenkins_release", "jenkins-release"):
+                    _run_cascade(repo, sentinel, cfg_loader)
+
+            return {"submitter": submitter_uid, "repo_name": repo.repo_name,
+                    "status": "done" if not failed else "partial",
+                    "summary": event.message[:120],
+                    "pr_url": primary.get("pr_url", "") if primary else ""}
+
+        # Legacy single-repo patch (no `repos/<name>/` prefix) — existing flow below.
+        logger.info(
+            "_handle_issue: patch %s has no repos/<name>/ prefix — falling back to single-repo apply",
+            event.fingerprint[:8],
+        )
         _progress(f":mag: Patch generated — running tests (`{repo.repo_name}`)...")
         commit_status, commit_hash = await _loop.run_in_executor(
             None, apply_and_commit, event, patch_path, repo, sentinel

package/python/tests/test_fix_engine_cmd.py

@@ -0,0 +1,53 @@
+"""
+test_fix_engine_cmd.py — Tests for _claude_cmd flag composition.
+
+The OAuth path silently fast-failed in production until 1.6.1 because
+_claude_cmd unconditionally passed --bare, which forces API-key-only auth
+and rejects the OAuth attempt's keyless env. These tests pin the new
+behaviour: --bare only when the API key is actually in the env.
+"""
+from sentinel.fix_engine import _claude_cmd
+
+
+def test_default_includes_bare_for_backcompat():
+    """Existing callers without an explicit flag still get --bare."""
+    cmd = _claude_cmd("claude", "hi")
+    assert "--bare" in cmd
+
+
+def test_use_bare_false_drops_bare():
+    cmd = _claude_cmd("claude", "hi", use_bare=False)
+    assert "--bare" not in cmd
+
+
+def test_use_bare_true_keeps_bare():
+    cmd = _claude_cmd("claude", "hi", use_bare=True)
+    assert "--bare" in cmd
+
+
+def test_session_id_adds_resume():
+    cmd = _claude_cmd("claude", "hi", session_id="abc-123")
+    assert "--resume" in cmd
+    i = cmd.index("--resume")
+    assert cmd[i + 1] == "abc-123"
+
+
+def test_no_session_id_skips_resume():
+    cmd = _claude_cmd("claude", "hi", session_id="")
+    assert "--resume" not in cmd
+
+
+def test_output_format_json_always_present():
+    cmd_a = _claude_cmd("claude", "hi", use_bare=True)
+    cmd_b = _claude_cmd("claude", "hi", use_bare=False)
+    for cmd in (cmd_a, cmd_b):
+        assert "--output-format" in cmd
+        i = cmd.index("--output-format")
+        assert cmd[i + 1] == "json"
+
+
+def test_print_and_prompt_are_last():
+    """`--print <prompt>` must come last so all flags are interpreted."""
+    cmd = _claude_cmd("claude", "the actual prompt", use_bare=False)
+    assert cmd[-2] == "--print"
+    assert cmd[-1] == "the actual prompt"

package/python/tests/test_pull_all_repos.py

@@ -0,0 +1,94 @@
+"""
+test_pull_all_repos.py — Tests for the pre-fix git pull helper.
+
+pull_all_repos() runs `git checkout . && git pull --rebase` on every project repo
+so Claude reads up-to-date content. Per-repo failures are non-fatal — they get
+logged as warnings and recorded in the result dict, not raised.
+"""
+from pathlib import Path
+from unittest.mock import patch
+from types import SimpleNamespace
+
+from sentinel import git_manager
+from sentinel.config_loader import RepoConfig
+
+
+def _ok():
+    return SimpleNamespace(returncode=0, stdout="", stderr="")
+
+
+def _fail(msg="pull rejected"):
+    return SimpleNamespace(returncode=1, stdout="", stderr=msg)
+
+
+def _mk_repo(tmp_path: Path, name: str) -> RepoConfig:
+    p = tmp_path / "repos" / name
+    p.mkdir(parents=True, exist_ok=True)
+    return RepoConfig(repo_name=name, local_path=str(p), branch="main")
+
+
+def test_empty_repo_list_returns_empty(tmp_path):
+    assert git_manager.pull_all_repos([]) == {}
+
+
+def test_single_successful_repo(tmp_path):
+    repo = _mk_repo(tmp_path, "r1")
+    with patch.object(git_manager, "_git", return_value=_ok()):
+        result = git_manager.pull_all_repos([repo])
+    assert result == {"r1": True}
+
+
+def test_single_failing_repo_recorded_not_raised(tmp_path):
+    repo = _mk_repo(tmp_path, "r1")
+    with patch.object(git_manager, "_git", return_value=_fail()):
+        result = git_manager.pull_all_repos([repo])
+    assert result == {"r1": False}
+
+
+def test_mixed_results_per_repo(tmp_path):
+    a = _mk_repo(tmp_path, "ok-repo")
+    b = _mk_repo(tmp_path, "bad-repo")
+    c = _mk_repo(tmp_path, "ok-repo-2")
+
+    # Each repo gets two _git calls (checkout + pull). We make 'bad-repo' fail on pull.
+    call_log = []
+    def fake_git(args, cwd, env=None, timeout=git_manager.GIT_TIMEOUT):
+        call_log.append((args[0], cwd))
+        if "bad-repo" in cwd and args[0] == "pull":
+            return _fail("conflict")
+        return _ok()
+
+    with patch.object(git_manager, "_git", side_effect=fake_git):
+        result = git_manager.pull_all_repos([a, b, c])
+
+    assert result == {"ok-repo": True, "bad-repo": False, "ok-repo-2": True}
+
+
+def test_repo_with_empty_local_path_is_skipped(tmp_path):
+    repo = RepoConfig(repo_name="ghost", local_path="", branch="main")
+    with patch.object(git_manager, "_git") as g:
+        result = git_manager.pull_all_repos([repo])
+    assert result == {"ghost": False}
+    g.assert_not_called()
+
+
+def test_subprocess_exception_caught_and_recorded(tmp_path):
+    repo = _mk_repo(tmp_path, "r1")
+    with patch.object(git_manager, "_git",
+                      side_effect=RuntimeError("git binary missing")):
+        result = git_manager.pull_all_repos([repo])
+    assert result == {"r1": False}
+
+
+def test_calls_checkout_then_pull_per_repo(tmp_path):
+    """Order matters: checkout (discard local edits) before pull."""
+    repo = _mk_repo(tmp_path, "r1")
+    seq = []
+    def fake_git(args, cwd, env=None, timeout=git_manager.GIT_TIMEOUT):
+        seq.append(args[0])
+        return _ok()
+    with patch.object(git_manager, "_git", side_effect=fake_git):
+        git_manager.pull_all_repos([repo])
+    assert seq[0] == "checkout"
+    assert "pull" in seq
+    assert seq.index("checkout") < seq.index("pull")