@misterhuydo/sentinel 1.6.1 → 1.6.3

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-04-24T10:50:33.264Z
+2026-04-24T11:26:01.385Z

package/.cairn/session.json

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-04-24T10:58:52.087Z",
-  "checkpoint_at": "2026-04-24T10:58:52.089Z",
+  "message": "Auto-checkpoint at 2026-04-24T11:34:54.330Z",
+  "checkpoint_at": "2026-04-24T11:34:54.331Z",
   "active_files": [
     "J:\\Projects\\Sentinel\\cli\\bin\\sentinel.js",
     "J:\\Projects\\Sentinel\\cli\\lib\\test.js",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.6.1",
+  "version": "1.6.3",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/__init__.py

@@ -1 +1 @@
-__version__ = "1.6.1"
+__version__ = "1.6.3"

package/python/sentinel/fix_engine.py

@@ -177,6 +177,14 @@ def _build_prompt(
         "2. Use your available tools to explore the codebase and identify the root cause.",
         "   You can read across ALL listed repos — use that visibility to follow type",
         "   definitions, callers, or shared library code that may be involved.",
+        "",
+        "CRITICAL — fresh reads only",
+        "   Before you write ANY diff line, use the Read tool to view the CURRENT content",
+        "   of every file you intend to modify. Do NOT rely on prior memory of the file",
+        "   from earlier turns in this conversation: the working tree may have been",
+        "   updated by a previous Sentinel fix, a human commit, or a `git pull` that ran",
+        "   moments ago. A patch generated from stale memory will fail dry-run.",
+        "",
         f"3. {marker_instruction}",
         "4. Consider all possible fix approaches. For each, weigh:",
         "   - Confidence: is this definitely the root cause?",
@@ -254,6 +262,9 @@ def _is_auth_error(output: str) -> bool:
     return any(hint in low for hint in _AUTH_ERROR_HINTS)
 
 
+_CAIRN_ONLY_MCP_CONFIG = '{"mcpServers":{"cairn":{"command":"cairn-mcp"}}}'
+
+
 def _claude_cmd(
     bin_path: str,
     prompt: str,
@@ -270,6 +281,14 @@ def _claude_cmd(
     and MUST be False for the OAuth attempt (otherwise claude refuses to read
     the cached `claude login` token). The caller picks per attempt.
 
+    For the OAuth path (use_bare=False) we ALSO pass:
+      --setting-sources project,local   (skip user settings.json — bypasses the
+        cairn `minify` / `edit-guard` PreToolUse hooks that block Read/Edit
+        with `exit 2` and force Claude to fall back to hand-crafting diffs)
+      --mcp-config '{...cairn...}'      (re-add cairn MCP tools that we just
+        bypassed by skipping user settings — the prompt's cairn_checkpoint
+        instruction needs them)
+
     Output is forced to `--output-format json` so the caller can extract the
     session_id, cost, and result text deterministically.
     """
@@ -283,6 +302,10 @@ def _claude_cmd(
         cmd.append("--bare")
     if skip:
         cmd.append("--dangerously-skip-permissions")
+    if not use_bare:
+        # OAuth-mode isolation: skip user-scope cairn hooks, re-load cairn MCP.
+        cmd += ["--setting-sources", "project,local"]
+        cmd += ["--mcp-config", _CAIRN_ONLY_MCP_CONFIG]
     if session_id:
         cmd += ["--resume", session_id]
     cmd += ["--output-format", "json", "--print", prompt]
@@ -492,11 +515,28 @@ def generate_fix(
         except Exception as _e:
             logger.debug("fix_engine: git log check failed: %s", _e)
 
-    # Pull saved session id (per project) so Claude continues an existing session.
+    # Pre-pull every project repo so Claude reads up-to-date content. This
+    # closes the window where a previous sentinel commit (or human commit)
+    # has landed on remote but the local working tree hasn't been refreshed.
+    if all_repos:
+        from .git_manager import pull_all_repos
+        pull_results = pull_all_repos(all_repos)
+        n_failed = sum(1 for ok in pull_results.values() if not ok)
+        if n_failed:
+            logger.warning(
+                "fix_engine: pre-fix pull failed for %d/%d repo(s): %s",
+                n_failed, len(pull_results),
+                [n for n, ok in pull_results.items() if not ok][:5],
+            )
+
+    # Pull saved session id — keyed per (project, target_repo) so a prior fix
+    # targeting repo A doesn't contaminate Claude's memory for a fix targeting
+    # repo B (their files differ; resumed memory leads to stale-context patches).
+    session_key = f"{getattr(cfg, 'project_name', '') or '_default'}/{repo.repo_name}"
     session_id = ""
-    if store is not None and getattr(cfg, "project_name", ""):
+    if store is not None:
         try:
-            saved = store.get_claude_session(cfg.project_name)
+            saved = store.get_claude_session(session_key)
             if saved:
                 session_id = saved.get("session_id", "") or ""
         except Exception as _se:
@@ -506,8 +546,8 @@ def generate_fix(
     claude_logs_dir = Path(cfg.workspace_dir).parent / "logs" / "claude"
     claude_log_path = claude_logs_dir / f"{event.fingerprint[:8]}-{ts}.log"
     logger.info(
-        "Invoking Claude Code for %s (fp=%s) — log: %s — resume=%s",
-        event.source, event.fingerprint, claude_log_path,
+        "Invoking Claude Code for %s (fp=%s, route=%s) — log: %s — resume=%s",
+        event.source, event.fingerprint, repo.repo_name, claude_log_path,
         session_id[:8] if session_id else "(new)",
     )
 
@@ -586,15 +626,16 @@ def generate_fix(
 
     # Persist the session id (and cost delta) regardless of fix outcome — even
     # NEEDS_HUMAN / SKIP turns count toward the conversation history.
-    if store is not None and getattr(cfg, "project_name", "") and parsed["session_id"]:
+    # Same composite key as the read above so per-route memory stays separated.
+    if store is not None and parsed["session_id"]:
         try:
             store.set_claude_session(
-                cfg.project_name, parsed["session_id"],
+                session_key, parsed["session_id"],
                 cost_delta=parsed["total_cost_usd"],
             )
             logger.info(
-                "fix_engine: saved claude session %s for project %s (turn cost $%.4f)",
-                parsed["session_id"][:8], cfg.project_name, parsed["total_cost_usd"],
+                "fix_engine: saved claude session %s for %s (turn cost $%.4f)",
+                parsed["session_id"][:8], session_key, parsed["total_cost_usd"],
             )
         except Exception as _se:
             logger.warning("fix_engine: set_claude_session failed: %s", _se)

package/python/sentinel/git_manager.py

@@ -192,6 +192,38 @@ def maven_compile_check(local_path: str, timeout: int = 300) -> tuple[bool, str]
     return r.returncode == 0, output
 
 
+def pull_all_repos(repos: list[RepoConfig]) -> dict[str, bool]:
+    """Discard local edits and `git pull --rebase` every repo in the list.
+
+    Used right before invoking Claude so it reads up-to-date file content. A
+    failure for any single repo is logged as a warning but never raised — the
+    return dict tells callers which repos pulled cleanly so they can decide
+    what to do (e.g. fix engine continues anyway; the target-repo dry-run in
+    apply_and_commit_multi will catch a stale-on-disk patch later).
+    """
+    results: dict[str, bool] = {}
+    for repo in repos:
+        if not repo.local_path:
+            results[repo.repo_name] = False
+            continue
+        env = _git_env(repo)
+        try:
+            _git(["checkout", "."], cwd=repo.local_path, env=env)
+            r = _git(["pull", "--rebase", "origin", repo.branch],
+                     cwd=repo.local_path, env=env)
+            ok = (r.returncode == 0)
+            results[repo.repo_name] = ok
+            if not ok:
+                logger.warning(
+                    "pull_all_repos: %s pull failed: %s",
+                    repo.repo_name, r.stderr.strip()[:200],
+                )
+        except Exception as e:
+            logger.warning("pull_all_repos: %s exception: %s", repo.repo_name, e)
+            results[repo.repo_name] = False
+    return results
+
+
 def _check_protected_paths(patch_path: Path) -> bool:
     text = patch_path.read_text(encoding="utf-8", errors="replace")
     for line in text.splitlines():

package/python/tests/test_fix_engine_cmd.py

@@ -51,3 +51,40 @@ def test_print_and_prompt_are_last():
     cmd = _claude_cmd("claude", "the actual prompt", use_bare=False)
     assert cmd[-2] == "--print"
     assert cmd[-1] == "the actual prompt"
+
+
+# ── OAuth-mode isolation (skip user settings, keep cairn MCP) ─────────────────
+
+def test_oauth_mode_skips_user_settings_to_avoid_cairn_hooks():
+    """Cairn PreToolUse hooks live in user settings.json and block Read/Edit
+    for OAuth mode. --setting-sources project,local bypasses them."""
+    cmd = _claude_cmd("claude", "x", use_bare=False)
+    assert "--setting-sources" in cmd
+    i = cmd.index("--setting-sources")
+    assert cmd[i + 1] == "project,local"
+
+
+def test_bare_mode_does_not_set_setting_sources():
+    """--bare already skips hooks; no need for --setting-sources, and avoiding
+    it keeps the cmd surface identical to legacy behaviour."""
+    cmd = _claude_cmd("claude", "x", use_bare=True)
+    assert "--setting-sources" not in cmd
+
+
+def test_oauth_mode_loads_cairn_mcp_via_inline_config():
+    """When user settings are skipped, cairn MCP tools must be re-enabled
+    explicitly via --mcp-config so the prompt's cairn_checkpoint instruction works."""
+    cmd = _claude_cmd("claude", "x", use_bare=False)
+    # Either --mcp-config <json> or --mcp-config=<json>
+    found = False
+    for i, tok in enumerate(cmd):
+        if tok == "--mcp-config" and i + 1 < len(cmd) and "cairn" in cmd[i + 1]:
+            found = True; break
+        if tok.startswith("--mcp-config=") and "cairn" in tok:
+            found = True; break
+    assert found, f"--mcp-config with cairn missing from cmd: {cmd}"
+
+
+def test_bare_mode_does_not_set_mcp_config():
+    cmd = _claude_cmd("claude", "x", use_bare=True)
+    assert not any(tok.startswith("--mcp-config") for tok in cmd)

package/python/tests/test_pull_all_repos.py

@@ -0,0 +1,94 @@
+"""
+test_pull_all_repos.py — Tests for the pre-fix git pull helper.
+
+pull_all_repos() runs `git checkout . && git pull --rebase` on every project repo
+so Claude reads up-to-date content. Per-repo failures are non-fatal — they get
+logged as warnings and recorded in the result dict, not raised.
+"""
+from pathlib import Path
+from unittest.mock import patch
+from types import SimpleNamespace
+
+from sentinel import git_manager
+from sentinel.config_loader import RepoConfig
+
+
+def _ok():
+    return SimpleNamespace(returncode=0, stdout="", stderr="")
+
+
+def _fail(msg="pull rejected"):
+    return SimpleNamespace(returncode=1, stdout="", stderr=msg)
+
+
+def _mk_repo(tmp_path: Path, name: str) -> RepoConfig:
+    p = tmp_path / "repos" / name
+    p.mkdir(parents=True, exist_ok=True)
+    return RepoConfig(repo_name=name, local_path=str(p), branch="main")
+
+
+def test_empty_repo_list_returns_empty(tmp_path):
+    assert git_manager.pull_all_repos([]) == {}
+
+
+def test_single_successful_repo(tmp_path):
+    repo = _mk_repo(tmp_path, "r1")
+    with patch.object(git_manager, "_git", return_value=_ok()):
+        result = git_manager.pull_all_repos([repo])
+    assert result == {"r1": True}
+
+
+def test_single_failing_repo_recorded_not_raised(tmp_path):
+    repo = _mk_repo(tmp_path, "r1")
+    with patch.object(git_manager, "_git", return_value=_fail()):
+        result = git_manager.pull_all_repos([repo])
+    assert result == {"r1": False}
+
+
+def test_mixed_results_per_repo(tmp_path):
+    a = _mk_repo(tmp_path, "ok-repo")
+    b = _mk_repo(tmp_path, "bad-repo")
+    c = _mk_repo(tmp_path, "ok-repo-2")
+
+    # Each repo gets two _git calls (checkout + pull). We make 'bad-repo' fail on pull.
+    call_log = []
+    def fake_git(args, cwd, env=None, timeout=git_manager.GIT_TIMEOUT):
+        call_log.append((args[0], cwd))
+        if "bad-repo" in cwd and args[0] == "pull":
+            return _fail("conflict")
+        return _ok()
+
+    with patch.object(git_manager, "_git", side_effect=fake_git):
+        result = git_manager.pull_all_repos([a, b, c])
+
+    assert result == {"ok-repo": True, "bad-repo": False, "ok-repo-2": True}
+
+
+def test_repo_with_empty_local_path_is_skipped(tmp_path):
+    repo = RepoConfig(repo_name="ghost", local_path="", branch="main")
+    with patch.object(git_manager, "_git") as g:
+        result = git_manager.pull_all_repos([repo])
+    assert result == {"ghost": False}
+    g.assert_not_called()
+
+
+def test_subprocess_exception_caught_and_recorded(tmp_path):
+    repo = _mk_repo(tmp_path, "r1")
+    with patch.object(git_manager, "_git",
+                      side_effect=RuntimeError("git binary missing")):
+        result = git_manager.pull_all_repos([repo])
+    assert result == {"r1": False}
+
+
+def test_calls_checkout_then_pull_per_repo(tmp_path):
+    """Order matters: checkout (discard local edits) before pull."""
+    repo = _mk_repo(tmp_path, "r1")
+    seq = []
+    def fake_git(args, cwd, env=None, timeout=git_manager.GIT_TIMEOUT):
+        seq.append(args[0])
+        return _ok()
+    with patch.object(git_manager, "_git", side_effect=fake_git):
+        git_manager.pull_all_repos([repo])
+    assert seq[0] == "checkout"
+    assert "pull" in seq
+    assert seq.index("checkout") < seq.index("pull")