@misterhuydo/sentinel 1.6.2 → 1.6.4

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-04-24T10:50:33.264Z
+2026-04-24T12:01:49.183Z

package/.cairn/session.json

@@ -1,6 +1,6 @@
 {
-  "message": "Auto-checkpoint at 2026-04-24T11:12:56.361Z",
-  "checkpoint_at": "2026-04-24T11:12:56.362Z",
+  "message": "Auto-checkpoint at 2026-04-24T12:05:54.299Z",
+  "checkpoint_at": "2026-04-24T12:05:54.301Z",
   "active_files": [
     "J:\\Projects\\Sentinel\\cli\\bin\\sentinel.js",
     "J:\\Projects\\Sentinel\\cli\\lib\\test.js",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.6.2",
+  "version": "1.6.4",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/__init__.py

@@ -1 +1 @@
-__version__ = "1.6.2"
+__version__ = "1.6.4"

package/python/sentinel/fix_engine.py

@@ -220,10 +220,11 @@ def _build_prompt(
         "   BOSS_ESCALATE: <description of what needs to change in Sentinel>",
         "   This escalates to Patch, the Sentinel dev agent, who will implement it.",
         "",
-        "FINAL STEP — checkpoint cairn",
-        "10. Before you stop, call the `cairn_checkpoint` MCP tool with a one-line summary",
-        "    of what you changed (e.g. \"Broaden FirstName regex; bump consumer to 2.7.1\").",
-        "    This lets the next session resume with full context of prior fixes.",
+        "CRITICAL — your FINAL message must be the patch itself",
+        "    The unified diff (with the `# Affected repos:` header for multi-repo) MUST be",
+        "    the very last text you emit. Do NOT call any tool (including cairn_checkpoint)",
+        "    after the diff — Sentinel only reads the FINAL assistant message and a trailing",
+        "    tool call leaves the result field empty.",
     ]
     return "\n".join(lines_out)
 
@@ -262,6 +263,9 @@ def _is_auth_error(output: str) -> bool:
     return any(hint in low for hint in _AUTH_ERROR_HINTS)
 
 
+_CAIRN_ONLY_MCP_CONFIG = '{"mcpServers":{"cairn":{"command":"cairn-mcp"}}}'
+
+
 def _claude_cmd(
     bin_path: str,
     prompt: str,
@@ -278,6 +282,14 @@ def _claude_cmd(
     and MUST be False for the OAuth attempt (otherwise claude refuses to read
     the cached `claude login` token). The caller picks per attempt.
 
+    For the OAuth path (use_bare=False) we ALSO pass:
+      --setting-sources project,local   (skip user settings.json — bypasses the
+        cairn `minify` / `edit-guard` PreToolUse hooks that block Read/Edit
+        with `exit 2` and force Claude to fall back to hand-crafting diffs)
+      --mcp-config '{...cairn...}'      (re-add cairn MCP tools that we just
+        bypassed by skipping user settings — the prompt's cairn_checkpoint
+        instruction needs them)
+
     Output is forced to `--output-format json` so the caller can extract the
     session_id, cost, and result text deterministically.
     """
@@ -291,6 +303,10 @@ def _claude_cmd(
         cmd.append("--bare")
     if skip:
         cmd.append("--dangerously-skip-permissions")
+    if not use_bare:
+        # OAuth-mode isolation: skip user-scope cairn hooks, re-load cairn MCP.
+        cmd += ["--setting-sources", "project,local"]
+        cmd += ["--mcp-config", _CAIRN_ONLY_MCP_CONFIG]
     if session_id:
         cmd += ["--resume", session_id]
     cmd += ["--output-format", "json", "--print", prompt]

package/python/tests/test_fix_engine_cmd.py

@@ -51,3 +51,40 @@ def test_print_and_prompt_are_last():
     cmd = _claude_cmd("claude", "the actual prompt", use_bare=False)
     assert cmd[-2] == "--print"
     assert cmd[-1] == "the actual prompt"
+
+
+# ── OAuth-mode isolation (skip user settings, keep cairn MCP) ─────────────────
+
+def test_oauth_mode_skips_user_settings_to_avoid_cairn_hooks():
+    """Cairn PreToolUse hooks live in user settings.json and block Read/Edit
+    for OAuth mode. --setting-sources project,local bypasses them."""
+    cmd = _claude_cmd("claude", "x", use_bare=False)
+    assert "--setting-sources" in cmd
+    i = cmd.index("--setting-sources")
+    assert cmd[i + 1] == "project,local"
+
+
+def test_bare_mode_does_not_set_setting_sources():
+    """--bare already skips hooks; no need for --setting-sources, and avoiding
+    it keeps the cmd surface identical to legacy behaviour."""
+    cmd = _claude_cmd("claude", "x", use_bare=True)
+    assert "--setting-sources" not in cmd
+
+
+def test_oauth_mode_loads_cairn_mcp_via_inline_config():
+    """When user settings are skipped, cairn MCP tools must be re-enabled
+    explicitly via --mcp-config so the prompt's cairn_checkpoint instruction works."""
+    cmd = _claude_cmd("claude", "x", use_bare=False)
+    # Either --mcp-config <json> or --mcp-config=<json>
+    found = False
+    for i, tok in enumerate(cmd):
+        if tok == "--mcp-config" and i + 1 < len(cmd) and "cairn" in cmd[i + 1]:
+            found = True; break
+        if tok.startswith("--mcp-config=") and "cairn" in tok:
+            found = True; break
+    assert found, f"--mcp-config with cairn missing from cmd: {cmd}"
+
+
+def test_bare_mode_does_not_set_mcp_config():
+    cmd = _claude_cmd("claude", "x", use_bare=True)
+    assert not any(tok.startswith("--mcp-config") for tok in cmd)