@misterhuydo/sentinel 1.6.8 → 1.6.10

package/.cairn/.hint-lock

@@ -1 +1 @@
-2026-04-24T14:02:31.712Z
+2026-04-25T09:41:31.525Z

package/.cairn/minify-map.json

@@ -10,11 +10,5 @@
     "state": "edit-ready",
     "minifiedAt": 1774252437350.0059,
     "readCount": 1
-  },
-  "J:\\Projects\\Sentinel\\cli\\python\\sentinel\\cicd_trigger.py": {
-    "tempPath": "J:\\Projects\\Sentinel\\cli\\.cairn\\views\\7802b9_cicd_trigger.py",
-    "state": "compressed",
-    "minifiedAt": 1774523631399.9514,
-    "readCount": 1
   }
 }

package/.cairn/session.json

@@ -1,10 +1,9 @@
 {
-  "message": "Auto-checkpoint at 2026-04-24T13:58:01.367Z",
-  "checkpoint_at": "2026-04-24T13:58:01.369Z",
+  "message": "Auto-checkpoint at 2026-04-25T09:42:20.720Z",
+  "checkpoint_at": "2026-04-25T09:42:20.724Z",
   "active_files": [
     "J:\\Projects\\Sentinel\\cli\\bin\\sentinel.js",
-    "J:\\Projects\\Sentinel\\cli\\lib\\test.js",
-    "J:\\Projects\\Sentinel\\cli\\python\\sentinel\\cicd_trigger.py"
+    "J:\\Projects\\Sentinel\\cli\\lib\\test.js"
   ],
   "notes": [
     {
@@ -186,7 +185,6 @@
   ],
   "mtime_snapshot": {
     "J:\\Projects\\Sentinel\\cli\\bin\\sentinel.js": 1774252515044.4768,
-    "J:\\Projects\\Sentinel\\cli\\lib\\test.js": 1774252437350.0059,
-    "J:\\Projects\\Sentinel\\cli\\python\\sentinel\\cicd_trigger.py": 1774523631399.9514
+    "J:\\Projects\\Sentinel\\cli\\lib\\test.js": 1774252437350.0059
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@misterhuydo/sentinel",
-  "version": "1.6.8",
+  "version": "1.6.10",
   "description": "Sentinel — Autonomous DevOps Agent installer and manager",
   "bin": {
     "sentinel": "./bin/sentinel.js"

package/python/sentinel/__init__.py

@@ -1 +1 @@
-__version__ = "1.6.8"
+__version__ = "1.6.10"

package/python/sentinel/fix_engine.py

@@ -582,6 +582,12 @@ def generate_fix(
             if timed_out:
                 logger.error("Claude Code timed out for %s", event.fingerprint)
                 return "error", None, ""
+            # Envelope check first: a successful JSON result means the attempt
+            # authenticated cleanly, even if the diff body contains substrings
+            # like "HttpStatus.UNAUTHORIZED" that would fool the substring scan.
+            parsed_attempt = _parse_claude_json(raw_output)
+            if not parsed_attempt["is_error"] and parsed_attempt["result"]:
+                break
             if not _is_auth_error(raw_output):
                 break
             logger.warning("fix_engine: %s auth error for %s — trying next method", label, event.fingerprint)
@@ -605,15 +611,18 @@ def generate_fix(
         slack_alert(cfg.slack_bot_token, cfg.slack_channel, msg)
         return "error", None, ""
 
+    # Parse the JSON envelope: get session_id, cost, and the actual result text.
+    parsed = _parse_claude_json(raw_output)
+
+    # Pass empty when not is_error — the auth-signal regex would otherwise
+    # match trigger words ("authentication", "login", "billing", ...) inside
+    # successful diff content.
     alert_if_rate_limited(
         cfg.slack_bot_token,
         cfg.slack_channel,
         source=f"fix_engine/{event.fingerprint}",
-        output=raw_output,
+        output=raw_output if parsed["is_error"] else "",
     )
-
-    # Parse the JSON envelope: get session_id, cost, and the actual result text.
-    parsed = _parse_claude_json(raw_output)
     if parsed["is_error"] and not parsed["result"]:
         # Fall back to legacy text parsing if JSON decode failed completely.
         # (Older Claude CLI versions may not emit JSON; --output-format flag is ignored.)

package/python/sentinel/git_manager.py

@@ -479,7 +479,7 @@ def _run_tests(repo: RepoConfig, local_path: str) -> bool:
 
     logger.info("Running tests for %s: %s", repo.repo_name, " ".join(cmd))
     try:
-        r = subprocess.run(cmd, cwd=local_path, capture_output=True, text=True, timeout=300)
+        r = subprocess.run(cmd, cwd=local_path, capture_output=True, text=True, timeout=900)
     except FileNotFoundError:
         raise MissingToolError(cmd[0])
     if r.returncode != 0:

package/python/sentinel/main.py

@@ -606,6 +606,15 @@ async def _handle_issue(event: IssueEvent, cfg_loader: ConfigLoader, store: Stat
             mark_done(event.issue_file)  # archive so it doesn't re-prompt every poll
             return
 
+    # Per-project lock — serialise issue processing within a project so two
+    # concurrent claude sessions never race on the working tree of any repo.
+    async with _project_lock(sentinel.project_name or "_default"):
+        return await _handle_issue_locked(event, repo, cfg_loader, store)
+
+
+async def _handle_issue_locked(event, repo, cfg_loader, store):
+    """Heavy work portion of _handle_issue — serialised per project via _project_lock."""
+    sentinel = cfg_loader.sentinel
     auto_commit  = resolve_auto_commit(repo, sentinel)
     auto_release = resolve_auto_release(repo, sentinel)
 

package/python/tests/test_fix_engine_json.py

@@ -1,95 +1,126 @@
-"""
-test_fix_engine_json.py — Unit tests for _parse_claude_json().
-
-Parses the single-object JSON emitted by `claude --print --output-format json`.
-Critical: must extract session_id (for resume), cost (for budget tracking),
-and the result text (which contains the patch).
-"""
-import json
-import pytest
-
-from sentinel.fix_engine import _parse_claude_json
-
-
-def _wrap(result_text: str, session_id: str = "abc-123",
-          cost: float = 0.05, is_error: bool = False) -> str:
-    return json.dumps({
-        "type": "result",
-        "subtype": "success" if not is_error else "error",
-        "is_error": is_error,
-        "result": result_text,
-        "session_id": session_id,
-        "total_cost_usd": cost,
-        "duration_ms": 1234,
-        "stop_reason": "end_turn",
-    })
-
-
-# ── happy path ────────────────────────────────────────────────────────────────
-
-def test_extracts_result_session_cost():
-    raw = _wrap("Here is the patch:\n```diff\n...```", "sess-1", 0.07)
-    parsed = _parse_claude_json(raw)
-    assert parsed["session_id"] == "sess-1"
-    assert parsed["total_cost_usd"] == pytest.approx(0.07)
-    assert "patch" in parsed["result"]
-    assert parsed["is_error"] is False
-
-
-def test_handles_zero_cost():
-    raw = _wrap("ok", "sess", 0.0)
-    parsed = _parse_claude_json(raw)
-    assert parsed["total_cost_usd"] == 0.0
-
-
-def test_carries_is_error_flag():
-    raw = _wrap("err msg", "sess", 0.01, is_error=True)
-    parsed = _parse_claude_json(raw)
-    assert parsed["is_error"] is True
-
-
-# ── tolerant inputs ───────────────────────────────────────────────────────────
-
-def test_strips_leading_trailing_whitespace():
-    raw = "   \n" + _wrap("ok", "s", 0.0) + "\n  "
-    parsed = _parse_claude_json(raw)
-    assert parsed["session_id"] == "s"
-    assert parsed["result"] == "ok"
-
-
-def test_finds_json_after_stderr_garbage():
-    """Claude sometimes prints debug lines before the JSON object."""
-    raw = (
-        "Some stderr line\n"
-        "Another warning\n"
-        + _wrap("payload", "s", 0.0)
-    )
-    parsed = _parse_claude_json(raw)
-    assert parsed["session_id"] == "s"
-    assert parsed["result"] == "payload"
-
-
-def test_returns_empty_on_unparseable():
-    parsed = _parse_claude_json("not json at all")
-    assert parsed["session_id"] == ""
-    assert parsed["result"] == ""
-    assert parsed["total_cost_usd"] == 0.0
-    # When unparseable, surface as an error so caller doesn't silently swallow it
-    assert parsed["is_error"] is True
-
-
-def test_returns_empty_on_empty_string():
-    parsed = _parse_claude_json("")
-    assert parsed["session_id"] == ""
-    assert parsed["result"] == ""
-    assert parsed["is_error"] is True
-
-
-def test_handles_missing_fields_gracefully():
-    """If claude omits some fields, extract what's there and default the rest."""
-    raw = json.dumps({"type": "result", "result": "x", "session_id": "s"})
-    parsed = _parse_claude_json(raw)
-    assert parsed["session_id"] == "s"
-    assert parsed["result"] == "x"
-    assert parsed["total_cost_usd"] == 0.0
-    assert parsed["is_error"] is False
+"""
+test_fix_engine_json.py — Unit tests for _parse_claude_json().
+
+Parses the single-object JSON emitted by `claude --print --output-format json`.
+Critical: must extract session_id (for resume), cost (for budget tracking),
+and the result text (which contains the patch).
+"""
+import json
+import pytest
+
+from sentinel.fix_engine import _parse_claude_json, _is_auth_error
+
+
+def _wrap(result_text: str, session_id: str = "abc-123",
+          cost: float = 0.05, is_error: bool = False) -> str:
+    return json.dumps({
+        "type": "result",
+        "subtype": "success" if not is_error else "error",
+        "is_error": is_error,
+        "result": result_text,
+        "session_id": session_id,
+        "total_cost_usd": cost,
+        "duration_ms": 1234,
+        "stop_reason": "end_turn",
+    })
+
+
+# ── happy path ────────────────────────────────────────────────────────────────
+
+def test_extracts_result_session_cost():
+    raw = _wrap("Here is the patch:\n```diff\n...```", "sess-1", 0.07)
+    parsed = _parse_claude_json(raw)
+    assert parsed["session_id"] == "sess-1"
+    assert parsed["total_cost_usd"] == pytest.approx(0.07)
+    assert "patch" in parsed["result"]
+    assert parsed["is_error"] is False
+
+
+def test_handles_zero_cost():
+    raw = _wrap("ok", "sess", 0.0)
+    parsed = _parse_claude_json(raw)
+    assert parsed["total_cost_usd"] == 0.0
+
+
+def test_carries_is_error_flag():
+    raw = _wrap("err msg", "sess", 0.01, is_error=True)
+    parsed = _parse_claude_json(raw)
+    assert parsed["is_error"] is True
+
+
+# ── tolerant inputs ───────────────────────────────────────────────────────────
+
+def test_strips_leading_trailing_whitespace():
+    raw = "   \n" + _wrap("ok", "s", 0.0) + "\n  "
+    parsed = _parse_claude_json(raw)
+    assert parsed["session_id"] == "s"
+    assert parsed["result"] == "ok"
+
+
+def test_finds_json_after_stderr_garbage():
+    """Claude sometimes prints debug lines before the JSON object."""
+    raw = (
+        "Some stderr line\n"
+        "Another warning\n"
+        + _wrap("payload", "s", 0.0)
+    )
+    parsed = _parse_claude_json(raw)
+    assert parsed["session_id"] == "s"
+    assert parsed["result"] == "payload"
+
+
+def test_returns_empty_on_unparseable():
+    parsed = _parse_claude_json("not json at all")
+    assert parsed["session_id"] == ""
+    assert parsed["result"] == ""
+    assert parsed["total_cost_usd"] == 0.0
+    # When unparseable, surface as an error so caller doesn't silently swallow it
+    assert parsed["is_error"] is True
+
+
+def test_returns_empty_on_empty_string():
+    parsed = _parse_claude_json("")
+    assert parsed["session_id"] == ""
+    assert parsed["result"] == ""
+    assert parsed["is_error"] is True
+
+
+def test_handles_missing_fields_gracefully():
+    """If claude omits some fields, extract what's there and default the rest."""
+    raw = json.dumps({"type": "result", "result": "x", "session_id": "s"})
+    parsed = _parse_claude_json(raw)
+    assert parsed["session_id"] == "s"
+    assert parsed["result"] == "x"
+    assert parsed["total_cost_usd"] == 0.0
+    assert parsed["is_error"] is False
+
+
+def test_successful_envelope_overrides_unauthorized_substring():
+    # Regression: fp 6cb7a875 on 2026-04-27 - Claude generated a valid patch
+    # whose unchanged-context lines contained "HttpStatus.UNAUTHORIZED",
+    # tripping _is_auth_error and triggering a false "Both API key and OAuth
+    # failed" alert. The fix is to consult the JSON envelope first.
+    diff_with_unauthorized = (
+        "diff --git a/Foo.java b/Foo.java\n"
+        "@@ -10,3 +10,3 @@\n"
+        " return new ResponseEntity<>(err, HttpStatus.UNAUTHORIZED);\n"
+    )
+    raw = _wrap(diff_with_unauthorized, is_error=False)
+    assert _is_auth_error(raw) is True  # substring match alone is fooled
+    parsed = _parse_claude_json(raw)
+    assert parsed["is_error"] is False  # envelope is the source of truth
+    assert parsed["result"]
+
+
+@pytest.mark.parametrize("hint", [
+    "Error: Not logged in. Please run claude login.",
+    "API key is not set",
+    "401 Unauthorized",
+    "authentication failed",
+])
+def test_is_auth_error_matches_real_hints(hint):
+    assert _is_auth_error(hint) is True
+
+
+def test_is_auth_error_skips_benign_text():
+    assert _is_auth_error("All good, here is the patch") is False

package/.cairn/views/7802b9_cicd_trigger.py

@@ -1,171 +0,0 @@
-import logging
-import re
-import time
-from pathlib import Path
-import requests
-from .config_loader import RepoConfig
-from .state_store import StateStore
-logger = logging.getLogger(__name__)
-JENKINS_RELEASE_TIMEOUT = 900
-JENKINS_POLL_INTERVAL   = 20
-def trigger(repo: RepoConfig, store: StateStore, fingerprint: str, wait: bool = False) -> bool:
-    if not repo.cicd_type or not repo.cicd_job_url:
-        return True
-    cicd_type = repo.cicd_type.lower()
-    if cicd_type == "jenkins":
-        return _trigger_jenkins(repo)
-    elif cicd_type in ("jenkins_release", "jenkins-release"):
-        return _trigger_jenkins_release(repo, wait=wait)
-    elif cicd_type in ("github_actions", "github-actions"):
-        return _trigger_github_actions(repo, fingerprint)
-    else:
-        logger.warning("Unknown CICD_TYPE '%s' for %s", repo.cicd_type, repo.repo_name)
-        return False
-def _trigger_jenkins(repo: RepoConfig) -> bool:
-    url = f"{repo.cicd_job_url.rstrip('/')}/build"
-    resp = requests.post(url, auth=("sentinel", repo.cicd_token), timeout=15)
-    success = resp.status_code in (200, 201, 204)
-    if success:
-        logger.info("Jenkins build triggered: %s", repo.cicd_job_url)
-    else:
-        logger.error("Jenkins trigger failed (%s): %s", resp.status_code, resp.text[:200])
-    return success
-def _get_last_build_number(session: requests.Session, job_url: str) -> int:
-    try:
-        r = session.get(f"{job_url.rstrip('/')}/api/json", timeout=10)
-        data = r.json()
-        lb = data.get("lastBuild")
-        return lb["number"] if lb else 0
-    except Exception as exc:
-        logger.warning("Could not get last build number for %s: %s", job_url, exc)
-        return 0
-def _wait_for_jenkins_build(
-    session: requests.Session,
-    job_url: str,
-    prev_build_num: int,
-    timeout: int = JENKINS_RELEASE_TIMEOUT,
-) -> bool:
-    deadline = time.time() + timeout
-    build_num = None
-    while time.time() < deadline:
-        current = _get_last_build_number(session, job_url)
-        if current > prev_build_num:
-            build_num = current
-            logger.info("Jenkins build
-            break
-        logger.debug("Waiting for Jenkins build to start (last=%d)...", current)
-        time.sleep(JENKINS_POLL_INTERVAL)
-    else:
-        logger.error("Timed out waiting for Jenkins build to start: %s", job_url)
-        return False
-    build_api = f"{job_url.rstrip('/')}/{build_num}/api/json"
-    while time.time() < deadline:
-        try:
-            r = session.get(build_api, timeout=10)
-            data = r.json()
-            if not data.get("building", True):
-                result = data.get("result", "UNKNOWN")
-                if result == "SUCCESS":
-                    logger.info("Jenkins build
-                    return True
-                else:
-                    logger.error("Jenkins build
-                    return False
-            elapsed = int(time.time() - (deadline - timeout))
-            logger.info("Jenkins build
-        except Exception as exc:
-            logger.warning("Jenkins poll error for %s: %s", build_api, exc)
-        time.sleep(JENKINS_POLL_INTERVAL)
-    logger.error("Timed out waiting for Jenkins build
-    return False
-def _trigger_jenkins_release(repo: RepoConfig, wait: bool = False) -> bool:
-    release_ver, dev_ver = _maven_release_versions(repo.local_path)
-    if not release_ver:
-        logger.error("Jenkins release: could not determine release version from pom.xml")
-        return False
-    url = f"{repo.cicd_job_url.rstrip('/')}/m2release/submit"
-    auth = (repo.cicd_user or "sentinel", repo.cicd_token)
-    session = requests.Session()
-    session.auth = auth
-    from urllib.parse import urlparse
-    parsed = urlparse(repo.cicd_job_url)
-    jenkins_root = f"{parsed.scheme}://{parsed.netloc}"
-    crumb_data = session.get(f"{jenkins_root}/crumbIssuer/api/json", timeout=10).json()
-    crumb_header = {crumb_data["crumbRequestField"]: crumb_data["crumb"]}
-    prev_build_num = _get_last_build_number(session, repo.cicd_job_url) if wait else 0
-    scm_tag = f"{repo.repo_name}-{release_ver}"
-    import json as _json
-    stapler_json = _json.dumps({
-        "releaseVersion":        release_ver,
-        "developmentVersion":    dev_ver,
-        "isDryRun":              False,
-        "specifyScmCredentials": False,
-        "scmUsername":           "",
-        "scmCommentPrefix":      "[maven-release-plugin] ",
-        "appendHudsonUserName":  False,
-        "specifyScmTag":         False,
-        "scmTag":                scm_tag,
-    })
-    resp = session.post(
-        url,
-        headers={
-            **crumb_header,
-            "Referer": f"{repo.cicd_job_url.rstrip('/')}/m2release/",
-        },
-        data={
-            "releaseVersion":     release_ver,
-            "developmentVersion": dev_ver,
-            "scmCommentPrefix":   "[maven-release-plugin] ",
-            "scmTag":             scm_tag,
-            "json":               stapler_json,
-        },
-        timeout=15,
-        allow_redirects=False,
-    )
-    triggered = resp.status_code in (200, 201, 204, 302)
-    if not triggered:
-        logger.error("Jenkins release trigger failed (%s): %s", resp.status_code, resp.text[:200])
-        return False
-    logger.info(
-        "Jenkins Maven Release triggered: %s → %s (next: %s)%s",
-        repo.cicd_job_url, release_ver, dev_ver,
-        " — waiting for completion..." if wait else "",
-    )
-    if wait:
-        return _wait_for_jenkins_build(session, repo.cicd_job_url, prev_build_num)
-    return True
-def _maven_release_versions(local_path: str) -> tuple[str, str]:
-    pom = Path(local_path) / "pom.xml"
-    if not pom.exists():
-        return ("", "")
-    text = pom.read_text(encoding="utf-8", errors="ignore")
-    m = re.search(r"<version>(\d+\.\d+\.\d+)-SNAPSHOT</version>", text)
-    if not m:
-        return ("", "")
-    parts = m.group(1).split(".")
-    release_ver = m.group(1)
-    next_patch = int(parts[2]) + 1
-    dev_ver = f"{parts[0]}.{parts[1]}.{next_patch}-SNAPSHOT"
-    return release_ver, dev_ver
-def _trigger_github_actions(repo: RepoConfig, fingerprint: str) -> bool:
-    owner_repo = _owner_repo(repo.repo_url)
-    url = f"https://api.github.com/repos/{owner_repo}/dispatches"
-    resp = requests.post(
-        url,
-        json={"event_type": "sentinel-deploy", "client_payload": {"fingerprint": fingerprint}},
-        headers={
-            "Authorization": f"Bearer {repo.cicd_token}",
-            "Accept": "application/vnd.github+json",
-        },
-        timeout=15,
-    )
-    success = resp.status_code == 204
-    if success:
-        logger.info("GitHub Actions dispatch sent for %s", owner_repo)
-    else:
-        logger.error("GH Actions dispatch failed (%s): %s", resp.status_code, resp.text[:200])
-    return success
-def _owner_repo(repo_url: str) -> str:
-    if repo_url.startswith("git@"):
-        return repo_url.split(":")[-1].removesuffix(".git")
-    return "/".join(repo_url.rstrip("/").split("/")[-2:]).removesuffix(".git")