@tuent/sentinel 0.1.1 → 0.1.3

package/dist/{chunk-QHE56MEO.js → chunk-JTR2E7RD.js}

@@ -234,8 +234,43 @@ var DEFAULT_FORBIDDEN_PATTERNS = [
   "**/id_ed25519*",
   "**/*.pem",
   "**/*.key",
-  "/etc/**"
+  "/etc/**",
+  // Sprint 26 FIX 1 (A) — common credential stores. DRIFT: keep in sync with
+  // STARTER_POLICY.forbid.targets in setup/initClaudeCode.ts (template↔defaults
+  // unification tracked in a separate ticket — do not refactor here).
+  "**/.netrc",
+  "**/.npmrc",
+  "**/.git-credentials",
+  "**/.pgpass",
+  "**/.zsh_history",
+  "**/.config/gh/**",
+  "**/.docker/config.json",
+  "**/.gnupg/**",
+  "**/.config/gcloud/**",
+  "**/.kube/**",
+  "**/Library/Keychains/**",
+  // Sprint 26 FIX 1 (B) — Sentinel's own state dir (current path only; the
+  // ~/.dahlia → ~/.sentinel rename is a separate re-arch).
+  "**/.dahlia/**",
+  // Sprint 26 FIX 3 — the live policy file and cc's hook-wiring settings files.
+  // Denies the agent's own tool-writes (policy rewrite / unhook vectors); reads
+  // stay allowed via DEFAULT_POLICY_READ_EXCEPTIONS below. The settings glob
+  // covers project AND user-level (~/.claude/settings*.json) in one pattern.
+  // DRIFT: keep in sync with STARTER_POLICY.forbid.targets in setup/initClaudeCode.ts.
+  "**/.sentinel.yaml",
+  "**/.claude/settings*.json"
 ];
+var DEFAULT_POLICY_READ_EXCEPTIONS = [
+  { target: "**/.sentinel.yaml", allowedActions: ["file_read"] },
+  { target: "**/.claude/settings*.json", allowedActions: ["file_read"] }
+];
+function withPolicyReadExceptions(existing) {
+  const merged = existing ? [...existing] : [];
+  for (const exc of DEFAULT_POLICY_READ_EXCEPTIONS) {
+    if (!merged.some((e) => e.target === exc.target)) merged.push(exc);
+  }
+  return merged;
+}
 var DEFAULT_MEDIUM_DISPOSITION = {
   network_request: "deny"
 };
@@ -419,7 +454,7 @@ function shouldDispatchWildcard(token) {
   if (BRACE_PATTERN_RE.test(token)) return true;
   return false;
 }
-var SENSITIVE_BASENAME_RE = /(?:\.env|\.ssh|secrets|credentials|id_rsa|id_dsa|id_ecdsa|id_ed25519|\.pem|\.key)/i;
+var SENSITIVE_BASENAME_RE = /(?:\.env|\.ssh|secrets|credentials|id_rsa|id_dsa|id_ecdsa|id_ed25519|\.pem|\.key|\.netrc|\.npmrc|\.pgpass|\.zsh_history|\.gnupg|\.kube|\.dahlia)/i;
 var DANGEROUS_COMMAND_TOKENS = /* @__PURE__ */ new Set(["eval"]);
 var COMMAND_SUBSTITUTION_RE = /\$\(|`/;
 var DANGEROUS_RAW_RE = /<<<|<\(|>\(/;
@@ -515,7 +550,7 @@ function tokenizePaths(command) {
       if (dispatch.unparseable) {
         result.unparseable = true;
       }
-    } else if (isPathShaped(token)) {
+    } else if (isPathShaped(token) && !isEnvIdentifierChain(token)) {
       const resolved = resolvePathToken(token);
       result.paths.push(resolved);
     }
@@ -523,6 +558,21 @@ function tokenizePaths(command) {
   }
   return result;
 }
+function isEnvIdentifierChain(token) {
+  if (token.includes("/") || token.startsWith(".")) return false;
+  if (!allEnvOccurrencesIdentifierEmbedded(token)) return false;
+  return !SENSITIVE_BASENAME_RE.test(token.replace(/\.env/gi, " "));
+}
+function allEnvOccurrencesIdentifierEmbedded(s) {
+  const envHits = /\.env/gi;
+  let m;
+  let any = false;
+  while ((m = envHits.exec(s)) !== null) {
+    any = true;
+    if (!/[A-Za-z0-9_$]/.test(s[m.index - 1] ?? "")) return false;
+  }
+  return any;
+}
 function isPathShaped(token) {
   if (token.includes("/")) return true;
   if (token.startsWith(".")) return true;
@@ -577,7 +627,13 @@ var FORBIDDEN_BASENAMES = [
   "id_ecdsa",
   "id_ed25519",
   ".pem",
-  ".key"
+  ".key",
+  // Sprint 26 FIX 1 (A) — credential-store file basenames (L2 bash deny).
+  // `.git-credentials` is already covered by the "credentials" entry above.
+  ".netrc",
+  ".npmrc",
+  ".pgpass",
+  ".zsh_history"
 ];
 function scanBashCommand(command, forbiddenBasenames) {
   const basenames = forbiddenBasenames ?? FORBIDDEN_BASENAMES;
@@ -744,8 +800,38 @@ function isPositionallySafeMention(command) {
   const safe = positionallySafeBasenames(command);
   return hits.every((h) => safe.has(h));
 }
+function classifyDeny(command, signals) {
+  const { l2Hits, hasL1Hit, unparseable, hasDangerousConstruct } = signals;
+  if (hasL1Hit || unparseable || hasDangerousConstruct) return { mentionOnly: false };
+  if (l2Hits.length === 0) return { mentionOnly: false };
+  let tokens;
+  try {
+    tokens = shellParse(command, (key) => ({ __sentinel_var: key }));
+  } catch {
+    return { mentionOnly: false };
+  }
+  if (!Array.isArray(tokens)) return { mentionOnly: false };
+  if (tokens.some((t) => isVarMarker(t))) return { mentionOnly: false };
+  const strTokens = tokens.filter((t) => typeof t === "string");
+  for (const hit of l2Hits) {
+    const h = hit.toLowerCase();
+    const confident = strTokens.some((tok) => {
+      const low = tok.toLowerCase();
+      if (!low.includes(h)) return false;
+      if (low.length === h.length) return false;
+      const reHits = scanBashCommand(tok, FORBIDDEN_BASENAMES).hits;
+      if (reHits.some((rh) => tok.length === rh.length)) return false;
+      const reTok = tokenizePaths(tok);
+      if (reTok.unparseable || reTok.hasDangerousConstruct) return false;
+      return true;
+    });
+    if (!confident) return { mentionOnly: false };
+  }
+  return { mentionOnly: true };
+}
 
 // src/roleValidator.ts
+import { parse as shellParse2 } from "shell-quote";
 var SUSPICIOUS_BASENAME_RE = /^\.|(\.env|secret|credential|key|config|token)/i;
 function resolveSymlinks(normalizedPath) {
   if (!normalizedPath || normalizedPath.includes("://")) return normalizedPath;
@@ -832,6 +918,11 @@ function normalizeForbiddenPattern(pattern) {
   if (pattern.startsWith("**/") || pattern.startsWith("/")) return pattern;
   return "**/" + pattern;
 }
+function unionWithDefaultForbiddenPatterns(supplied) {
+  return [
+    ...new Set([...supplied ?? [], ...DEFAULT_FORBIDDEN_PATTERNS].map(normalizeForbiddenPattern))
+  ];
+}
 function isPathShaped2(value) {
   if (value.length === 0 || value.length > 4096) return false;
   if (/\s/.test(value)) return false;
@@ -1073,10 +1164,26 @@ var RoleValidator = class {
         }
       }
     }
-    const safeCommandMention = event.action === "command_exec" && isPositionallySafeMention(event.primaryTarget);
+    if (event.action === "command_exec") {
+      const cmd = this.screenCommandTarget(event);
+      if (cmd) {
+        const finding = this.buildForbiddenFinding(
+          event,
+          cmd.matchedTarget,
+          cmd.matchedPattern,
+          activeTask ?? null
+        );
+        if (finding) {
+          finding.targetKey = cmd.targetKey;
+          finding.dedupKey = event.primaryTarget;
+          finding.mentionOnly = false;
+          return finding;
+        }
+      }
+    }
     for (const pattern of this.role.forbiddenTargetPatterns) {
       let matchedTargetValue = null;
-      if (!safeCommandMention && primaryTargetPaths.some((tp) => matchGlobInsensitive(pattern, tp))) {
+      if (event.action !== "command_exec" && primaryTargetPaths.some((tp) => matchGlobInsensitive(pattern, tp))) {
         matchedTargetValue = normalizedPrimaryTarget;
       }
       if (!matchedTargetValue) {
@@ -1094,57 +1201,13 @@ var RoleValidator = class {
         }
       }
       if (matchedTargetValue) {
-        const sensitivity = this.sensitivityScorer?.scoreTarget(matchedTargetValue, event.action);
-        const isCritical = sensitivity ? sensitivity.effectiveScore >= 0.9 : false;
-        const finding = this.makeFinding(event, {
-          severity: "HIGH",
-          type: "unauthorized_target",
-          description: `Agent accessed '${matchedTargetValue}' which matches forbidden pattern '${pattern}'`,
-          recommendation: getTargetRecommendation(
-            "unauthorized_target",
-            matchedTargetValue,
-            event.action
-          ),
-          matchedTarget: matchedTargetValue
-        });
-        if (!isCritical) {
-          const exception = findMatchingException(this.role.exceptions, event, activeTask ?? null);
-          if (exception) {
-            this.onAuditEntry?.({
-              type: "exception_applied",
-              timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-              agentId: event.agentId,
-              target: matchedTargetValue,
-              action: event.action,
-              exceptionTarget: exception.target,
-              taskId: activeTask?.taskId ?? null
-            });
-            if (exception.requiresApproval) {
-              const ctx = {
-                finding,
-                exception,
-                activeTask: activeTask ?? null,
-                expiresAt: exception.expiresAfter != null && activeTask ? new Date(new Date(activeTask.startedAt).getTime() + exception.expiresAfter) : null
-              };
-              const approved = this.approvalFn?.(ctx) === true;
-              if (approved) {
-                this.onAuditEntry?.({
-                  type: "exception_approved",
-                  timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-                  agentId: event.agentId,
-                  target: matchedTargetValue,
-                  action: event.action,
-                  exceptionTarget: exception.target,
-                  taskId: activeTask?.taskId ?? null
-                });
-                continue;
-              }
-            } else {
-              continue;
-            }
-          }
-        }
-        return this.enhanceWithSensitivity(finding, event);
+        const finding = this.buildForbiddenFinding(
+          event,
+          matchedTargetValue,
+          pattern,
+          activeTask ?? null
+        );
+        if (finding) return finding;
       }
     }
     if (this.sensitivityScorer && event.metadata?._mcpTool === "true") {
@@ -1163,7 +1226,7 @@ var RoleValidator = class {
         });
       }
     }
-    if (this.role.allowedTargetPatterns.length > 0) {
+    if (this.role.allowedTargetPatterns.length > 0 && event.action !== "command_exec") {
       const anchor = this.workspaceRoot !== "" && PATH_TARGET_ACTIONS.has(event.action);
       const matched = this.role.allowedTargetPatterns.some((pattern) => {
         const candidates = anchor ? [pattern, anchorAllowedPattern(pattern, this.workspaceRoot)] : [pattern];
@@ -1201,7 +1264,7 @@ var RoleValidator = class {
       }
     }
     const scopePatterns = activeTask?.scopePatterns;
-    if (scopePatterns && scopePatterns.length > 0) {
+    if (scopePatterns && scopePatterns.length > 0 && event.action !== "command_exec") {
       const anchor = this.workspaceRoot !== "" && PATH_TARGET_ACTIONS.has(event.action);
       const inScope = scopePatterns.some((pattern) => {
         const candidates = anchor ? [pattern, anchorAllowedPattern(pattern, this.workspaceRoot)] : [pattern];
@@ -1265,6 +1328,127 @@ var RoleValidator = class {
     }
     return finding;
   }
+  /**
+   * Sprint 26B B′ — scanner-authoritative forbidden screen for a command_exec
+   * PRIMARY target (the command string). Three layers, first match wins:
+   *
+   *  L1 — tokenizePaths(command): resolved path-shaped tokens (symlink-resolved,
+   *       dir-globs, F-5b's isEnvIdentifierChain guard inside) matched against the
+   *       FULL role patterns via matchGlob.
+   *  Boundary — every argv token's basename vs each pattern's basename component
+   *       via the SAME matchGlob (its `^…$` anchoring → true boundary, so
+   *       `^\.env$` rejects `process.env` and `^payroll\.csv$` rejects
+   *       `mypayroll.csv`, while a `payroll.csv` token matches a `payroll.csv`
+   *       pattern basename). Patterns whose basename is pure-wildcard (a bare
+   *       star or globstar) are dir-globs and are skipped here (L1 handles them
+   *       on resolved paths).
+   *  L2 — scanBashCommand substring net (fixed FORBIDDEN_BASENAMES) gated by
+   *       isPositionallySafeMention, for heredoc/substitution shapes tokenization
+   *       can't cleanly split.
+   *
+   * Returns the matched target + the F-5a targetKey (resolved path / token /
+   * `l2:<basenames>`, mirroring the gateway emit) + a pattern label for the
+   * finding description, or null when nothing matches.
+   */
+  screenCommandTarget(event) {
+    const command = event.primaryTarget;
+    if (isPositionallySafeMention(command)) return null;
+    const tr = tokenizePaths(command);
+    for (const p of tr.paths) {
+      for (const pattern of this.role.forbiddenTargetPatterns) {
+        if (matchGlobInsensitive(pattern, p)) {
+          return { matchedTarget: p, targetKey: p, matchedPattern: pattern };
+        }
+      }
+    }
+    let tokens;
+    try {
+      tokens = shellParse2(command);
+    } catch {
+      tokens = [];
+    }
+    for (const tok of tokens) {
+      if (typeof tok !== "string") continue;
+      const tokBase = basename2(tok);
+      if (tokBase.length === 0) continue;
+      for (const pattern of this.role.forbiddenTargetPatterns) {
+        const patBase = basename2(pattern);
+        if (patBase === "*" || patBase === "**") continue;
+        if (matchGlobInsensitive(patBase, tokBase)) {
+          return { matchedTarget: tok, targetKey: tok, matchedPattern: pattern };
+        }
+      }
+    }
+    const scan = scanBashCommand(command, FORBIDDEN_BASENAMES);
+    if (scan.matched) {
+      const hits = [...new Set(scan.hits)].sort();
+      return {
+        matchedTarget: scan.hits[0],
+        targetKey: `l2:${hits.join(",")}`,
+        matchedPattern: hits.join(", ")
+      };
+    }
+    return null;
+  }
+  /**
+   * Build the unauthorized_target finding for a matched forbidden target, applying
+   * the same exception/approval/sensitivity flow shared by Check 2's per-pattern
+   * loop and the B′ command screen. Returns the finding to emit, or null when an
+   * exception (auto, or approved) suppresses it (caller continues / falls through).
+   */
+  buildForbiddenFinding(event, matchedTargetValue, pattern, activeTask) {
+    const sensitivity = this.sensitivityScorer?.scoreTarget(matchedTargetValue, event.action);
+    const isCritical = sensitivity ? sensitivity.effectiveScore >= 0.9 : false;
+    const finding = this.makeFinding(event, {
+      severity: "HIGH",
+      type: "unauthorized_target",
+      description: `Agent accessed '${matchedTargetValue}' which matches forbidden pattern '${pattern}'`,
+      recommendation: getTargetRecommendation(
+        "unauthorized_target",
+        matchedTargetValue,
+        event.action
+      ),
+      matchedTarget: matchedTargetValue
+    });
+    if (!isCritical) {
+      const exception = findMatchingException(this.role.exceptions, event, activeTask);
+      if (exception) {
+        this.onAuditEntry?.({
+          type: "exception_applied",
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          agentId: event.agentId,
+          target: matchedTargetValue,
+          action: event.action,
+          exceptionTarget: exception.target,
+          taskId: activeTask?.taskId ?? null
+        });
+        if (exception.requiresApproval) {
+          const ctx = {
+            finding,
+            exception,
+            activeTask,
+            expiresAt: exception.expiresAfter != null && activeTask ? new Date(new Date(activeTask.startedAt).getTime() + exception.expiresAfter) : null
+          };
+          const approved = this.approvalFn?.(ctx) === true;
+          if (approved) {
+            this.onAuditEntry?.({
+              type: "exception_approved",
+              timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+              agentId: event.agentId,
+              target: matchedTargetValue,
+              action: event.action,
+              exceptionTarget: exception.target,
+              taskId: activeTask?.taskId ?? null
+            });
+            return null;
+          }
+        } else {
+          return null;
+        }
+      }
+    }
+    return this.enhanceWithSensitivity(finding, event);
+  }
   makeFinding(event, details) {
     return {
       severity: details.severity,
@@ -1694,6 +1878,7 @@ export {
   removeOverlayDecision,
   createEmptyOverlay,
   DEFAULT_FORBIDDEN_PATTERNS,
+  withPolicyReadExceptions,
   DEFAULT_MEDIUM_DISPOSITION,
   TargetSensitivityScorer,
   tokenizePaths,
@@ -1702,12 +1887,14 @@ export {
   scanContentForForbiddenBasenames,
   scanGlobPattern,
   isPositionallySafeMention,
+  classifyDeny,
   matchGlob,
   normalizeForbiddenPattern,
+  unionWithDefaultForbiddenPatterns,
   matchGlobInsensitive,
   getTargetRecommendation,
   walkForbiddenInodeRoots,
   findMatchingException,
   RoleValidator
 };
-//# sourceMappingURL=chunk-QHE56MEO.js.map
+//# sourceMappingURL=chunk-JTR2E7RD.js.map

package/dist/{chunk-NS6ZLMDK.js → chunk-SSDIBY52.js}

@@ -1,5 +1,4 @@
 import {
-  DEFAULT_FORBIDDEN_PATTERNS,
   DEFAULT_MAP_PATH,
   DEFAULT_MEDIUM_DISPOSITION,
   DEFAULT_OVERLAY_PATH,
@@ -16,13 +15,15 @@ import {
   removeOverlayDecision,
   saveMap,
   saveOverlay,
-  walkForbiddenInodeRoots
-} from "./chunk-QHE56MEO.js";
+  unionWithDefaultForbiddenPatterns,
+  walkForbiddenInodeRoots,
+  withPolicyReadExceptions
+} from "./chunk-JTR2E7RD.js";
 import {
   loadPolicy,
   policyToConfig,
   policyToRole
-} from "./chunk-2FFMYSVC.js";
+} from "./chunk-WLIDSTS4.js";
 import {
   publicKeyToBase64,
   reconstructSigningPayload,
@@ -314,6 +315,9 @@ var ProfileStore = class {
     this.profile = await this.backend.read();
     this.engine = new DataEngine({ petalCount: this.petalCount });
     if (this.profile) {
+      if (!Array.isArray(this.profile.dataPoints)) {
+        this.profile.dataPoints = [];
+      }
       for (const point of this.profile.dataPoints) {
         this.engine.addPoint(point);
       }
@@ -617,6 +621,7 @@ var AgentActivityClassifier = class {
 
 // src/auditTrail.ts
 import { createHash } from "crypto";
+import { existsSync } from "fs";
 var AuditTrail = class _AuditTrail {
   static GENESIS_HASH = "0".repeat(64);
   /** S21-P4: honest label for cumulative-stats.json's totalEntries. */
@@ -650,6 +655,11 @@ var AuditTrail = class _AuditTrail {
     this.agentId = agentId;
     const home = process.env.HOME ?? process.env.USERPROFILE ?? "/tmp";
     const logDir = options?.logDir ?? `${home}/.dahlia/agents/${agentId}`;
+    if (options?.logDir && !existsSync(`${logDir}/audit.log`) && existsSync(`${logDir}/${agentId}/audit.log`)) {
+      throw new Error(
+        `AuditTrail logDir must be the agent's own directory, not the agents root: "${logDir}" contains no audit.log, but "${logDir}/${agentId}/audit.log" exists. Pass join(agentsRoot, "${agentId}") instead.`
+      );
+    }
     this.logPath = `${logDir}/audit.log`;
     this.statsPath = `${logDir}/cumulative-stats.json`;
     this.manifestPath = `${logDir}/audit.manifest`;
@@ -742,6 +752,15 @@ var AuditTrail = class _AuditTrail {
     if (finding.softSignal === true) {
       entry.softSignal = true;
     }
+    if (finding.mentionOnly === true) {
+      entry.mentionOnly = true;
+    }
+    if (finding.dedupKey !== void 0) {
+      entry.dedupKey = finding.dedupKey;
+    }
+    if (finding.targetKey !== void 0) {
+      entry.targetKey = finding.targetKey;
+    }
     await this.writeLine(entry);
   }
   /**
@@ -2971,6 +2990,7 @@ var SentinelRunner = class {
   }
   async runGapCheck() {
     if (!this._deviationDetector || !this.auditTrail) return;
+    if (this._eventCount === 0) return;
     const finding = await this._deviationDetector.checkActivityGap(this.auditTrail);
     if (finding) {
       this.findings.push(finding);
@@ -3522,7 +3542,7 @@ var SentinelManager = class {
 };
 
 // src/Sentinel.ts
-import { lstatSync, existsSync } from "fs";
+import { lstatSync, existsSync as existsSync2 } from "fs";
 import { resolve as resolve2, dirname, sep as sep2 } from "path";
 
 // src/baselineBuilder.ts
@@ -6411,7 +6431,7 @@ var Sentinel = class _Sentinel {
         );
       }
     }
-    if (!existsSync(root)) {
+    if (!existsSync2(root)) {
       console.warn(
         `[Sentinel] Workspace root '${root}' does not exist on disk \u2014 anchored allowed patterns will match nothing and every allowed read may be denied.`
       );
@@ -6438,12 +6458,16 @@ var Sentinel = class _Sentinel {
         "tool_invocation"
       ],
       allowedTargetPatterns: options.allowedTargetPatterns ?? ["**"],
-      // Forbidden-pattern normalization chokepoint (Part A): **/-prepend bare
-      // patterns so they match absolute paths in Check 2. Idempotent.
-      forbiddenTargetPatterns: (options.forbiddenTargetPatterns ?? DEFAULT_FORBIDDEN_PATTERNS).map(
-        normalizeForbiddenPattern
-      ),
-      exceptions: options.exceptions,
+      // Forbidden-pattern normalization chokepoint (Part A) + Sprint 26 FIX 3B:
+      // the defaults are a floor unioned into every role, not a fallback — a
+      // policy yaml extends but cannot remove them (the `??` form let any
+      // policy-supplied list supersede the defaults entirely).
+      forbiddenTargetPatterns: unionWithDefaultForbiddenPatterns(options.forbiddenTargetPatterns),
+      // Sprint 26 FIX 3 — ceiling-side read carve-out for the self-protection
+      // forbids (policy + hook-wiring files). Appended here, not in the yaml
+      // template: mergeRoles drops workspace exceptions, so this is the only
+      // authorable layer — which is the self-locking property.
+      exceptions: withPolicyReadExceptions(options.exceptions),
       networkHosts: options.networkHosts,
       expectedSchedule: options.expectedSchedule,
       maxEventsPerHour: options.maxEventsPerHour,
@@ -6513,8 +6537,15 @@ var Sentinel = class _Sentinel {
       ...options.role,
       agentId,
       name: options.name,
-      // Forbidden-pattern normalization chokepoint (Part A) — idempotent.
-      forbiddenTargetPatterns: (options.role.forbiddenTargetPatterns ?? DEFAULT_FORBIDDEN_PATTERNS).map(normalizeForbiddenPattern)
+      // Forbidden-pattern normalization chokepoint (Part A) + Sprint 26 FIX 3B
+      // defaults-as-floor union — same semantics as monitor().
+      forbiddenTargetPatterns: unionWithDefaultForbiddenPatterns(
+        options.role.forbiddenTargetPatterns
+      ),
+      // Sprint 26 FIX 3 — same ceiling-side read carve-out as monitor(). The
+      // merged role arriving here keeps ceiling exceptions (workspace ones are
+      // already dropped by mergeRoles); the append is idempotent by target.
+      exceptions: withPolicyReadExceptions(options.role.exceptions)
     };
     if (await this.profileManager.agentExists(agentId)) {
       const store = await this.profileManager.loadAgentProfile(agentId);
@@ -7318,13 +7349,13 @@ var Sentinel = class _Sentinel {
           type: "agent_quarantined",
           agentId,
           agentName: event.agentName ?? agentId,
-          description: `Agent ${agentId} is quarantined. All actions blocked. Run 'sentinel release' to restore access.`,
+          description: `Agent ${agentId} is quarantined. All actions blocked. Run 'npx @tuent/sentinel release --agent=${agentId}' to restore access.`,
           evidence: {
             action: event.action,
             target: event.primaryTarget,
             timestamp: event.timestamp
           },
-          recommendation: `Agent must be manually released before it can perform any actions. Run 'sentinel release' in this workspace (or 'sentinel release --agent=${agentId}') to restore access.`,
+          recommendation: `Agent must be manually released before it can perform any actions. Run 'npx @tuent/sentinel release --agent=${agentId}' to restore access.`,
           timestamp: event.timestamp
         }
       };
@@ -7339,13 +7370,13 @@ var Sentinel = class _Sentinel {
             type: "agent_restricted",
             agentId,
             agentName: event.agentName ?? agentId,
-            description: `Agent ${agentId} is restricted. Action '${event.action}' is not permitted in restricted mode. Run 'sentinel release' to restore full access.`,
+            description: `Agent ${agentId} is restricted. Action '${event.action}' is not permitted in restricted mode. Run 'npx @tuent/sentinel release --agent=${agentId}' to restore full access.`,
             evidence: {
               action: event.action,
               target: event.primaryTarget,
               timestamp: event.timestamp
             },
-            recommendation: `Only file_read and tool_invocation are allowed in restricted mode. Run 'sentinel release' in this workspace (or 'sentinel release --agent=${agentId}') to restore full access.`,
+            recommendation: `Only file_read and tool_invocation are allowed in restricted mode. Run 'npx @tuent/sentinel release --agent=${agentId}' to restore full access.`,
             timestamp: event.timestamp
           }
         };
@@ -7374,6 +7405,17 @@ var Sentinel = class _Sentinel {
    * Sprint 16 Prompt 3 — replaces in-memory blockCounts Map to survive
    * gateway restarts. Same pattern as Sprint 11 sessionCount Shape D fix.
    */
+  /**
+   * Shared escalation-eligibility predicate (Sprint 26 F-5). Single source of
+   * truth for "this finding counts toward the block ladder", extracted from the
+   * formerly-inline copies in getEffectiveBlockCount and maybeEscalate — behavior
+   * of both is identical to before the extraction. Accepts either a
+   * SecurityFinding-shaped object ({type}) or an audit entry ({findingType},
+   * mapped by the caller).
+   */
+  static isEscalationEligible(f) {
+    return _Sentinel.ESCALATION_ELIGIBLE_TYPES.has(f.type) && (f.severity === "HIGH" || f.severity === "CRITICAL") && f.kind === "actionable";
+  }
   async getEffectiveBlockCount(agentId) {
     const modeChanges = await this.query(agentId, { type: "mode_change" });
     const releaseEntry = modeChanges.find((e) => e.mode === "normal");
@@ -7382,16 +7424,33 @@ var Sentinel = class _Sentinel {
       type: "finding",
       ...anchor ? { startTime: anchor } : {}
     });
-    return findings.filter(
-      (f) => _Sentinel.ESCALATION_ELIGIBLE_TYPES.has(f.findingType) && (f.severity === "HIGH" || f.severity === "CRITICAL") && f.kind === "actionable"
-    ).length;
+    const survivors = findings.filter(
+      (f) => _Sentinel.isEscalationEligible({
+        type: f.findingType,
+        severity: f.severity,
+        kind: f.kind
+      }) && f.mentionOnly !== true
+    );
+    const distinctKeys = /* @__PURE__ */ new Set();
+    let keyless = 0;
+    for (const f of survivors) {
+      const tk = f.targetKey;
+      const dk = f.dedupKey;
+      if (typeof tk === "string" && tk.length > 0) distinctKeys.add(`t:${tk}`);
+      else if (typeof dk === "string" && dk.length > 0) distinctKeys.add(`c:${dk}`);
+      else keyless++;
+    }
+    return distinctKeys.size + keyless;
   }
   async maybeEscalate(agentId, finding) {
     const mode = this.getMode(agentId);
     if (mode === "quarantined") return;
-    if (finding.severity !== "HIGH" && finding.severity !== "CRITICAL") return;
-    if (!_Sentinel.ESCALATION_ELIGIBLE_TYPES.has(finding.type)) return;
-    if (finding.kind !== "actionable") return;
+    if (!_Sentinel.isEscalationEligible({
+      type: finding.type,
+      severity: finding.severity,
+      kind: finding.kind
+    }))
+      return;
     const count = await this.getEffectiveBlockCount(agentId);
     if (mode === "restricted") {
       if (count >= this.quarantineThreshold) {
@@ -7426,4 +7485,4 @@ export {
   createCliApproval,
   Sentinel
 };
-//# sourceMappingURL=chunk-NS6ZLMDK.js.map
+//# sourceMappingURL=chunk-SSDIBY52.js.map

package/dist/chunk-TKAKHSZ3.js

@@ -0,0 +1 @@
+//# sourceMappingURL=chunk-TKAKHSZ3.js.map