sentinelayer-cli 0.1.0 → 0.1.1

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "sentinelayer-cli",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Scaffold Sentinelayer spec/prompt/guide artifacts with secure browser auth and token bootstrap.",
   "type": "module",
   "scripts": {
-    "check": "node --check bin/sentinelayer-cli.js && node --check bin/create-sentinelayer.js && node --check bin/sl.js && node --check src/cli.js && node --check src/legacy-cli.js && node --check src/commands/config.js && node --check src/commands/ingest.js && node --check src/commands/spec.js && node --check src/commands/prompt.js && node --check src/commands/scan.js && node --check src/commands/guide.js && node --check src/commands/cost.js && node --check src/commands/telemetry.js && node --check src/commands/auth.js && node --check src/commands/watch.js && node --check src/commands/mcp.js && node --check src/commands/plugin.js && node --check src/commands/ai.js && node --check src/commands/review.js && node --check src/commands/chat.js && node --check src/commands/policy.js && node --check src/commands/swarm.js && node --check src/commands/daemon.js && node --check src/commands/audit.js && node --check src/config/service.js && node --check src/ingest/engine.js && node --check src/spec/generator.js && node --check src/spec/regenerate.js && node --check src/spec/templates.js && node --check src/prompt/generator.js && node --check src/scan/generator.js && node --check src/guide/generator.js && node --check src/cost/tracker.js && node --check src/cost/history.js && node --check src/cost/budget.js && node --check src/ai/client.js && node --check src/ai/aidenid.js && node --check src/ai/identity-store.js && node --check src/ai/domain-target-store.js && node --check src/ai/site-store.js && node --check src/review/local-review.js && node --check src/review/ai-review.js && node --check src/review/report.js && node --check src/review/replay.js && node --check src/audit/registry.js && node --check src/audit/orchestrator.js && node --check src/audit/package.js && node --check src/audit/replay.js && node --check src/audit/agents/security.js && node --check src/audit/agents/architecture.js && node --check src/audit/agents/testing.js && node --check src/audit/agents/performance.js && node --check src/audit/agents/compliance.js && node --check src/audit/agents/documentation.js && node --check src/swarm/registry.js && node --check src/swarm/factory.js && node --check src/swarm/runtime.js && node --check src/swarm/scenario-dsl.js && node --check src/swarm/dashboard.js && node --check src/swarm/report.js && node --check src/swarm/pentest.js && node --check src/daemon/error-worker.js && node --check src/daemon/assignment-ledger.js && node --check src/daemon/jira-lifecycle.js && node --check src/daemon/budget-governor.js && node --check src/daemon/operator-control.js && node --check src/daemon/artifact-lineage.js && node --check src/daemon/ast-parser-layer.js && node --check src/daemon/callgraph-overlay.js && node --check src/daemon/hybrid-mapper.js && node --check src/daemon/reliability-lane.js && node --check src/daemon/watchdog.js && node --check src/telemetry/ledger.js && node --check src/auth/http.js && node --check src/auth/session-store.js && node --check src/auth/service.js && node --check src/mcp/registry.js && node --check src/memory/blackboard.js && node --check src/memory/retrieval.js && node --check src/plugin/manifest.js && node --check src/policy/packs.js && node --check src/ui/markdown.js && node --check src/ui/progress.js && node --check src/agents/jules/tools/file-read.js && node --check src/agents/jules/tools/grep.js && node --check src/agents/jules/tools/glob.js && node --check src/agents/jules/tools/shell.js && node --check src/agents/jules/tools/file-edit.js && node --check src/agents/jules/tools/dispatch.js && node --check src/agents/jules/tools/index.js && node --check src/agents/jules/tools/frontend-analyze.js && node --check src/agents/jules/swarm/sub-agent.js && node --check src/agents/jules/swarm/file-scanner.js && node --check src/agents/jules/swarm/pattern-hunter.js && node --check src/agents/jules/swarm/index.js && node --check src/agents/jules/swarm/orchestrator.js && node --check src/agents/jules/config/definition.js && node --check src/agents/jules/loop.js && node --check src/agents/jules/stream.js && node --check src/agents/jules/fix-cycle.js && node --check src/agents/jules/error-intake.js && node --check src/agents/jules/tools/runtime-audit.js && node --check src/agents/jules/config/system-prompt.js && node --check src/agents/jules/tools/auth-audit.js",
+    "check": "node --check bin/sentinelayer-cli.js && node --check bin/create-sentinelayer.js && node --check bin/sl.js && node --check src/cli.js && node --check src/legacy-cli.js && node --check src/commands/config.js && node --check src/commands/ingest.js && node --check src/commands/spec.js && node --check src/commands/prompt.js && node --check src/commands/scan.js && node --check src/commands/guide.js && node --check src/commands/cost.js && node --check src/commands/telemetry.js && node --check src/commands/auth.js && node --check src/commands/watch.js && node --check src/commands/mcp.js && node --check src/commands/plugin.js && node --check src/commands/ai.js && node --check src/commands/review.js && node --check src/commands/chat.js && node --check src/commands/policy.js && node --check src/commands/swarm.js && node --check src/commands/daemon.js && node --check src/commands/audit.js && node --check src/config/service.js && node --check src/ingest/engine.js && node --check src/spec/generator.js && node --check src/spec/regenerate.js && node --check src/spec/templates.js && node --check src/prompt/generator.js && node --check src/scan/generator.js && node --check src/guide/generator.js && node --check src/cost/tracker.js && node --check src/cost/history.js && node --check src/cost/budget.js && node --check src/ai/client.js && node --check src/ai/aidenid.js && node --check src/ai/identity-store.js && node --check src/ai/domain-target-store.js && node --check src/ai/site-store.js && node --check src/review/local-review.js && node --check src/review/ai-review.js && node --check src/review/report.js && node --check src/review/replay.js && node --check src/audit/registry.js && node --check src/audit/orchestrator.js && node --check src/audit/package.js && node --check src/audit/replay.js && node --check src/audit/agents/security.js && node --check src/audit/agents/architecture.js && node --check src/audit/agents/testing.js && node --check src/audit/agents/performance.js && node --check src/audit/agents/compliance.js && node --check src/audit/agents/documentation.js && node --check src/swarm/registry.js && node --check src/swarm/factory.js && node --check src/swarm/runtime.js && node --check src/swarm/scenario-dsl.js && node --check src/swarm/dashboard.js && node --check src/swarm/report.js && node --check src/swarm/pentest.js && node --check src/daemon/error-worker.js && node --check src/daemon/assignment-ledger.js && node --check src/daemon/jira-lifecycle.js && node --check src/daemon/budget-governor.js && node --check src/daemon/operator-control.js && node --check src/daemon/artifact-lineage.js && node --check src/daemon/ast-parser-layer.js && node --check src/daemon/callgraph-overlay.js && node --check src/daemon/hybrid-mapper.js && node --check src/daemon/reliability-lane.js && node --check src/daemon/watchdog.js && node --check src/telemetry/ledger.js && node --check src/auth/http.js && node --check src/auth/session-store.js && node --check src/auth/service.js && node --check src/mcp/registry.js && node --check src/memory/blackboard.js && node --check src/memory/retrieval.js && node --check src/plugin/manifest.js && node --check src/policy/packs.js && node --check src/ui/markdown.js && node --check src/ui/progress.js && node --check src/agents/jules/tools/file-read.js && node --check src/agents/jules/tools/grep.js && node --check src/agents/jules/tools/glob.js && node --check src/agents/jules/tools/shell.js && node --check src/agents/jules/tools/file-edit.js && node --check src/agents/jules/tools/dispatch.js && node --check src/agents/jules/tools/index.js && node --check src/agents/jules/tools/frontend-analyze.js && node --check src/agents/jules/swarm/sub-agent.js && node --check src/agents/jules/swarm/file-scanner.js && node --check src/agents/jules/swarm/pattern-hunter.js && node --check src/agents/jules/swarm/index.js && node --check src/agents/jules/swarm/orchestrator.js && node --check src/agents/jules/config/definition.js && node --check src/agents/jules/loop.js && node --check src/agents/jules/stream.js && node --check src/agents/jules/fix-cycle.js && node --check src/agents/jules/error-intake.js && node --check src/agents/jules/tools/runtime-audit.js && node --check src/agents/jules/config/system-prompt.js && node --check src/agents/jules/tools/auth-audit.js && node --check src/auth/gate.js",
     "test": "npm run test:unit && npm run test:e2e",
     "test:unit": "node --test tests/unit*.test.mjs",
     "test:e2e": "node --test tests/e2e.test.mjs",

package/src/agents/jules/tools/runtime-audit.js

@@ -18,7 +18,7 @@ const LIGHTHOUSE_TIMEOUT_MS = 120000;
  * @param {{ operation: string, url?: string, path?: string }} input
  * @returns {object} Structured result per operation
  */
-export function runtimeAudit(input) {
+export async function runtimeAudit(input) {
   if (!RUNTIME_OPS.has(input.operation)) {
     throw new RuntimeAuditError(
       "Unknown operation: " + input.operation + ". Valid: " + [...RUNTIME_OPS].join(", "),
@@ -49,7 +49,7 @@ const RUNTIME_DISPATCH = {
  * Run Lighthouse via npx (no install required).
  * Returns performance, accessibility, best-practices, SEO scores + key metrics.
  */
-function lighthouseScan(input) {
+async function lighthouseScan(input) {
   const url = input.url;
   if (!url) {
     throw new RuntimeAuditError("lighthouse_scan requires a url parameter");
@@ -58,6 +58,13 @@ function lighthouseScan(input) {
     throw new RuntimeAuditError("Invalid URL: " + url);
   }
 
+  // Prefer SentinelLayer API scanner (authenticated, server-side Lighthouse).
+  // Falls back to local npx lighthouse if API unavailable.
+  try {
+    const apiResult = await callScannerApi(url);
+    if (apiResult.available) return apiResult;
+  } catch { /* API unavailable — fall back to local */ }
+
   try {
     const outputPath = path.join(
       input.path || process.cwd(),
@@ -76,6 +83,7 @@ function lighthouseScan(input) {
       encoding: "utf-8",
       timeout: LIGHTHOUSE_TIMEOUT_MS,
       stdio: ["pipe", "pipe", "pipe"],
+      shell: true, // Windows: npx is npx.cmd, needs shell resolution
     });
 
     if (!fs.existsSync(outputPath)) {
@@ -401,6 +409,82 @@ function sanitizeUrlForShell(url) {
   }
 }
 
+/**
+ * Call the SentinelLayer API scanner endpoint for server-side Lighthouse.
+ * Requires authenticated session (token from sl auth login).
+ * Returns structured result or throws if unavailable.
+ */
+async function callScannerApi(url) {
+  let session;
+  try {
+    const { readStoredSession } = await import("../../../auth/session-store.js");
+    session = await readStoredSession();
+  } catch { /* session read failed */ }
+
+  if (!session || !session.token) {
+    return { available: false, reason: "Not authenticated — run sl auth login" };
+  }
+
+  const apiUrl = session.apiUrl || "https://api.sentinelayer.com";
+  const scanEndpoint = apiUrl + "/api/v1/scan/url";
+
+  // Submit scan
+  const submitResponse = await fetch(scanEndpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "Authorization": "Bearer " + session.token,
+    },
+    body: JSON.stringify({ url, scan_type: "lighthouse" }),
+    signal: AbortSignal.timeout(15000),
+  });
+
+  if (!submitResponse.ok) {
+    return { available: false, reason: "Scanner API returned " + submitResponse.status };
+  }
+
+  const submitData = await submitResponse.json();
+  const scanId = submitData.scan_id || submitData.id;
+  if (!scanId) {
+    return { available: false, reason: "Scanner did not return scan_id" };
+  }
+
+  // Poll for completion (max 90s)
+  const pollUrl = apiUrl + "/api/v1/scan/url/" + scanId;
+  for (let attempt = 0; attempt < 30; attempt++) {
+    await new Promise(r => setTimeout(r, 3000));
+    try {
+      const pollResponse = await fetch(pollUrl, {
+        headers: { "Authorization": "Bearer " + session.token },
+        signal: AbortSignal.timeout(10000),
+      });
+      if (!pollResponse.ok) continue;
+      const pollData = await pollResponse.json();
+      if (pollData.status === "completed" || pollData.status === "complete") {
+        const scores = pollData.scores || pollData.lighthouse_scores || {};
+        return {
+          available: true,
+          source: "sentinelayer-api",
+          scanId,
+          reportPath: null,
+          scores: {
+            performance: scores.performance ?? null,
+            accessibility: scores.accessibility ?? null,
+            bestPractices: scores.best_practices ?? scores.bestPractices ?? null,
+            seo: scores.seo ?? null,
+          },
+          metrics: pollData.metrics || {},
+          opportunities: pollData.opportunities || [],
+        };
+      }
+      if (pollData.status === "failed" || pollData.status === "error") {
+        return { available: false, reason: "Scanner reported failure: " + (pollData.error || pollData.status) };
+      }
+    } catch { /* poll failed, retry */ }
+  }
+  return { available: false, reason: "Scanner timed out after 90s" };
+}
+
 export class RuntimeAuditError extends Error {
   constructor(message) {
     super(message);

package/src/auth/gate.js

@@ -0,0 +1,92 @@
+import process from "node:process";
+import pc from "picocolors";
+import { readStoredSession } from "./session-store.js";
+
+/**
+ * Auth gate — ensures user is logged in before running any command.
+ *
+ * Commands that bypass auth:
+ * - auth login, auth status, auth --help
+ * - --help, --version, -h, -v
+ * - config (read-only config inspection)
+ *
+ * All other commands require a valid session.
+ * If not authenticated, prints instructions and exits.
+ */
+
+const AUTH_BYPASS_COMMANDS = new Set([
+  "auth",      // auth subcommands handle their own auth
+  "--help",
+  "-h",
+  "--version",
+  "-v",
+]);
+
+// Commands that work without auth (read-only, no API calls)
+const NO_AUTH_REQUIRED = new Set([
+  "config",    // local config inspection
+]);
+
+/**
+ * Check if the current command requires authentication.
+ * Returns true if auth is required but user is not logged in.
+ *
+ * @param {string[]} args - CLI arguments (after normalization)
+ * @returns {Promise<{ authenticated: boolean, session: object|null, bypassReason: string|null }>}
+ */
+export async function checkAuthGate(args) {
+  const first = String(args[0] || "").trim().toLowerCase();
+
+  // Bypass commands
+  if (!first || AUTH_BYPASS_COMMANDS.has(first)) {
+    return { authenticated: true, session: null, bypassReason: "auth_bypass_command" };
+  }
+
+  if (NO_AUTH_REQUIRED.has(first)) {
+    return { authenticated: true, session: null, bypassReason: "no_auth_required" };
+  }
+
+  // CI/test bypass — allows automated testing without auth
+  if (process.env.SENTINELAYER_CLI_SKIP_AUTH === "1" || process.env.CI === "true") {
+    return { authenticated: true, session: null, bypassReason: "env_bypass" };
+  }
+
+  // Check for stored session
+  try {
+    const session = await readStoredSession();
+    if (session && session.token) {
+      // Check if token is expired
+      if (session.tokenExpiresAt) {
+        const expiresAt = new Date(session.tokenExpiresAt).getTime();
+        if (expiresAt < Date.now()) {
+          return { authenticated: false, session: null, bypassReason: null };
+        }
+      }
+      return { authenticated: true, session, bypassReason: null };
+    }
+  } catch {
+    // Session read failed — treat as not authenticated
+  }
+
+  return { authenticated: false, session: null, bypassReason: null };
+}
+
+/**
+ * Print auth required message and exit.
+ */
+export function printAuthRequired() {
+  console.error("");
+  console.error(pc.bold(pc.red("Authentication required.")));
+  console.error("");
+  console.error("  Log in to SentinelLayer to use CLI commands:");
+  console.error("");
+  console.error("    " + pc.cyan("sl auth login"));
+  console.error("");
+  console.error("  This opens your browser to authenticate via GitHub or Google.");
+  console.error("  Your session is encrypted and stored locally.");
+  console.error("");
+  console.error("  " + pc.gray("Why? All CLI operations sync to your SentinelLayer account —"));
+  console.error("  " + pc.gray("audit reports, findings, cost tracking, and run history."));
+  console.error("");
+  process.exitCode = 1;
+}

package/src/cli.js

@@ -230,6 +230,14 @@ export async function runCli(rawArgs = process.argv.slice(2)) {
   // Normalize slash commands (/omargate → omargate, /audit → audit, etc.)
   const normalizedArgs = normalizeSlashArgs(rawArgs);
 
+  // Auth gate — require login for all commands except auth/help/version/config
+  const { checkAuthGate, printAuthRequired } = await import("./auth/gate.js");
+  const authResult = await checkAuthGate(normalizedArgs);
+  if (!authResult.authenticated) {
+    printAuthRequired();
+    return;
+  }
+
   if (shouldBypassCommander(normalizedArgs)) {
     await runLegacyCliWithErrorHandling(normalizedArgs);
     return;