sentinelayer-cli 0.10.0 → 0.10.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sentinelayer-cli",
-  "version": "0.10.0",
+  "version": "0.10.2",
   "description": "Scaffold Sentinelayer spec/prompt/guide artifacts with secure browser auth and token bootstrap.",
   "type": "module",
   "scripts": {

package/src/commands/session.js

@@ -347,14 +347,37 @@ async function ensureLocalSessionForRemoteCommand(
     }
     const existingStatus = normalizeString(existing.status).toLowerCase();
     const locallyClosedByStatus = existingStatus === "expired" || existingStatus === "archived";
+    let verifiedRemoteSession = remoteSession;
+    let verifiedRemoteStatus = normalizeString(
+      verifiedRemoteSession?.archiveStatus || verifiedRemoteSession?.status,
+    ).toLowerCase();
     if (locallyClosedByStatus && !skipRemoteProbe) {
+      const verification = await verifyRemoteSession(sessionId, { targetPath }).catch((error) => ({
+        ok: false,
+        reason: normalizeString(error?.message) || "verify_failed",
+      }));
+      if (!verification?.ok) {
+        throw new Error(
+          `Session '${sessionId}' is ${existingStatus} locally and remote verification failed (${verification?.reason || "unknown"}).`,
+        );
+      }
+      verifiedRemoteSession = verification.session || verifiedRemoteSession;
+      verifiedRemoteStatus = normalizeString(
+        verifiedRemoteSession?.archiveStatus || verifiedRemoteSession?.status,
+      ).toLowerCase();
+    }
+    if (
+      locallyClosedByStatus &&
+      verifiedRemoteStatus &&
+      !["active", "pending"].includes(verifiedRemoteStatus)
+    ) {
       throw new Error(
-        `Session '${sessionId}' is ${existingStatus} locally; run \`sl session join ${sessionId}\` to verify remote access before posting.`,
+        `Session '${sessionId}' is ${existingStatus} locally and remote status is ${verifiedRemoteStatus}; refusing to reopen a closed session.`,
       );
     }
 
-    let access = { accessible: Boolean(skipRemoteProbe), reason: "" };
-    if (!skipRemoteProbe) {
+    let access = { accessible: Boolean(skipRemoteProbe || locallyClosedByStatus), reason: "" };
+    if (!skipRemoteProbe && !locallyClosedByStatus) {
       access = await probeSessionAccess(sessionId, { targetPath }).catch((error) => ({
         accessible: false,
         reason: normalizeString(error?.message) || "probe_failed",
@@ -368,12 +391,13 @@ async function ensureLocalSessionForRemoteCommand(
 
     const refreshed = await refreshSessionCacheForRemoteActivity(sessionId, {
       targetPath,
-      title,
+      title: title || normalizeString(verifiedRemoteSession?.title),
+      expiresAt: normalizeString(verifiedRemoteSession?.expiresAt),
       lastInteractionAt:
-        normalizeString(remoteSession?.lastInteractionAt) ||
-        normalizeString(remoteSession?.lastActivityAt) ||
-        normalizeString(remoteSession?.updatedAt) ||
-        normalizeString(remoteSession?.createdAt),
+        normalizeString(verifiedRemoteSession?.lastInteractionAt) ||
+        normalizeString(verifiedRemoteSession?.lastActivityAt) ||
+        normalizeString(verifiedRemoteSession?.updatedAt) ||
+        normalizeString(verifiedRemoteSession?.createdAt),
     });
     return { materialized: false, refreshed: Boolean(refreshed), session: refreshed || existing };
   }
@@ -396,6 +420,13 @@ async function ensureLocalSessionForRemoteCommand(
     targetPath,
     sessionId,
     title: normalizeString(title) || `remote-${String(sessionId).slice(0, 8)}`,
+    createdAt: normalizeString(remoteSession?.createdAt),
+    expiresAt: normalizeString(remoteSession?.expiresAt),
+    lastInteractionAt:
+      normalizeString(remoteSession?.lastInteractionAt) ||
+      normalizeString(remoteSession?.lastActivityAt) ||
+      normalizeString(remoteSession?.updatedAt) ||
+      normalizeString(remoteSession?.createdAt),
   });
   return { materialized: true, refreshed: false, session: created };
 }

package/src/legacy-cli.js

@@ -2316,7 +2316,7 @@ jobs:
           fi
       - name: Run Omar Gate
         id: omar
-        uses: mrrCarter/sentinelayer-v1-action@b13504565105b2496c5b1dbb7a3e9bf914c2a9f8
+        uses: mrrCarter/sentinelayer-v1-action@4cb3063e04e3b899981b25f6918b26f70d35a8d4
         with:
           sentinelayer_token: \${{ secrets.${normalizedSecret} }}${specIdBindingLine}
           scan_mode: \${{ github.event_name == 'workflow_dispatch' && inputs.scan_mode || 'deep' }}

package/src/scan/generator.js

@@ -2,7 +2,7 @@ import YAML from "yaml";
 
 export const DEFAULT_SCAN_WORKFLOW_PATH = ".github/workflows/omar-gate.yml";
 export const DEFAULT_SCAN_SECRET_NAME = "SENTINELAYER_TOKEN";
-export const SENTINELAYER_ACTION_REF = "mrrCarter/sentinelayer-v1-action@b13504565105b2496c5b1dbb7a3e9bf914c2a9f8";
+export const SENTINELAYER_ACTION_REF = "mrrCarter/sentinelayer-v1-action@4cb3063e04e3b899981b25f6918b26f70d35a8d4";
 export const SUPPORTED_E2E_HINTS = Object.freeze(["auto", "yes", "no"]);
 export const SUPPORTED_PLAYWRIGHT_MODES = Object.freeze(["auto", "off", "baseline", "audit"]);
 

package/src/session/store.js

@@ -537,6 +537,7 @@ export async function refreshSessionCacheForRemoteActivity(
     targetPath = process.cwd(),
     title = "",
     ttlSeconds = DEFAULT_TTL_SECONDS,
+    expiresAt = "",
     lastInteractionAt = "",
     nowIso = new Date().toISOString(),
   } = {}
@@ -563,7 +564,7 @@ export async function refreshSessionCacheForRemoteActivity(
   const metadata = {
     ...loaded.metadata,
     updatedAt: nowIso,
-    expiresAt: toIsoAfterSeconds(nowIso, normalizedTtlSeconds),
+    expiresAt: normalizeIsoTimestamp(expiresAt, toIsoAfterSeconds(nowIso, normalizedTtlSeconds)),
     ttlSeconds: normalizedTtlSeconds,
     status: SESSION_STATUS_ACTIVE,
     expiredAt: null,

package/src/session/stream.js

@@ -6,13 +6,15 @@ import { createAgentEvent, normalizeAgentEvent } from "../events/schema.js";
 import { enrichEventWithMentions } from "./mentions.js";
 import { resolveSessionPaths } from "./paths.js";
 import { redactEventPayload } from "./redact.js";
-import { syncSessionEventToApi } from "./sync.js";
+import { fetchSessionFromApi, listSessionsFromApi, syncSessionEventToApi } from "./sync.js";
 
 const DEFAULT_POLL_MS = 500;
 const DEFAULT_LOCK_TIMEOUT_MS = 10_000;
 const DEFAULT_LOCK_STALE_MS = 30_000;
 const DEFAULT_LOCK_POLL_MS = 25;
 const DEFAULT_MAX_STREAM_EVENTS = 10_000;
+const DEFAULT_REMOTE_REFRESH_TTL_SECONDS = 24 * 60 * 60;
+const REMOTE_REFRESH_TIMEOUT_MS = 2_500;
 
 function normalizeString(value) {
   return String(value || "").trim();
@@ -41,6 +43,15 @@ function normalizePositiveInteger(value, fallbackValue) {
   return Math.floor(normalized);
 }
 
+function toIsoAfterSeconds(baseIso, seconds) {
+  const baseEpoch = Date.parse(normalizeIsoTimestamp(baseIso, new Date().toISOString()));
+  const normalizedSeconds = normalizePositiveInteger(
+    seconds,
+    DEFAULT_REMOTE_REFRESH_TTL_SECONDS,
+  );
+  return new Date(baseEpoch + normalizedSeconds * 1000).toISOString();
+}
+
 async function readSessionMetadata(paths) {
   try {
     const raw = await fsp.readFile(paths.metadataPath, "utf-8");
@@ -64,6 +75,108 @@ async function writeSessionMetadata(paths, metadata = {}) {
   await fsp.rename(tmpPath, paths.metadataPath);
 }
 
+function remoteStatusAllowsLocalRefresh(remoteSession = {}) {
+  const status = normalizeString(remoteSession.archiveStatus || remoteSession.status).toLowerCase();
+  return !status || status === "active" || status === "pending";
+}
+
+function resolveRemoteSessionStatus(remoteSession = {}) {
+  return normalizeString(remoteSession.archiveStatus || remoteSession.status).toLowerCase();
+}
+
+async function resolveRemoteRefreshCandidate(sessionId, { targetPath = process.cwd() } = {}) {
+  const singletonResult = await fetchSessionFromApi(sessionId, {
+    targetPath,
+    timeoutMs: REMOTE_REFRESH_TIMEOUT_MS,
+  }).catch((error) => ({
+    ok: false,
+    reason: normalizeString(error?.message) || "fetch_failed",
+    session: null,
+  }));
+  if (singletonResult?.ok && singletonResult.session) {
+    if (!remoteStatusAllowsLocalRefresh(singletonResult.session)) {
+      return {
+        ok: false,
+        reason: `remote_${resolveRemoteSessionStatus(singletonResult.session) || "closed"}`,
+        remoteSession: singletonResult.session,
+      };
+    }
+    return { ok: true, reason: "", remoteSession: singletonResult.session };
+  }
+  if (singletonResult?.status && singletonResult.status !== 404) {
+    return { ok: false, reason: singletonResult.reason || `api_${singletonResult.status}` };
+  }
+
+  const listResult = await listSessionsFromApi({
+    targetPath,
+    includeArchived: true,
+    limit: 200,
+    timeoutMs: REMOTE_REFRESH_TIMEOUT_MS,
+  }).catch((error) => ({
+    ok: false,
+    reason: normalizeString(error?.message) || "list_failed",
+    sessions: [],
+  }));
+  if (listResult?.ok) {
+    const remoteSession = (listResult.sessions || []).find(
+      (entry) => normalizeString(entry?.sessionId) === sessionId,
+    );
+    if (remoteSession) {
+      if (!remoteStatusAllowsLocalRefresh(remoteSession)) {
+        return {
+          ok: false,
+          reason: `remote_${resolveRemoteSessionStatus(remoteSession) || "closed"}`,
+          remoteSession,
+        };
+      }
+      return { ok: true, reason: "", remoteSession };
+    }
+  }
+
+  return { ok: false, reason: listResult?.reason || singletonResult?.reason || "remote_unavailable" };
+}
+
+async function refreshExpiredMetadataFromRemote(paths, metadata = {}, { targetPath = process.cwd() } = {}) {
+  const candidate = await resolveRemoteRefreshCandidate(paths.sessionId, { targetPath });
+  if (!candidate?.ok) {
+    return { refreshed: false, reason: candidate?.reason || "remote_unavailable", metadata };
+  }
+  const remoteSession = candidate.remoteSession || {};
+  const nowIso = new Date().toISOString();
+  const ttlSeconds = normalizePositiveInteger(
+    metadata.ttlSeconds,
+    DEFAULT_REMOTE_REFRESH_TTL_SECONDS,
+  );
+  const remoteExpiresAt = normalizeString(remoteSession.expiresAt);
+  const remoteExpiryEpoch = Date.parse(remoteExpiresAt);
+  const nowEpoch = Date.parse(nowIso);
+  const expiresAt =
+    Number.isFinite(remoteExpiryEpoch) && Number.isFinite(nowEpoch) && remoteExpiryEpoch > nowEpoch
+      ? new Date(remoteExpiryEpoch).toISOString()
+      : toIsoAfterSeconds(nowIso, ttlSeconds);
+  const refreshed = {
+    ...metadata,
+    updatedAt: nowIso,
+    expiresAt,
+    ttlSeconds,
+    status: "active",
+    expiredAt: null,
+    archivedAt: null,
+    archiveStatus: resolveRemoteSessionStatus(remoteSession) || "active",
+    title: normalizeString(remoteSession.title) || metadata.title || null,
+    lastInteractionAt: normalizeIsoTimestamp(
+      remoteSession.lastInteractionAt ||
+        remoteSession.lastActivityAt ||
+        remoteSession.updatedAt ||
+        remoteSession.createdAt ||
+        metadata.lastInteractionAt,
+      metadata.lastInteractionAt || metadata.createdAt || nowIso,
+    ),
+  };
+  await writeSessionMetadata(paths, refreshed);
+  return { refreshed: true, reason: "", metadata: refreshed };
+}
+
 function isSessionExpired(metadata = {}, nowIso = new Date().toISOString()) {
   const status = normalizeString(metadata.status).toLowerCase();
   if (status === "expired" || status === "archived") {
@@ -227,12 +340,18 @@ export async function appendToStream(
   { targetPath = process.cwd(), maxEvents = DEFAULT_MAX_STREAM_EVENTS, syncRemote = true } = {}
 ) {
   const paths = resolveSessionPaths(sessionId, { targetPath });
-  const metadata = await readSessionMetadata(paths);
+  let metadata = await readSessionMetadata(paths);
   if (!metadata) {
     throw new Error(`Session '${paths.sessionId}' was not found.`);
   }
   if (isSessionExpired(metadata)) {
-    throw new Error(`Session '${paths.sessionId}' is expired and does not accept new events.`);
+    const refresh = await refreshExpiredMetadataFromRemote(paths, metadata, { targetPath });
+    if (!refresh.refreshed) {
+      throw new Error(
+        `Session '${paths.sessionId}' is expired and does not accept new events (remote refresh failed: ${refresh.reason}).`,
+      );
+    }
+    metadata = refresh.metadata;
   }
 
   const rawEvent = materializeCanonicalEvent(paths.sessionId, event);

package/src/session/sync.js

@@ -1319,6 +1319,91 @@ export async function listSessionsFromApi({
   };
 }
 
+/**
+ * Fetch one visible session row by id via `GET /api/v1/sessions/{id}`.
+ *
+ * The session-events read probe can prove membership, but it cannot prove the
+ * remote session is still active. Callers that need to refresh local closed
+ * metadata should use this status-bearing endpoint first, then fall back to
+ * `listSessionsFromApi` only for older API deployments without singleton read.
+ *
+ * @param {string} sessionId
+ * @param {object} [options]
+ * @param {string} [options.targetPath]
+ * @param {Function} [options.resolveAuthSession]
+ * @param {Function} [options.fetchImpl]
+ * @param {number} [options.timeoutMs]
+ * @returns {Promise<{ok: boolean, reason: string, session: object|null, status?: number}>}
+ */
+export async function fetchSessionFromApi(
+  sessionId,
+  {
+    targetPath = process.cwd(),
+    resolveAuthSession = resolveActiveAuthSession,
+    fetchImpl = fetchWithTimeout,
+    timeoutMs = DEFAULT_SYNC_TIMEOUT_MS,
+  } = {},
+) {
+  const normalizedSessionId = normalizeString(sessionId);
+  if (!normalizedSessionId) {
+    return { ok: false, reason: "invalid_session_id", session: null };
+  }
+
+  let session;
+  try {
+    session = await resolveAuthSession({
+      cwd: targetPath,
+      env: process.env,
+      autoRotate: false,
+    });
+  } catch {
+    return { ok: false, reason: "no_session", session: null };
+  }
+  if (!session || !session.token) {
+    return { ok: false, reason: "not_authenticated", session: null, status: 401 };
+  }
+
+  const apiBaseUrl = resolveApiBaseUrl(session);
+  const endpoint = `${apiBaseUrl}/api/v1/sessions/${encodeURIComponent(normalizedSessionId)}`;
+
+  let response;
+  try {
+    response = await fetchImpl(
+      endpoint,
+      {
+        method: "GET",
+        headers: { Authorization: `Bearer ${session.token}` },
+      },
+      normalizePositiveInteger(timeoutMs, DEFAULT_SYNC_TIMEOUT_MS),
+    );
+  } catch (err) {
+    return {
+      ok: false,
+      reason: normalizeString(err?.message) || "fetch_failed",
+      session: null,
+    };
+  }
+  if (!response) {
+    return { ok: false, reason: "no_response", session: null };
+  }
+  if (response.ok) {
+    const body = await response.json().catch(() => ({}));
+    const sessionPayload = body && body.session && typeof body.session === "object"
+      ? body.session
+      : body && typeof body === "object"
+        ? body
+        : null;
+    return { ok: true, reason: "", session: sessionPayload, status: response.status };
+  }
+  if (response.status === 403) {
+    return { ok: false, reason: "not_a_member", session: null, status: 403 };
+  }
+  if (response.status === 404) {
+    return { ok: false, reason: "session_not_found", session: null, status: 404 };
+  }
+  return { ok: false, reason: `api_${response.status}`, session: null, status: response.status };
+}
+
 /**
  * Probe whether a single session is visible to the active user.
  *