sentinelayer-cli 0.3.0 → 0.4.4

package/README.md

@@ -863,7 +863,7 @@ Ledger contract:
 
 ## Requirements
 
-- Node `>=18.17`
+- Node `>=20.0`
 - network access to Sentinelayer API/web
 - optional: GitHub CLI (`gh`) authenticated for secret injection
 
@@ -884,15 +884,17 @@ Build provenance attestations are enforced by `.github/workflows/attestations.ym
 Prerequisites:
 
 - npm package name is available (`sentinelayer-cli`)
-- repository secret `NPM_TOKEN` is set with publish access
+- one publish auth path is configured:
+  - repository secret `NPM_TOKEN` with publish access, or
+  - npm trusted publishing for this repository/tag workflow
 
 Release options:
 
 1. Merge to `main` and let `Release Please` open/update the release PR and tag.
 2. Push a tag like `v0.1.1` to publish automatically (or via release-please tag creation).
-3. Run `Release` manually in verify-only mode (`publish=false`, default) to validate and upload tarball artifact.
-4. Run `Release` manually with `publish=true` to publish from Actions.
-5. If `NPM_TOKEN` is not configured, publish is skipped with an explicit workflow message (verification + tarball still succeed).
+3. Run `Release` manually (`workflow_dispatch`) to validate gates and rollback readiness without publishing.
+4. Tag-triggered publish resolves auth mode at runtime (`NPM_TOKEN` first, otherwise trusted publishing OIDC).
+5. If neither auth mode is available, publish fails closed with an explicit workflow error.
 
 Release publish now enforces tarball checksum-manifest validation and attestation verification bound to `.github/workflows/release.yml` before `npm publish`.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sentinelayer-cli",
-  "version": "0.3.0",
+  "version": "0.4.4",
   "description": "Scaffold Sentinelayer spec/prompt/guide artifacts with secure browser auth and token bootstrap.",
   "type": "module",
   "scripts": {
@@ -23,7 +23,7 @@
     "README.md"
   ],
   "engines": {
-    "node": ">=18.17.0"
+    "node": ">=20.0.0"
   },
   "keywords": [
     "sentinelayer",
@@ -57,6 +57,7 @@
     "keytar": "7.9.0"
   },
   "devDependencies": {
-    "c8": "10.1.3"
+    "c8": "10.1.3",
+    "license-checker-rseidelsohn": "4.4.2"
   }
 }

package/src/agents/jules/pulse.js

@@ -264,12 +264,11 @@ async function sendSlackWebhook(webhookUrl, alert) {
     ],
   });
 
-  const response = await fetch(webhookUrl, {
+  const response = await fetchWithTimeout(webhookUrl, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
     body: payload,
-    signal: AbortSignal.timeout(10000),
-  });
+  }, 10000);
 
   if (!response.ok) {
     throw new Error("Slack webhook failed: " + response.status);
@@ -285,12 +284,11 @@ async function sendTelegramMessage(botToken, chatId, alert) {
     disable_web_page_preview: true,
   });
 
-  const response = await fetch(url, {
+  const response = await fetchWithTimeout(url, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
     body: payload,
-    signal: AbortSignal.timeout(10000),
-  });
+  }, 10000);
 
   if (!response.ok) {
     throw new Error("Telegram send failed: " + response.status);
@@ -316,4 +314,14 @@ function resolveAlertChannels() {
   return channels;
 }
 
+async function fetchWithTimeout(url, options, timeoutMs) {
+  const controller = new AbortController();
+  const timeoutHandle = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    return await fetch(url, { ...options, signal: controller.signal });
+  } finally {
+    clearTimeout(timeoutHandle);
+  }
+}
+
 export { STUCK_THRESHOLDS };