sentinelayer-cli 0.3.0 → 0.4.5

package/src/agents/jules/tools/runtime-audit.js

@@ -3,6 +3,7 @@ import path from "node:path";
 import fs from "node:fs";
 import os from "node:os";
 import { randomUUID } from "node:crypto";
+import { assertPermittedAuditTarget } from "./url-policy.js";
 
 /**
  * Jules Tanaka — Runtime Audit Tool
@@ -54,14 +55,12 @@ async function lighthouseScan(input) {
   if (!url) {
     throw new RuntimeAuditError("lighthouse_scan requires a url parameter");
   }
-  if (!isValidUrl(url)) {
-    throw new RuntimeAuditError("Invalid URL: " + url);
-  }
+  const targetUrl = resolveRuntimeTargetUrl(url, input, "lighthouse_scan");
 
   // Prefer SentinelLayer API scanner (authenticated, server-side Lighthouse).
   // Falls back to local npx lighthouse if API unavailable.
   try {
-    const apiResult = await callScannerApi(url);
+    const apiResult = await callScannerApi(targetUrl);
     if (apiResult.available) return apiResult;
   } catch { /* API unavailable — fall back to local */ }
 
@@ -76,7 +75,7 @@ async function lighthouseScan(input) {
     if (!fs.existsSync(outputDir)) fs.mkdirSync(outputDir, { recursive: true });
 
     execFileSync("npx", [
-      "--yes", "lighthouse@12", url,
+      "--yes", "lighthouse@12", targetUrl,
       "--output", "json", "--output-path", outputPath,
       "--chrome-flags=--headless --no-sandbox --disable-gpu", "--quiet",
     ], {
@@ -136,10 +135,10 @@ async function lighthouseScan(input) {
 function checkResponseHeaders(input) {
   const url = input.url;
   if (!url) throw new RuntimeAuditError("check_response_headers requires a url");
-  if (!isValidUrl(url)) throw new RuntimeAuditError("Invalid URL: " + url);
+  const targetUrl = resolveRuntimeTargetUrl(url, input, "check_response_headers");
 
   try {
-    const safeUrl = sanitizeUrlForShell(url);
+    const safeUrl = sanitizeUrlForShell(targetUrl);
     if (!safeUrl) throw new Error("URL sanitization failed");
     const output = execFileSync("curl", ["-sI", "-L", "--max-time", "10", safeUrl], {
       encoding: "utf-8", timeout: 15000, stdio: ["pipe", "pipe", "pipe"],
@@ -165,7 +164,7 @@ function checkResponseHeaders(input) {
 
     return {
       available: true,
-      url,
+      url: targetUrl,
       statusCode: parseInt(output.match(/HTTP\/[\d.]+ (\d+)/)?.[1] || "0"),
       headers,
       securityFindings: findings,
@@ -224,7 +223,7 @@ function detectDeployedUrl(input) {
 function checkConsoleErrors(input) {
   const url = input.url;
   if (!url) throw new RuntimeAuditError("check_console_errors requires a url");
-  if (!isValidUrl(url)) throw new RuntimeAuditError("Invalid URL: " + url);
+  const targetUrl = resolveRuntimeTargetUrl(url, input, "check_console_errors");
 
   // Try playwright — URL passed via env var to prevent command injection
   try {
@@ -250,7 +249,7 @@ function checkConsoleErrors(input) {
     const output = execFileSync("node", [scriptPath], {
       encoding: "utf-8", timeout: 45000,
       stdio: ["pipe", "pipe", "pipe"],
-      env: { ...process.env, SL_AUDIT_TARGET_URL: url },
+      env: { ...process.env, SL_AUDIT_TARGET_URL: targetUrl },
     });
     try { fs.unlinkSync(scriptPath); } catch { /* best effort */ }
     try { fs.rmdirSync(path.dirname(scriptPath)); } catch { /* best effort */ }
@@ -272,13 +271,13 @@ function checkConsoleErrors(input) {
 function checkNetworkWaterfall(input) {
   const url = input.url;
   if (!url) throw new RuntimeAuditError("check_network_waterfall requires a url");
-  if (!isValidUrl(url)) throw new RuntimeAuditError("Invalid URL: " + url);
+  const targetUrl = resolveRuntimeTargetUrl(url, input, "check_network_waterfall");
 
   try {
     // Write curl format to temp file to avoid shell quoting issues across platforms
     const formatFile = secureTempFile("sl-curl-fmt-" + randomUUID().slice(0, 8) + ".txt");
     fs.writeFileSync(formatFile, '{"dns_ms":%{time_namelookup},"connect_ms":%{time_connect},"tls_ms":%{time_appconnect},"ttfb_ms":%{time_starttransfer},"total_ms":%{time_total},"size_bytes":%{size_download},"status":%{http_code}}');
-    const safeUrl = sanitizeUrlForShell(url);
+    const safeUrl = sanitizeUrlForShell(targetUrl);
     if (!safeUrl) { try { fs.unlinkSync(formatFile); } catch {} throw new Error("URL sanitization failed"); }
     const output = execFileSync("curl", [
       "-sL", "-o", devNull(), "-w", "@" + formatFile, "--max-time", "15", safeUrl,
@@ -290,7 +289,7 @@ function checkNetworkWaterfall(input) {
     for (const key of ["dns_ms", "connect_ms", "tls_ms", "ttfb_ms", "total_ms"]) {
       timing[key] = Math.round(timing[key] * 1000);
     }
-    return { available: true, url, timing };
+    return { available: true, url: targetUrl, timing };
   } catch (err) {
     return { available: false, reason: "curl timing failed: " + err.message };
   }
@@ -302,7 +301,7 @@ function checkNetworkWaterfall(input) {
 function checkDomStats(input) {
   const url = input.url;
   if (!url) throw new RuntimeAuditError("check_dom_stats requires a url");
-  if (!isValidUrl(url)) throw new RuntimeAuditError("Invalid URL: " + url);
+  const targetUrl = resolveRuntimeTargetUrl(url, input, "check_dom_stats");
 
   // URL passed via env var to prevent command injection (CodeQL alert #51)
   try {
@@ -336,7 +335,7 @@ function checkDomStats(input) {
     const output = execFileSync("node", [scriptPath], {
       encoding: "utf-8", timeout: 45000,
       stdio: ["pipe", "pipe", "pipe"],
-      env: { ...process.env, SL_AUDIT_TARGET_URL: url },
+      env: { ...process.env, SL_AUDIT_TARGET_URL: targetUrl },
     });
     try { fs.unlinkSync(scriptPath); } catch { /* best effort */ }
     try { fs.rmdirSync(path.dirname(scriptPath)); } catch { /* best effort */ }
@@ -348,12 +347,15 @@ function checkDomStats(input) {
 
 // ── Helpers ──────────────────────────────────────────────��───────────
 
-function isValidUrl(url) {
+function resolveRuntimeTargetUrl(url, input, operation) {
   try {
-    const parsed = new URL(url);
-    return parsed.protocol === "http:" || parsed.protocol === "https:";
-  } catch {
-    return false;
+    const parsed = assertPermittedAuditTarget(url, {
+      operation,
+      allowPrivateTargets: input.allowPrivateTargets === true,
+    });
+    return parsed.toString();
+  } catch (error) {
+    throw new RuntimeAuditError(error.message);
   }
 }
 
@@ -409,6 +411,16 @@ function sanitizeUrlForShell(url) {
   }
 }
 
+async function fetchWithTimeout(url, options, timeoutMs) {
+  const controller = new AbortController();
+  const timeoutHandle = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    return await fetch(url, { ...options, signal: controller.signal });
+  } finally {
+    clearTimeout(timeoutHandle);
+  }
+}
+
 /**
  * Call the SentinelLayer API scanner endpoint for server-side Lighthouse.
  * Requires authenticated session (token from sl auth login).
@@ -429,15 +441,14 @@ async function callScannerApi(url) {
   const scanEndpoint = apiUrl + "/api/v1/scan/url";
 
   // Submit scan
-  const submitResponse = await fetch(scanEndpoint, {
+  const submitResponse = await fetchWithTimeout(scanEndpoint, {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
       "Authorization": "Bearer " + session.token,
     },
     body: JSON.stringify({ url, scan_type: "lighthouse" }),
-    signal: AbortSignal.timeout(15000),
-  });
+  }, 15000);
 
   if (!submitResponse.ok) {
     return { available: false, reason: "Scanner API returned " + submitResponse.status };
@@ -454,10 +465,9 @@ async function callScannerApi(url) {
   for (let attempt = 0; attempt < 30; attempt++) {
     await new Promise(r => setTimeout(r, 3000));
     try {
-      const pollResponse = await fetch(pollUrl, {
+      const pollResponse = await fetchWithTimeout(pollUrl, {
         headers: { "Authorization": "Bearer " + session.token },
-        signal: AbortSignal.timeout(10000),
-      });
+      }, 10000);
       if (!pollResponse.ok) continue;
       const pollData = await pollResponse.json();
       if (pollData.status === "completed" || pollData.status === "complete") {

package/src/agents/jules/tools/url-policy.js

@@ -0,0 +1,100 @@
+const PRIVATE_HOST_SUFFIXES = [".internal", ".local", ".localhost"];
+const BLOCKED_LITERAL_HOSTS = new Set([
+  "localhost",
+  "127.0.0.1",
+  "::1",
+  "0.0.0.0",
+  "169.254.169.254",
+  "metadata.google.internal",
+  "metadata.google.internal.",
+]);
+
+function isNumericIpv4(hostname) {
+  const parts = String(hostname || "").split(".");
+  if (parts.length !== 4) {
+    return false;
+  }
+  return parts.every((part) => /^[0-9]{1,3}$/.test(part) && Number(part) >= 0 && Number(part) <= 255);
+}
+
+function isPrivateIpv4(hostname) {
+  if (!isNumericIpv4(hostname)) {
+    return false;
+  }
+  const parts = hostname.split(".").map((part) => Number(part));
+  const [a, b] = parts;
+  if (a === 10 || a === 127 || a === 0) return true;
+  if (a === 169 && b === 254) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 100 && b >= 64 && b <= 127) return true;
+  if (a === 198 && (b === 18 || b === 19)) return true;
+  return false;
+}
+
+function isPrivateIpv6(hostname) {
+  const normalized = String(hostname || "").toLowerCase().split("%")[0];
+  if (!normalized.includes(":")) {
+    return false;
+  }
+  if (normalized === "::1" || normalized === "::") {
+    return true;
+  }
+  if (normalized.startsWith("fc") || normalized.startsWith("fd")) {
+    return true;
+  }
+  if (normalized.startsWith("fe8") || normalized.startsWith("fe9") || normalized.startsWith("fea") || normalized.startsWith("feb")) {
+    return true;
+  }
+  return false;
+}
+
+function isPrivateHostname(hostname) {
+  const normalized = String(hostname || "").toLowerCase();
+  if (!normalized) {
+    return true;
+  }
+  if (BLOCKED_LITERAL_HOSTS.has(normalized)) {
+    return true;
+  }
+  if (PRIVATE_HOST_SUFFIXES.some((suffix) => normalized.endsWith(suffix))) {
+    return true;
+  }
+  if (isPrivateIpv4(normalized) || isPrivateIpv6(normalized)) {
+    return true;
+  }
+  return false;
+}
+
+function isPrivateTargetBypassEnabled(allowPrivateTargets) {
+  if (allowPrivateTargets === true) {
+    return true;
+  }
+  if (process.env.SENTINELAYER_ALLOW_PRIVATE_AUDIT_TARGETS === "1") {
+    return true;
+  }
+  if (process.env.NODE_ENV === "test") {
+    return true;
+  }
+  return false;
+}
+
+export function assertPermittedAuditTarget(urlValue, options = {}) {
+  const { operation = "audit", allowPrivateTargets = false } = options;
+  let parsed;
+  try {
+    parsed = new URL(urlValue);
+  } catch {
+    throw new Error("Invalid URL: " + urlValue);
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error("Invalid URL: " + parsed.toString());
+  }
+  if (!isPrivateTargetBypassEnabled(allowPrivateTargets) && isPrivateHostname(parsed.hostname)) {
+    throw new Error(
+      `Blocked private audit target for ${operation}: ${parsed.hostname}. ` +
+      "Set allowPrivateTargets=true or SENTINELAYER_ALLOW_PRIVATE_AUDIT_TARGETS=1 to override."
+    );
+  }
+  return parsed;
+}

package/src/auth/gate.js

@@ -16,6 +16,7 @@ import { readStoredSession } from "./session-store.js";
 
 const AUTH_BYPASS_COMMANDS = new Set([
   "auth",      // auth subcommands handle their own auth
+  "help",      // help must work without login so agents can discover commands
   "--help",
   "-h",
   "--version",
@@ -27,6 +28,46 @@ const NO_AUTH_REQUIRED = new Set([
   "config",    // local config inspection
 ]);
 
+function hasTrustedBypassContext() {
+  const nonce = String(process.env.SENTINELAYER_CLI_TEST_BYPASS_NONCE || "").trim();
+  return (
+    process.env.NODE_ENV === "test" &&
+    process.env.SENTINELAYER_CLI_TEST_MODE === "1" &&
+    nonce.length >= 12
+  );
+}
+
+function isValidSessionToken(session) {
+  const token = String(session?.token || "");
+  if (!token || token !== token.trim()) {
+    return false;
+  }
+  if (/\s/.test(token)) {
+    return false;
+  }
+  // Require printable ASCII only for bearer token material in local metadata.
+  if (/[^\x21-\x7E]/.test(token)) {
+    return false;
+  }
+  const tokenPrefix = String(session?.tokenPrefix || "").trim();
+  if (tokenPrefix && !token.startsWith(tokenPrefix)) {
+    return false;
+  }
+  return true;
+}
+
+function isSessionUnexpired(tokenExpiresAt) {
+  const normalized = String(tokenExpiresAt || "").trim();
+  if (!normalized) {
+    return false;
+  }
+  const expiresAt = new Date(normalized).getTime();
+  if (!Number.isFinite(expiresAt)) {
+    return false;
+  }
+  return expiresAt >= Date.now();
+}
+
 /**
  * Check if the current command requires authentication.
  * Returns true if auth is required but user is not logged in.
@@ -46,22 +87,15 @@ export async function checkAuthGate(args) {
     return { authenticated: true, session: null, bypassReason: "no_auth_required" };
   }
 
-  // CI/test bypass — allows automated testing without auth
-  if (process.env.SENTINELAYER_CLI_SKIP_AUTH === "1" || process.env.CI === "true") {
-    return { authenticated: true, session: null, bypassReason: "env_bypass" };
+  // Explicit bypass is gated to trusted test contexts only.
+  if (process.env.SENTINELAYER_CLI_SKIP_AUTH === "1" && hasTrustedBypassContext()) {
+    return { authenticated: true, session: null, bypassReason: "env_bypass_guarded" };
   }
 
   // Check for stored session
   try {
     const session = await readStoredSession();
-    if (session && session.token) {
-      // Check if token is expired
-      if (session.tokenExpiresAt) {
-        const expiresAt = new Date(session.tokenExpiresAt).getTime();
-        if (expiresAt < Date.now()) {
-          return { authenticated: false, session: null, bypassReason: null };
-        }
-      }
+    if (session && isValidSessionToken(session) && isSessionUnexpired(session.tokenExpiresAt)) {
       return { authenticated: true, session, bypassReason: null };
     }
   } catch {

package/src/auth/http.js

@@ -5,6 +5,18 @@ import { setTimeout as sleep } from "node:timers/promises";
  * @type {number}
  */
 export const DEFAULT_REQUEST_TIMEOUT_MS = 20_000;
+export const DEFAULT_MAX_RETRIES = 2;
+export const DEFAULT_RETRY_DELAY_MS = 250;
+export const MAX_RETRY_DELAY_MS = 2_000;
+export const CIRCUIT_BREAKER_THRESHOLD = 5;
+export const CIRCUIT_BREAKER_COOLDOWN_MS = 30_000;
+
+const RETRYABLE_STATUS_CODES = new Set([408, 425, 429, 500, 502, 503, 504]);
+const CIRCUIT_TRACK_STATUS_CODES = new Set([401, 403, 408, 425, 429, 500, 502, 503, 504]);
+const circuitState = {
+  consecutiveFailures: 0,
+  openedAtMs: 0,
+};
 
 function normalizeApiError(errorPayload = {}) {
   if (!errorPayload || typeof errorPayload !== "object" || Array.isArray(errorPayload)) {
@@ -35,6 +47,88 @@ export class SentinelayerApiError extends Error {
   }
 }
 
+function normalizePositiveNumber(value, fallback) {
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return fallback;
+  }
+  return parsed;
+}
+
+function normalizeNonNegativeInteger(value, fallback) {
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed) || parsed < 0) {
+    return fallback;
+  }
+  return Math.floor(parsed);
+}
+
+function parseRetryAfterMs(value) {
+  const raw = String(value || "").trim();
+  if (!raw) {
+    return null;
+  }
+  const seconds = Number(raw);
+  if (Number.isFinite(seconds) && seconds >= 0) {
+    return Math.round(seconds * 1000);
+  }
+  const parsedDate = Date.parse(raw);
+  if (Number.isFinite(parsedDate)) {
+    const delta = parsedDate - Date.now();
+    if (delta > 0) {
+      return delta;
+    }
+  }
+  return null;
+}
+
+function computeBackoffMs({ attempt, retryDelayMs, retryAfterHeader }) {
+  const retryAfterMs = parseRetryAfterMs(retryAfterHeader);
+  if (retryAfterMs !== null) {
+    return Math.min(retryAfterMs, MAX_RETRY_DELAY_MS);
+  }
+  const exponent = Math.max(0, Number(attempt) - 1);
+  const computed = Math.round(retryDelayMs * Math.pow(2, exponent));
+  return Math.min(Math.max(1, computed), MAX_RETRY_DELAY_MS);
+}
+
+function isCircuitOpen() {
+  if (circuitState.openedAtMs <= 0) {
+    return false;
+  }
+  if (Date.now() - circuitState.openedAtMs >= CIRCUIT_BREAKER_COOLDOWN_MS) {
+    circuitState.openedAtMs = 0;
+    circuitState.consecutiveFailures = 0;
+    return false;
+  }
+  return true;
+}
+
+function recordFailureForCircuit() {
+  circuitState.consecutiveFailures += 1;
+  if (circuitState.consecutiveFailures >= CIRCUIT_BREAKER_THRESHOLD) {
+    circuitState.openedAtMs = Date.now();
+  }
+}
+
+function recordSuccessForCircuit() {
+  circuitState.consecutiveFailures = 0;
+  circuitState.openedAtMs = 0;
+}
+
+function shouldRetryStatus(statusCode) {
+  return RETRYABLE_STATUS_CODES.has(Number(statusCode || 0));
+}
+
+function shouldRecordFailureForStatus(statusCode) {
+  return CIRCUIT_TRACK_STATUS_CODES.has(Number(statusCode || 0));
+}
+
+export function __resetRequestCircuitForTests() {
+  circuitState.consecutiveFailures = 0;
+  circuitState.openedAtMs = 0;
+}
+
 /**
  * Execute an HTTP request against the Sentinelayer API and parse a JSON response.
  * Throws `SentinelayerApiError` for transport errors, timeouts, API failures, and invalid JSON.
@@ -45,69 +139,132 @@ export class SentinelayerApiError extends Error {
  *   headers?: Record<string, string>,
  *   body?: unknown,
  *   timeoutMs?: number
+ *   maxRetries?: number,
+ *   retryDelayMs?: number
  * }} [options]
  * @returns {Promise<any>}
  */
 export async function requestJson(
   url,
-  { method = "GET", headers = {}, body, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS } = {}
+  {
+    method = "GET",
+    headers = {},
+    body,
+    timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS,
+    maxRetries = DEFAULT_MAX_RETRIES,
+    retryDelayMs = DEFAULT_RETRY_DELAY_MS,
+  } = {}
 ) {
-  const controller = new AbortController();
-  const timeout = setTimeout(() => controller.abort(), Number(timeoutMs || DEFAULT_REQUEST_TIMEOUT_MS));
-
-  try {
-    const response = await fetch(String(url), {
-      method,
-      headers: {
-        "Content-Type": "application/json",
-        ...headers,
-      },
-      body: body === undefined ? undefined : JSON.stringify(body),
-      signal: controller.signal,
+  if (isCircuitOpen()) {
+    throw new SentinelayerApiError("Request circuit breaker is open after consecutive API failures.", {
+      status: 503,
+      code: "CIRCUIT_OPEN",
     });
+  }
+
+  const normalizedTimeoutMs = normalizePositiveNumber(timeoutMs, DEFAULT_REQUEST_TIMEOUT_MS);
+  const normalizedMaxRetries = normalizeNonNegativeInteger(maxRetries, DEFAULT_MAX_RETRIES);
+  const normalizedRetryDelayMs = normalizePositiveNumber(retryDelayMs, DEFAULT_RETRY_DELAY_MS);
 
-    const rawBody = await response.text();
-    let json = {};
-    if (rawBody.trim()) {
-      try {
-        json = JSON.parse(rawBody);
-      } catch {
-        throw new SentinelayerApiError("Invalid JSON returned by API.", {
-          status: response.status,
-          code: "INVALID_JSON",
-        });
+  let lastRetryableError = null;
+  for (let attempt = 0; attempt <= normalizedMaxRetries; attempt += 1) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), normalizedTimeoutMs);
+
+    try {
+      const response = await fetch(String(url), {
+        method,
+        headers: {
+          "Content-Type": "application/json",
+          ...headers,
+        },
+        body: body === undefined ? undefined : JSON.stringify(body),
+        signal: controller.signal,
+      });
+
+      const rawBody = await response.text();
+      let json = {};
+      if (rawBody.trim()) {
+        try {
+          json = JSON.parse(rawBody);
+        } catch {
+          if (response.ok) {
+            throw new SentinelayerApiError("Invalid JSON returned by API.", {
+              status: response.status,
+              code: "INVALID_JSON",
+            });
+          }
+        }
+      }
+
+      if (response.ok) {
+        recordSuccessForCircuit();
+        return json;
       }
-    }
 
-    if (!response.ok) {
       const apiError = normalizeApiError(json && typeof json === "object" ? json.error : {});
-      throw new SentinelayerApiError(apiError.message, {
-        status: response.status,
+      const statusCode = Number(response.status || 500);
+      const retryable = shouldRetryStatus(statusCode);
+      const shouldRecordCircuitFailure = shouldRecordFailureForStatus(statusCode);
+      const error = new SentinelayerApiError(apiError.message, {
+        status: statusCode,
         code: apiError.code,
         requestId: apiError.requestId,
       });
-    }
 
-    return json;
-  } catch (error) {
-    if (error instanceof SentinelayerApiError) {
-      throw error;
-    }
-    if (error && typeof error === "object" && error.name === "AbortError") {
-      throw new SentinelayerApiError("Request timed out.", {
-        status: 408,
-        code: "TIMEOUT",
+      if (!retryable || attempt >= normalizedMaxRetries) {
+        if (shouldRecordCircuitFailure) {
+          recordFailureForCircuit();
+        }
+        throw error;
+      }
+
+      lastRetryableError = error;
+      const delayMs = computeBackoffMs({
+        attempt: attempt + 1,
+        retryDelayMs: normalizedRetryDelayMs,
+        retryAfterHeader: response.headers.get("retry-after"),
       });
-    }
-    throw new SentinelayerApiError(
-      error instanceof Error ? error.message : String(error || "Request failed"),
-      {
-        status: 503,
-        code: "NETWORK_ERROR",
+      await sleep(delayMs);
+      continue;
+    } catch (error) {
+      if (error instanceof SentinelayerApiError) {
+        throw error;
       }
-    );
-  } finally {
-    clearTimeout(timeout);
-    await sleep(0);
+
+      const isAbortError = Boolean(error && typeof error === "object" && error.name === "AbortError");
+      const normalizedError = new SentinelayerApiError(
+        isAbortError ? "Request timed out." : (error instanceof Error ? error.message : String(error || "Request failed")),
+        {
+          status: isAbortError ? 408 : 503,
+          code: isAbortError ? "TIMEOUT" : "NETWORK_ERROR",
+        }
+      );
+
+      if (attempt >= normalizedMaxRetries) {
+        recordFailureForCircuit();
+        throw normalizedError;
+      }
+
+      lastRetryableError = normalizedError;
+      const delayMs = computeBackoffMs({
+        attempt: attempt + 1,
+        retryDelayMs: normalizedRetryDelayMs,
+        retryAfterHeader: null,
+      });
+      await sleep(delayMs);
+      continue;
+    } finally {
+      clearTimeout(timeout);
+      await sleep(0);
+    }
+  }
+
+  if (lastRetryableError instanceof SentinelayerApiError) {
+    throw lastRetryableError;
   }
+  throw new SentinelayerApiError("Request failed without a terminal response.", {
+    status: 503,
+    code: "NETWORK_ERROR",
+  });
 }

package/src/cli.js

@@ -168,7 +168,7 @@ function shouldBypassCommander(rawArgs) {
     return true;
   }
 
-  if (first === "--help" || first === "-h" || first === "--version" || first === "-v") {
+  if (first === "--help" || first === "-h" || first === "help" || first === "--version" || first === "-v") {
     return true;
   }