sentinelayer-cli 0.3.0 → 0.4.5

package/src/legacy-cli.js

@@ -143,7 +143,7 @@ function parseCliArgs(argv) {
   for (let i = 0; i < argv.length; i += 1) {
     const arg = String(argv[i] || "").trim();
     if (!arg) continue;
-    if (arg === "--help" || arg === "-h") {
+    if (arg === "--help" || arg === "-h" || arg === "help") {
       showHelp = true;
       continue;
     }
@@ -191,32 +191,66 @@ function parseCliArgs(argv) {
 function printUsage() {
   console.log(`sentinelayer-cli v${CLI_VERSION}`);
   console.log("");
-  console.log("Usage:");
-  console.log("  sentinelayer-cli [project-name] [options]");
-  console.log("  sentinelayer-cli /omargate deep [--path PATH]");
-  console.log("  sentinelayer-cli /audit [--path PATH]");
-  console.log("  sentinelayer-cli /persona orchestrator [--mode MODE] [--path PATH]");
-  console.log("  sentinelayer-cli /apply --plan <todo.md> [--path PATH]");
-  console.log("  sentinelayer-cli config <list|get|set|edit> [options]");
-  console.log("  sentinelayer-cli ingest map [--path PATH] [--output-file PATH]");
-  console.log("  sentinelayer-cli spec <list-templates|show-template|generate> [options]");
-  console.log("  sentinelayer-cli prompt <generate|preview> [options]");
+  console.log("Usage: sl <command> [options]");
+  console.log("");
+  console.log("Scaffold:");
+  console.log("  sl [project-name]                  Create a new project with SentinelLayer scaffolding");
+  console.log("  sl init [project-name]             Same as above (interactive or --non-interactive)");
+  console.log("");
+  console.log("Authentication:");
+  console.log("  sl auth login                      Log in via browser (provisions SentinelLayer + AIdenID)");
+  console.log("  sl auth status                     Show authentication and AIdenID provisioning status");
+  console.log("  sl auth sessions                   List stored session metadata");
+  console.log("  sl auth logout                     Clear local session");
+  console.log("");
+  console.log("Security & Review:");
+  console.log("  sl review scan --path . --json     Deterministic code review (full or --mode diff)");
+  console.log("  sl /omargate deep --path . --json  Local Omar Gate security scan (P0/P1/P2 findings)");
+  console.log("  sl scan init                       Generate .github/workflows/omar-gate.yml from spec");
+  console.log("  sl scan setup-secrets --repo <slug> Inject SENTINELAYER_TOKEN into GitHub repo secrets");
+  console.log("");
+  console.log("Specification & Planning:");
+  console.log("  sl spec list-templates             List available project templates");
+  console.log("  sl spec generate                   Generate SPEC.md from template or AI");
+  console.log("  sl prompt generate                 Generate agent execution prompt from spec");
+  console.log("  sl guide generate                  Generate BUILD_GUIDE.md from spec");
+  console.log("  sl ingest map --json               Codebase AST ingest with framework detection");
+  console.log("");
+  console.log("Audit & Quality:");
+  console.log("  sl audit --path . --json           Full 15-agent audit swarm");
+  console.log("  sl audit frontend --path . --json  Jules frontend audit (--stream for NDJSON, --url for runtime)");
+  console.log("  sl audit security --path . --json  Security-focused audit");
+  console.log("");
+  console.log("AIdenID (Identity Testing):");
+  console.log("  sl ai identity provision --execute  Provision ephemeral test email (auto-credentials after login)");
+  console.log("  sl ai identity wait-for-otp <id>   Poll for OTP extraction from provisioned email");
+  console.log("  sl ai identity list                List tracked identities");
+  console.log("  sl ai identity lineage <id>        Show identity parent/child tree");
+  console.log("  sl ai identity revoke <id>         Revoke a provisioned identity");
+  console.log("");
+  console.log("Cost & Policy:");
+  console.log("  sl cost show --json                Show accumulated cost tracking");
+  console.log("  sl policy list                     List available policy packs");
+  console.log("  sl policy use <pack>               Switch active policy pack");
+  console.log("");
+  console.log("Advanced:");
+  console.log("  sl swarm plan --path . --json      Multi-agent swarm planning");
+  console.log("  sl mcp list --json                 List MCP registries and adapters");
+  console.log("  sl telemetry show --json            Show run event ledger");
+  console.log("  sl config list                     Show current configuration");
   console.log("");
   console.log("Options:");
-  console.log("  -h, --help             Show help");
+  console.log("  -h, --help             Show this help");
   console.log("  -v, --version          Show CLI version");
-  console.log("  --non-interactive      Disable prompts and require interview payload");
-  console.log("  --interview-file PATH  Load interview JSON from file");
-  console.log("  --skip-browser-open    Do not auto-open browser during auth");
-  console.log("  --path PATH            Target path for local command mode");
-  console.log("  --output-dir PATH      Artifact root for local command reports (default .sentinelayer)");
-  console.log("  --json                 Emit machine-readable JSON for local command mode");
+  console.log("  --json                 Machine-readable JSON output");
+  console.log("  --path PATH            Target workspace path");
+  console.log("  --non-interactive      Disable prompts (require --interview-file)");
   console.log("");
-  console.log("Environment:");
-  console.log("  SENTINELAYER_CLI_NON_INTERACTIVE=1");
-  console.log("  SENTINELAYER_CLI_SKIP_BROWSER_OPEN=1");
-  console.log("  SENTINELAYER_CLI_INTERVIEW_JSON='{\"projectName\":\"my-app\",...}'");
-  console.log("  SENTINELAYER_GITHUB_CLONE_BASE_URL=https://github.com");
+  console.log("Quickstart:");
+  console.log("  sl auth login && npx create-sentinelayer my-app && cd my-app");
+  console.log("  # Then hand docs/spec.md to your coding agent");
+  console.log("");
+  console.log("Docs: https://sentinelayer.com/docs");
 }
 
 function normalizeInterviewInput(
@@ -808,6 +842,12 @@ async function collectScanFiles(rootPath) {
 }
 
 async function runCredentialScan(targetPath) {
+  const testOrFixturePathPattern = /(?:^|[\\/])(?:test|tests|__tests__|fixtures?)(?:[\\/]|$)/i;
+  const localReviewSourcePathPattern = /(?:^|[\\/])src[\\/]review[\\/]local-review\.js$/i;
+  const workItemExcludePathPattern = new RegExp(
+    `${testOrFixturePathPattern.source}|${localReviewSourcePathPattern.source}`,
+    "i"
+  );
   const rules = [
     {
       severity: "P1",
@@ -828,11 +868,13 @@ async function runCredentialScan(targetPath) {
       severity: "P2",
       message: "Possible hardcoded credential literal.",
       regex: /(api[_-]?key|secret|token)\s*[:=]\s*['"][^'"]{20,}['"]/i,
+      excludePathPattern: testOrFixturePathPattern,
     },
     {
       severity: "P2",
       message: "Work-item marker found.",
       regex: /\b(?:\x54\x4f\x44\x4f|\x46\x49\x58\x4d\x45|\x48\x41\x43\x4b)\b/,
+      excludePathPattern: workItemExcludePathPattern,
     },
   ];
 
@@ -841,6 +883,7 @@ async function runCredentialScan(targetPath) {
   const maxFindings = 200;
 
   for (const filePath of files) {
+    const relativePath = path.relative(targetPath, filePath).replace(/\\/g, "/");
     let text = "";
     try {
       text = await fsp.readFile(filePath, "utf-8");
@@ -853,10 +896,11 @@ async function runCredentialScan(targetPath) {
       if (!line) continue;
       if (line.includes("<your-token>") || line.includes("example")) continue;
       for (const rule of rules) {
+        if (rule.excludePathPattern && rule.excludePathPattern.test(relativePath)) continue;
         if (!rule.regex.test(line)) continue;
         findings.push({
           severity: rule.severity,
-          file: path.relative(targetPath, filePath).replace(/\\/g, "/"),
+          file: relativePath,
           line: lineIndex + 1,
           message: rule.message,
           excerpt: line.trim().slice(0, 180),

package/src/review/local-review.js

@@ -45,6 +45,13 @@ const SEVERITY_ORDER = new Map([
   ["P3", 3],
 ]);
 
+const TEST_OR_FIXTURE_PATH_PATTERN = /(?:^|[\\/])(?:test|tests|__tests__|fixtures?)(?:[\\/]|$)/i;
+const LOCAL_REVIEW_SOURCE_PATH_PATTERN = /(?:^|[\\/])src[\\/]review[\\/]local-review\.js$/i;
+const WORK_ITEM_MARKER_EXCLUDE_PATH_PATTERN = new RegExp(
+  `${TEST_OR_FIXTURE_PATH_PATTERN.source}|${LOCAL_REVIEW_SOURCE_PATH_PATTERN.source}`,
+  "i"
+);
+
 const REVIEW_RULES = Object.freeze([
   {
     severity: "P1",
@@ -65,11 +72,13 @@ const REVIEW_RULES = Object.freeze([
     severity: "P2",
     message: "Possible hardcoded credential literal.",
     regex: /(api[_-]?key|secret|token)\s*[:=]\s*['\"][^'\"]{20,}['\"]/i,
+    excludePathPattern: TEST_OR_FIXTURE_PATH_PATTERN,
   },
   {
     severity: "P2",
     message: "Work-item marker found.",
     regex: /\b(?:\x54\x4f\x44\x4f|\x46\x49\x58\x4d\x45|\x48\x41\x43\x4b)\b/,
+    excludePathPattern: WORK_ITEM_MARKER_EXCLUDE_PATH_PATTERN,
   },
 ]);
 
@@ -112,6 +121,7 @@ const DETERMINISTIC_REVIEW_RULES = Object.freeze([
     suggestedFix: "Replace literal with environment/secret-manager lookup.",
     regex: /(api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"][^'\"]{12,}['\"]/i,
     sourceOnly: true,
+    excludePathPattern: TEST_OR_FIXTURE_PATH_PATTERN,
   },
   {
     id: "SL-SEC-006",
@@ -184,6 +194,7 @@ const DETERMINISTIC_REVIEW_RULES = Object.freeze([
     suggestedFix: "Resolve or scope pending work before release.",
     regex: /\b(?:TODO|FIXME|HACK)\b/,
     sourceOnly: true,
+    excludePathPattern: WORK_ITEM_MARKER_EXCLUDE_PATH_PATTERN,
   },
   {
     id: "SL-SEC-015",

package/src/scaffold/templates.js

@@ -86,7 +86,7 @@ export function getPackageJsonTemplate({ projectName, description }) {
     },
     devDependencies: {},
     engines: {
-      node: ">=18.17.0",
+      node: ">=20.0.0",
     },
   };
 }

package/src/telemetry/sync.js

@@ -117,15 +117,14 @@ export async function syncRunToDashboard(runData) {
       },
     };
 
-    const response = await fetch(apiUrl + "/api/v1/telemetry", {
+    const response = await fetchWithTimeout(apiUrl + "/api/v1/telemetry", {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
         Authorization: "Bearer " + session.token,
       },
-      signal: AbortSignal.timeout(SYNC_TIMEOUT_MS),
       body: JSON.stringify(payload),
-    });
+    }, SYNC_TIMEOUT_MS);
 
     if (!response.ok) {
       consecutiveFailures++;
@@ -188,3 +187,13 @@ function detectGitRef() {
     return "main";
   }
 }
+
+async function fetchWithTimeout(url, options, timeoutMs) {
+  const controller = new AbortController();
+  const timeoutHandle = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    return await fetch(url, { ...options, signal: controller.signal });
+  } finally {
+    clearTimeout(timeoutHandle);
+  }
+}