sentinelayer-cli 0.4.5 → 0.8.0

package/README.md

@@ -44,6 +44,8 @@ sl review --diff
 sl watch run-events --run-id <run-id>
 ```
 
+Windows PowerShell note: `sl` is a built-in alias for `Set-Location`. Use `sentinelayer-cli` (or short alias `slc`) instead.
+
 ## 60-second flow
 
 1. Trigger:
@@ -141,18 +143,24 @@ For long-running agent/operator workflows, the CLI now supports persistent auth
 - `sl auth sessions`
 - `sl auth revoke --token-id <token-id>`
 
+On Windows PowerShell, run these as `sentinelayer-cli auth ...` or `slc auth ...`.
+
 Behavior:
 
 - login uses browser approval (`/api/v1/auth/cli/sessions/*`)
 - after approval, CLI mints a long-lived API token (`/api/v1/auth/api-tokens`)
 - session metadata is stored at `~/.sentinelayer/credentials.json`
-- token storage uses OS keyring when `keytar` is available; file fallback is used otherwise
+- token storage uses OS keyring only when explicitly enabled (`SENTINELAYER_KEYRING_MODE=keyring`) and `keytar` is installed; file fallback is used otherwise
 - near-expiry token rotation is automatic on command use for stored sessions
 - env/config tokens still take precedence:
   - `SENTINELAYER_TOKEN`
   - `.sentinelayer.yml` `sentinelayerToken`
 
-Opt-out of keyring usage:
+Opt-in to keyring usage:
+
+- `SENTINELAYER_KEYRING_MODE=keyring` (requires `npm install keytar`)
+
+Opt-out of keyring usage (overrides any opt-in):
 
 - `SENTINELAYER_DISABLE_KEYRING=1`
 
@@ -779,6 +787,7 @@ Generate and validate a spec-aligned security workflow:
 - `scan_mode` + `severity_gate` from spec risk profile
 - `playwright_mode` from spec signals + optional E2E wizard/flags
 - `sbom_mode` from supply-chain/dependency signals in spec
+- Action bridge parity: generated `scan_mode` options align to `sentinelayer-v1-action` (`baseline`, `deep`, `audit`, `full-depth`) and use the pinned action ref.
 
 `scan validate` checks workflow drift against the current spec profile and exits non-zero when mismatched.
 
@@ -871,15 +880,10 @@ Ledger contract:
 
 This repo includes `.github/workflows/release.yml`.
 Automated version/tag PR flow is handled by `.github/workflows/release-please.yml`.
-AppSec SAST is enforced by `.github/workflows/codeql.yml` (`CodeQL Summary` check).
-Custom static policy checks are enforced by `.github/workflows/semgrep.yml` (`Semgrep Summary` check) using `.semgrep/rules/sentinelayer-cli.yml`.
-Secret scanning is enforced by `.github/workflows/gitleaks.yml` (`Gitleaks Summary` check).
-IaC misconfiguration scanning is enforced by `.github/workflows/iac-scan.yml` (`IaC Summary` check).
-Dependency vulnerability policy is enforced by `.github/workflows/sca-audit.yml` (`SCA Summary` check).
-Open-source license policy is enforced by `.github/workflows/license-gate.yml` (`License Summary` check) using `.github/policies/license-policy.json` (`allowed_licenses` with `fail_on_unknown` policy behavior).
-Dependabot auto-fix governance is enforced by `.github/workflows/dependabot-governance.yml` with policy controls in `.github/policies/dependabot-governance.json`.
-SBOM governance is enforced by `.github/workflows/sbom.yml` (`SBOM Summary`) with CycloneDX/SPDX JSON artifacts and hash-manifest output.
-Build provenance attestations are enforced by `.github/workflows/attestations.yml` (`Attestation Summary`) with verification against signer-workflow policy.
+Primary gate enforcement is Omar-first:
+- `.github/workflows/omar-gate.yml` (`Omar Gate`) for AppSec findings and merge thresholds
+- `.github/workflows/quality-gates.yml` (`Quality Summary`) for deterministic build/test/package checks
+- `.github/workflows/attestations.yml` (`Attestation Summary`) for provenance verification
 
 Prerequisites:
 
@@ -902,13 +906,6 @@ Release guardrails now require successful upstream checks on the target commit:
 
 - `Quality Summary`
 - `Omar Gate`
-- `CodeQL Summary`
-- `Semgrep Summary`
-- `Gitleaks Summary`
-- `IaC Summary`
-- `SCA Summary`
-- `License Summary`
-- `SBOM Summary`
 - `Attestation Summary`
 
 ## Local verification
@@ -937,6 +934,7 @@ The CLI now supports a command tree, while keeping slash-command compatibility:
 
 - `sentinelayer-cli init <project-name>` runs scaffold/auth generation (legacy top-level invocation still works)
 - `sentinelayer-cli omargate deep --path <repo>` runs a local credential/policy scan and writes `.sentinelayer/reports/omargate-deep-*.md` (non-zero exit if P1 findings exist)
+- Local `/omargate` is a local preflight engine; GitHub PR gate execution runs through `sentinelayer-v1-action` -> Sentinelayer API (`/api/v1/github-app/trigger` + `/api/v1/github-app/runs/{id}/status`).
 - `sentinelayer-cli audit [--agents <ids>] [--max-parallel <n>]` runs orchestrated audit agents and writes `.sentinelayer/audits/<run-id>/AUDIT_REPORT.{md,json}`
 - `sentinelayer-cli audit registry` lists built-in/customized audit-agent registry records
 - `sentinelayer-cli audit security` runs the security specialist agent and writes a dedicated `SECURITY_AGENT_REPORT.md`

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "sentinelayer-cli",
-  "version": "0.4.5",
+  "version": "0.8.0",
   "description": "Scaffold Sentinelayer spec/prompt/guide artifacts with secure browser auth and token bootstrap.",
   "type": "module",
   "scripts": {
-    "check": "node --check bin/sentinelayer-cli.js && node --check bin/create-sentinelayer.js && node --check bin/sl.js && node --check src/cli.js && node --check src/legacy-cli.js && node --check src/commands/config.js && node --check src/commands/ingest.js && node --check src/commands/spec.js && node --check src/commands/prompt.js && node --check src/commands/scan.js && node --check src/commands/guide.js && node --check src/commands/cost.js && node --check src/commands/telemetry.js && node --check src/commands/auth.js && node --check src/commands/watch.js && node --check src/commands/mcp.js && node --check src/commands/plugin.js && node --check src/commands/ai.js && node --check src/commands/review.js && node --check src/commands/chat.js && node --check src/commands/policy.js && node --check src/commands/swarm.js && node --check src/commands/daemon.js && node --check src/commands/audit.js && node --check src/config/service.js && node --check src/ingest/engine.js && node --check src/spec/generator.js && node --check src/spec/regenerate.js && node --check src/spec/templates.js && node --check src/prompt/generator.js && node --check src/scan/generator.js && node --check src/guide/generator.js && node --check src/cost/tracker.js && node --check src/cost/history.js && node --check src/cost/budget.js && node --check src/ai/client.js && node --check src/ai/aidenid.js && node --check src/ai/identity-store.js && node --check src/ai/domain-target-store.js && node --check src/ai/site-store.js && node --check src/review/local-review.js && node --check src/review/ai-review.js && node --check src/review/report.js && node --check src/review/replay.js && node --check src/audit/registry.js && node --check src/audit/orchestrator.js && node --check src/audit/package.js && node --check src/audit/replay.js && node --check src/audit/agents/security.js && node --check src/audit/agents/architecture.js && node --check src/audit/agents/testing.js && node --check src/audit/agents/performance.js && node --check src/audit/agents/compliance.js && node --check src/audit/agents/documentation.js && node --check src/swarm/registry.js && node --check src/swarm/factory.js && node --check src/swarm/runtime.js && node --check src/swarm/scenario-dsl.js && node --check src/swarm/dashboard.js && node --check src/swarm/report.js && node --check src/swarm/pentest.js && node --check src/daemon/error-worker.js && node --check src/daemon/assignment-ledger.js && node --check src/daemon/jira-lifecycle.js && node --check src/daemon/budget-governor.js && node --check src/daemon/operator-control.js && node --check src/daemon/artifact-lineage.js && node --check src/daemon/ast-parser-layer.js && node --check src/daemon/callgraph-overlay.js && node --check src/daemon/hybrid-mapper.js && node --check src/daemon/reliability-lane.js && node --check src/daemon/watchdog.js && node --check src/telemetry/ledger.js && node --check src/auth/http.js && node --check src/auth/session-store.js && node --check src/auth/service.js && node --check src/mcp/registry.js && node --check src/memory/blackboard.js && node --check src/memory/retrieval.js && node --check src/plugin/manifest.js && node --check src/policy/packs.js && node --check src/ui/markdown.js && node --check src/ui/progress.js && node --check src/agents/jules/tools/file-read.js && node --check src/agents/jules/tools/grep.js && node --check src/agents/jules/tools/glob.js && node --check src/agents/jules/tools/shell.js && node --check src/agents/jules/tools/file-edit.js && node --check src/agents/jules/tools/dispatch.js && node --check src/agents/jules/tools/index.js && node --check src/agents/jules/tools/frontend-analyze.js && node --check src/agents/jules/swarm/sub-agent.js && node --check src/agents/jules/swarm/file-scanner.js && node --check src/agents/jules/swarm/pattern-hunter.js && node --check src/agents/jules/swarm/index.js && node --check src/agents/jules/swarm/orchestrator.js && node --check src/agents/jules/config/definition.js && node --check src/agents/jules/loop.js && node --check src/agents/jules/stream.js && node --check src/agents/jules/fix-cycle.js && node --check src/agents/jules/error-intake.js && node --check src/agents/jules/tools/runtime-audit.js && node --check src/agents/jules/config/system-prompt.js && node --check src/agents/jules/tools/auth-audit.js && node --check src/auth/gate.js && node --check src/telemetry/sync.js && node --check src/telemetry/session-tracker.js && node --check src/interactive/workspace.js && node --check src/interactive/auto-ingest.js && node --check src/interactive/action-menu.js && node --check src/interactive/index.js && node --check src/daemon/ingest-refresh.js",
+    "check": "node --check bin/sentinelayer-cli.js && node --check bin/create-sentinelayer.js && node --check bin/sl.js && node --check src/cli.js && node --check src/legacy-cli.js && node --check src/commands/config.js && node --check src/commands/ingest.js && node --check src/commands/spec.js && node --check src/commands/prompt.js && node --check src/commands/scan.js && node --check src/commands/guide.js && node --check src/commands/cost.js && node --check src/commands/telemetry.js && node --check src/commands/auth.js && node --check src/commands/watch.js && node --check src/commands/mcp.js && node --check src/commands/plugin.js && node --check src/commands/ai.js && node --check src/commands/review.js && node --check src/commands/chat.js && node --check src/commands/policy.js && node --check src/commands/swarm.js && node --check src/commands/daemon.js && node --check src/commands/session.js && node --check src/commands/audit.js && node --check src/config/service.js && node --check src/ingest/engine.js && node --check src/spec/generator.js && node --check src/spec/regenerate.js && node --check src/spec/templates.js && node --check src/prompt/generator.js && node --check src/scan/generator.js && node --check src/guide/generator.js && node --check src/cost/tracker.js && node --check src/cost/history.js && node --check src/cost/budget.js && node --check src/ai/client.js && node --check src/ai/aidenid.js && node --check src/ai/identity-store.js && node --check src/ai/domain-target-store.js && node --check src/ai/site-store.js && node --check src/review/local-review.js && node --check src/review/ai-review.js && node --check src/review/report.js && node --check src/review/replay.js && node --check src/audit/registry.js && node --check src/audit/orchestrator.js && node --check src/audit/package.js && node --check src/audit/replay.js && node --check src/audit/agents/security.js && node --check src/audit/agents/architecture.js && node --check src/audit/agents/testing.js && node --check src/audit/agents/performance.js && node --check src/audit/agents/compliance.js && node --check src/audit/agents/documentation.js && node --check src/swarm/registry.js && node --check src/swarm/factory.js && node --check src/swarm/runtime.js && node --check src/swarm/scenario-dsl.js && node --check src/swarm/dashboard.js && node --check src/swarm/report.js && node --check src/swarm/pentest.js && node --check src/daemon/error-worker.js && node --check src/daemon/assignment-ledger.js && node --check src/daemon/jira-lifecycle.js && node --check src/daemon/budget-governor.js && node --check src/daemon/operator-control.js && node --check src/daemon/artifact-lineage.js && node --check src/daemon/ast-parser-layer.js && node --check src/daemon/callgraph-overlay.js && node --check src/daemon/hybrid-mapper.js && node --check src/daemon/scope-engine.js && node --check src/daemon/reliability-lane.js && node --check src/daemon/watchdog.js && node --check src/telemetry/ledger.js && node --check src/auth/http.js && node --check src/auth/session-store.js && node --check src/auth/service.js && node --check src/mcp/registry.js && node --check src/memory/blackboard.js && node --check src/memory/retrieval.js && node --check src/plugin/manifest.js && node --check src/policy/packs.js && node --check src/ui/markdown.js && node --check src/ui/progress.js && node --check src/ui/command-hints.js && node --check src/agents/jules/tools/file-read.js && node --check src/agents/jules/tools/grep.js && node --check src/agents/jules/tools/glob.js && node --check src/agents/jules/tools/shell.js && node --check src/agents/jules/tools/file-edit.js && node --check src/agents/jules/tools/dispatch.js && node --check src/agents/jules/tools/index.js && node --check src/agents/jules/tools/frontend-analyze.js && node --check src/agents/jules/swarm/sub-agent.js && node --check src/agents/jules/swarm/file-scanner.js && node --check src/agents/jules/swarm/pattern-hunter.js && node --check src/agents/jules/swarm/index.js && node --check src/agents/jules/swarm/orchestrator.js && node --check src/agents/jules/config/definition.js && node --check src/agents/jules/loop.js && node --check src/agents/jules/stream.js && node --check src/agents/jules/fix-cycle.js && node --check src/agents/jules/error-intake.js && node --check src/agents/jules/tools/runtime-audit.js && node --check src/agents/jules/config/system-prompt.js && node --check src/agents/jules/tools/auth-audit.js && node --check src/auth/gate.js && node --check src/telemetry/sync.js && node --check src/telemetry/session-tracker.js && node --check src/session/paths.js && node --check src/session/store.js && node --check src/session/stream.js && node --check src/session/agent-registry.js && node --check src/session/daemon.js && node --check src/session/runtime-bridge.js && node --check src/interactive/workspace.js && node --check src/interactive/auto-ingest.js && node --check src/interactive/action-menu.js && node --check src/interactive/index.js && node --check src/daemon/ingest-refresh.js",
     "test": "npm run test:unit && npm run test:e2e",
     "test:unit": "node --test tests/unit*.test.mjs",
     "test:e2e": "node --test tests/e2e.test.mjs",
@@ -15,6 +15,8 @@
     "sentinelayer-cli": "bin/sentinelayer-cli.js",
     "create-sentinelayer": "bin/create-sentinelayer.js",
     "sentinel": "bin/create-sentinelayer.js",
+    "sl-cli": "bin/sentinelayer-cli.js",
+    "slc": "bin/sentinelayer-cli.js",
     "sl": "bin/sl.js"
   },
   "files": [
@@ -23,7 +25,7 @@
     "README.md"
   ],
   "engines": {
-    "node": ">=20.0.0"
+    "node": "^20.0.0 || ^22.0.0"
   },
   "keywords": [
     "sentinelayer",
@@ -53,11 +55,10 @@
     "yaml": "2.8.3",
     "zod": "4.1.12"
   },
-  "optionalDependencies": {
-    "keytar": "7.9.0"
-  },
+  "optionalDependencies": {},
   "devDependencies": {
     "c8": "10.1.3",
     "license-checker-rseidelsohn": "4.4.2"
   }
 }
+

package/src/agents/jules/config/definition.js

@@ -60,11 +60,13 @@ export const JULES_DEFINITION = Object.freeze({
     ],
   },
 
-  // Evidence requirements
+  // Evidence requirements (aligned with output contract in system-prompt.js)
   evidenceRequirements: [
-    "file_path_and_line",
-    "reproduction_steps",
-    "user_impact_statement",
+    "file_and_line",
+    "evidence",
+    "user_impact",
+    "reproduction_p0_p1",
+    "confidence",
   ],
   confidenceFloor: 0.75,
 
@@ -149,61 +151,10 @@ export const JULES_DEFINITION = Object.freeze({
   },
 });
 
-/**
- * All 13 SentinelLayer personas — visual identity, domain specialty, and bias.
- * Jules Tanaka was the first onboarded, but every persona follows the same
- * tool-equipped, budget-governed, isolated-context architecture.
- */
-export const PERSONA_VISUALS = Object.freeze({
-  frontend:        { color: "cyan",    avatar: "\u{1F3AF}", shortName: "Jules",  fullName: "Jules Tanaka",     domain: "frontend_runtime",      specialty: "React/Next.js/Vue production specialist — hydration safety, render cost, accessibility, bundle weight, mobile responsiveness", bias: "user-perceived performance over vanity optimization" },
-  security:        { color: "red",     avatar: "\u{1F6E1}\uFE0F", shortName: "Nina",   fullName: "Nina Patel",       domain: "security_overlay",      specialty: "AuthZ breaks, secret exposure, injection paths, policy bypass, externally reachable abuse conditions", bias: "assume hostile inputs until proven safe" },
-  backend:         { color: "blue",    avatar: "\u2699\uFE0F",    shortName: "Maya",   fullName: "Maya Volkov",      domain: "backend_runtime",       specialty: "Unsafe request handling, runtime crashes, unbounded work, validation gaps, server-side trust boundary failures", bias: "every request is potentially adversarial" },
-  testing:         { color: "green",   avatar: "\u{1F9EA}",       shortName: "Priya",  fullName: "Priya Raman",      domain: "testing_correctness",   specialty: "Missing regression coverage, false confidence from shallow tests, broken invariants with no executable proof", bias: "tests that pass but miss real bugs are worse than no tests" },
-  release:         { color: "yellow",  avatar: "\u{1F680}",       shortName: "Omar",   fullName: "Omar Singh",       domain: "release_engineering",   specialty: "CI/CD integrity, workflow trust, artifact provenance, bypassable gates, unsafe deployment automation", bias: "every deployment is a security boundary" },
-  "code-quality":  { color: "purple",  avatar: "\u{1F48E}",       shortName: "Ethan",  fullName: "Ethan Park",       domain: "code_quality",          specialty: "Complexity hotspots, unsafe shortcuts, brittle structure, maintenance risks that hide future defects", bias: "simplicity is a security feature" },
-  infrastructure:  { color: "orange",  avatar: "\u{1F3D7}\uFE0F", shortName: "Kat",    fullName: "Kat Hughes",       domain: "infrastructure",        specialty: "IAM blast radius, public exposure, network posture, secrets placement, infrastructure policy drift", bias: "least privilege by default, explicit escalation required" },
-  data:            { color: "pink",    avatar: "\u{1F5C4}\uFE0F", shortName: "Linh",   fullName: "Linh Tran",        domain: "data_layer",            specialty: "Query safety, migration drift, integrity failures, tenancy leaks, schema/application mismatches", bias: "data integrity is non-negotiable" },
-  observability:   { color: "magenta", avatar: "\u{1F4CA}",       shortName: "Sofia",  fullName: "Sofia Alvarez",    domain: "observability",         specialty: "Missing telemetry, broken alerting, weak auditability, blind spots that hide failures or attacks", bias: "if you can't observe it, you can't secure it" },
-  reliability:     { color: "white",   avatar: "\u{1F504}",       shortName: "Noah",   fullName: "Noah Ben-David",   domain: "reliability_sre",       specialty: "Timeout safety, retry storms, backlog growth, partial failure handling, operational blast radius", bias: "graceful degradation over silent failure" },
-  documentation:   { color: "gray",    avatar: "\u{1F4DD}",       shortName: "Samir",  fullName: "Samir Okafor",     domain: "docs_knowledge",        specialty: "Operational drift between docs and code, missing runbook steps, misleading instructions that break operators", bias: "documentation is a contract, not decoration" },
-  "supply-chain":  { color: "brown",   avatar: "\u{1F4E6}",       shortName: "Nora",   fullName: "Nora Kline",       domain: "supply_chain",          specialty: "Dependency risk, provenance gaps, pinning drift, artifact trust, compromised build inputs", bias: "every dependency is a trust decision" },
-  "ai-governance": { color: "violet",  avatar: "\u{1F916}",       shortName: "Amina",  fullName: "Amina Chen",       domain: "ai_pipeline",           specialty: "Prompt injection, tool abuse, eval regressions, unsafe model routing, guardrail bypass, policy drift in agentic flows", bias: "AI autonomy requires proportional governance" },
-});
-
-/**
- * Resolve persona visual identity by agent ID or persona name.
- */
-export function resolvePersonaVisual(idOrName) {
-  if (!idOrName) return null;
-  const lower = String(idOrName).toLowerCase();
-
-  // Direct ID match
-  if (PERSONA_VISUALS[lower]) return { id: lower, ...PERSONA_VISUALS[lower] };
-
-  // Name match (first name or full name)
-  for (const [id, visual] of Object.entries(PERSONA_VISUALS)) {
-    if (visual.shortName.toLowerCase() === lower || visual.fullName.toLowerCase() === lower) {
-      return { id, ...visual };
-    }
-  }
-
-  return null;
-}
-
-/**
- * List all persona IDs for autocomplete.
- */
-export function listPersonaIds() {
-  return Object.keys(PERSONA_VISUALS);
-}
-
-/**
- * List all persona names (short + full) for autocomplete.
- */
-export function listPersonaNames() {
-  const names = [];
-  for (const [id, visual] of Object.entries(PERSONA_VISUALS)) {
-    names.push(id, visual.shortName.toLowerCase(), visual.fullName.toLowerCase());
-  }
-  return names;
-}
+// Re-export from shared persona-visuals. These cover all 13 personas — not Jules-specific.
+export {
+  PERSONA_VISUALS,
+  resolvePersonaVisual,
+  listPersonaIds,
+  listPersonaNames,
+} from "../../persona-visuals.js";

package/src/agents/jules/config/system-prompt.js

@@ -164,9 +164,16 @@ Return findings as a JSON array in a \`\`\`json code block:
   "evidence": "dangerouslySetInnerHTML with user-controlled prop at line 42",
   "rootCause": "No DOMPurify sanitization before render",
   "recommendedFix": "Wrap input with DOMPurify.sanitize() before passing to dangerouslySetInnerHTML",
-  "trafficLight": "red"
+  "trafficLight": "red",
+  "reproduction": { "type": "manual_step", "steps": ["Open RichText component with untrusted HTML input", "Observe raw HTML rendered without sanitization"] },
+  "user_impact": "Attacker-controlled HTML renders in the user's browser, enabling XSS",
+  "confidence": 0.92
 }]
 
+reproduction: required for P0/P1, optional for P2+. Object with "type" (manual_step | shell | runtime_probe) and "steps" array.
+user_impact: required. One sentence: what the user or system experiences if this is exploited or triggered.
+confidence: required. Number 0.0-1.0. Your confidence this is a real issue with sufficient evidence. Below ${def.confidenceFloor} = flag as evidence_gap instead of confirmed.
+
 VOICE
 Sharp, skeptical, concrete, user-centric.
 Like someone who has debugged hydration crashes at 2 a.m. and knows "technically correct" UI can still feel broken.

package/src/agents/jules/fix-cycle.js

@@ -1,377 +1,17 @@
-import { execFileSync } from "node:child_process";
-import path from "node:path";
-import fsp from "node:fs/promises";
+// Re-export from platform daemon. Fix-cycle is not Jules-specific.
+// Jules passes its own identity; any persona can use the same lifecycle.
+import { runFixCycle as _runFixCycle } from "../../daemon/fix-cycle.js";
 import { JULES_DEFINITION } from "./config/definition.js";
-import { startJiraLifecycle, commentJiraIssue, transitionJiraIssue } from "../../daemon/jira-lifecycle.js";
-import { claimAssignment, heartbeatAssignment, releaseAssignment } from "../../daemon/assignment-ledger.js";
 
-/**
- * Jules Tanaka — Autonomous Fix Cycle
- *
- * Complete lifecycle:
- *   claim → Jira open → worktree create → agentic fix → test →
- *   Jira comment findings → PR create → Omar Gate watch →
- *   fix P0-P2 from comments → merge → Jira close → artifact → release
- *
- * Failure path: BLOCKED status + Jira comment + release assignment
- * Worktree cleanup: always in finally block
- */
-
-const LEASE_TTL_SECONDS = 1800;
-const HEARTBEAT_INTERVAL_MS = 300000;
-// MAX_FIX_ATTEMPTS reserved for future agentic retry loop
-const OMAR_POLL_INTERVAL_MS = 15000;
-const OMAR_POLL_MAX_ATTEMPTS = 40; // 10 minutes max wait
-
-export async function runFixCycle({ workItemId, workItem, rootPath, scopeMap, findings, onEvent }) {
-  const emit = (ev, pl) => {
-    if (onEvent) onEvent({
-      stream: "sl_event", event: ev,
-      agent: { id: JULES_DEFINITION.id, persona: JULES_DEFINITION.persona, color: JULES_DEFINITION.color, avatar: JULES_DEFINITION.avatar },
-      payload: { workItemId, ...pl },
-    });
-  };
-
-  const artDir = path.join(rootPath, ".sentinelayer", "observability", "fixes", workItemId);
-  await fsp.mkdir(artDir, { recursive: true });
-
-  let jiraKey = null;
-  let prNumber = null;
-  let worktreePath = null;
-  let branchName = null;
-  let hbTimer = null;
-
-  try {
-    // ── [1] CLAIM ─────────────────────────────────────────────────
-    emit("fix_claim", { status: "claiming" });
-    await claimAssignment({
-      targetPath: rootPath, workItemId,
-      agentIdentity: "jules-tanaka@frontend",
-      leaseTtlSeconds: LEASE_TTL_SECONDS, stage: "fix",
-    });
-
-    hbTimer = setInterval(async () => {
-      try {
-        await heartbeatAssignment({
-          targetPath: rootPath, workItemId,
-          agentIdentity: "jules-tanaka@frontend",
-          leaseTtlSeconds: LEASE_TTL_SECONDS, stage: "fix",
-        });
-      } catch { /* heartbeat failure is non-blocking */ }
-    }, HEARTBEAT_INTERVAL_MS);
-
-    // ── [2] JIRA OPEN ─────────────────────────────────────────────
-    emit("fix_jira", { status: "opening" });
-    const sev = workItem?.severity || "P2";
-    const endpoint = workItem?.endpoint || "unknown";
-    const errorCode = workItem?.errorCode || "UNKNOWN";
-
-    const jr = await startJiraLifecycle({
-      targetPath: rootPath, workItemId, actor: JULES_DEFINITION.persona,
-      summary: "[" + sev + "] Frontend: " + errorCode + " at " + endpoint,
-      description: buildDescription(workItem, findings),
-      labels: ["sentinelayer", "jules-tanaka", "frontend", "severity-" + sev.toLowerCase()],
-      planMessage: buildPlan(workItem, scopeMap, findings),
-      issueKeyPrefix: "SLD",
-    });
-    jiraKey = jr.issue?.issueKey;
-    emit("fix_jira", { status: "opened", issueKey: jiraKey });
-
-    // ── [3] WORKTREE CREATE ───────────────────────────────────────
-    branchName = "fix/jules-" + workItemId.replace(/[^a-zA-Z0-9-]/g, "-");
-    worktreePath = path.join(rootPath, ".jules-worktree-" + workItemId);
-    emit("fix_worktree", { status: "creating", branch: branchName });
-
-    safeExecFile("git", ["fetch", "origin"], rootPath);
-    safeExecFile("git", ["worktree", "add", "-b", branchName, worktreePath, "origin/main"], rootPath);
-    emit("fix_worktree", { status: "created", path: worktreePath });
-
-    // ── [4] INVESTIGATE + FIX ─────────────────────────────────────
-    emit("fix_investigate", { status: "analyzing" });
-
-    // Comment Jira with findings before fix attempt
-    if (jiraKey && findings && findings.length > 0) {
-      await commentJiraIssue({
-        targetPath: rootPath, workItemId, issueKey: jiraKey,
-        actor: JULES_DEFINITION.persona, type: "finding",
-        message: buildFindingsComment(findings),
-      });
-    }
-
-    // Fix generation: the caller is responsible for writing changes to the
-    // worktree before invoking runFixCycle, or for wiring julesAuditLoop
-    // in fix mode with FileEdit tool access. runFixCycle handles the full
-    // PR/Omar/merge/Jira lifecycle for whatever changes exist in the worktree.
-
-    // ── [5] PUSH + PR ─────────────────────────────────────────────
-    emit("fix_pr", { status: "pushing" });
-
-    // Check if there are changes to commit in the worktree
-    const diffOutput = safeExecFile("git", ["diff", "--stat"], worktreePath);
-    const untrackedOutput = safeExecFile("git", ["ls-files", "--others", "--exclude-standard"], worktreePath);
-    const hasChanges = diffOutput.trim().length > 0 || untrackedOutput.trim().length > 0;
-
-    if (hasChanges) {
-      safeExecFile("git", ["add", "-A"], worktreePath);
-      safeExecFile("git", ["commit", "-m", "[Jules] Fix " + errorCode + " at " + endpoint], worktreePath);
-    }
-
-    safeExecFile("git", ["push", "-u", "origin", branchName], worktreePath);
-
-    const prBody = buildPrBody(workItem, findings, jiraKey);
-    const prUrl = safeExecFile("gh", [
-      "pr", "create",
-      "--title", "[Jules] Fix " + errorCode,
-      "--body", prBody,
-      "--head", branchName,
-    ], worktreePath).trim();
-
-    const prMatch = prUrl.match(/\/pull\/(\d+)/);
-    prNumber = prMatch ? parseInt(prMatch[1]) : null;
-    emit("fix_pr", { status: "created", prNumber, url: prUrl });
-
-    // ── [6] OMAR GATE WATCH ───────────────────────────────────────
-    if (prNumber) {
-      emit("fix_omar", { status: "watching", prNumber });
-      const omarPassed = await watchOmarGate(rootPath, branchName, emit);
-
-      if (!omarPassed) {
-        emit("fix_omar", { status: "failed" });
-        // Comment Jira about Omar failure
-        if (jiraKey) {
-          await commentJiraIssue({
-            targetPath: rootPath, workItemId, issueKey: jiraKey,
-            actor: JULES_DEFINITION.persona, type: "operator_stop",
-            message: "## Omar Gate Failed\nPR #" + prNumber + " did not pass Omar Gate.\nEscalating to human review.\n\n" + JULES_DEFINITION.signature,
-          });
-          await transitionJiraIssue({
-            targetPath: rootPath, workItemId, issueKey: jiraKey,
-            toStatus: "BLOCKED", actor: JULES_DEFINITION.persona,
-            reason: "Omar Gate failed on PR #" + prNumber,
-          });
-        }
-        await releaseAssignment({
-          targetPath: rootPath, workItemId,
-          agentIdentity: "jules-tanaka@frontend",
-          status: "BLOCKED", reason: "Omar Gate failed on PR #" + prNumber,
-        });
-        return {
-          workItemId, jiraIssueKey: jiraKey, prNumber,
-          status: "blocked_omar", signature: JULES_DEFINITION.signature,
-        };
-      }
-
-      emit("fix_omar", { status: "passed", prNumber });
-
-      // ── [7] MERGE ───────────────────────────────────────────────
-      emit("fix_merge", { status: "merging", prNumber });
-      try {
-        safeExecFile("gh", ["pr", "merge", String(prNumber), "--squash", "--delete-branch"], rootPath);
-        emit("fix_merge", { status: "merged", prNumber });
-      } catch (mergeErr) {
-        emit("fix_merge", { status: "failed", error: mergeErr.message });
-        // PR created but merge failed — still better than nothing
-      }
-    }
-
-    // ── [8] JIRA CLOSE ────────────────────────────────────────────
-    if (jiraKey) {
-      await commentJiraIssue({
-        targetPath: rootPath, workItemId, issueKey: jiraKey,
-        actor: JULES_DEFINITION.persona, type: "fix",
-        message: "## Resolution\nPR #" + (prNumber || "pending") + " merged.\nOmar Gate: passed.\nFindings addressed: " + (findings?.length || 0) + "\n\n" + JULES_DEFINITION.signature,
-      });
-      await transitionJiraIssue({
-        targetPath: rootPath, workItemId, issueKey: jiraKey,
-        toStatus: "DONE", actor: JULES_DEFINITION.persona,
-        reason: "Fixed in PR #" + (prNumber || "pending"),
-      });
-    }
-
-    // ── [9] ARTIFACT + S3 UPLOAD ────────────────────────────────────
-    const result = {
-      workItemId, jiraIssueKey: jiraKey, prNumber,
-      status: "completed",
-      findingsAddressed: findings?.length || 0,
+export function runFixCycle(opts) {
+  return _runFixCycle({
+    ...opts,
+    agentIdentity: {
+      id: JULES_DEFINITION.id,
+      persona: JULES_DEFINITION.persona,
+      color: JULES_DEFINITION.color,
+      avatar: JULES_DEFINITION.avatar,
       signature: JULES_DEFINITION.signature,
-    };
-    await fsp.writeFile(
-      path.join(artDir, "fix-result.json"),
-      JSON.stringify(result, null, 2),
-    );
-
-    // Upload to S3 for compliance archive + agent training data
-    emit("fix_s3", { status: "uploading" });
-    const s3Result = await uploadFixArtifactsToS3(artDir, workItemId, rootPath);
-    emit("fix_s3", { status: s3Result.uploaded ? "uploaded" : "skipped", reason: s3Result.reason });
-
-    // ── [10] RELEASE ──────────────────────────────────────────────
-    await releaseAssignment({
-      targetPath: rootPath, workItemId,
-      agentIdentity: "jules-tanaka@frontend",
-      status: "DONE",
-      reason: "PR #" + (prNumber || "pending") + " merged. " + JULES_DEFINITION.signature,
-    });
-
-    emit("fix_complete", { prNumber, jiraIssueKey: jiraKey, status: "completed" });
-    return result;
-
-  } catch (err) {
-    emit("fix_error", { error: err.message });
-    try {
-      await releaseAssignment({
-        targetPath: rootPath, workItemId,
-        agentIdentity: "jules-tanaka@frontend",
-        status: "BLOCKED", reason: "Fix cycle failed: " + err.message,
-      });
-    } catch { /* release failure non-blocking */ }
-    if (jiraKey) {
-      try {
-        await commentJiraIssue({
-          targetPath: rootPath, workItemId, issueKey: jiraKey,
-          actor: JULES_DEFINITION.persona, type: "operator_stop",
-          message: "## Fix Failed\n" + err.message + "\nEscalating to human.\n\n" + JULES_DEFINITION.signature,
-        });
-        await transitionJiraIssue({
-          targetPath: rootPath, workItemId, issueKey: jiraKey,
-          toStatus: "BLOCKED", actor: JULES_DEFINITION.persona,
-          reason: "Fix cycle failed: " + err.message,
-        });
-      } catch { /* Jira failure non-blocking */ }
-    }
-    return { workItemId, jiraIssueKey: jiraKey, prNumber, status: "failed", error: err.message, signature: JULES_DEFINITION.signature };
-  } finally {
-    if (hbTimer) clearInterval(hbTimer);
-    if (worktreePath) {
-      try { safeExecFile("git", ["worktree", "remove", worktreePath, "--force"], rootPath); } catch { /* best effort */ }
-    }
-  }
-}
-
-// ── Omar Gate Watch ──────────────────────────────────────────────────
-
-async function watchOmarGate(rootPath, branchName, emit) {
-  for (let attempt = 0; attempt < OMAR_POLL_MAX_ATTEMPTS; attempt++) {
-    await sleep(OMAR_POLL_INTERVAL_MS);
-    try {
-      const runJson = safeExecFile("gh", [
-        "run", "list", "--workflow", "Omar Gate", "--branch", branchName,
-        "--limit", "1", "--json", "databaseId,status,conclusion",
-      ], rootPath);
-      const runs = JSON.parse(runJson || "[]");
-      if (runs.length === 0) continue;
-
-      const run = runs[0];
-      if (run.status === "completed") {
-        emit("fix_omar", { status: "completed", conclusion: run.conclusion, runId: run.databaseId });
-        return run.conclusion === "success";
-      }
-      if (attempt % 4 === 0) {
-        emit("fix_omar", { status: "waiting", attempt, runId: run.databaseId });
-      }
-    } catch { /* polling failure non-blocking, will retry */ }
-  }
-  // Timed out waiting for Omar
-  emit("fix_omar", { status: "timeout" });
-  return false;
-}
-
-// ── Helpers ──────────────────────────────────────────────────────────
-
-function safeExecFile(bin, args, cwd) {
-  return execFileSync(bin, args, {
-    cwd, encoding: "utf-8", timeout: 60000,
-    stdio: ["pipe", "pipe", "pipe"],
+    },
   });
 }
-
-function sleep(ms) {
-  return new Promise(resolve => setTimeout(resolve, ms));
-}
-
-function buildDescription(w, f) {
-  const parts = [];
-  parts.push("**Service:** " + (w?.service || "unknown"));
-  parts.push("**Endpoint:** " + (w?.endpoint || "unknown"));
-  parts.push("**Error:** " + (w?.errorCode || "UNKNOWN"));
-  parts.push("**Severity:** " + (w?.severity || "P2"));
-  if (w?.message) parts.push("**Message:** " + w.message.slice(0, 500));
-  if (w?.stackFingerprint) parts.push("**Stack fingerprint:** " + w.stackFingerprint);
-  if (f?.length) parts.push("\n**Related findings:** " + f.length);
-  parts.push("\n" + JULES_DEFINITION.signature);
-  return parts.join("\n");
-}
-
-function buildPlan(w, s, f) {
-  const parts = [];
-  parts.push("## Investigation Plan");
-  parts.push("1. Scope reconstruction from error at " + (w?.endpoint || "unknown"));
-  parts.push("2. Read " + ((s?.primary || []).length) + " primary scope files");
-  parts.push("3. Identify root cause from stack trace + code analysis");
-  parts.push("4. Apply fix in isolated worktree");
-  parts.push("5. Run tests to verify fix");
-  parts.push("6. Open PR and watch Omar Gate");
-  if (f?.length) parts.push("\n**Pre-existing findings:** " + f.length);
-  parts.push("\n" + JULES_DEFINITION.signature);
-  return parts.join("\n");
-}
-
-function buildFindingsComment(f) {
-  const parts = ["## Findings"];
-  const items = f || [];
-  for (const finding of items.slice(0, 10)) {
-    parts.push("- **[" + (finding.severity || "P3") + "]** " + (finding.file || "") + ":" + (finding.line || "") + " " + (finding.title || finding.type || ""));
-    if (finding.evidence) parts.push("  Evidence: " + String(finding.evidence).slice(0, 200));
-  }
-  if (items.length > 10) parts.push("... and " + (items.length - 10) + " more");
-  parts.push("\n" + JULES_DEFINITION.signature);
-  return parts.join("\n");
-}
-
-function buildPrBody(w, f, jiraKey) {
-  const parts = [];
-  if (jiraKey) parts.push("Fixes " + jiraKey);
-  parts.push("Error: " + (w?.errorCode || "UNKNOWN") + " at " + (w?.endpoint || "unknown"));
-  parts.push("Severity: " + (w?.severity || "P2"));
-  if (f?.length) parts.push("Findings addressed: " + f.length);
-  parts.push("");
-  parts.push(JULES_DEFINITION.signature);
-  return parts.join("\n");
-}
-
-// ── S3 Upload ────────────────────────────────────────────────────────
-
-/**
- * Upload fix artifacts to S3 for compliance archive and agent training.
- * Uses AWS CLI (must be configured in environment).
- * Fails silently — S3 upload must never block the fix cycle.
- *
- * Bucket: SENTINELAYER_AUDIT_S3_BUCKET env var (default: sentinelayer-audit-artifacts)
- * Key pattern: {repo}/{date}/jules-tanaka/{workItemId}/
- */
-async function uploadFixArtifactsToS3(artifactDir, workItemId, rootPath) {
-  const bucket = process.env.SENTINELAYER_AUDIT_S3_BUCKET;
-  if (!bucket) {
-    return { uploaded: false, reason: "SENTINELAYER_AUDIT_S3_BUCKET not set" };
-  }
-
-  try {
-    // Derive repo name from git remote or directory name
-    let repoName = "unknown-repo";
-    try {
-      const remote = safeExecFile("git", ["remote", "get-url", "origin"], rootPath).trim();
-      const match = remote.match(/\/([^/]+?)(?:\.git)?$/);
-      if (match) repoName = match[1];
-    } catch { /* use default */ }
-
-    const date = new Date().toISOString().split("T")[0];
-    const s3Key = repoName + "/" + date + "/jules-tanaka/" + workItemId + "/";
-    const s3Url = "s3://" + bucket + "/" + s3Key;
-
-    safeExecFile("aws", ["s3", "sync", artifactDir, s3Url, "--quiet", "--sse", "AES256"], rootPath);
-
-    return { uploaded: true, bucket, key: s3Key };
-  } catch (err) {
-    return { uploaded: false, reason: "S3 upload failed: " + err.message };
-  }
-}