npm - sentinelayer-cli - Versions diffs - 0.4.5 → 0.8.0 - Mend

sentinelayer-cli 0.4.5 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (72) hide show

package/README.md +16 -18
package/package.json +7 -6
package/src/agents/jules/config/definition.js +13 -62
package/src/agents/jules/config/system-prompt.js +8 -1
package/src/agents/jules/fix-cycle.js +12 -372
package/src/agents/jules/loop.js +116 -26
package/src/agents/jules/pulse.js +10 -327
package/src/agents/jules/stream.js +13 -12
package/src/agents/jules/swarm/orchestrator.js +3 -3
package/src/agents/jules/swarm/sub-agent.js +6 -3
package/src/agents/jules/tools/aidenid-email.js +189 -0
package/src/agents/jules/tools/auth-audit.js +1187 -45
package/src/agents/jules/tools/dispatch.js +25 -12
package/src/agents/jules/tools/file-edit.js +2 -180
package/src/agents/jules/tools/file-read.js +2 -100
package/src/agents/jules/tools/glob.js +2 -168
package/src/agents/jules/tools/grep.js +2 -228
package/src/agents/jules/tools/path-guards.js +2 -161
package/src/agents/jules/tools/runtime-audit.js +6 -2
package/src/agents/jules/tools/shell.js +2 -383
package/src/agents/persona-visuals.js +64 -0
package/src/agents/shared-tools/dispatch-core.js +320 -0
package/src/agents/shared-tools/file-edit.js +180 -0
package/src/agents/shared-tools/file-read.js +100 -0
package/src/agents/shared-tools/glob.js +168 -0
package/src/agents/shared-tools/grep.js +228 -0
package/src/agents/shared-tools/index.js +46 -0
package/src/agents/shared-tools/path-guards.js +161 -0
package/src/agents/shared-tools/shell.js +383 -0
package/src/ai/aidenid.js +56 -7
package/src/ai/client.js +45 -0
package/src/ai/proxy.js +137 -0
package/src/auth/gate.js +290 -16
package/src/auth/http.js +450 -39
package/src/auth/service.js +262 -47
package/src/auth/session-store.js +475 -21
package/src/cli.js +5 -0
package/src/commands/audit.js +13 -8
package/src/commands/auth.js +53 -9
package/src/commands/omargate.js +10 -2
package/src/commands/scan.js +10 -4
package/src/commands/session.js +590 -0
package/src/commands/spec.js +62 -0
package/src/commands/watch.js +3 -2
package/src/daemon/assignment-ledger.js +196 -0
package/src/daemon/error-worker.js +599 -16
package/src/daemon/fix-cycle.js +384 -0
package/src/daemon/ingest-refresh.js +10 -9
package/src/daemon/jira-lifecycle.js +135 -0
package/src/daemon/pulse.js +327 -0
package/src/daemon/scope-engine.js +1068 -0
package/src/events/schema.js +190 -0
package/src/interactive/index.js +18 -16
package/src/legacy-cli.js +606 -37
package/src/prompt/generator.js +19 -1
package/src/review/ai-review.js +11 -1
package/src/review/local-review.js +75 -19
package/src/review/omargate-interactive.js +68 -0
package/src/review/omargate-orchestrator.js +404 -0
package/src/review/persona-prompts.js +296 -0
package/src/review/scan-modes.js +48 -0
package/src/scan/generator.js +1 -1
package/src/session/agent-registry.js +352 -0
package/src/session/daemon.js +801 -0
package/src/session/paths.js +33 -0
package/src/session/runtime-bridge.js +739 -0
package/src/session/store.js +388 -0
package/src/session/stream.js +325 -0
package/src/spec/generator.js +100 -0
package/src/telemetry/session-tracker.js +148 -32
package/src/telemetry/sync.js +6 -2
package/src/ui/command-hints.js +13 -0

package/src/commands/auth.js CHANGED Viewed

@@ -14,6 +14,10 @@ import {
 } from "../auth/service.js";
 import { resolveCredentialsFilePath } from "../auth/session-store.js";
 import { CLI_VERSION } from "../legacy-cli.js";
+import { authLoginHint } from "../ui/command-hints.js";
+const AUTH_DEBUG_ENV = "SENTINELAYER_DEBUG_ERRORS";
+const AUTH_UNMASK_REQUEST_IDS_ENV = "SENTINELAYER_UNMASK_REQUEST_IDS";
 function shouldEmitJson(options, command) {
   const local = Boolean(options && options.json);
@@ -53,12 +57,39 @@ function formatApiError(error) {
   if (!(error instanceof SentinelayerApiError)) {
     return error instanceof Error ? error.message : String(error || "Unknown error");
   }
-  const requestId = error.requestId ? ` request_id=${error.requestId}` : "";
+  const requestIdValue = error.requestId
+    ? (shouldExposeSensitiveAuthInfo() ? error.requestId : maskIdentifier(error.requestId))
+    : "";
+  const requestId = requestIdValue ? ` request_id=${requestIdValue}` : "";
   return `${error.message} [${error.code}] status=${error.status}${requestId}`;
 }
+function shouldExposeSensitiveAuthInfo() {
+  const normalized = String(process.env[AUTH_DEBUG_ENV] || "").trim().toLowerCase();
+  const unmask = String(process.env[AUTH_UNMASK_REQUEST_IDS_ENV] || "").trim().toLowerCase();
+  const isTty = Boolean(process.stdout && process.stdout.isTTY);
+  const nodeEnv = String(process.env.NODE_ENV || "").trim().toLowerCase();
+  const isDev = nodeEnv === "development";
+  const debugEnabled = normalized === "true" || normalized === "1" || normalized === "yes";
+  const unmaskEnabled = unmask === "true" || unmask === "1" || unmask === "yes";
+  return debugEnabled && unmaskEnabled && isTty && isDev;
+}
+function shouldRevealTokenIdentifiers() {
+  return shouldExposeSensitiveAuthInfo();
+}
+function maskIdentifier(value) {
+  const raw = String(value || "").trim();
+  if (!raw) return "";
+  if (raw.length <= 6) {
+    return `${raw.slice(0, 2)}…`;
+  }
+  return `${raw.slice(0, 4)}…${raw.slice(-2)}`;
+}
 function printAuthHint() {
-  console.log(pc.gray("Run `sl auth login` to create a persistent CLI session."));
+  console.log(pc.gray(`Run \`${authLoginHint()}\` to create a persistent CLI session.`));
 }
 export function registerAuthCommand(program) {
@@ -192,10 +223,16 @@ export function registerAuthCommand(program) {
         const displayUser = status.remoteUser || status.user || {};
         console.log(pc.green(`Authenticated as ${renderUserSummary(displayUser)}`));
-        if (status.aidenid && status.aidenid.orgId) {
-          console.log(pc.green(`AIdenID: provisioned (org: ${status.aidenid.orgId}, project: ${status.aidenid.projectId || "unknown"})`));
-          if (status.aidenid.apiKeyPrefix) {
-            console.log(pc.gray(`  API key prefix: ${status.aidenid.apiKeyPrefix}`));
+        if (status.aidenid && (status.aidenid.orgId || status.aidenid.projectId)) {
+          if (shouldExposeSensitiveAuthInfo()) {
+            const orgDisplay = status.aidenid.orgId ? maskIdentifier(status.aidenid.orgId) : "unknown";
+            const projectDisplay = status.aidenid.projectId ? maskIdentifier(status.aidenid.projectId) : "unknown";
+            console.log(pc.green(`AIdenID: provisioned (org: ${orgDisplay}, project: ${projectDisplay})`));
+            if (status.aidenid.apiKeyPrefix) {
+              console.log(pc.gray(`  API key prefix: ${maskIdentifier(status.aidenid.apiKeyPrefix)}`));
+            }
+          } else {
+            console.log(pc.green("AIdenID: provisioned"));
           }
         } else {
           console.log(pc.gray("AIdenID: not provisioned (will provision on next login)"));
@@ -205,10 +242,15 @@ export function registerAuthCommand(program) {
       if (status.remoteError) {
         console.log(pc.red(`Remote validation failed: ${status.remoteError.message}`));
+        const requestIdValue = status.remoteError.requestId
+          ? (shouldExposeSensitiveAuthInfo()
+            ? status.remoteError.requestId
+            : maskIdentifier(status.remoteError.requestId))
+          : "";
         console.log(
           pc.gray(
             `Error code: ${status.remoteError.code} status=${status.remoteError.status}${
-              status.remoteError.requestId ? ` request_id=${status.remoteError.requestId}` : ""
+              requestIdValue ? ` request_id=${requestIdValue}` : ""
             }`
           )
         );
@@ -260,7 +302,8 @@ export function registerAuthCommand(program) {
           `${renderUserSummary(session.user)} | source=${session.source} | storage=${session.storage || "unknown"}`
         );
         if (session.tokenId) {
-          console.log(pc.gray(`  token_id: ${session.tokenId}`));
+          const tokenDisplay = shouldRevealTokenIdentifiers() ? session.tokenId : maskIdentifier(session.tokenId);
+          console.log(pc.gray(`  token_id: ${tokenDisplay}`));
         }
         if (session.tokenExpiresAt) {
           console.log(pc.gray(`  expires_at: ${session.tokenExpiresAt}`));
@@ -303,7 +346,8 @@ export function registerAuthCommand(program) {
         return;
       }
-      console.log(pc.green(`Revoked token: ${result.tokenId}`));
+      const tokenDisplay = shouldRevealTokenIdentifiers() ? result.tokenId : maskIdentifier(result.tokenId);
+      console.log(pc.green(`Revoked token: ${tokenDisplay}`));
       console.log(pc.gray(`API: ${result.apiUrl}`));
       if (result.matchedStoredSession) {
         console.log(

package/src/commands/omargate.js CHANGED Viewed

@@ -3,13 +3,21 @@ import { buildLegacyArgs } from "./legacy-args.js";
 export function registerOmarGateCommand(program, invokeLegacy) {
   const omargate = program
     .command("omargate")
-    .description("Run local Omar Gate checks");
+    .description("Run local Omar Gate security analysis (deterministic + AI persona swarm)");
   omargate
     .command("deep")
-    .description("Run local credential/policy scan")
+    .description("Run full Omar Gate deep scan with 22-rule deterministic + multi-persona AI analysis")
     .option("--path <path>", "Target repository path")
     .option("--output-dir <path>", "Artifact root for report output")
+    .option("--no-ai", "Skip AI review layer (deterministic only)")
+    .option("--ai-dry-run", "Run AI layer in dry-run mode (no LLM call)")
+    .option("--scan-mode <mode>", "Scan depth: baseline (1 persona), deep (6), full-depth (13)")
+    .option("--max-parallel <n>", "Max concurrent persona calls (default: 4)")
+    .option("--model <id>", "LLM model override (default: gpt-5.3-codex)")
+    .option("--provider <name>", "LLM provider: sentinelayer, openai, anthropic, google")
+    .option("--max-cost <usd>", "Maximum AI layer cost in USD (default: 5.0)")
+    .option("--stream", "Emit NDJSON events to stdout as personas run")
     .option("--json", "Emit machine-readable output")
     .action(async (options, command) => {
       const legacyArgs = buildLegacyArgs(["/omargate", "deep"], {

package/src/commands/scan.js CHANGED Viewed

@@ -30,7 +30,8 @@ import {
 } from "../scan/generator.js";
 import { detectRepoSlug, setupSecrets } from "../scan/gh-secrets.js";
 import { appendRunEvent, deriveStopClassFromBudget } from "../telemetry/ledger.js";
-import { readStoredSession } from "../auth/session-store.js";
+import { resolveActiveAuthSession } from "../auth/service.js";
+import { authLoginHint } from "../ui/command-hints.js";
 const LEGACY_SCAN_WORKFLOW_PATH = ".github/workflows/security-review.yml";
@@ -832,16 +833,21 @@ export function registerScanCommand(program) {
       let tokenValue = "";
       try {
-        const session = await readStoredSession();
+        const session = await resolveActiveAuthSession({
+          cwd: targetPath,
+          env: process.env,
+          autoRotate: false,
+        });
         if (session && session.token) {
           tokenValue = session.token;
         }
       } catch {
-        /* no stored session */
+        /* no active auth session */
       }
       if (!tokenValue) {
-        const msg = "No SentinelLayer token found. Run 'sl auth login' first, or use --dry-run for instructions.";
+        const msg =
+          `No SentinelLayer token found. Run '${authLoginHint()}', set SENTINELAYER_TOKEN, or use --dry-run for instructions.`;
         if (emitJson) {
           console.log(JSON.stringify({ command: "scan setup-secrets", ok: false, reason: msg }, null, 2));
         } else {