sentinelayer-cli 0.8.0 → 0.8.2

package/src/auth/gate.js

@@ -292,25 +292,6 @@ function hasTrustedBypassContext(args = []) {
   return consumeNonceEnvelope(nonceEnvelope.nonceFile);
 }
 
-function isValidSessionToken(session) {
-  const token = String(session?.token || "");
-  if (!token || token !== token.trim()) {
-    return false;
-  }
-  if (/\s/.test(token)) {
-    return false;
-  }
-  // Require printable ASCII only for bearer token material in local metadata.
-  if (/[^\x21-\x7E]/.test(token)) {
-    return false;
-  }
-  const tokenPrefix = String(session?.tokenPrefix || "").trim();
-  if (tokenPrefix && !token.includes(tokenPrefix)) {
-    return false;
-  }
-  return true;
-}
-
 function isSessionUnexpired(tokenExpiresAt) {
   const normalized = String(tokenExpiresAt || "").trim();
   if (!normalized) {
@@ -323,13 +304,25 @@ function isSessionUnexpired(tokenExpiresAt) {
   return expiresAt >= Date.now();
 }
 
+// Gate-level session validation.
+//
+// Design principle: the gate is a "do they have a token?" check, not a
+// "is the token cryptographically well-formed?" check. Server-side /auth/me
+// and per-call bearer validation are the authoritative gate on the token
+// material itself. Over-strict client-side checks (ASCII-only, exact-prefix
+// inclusion, etc.) surface as "Authentication required" even when the user
+// has a perfectly valid keyring entry, forcing them to logout/login repeatedly
+// without fixing anything.
+//
+// So the gate checks:
+//   - session.token is present and non-empty
+//   - for source === "session", expiry is in the future
+//   - for source === "env" or "config", the downstream API call is the gate
 function isAuthenticatedSessionValid(session) {
-  if (!isValidSessionToken(session)) {
+  const token = String(session?.token || "").trim();
+  if (!token) {
     return false;
   }
-
-  // Persisted sessions must include a valid expiry bound. Env/config tokens
-  // are accepted as active auth sources and validated downstream by API calls.
   if (String(session?.source || "").trim() === "session") {
     return isSessionUnexpired(session?.tokenExpiresAt);
   }
@@ -341,28 +334,29 @@ function isAuthenticatedSessionValid(session) {
  * Returns true if auth is required but user is not logged in.
  *
  * @param {string[]} args - CLI arguments (after normalization)
- * @returns {Promise<{ authenticated: boolean, session: object|null, bypassReason: string|null }>}
+ * @returns {Promise<{ authenticated: boolean, session: object|null, bypassReason: string|null, failureReason: string|null }>}
  */
 export async function checkAuthGate(args) {
   const first = String(args[0] || "").trim().toLowerCase();
 
   if (!first || AUTH_BYPASS_COMMANDS.has(first)) {
-    return { authenticated: true, session: null, bypassReason: "auth_bypass_command" };
+    return { authenticated: true, session: null, bypassReason: "auth_bypass_command", failureReason: null };
   }
 
   if (NO_AUTH_REQUIRED.has(first)) {
-    return { authenticated: true, session: null, bypassReason: "no_auth_required" };
+    return { authenticated: true, session: null, bypassReason: "no_auth_required", failureReason: null };
   }
 
   if (isSessionNoAuthCommand(args)) {
-    return { authenticated: true, session: null, bypassReason: "session_no_auth_required" };
+    return { authenticated: true, session: null, bypassReason: "session_no_auth_required", failureReason: null };
   }
 
   if (process.env.SENTINELAYER_CLI_SKIP_AUTH === "1" && hasTrustedBypassContext(args)) {
-    return { authenticated: true, session: null, bypassReason: "env_bypass_guarded" };
+    return { authenticated: true, session: null, bypassReason: "env_bypass_guarded", failureReason: null };
   }
 
   // Check for active auth session across env -> config -> stored session.
+  let resolveError = null;
   try {
     const session = await resolveActiveAuthSession({
       cwd: process.cwd(),
@@ -370,31 +364,65 @@ export async function checkAuthGate(args) {
       autoRotate: false,
     });
     if (session && isAuthenticatedSessionValid(session)) {
-      return { authenticated: true, session, bypassReason: null };
+      return { authenticated: true, session, bypassReason: null, failureReason: null };
     }
-  } catch {
-    // Session read failed — treat as not authenticated
+    if (session) {
+      // Session resolved but failed validation (empty token or expired).
+      const tokenPresent = Boolean(String(session?.token || "").trim());
+      if (!tokenPresent) {
+        resolveError = "session_token_missing";
+      } else if (String(session?.source || "").trim() === "session" && !isSessionUnexpired(session?.tokenExpiresAt)) {
+        resolveError = "session_expired";
+      } else {
+        resolveError = "session_invalid";
+      }
+    } else {
+      resolveError = "no_session";
+    }
+  } catch (error) {
+    resolveError = error instanceof Error ? `session_read_error: ${error.message}` : "session_read_error";
   }
 
-  return { authenticated: false, session: null, bypassReason: null };
+  return { authenticated: false, session: null, bypassReason: null, failureReason: resolveError };
 }
 
 /**
- * Print auth required message and exit.
+ * Print auth required message and exit. Optional failureReason surfaces the
+ * specific reason so users can diagnose stale sessions, expired tokens, and
+ * keyring failures without a round trip.
  */
-export function printAuthRequired() {
+export function printAuthRequired(failureReason = null) {
+  const reason = String(failureReason || "").trim();
   console.error("");
   console.error(pc.bold(pc.red("Authentication required.")));
   console.error("");
-  console.error("  Log in to SentinelLayer to use CLI commands:");
+  if (reason === "session_expired") {
+    console.error("  Your stored session has expired. Log in again:");
+  } else if (reason === "session_token_missing") {
+    console.error("  Your session metadata is present but the token is missing");
+    console.error("  (likely a keyring read failure or mismatched storage).");
+    console.error("");
+    console.error("  " + pc.yellow("Fix:") + " log out to clear the stale metadata, then log in:");
+    console.error("    " + pc.cyan("sentinelayer-cli auth logout"));
+  } else if (reason && reason.startsWith("session_read_error")) {
+    console.error("  Session read failed: " + pc.yellow(reason.replace(/^session_read_error:\s*/, "")));
+    console.error("  Log out and back in to reset local state:");
+    console.error("    " + pc.cyan("sentinelayer-cli auth logout"));
+  } else {
+    console.error("  Log in to SentinelLayer to use CLI commands:");
+  }
   console.error("");
   console.error("    " + pc.cyan(authLoginHint()));
   console.error("");
   console.error("  This opens your browser to authenticate via GitHub or Google.");
   console.error("  Your session is encrypted and stored locally.");
   console.error("");
-  console.error("  " + pc.gray("Why? All CLI operations sync to your SentinelLayer account —"));
-  console.error("  " + pc.gray("audit reports, findings, cost tracking, and run history."));
+  if (!reason || reason === "no_session") {
+    console.error("  " + pc.gray("Why? All CLI operations sync to your SentinelLayer account —"));
+    console.error("  " + pc.gray("audit reports, findings, cost tracking, and run history."));
+  } else {
+    console.error("  " + pc.gray(`Diagnostic: ${reason}`));
+  }
   console.error("");
   process.exitCode = 1;
 }

package/src/cli.js

@@ -239,7 +239,7 @@ export async function runCli(rawArgs = process.argv.slice(2)) {
   const { checkAuthGate, printAuthRequired } = await import("./auth/gate.js");
   const authResult = await checkAuthGate(normalizedArgs);
   if (!authResult.authenticated) {
-    printAuthRequired();
+    printAuthRequired(authResult.failureReason);
     return;
   }
 

package/src/commands/chat.js

@@ -10,6 +10,7 @@ import {
   resolveProvider,
 } from "../ai/client.js";
 import { resolveOutputRoot } from "../config/service.js";
+import { estimateTokens } from "../cost/tokenizer.js";
 
 function shouldEmitJson(options, command) {
   const local = Boolean(options && options.json);
@@ -24,14 +25,6 @@ function createSessionId() {
   return `${stamp}-${random}`;
 }
 
-function estimateTokens(text) {
-  const normalized = String(text || "");
-  if (!normalized) {
-    return 0;
-  }
-  return Math.max(1, Math.ceil(normalized.length / 4));
-}
-
 async function readPromptFromStdin() {
   if (process.stdin.isTTY) {
     return "";
@@ -132,8 +125,8 @@ export function registerChatCommand(program) {
 
       const durationMs = Date.now() - startedAt;
       const generatedAt = new Date().toISOString();
-      const inputTokens = estimateTokens(prompt);
-      const outputTokens = estimateTokens(responseText);
+      const inputTokens = estimateTokens(prompt, { model });
+      const outputTokens = estimateTokens(responseText, { model });
 
       await appendTranscriptEntries({
         transcriptPath,

package/src/commands/legacy-args.js

@@ -19,6 +19,13 @@ function appendOutputDirFlag(args, maybeOutputDir) {
   }
 }
 
+function appendPassthroughFlag(args, flagName, maybeValue) {
+  const value = String(maybeValue || "").trim();
+  if (value) {
+    args.push(flagName, value);
+  }
+}
+
 export function buildLegacyArgs(baseArgs, { commandOptions = {}, command } = {}) {
   const args = [...baseArgs];
   appendPathFlag(args, commandOptions.path);
@@ -26,5 +33,8 @@ export function buildLegacyArgs(baseArgs, { commandOptions = {}, command } = {})
   if (wantsJsonOutput(commandOptions, command)) {
     args.push("--json");
   }
+  // Omar Gate per-persona filter flags (A-CLI-1).
+  appendPassthroughFlag(args, "--persona", commandOptions.persona);
+  appendPassthroughFlag(args, "--skip-persona", commandOptions.skipPersona);
   return args;
 }

package/src/commands/omargate.js

@@ -12,11 +12,13 @@ export function registerOmarGateCommand(program, invokeLegacy) {
     .option("--output-dir <path>", "Artifact root for report output")
     .option("--no-ai", "Skip AI review layer (deterministic only)")
     .option("--ai-dry-run", "Run AI layer in dry-run mode (no LLM call)")
-    .option("--scan-mode <mode>", "Scan depth: baseline (1 persona), deep (6), full-depth (13)")
+    .option("--scan-mode <mode>", "Scan depth: baseline (1 persona), deep (13), full-depth (13)")
     .option("--max-parallel <n>", "Max concurrent persona calls (default: 4)")
     .option("--model <id>", "LLM model override (default: gpt-5.3-codex)")
-    .option("--provider <name>", "LLM provider: sentinelayer, openai, anthropic, google")
+    .option("--provider <name>", "LLM provider: sentinelayer, openai, anthropic")
     .option("--max-cost <usd>", "Maximum AI layer cost in USD (default: 5.0)")
+    .option("--persona <csv>", "Only run these personas (comma-separated IDs); unknown IDs are dropped + warned")
+    .option("--skip-persona <csv>", "Skip these personas (comma-separated IDs)")
     .option("--stream", "Emit NDJSON events to stdout as personas run")
     .option("--json", "Emit machine-readable output")
     .action(async (options, command) => {
@@ -26,4 +28,36 @@ export function registerOmarGateCommand(program, invokeLegacy) {
       });
       await invokeLegacy(legacyArgs);
     });
+
+  // Investor-DD mode (docs/INVESTOR_DD_ARCHITECTURE.md). Per-file agentic
+  // review across all 13 personas with deterministic file routing,
+  // reproducibility chain per finding, Senti session streaming, and a
+  // final report shipped via email + dashboard card. Trades runtime +
+  // cost for depth — budgets default to 45min / $25 vs deep's 2min / $5.
+  omargate
+    .command("investor-dd")
+    .description("Investor-grade due-diligence audit: per-file agentic review + reproducibility chain + email/dashboard report")
+    .option("--path <path>", "Target repository path")
+    .option("--output-dir <path>", "Artifact root for report output")
+    .option("--max-cost <usd>", "Maximum LLM cost in USD (default: 25.0)")
+    .option("--max-runtime-minutes <n>", "Maximum wall-clock runtime (default: 45)")
+    .option("--max-parallel <n>", "Max concurrent persona loops (default: 3)")
+    .option("--model <id>", "LLM model override (default: gpt-5.3-codex)")
+    .option("--provider <name>", "LLM provider: sentinelayer, openai, anthropic")
+    .option("--persona <csv>", "Only run these personas (comma-separated IDs)")
+    .option("--skip-persona <csv>", "Skip these personas (comma-separated IDs)")
+    .option("--stream", "Emit NDJSON events to stdout as personas work file-by-file")
+    .option("--notify-email <addr>", "Send final report to this email (default: account email)")
+    .option("--notify-session <session-id>", "Stream progress into this Senti session (default: auto-start)")
+    .option("--no-email", "Skip email dispatch")
+    .option("--no-dashboard", "Skip dashboard card persistence")
+    .option("--dry-run", "Validate config + emit plan.json; skip LLM calls")
+    .option("--json", "Emit machine-readable final output")
+    .action(async (options, command) => {
+      const legacyArgs = buildLegacyArgs(["/omargate", "investor-dd"], {
+        commandOptions: options,
+        command,
+      });
+      await invokeLegacy(legacyArgs);
+    });
 }

package/src/commands/persona.js

@@ -1,9 +1,16 @@
+import process from "node:process";
+
+import { PERSONA_MODES } from "../agents/mode.js";
+import {
+  SUPPORTED_PERSONA_IDS,
+  runPersona,
+} from "../agents/run-persona.js";
 import { buildLegacyArgs } from "./legacy-args.js";
 
 export function registerPersonaCommand(program, invokeLegacy) {
   const persona = program
     .command("persona")
-    .description("Generate orchestrator persona context");
+    .description("Run persona-scoped domain-tool sweeps or orchestrator reports");
 
   persona
     .command("orchestrator")
@@ -24,4 +31,42 @@ export function registerPersonaCommand(program, invokeLegacy) {
       });
       await invokeLegacy(legacyArgs);
     });
+
+  persona
+    .command("run <personaId>")
+    .description(
+      `Run a single persona's domain tools over the repo and emit findings. Supported ids: ${SUPPORTED_PERSONA_IDS.join(", ")}.`
+    )
+    .option(
+      "--mode <mode>",
+      `Persona mode: ${PERSONA_MODES.join("|")}. Audit emits findings; codegen attaches allowed-tools + prompt-suffix plan so callers can drive the LLM edit loop.`,
+      "audit"
+    )
+    .option("--path <path>", "Repository root to scan (default: cwd)", ".")
+    .option(
+      "--files <csv>",
+      "Optional comma-separated list of files to focus the sweep. Empty = whole repo."
+    )
+    .option(
+      "--json",
+      "Always-on for this subcommand; kept for interface parity. Output is a single-line JSON object on stdout.",
+      true
+    )
+    .action(async (personaId, options) => {
+      try {
+        const result = await runPersona({
+          personaId,
+          mode: options.mode,
+          rootPath: options.path,
+          files: options.files,
+        });
+        process.stdout.write(JSON.stringify(result));
+        process.stdout.write("\n");
+        process.exitCode = 0;
+      } catch (err) {
+        const message = err && err.message ? err.message : String(err);
+        process.stderr.write(`persona run failed: ${message}\n`);
+        process.exitCode = 2;
+      }
+    });
 }

package/src/commands/scan.js

@@ -15,6 +15,7 @@ import { loadConfig, resolveOutputRoot } from "../config/service.js";
 import { evaluateBudget } from "../cost/budget.js";
 import { appendCostEntry, summarizeCostHistory } from "../cost/history.js";
 import { estimateModelCost } from "../cost/tracker.js";
+import { estimateTokens } from "../cost/tokenizer.js";
 import {
   applyPolicyPackToScanProfile,
   resolveActivePolicyPack,
@@ -168,14 +169,6 @@ function parsePercent(rawValue, field) {
   return normalized;
 }
 
-function estimateTokenCount(text) {
-  const normalized = String(text || "");
-  if (!normalized) {
-    return 0;
-  }
-  return Math.max(1, Math.ceil(normalized.length / 4));
-}
-
 function resolveConfiguredApiKey(provider, resolvedConfig = {}) {
   const normalizedProvider = String(provider || "").trim().toLowerCase();
   if (normalizedProvider === "openai") {
@@ -622,8 +615,8 @@ export function registerScanCommand(program) {
       await fsp.mkdir(path.dirname(reportPath), { recursive: true });
       await fsp.writeFile(reportPath, reportMarkdown, "utf-8");
 
-      const inputTokens = estimateTokenCount(prompt);
-      const outputTokens = estimateTokenCount(aiMarkdown);
+      const inputTokens = estimateTokens(prompt, { model: response.model });
+      const outputTokens = estimateTokens(aiMarkdown, { model: response.model });
       const modelCost = maybeEstimateModelCost({
         modelId: response.model,
         inputTokens,