sentinelayer-cli 0.8.10 → 0.8.12

package/src/audit/registry.js

@@ -1,6 +1,28 @@
 import fsp from "node:fs/promises";
 import path from "node:path";
 
+export const DEFAULT_AUDIT_AGENT_TOOLS = Object.freeze([
+  "FileRead",
+  "Grep",
+  "Glob",
+  "Shell",
+  "FileEdit",
+]);
+
+const TOOL_NAME_ALIASES = Object.freeze({
+  read: "FileRead",
+  file_read: "FileRead",
+  "file-read": "FileRead",
+  fileread: "FileRead",
+  grep: "Grep",
+  glob: "Glob",
+  shell: "Shell",
+  file_edit: "FileEdit",
+  "file-edit": "FileEdit",
+  fileedit: "FileEdit",
+  dispatch: "Dispatch",
+});
+
 const BUILTIN_AUDIT_AGENTS = Object.freeze([
   {
     id: "security",
@@ -173,16 +195,40 @@ function normalizeString(value) {
   return String(value || "").trim();
 }
 
+function normalizeToolName(value) {
+  const raw = normalizeString(value);
+  if (!raw) {
+    return "";
+  }
+  const alias = TOOL_NAME_ALIASES[raw.toLowerCase()];
+  if (alias) {
+    return alias;
+  }
+  return raw;
+}
+
+export function normalizeAuditAgentTools(tools = [], { useDefaultWhenEmpty = false } = {}) {
+  const normalized = Array.isArray(tools)
+    ? tools.map((item) => normalizeToolName(item)).filter(Boolean)
+    : [];
+  const unique = [...new Set(normalized)];
+  if (unique.length > 0) {
+    return unique;
+  }
+  return useDefaultWhenEmpty ? [...DEFAULT_AUDIT_AGENT_TOOLS] : [];
+}
+
 function normalizeAgentId(value) {
   return normalizeString(value).toLowerCase();
 }
 
 function normalizeAgentRecord(record = {}) {
+  const hasToolOverride = Object.prototype.hasOwnProperty.call(record, "tools");
   return {
     id: normalizeAgentId(record.id),
     persona: normalizeString(record.persona),
     domain: normalizeString(record.domain),
-    tools: Array.isArray(record.tools) ? record.tools.map((item) => normalizeString(item)).filter(Boolean) : [],
+    tools: normalizeAuditAgentTools(record.tools, { useDefaultWhenEmpty: !hasToolOverride }),
     permissionMode: normalizeString(record.permissionMode || "plan") || "plan",
     maxTurns: Math.max(1, Math.floor(Number(record.maxTurns || 1))),
     confidenceFloor: Math.max(0, Math.min(1, Number(record.confidenceFloor || 0))),
@@ -206,6 +252,11 @@ function mergeRegistry(builtinAgents = [], overrideAgents = []) {
       continue;
     }
     const existing = byId.get(normalized.id) || {};
+    if (!Object.prototype.hasOwnProperty.call(override, "tools")) {
+      normalized.tools = Array.isArray(existing.tools) && existing.tools.length > 0
+        ? [...existing.tools]
+        : [...DEFAULT_AUDIT_AGENT_TOOLS];
+    }
     byId.set(normalized.id, {
       ...existing,
       ...normalized,
@@ -223,7 +274,12 @@ function parseAgentFilter(rawValue) {
 }
 
 export function listBuiltinAuditAgents() {
-  return BUILTIN_AUDIT_AGENTS.map((agent) => ({ ...agent }));
+  return BUILTIN_AUDIT_AGENTS.map((agent) =>
+    normalizeAgentRecord({
+      ...agent,
+      tools: DEFAULT_AUDIT_AGENT_TOOLS,
+    })
+  );
 }
 
 export async function loadAuditRegistry({ registryFile = "" } = {}) {

package/src/commands/audit.js

@@ -26,6 +26,14 @@ function parseMaxParallel(rawValue) {
   return Math.floor(normalized);
 }
 
+function parseIsolationMode(rawValue) {
+  const normalized = String(rawValue || "strict").trim().toLowerCase();
+  if (normalized === "strict" || normalized === "relaxed") {
+    return normalized;
+  }
+  throw new Error("isolation must be one of: strict, relaxed.");
+}
+
 function printAuditSummary(result) {
   console.log(pc.bold("Audit orchestrator complete"));
   console.log(pc.gray(`Run: ${result.runId}`));
@@ -34,6 +42,11 @@ function printAuditSummary(result) {
   if (result.sharedMemory?.artifactPath) {
     console.log(pc.gray(`Shared memory: ${result.sharedMemory.artifactPath}`));
   }
+  if (result.omargateReuse?.used) {
+    console.log(pc.gray(`Reused OmarGate run: ${result.omargateReuse.runId}`));
+  } else if (result.omargateReuse?.requested) {
+    console.log(pc.gray(`OmarGate reuse unavailable: ${result.omargateReuse.reason || "not_found"}`));
+  }
   if (result.ddPackage?.executiveSummaryPath) {
     console.log(pc.gray(`DD package: ${result.ddPackage.executiveSummaryPath}`));
   }
@@ -51,6 +64,15 @@ function printAuditSummary(result) {
   console.log(`Agents: ${result.agentResults.length}, max_parallel=${result.maxParallel}`);
 }
 
+function buildAuditOrchestratorEventHandler(emitStream) {
+  if (!emitStream) {
+    return null;
+  }
+  return (evt) => {
+    console.log(JSON.stringify(evt));
+  };
+}
+
 export function registerAuditCommand(program, invokeLegacy) {
   const audit = program
     .command("audit")
@@ -63,9 +85,14 @@ export function registerAuditCommand(program, invokeLegacy) {
     .option("--output-dir <path>", "Optional artifact output root override")
     .option("--refresh", "Refresh CODEBASE_INGEST before running audit")
     .option("--dry-run", "Skip deterministic baseline and run orchestration planning only")
+    .option("--isolation <mode>", "Persona isolation mode: strict | relaxed", "strict")
+    .option("--no-seed-from-deterministic", "Run personas without deterministic baseline or specialist seed findings")
+    .option("--reuse-omargate <runId>", "Reuse deterministic findings from an OmarGate run id or latest")
+    .option("--stream", "Emit NDJSON agent events to stdout")
     .option("--json", "Emit machine-readable output")
     .action(async (targetPathArg, options, command) => {
       const emitJson = shouldEmitJson(options, command);
+      const emitStream = Boolean(options.stream);
       const targetPath = path.resolve(process.cwd(), String(options.path || targetPathArg || "."));
       const registry = await loadAuditRegistry({
         registryFile: options.registryFile,
@@ -85,6 +112,10 @@ export function registerAuditCommand(program, invokeLegacy) {
         outputDir: options.outputDir,
         dryRun: Boolean(options.dryRun),
         refreshIngest: Boolean(options.refresh),
+        isolation: parseIsolationMode(options.isolation),
+        seedFromDeterministic: options.seedFromDeterministic !== false,
+        reuseOmarGate: options.reuseOmargate,
+        onEvent: buildAuditOrchestratorEventHandler(emitStream),
       });
 
       const payload = {
@@ -99,6 +130,11 @@ export function registerAuditCommand(program, invokeLegacy) {
         registryFile: registry.registryFile,
         selectedAgents: result.selectedAgents,
         maxParallel: result.maxParallel,
+        isolation: result.isolation,
+        seedFromDeterministic: result.seedFromDeterministic !== false,
+        omargateReuse: result.omargateReuse || null,
+        reusedOmarGateRunId: result.omargateReuse?.used ? result.omargateReuse.runId : "",
+        reusedOmarGateDeterministicPath: result.omargateReuse?.used ? result.omargateReuse.artifactPath : "",
         summary: result.summary,
         agentCount: result.agentResults.length,
         sharedMemoryPath: result.sharedMemory?.artifactPath || "",
@@ -112,7 +148,7 @@ export function registerAuditCommand(program, invokeLegacy) {
 
       if (emitJson) {
         console.log(JSON.stringify(payload, null, 2));
-      } else {
+      } else if (!emitStream) {
         printAuditSummary(result);
       }
 
@@ -211,6 +247,8 @@ export function registerAuditCommand(program, invokeLegacy) {
         outputDir: options.outputDir,
         dryRun: Boolean(baseReport.dryRun),
         refreshIngest: Boolean(options.refresh),
+        isolation: baseReport.isolation || "strict",
+        seedFromDeterministic: baseReport.seedFromDeterministic !== false,
       });
 
       const comparison = await writeAuditComparisonArtifact({
@@ -231,6 +269,8 @@ export function registerAuditCommand(program, invokeLegacy) {
         deterministicEquivalent: comparison.comparison.deterministicEquivalent,
         addedCount: comparison.comparison.addedCount,
         removedCount: comparison.comparison.removedCount,
+        isolation: replayResult.isolation,
+        seedFromDeterministic: replayResult.seedFromDeterministic !== false,
         ingestRefresh: replayResult.ingest?.refresh || null,
       };
 
@@ -717,6 +757,7 @@ export function registerAuditCommand(program, invokeLegacy) {
     .description("Compatibility mode: run legacy local readiness + policy audit")
     .option("--path <path>", "Target repository path")
     .option("--output-dir <path>", "Artifact root for report output")
+    .option("--reuse-omargate <runId>", "Reuse deterministic findings from an OmarGate run id or latest")
     .option("--json", "Emit machine-readable output")
     .action(async (options, command) => {
       const legacyArgs = buildLegacyArgs(["/audit"], {

package/src/commands/legacy-args.js

@@ -20,12 +20,24 @@ function appendOutputDirFlag(args, maybeOutputDir) {
 }
 
 function appendPassthroughFlag(args, flagName, maybeValue) {
-  const value = String(maybeValue || "").trim();
+  const value = maybeValue === undefined || maybeValue === null ? "" : String(maybeValue).trim();
   if (value) {
     args.push(flagName, value);
   }
 }
 
+function appendBooleanFlag(args, flagName, maybeValue) {
+  if (Boolean(maybeValue)) {
+    args.push(flagName);
+  }
+}
+
+function appendNegatedBooleanFlag(args, flagName, maybeValue) {
+  if (maybeValue === false) {
+    args.push(flagName);
+  }
+}
+
 export function buildLegacyArgs(baseArgs, { commandOptions = {}, command } = {}) {
   const args = [...baseArgs];
   appendPathFlag(args, commandOptions.path);
@@ -33,6 +45,21 @@ export function buildLegacyArgs(baseArgs, { commandOptions = {}, command } = {})
   if (wantsJsonOutput(commandOptions, command)) {
     args.push("--json");
   }
+  appendNegatedBooleanFlag(args, "--no-ai", commandOptions.ai);
+  appendBooleanFlag(args, "--ai-dry-run", commandOptions.aiDryRun);
+  appendBooleanFlag(args, "--stream", commandOptions.stream);
+  appendBooleanFlag(args, "--dry-run", commandOptions.dryRun);
+  appendNegatedBooleanFlag(args, "--no-email", commandOptions.email);
+  appendNegatedBooleanFlag(args, "--no-dashboard", commandOptions.dashboard);
+  appendPassthroughFlag(args, "--scan-mode", commandOptions.scanMode);
+  appendPassthroughFlag(args, "--max-parallel", commandOptions.maxParallel);
+  appendPassthroughFlag(args, "--max-cost", commandOptions.maxCost);
+  appendPassthroughFlag(args, "--max-runtime-minutes", commandOptions.maxRuntimeMinutes);
+  appendPassthroughFlag(args, "--model", commandOptions.model);
+  appendPassthroughFlag(args, "--provider", commandOptions.provider);
+  appendPassthroughFlag(args, "--reuse-omargate", commandOptions.reuseOmargate);
+  appendPassthroughFlag(args, "--notify-email", commandOptions.notifyEmail);
+  appendPassthroughFlag(args, "--notify-session", commandOptions.notifySession);
   // Omar Gate per-persona filter flags (A-CLI-1).
   appendPassthroughFlag(args, "--persona", commandOptions.persona);
   appendPassthroughFlag(args, "--skip-persona", commandOptions.skipPersona);

package/src/commands/session.js

@@ -57,6 +57,7 @@ import {
 } from "../session/sync.js";
 import { hydrateSessionFromRemote } from "../session/remote-hydrate.js";
 import { mergeLiveSources } from "../session/live-source.js";
+import { deriveSessionTitle } from "../session/senti-naming.js";
 import {
   buildDashboardUrl,
   buildTemplateLaunchPlan,
@@ -302,30 +303,80 @@ export function registerSessionCommand(program) {
         3600,
       );
 
-      // Auto-resume: if there's an active local session for this same
-      // workspace path created in the last `reuseWindowSeconds`, reuse
-      // it instead of minting a new id. Kills the orphan-creation
-      // pattern where every CLI invocation produced a fresh empty
-      // session. `--force-new` opts back into the old behavior.
+      // Auto-resume: prefer an existing active session for this codebase
+      // over minting a new one. We check both local filesystem state and the
+      // remote registry — local-only resume meant a fresh checkout / second
+      // machine would orphan the room each time, exactly the mess Carter
+      // surfaced ("all of them look like one chat re-created").
+      //
+      // Order:
+      //   1. Local session for the same targetPath inside the reuse window.
+      //   2. Remote active session whose codebasePath matches the absolute
+      //      targetPath, sorted by last activity. We fold these into the
+      //      candidate pool so a session minted on another machine can be
+      //      rejoined rather than duplicated.
+      // `--force-new` opts back into the old "always mint" behavior.
       let resumed = null;
       if (!options.forceNew) {
+        const cutoffMs = Date.now() - reuseWindowSeconds * 1000;
+        const candidates = [];
         try {
           const active = await listActiveSessions({ targetPath });
-          const cutoffMs = Date.now() - reuseWindowSeconds * 1000;
-          const candidates = active.filter((entry) => {
+          for (const entry of active) {
             const createdMs = Date.parse(entry.createdAt || "");
-            return Number.isFinite(createdMs) && createdMs >= cutoffMs;
+            if (Number.isFinite(createdMs) && createdMs >= cutoffMs) {
+              candidates.push({ ...entry, _source: "local" });
+            }
+          }
+        } catch {
+          /* local lookup failure is non-fatal */
+        }
+        try {
+          const remote = await listSessionsFromApi({
+            targetPath,
+            includeArchived: false,
+            limit: 50,
           });
-          candidates.sort((a, b) =>
+          if (remote && remote.ok) {
+            const normalizedTarget = String(targetPath).toLowerCase();
+            for (const entry of remote.sessions || []) {
+              const codebase = String(entry.codebasePath || "").toLowerCase();
+              if (!codebase || codebase !== normalizedTarget) continue;
+              if (entry.archiveStatus && entry.archiveStatus !== "active") continue;
+              const lastMs = Date.parse(entry.lastActivityAt || entry.createdAt || "");
+              if (Number.isFinite(lastMs) && lastMs >= cutoffMs) {
+                candidates.push({
+                  sessionId: entry.sessionId,
+                  createdAt: entry.createdAt,
+                  lastActivityAt: entry.lastActivityAt,
+                  expiresAt: entry.expiresAt,
+                  status: entry.status || "active",
+                  template: entry.templateName || null,
+                  title: entry.title || null,
+                  _source: "remote",
+                });
+              }
+            }
+          }
+        } catch {
+          /* remote lookup failure is non-fatal */
+        }
+        if (candidates.length > 0) {
+          // Prefer the most recent activity. Local + remote may name the
+          // same session; dedupe on sessionId before picking.
+          const seen = new Set();
+          const deduped = [];
+          for (const entry of candidates) {
+            if (seen.has(entry.sessionId)) continue;
+            seen.add(entry.sessionId);
+            deduped.push(entry);
+          }
+          deduped.sort((a, b) =>
             String(b.lastActivityAt || b.createdAt || "").localeCompare(
               String(a.lastActivityAt || a.createdAt || ""),
             ),
           );
-          if (candidates.length > 0) {
-            resumed = candidates[0];
-          }
-        } catch (error) {
-          // listActiveSessions failure is non-fatal; fall through to fresh create.
+          resumed = deduped[0];
         }
       }
 
@@ -358,11 +409,19 @@ export function registerSessionCommand(program) {
       const durationMs = Date.now() - startedAt;
       const launchPlan = template ? buildTemplateLaunchPlan(created.sessionId, template) : [];
       const dashboardUrl = buildDashboardUrl(created.sessionId);
+      // Default the title to a stable codebase+date slug so the web sidebar
+      // never fills with anonymous "<null>" rows. The caller can still
+      // override with --title. We skip the auto-title for resumed sessions
+      // because the room already has a name we don't want to clobber.
       const titleArg = normalizeString(options.title);
-
-      // If the caller passed --title, push it to the API so the web
-      // sidebar shows the label (best-effort, non-blocking).
-      if (titleArg) {
+      const autoTitle = !resumed && !titleArg ? deriveSessionTitle(targetPath) : "";
+      const effectiveTitle = titleArg || autoTitle;
+
+      // If a title needs to land on the dashboard, push it. We always push
+      // when the caller passed --title, AND we push the auto-derived title
+      // for fresh (non-resumed) sessions so the room is never anonymous on
+      // the web. Best-effort, non-blocking.
+      if (effectiveTitle) {
         void (async () => {
           try {
             const session = await resolveActiveAuthSession({
@@ -378,7 +437,7 @@ export function registerSessionCommand(program) {
                 method: "POST",
                 operationName: "session.set_title",
                 headers: { Authorization: `Bearer ${session.token}` },
-                body: { title: titleArg },
+                body: { title: effectiveTitle },
               },
             );
           } catch (_error) {
@@ -405,7 +464,8 @@ export function registerSessionCommand(program) {
         launchPlan,
         dashboardUrl,
         resumed: Boolean(resumed),
-        title: titleArg || null,
+        title: effectiveTitle || null,
+        titleAuto: Boolean(autoTitle && !titleArg),
       };
 
       // Best-effort admin visibility sync. Session creation remains local-first.

package/src/cost/history.js

@@ -7,6 +7,7 @@ import { rollupUsage } from "./tracker.js";
 
 const HISTORY_VERSION = 1;
 const HISTORY_FILE_NAME = "cost-history.json";
+const costHistoryWriteQueues = new Map();
 
 function normalizeNumber(value, field) {
   const normalized = Number(value || 0);
@@ -76,6 +77,14 @@ export async function resolveCostHistoryPath({
 
 export async function loadCostHistory(options = {}) {
   const filePath = await resolveCostHistoryPath(options);
+  const history = await readCostHistoryFile(filePath);
+  return {
+    filePath,
+    history,
+  };
+}
+
+async function readCostHistoryFile(filePath) {
   try {
     const raw = await fsp.readFile(filePath, "utf-8");
     const parsed = JSON.parse(raw);
@@ -83,20 +92,14 @@ export async function loadCostHistory(options = {}) {
       throw new Error("Invalid cost history payload.");
     }
     return {
-      filePath,
-      history: {
-        version: Number(parsed.version || HISTORY_VERSION),
-        entries: parsed.entries,
-      },
+      version: Number(parsed.version || HISTORY_VERSION),
+      entries: parsed.entries,
     };
   } catch (error) {
     if (error && typeof error === "object" && error.code === "ENOENT") {
       return {
-        filePath,
-        history: {
-          version: HISTORY_VERSION,
-          entries: [],
-        },
+        version: HISTORY_VERSION,
+        entries: [],
       };
     }
     throw error;
@@ -114,17 +117,34 @@ export async function saveCostHistory({ filePath, history }) {
 
 export async function appendCostEntry(options = {}, entry = {}) {
   const normalizedEntry = normalizeEntry(entry);
-  const { filePath, history } = await loadCostHistory(options);
-  const nextHistory = {
-    version: HISTORY_VERSION,
-    entries: [...history.entries, normalizedEntry],
-  };
-  await saveCostHistory({ filePath, history: nextHistory });
-  return {
-    filePath,
-    entry: normalizedEntry,
-    history: nextHistory,
-  };
+  const filePath = await resolveCostHistoryPath(options);
+  return withCostHistoryWriteQueue(filePath, async () => {
+    const history = await readCostHistoryFile(filePath);
+    const nextHistory = {
+      version: HISTORY_VERSION,
+      entries: [...history.entries, normalizedEntry],
+    };
+    await saveCostHistory({ filePath, history: nextHistory });
+    return {
+      filePath,
+      entry: normalizedEntry,
+      history: nextHistory,
+    };
+  });
+}
+
+async function withCostHistoryWriteQueue(filePath, fn) {
+  const previous = costHistoryWriteQueues.get(filePath) || Promise.resolve();
+  const next = previous.catch(() => {}).then(fn);
+  const queued = next.catch(() => {});
+  costHistoryWriteQueues.set(filePath, queued);
+  try {
+    return await next;
+  } finally {
+    if (costHistoryWriteQueues.get(filePath) === queued) {
+      costHistoryWriteQueues.delete(filePath);
+    }
+  }
 }
 
 function summarizeSessionEntries(entries) {

package/src/events/schema.js

@@ -1,5 +1,31 @@
 const AGENT_EVENT_STREAM = "sl_event";
 const LEGACY_AGENT_ID = "legacy-emitter";
+const AGENT_EVENT_TYPES = Object.freeze([
+  "agent_start",
+  "agent_complete",
+  "agent_abort",
+  "agent_error",
+  "progress",
+  "heartbeat",
+  "tool_call",
+  "tool_result",
+  "finding",
+  "reasoning",
+  "budget_warning",
+  "budget_stop",
+  "swarm_start",
+  "swarm_complete",
+  "phase_start",
+  "phase_complete",
+  "orchestrator_start",
+  "dispatch",
+  "reconcile_start",
+  "reconcile_complete",
+  "orchestrator_complete",
+  "convergence_expansion",
+  "coverage_gap",
+  "llm_error",
+]);
 
 function isPlainObject(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
@@ -187,4 +213,4 @@ export function validateAgentEvent(evt, options = {}) {
   return Boolean(normalizeAgentEvent(evt, options));
 }
 
-export { AGENT_EVENT_STREAM };
+export { AGENT_EVENT_STREAM, AGENT_EVENT_TYPES };