sentinelayer-cli 0.9.7 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/package.json +1 -1
  2. package/src/ai/proxy.js +49 -9
  3. package/src/auth/session-store.js +55 -30
  4. package/src/commands/session.js +8 -0
  5. package/src/session/daemon.js +13 -0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "sentinelayer-cli",
3
- "version": "0.9.7",
3
+ "version": "0.10.0",
4
4
  "description": "Scaffold Sentinelayer spec/prompt/guide artifacts with secure browser auth and token bootstrap.",
5
5
  "type": "module",
6
6
  "scripts": {
package/src/ai/proxy.js CHANGED
@@ -27,7 +27,15 @@ const PROXY_RETRY_STATUSES = new Set([429, 502, 503, 504]);
27
27
  * @param {number} [options.temperature] - Temperature (default: 0.1)
28
28
  * @param {string} [options.apiUrl] - Override API URL
29
29
  * @param {string} [options.token] - Override Bearer token
30
- * @returns {Promise<{ text: string, usage: { inputTokens: number, outputTokens: number, costUsd: number, model: string, provider: string, latencyMs: number } }>}
30
+ * @param {string} [options.sessionId] - Optional Senti session id for server-side usage metering
31
+ * @param {string} [options.agentId] - Optional session agent id for server-side usage metering
32
+ * @param {string} [options.action] - Optional metered action, defaults server-side when omitted
33
+ * @param {string} [options.usageIdempotencyKey] - Stable per-intent key for proxy + ledger idempotency
34
+ * @param {string} [options.billingTier] - Optional billing tier hint
35
+ * @param {string} [options.customerPricingPolicy] - Optional customer pricing policy hint
36
+ * @param {object} [options.metadata] - Optional allowlisted billing metadata
37
+ * @param {Function} [options.fetchImpl] - Optional fetch implementation for tests
38
+ * @returns {Promise<{ text: string, usage: { inputTokens: number, outputTokens: number, costUsd: number, model: string, provider: string, latencyMs: number }, usageLedger: object | null }>}
31
39
  */
32
40
  export async function invokeViaProxy({
33
41
  prompt,
@@ -37,6 +45,14 @@ export async function invokeViaProxy({
37
45
  temperature = 0.1,
38
46
  apiUrl = "",
39
47
  token = "",
48
+ sessionId = "",
49
+ agentId = "",
50
+ action = "",
51
+ usageIdempotencyKey = "",
52
+ billingTier = "",
53
+ customerPricingPolicy = "",
54
+ metadata = null,
55
+ fetchImpl = fetch,
40
56
  } = {}) {
41
57
  // Resolve credentials from session if not provided
42
58
  let resolvedApiUrl = String(apiUrl || "").trim();
@@ -59,13 +75,40 @@ export async function invokeViaProxy({
59
75
 
60
76
  const url = `${resolvedApiUrl.replace(/\/+$/, "")}/api/v1/proxy/llm`;
61
77
 
62
- const body = JSON.stringify({
78
+ const requestBody = {
63
79
  model,
64
80
  system_prompt: systemPrompt || "You are a code reviewer.",
65
81
  user_content: String(prompt || ""),
66
82
  max_tokens: maxTokens,
67
83
  temperature,
68
- });
84
+ };
85
+
86
+ const normalizedSessionId = String(sessionId || "").trim();
87
+ const normalizedAgentId = String(agentId || "").trim();
88
+ const normalizedAction = String(action || "").trim();
89
+ const normalizedUsageIdempotencyKey = String(usageIdempotencyKey || "").trim();
90
+ const normalizedBillingTier = String(billingTier || "").trim();
91
+ const normalizedCustomerPricingPolicy = String(customerPricingPolicy || "").trim();
92
+ if (normalizedSessionId) requestBody.session_id = normalizedSessionId;
93
+ if (normalizedAgentId) requestBody.agent_id = normalizedAgentId;
94
+ if (normalizedAction) requestBody.action = normalizedAction;
95
+ if (normalizedUsageIdempotencyKey) requestBody.usage_idempotency_key = normalizedUsageIdempotencyKey;
96
+ if (normalizedBillingTier) requestBody.billing_tier = normalizedBillingTier;
97
+ if (normalizedCustomerPricingPolicy) requestBody.customer_pricing_policy = normalizedCustomerPricingPolicy;
98
+ if (metadata && typeof metadata === "object" && !Array.isArray(metadata)) {
99
+ requestBody.metadata = metadata;
100
+ }
101
+
102
+ const headers = {
103
+ "Content-Type": "application/json",
104
+ Authorization: `Bearer ${resolvedToken}`,
105
+ Accept: "application/json",
106
+ };
107
+ if (normalizedUsageIdempotencyKey) {
108
+ headers["Idempotency-Key"] = normalizedUsageIdempotencyKey;
109
+ }
110
+
111
+ const body = JSON.stringify(requestBody);
69
112
 
70
113
  let response = null;
71
114
  let lastError = null;
@@ -75,13 +118,9 @@ export async function invokeViaProxy({
75
118
  const controller = new AbortController();
76
119
  const timeoutHandle = setTimeout(() => controller.abort(), PROXY_TIMEOUT_MS);
77
120
  try {
78
- response = await fetch(url, {
121
+ response = await fetchImpl(url, {
79
122
  method: "POST",
80
- headers: {
81
- "Content-Type": "application/json",
82
- Authorization: `Bearer ${resolvedToken}`,
83
- Accept: "application/json",
84
- },
123
+ headers,
85
124
  body,
86
125
  signal: controller.signal,
87
126
  });
@@ -131,6 +170,7 @@ export async function invokeViaProxy({
131
170
  provider: result.usage?.provider || "sentinelayer",
132
171
  latencyMs: result.usage?.latency_ms || 0,
133
172
  },
173
+ usageLedger: result.usageLedger || result.usage_ledger || null,
134
174
  };
135
175
  }
136
176
 
package/src/auth/session-store.js CHANGED
@@ -17,6 +17,8 @@ const SESSION_WARNING_ALLOWED_FIELDS = new Set([
17
17
  "codeHint",
18
18
  "requestIdHash",
19
19
  ]);
20
+ const emittedSessionWarningKeys = new Set();
21
+ let keytarClientOverrideForTests;
20
22
 
21
23
  function nowIso() {
22
24
  return new Date().toISOString();
@@ -69,26 +71,45 @@ function sanitizeSessionWarningDetails(details) {
69
71
 
70
72
  function emitSessionWarning(code, details = {}) {
71
73
  const sanitizedDetails = sanitizeSessionWarningDetails(details);
74
+ const normalizedCode = String(code || "SESSION_WARNING").toUpperCase();
75
+ const allowedDetails = {};
76
+ for (const [key, value] of Object.entries(sanitizedDetails)) {
77
+ allowedDetails[key] = SESSION_WARNING_ALLOWED_FIELDS.has(key) ? value : "[OMITTED]";
78
+ }
79
+ const warningKey = `${normalizedCode}:${JSON.stringify(allowedDetails)}`;
80
+ if (emittedSessionWarningKeys.has(warningKey)) {
81
+ return;
82
+ }
83
+ emittedSessionWarningKeys.add(warningKey);
84
+
72
85
  const payload = {
73
86
  level: "warn",
74
- code: String(code || "SESSION_WARNING").toUpperCase(),
87
+ code: normalizedCode,
75
88
  warningId: createSessionWarningId(),
76
89
  timestamp: nowIso(),
77
90
  };
78
- for (const [key, value] of Object.entries(sanitizedDetails)) {
79
- if (SESSION_WARNING_ALLOWED_FIELDS.has(key)) {
80
- payload[key] = value;
81
- } else {
82
- payload[key] = "[OMITTED]";
83
- }
91
+ for (const [key, value] of Object.entries(allowedDetails)) {
92
+ payload[key] = value;
84
93
  }
85
94
  try {
86
- console.warn(`${SESSION_WARNING_PREFIX} ${JSON.stringify(payload)}`);
95
+ process.stderr.write(`${SESSION_WARNING_PREFIX} ${JSON.stringify(payload)}\n`);
87
96
  } catch {
88
- console.warn(`${SESSION_WARNING_PREFIX} ${payload.code}`);
97
+ console.error(`${SESSION_WARNING_PREFIX} ${payload.code}`);
89
98
  }
90
99
  }
91
100
 
101
+ export function resetSessionWarningsForTests() {
102
+ emittedSessionWarningKeys.clear();
103
+ }
104
+
105
+ export function setKeytarClientForTests(client) {
106
+ const previous = keytarClientOverrideForTests;
107
+ keytarClientOverrideForTests = client || null;
108
+ return () => {
109
+ keytarClientOverrideForTests = previous;
110
+ };
111
+ }
112
+
92
113
  function resolveHomeDir(homeDir) {
93
114
  return path.resolve(String(homeDir || os.homedir()));
94
115
  }
@@ -356,7 +377,10 @@ async function replaceWithBackup(tmpPath, filePath) {
356
377
  }
357
378
  }
358
379
 
359
- async function loadKeytarClient() {
380
+ async function loadKeytarClient({ allowImplicit = false } = {}) {
381
+ if (keytarClientOverrideForTests !== undefined) {
382
+ return keytarClientOverrideForTests;
383
+ }
360
384
  const disableKeyring = String(process.env.SENTINELAYER_DISABLE_KEYRING || "")
361
385
  .trim()
362
386
  .toLowerCase();
@@ -372,7 +396,7 @@ async function loadKeytarClient() {
372
396
  keyringMode === "on" ||
373
397
  keyringMode === "true" ||
374
398
  keyringMode === "1";
375
- if (!enableKeyring) {
399
+ if (!enableKeyring && !allowImplicit) {
376
400
  return null;
377
401
  }
378
402
  try {
@@ -394,6 +418,20 @@ async function loadKeytarClient() {
394
418
  }
395
419
  }
396
420
 
421
+ async function encryptTokenForFileFallback(token, { homeDir } = {}) {
422
+ const key = await loadOrCreateFileKey({ homeDir });
423
+ return encryptToken(token, key);
424
+ }
425
+
426
+ async function attachEncryptedTokenFallback(metadata, token, { homeDir } = {}) {
427
+ const encrypted = await encryptTokenForFileFallback(token, { homeDir });
428
+ metadata.tokenEncrypted = encrypted.tokenEncrypted;
429
+ metadata.tokenIv = encrypted.tokenIv;
430
+ metadata.tokenTag = encrypted.tokenTag;
431
+ metadata.token = null;
432
+ return metadata;
433
+ }
434
+
397
435
  async function readMetadata({ homeDir } = {}) {
398
436
  const filePath = resolveCredentialsFilePath({ homeDir });
399
437
  try {
@@ -480,20 +518,12 @@ async function migratePlaintextTokenIfNeeded({ metadata, filePath, homeDir } = {
480
518
  nextMetadata.storage = "keyring";
481
519
  nextMetadata.keyringService = KEYRING_SERVICE;
482
520
  nextMetadata.keyringAccount = keyringAccount;
483
- const key = await loadOrCreateFileKey({ homeDir });
484
- const encrypted = encryptToken(plaintextToken, key);
485
- nextMetadata.tokenEncrypted = encrypted.tokenEncrypted;
486
- nextMetadata.tokenIv = encrypted.tokenIv;
487
- nextMetadata.tokenTag = encrypted.tokenTag;
521
+ await attachEncryptedTokenFallback(nextMetadata, plaintextToken, { homeDir });
488
522
  } else {
489
- const key = await loadOrCreateFileKey({ homeDir });
490
- const encrypted = encryptToken(plaintextToken, key);
491
523
  nextMetadata.storage = "file";
492
524
  nextMetadata.keyringService = KEYRING_SERVICE;
493
525
  nextMetadata.keyringAccount = "";
494
- nextMetadata.tokenEncrypted = encrypted.tokenEncrypted;
495
- nextMetadata.tokenIv = encrypted.tokenIv;
496
- nextMetadata.tokenTag = encrypted.tokenTag;
526
+ await attachEncryptedTokenFallback(nextMetadata, plaintextToken, { homeDir });
497
527
  }
498
528
 
499
529
  await writeMetadata(filePath, nextMetadata);
@@ -570,7 +600,7 @@ export async function readStoredSession({ homeDir } = {}) {
570
600
  }
571
601
 
572
602
  if (metadata.storage === "keyring") {
573
- const keytar = await loadKeytarClient();
603
+ const keytar = await loadKeytarClient({ allowImplicit: true });
574
604
  let keyringError = null;
575
605
  if (keytar && metadata.keyringAccount) {
576
606
  try {
@@ -763,17 +793,12 @@ export async function writeStoredSession(
763
793
  nextMetadata.storage = "keyring";
764
794
  nextMetadata.keyringService = KEYRING_SERVICE;
765
795
  nextMetadata.keyringAccount = keyringAccount;
766
- nextMetadata.token = null;
796
+ await attachEncryptedTokenFallback(nextMetadata, normalizedToken, { homeDir });
767
797
  } else {
768
798
  nextMetadata.storage = "file";
769
799
  nextMetadata.keyringService = KEYRING_SERVICE;
770
800
  nextMetadata.keyringAccount = "";
771
- const key = await loadOrCreateFileKey({ homeDir });
772
- const encrypted = encryptToken(normalizedToken, key);
773
- nextMetadata.token = null;
774
- nextMetadata.tokenEncrypted = encrypted.tokenEncrypted;
775
- nextMetadata.tokenIv = encrypted.tokenIv;
776
- nextMetadata.tokenTag = encrypted.tokenTag;
801
+ await attachEncryptedTokenFallback(nextMetadata, normalizedToken, { homeDir });
777
802
  }
778
803
 
779
804
  await writeMetadata(filePath, nextMetadata);
@@ -794,7 +819,7 @@ export async function writeStoredSession(
794
819
  export async function clearStoredSession({ homeDir } = {}) {
795
820
  const { filePath, metadata } = await readMetadata({ homeDir });
796
821
  if (metadata && metadata.storage === "keyring") {
797
- const keytar = await loadKeytarClient();
822
+ const keytar = await loadKeytarClient({ allowImplicit: true });
798
823
  if (keytar && metadata.keyringAccount) {
799
824
  await keytar.deletePassword(metadata.keyringService || KEYRING_SERVICE, metadata.keyringAccount);
800
825
  }
package/src/commands/session.js CHANGED
@@ -1690,6 +1690,14 @@ export function registerSessionCommand(program) {
1690
1690
  let hydration = null;
1691
1691
  let remoteTail = null;
1692
1692
  if (options.remote) {
1693
+ const authSession = await resolveActiveAuthSession({
1694
+ cwd: targetPath,
1695
+ env: process.env,
1696
+ autoRotate: false,
1697
+ });
1698
+ if (!authSession || !authSession.token) {
1699
+ throw new Error(`Remote session read requires authentication. Run \`${authLoginHint()}\` first.`);
1700
+ }
1693
1701
  hydration = await hydrateSessionFromRemote({
1694
1702
  sessionId: normalizedSessionId,
1695
1703
  targetPath,
package/src/session/daemon.js CHANGED
@@ -453,6 +453,10 @@ async function buildHelpResponseMessage(
453
453
  normalizePositiveInteger(daemonState.helpRequestTimeoutMs, HELP_REQUEST_TIMEOUT_MS) * 2
454
454
  )
455
455
  );
456
+ const requestCorrelationId =
457
+ normalizeString(requestEvent?.payload?.requestId) ||
458
+ normalizeString(requestEvent?.requestId) ||
459
+ normalizeIsoTimestamp(requestEvent?.ts, daemonState.startedAt);
456
460
 
457
461
  try {
458
462
  const llmResult = await runWithTimeout(
@@ -463,6 +467,15 @@ async function buildHelpResponseMessage(
463
467
  prompt: userPrompt,
464
468
  maxTokens: 320,
465
469
  temperature: 0.1,
470
+ sessionId: daemonState.sessionId,
471
+ agentId: SENTI_IDENTITY.id,
472
+ action: "proxy_llm",
473
+ usageIdempotencyKey: `senti:${daemonState.sessionId}:help:${requestCorrelationId}`,
474
+ billingTier: "internal",
475
+ metadata: {
476
+ purpose: "senti_help_response",
477
+ runId: requestCorrelationId,
478
+ },
466
479
  })
467
480
  ),
468
481
  llmTimeoutMs,