Skip to content

fix(#2806): resolve host_files relative src paths for URL bases#2808

Merged
ggallen merged 1 commit into
mainfrom
agent/2806-host-files-url-resolution
Jun 30, 2026
Merged

fix(#2806): resolve host_files relative src paths for URL bases#2808
ggallen merged 1 commit into
mainfrom
agent/2806-host-files-url-resolution

Conversation

@fullsend-ai-coder

Copy link
Copy Markdown
Contributor

When a harness is sourced from a URL (via base: composition or config-registered agents), host_files entries with relative src paths were not being resolved. resolveBaseScripts handles scripts and resolveBaseResources handles agent/policy/skills, but neither handled host_files[].src. Relative paths remained as unresolved strings and failed at sandbox setup time.

Add resolveBaseHostFiles() which iterates host_files entries, detects relative src paths (skipping ${VAR} env var references, URLs, and absolute paths), fetches them from the base URL using the existing fetchBaseFile infrastructure, caches them content-addressed, and rewrites src to the local cache path. The function is called from loadBaseChain alongside the existing resolveBaseScripts and resolveBaseResources calls.

Note: pre-commit could not run in sandbox due to shellcheck install failure (network restriction). Post-script runs pre-commit authoritatively.


Closes #2806

Post-script verification

  • Branch is not main/master (agent/2806-host-files-url-resolution)
  • Secret scan passed (gitleaks — e5bbbf48f09f3bc0f7ea2abf24afafd88a8e8d56..HEAD)
  • Pre-commit hooks passed (authoritative run on runner)
  • Tests ran inside sandbox

When a harness is sourced from a URL (via base: composition or
config-registered agents), host_files entries with relative src
paths were not being resolved. resolveBaseScripts handles scripts
and resolveBaseResources handles agent/policy/skills, but neither
handled host_files[].src. Relative paths remained as unresolved
strings and failed at sandbox setup time.

Add resolveBaseHostFiles() which iterates host_files entries,
detects relative src paths (skipping ${VAR} env var references,
URLs, and absolute paths), fetches them from the base URL using
the existing fetchBaseFile infrastructure, caches them
content-addressed, and rewrites src to the local cache path.
The function is called from loadBaseChain alongside the existing
resolveBaseScripts and resolveBaseResources calls.

Note: pre-commit could not run in sandbox due to shellcheck
install failure (network restriction). Post-script runs
pre-commit authoritatively.

Closes #2806
@fullsend-ai-coder fullsend-ai-coder Bot requested a review from a team as a code owner June 30, 2026 22:10
@fullsend-ai-coder fullsend-ai-coder Bot added the ready-for-review Agent PR ready for human review label Jun 30, 2026
@github-actions

Copy link
Copy Markdown

Site preview

Preview: https://581a7051-site.fullsend-ai.workers.dev

Commit: 03ed46ad63e1074fa0084146943dd5e945b29daa

@codecov

codecov Bot commented Jun 30, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 81.81818% with 4 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
internal/harness/compose.go 81.81% 2 Missing and 2 partials ⚠️

📢 Thoughts on this report? Let us know!

@ggallen

ggallen commented Jun 30, 2026

Copy link
Copy Markdown
Member

/fs-review

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 30, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 11:14 PM UTC · Completed 11:22 PM UTC
Commit: e6b1ae3 · View workflow run →

@fullsend-ai-review

Copy link
Copy Markdown

Looks good to me


Labels: PR fixes a bug in the harness compose pipeline (internal/harness/compose.go)

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge component/harness Agent harness, config, and skills loading type/bug Confirmed defect in existing behavior labels Jun 30, 2026
@ggallen ggallen added this pull request to the merge queue Jun 30, 2026
Merged via the queue into main with commit 6649b42 Jun 30, 2026
29 of 33 checks passed
@ggallen ggallen deleted the agent/2806-host-files-url-resolution branch June 30, 2026 23:39
@fullsend-ai-retro

fullsend-ai-retro Bot commented Jun 30, 2026

Copy link
Copy Markdown

🤖 Finished Retro · ✅ Success · Started 11:43 PM UTC · Completed 11:49 PM UTC
Commit: 03ed46a · View workflow run →

@fullsend-ai-retro

Copy link
Copy Markdown

Retro: PR #2808 — resolve host_files relative src paths for URL bases

Workflow quality: Excellent. This was a clean end-to-end autonomous workflow with no rework cycles.

Timeline

Time (UTC) Event
21:53 Issue #2806 filed by human with detailed bug report (specific files, line numbers, affected code)
21:53 Triage agent ran — labeled ready-to-code
22:00 Code agent ran — produced fix in ~10 minutes
22:10 PR #2808 opened (2 files, 239 additions, 198 lines of tests)
23:12 Human triggered /fs-review
23:22 Review agent approved — 4 sub-agents (correctness, security, style, intent), no findings above medium threshold
23:26 Human approved
23:39 Merged

Total time: ~1h46m from issue to merge. Zero rework iterations.

What went well

  • Code agent produced clean, well-structured code on first attempt. The new resolveBaseHostFiles() function follows the exact same pattern as existing resolveBaseScripts() and resolveBaseResources(), with 198 lines of comprehensive tests.
  • Review agent dispatched appropriate sub-agents. The security sub-agent verified path traversal defense (validateBaseRelPath), allowlist enforcement (fetchBaseFile), ${VAR} skip logic, and SSRF protection.
  • Issue quality was a key enabler — the human-filed issue included specific file paths, line numbers, and a concrete example, giving the code agent excellent context.

Marginal improvements (already tracked)

The only observations I identified are already covered by existing open issues:

  • Generic LGTM message: The review agent's "Looks good to me" summary could surface suppressed low-severity findings for transparency → #2609, #2469
  • Coverage gap not surfaced: Codecov reported 81.81% patch coverage (4 lines missing), but the review agent didn't mention it → #2589
  • Retro on clean workflows: This clean approval with no findings is a candidate for retro skip → #2749, #2638

No new proposals filed — all improvement opportunities are already tracked.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

component/harness Agent harness, config, and skills loading ready-for-merge All reviewers approved — ready to merge ready-for-review Agent PR ready for human review type/bug Confirmed defect in existing behavior

Projects

None yet

Development

Successfully merging this pull request may close these issues.

harness: host_files with relative src paths not resolved for URL-sourced harnesses

1 participant