Skip to content

Commit ca90b48

Browse files
durandomclaude
andcommitted
feat: add debug subcommand and custom agent docs to /fullsend skill
Add references/debug.md documenting the debug agent architecture — serves as both usage guide and template for building custom agents. Update trigger.md with debug agent (custom dispatch vs built-in). Add debug to SKILL.md command table and routing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent d50cbcc commit ca90b48

4 files changed

Lines changed: 121 additions & 11 deletions

File tree

.claude/skills/fullsend/SKILL.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,8 @@ description: |
99
to set up env vars for the sandbox.
1010
Also use when asked to trigger a fullsend agent, post a slash command on an issue,
1111
watch or monitor a fullsend run, comment on an issue, or manage labels.
12+
Also use when asked to run sandbox diagnostics, debug the sandbox environment,
13+
check if yarn/corepack/openspec work, or build a custom fullsend agent.
1214
---
1315

1416
# /fullsend
@@ -86,6 +88,7 @@ To add a variable, create an env file and wire it via `host_files` in the harnes
8688
| `inspect <run-id \| #issue>` | Investigate a fullsend agent run — status, timing, output, logs |
8789
| `trigger <agent> <#issue\|#PR> [--repo] [--force]` | Post a fullsend slash command to start an agent |
8890
| `watch <#issue\|run-id> [--repo]` | Monitor a triggered run until completion, then auto-inspect |
91+
| `debug <#issue> [--repo]` | Run sandbox diagnostics (shortcut for `trigger debug`) |
8992
| `comment <#issue> <message> [--repo]` | Post a comment on an issue or PR |
9093
| `label <#issue> <add\|remove> <label> [--repo]` | Add or remove a label on an issue or PR |
9194

@@ -105,6 +108,7 @@ Parse the first word after `/fullsend` as the subcommand.
105108
| `inspect` | `references/inspect.md` |
106109
| `trigger` | `references/trigger.md` |
107110
| `watch` | `references/watch.md` |
111+
| `debug` | `references/debug.md` |
108112
| `comment` | `references/comment.md` |
109113
| `label` | `references/label.md` |
110114

Lines changed: 93 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,93 @@
1+
# debug
2+
3+
Run sandbox environment diagnostics to verify the agent runtime is healthy.
4+
5+
The debug agent is a **custom fullsend agent** — the first one built outside the built-in dispatch chain. It reuses the code agent's sandbox identity (same image, policy, host_files, coder token) but only performs diagnostics. Results are posted as a comment on the triggering issue.
6+
7+
## Usage
8+
9+
```
10+
/fullsend debug <#issue> [--repo owner/name]
11+
```
12+
13+
This is a shortcut for `/fullsend trigger debug <#issue>`. See `trigger.md` for the full procedure.
14+
15+
### Direct dispatch (fallback)
16+
17+
If the `/fs-debug` slash-command dispatch fails (GITHUB_TOKEN permission issues), trigger directly:
18+
19+
```bash
20+
gh workflow run fullsend-debug.yml --repo <owner/name> --ref main \
21+
-f issue_key="<N>" -f issue_source="github"
22+
```
23+
24+
## What it checks
25+
26+
| Group | Checks | Why it matters |
27+
|-------|--------|---------------|
28+
| Env vars | COREPACK, YARN, PROXY, NODE, GCP vars | Confirms .env.d files were sourced |
29+
| Yarn & corepack | which, version, readlink | Confirms toolchain is on PATH |
30+
| COREPACK_HOME | Set? Writable? | Must be `/tmp/corepack` (not /usr) |
31+
| Network / proxy | node fetch to npm, yarn config, gh api, curl (expect blocked) | Confirms policy + proxy work |
32+
| Node & tools | node, openspec, gh versions | Confirms image has expected tools |
33+
| Filesystem | /tmp writable, /usr not writable, whoami, disk space | Confirms sandbox isolation |
34+
| .env.d files | List files in /sandbox/workspace/.env.d/ | Confirms host_files delivery |
35+
| GCP credentials | Credential JSON + OIDC token present | Confirms auth will work |
36+
37+
## Output
38+
39+
The agent posts a structured summary as a comment on the triggering issue (via `post-debug.sh`). The comment is tagged with `<!-- fullsend:debug-agent -->` for identification.
40+
41+
The full transcript is also available in the `fullsend-debug` artifact.
42+
43+
## Architecture (template for custom agents)
44+
45+
```
46+
.github/workflows/
47+
fullsend-debug-dispatch.yml ← slash-command listener (/fs-debug)
48+
fullsend-debug.yml ← standalone agent workflow
49+
50+
.fullsend/customized/
51+
agents/debug.md ← agent prompt (diagnostic checks)
52+
harness/debug.yaml ← sandbox config (reuses code policy)
53+
scripts/post-debug.sh ← posts results to issue (untrusted output!)
54+
```
55+
56+
### Workflow steps (fullsend-debug.yml)
57+
58+
1. Checkout repo + target-repo + upstream defaults (scaffold)
59+
2. Prepare workspace (layer scaffold defaults → customized overrides)
60+
3. Validate enrollment
61+
4. Mint coder token (same GitHub App identity as code agent)
62+
5. Setup GCP via WIF + prepare sandbox credentials
63+
6. Setup agent env (DEBUG_ prefix)
64+
7. Install fullsend CLI
65+
8. `fullsend run debug`
66+
9. Upload artifact (always)
67+
68+
### Security: post-script and untrusted output
69+
70+
The agent runs inside an untrusted sandbox. `post-debug.sh` treats all agent output as untrusted:
71+
72+
- Text extracted via `jq` (no shell eval of agent strings)
73+
- Truncated to 60k chars (GitHub comment limit is 65536)
74+
- Posted via `--body-file -` (piped stdin, no shell interpolation)
75+
- `ISSUE_NUMBER` validated as numeric, `REPO_FULL_NAME` validated as `owner/repo`
76+
77+
### Known issues
78+
79+
- **Dispatch 401**: The `fullsend-debug-dispatch.yml` uses `GITHUB_TOKEN` for `gh workflow run`, which calls GraphQL to resolve the default branch. Some repos restrict `GITHUB_TOKEN` GraphQL access. Workaround: pass `--ref main` explicitly, or use direct `gh workflow run` from the CLI.
80+
81+
- **Only in rhdh-agentic**: The debug agent is currently only set up in rhdh-agentic. To use in rhdh-plugins, port the four files listed above.
82+
83+
## Building more custom agents
84+
85+
The debug agent follows the pattern from [fullsend PR #1179](https://github.com/fullsend-ai/fullsend/pull/1179) (building-custom-agents guide). To create a new custom agent:
86+
87+
1. **Agent prompt** (`agents/<name>.md`) — YAML frontmatter + markdown instructions
88+
2. **Harness** (`harness/<name>.yaml`) — image, policy, host_files, timeout, post_script
89+
3. **Workflow** (`.github/workflows/fullsend-<name>.yml`) — standalone, replicates workspace layering + auth
90+
4. **Dispatch** (`.github/workflows/fullsend-<name>-dispatch.yml`) — slash-command listener
91+
5. **Post-script** (optional, `scripts/post-<name>.sh`) — acts on output, treats it as untrusted
92+
93+
No changes to `config.yaml` needed — `fullsend run` does not validate config.yaml roles for standalone workflows.

.claude/skills/fullsend/references/trigger.md

Lines changed: 19 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ If this fails, stop and ask the user to install and authenticate `gh`.
1515
/fullsend trigger <agent> <#issue|#PR> [--repo owner/name] [--force]
1616
```
1717

18-
- `<agent>`: one of `code`, `fix`, `triage`, `review`, `retro`, `prioritize`
18+
- `<agent>`: one of `code`, `fix`, `triage`, `review`, `retro`, `prioritize`, `debug`
1919
- `<#issue|#PR>`: issue or PR number (with or without `#` prefix)
2020
- `--repo owner/name`: override repo resolution
2121
- `--force`: append `--force` to the comment body (only meaningful for `code`)
@@ -30,16 +30,25 @@ Follow the repo resolution order from the SKILL.md `<repo_resolution>` section.
3030

3131
Map the agent argument to the slash command:
3232

33-
| Agent | Slash command |
34-
|-------|---------------|
35-
| `triage` | `/fs-triage` |
36-
| `code` | `/fs-code` |
37-
| `review` | `/fs-review` |
38-
| `fix` | `/fs-fix` |
39-
| `retro` | `/fs-retro` |
40-
| `prioritize` | `/fs-prioritize` |
33+
| Agent | Slash command | Dispatch |
34+
|-------|---------------|----------|
35+
| `triage` | `/fs-triage` | built-in |
36+
| `code` | `/fs-code` | built-in |
37+
| `review` | `/fs-review` | built-in |
38+
| `fix` | `/fs-fix` | built-in |
39+
| `retro` | `/fs-retro` | built-in |
40+
| `prioritize` | `/fs-prioritize` | built-in |
41+
| `debug` | `/fs-debug` | custom workflow |
4142

42-
If the agent name is not in this list, abort with "Unknown agent: &lt;name&gt;. Valid agents: code, fix, triage, review, retro, prioritize."
43+
**Built-in agents** are routed through `reusable-dispatch.yml`. **Custom agents** (like `debug`) use their own dispatch workflow — `/fs-debug` triggers `fullsend-debug-dispatch.yml`, which dispatches `fullsend-debug.yml` via `gh workflow run`.
44+
45+
If the `/fs-debug` dispatch fails (common with `GITHUB_TOKEN` permission issues), fall back to direct dispatch:
46+
```bash
47+
gh workflow run fullsend-debug.yml --repo <owner/name> --ref main \
48+
-f issue_key="<N>" -f issue_source="github"
49+
```
50+
51+
If the agent name is not in this list, abort with "Unknown agent: &lt;name&gt;. Valid agents: code, fix, triage, review, retro, prioritize, debug."
4352

4453
Also accept the full slash command form (e.g., user types `fs-code` or `/fs-code`); normalize to the agent name.
4554

.claude/skills/fullsend/scripts/command-metadata.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,9 +8,13 @@
88
"argumentHint": "<run-id | #issue>"
99
},
1010
"trigger": {
11-
"description": "Post a fullsend slash command on a GitHub issue or PR to start an agent run. Use when triggering /fs-code, /fs-triage, /fs-review, /fs-fix, /fs-retro, or /fs-prioritize.",
11+
"description": "Post a fullsend slash command on a GitHub issue or PR to start an agent run. Use when triggering /fs-code, /fs-triage, /fs-review, /fs-fix, /fs-retro, /fs-prioritize, or /fs-debug.",
1212
"argumentHint": "<agent> <#issue|#PR> [--repo owner/name] [--force]"
1313
},
14+
"debug": {
15+
"description": "Run sandbox environment diagnostics — checks env vars, corepack, yarn, proxy, network, filesystem, and GCP credentials. Posts results as a comment on the issue. Also documents the custom agent architecture for building new agents.",
16+
"argumentHint": "<#issue> [--repo owner/name]"
17+
},
1418
"watch": {
1519
"description": "Monitor a triggered fullsend run until completion, then auto-inspect it. Use when waiting for a fullsend agent run to finish.",
1620
"argumentHint": "<#issue|run-id> [--repo owner/name]"

0 commit comments

Comments
 (0)