### Install Dependencies and Run Development Server Source: https://github.com/fullsend-ai/fullsend/blob/main/web/admin/README.md Installs project dependencies and starts the local development server. Use this to run the site locally for development. ```bash npm ci npm run dev ``` -------------------------------- ### Fullsend GitHub Setup Command Example Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/guides/getting-started/getting-inference.md An example command to set up GitHub integration with Fullsend, using the previously provisioned WIF provider URL. Replace placeholders with your actual organization, repository, and GCP project details. ```bash fullsend github setup / \ --inference-project= \ --inference-wif-provider=projects//locations/global/workloadIdentityPools/fullsend-inference/providers/gh-- ``` -------------------------------- ### Unified Install Pipeline Overview Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/guides/dev/cli-internals.md This diagram illustrates the shared installation pipeline for both per-organization and per-repository modes. It outlines the sequence of phases: Discover, App setup, Mint provisioning, WIF provisioning, and Write scaffold + config files. ```text ┌─────────────────────────────────────────────────────────────────┐ │ Unified Install Pipeline (both modes) │ ├─────────────────────────────────────────────────────────────────┤ │ │ │ fullsend admin install │ │ ┌──────────────────────┐ │ │ │ Parse target │ │ │ │ "acme" → org │ │ │ │ "acme/repo" → repo │ │ │ └──────────┬───────────┘ │ │ ▼ │ │ ┌────────────────────────────────────────────────────────────┐ │ │ │ Phase 1: Discover (read-only) │ │ │ │ │ │ │ │ a. Discover mint --mint-url / --mint-project / default │ │ │ │ └─ DiscoverMint() → check if GCF exists, get URL │ │ │ │ b. Resolve existing app IDs from mint env vars │ │ │ │ └─ ROLE_APP_IDS (role → app ID, shared) → skip app │ │ │ │ creation when all roles are present │ │ │ └──────────┬─────────────────────────────────────────────────┘ │ │ ▼ │ │ ┌────────────────────────────────────────────────────────────┐ │ │ │ Phase 2: App setup (shared: runAppSetup) │ │ │ │ │ │ │ │ For each role in --agents: │ │ │ │ - Create/reuse GitHub App ({appSet}-{role} via --app-set)│ │ │ │ - Download PEM key from App creation flow │ │ │ │ - Store PEM in GCP Secret Manager │ │ │ │ - Record App ID + Client ID │ │ │ │ │ │ │ │ Shared code: runAppSetup() → []AgentCredentials │ │ │ └──────────┬─────────────────────────────────────────────────┘ │ │ ▼ │ │ ┌────────────────────────────────────────────────────────────┐ │ │ │ Phase 3: Mint provisioning │ │ │ │ │ │ │ │ If mint not found → deploy GCF (Provision) │ │ │ │ If mint exists → register org (EnsureOrgInMint) │ │ │ │ → store PEMs in Secret Manager │ │ │ │ │ │ │ │ Both modes use gcf.NewProvisioner with same Config{} │ │ │ │ ┌──────────────────────────────────────────┐ │ │ │ │ │ Per-repo adds: RegisterPerRepoWIF() │ │ │ │ │ │ (adds repo to PER_REPO_WIF_REPOS env) │ │ │ │ │ └──────────────────────────────────────────┘ │ │ │ └──────────┬─────────────────────────────────────────────────┘ │ │ ▼ │ │ ┌────────────────────────────────────────────────────────────┐ │ │ │ Phase 4: WIF provisioning (inference auth) │ │ │ │ │ │ │ │ Both modes: ProvisionWIF() → create pool, provider, IAM │ │ │ │ ┌──────────────────────────────────────────┐ │ │ │ │ │ Per-org: org-wide WIF provider │ │ │ │ │ │ Per-repo: repo-scoped (mintcore.BuildRepoProviderID)│ │ │ │ │ └──────────────────────────────────────────┘ │ │ │ └──────────┬─────────────────────────────────────────────────┘ │ │ ▼ │ │ ┌────────────────────────────────────────────────────────────┐ │ │ │ Phase 5: Write scaffold + config files │ │ │ │ │ │ │ │ Both modes: write workflow files + customized/ dirs │ │ │ │ CommitScaffoldFiles() delivery modes: │ │ │ │ Default (PR): create feature branch → commit → open PR │ │ │ │ --direct: try CommitFiles (default branch) │ │ │ │ if ErrBranchProtected → fall back to PR mode │ │ │ │ ┌──────────────────────────────────────────┐ │ │ │ │ │ Per-org: create .fullsend config repo │ │ │ │ │ │ push reusable workflows │ │ │ │ │ │ vendor fullsend binary (opt) │ │ │ ``` -------------------------------- ### Fullsend Admin Install Command Breakdown Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/reference/github-setup.md Illustrates how the `fullsend admin install` command is composed of standalone subcommands for mint deployment, enrollment, inference provisioning, and GitHub setup. ```bash fullsend admin install ├── mint deploy + mint enroll → fullsend mint deploy + fullsend mint enroll ├── inference provision → fullsend inference provision └── github setup → fullsend github setup --mint-url=... --inference-wif-provider=... ``` -------------------------------- ### WIF Provider Output Example Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/guides/getting-started/org-mode.md This output shows the successful provisioning of WIF infrastructure and provides the WIF Provider URL needed for GitHub setup. ```text ⚡ fullsend Autonomous agentic development for GitHub organizations → Provisioning WIF for org-scoped inference: • Provisioning WIF infrastructure ✓ WIF infrastructure ready WIF Provider: projects//locations/global/workloadIdentityPools/fullsend-inference/providers/github-oidc Pass this value to the GitHub setup command: fullsend github setup \ --inference-project= \ --inference-wif-provider=projects//locations/global/workloadIdentityPools/fullsend-inference/providers/github-oidc ``` -------------------------------- ### Run Agent with Rootless Podman Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/plans/agent-execution-environment.md This example demonstrates running the agent using rootless Podman. Ensure Podman is installed and the agent image is available. ```bash # Install Podman sudo apt-get install -y podman # Run agent with rootless Podman podman run --rm \ -e AGENT_NAME=triage \ ghcr.io/fullsend-ai/agent-sandbox:v1.2.3 ``` -------------------------------- ### Build Empty Installations Hint Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/superpowers/plans/2026-04-29-admin-spa-org-list-installations.md Provides a user-friendly message when no GitHub organizations have the Fullsend app installed. Guides the user to install the app. ```typescript export function buildEmptyInstallationsHint(): string { return ( "No GitHub organisations in this list have the Fullsend app installed for your account yet. " + "Use “Add the app…” below to install it on the organisations you administer." ); } ``` -------------------------------- ### Per-Repo Installation Steps Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/ADRs/0033-per-repo-installation-mode.md Outlines the sequence of actions performed during a per-repository Fullsend installation, from infrastructure discovery to scaffold file generation and commit. ```text 1. Discovers existing infrastructure: auto-discovers mint URL and app IDs from `--mint-project`/`--mint-region` in a single API call. 2. If apps are missing and `--skip-app-setup` is not set: creates GitHub Apps via the browser-based manifest flow (same as per-org). PEMs are stored in Secret Manager. 3. If no mint exists: deploys the token mint Cloud Function (same provisioner path as per-org). 4. If a mint already exists: validates PEMs, registers the org, and sets up per-repo WIF. 5. Auto-provisions inference WIF pool/provider if `--inference-wif-provider` is omitted. 6. Generates scaffold files (`.github/workflows/fullsend.yaml`, `.fullsend/config.yaml`, `.fullsend/customized/` directories). 7. Commits all scaffold files to the target repo via the GitHub API. 8. Sets repository variables (`FULLSEND_MINT_URL`, `FULLSEND_GCP_REGION`, `FULLSEND_PER_REPO_INSTALL`). 9. Sets repository secrets (`FULLSEND_GCP_PROJECT_ID`, WIF credentials). ``` -------------------------------- ### Per-Org vs. Per-Repo Installation CLI Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/ADRs/0033-per-repo-installation-mode.md Illustrates the command-line syntax for installing Fullsend in per-organization and per-repository modes. ```bash fullsend admin install # per-org installation fullsend admin install # per-repo installation ``` -------------------------------- ### Install FullSend with Assisted Installation (Platform Project Access) Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/reference/installation.md Use this command if you have IAM access to the platform operator's GCP project. The installer can discover shared apps and handle validation automatically. ```bash fullsend admin install "$ORG_NAME/$REPO_NAME" \ --inference-project "$GCP_PROJECT" \ --mint-url "$PLATFORM_MINT_URL" \ --mint-project "$PLATFORM_MINT_PROJECT" \ --mint-region "$PLATFORM_MINT_REGION" ``` -------------------------------- ### FullSend CLI Install Mode Detection Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/guides/dev/cli-internals.md Demonstrates how the `install` command detects installation mode based on the provided positional argument. ```bash fullsend admin install → Per-org mode (full infrastructure) fullsend admin install / → Per-repo mode (single repo bootstrap) ``` -------------------------------- ### Run FullSend Installer Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/reference/installation.md Execute the FullSend installer with specified organization and GCP projects for inference and minting. ```bash fullsend admin install "$ORG_NAME" \ --inference-project "$GCP_PROJECT" \ --mint-project "$GCP_PROJECT" ``` -------------------------------- ### Install Binary Locally Source: https://github.com/fullsend-ai/fullsend/blob/main/skills/cutting-releases/SKILL.md Download, verify, and install a specific version of the binary locally using the provided script. An optional installation directory can be specified. ```bash bash skills/cutting-releases/scripts/install-binary.sh [install-dir] ``` -------------------------------- ### Local Preview: Static Tree + Worker Setup Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/site-deployment.md This script sets up a local preview environment that closely mimics the production asset layout. It installs dependencies, builds the project, copies static assets to the correct directory structure, and then runs the Cloudflare Worker locally using Wrangler. ```bash npm ci npm run build mkdir -p cloudflare_site/public/assets mkdir -p cloudflare_site/public/admin mkdir -p cloudflare_site/public/docs cp web/public/index.html cloudflare_site/public/index.html cp web/public/graph.html cloudflare_site/public/graph.html cp -a web/dist/assets/. cloudflare_site/public/assets/ cp -a web/dist/admin/. cloudflare_site/public/admin/ cp -a web/dist/docs/. cloudflare_site/public/docs/ cd cloudflare_site && npx wrangler@4 dev ``` -------------------------------- ### Start REST Server and Create Sandbox Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/plans/agent-execution-environment.md The fullsend harness starts the REST server before creating the agent sandbox. This snippet shows the harness steps, including reading agent config, starting the REST server, creating the sandbox with network policies, executing the agent, and cleaning up. ```bash # Inside the container fullsend run triage --event-payload "$EVENT_PAYLOAD" # Harness steps: # 1. Read agent config (/opt/fullsend/agents/triage/config.yaml) # 2. Start REST server if required: # /opt/fullsend/servers/github-rest-server --port 8081 --token $GITHUB_TOKEN & # SERVER_PID=$! # 3. Create OpenShell sandbox with L7 policy allowing http://127.0.0.1:8081/repos/*/*/issues (GET only) # 4. Execute agent inside sandbox # 5. Wait for agent completion # 6. Kill REST server (kill $SERVER_PID) # 7. Clean up sandbox namespace ``` -------------------------------- ### Install OpenShell Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/guides/user/running-agents-locally.md Installs the OpenShell sandbox runtime using a script from GitHub. Ensure the OPENSHELL_VERSION matches your Fullsend workflow for reproducibility. ```bash export OPENSHELL_VERSION=0.0.63 curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/v${OPENSHELL_VERSION}/install.sh | OPENSHELL_VERSION=v${OPENSHELL_VERSION} sh openshell --version ``` -------------------------------- ### Example Agent Configuration Variables Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/ADRs/0049-agent-configuration-env-var-convention.md Illustrates specific examples of agent configuration variables following the defined convention. These variables control agent behavior and settings. ```text REVIEW_SEVERITY_THRESHOLD CODE_MAX_FILE_SIZE REVIEW_POST_INLINE TRIAGE_SKIP_DUPLICATE_CHECK ``` -------------------------------- ### First-time FullSend Install (No Prior Infrastructure) Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/reference/installation.md This command is for initial installations where no GitHub Apps or token mints exist. It will discover existing infrastructure and create any missing components, such as Cloud Functions for the mint. ```bash export ORG_NAME="" export REPO_NAME="" export GCP_PROJECT="" ``` ```bash fullsend admin install "$ORG_NAME/$REPO_NAME" \ --inference-project "$GCP_PROJECT" \ --mint-project "$GCP_PROJECT" ``` -------------------------------- ### Migration: Per-Org to Per-Repo Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/ADRs/0033-per-repo-installation-mode.md Steps to migrate from a per-organization Fullsend installation to a per-repository setup. ```text - Per-org → per-repo: Remove from enrollment, run `fullsend admin install owner/repo` (sets the guard variable and writes the per-repo shim). ``` -------------------------------- ### Per-Repo GitHub Setup Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/reference/github-setup.md Use this command to bootstrap a single repository with Fullsend. Ensure you replace placeholders like with your actual values. This command is for repo admins without org access. ```bash fullsend github setup acme-corp/my-service \ --mint-url= \ --inference-project=my-gcp-project \ --inference-wif-provider=projects/123456789/locations/global/workloadIdentityPools/fullsend-inference/providers/github-oidc ``` -------------------------------- ### Migration: Per-Repo to Per-Org Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/ADRs/0033-per-repo-installation-mode.md Steps to migrate from a per-repository Fullsend installation to a per-organization setup. ```text - Per-repo → per-org: Remove `FULLSEND_PER_REPO_INSTALL` variable from the repo, remove workflow file, add to `.fullsend/config.yaml` enrollment. ``` -------------------------------- ### Per-Org GitHub Setup Skipping App Installation Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/reference/github-setup.md This command is used when GitHub Apps are already installed on your organization. It bypasses the automatic GitHub App creation and installation steps, proceeding directly to configuring secrets and variables. This is useful if an owner has pre-installed the necessary apps. ```bash # Org owner has already installed fullsend-ai apps on acme-corp fullsend github setup acme-corp \ --mint-url= \ --inference-project=my-gcp-project \ --inference-wif-provider=projects/123456789/locations/global/workloadIdentityPools/fullsend-inference/providers/github-oidc \ --skip-app-setup ``` -------------------------------- ### Build and Preview Production Site Source: https://github.com/fullsend-ai/fullsend/blob/main/web/admin/README.md Builds a production-ready static bundle of the site and then starts a local preview server. Use for testing the production build. ```bash npm run build npm run preview ``` -------------------------------- ### Example Harness Configuration Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/plans/universal-harness-access-phase2.md This YAML configuration demonstrates how to set up an agent, policy, and skills for `fullsend run`, including remote skill URLs and allowed remote resources. ```yaml agent: agents/code.md policy: policies/code.yaml skills: - skills/local-skill - https://github.com/fullsend-ai/library/tree/8cd3799.../skills/rust-conventions#sha256=... allowed_remote_resources: - https://github.com/fullsend-ai/library/ ``` -------------------------------- ### Example of Universal Harness Execution Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/plans/universal-harness-access.md Demonstrates how to run a harness directly from a URL. The runner will fetch the harness definition, discover and recursively fetch all dependencies, validate integrity, apply security policies, provision the sandbox, and execute the agent. ```bash fullsend run https://github.com/fullsend-ai/library/harness/rust-linter.yaml ``` -------------------------------- ### Common Linting Commands Source: https://github.com/fullsend-ai/fullsend/blob/main/internal/scaffold/fullsend-repo/skills/code-implementation/SKILL.md Examples of linting commands for various project types. Use the command appropriate for your repository's setup. ```bash make lint ``` ```bash golangci-lint run ./... ``` ```bash uv run ruff check src/ tests/ ``` ```bash npm run lint ``` ```bash eslint src/ ``` -------------------------------- ### Start Development Server Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/superpowers/plans/2026-05-05-docs-browser-enhancements.md Launches the development server for the documentation site. Used for manual testing of routing and lazy loading features. ```bash npm run dev ``` -------------------------------- ### Per-Org Flow Example Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/ADRs/0033-per-repo-installation-mode.md Illustrates the call chain in a per-organization Fullsend setup, showing how an enrolled repository's shim interacts with the central dispatch and caller workflows, ultimately utilizing reusable workflows from the main Fullsend repository. ```yaml enrolled repo (shim, ~70 lines) └─ workflow_call ─→ .fullsend/dispatch.yml (routing, ~370 lines) └─ workflow_call ───→ .fullsend/code.yml (thin caller, ~43 lines) └─ uses: fullsend-ai/fullsend/reusable-code.yml@v1 (workspace prep, mint-token, agent run) ``` -------------------------------- ### Deploy Mint with PEM Bootstrap Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/guides/infrastructure/mint-administration.md For first-time setup, use the `--pem-dir` flag to seed PEM secrets during deployment. This allows `mint enroll` to function immediately. The directory must contain `{role}.pem` files for each agent role. ```bash # First-time bootstrap with PEMs: fullsend mint deploy --project="$GCP_PROJECT" --pem-dir=/path/to/pems ``` -------------------------------- ### Install pre-commit if not found Source: https://github.com/fullsend-ai/fullsend/blob/main/internal/scaffold/fullsend-repo/skills/code-implementation/SKILL.md Installs the pre-commit package using pip or pip3 if the command is not already available on the system's PATH. Errors during installation are suppressed. ```bash if ! command -v pre-commit &>/dev/null; then pip install pre-commit 2>/dev/null || pip3 install pre-commit 2>/dev/null fi ``` -------------------------------- ### Install FullSend with Platform Infrastructure (Recommended) Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/reference/installation.md Use this command when platform operators have pre-provisioned shared GitHub Apps and a token mint. It requires only a GCP project for inference and skips app discovery and mint validation. ```bash fullsend admin install "$ORG_NAME/$REPO_NAME" \ --inference-project "$GCP_PROJECT" \ --mint-url "$PLATFORM_MINT_URL" \ --skip-mint-check ``` -------------------------------- ### Analyze Fullsend Installation Status Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/reference/installation.md Check the current state of a Fullsend installation, reporting what is installed, missing, or needs updating. This command is read-only and requires specific scopes. ```bash fullsend admin analyze "$ORG_NAME" ``` -------------------------------- ### Pass WIF Provider to Fullsend Installer Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/reference/installation.md Configure the Fullsend installer with the pre-configured WIF provider details. This command installs Fullsend for the specified organization, using the custom WIF provider for inference and minting projects. ```bash export WIF_PROVIDER="projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/fullsend-inference/providers/github-oidc" fullsend admin install "$ORG_NAME" \ --inference-project "$GCP_PROJECT" \ --inference-wif-provider "$WIF_PROVIDER" \ --mint-project "$GCP_PROJECT" ``` -------------------------------- ### Per-Org GitHub Setup Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/reference/github-setup.md Use this command to set up Fullsend AI for an entire organization. It creates a config repository, deploys workflows, and configures secrets and variables. Ensure you replace placeholders like with your actual values. ```bash fullsend github setup acme-corp \ --mint-url= \ --inference-project=my-gcp-project \ --inference-wif-provider=projects/123456789/locations/global/workloadIdentityPools/fullsend-inference/providers/github-oidc \ --inference-region=global ``` -------------------------------- ### Commit Bugfix Workflow Guide Changes Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/superpowers/plans/2026-05-04-retro-agent.md Stage and commit the updated bugfix workflow guide. ```bash git add docs/guides/user/bugfix-workflow.md git commit -m "docs: update bugfix workflow with retro agent details" ``` -------------------------------- ### Install Octokit REST Dependency Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/superpowers/plans/2026-04-12-fullsend-admin-spa.md Command to install a specific version of the `@octokit/rest` package using npm. ```bash npm install @octokit/rest@^21.0.0 ``` -------------------------------- ### Configure Fullsend GCP Environment Variables Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/guides/user/running-agents-locally.md Sets up an environment file with necessary GCP project and credentials configuration for Fullsend. Ensure this file is stored securely. ```bash # fullsend-gcp.env ANTHROPIC_VERTEX_PROJECT_ID={project-id} GOOGLE_CLOUD_PROJECT={project-id} CLOUD_ML_REGION=global GOOGLE_APPLICATION_CREDENTIALS=fullsend-local-credentials.json ``` -------------------------------- ### Install Mint Infrastructure in First Organization Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/guides/infrastructure/mint-administration.md This command installs the minting infrastructure and creates public unlisted GitHub Apps in the first organization. It requires specifying the GitHub organization and GCP project. Use the --public flag to make apps discoverable by other organizations. ```bash export FIRST_ORG="" export GCP_PROJECT="" fullsend admin install "$FIRST_ORG" \ --inference-project "$GCP_PROJECT" \ --mint-project "$GCP_PROJECT" \ --public ``` -------------------------------- ### Per-Repo Directory Layout Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/ADRs/0033-per-repo-installation-mode.md Illustrates the file structure for the per-repo installation mode, showing the main `fullsend.yml` workflow, the optional `.fullsend/` configuration directory, and its subdirectories for customization. ```text target-repo/ ├── .github/workflows/fullsend.yml ← single workflow file (~70 lines, shim) ├── .fullsend/ ← in-repo config workspace (optional) │ ├── customized/ ← user overrides (same convention as per-org) │ │ ├── agents/ ← agent prompt overrides │ │ ├── harness/ ← harness config overrides │ │ ├── policies/ ← sandbox policies │ │ ├── skills/ ← repo-specific skills │ │ └── scripts/ ← pre/post scripts │ └── config.yaml ← repo-level config ├── AGENTS.md └── ... (source code) ``` -------------------------------- ### Install GitLab Runner Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/plans/agent-execution-environment.md Installs the GitLab Runner package on Debian-based systems. Ensure you have curl and sudo privileges. ```bash curl -L "https://packages.gitlab.com/install/repositories/runner/gitlab-runner/script.deb.sh" | sudo bash sudo apt-get install gitlab-runner ``` -------------------------------- ### Per-Repo Install Guard Variable Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/ADRs/0033-per-repo-installation-mode.md Explains how the `FULLSEND_PER_REPO_INSTALL=true` variable prevents per-org enrollment from overriding per-repo installations. ```text Per-repo install requires only `repo` and `workflow` OAuth scopes when reusing existing infrastructure. When creating apps, scope escalation to `admin:org` is required (same as per-org). Per-repo and per-org coexist within the same org. Some repos use the org `.fullsend` config repo (per-org), others run independently (per-repo). They use different dispatch paths, credential stores, and shim templates. To prevent per-org enrollment from overriding a per-repo installation, per-repo install sets a repository Actions variable `FULLSEND_PER_REPO_INSTALL=true`. The per-org enrollment flow checks this guard at three points: 1. **CLI (`--enroll-all`)**: Skips repos with `FULLSEND_PER_REPO_INSTALL=true`. Prompts interactively if the guard exists but is not `true` (e.g., admin cleared it). Fails closed on API errors (skips the repo rather than risking overwrite). 2. **`reconcile-repos.sh`**: Checks the guard via the GitHub API before both enrollment and unenrollment. Skips repos with `true`. Fails closed on non-404 API errors. 3. **Enrollment `Analyze`**: Reports per-repo repos as "per-repo install, skipped" and excludes them from drift calculation. ``` -------------------------------- ### Full Harness Configuration Example Source: https://github.com/fullsend-ai/fullsend/blob/main/docs/ADRs/0045-forge-portable-harness-schema.md This example demonstrates a complete harness configuration file, showcasing platform-neutral top-level fields and forge-specific configurations for GitHub and GitLab. It includes agent definitions, model selection, image, role, shared skills, runner environment variables, forge-specific scripts, and host file mappings. ```yaml harness/triage.yaml agent: agents/triage.md model: opus image: ghcr.io/fullsend-ai/fullsend-sandbox:latest policy: policies/triage.yaml role: triage slug: fullsend-ai-triage # Shared across all forges skills: - skills/issue-labels validation_loop: script: scripts/validate-output-schema.sh max_iterations: 2 runner_env: FULLSEND_OUTPUT_SCHEMA: ${FULLSEND_DIR}/schemas/triage-result.schema.json forge: github: pre_script: scripts/pre-triage.sh post_script: scripts/post-triage.sh skills: - skills/github-issue-triage runner_env: GH_TOKEN: ${GH_TOKEN} GITHUB_ISSUE_URL: ${GITHUB_ISSUE_URL} gitlab: pre_script: scripts/pre-triage-gl.sh post_script: scripts/post-triage-gl.sh skills: - skills/gitlab-issue-triage runner_env: GITLAB_TOKEN: ${GITLAB_TOKEN} GITLAB_ISSUE_URL: ${GITLAB_ISSUE_URL} host_files: - src: env/gcp-vertex.env dest: /tmp/workspace/.env.d/gcp-vertex.env expand: true - src: ${GOOGLE_APPLICATION_CREDENTIALS} dest: /tmp/workspace/.gcp-credentials.json - src: ${GCP_OIDC_TOKEN_FILE} dest: /tmp/workspace/.gcp-oidc-token optional: true - src: env/triage.env dest: /tmp/workspace/.env.d/triage.env expand: true timeout_minutes: 10 ```