Skip to content

fix(#190): remove Jira remnants and add issues:write to custom agent guide#209

Open
fullsend-ai-coder[bot] wants to merge 2 commits into
mainfrom
agent/190-fix-docs-building-custom-agents
Open

fix(#190): remove Jira remnants and add issues:write to custom agent guide#209
fullsend-ai-coder[bot] wants to merge 2 commits into
mainfrom
agent/190-fix-docs-building-custom-agents

Conversation

@fullsend-ai-coder

Copy link
Copy Markdown

Remove the Jira code path from the pre-script example (which left an orphaned elif after PR fullsend-ai#2568 removed Jira support), consolidate permissions into a single block with contents:read, id-token:write, and issues:write, and drop the now-unused issue_source workflow input.


Closes #190

Post-script verification

  • Branch is not main/master (agent/190-fix-docs-building-custom-agents)
  • Secret scan passed (gitleaks — f96750babbed5ada406a9ae04e8068449701d9c7..HEAD)
  • Pre-commit hooks passed (authoritative run on runner)
  • Tests ran inside sandbox

…guide

Remove the Jira code path from the pre-script example (which left an
orphaned elif after PR fullsend-ai#2568 removed Jira support), consolidate
permissions into a single block with contents:read, id-token:write, and
issues:write, and drop the now-unused issue_source workflow input.
@fullsend-ai-review

fullsend-ai-review Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review — PR #209

Verdict: ✅ Approve

Clean, well-scoped documentation fix that addresses all three items authorized by issue #190: the broken elif syntax, the missing issues: write permission, and the vestigial issue_source input.

What was checked

Dimension Result
Correctness ✅ Pre-script bash is syntactically valid after replacing the if/elif/fi block with a bare gh issue view. The issues: write permission is correctly placed. All seven issue_source/ISSUE_SOURCE references within the file are removed. CLI examples, UI instructions, and slash-command dispatch are internally consistent.
Security ✅ No secrets leaked or left dangling after Jira credential handling removal. The issues: write example permission is explicitly requested by #190, annotated with a least-privilege comment, and consistent with other workflows in the repo. This is a documentation code fence, not a live workflow. No injection risks or prompt injection patterns detected.
Intent & coherence ✅ Scope matches #190 exactly. No scope creep. Removing the entire Jira block (rather than just fixing elif → if) is the architecturally correct choice — the guide should show the recommended pattern, and Jira-specific integration is organization-specific.
Style ✅ Indentation, comment syntax (#), and YAML formatting are consistent with the rest of the file.
Docs currency ✅ Cross-file references to issue_source/ISSUE_SOURCE in production files (qualityflow.yaml, agent specs, pre-scripts) are legitimate — those files still support Jira integration. They are not stale.
Cross-repo contracts ⏭ Skipped — no exported interfaces modified.

Minor observation (low, non-blocking)

Stale Jira mention in policy design principles (docs/guides/user/building-custom-agents.md, line 223):

"Never allow Jira/internal APIs from the sandbox. All Jira reads happen in pre-scripts; all Jira writes happen in post-scripts."

After this PR removes all Jira example code from the guide, this policy bullet is the only remaining Jira-specific reference. The guidance is still architecturally valid (the platform supports Jira integration in qualityflow), but updating it to be more general (e.g., "Never allow external/internal APIs from the sandbox") would improve consistency with the guide's now GitHub-only examples. Consider addressing in a follow-up.

Previous run

Review — PR #209

Verdict: approve

Summary

This PR correctly fixes the two documentation bugs described in #190: the orphaned elif in the pre-script example and the missing issues: write permission. It goes beyond the minimal fix by removing the entire Jira code path rather than just converting elif to if, which is the right approach since Jira support was already removed from the guide's examples upstream (PR fullsend-ai#2568). The cleanup is thorough — all references to issue_source/ISSUE_SOURCE and the Jira credential variables within the guide are addressed consistently across the pre-script, workflow YAML, trigger docs, and slash-command dispatch examples.

Findings

Severity Category File Description
low excessive-permission building-custom-agents.md:345 The example workflow adds issues: write but the only issue operation demonstrated is gh issue view --json (read-only). issues: read would suffice for the operations shown. Since this is a template and post-scripts commonly need write access to create/edit issues from agent output, the permission isn't wrong — but a brief inline comment noting when users can downscope to issues: read would improve the guidance.

Dimensions Reviewed

  • Correctness ✅ — Pre-script example is syntactically valid bash after the change. Workflow YAML has exactly one permissions: block with all three required permissions. No stale references to removed identifiers outside the changed file (other uses of ISSUE_SOURCE in the repo are working qualityflow agents, not leftovers from this guide).
  • Security ✅ — Jira credential-handling pattern removed from the example (positive change). No secrets, injection, or steganography patterns detected. The issues: write permission is authorized by Fix elif syntax error and duplicate permissions block in building-custom-agents guide #190 and consistent with the guide's post-script pattern, though the demonstrated operations only require read access.
  • Intent & coherence ✅ — All changes trace to issue Fix elif syntax error and duplicate permissions block in building-custom-agents guide #190's authorization. Removing the full Jira code path (rather than just fixing elifif) is within scope per the issue's optional cleanup clause and is the correct approach since Jira support was already removed from these examples upstream.
  • Style & conventions ✅ — Formatting, indentation, and permission ordering are consistent with the rest of the file and sibling documents.
  • Documentation currency ✅ — No stale references to removed identifiers in other documentation files. The remaining Jira mention at line 223 ("Never allow Jira/internal APIs from the sandbox") is a general security design principle applicable to any agent, not a reference to the removed example code.
Previous run (2)

Review

Findings

Low

  • [permission-expansion] docs/guides/user/building-custom-agents.md:345 — The diff adds issues: write to the main agent workflow example (Step 7), but the pre-script only uses gh issue view (a read operation) and the example post-script does not write to issues. At most issues: read is needed for the example as written. Granting issues: write in example code that users will copy violates least-privilege.
    Remediation: Replace issues: write with issues: read in the main workflow example, since only gh issue view is used. Add an inline comment noting that users should upgrade to issues: write if their post-script creates or updates issues.

Labels: PR fixes documentation bugs in user guide

Previous run (3)

Review

Findings

Medium

  • [edge-case] docs/guides/user/building-custom-agents.md:265 — The pre-script example references $REPO_FULL_NAME, but this variable is never defined in the workflow env block (Step 7) or in the harness runner_env (Step 2). With set -euo pipefail, the script will fail immediately with an unbound variable error. This was pre-existing (the old elif branch had the same issue), but the PR promotes it from a conditional branch to unconditional code, making it a guaranteed failure for anyone who copies the example verbatim.
    Remediation: Replace "$REPO_FULL_NAME" with "$GITHUB_REPOSITORY" (automatically available in GitHub Actions), or add REPO_FULL_NAME: ${{ github.repository }} to the workflow env block.

Low

  • [stale-reference] docs/guides/user/building-custom-agents.md:223 — The policy design principles section still references Jira ("Never allow Jira/internal APIs from the sandbox...") while the PR removes all Jira examples from the guide. Consider generalizing to "Never allow external issue-tracking APIs from the sandbox. All external reads happen in pre-scripts; all writes happen in post-scripts."
  • [permission-expansion] docs/guides/user/building-custom-agents.md:345issues: write is added to the main workflow template's permissions block, but the example workflow contains no code that writes to issues. The GH_TOKEN with this permission flows through the harness and potentially into the sandbox. The slash-command dispatch workflow later in the guide already correctly scopes issues: write to just the dispatch job. Consider removing it from the main workflow or adding a comment explaining when it is needed.

@guyoron1

guyoron1 commented Jul 8, 2026

Copy link
Copy Markdown
Owner

/fs-review

fullsend-ai-review[bot]

This comment was marked as outdated.

@guyoron1

Copy link
Copy Markdown
Owner

/fs-review

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 11, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 10:19 AM UTC · Completed 10:28 AM UTC
Commit: a2afa8b · View workflow run →

fullsend-ai-review[bot]

This comment was marked as outdated.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge and removed ready-for-merge All reviewers approved — ready to merge labels Jul 11, 2026
@guyoron1

Copy link
Copy Markdown
Owner

/fs-fix

@fullsend-ai-coder

fullsend-ai-coder Bot commented Jul 11, 2026

Copy link
Copy Markdown
Author

🤖 Finished Fix · ✅ Success · Started 11:12 AM UTC · Completed 11:19 AM UTC
Commit: a2afa8b · View workflow run →

Add inline YAML comment clarifying that issues: read suffices when the
post-script does not create or edit issues, addressing the excessive
permission review finding.

Addresses review feedback on #209
@fullsend-ai-coder

Copy link
Copy Markdown
Author

🔧 Fix agent — iteration 1 (human-triggered)

Addressed 1 review finding: added a YAML comment to the workflow example clarifying that issues: read is sufficient when the post-script does not create or edit issues. The issues: write permission is retained since post-scripts commonly need write access, but users now have clear guidance on when to downscope.

Fixed (1):

  1. excessive issues: write permission in workflow example: Added inline YAML comment clarifying that issues: read suffices if the post-script does not create or edit issues, per reviewer suggestion

Tests: passed

Updated by fullsend fix agent

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 11, 2026

Copy link
Copy Markdown

🤖 Finished Review · ❌ Failure · Started 11:24 AM UTC · Completed 11:32 AM UTC
Commit: a2afa8b · View workflow run →

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation ready-for-merge All reviewers approved — ready to merge

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Fix elif syntax error and duplicate permissions block in building-custom-agents guide

1 participant