@sentry/junior-github 0.21.0 → 0.22.0

package/README.md

@@ -1,6 +1,6 @@
 # @sentry/junior-github
 
-`@sentry/junior-github` adds GitHub issue workflows to Junior using a GitHub App.
+`@sentry/junior-github` adds GitHub issue, pull request, and repository workflows to Junior using a GitHub App.
 
 Install it alongside `@sentry/junior`:
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentry/junior-github",
-  "version": "0.21.0",
+  "version": "0.22.0",
   "private": false,
   "publishConfig": {
     "access": "public"

package/plugin.yaml

@@ -4,8 +4,6 @@ description: GitHub issue management via GitHub App
 capabilities:
   - issues.read
   - issues.write
-  - issues.comment
-  - labels.write
   - contents.read
   - contents.write
   - pull-requests.read
@@ -27,6 +25,9 @@ credentials:
 target:
   type: repo
   config-key: repo
+  command-flags:
+    - --repo
+    - -R
 
 runtime-dependencies:
   - type: system

package/skills/github/README.md

@@ -5,28 +5,40 @@ This skill uses host-issued GitHub App installation tokens.
 ## 1) Create/install GitHub App
 
 In GitHub:
+
 1. Go to `Settings -> Developer settings -> GitHub Apps -> New GitHub App`.
 2. Set app name and callback URL (any valid HTTPS URL is fine if you do not use web flow).
 3. Under repository permissions, grant:
+
 - Issues: Read and write
+- Contents: Read and write
+- Pull requests: Read and write
 - Metadata: Read
+
 4. Create the app and generate a private key.
 5. Install the app on the target org/repo(s).
 
 Install the app on target repos/orgs and collect:
+
 - `GITHUB_APP_ID`
 - `GITHUB_APP_PRIVATE_KEY` (PEM)
 
 ## 2) Configure host runtime
 
 Set on the harness host (never in skill files):
+
 - `GITHUB_APP_ID`
 - `GITHUB_APP_PRIVATE_KEY`
 - `GITHUB_INSTALLATION_ID`
 
+Current limitation: one Junior deployment uses one GitHub App installation ID.
+That works for repositories covered by the same installation, but not for repositories that live
+under different app installations across orgs/accounts.
+
 ### Vercel env setup (multiline-safe)
 
 `GITHUB_APP_PRIVATE_KEY` is accepted as:
+
 - Raw PEM (multiline)
 - Escaped-newline PEM (single-line with `\n`)
 - Base64-encoded PEM
@@ -70,15 +82,34 @@ git -C repo fetch --depth=50 origin
 git -C repo fetch --unshallow
 ```
 
-Issue operations still require scoped credentials:
+GitHub operations still require scoped credentials:
 
 ```bash
-jr-rpc issue-credential github.issues.write
+jr-rpc issue-credential github.issues.write --target owner/repo
 gh issue create --repo owner/repo --title "Example issue" --body-file /vercel/sandbox/tmp/issue.md
 ```
 
 `gh` supports either direct `GITHUB_TOKEN` (for local debugging) or sandbox-level header injection.
-Use `github.issues.read` for read-only commands (`view`, comment reads via `gh api`), `github.issues.comment` for comments, and `github.labels.write` for label updates.
+Use `github.issues.read` for read-only issue commands, `github.issues.write` for issue edits, comments, and labels, `github.contents.write` for pushes and merge operations, and `github.pull-requests.write` for PR mutations after the branch is already on the remote.
+
+GitHub capability scoping is a safety rail, not a hard sandbox boundary. It helps prevent accidental write scope and wrong-repo mutations, but the host runtime still decides when to mint credentials and the agent can request broader GitHub capabilities when the task requires them.
+
+Be careful with mixed-surface PR commands:
+
+- `gh pr edit` title/body/base/reviewer changes fit `github.pull-requests.write`.
+- `gh pr edit` label changes fit `github.issues.write`.
+- `gh pr edit` assignee/milestone changes fit `github.issues.write`.
+- `gh pr close --comment` may need `github.issues.write`.
+- `gh pr close --delete-branch` needs `github.contents.write`.
+
+For PR creation in automation, push explicitly and use `--head`:
+
+```bash
+jr-rpc issue-credential github.contents.write --target owner/repo
+git -C repo push -u origin BRANCH
+jr-rpc issue-credential github.pull-requests.write --target owner/repo
+gh pr create --repo owner/repo --head BRANCH --base main --title "Example PR" --body-file /vercel/sandbox/tmp/pr.md
+```
 
 Optional: set a default repository once per channel/thread context so `--repo` is not needed each turn:
 
@@ -91,7 +122,8 @@ jr-rpc config set github.repo getsentry/junior
 - `pnpm skills:check`
 - Create issue in a test repo.
 - Update/comment/label the same issue.
-- Use read-only commands (`gh issue view`, `gh api .../comments`) for issue inspection.
+- Push a test branch and create a draft PR with `--head`.
+- Use read-only commands (`gh issue view`, `gh api .../comments`, `gh pr view`) for issue inspection.
 
 ## 6) Production verification (step-by-step)
 
@@ -104,13 +136,16 @@ jr-rpc config set github.repo getsentry/junior
 4. Run `/github` to create an issue in a safe test repo.
 5. Verify the issue is authored by the GitHub App identity.
 6. Run `/github` to update title/body, add/remove labels, and add a comment.
-7. Verify all mutations succeed and are attributed to the app.
-8. Verify GitHub API calls succeed while this skill is active without writing tokens into sandbox env/files.
-9. Verify raw token values are never printed in output or logs.
-10. Check logs for:
-   - `credential_issue_request`
-   - `credential_issue_success`
-   - `credential_inject_start`
-   - `credential_inject_cleanup`
-11. Verify logs contain no token/private-key values.
-12. Negative test: target a repo without app installation and confirm explicit failure.
+7. Push a test branch and run `/github` to create a draft PR using explicit repo targeting and `--head`.
+8. Verify all mutations succeed and are attributed to the app.
+9. Verify GitHub API calls succeed while this skill is active without writing tokens into sandbox env/files.
+10. Verify raw token values are never printed in output or logs.
+11. Check logs for:
+
+- `credential_issue_request`
+- `credential_issue_success`
+- `credential_inject_start`
+- `credential_inject_cleanup`
+
+12. Verify logs contain no token/private-key values.
+13. Negative test: target a repo without app installation and confirm explicit failure.

package/skills/github/SKILL.md

@@ -1,47 +1,51 @@
 ---
 name: github
 description: Manage GitHub issue workflows, pull request operations, and repository checkout via GitHub CLI with concise, evidence-backed content. Use when users ask to open, edit, label, comment on, close/reopen, or inspect GitHub issues, view or create pull requests, or when they need `gh repo clone` guidance, especially shallow-clone defaults and exact CLI commands.
-requires-capabilities: github.issues.read github.issues.write github.issues.comment github.labels.write github.contents.read github.contents.write github.pull-requests.read github.pull-requests.write
+requires-capabilities: github.issues.read github.issues.write github.contents.read github.contents.write github.pull-requests.read github.pull-requests.write
 uses-config: github.repo
 allowed-tools: bash
 ---
 
 # GitHub Operations
 
-Issue workflows and repository checkout via `gh` CLI.
+Issue workflows, pull request operations, and repository checkout via `gh` CLI.
 
 ## Reference loading
 
 Load references conditionally based on the operation:
 
-| Operation          | Load                                                                                                                                                                                        |
-| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Any operation      | [references/api-surface.md](references/api-surface.md)                                                                                                                                      |
-| `clone`            | [references/common-use-cases.md](references/common-use-cases.md)                                                                                                                            |
-| `create`, `update` | [references/issue-examples.md](references/issue-examples.md), the matching type-specific template and type-specific rules, and [references/research-rules.md](references/research-rules.md) |
-| On failure         | [references/troubleshooting-workarounds.md](references/troubleshooting-workarounds.md)                                                                                                      |
+| Operation                            | Load                                                                                                                                                                                        |
+| ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Any operation                        | [references/api-surface.md](references/api-surface.md)                                                                                                                                      |
+| `clone`, `pull request create`       | [references/common-use-cases.md](references/common-use-cases.md)                                                                                                                            |
+| `issue create`, `issue body rewrite` | [references/issue-examples.md](references/issue-examples.md), the matching type-specific template and type-specific rules, and [references/research-rules.md](references/research-rules.md) |
+| On failure                           | [references/troubleshooting-workarounds.md](references/troubleshooting-workarounds.md)                                                                                                      |
 
 ## Workflow
 
 ### 1. Resolve operation and target
 
-- Determine whether the task is `clone` or an issue operation (`create`, `update`, `comment`, `labels`, `state`, or read-only inspection).
+- Determine whether the task is `clone`, an issue operation (`create`, `update`, `comment`, `labels`, `state`, or read-only inspection), a pull request inspection (`view`, `list`, `diff`, or `checks`), or a pull request mutation (`create`, `update`, `close`, or `merge`).
 - Resolve repository (`owner/repo`). If it is not explicit, query channel config with `jr-rpc config get github.repo`.
 - If config exists and is valid `owner/repo`, use it as the default.
 - If repository is still missing, ask the user for `owner/repo`.
 - Resolve the issue number for non-create issue operations.
+- Resolve the pull request number for pull request operations that target an existing PR.
+- Keep `owner/repo` explicit on both `jr-rpc issue-credential --target ...` and `gh` commands whenever the task targets a specific repository. Do not rely on a stale `github.repo` default when hopping between repos.
 
 ### 2. Execute by operation type
 
 **Clone** → Follow the clone path below.
 **Issue operation** → Follow the issue path below.
+**Pull request inspection** → Follow the pull request inspection path below.
+**Pull request mutation** → Follow the pull request mutation path below.
 
 ---
 
 ### Clone path
 
 - Issue a `contents.read` credential scoped to the target repository before cloning:
-  - `jr-rpc issue-credential github.contents.read --repo owner/repo`
+  - `jr-rpc issue-credential github.contents.read --target owner/repo`
 - Default to a shallow clone.
 - Use exact command forms from [references/api-surface.md](references/api-surface.md) or [references/common-use-cases.md](references/common-use-cases.md).
 - Deepen incrementally only when the task needs repository history.
@@ -85,9 +89,11 @@ Follow [references/research-rules.md](references/research-rules.md) for cross-ty
 #### 5. Execute operation
 
 - Issue the narrowest matching capability credential before executing.
+- Pass `--target owner/repo` when issuing repo-scoped GitHub credentials.
 - Use fully specified, non-interactive `gh` commands from [references/api-surface.md](references/api-surface.md).
 - Use [references/common-use-cases.md](references/common-use-cases.md) only when you need a concrete command pattern.
 - Check duplicates silently before creating a new issue. Only mention duplicates when relevant matches are actually found.
+- Treat GitHub capability scoping as an operational safety rail that reduces accidental writes and wrong-repo mutations. It is not a perfect command-by-command permission model.
 
 #### 6. Report result
 
@@ -96,6 +102,46 @@ Follow [references/research-rules.md](references/research-rules.md) for cross-ty
 - Keep routine issue-creation steps silent. Do not post progress chatter about duplicate checks, drafting, credential issuance, or command execution before the final result.
 - If duplicate checking found no relevant matches, omit that fact entirely and report only the created issue, for example `Created issue #123: ...`, not `No duplicates found. Creating the issue now.`
 
+---
+
+### Pull request inspection path
+
+#### 3. Execute inspection
+
+- Issue `github.pull-requests.read --target owner/repo` before authenticated read-only PR commands.
+- Use exact read-only `gh pr` commands from [references/api-surface.md](references/api-surface.md).
+- Skip branch resolution and push logic for inspection-only work.
+
+#### 4. Report result
+
+- Return canonical PR URL, PR number when available, target repository, and the fields the user asked to inspect.
+- If the requested PR cannot be resolved, report the exact not-found or auth failure and stop.
+
+---
+
+### Pull request mutation path
+
+#### 3. Resolve mutation inputs
+
+- For PR creation, resolve the base branch. Use the explicit user request when present; otherwise use the repository default branch.
+- For PR creation, resolve the head branch from the current checkout or user request.
+- For PR creation, if the current branch may not exist on the remote yet, push it explicitly before PR creation.
+
+#### 4. Execute pull request operation
+
+- Issue the narrowest matching capability credential before executing, and pass `--target owner/repo` for repo-scoped work.
+- For PR creation, do not rely on `gh pr create` to push or fork implicitly.
+- For PR creation, if the head branch is not already on the remote, first issue `github.contents.write --target owner/repo` and run `git push`.
+- For PR creation, then issue `github.pull-requests.write --target owner/repo` and run `gh pr create --repo owner/repo --head BRANCH ...`.
+- For PR creation, use `--head` so `gh` skips its hidden push/fork flow.
+- Treat `gh pr merge` as a contents mutation: it requires `github.contents.write`, not just `github.pull-requests.write`.
+- Treat issue comments and label edits as `github.issues.write`.
+
+#### 5. Report result
+
+- Return canonical PR URL, PR number when available, target repository, and applied changes.
+- If PR creation fails after explicit push + explicit repo scoping, report the exact auth or validation failure and stop.
+
 ## Guardrails
 
 ### Execution

package/skills/github/references/api-surface.md

@@ -5,24 +5,24 @@ All operations use `gh` CLI. Commands must be deterministic and non-interactive.
 ## Authentication
 
 Issue credentials with `jr-rpc issue-credential <capability>` before executing commands. The runtime handles token injection transparently.
+GitHub capabilities are repo-scoped. Pass `--target owner/repo` to `jr-rpc issue-credential` and `--repo owner/repo` to `gh` unless you intentionally rely on a verified `github.repo` default for the same repository.
+Treat capability scope as a safety rail that reduces accidental writes and wrong-repo mutations, not as a perfect command-by-command security boundary.
 
 ## Capability to command mapping
 
-| Capability                   | Commands                                                                |
-| ---------------------------- | ----------------------------------------------------------------------- |
-| `github.contents.read`       | `gh repo clone`, `git fetch`                                            |
-| `github.contents.write`      | `git push`, `gh api` (create/update file contents)                      |
-| `github.issues.read`         | `gh issue view`, `gh api /repos/.../comments`                           |
-| `github.issues.write`        | `gh issue create`, `gh issue edit`, `gh issue close`, `gh issue reopen` |
-| `github.issues.comment`      | `gh issue comment`                                                      |
-| `github.labels.write`        | `gh issue edit --add-label/--remove-label`                              |
-| `github.pull-requests.read`  | `gh pr view`, `gh pr list`, `gh pr diff`, `gh pr checks`                |
-| `github.pull-requests.write` | `gh pr create`, `gh pr edit`, `gh pr merge`, `gh pr close`              |
+| Capability                   | Commands                                                                                    |
+| ---------------------------- | ------------------------------------------------------------------------------------------- |
+| `github.contents.read`       | `gh repo clone`, `git fetch`                                                                |
+| `github.contents.write`      | `git push`, `gh api` (create/update file contents), `gh pr merge`                           |
+| `github.issues.read`         | `gh issue view`, `gh api /repos/.../comments`                                               |
+| `github.issues.write`        | `gh issue create`, `gh issue edit`, `gh issue comment`, `gh issue close`, `gh issue reopen` |
+| `github.pull-requests.read`  | `gh pr view`, `gh pr list`, `gh pr diff`, `gh pr checks`                                    |
+| `github.pull-requests.write` | `gh pr create --head <branch>` after explicit push, `gh pr edit`, `gh pr close`             |
 
 ## Command matrix
 
 | Operation                          | Command                                                                                                       |
-| ---------------------------------- | ------------------------------------------------------------------------------------------------------------- |
+| ---------------------------------- | ------------------------------------------------------------------------------------------------------------- | -------- | ---------- |
 | Clone repository (default shallow) | `gh repo clone owner/repo [DIRECTORY] -- --depth=1`                                                           |
 | Deepen shallow clone               | `git -C DIRECTORY fetch --depth=N origin`                                                                     |
 | Convert shallow clone to full      | `git -C DIRECTORY fetch --unshallow`                                                                          |
@@ -35,6 +35,11 @@ Issue credentials with `jr-rpc issue-credential <capability>` before executing c
 | Add comment                        | `gh issue comment NUMBER --repo owner/repo --body-file PATH`                                                  |
 | Read issue                         | `gh issue view NUMBER --repo owner/repo --json number,title,state,labels,assignees,author,url,body`           |
 | Read comments                      | `gh api /repos/owner/repo/issues/NUMBER/comments --method GET --header "Accept: application/vnd.github+json"` |
+| Push branch before PR creation     | `git -C DIRECTORY push -u origin BRANCH`                                                                      |
+| Create pull request                | `gh pr create --repo owner/repo --head BRANCH --base BASE --title "..." --body-file PATH`                     |
+| Update pull request                | `gh pr edit NUMBER --repo owner/repo [--title "..."] [--body-file PATH]`                                      |
+| Close pull request                 | `gh pr close NUMBER --repo owner/repo`                                                                        |
+| Merge pull request                 | `gh pr merge NUMBER --repo owner/repo [--merge                                                                | --squash | --rebase]` |
 
 ## Credential and config helpers
 
@@ -53,14 +58,12 @@ jr-rpc config set github.repo owner/repo
 Issue scoped credentials:
 
 ```bash
-jr-rpc issue-credential github.contents.read --repo owner/repo
-jr-rpc issue-credential github.contents.write --repo owner/repo
-jr-rpc issue-credential github.issues.read
-jr-rpc issue-credential github.issues.write
-jr-rpc issue-credential github.issues.comment
-jr-rpc issue-credential github.labels.write
-jr-rpc issue-credential github.pull-requests.read
-jr-rpc issue-credential github.pull-requests.write
+jr-rpc issue-credential github.contents.read --target owner/repo
+jr-rpc issue-credential github.contents.write --target owner/repo
+jr-rpc issue-credential github.issues.read --target owner/repo
+jr-rpc issue-credential github.issues.write --target owner/repo
+jr-rpc issue-credential github.pull-requests.read --target owner/repo
+jr-rpc issue-credential github.pull-requests.write --target owner/repo
 ```
 
 ## Behavior notes
@@ -69,4 +72,8 @@ jr-rpc issue-credential github.pull-requests.write
 - Use `gh api` for endpoints not fully covered by `gh issue` subcommands.
 - Pass extra `git clone` flags after `--` (e.g. `gh repo clone owner/repo -- --depth=1`).
 - For automation, always fully specify `gh issue create` with `--title` and `--body` or `--body-file`; never rely on interactive prompts.
+- Before `gh pr create`, push the head branch explicitly with `github.contents.write`, then use `--head` so `gh` does not trigger hidden push/fork behavior.
+- Keep `--repo owner/repo` explicit on authenticated GitHub commands when working across repositories.
+- `gh pr edit` is not a single-permission command: title/body/base/reviewer changes fit `github.pull-requests.write`, label, assignee, and milestone changes fit `github.issues.write`, and project flags are outside the current GitHub App capability model.
+- `gh pr close --comment` may need `github.issues.write`, and `gh pr close --delete-branch` needs `github.contents.write`.
 - Return actionable errors for auth, permission, not-found, and validation failures.

package/skills/github/references/common-use-cases.md

@@ -7,14 +7,14 @@ Use these patterns as direct execution playbooks.
 Issue credentials first, then default to a shallow clone:
 
 ```bash
-jr-rpc issue-credential github.contents.read --repo owner/repo
+jr-rpc issue-credential github.contents.read --target owner/repo
 gh repo clone owner/repo -- --depth=1
 ```
 
 Clone into a specific directory:
 
 ```bash
-jr-rpc issue-credential github.contents.read --repo owner/repo
+jr-rpc issue-credential github.contents.read --target owner/repo
 gh repo clone owner/repo worktree/repo -- --depth=1
 ```
 
@@ -33,7 +33,7 @@ git -C worktree/repo fetch --unshallow
 ## 3) Create a bug issue
 
 ```bash
-jr-rpc issue-credential github.issues.write
+jr-rpc issue-credential github.issues.write --target owner/repo
 gh issue create --repo owner/repo --title "OAuth token refresh fails in long-running thread" --body-file /vercel/sandbox/tmp/issue.md
 ```
 
@@ -46,14 +46,14 @@ Action taken on behalf of Jane Doe.
 ## 4) Patch issue title/body
 
 ```bash
-jr-rpc issue-credential github.issues.write
+jr-rpc issue-credential github.issues.write --target owner/repo
 gh issue edit 123 --repo owner/repo --title "Clarify retry semantics for lock contention" --body-file /vercel/sandbox/tmp/revised-issue.md
 ```
 
 ## 5) Close or reopen issue
 
 ```bash
-jr-rpc issue-credential github.issues.write
+jr-rpc issue-credential github.issues.write --target owner/repo
 gh issue close 123 --repo owner/repo --comment "Fixed in #456"
 ```
 
@@ -66,14 +66,14 @@ gh issue reopen 123 --repo owner/repo
 ## 6) Add implementation comment
 
 ```bash
-jr-rpc issue-credential github.issues.comment
+jr-rpc issue-credential github.issues.write --target owner/repo
 gh issue comment 123 --repo owner/repo --body-file /vercel/sandbox/tmp/comment.md
 ```
 
 ## 7) Apply triage labels
 
 ```bash
-jr-rpc issue-credential github.labels.write
+jr-rpc issue-credential github.issues.write --target owner/repo
 gh issue edit 123 --repo owner/repo --add-label bug --add-label needs-triage
 ```
 
@@ -86,13 +86,25 @@ gh issue edit 123 --repo owner/repo --remove-label needs-triage
 ## 8) Read issue details before mutation
 
 ```bash
-jr-rpc issue-credential github.issues.read
+jr-rpc issue-credential github.issues.read --target owner/repo
 gh issue view 123 --repo owner/repo --json number,title,state,labels,assignees,author,url,body
 ```
 
 ## 9) Read comment history in JSON
 
 ```bash
-jr-rpc issue-credential github.issues.read
+jr-rpc issue-credential github.issues.read --target owner/repo
 gh api /repos/owner/repo/issues/123/comments --method GET --header "Accept: application/vnd.github+json"
 ```
+
+## 10) Create a pull request safely in automation
+
+Push the branch explicitly before creating the PR. This avoids `gh pr create`
+trying to push or fork implicitly.
+
+```bash
+jr-rpc issue-credential github.contents.write --target owner/repo
+git -C worktree/repo push -u origin BRANCH
+jr-rpc issue-credential github.pull-requests.write --target owner/repo
+gh pr create --repo owner/repo --head BRANCH --base main --title "fix(repo): narrow GitHub repo scoping" --body-file /vercel/sandbox/tmp/pr.md
+```

package/skills/github/references/troubleshooting-workarounds.md

@@ -2,19 +2,21 @@
 
 Use this table to recover quickly while keeping operations deterministic.
 
-| Symptom                                                               | Likely cause                                          | Fix                                                                                                                                             |
-| --------------------------------------------------------------------- | ----------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
-| `unknown command "issue"` from `gh`                                   | CLI version too old or wrong binary.                  | Verify `gh --version`; ensure GitHub CLI from `gh-cli` repo is installed.                                                                       |
-| `unknown flag: --depth` from `gh repo clone`                          | `git clone` flags were passed before `--`.            | Pass clone flags after `--`, for example `gh repo clone owner/repo -- --depth=1`.                                                               |
-| `Missing required option --repo`                                      | Repo not passed and no default was resolved.          | Resolve with `jr-rpc config get github.repo`; pass `--repo owner/repo` explicitly when missing.                                                 |
-| `GraphQL: Could not resolve to a Repository`                          | Repo slug is wrong or inaccessible.                   | Validate `owner/repo` and confirm app installation on target repository.                                                                        |
-| 401 Unauthorized                                                      | Credential not issued for current command scope.      | Run `jr-rpc issue-credential <capability>` for the exact command and retry once.                                                                |
-| 403 Forbidden                                                         | App lacks required permission on repo.                | Confirm GitHub App permissions and installation scope.                                                                                          |
-| 404 Not Found                                                         | Issue number or repo is wrong.                        | Validate repo + issue ID with `gh issue view NUMBER --repo owner/repo`.                                                                         |
-| `git blame`, long log history, or old commits are missing after clone | Repo was cloned shallow by design.                    | Deepen incrementally with `git -C DIRECTORY fetch --depth=N origin`, or use `git -C DIRECTORY fetch --unshallow` when full history is required. |
-| `sandbox setup failed (dnf install gh failed ...)`                    | `gh` package not available in default repos.          | Configure/install from GitHub RPM repo (`gh-cli`) in sandbox dependency bootstrap, then retry.                                                  |
-| `gh issue edit` does not change labels                                | Wrong flag usage or missing label capability context. | Use repeated `--add-label/--remove-label` flags and issue `github.labels.write` credential first.                                               |
-| Comment command fails with empty body                                 | Body file missing/empty.                              | Ensure comment file exists and has content before `gh issue comment`.                                                                           |
+| Symptom                                                                         | Likely cause                                                                  | Fix                                                                                                                                                                                                      |
+| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `unknown command "issue"` from `gh`                                             | CLI version too old or wrong binary.                                          | Verify `gh --version`; ensure GitHub CLI from `gh-cli` repo is installed.                                                                                                                                |
+| `unknown flag: --depth` from `gh repo clone`                                    | `git clone` flags were passed before `--`.                                    | Pass clone flags after `--`, for example `gh repo clone owner/repo -- --depth=1`.                                                                                                                        |
+| `Missing required option --repo`                                                | Repo not passed and no default was resolved.                                  | Resolve with `jr-rpc config get github.repo`; pass `--repo owner/repo` explicitly when missing.                                                                                                          |
+| GitHub command affects or authenticates against the wrong repo                  | Stale `github.repo` default or credential issued without explicit repo scope. | Pass `--target owner/repo` to `jr-rpc issue-credential ...` and `--repo owner/repo` to the `gh` command for the target repository.                                                                       |
+| `GraphQL: Could not resolve to a Repository`                                    | Repo slug is wrong or inaccessible.                                           | Validate `owner/repo` and confirm app installation on target repository.                                                                                                                                 |
+| 401 Unauthorized                                                                | Credential not issued for current command scope.                              | Run `jr-rpc issue-credential <capability>` for the exact command and retry once.                                                                                                                         |
+| 403 Forbidden                                                                   | App lacks required permission on repo.                                        | Confirm GitHub App permissions and installation scope.                                                                                                                                                   |
+| 404 Not Found                                                                   | Issue number or repo is wrong.                                                | Validate repo + issue ID with `gh issue view NUMBER --repo owner/repo`.                                                                                                                                  |
+| `gh pr create` fails with auth/permission errors or tries to push interactively | `gh pr create` entered its push/fork path, but only PR-write auth was issued. | Issue `github.contents.write --target owner/repo`, push the branch explicitly, then issue `github.pull-requests.write --target owner/repo` and rerun `gh pr create --repo owner/repo --head BRANCH ...`. |
+| `git blame`, long log history, or old commits are missing after clone           | Repo was cloned shallow by design.                                            | Deepen incrementally with `git -C DIRECTORY fetch --depth=N origin`, or use `git -C DIRECTORY fetch --unshallow` when full history is required.                                                          |
+| `sandbox setup failed (dnf install gh failed ...)`                              | `gh` package not available in default repos.                                  | Configure/install from GitHub RPM repo (`gh-cli`) in sandbox dependency bootstrap, then retry.                                                                                                           |
+| `gh issue edit` does not change labels                                          | Wrong flag usage or missing issue-write capability context.                   | Use repeated `--add-label/--remove-label` flags and issue `github.issues.write` credential first.                                                                                                        |
+| Comment command fails with empty body                                           | Body file missing/empty.                                                      | Ensure comment file exists and has content before `gh issue comment`.                                                                                                                                    |
 
 ## Retry guidance