@sentry/junior-github 0.24.0 → 0.25.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentry/junior-github",
-  "version": "0.24.0",
+  "version": "0.25.0",
   "private": false,
   "publishConfig": {
     "access": "public"

package/skills/github/README.md

@@ -61,9 +61,9 @@ Repeat for `preview` and `development` as needed. After env changes, redeploy so
 
 ## 3) Runtime behavior
 
-- Credentials are issued lazily when `jr-rpc issue-credential <capability>` is run.
-- Issued credentials are reused for the rest of the current turn.
-- Sandbox does not receive raw tokens via env; host applies scoped Authorization header transforms for GitHub API calls.
+- When the GitHub skill is active, authenticated `gh` and `git` commands cause the runtime to inject GitHub credentials automatically for the current turn.
+- Issued credentials are reused only within the current turn.
+- Sandbox does not receive raw tokens via env; host applies Authorization header transforms for GitHub API calls.
 
 ## 4) CLI usage
 
@@ -82,17 +82,17 @@ git -C repo fetch --depth=50 origin
 git -C repo fetch --unshallow
 ```
 
-GitHub operations still require scoped credentials:
+GitHub operations still require the GitHub skill, but the runtime injects
+credentials automatically when the skill is active:
 
 ```bash
-jr-rpc issue-credential github.issues.write --target owner/repo
 gh issue create --repo owner/repo --title "Example issue" --body-file /vercel/sandbox/tmp/issue.md
 ```
 
 `gh` supports either direct `GITHUB_TOKEN` (for local debugging) or sandbox-level header injection.
-Use `github.issues.read` for read-only issue commands, `github.issues.write` for issue edits, comments, and labels, `github.contents.write` for pushes and merge operations, and `github.pull-requests.write` for PR mutations after the branch is already on the remote.
+The runtime uses `github.issues.read` for read-only issue commands, `github.issues.write` for issue edits, comments, and labels, `github.contents.write` for pushes and merge operations, and `github.pull-requests.write` for PR mutations after the branch is already on the remote.
 
-GitHub capability scoping is a safety rail, not a hard sandbox boundary. It helps prevent accidental write scope and wrong-repo mutations, but the host runtime still decides when to mint credentials and the agent can request broader GitHub capabilities when the task requires them.
+GitHub capability scoping is a safety rail, not a hard sandbox boundary. It helps prevent accidental write scope and wrong-repo mutations, and the host runtime still decides when to mint credentials. Credential injection is skill-scoped: load the active GitHub skill first, keep repo context explicit, and let the runtime choose the required capability for the command.
 
 Be careful with mixed-surface PR commands:
 
@@ -105,9 +105,7 @@ Be careful with mixed-surface PR commands:
 For PR creation in automation, push explicitly and use `--head`:
 
 ```bash
-jr-rpc issue-credential github.contents.write --target owner/repo
 git -C repo push -u origin BRANCH
-jr-rpc issue-credential github.pull-requests.write --target owner/repo
 gh pr create --repo owner/repo --head BRANCH --base main --title "Example PR" --body-file /vercel/sandbox/tmp/pr.md
 ```
 

package/skills/github/SKILL.md

@@ -1,7 +1,6 @@
 ---
 name: github
-description: Manage GitHub issue workflows, pull request operations, and repository checkout via GitHub CLI with concise, evidence-backed content. Use when users ask to open, edit, label, comment on, close/reopen, or inspect GitHub issues, view or create pull requests, or when they need `gh repo clone` guidance, especially shallow-clone defaults and exact CLI commands.
-requires-capabilities: github.issues.read github.issues.write github.contents.read github.contents.write github.pull-requests.read github.pull-requests.write
+description: Manage GitHub issue workflows, source-code investigation, pull request operations, repository checkout, and implicit GitHub credentials via GitHub CLI with concise, evidence-backed content. Use when users ask to inspect implementation details in a repository, clone code, edit files, answer source-code questions from repo evidence, open/edit/view pull requests, or open/edit/inspect GitHub issues. Prefer this skill for repository and code tasks even when the repo concerns Sentry products.
 uses-config: github.repo
 allowed-tools: bash
 ---
@@ -18,6 +17,7 @@ Load references conditionally based on the operation:
 | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | Any operation                        | [references/api-surface.md](references/api-surface.md)                                                                                                                                      |
 | `clone`, `pull request create`       | [references/common-use-cases.md](references/common-use-cases.md)                                                                                                                            |
+| `source-code investigation`          | [references/research-rules.md](references/research-rules.md)                                                                                                                                |
 | `issue create`, `issue body rewrite` | [references/issue-examples.md](references/issue-examples.md), the matching type-specific template and type-specific rules, and [references/research-rules.md](references/research-rules.md) |
 | On failure                           | [references/troubleshooting-workarounds.md](references/troubleshooting-workarounds.md)                                                                                                      |
 
@@ -25,17 +25,18 @@ Load references conditionally based on the operation:
 
 ### 1. Resolve operation and target
 
-- Determine whether the task is `clone`, an issue operation (`create`, `update`, `comment`, `labels`, `state`, or read-only inspection), a pull request inspection (`view`, `list`, `diff`, or `checks`), or a pull request mutation (`create`, `update`, `close`, or `merge`).
-- Resolve repository (`owner/repo`). If it is not explicit, query channel config with `jr-rpc config get github.repo`.
-- If config exists and is valid `owner/repo`, use it as the default.
+- Determine whether the task is `clone`, `source-code investigation`, an issue operation (`create`, `update`, `comment`, `labels`, `state`, or read-only inspection), a pull request inspection (`view`, `list`, `diff`, or `checks`), or a pull request mutation (`create`, `update`, `close`, or `merge`).
+- Resolve repository (`owner/repo`). If it is not explicit, query channel config with `jr-rpc config get github.repo` before running any `gh` or `git` command.
+- If config exists and is valid `owner/repo`, use it as the default and still pass it explicitly on subsequent `gh` commands instead of relying on ambient CLI context.
 - If repository is still missing, ask the user for `owner/repo`.
 - Resolve the issue number for non-create issue operations.
 - Resolve the pull request number for pull request operations that target an existing PR.
-- Keep `owner/repo` explicit on both `jr-rpc issue-credential --target ...` and `gh` commands whenever the task targets a specific repository. Do not rely on a stale `github.repo` default when hopping between repos.
+- Keep `owner/repo` explicit on `gh` commands whenever the task targets a specific repository. This keeps the command pointed at the right repo and avoids accidental cross-repo mutations. Do not rely on a stale `github.repo` default when hopping between repos.
 
 ### 2. Execute by operation type
 
 **Clone** → Follow the clone path below.
+**Source-code investigation** → Follow the source-code path below.
 **Issue operation** → Follow the issue path below.
 **Pull request inspection** → Follow the pull request inspection path below.
 **Pull request mutation** → Follow the pull request mutation path below.
@@ -44,8 +45,6 @@ Load references conditionally based on the operation:
 
 ### Clone path
 
-- Issue a `contents.read` credential scoped to the target repository before cloning:
-  - `jr-rpc issue-credential github.contents.read --target owner/repo`
 - Default to a shallow clone.
 - Use exact command forms from [references/api-surface.md](references/api-surface.md) or [references/common-use-cases.md](references/common-use-cases.md).
 - Deepen incrementally only when the task needs repository history.
@@ -54,6 +53,18 @@ Load references conditionally based on the operation:
 
 ---
 
+### Source-code investigation path
+
+- Use this path for questions like "where is this implemented?", "how does this workflow work in code?", "is there already logic for X?", or "verify this from the repo."
+- Resolve repository (`owner/repo`). If the current workspace already contains the target repository, inspect local files directly before cloning anything.
+- If you need repository access outside the current workspace, keep `owner/repo` explicit on the authenticated command so the command itself targets the correct repository.
+- Default to a shallow clone when you need a fresh checkout; deepen only if the question truly needs history.
+- Prefer the narrowest deterministic evidence that answers the question: local file search, exact file reads, targeted clone inspection, existing issues/PRs, and tests.
+- Cite repository evidence in the reply: file paths, symbols, issue/PR numbers, or commit references when known.
+- If the available evidence is incomplete, say what is unknown instead of guessing.
+
+---
+
 ### Issue path
 
 #### 3. Classify issue type
@@ -88,18 +99,17 @@ Follow [references/research-rules.md](references/research-rules.md) for cross-ty
 
 #### 5. Execute operation
 
-- Issue the narrowest matching capability credential before executing.
-- Pass `--target owner/repo` when issuing repo-scoped GitHub credentials.
 - Use fully specified, non-interactive `gh` commands from [references/api-surface.md](references/api-surface.md).
 - Use [references/common-use-cases.md](references/common-use-cases.md) only when you need a concrete command pattern.
 - Check duplicates silently before creating a new issue. Only mention duplicates when relevant matches are actually found.
-- Treat GitHub capability scoping as an operational safety rail that reduces accidental writes and wrong-repo mutations. It is not a perfect command-by-command permission model.
+- Treat GitHub auth as plugin-owned and turn-scoped. The skill determines whether GitHub credentials are available for the turn; explicit repo flags are still for command correctness and mutation safety.
 
 #### 6. Report result
 
 - Return canonical issue URL, issue number, issue type, applied changes, and confidence.
 - Include references used for verified claims.
 - Keep routine issue-creation steps silent. Do not post progress chatter about duplicate checks, drafting, credential issuance, or command execution before the final result.
+- Never mention silent duplicate checking in the final reply unless you actually found a relevant duplicate that changed the outcome.
 - If duplicate checking found no relevant matches, omit that fact entirely and report only the created issue, for example `Created issue #123: ...`, not `No duplicates found. Creating the issue now.`
 
 ---
@@ -108,7 +118,6 @@ Follow [references/research-rules.md](references/research-rules.md) for cross-ty
 
 #### 3. Execute inspection
 
-- Issue `github.pull-requests.read --target owner/repo` before authenticated read-only PR commands.
 - Use exact read-only `gh pr` commands from [references/api-surface.md](references/api-surface.md).
 - Skip branch resolution and push logic for inspection-only work.
 
@@ -129,13 +138,13 @@ Follow [references/research-rules.md](references/research-rules.md) for cross-ty
 
 #### 4. Execute pull request operation
 
-- Issue the narrowest matching capability credential before executing, and pass `--target owner/repo` for repo-scoped work.
 - For PR creation, do not rely on `gh pr create` to push or fork implicitly.
-- For PR creation, if the head branch is not already on the remote, first issue `github.contents.write --target owner/repo` and run `git push`.
-- For PR creation, then issue `github.pull-requests.write --target owner/repo` and run `gh pr create --repo owner/repo --head BRANCH ...`.
+- For PR creation, if the head branch is not already on the remote, run `git push` first. That push step needs GitHub write access for the remote repository.
+- If `git push` returns 401, 403, or another auth/permission error, verify the command is still targeting the right repository and retry once. If the error still clearly indicates bad or revoked credentials, rerun the real GitHub command and let the runtime trigger a reconnect flow.
+- After the branch exists remotely, run `gh pr create --repo owner/repo --head BRANCH ...`.
 - For PR creation, use `--head` so `gh` skips its hidden push/fork flow.
-- Treat `gh pr merge` as a contents mutation: it requires `github.contents.write`, not just `github.pull-requests.write`.
-- Treat issue comments and label edits as `github.issues.write`.
+- Treat `gh pr merge` as a contents mutation and keep repository context explicit so the command cannot hit the wrong repository.
+- Treat issue comments and label edits as issue mutations and keep repository context explicit on the command.
 
 #### 5. Report result
 
@@ -153,6 +162,7 @@ Follow [references/research-rules.md](references/research-rules.md) for cross-ty
 ### Quality
 
 - Never claim verification without citing sources.
+- Answer source-code and implementation questions from repository evidence, not product framing or generic memory.
 - For `bug` issues, do not present a fix as definitive unless root-cause evidence is explicit.
 - If no relevant duplicates are found, continue directly to draft and create the issue, then report the created issue.
 

package/skills/github/references/api-surface.md

@@ -4,9 +4,10 @@ All operations use `gh` CLI. Commands must be deterministic and non-interactive.
 
 ## Authentication
 
-Issue credentials with `jr-rpc issue-credential <capability>` before executing commands. The runtime handles token injection transparently.
-GitHub capabilities are repo-scoped. Pass `--target owner/repo` to `jr-rpc issue-credential` and `--repo owner/repo` to `gh` unless you intentionally rely on a verified `github.repo` default for the same repository.
-Treat capability scope as a safety rail that reduces accidental writes and wrong-repo mutations, not as a perfect command-by-command security boundary.
+Load the GitHub skill first, then keep `--repo owner/repo` explicit on authenticated `gh` commands unless you intentionally rely on a verified `github.repo` default for the same repository.
+When the user omits `owner/repo`, resolve `github.repo` first with `jr-rpc config get github.repo`, then pass the resolved repo explicitly on the actual `gh` command.
+The runtime injects GitHub credentials implicitly for the current turn once the GitHub skill is active.
+Treat explicit repo flags as command-targeting safety rails that reduce accidental writes and wrong-repo mutations, not as a credential-scoping mechanism.
 
 ## Capability to command mapping
 
@@ -41,7 +42,7 @@ Treat capability scope as a safety rail that reduces accidental writes and wrong
 | Close pull request                 | `gh pr close NUMBER --repo owner/repo`                                                                        |
 | Merge pull request                 | `gh pr merge NUMBER --repo owner/repo [--merge                                                                | --squash | --rebase]` |
 
-## Credential and config helpers
+## Config helpers
 
 Resolve repo default:
 
@@ -55,24 +56,15 @@ Set repo default:
 jr-rpc config set github.repo owner/repo
 ```
 
-Issue scoped credentials:
-
-```bash
-jr-rpc issue-credential github.contents.read --target owner/repo
-jr-rpc issue-credential github.contents.write --target owner/repo
-jr-rpc issue-credential github.issues.read --target owner/repo
-jr-rpc issue-credential github.issues.write --target owner/repo
-jr-rpc issue-credential github.pull-requests.read --target owner/repo
-jr-rpc issue-credential github.pull-requests.write --target owner/repo
-```
-
 ## Behavior notes
 
 - Prefer `--json` output for machine-readable parsing where available.
 - Use `gh api` for endpoints not fully covered by `gh issue` subcommands.
 - Pass extra `git clone` flags after `--` (e.g. `gh repo clone owner/repo -- --depth=1`).
 - For automation, always fully specify `gh issue create` with `--title` and `--body` or `--body-file`; never rely on interactive prompts.
-- Before `gh pr create`, push the head branch explicitly with `github.contents.write`, then use `--head` so `gh` does not trigger hidden push/fork behavior.
+- Before `gh pr create`, push the head branch explicitly, then use `--head` so `gh` does not trigger hidden push/fork behavior.
+- That explicit `git push` step requires GitHub write access to the remote repository.
+- If that explicit `git push` fails with 401/403 or another auth/permission error, verify the repo context and retry the same push once after clearing stale GitHub auth only when the error explicitly indicates bad credentials.
 - Keep `--repo owner/repo` explicit on authenticated GitHub commands when working across repositories.
 - `gh pr edit` is not a single-permission command: title/body/base/reviewer changes fit `github.pull-requests.write`, label, assignee, and milestone changes fit `github.issues.write`, and project flags are outside the current GitHub App capability model.
 - `gh pr close --comment` may need `github.issues.write`, and `gh pr close --delete-branch` needs `github.contents.write`.

package/skills/github/references/common-use-cases.md

@@ -4,17 +4,15 @@ Use these patterns as direct execution playbooks.
 
 ## 1) Clone a repository for local work
 
-Issue credentials first, then default to a shallow clone:
+Default to a shallow clone:
 
 ```bash
-jr-rpc issue-credential github.contents.read --target owner/repo
 gh repo clone owner/repo -- --depth=1
 ```
 
 Clone into a specific directory:
 
 ```bash
-jr-rpc issue-credential github.contents.read --target owner/repo
 gh repo clone owner/repo worktree/repo -- --depth=1
 ```
 
@@ -33,7 +31,6 @@ git -C worktree/repo fetch --unshallow
 ## 3) Create a bug issue
 
 ```bash
-jr-rpc issue-credential github.issues.write --target owner/repo
 gh issue create --repo owner/repo --title "OAuth token refresh fails in long-running thread" --body-file /vercel/sandbox/tmp/issue.md
 ```
 
@@ -46,14 +43,12 @@ Action taken on behalf of Jane Doe.
 ## 4) Patch issue title/body
 
 ```bash
-jr-rpc issue-credential github.issues.write --target owner/repo
 gh issue edit 123 --repo owner/repo --title "Clarify retry semantics for lock contention" --body-file /vercel/sandbox/tmp/revised-issue.md
 ```
 
 ## 5) Close or reopen issue
 
 ```bash
-jr-rpc issue-credential github.issues.write --target owner/repo
 gh issue close 123 --repo owner/repo --comment "Fixed in #456"
 ```
 
@@ -66,14 +61,12 @@ gh issue reopen 123 --repo owner/repo
 ## 6) Add implementation comment
 
 ```bash
-jr-rpc issue-credential github.issues.write --target owner/repo
 gh issue comment 123 --repo owner/repo --body-file /vercel/sandbox/tmp/comment.md
 ```
 
 ## 7) Apply triage labels
 
 ```bash
-jr-rpc issue-credential github.issues.write --target owner/repo
 gh issue edit 123 --repo owner/repo --add-label bug --add-label needs-triage
 ```
 
@@ -86,14 +79,12 @@ gh issue edit 123 --repo owner/repo --remove-label needs-triage
 ## 8) Read issue details before mutation
 
 ```bash
-jr-rpc issue-credential github.issues.read --target owner/repo
 gh issue view 123 --repo owner/repo --json number,title,state,labels,assignees,author,url,body
 ```
 
 ## 9) Read comment history in JSON
 
 ```bash
-jr-rpc issue-credential github.issues.read --target owner/repo
 gh api /repos/owner/repo/issues/123/comments --method GET --header "Accept: application/vnd.github+json"
 ```
 
@@ -103,8 +94,6 @@ Push the branch explicitly before creating the PR. This avoids `gh pr create`
 trying to push or fork implicitly.
 
 ```bash
-jr-rpc issue-credential github.contents.write --target owner/repo
 git -C worktree/repo push -u origin BRANCH
-jr-rpc issue-credential github.pull-requests.write --target owner/repo
 gh pr create --repo owner/repo --head BRANCH --base main --title "fix(repo): narrow GitHub repo scoping" --body-file /vercel/sandbox/tmp/pr.md
 ```

package/skills/github/references/sandbox-runtime.md

@@ -11,6 +11,7 @@ This skill runs in the harness sandbox (`node22`) and commands execute via the `
 
 ## Credential strategy
 
-1. Issue credentials with `jr-rpc issue-credential <capability>` before executing commands. See [api-surface.md](api-surface.md) for the capability-to-command mapping.
-2. Credentials are scoped per command execution. Do not persist tokens in files.
-3. If 401/403 appears after credential issuance, reissue once, then stop with remediation guidance.
+1. After the GitHub skill is loaded, the runtime injects GitHub credentials implicitly for the current turn.
+2. Keep repository context explicit on `gh` and `git` commands so the command itself targets the correct repo.
+3. Credentials are valid only for the current turn. Do not persist tokens in files.
+4. If auth fails, verify the command still targets the correct repo, then retry the real GitHub command once so the runtime can reconnect automatically when needed.

package/skills/github/references/troubleshooting-workarounds.md

@@ -2,24 +2,25 @@
 
 Use this table to recover quickly while keeping operations deterministic.
 
-| Symptom                                                                         | Likely cause                                                                  | Fix                                                                                                                                                                                                      |
-| ------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `unknown command "issue"` from `gh`                                             | CLI version too old or wrong binary.                                          | Verify `gh --version`; ensure GitHub CLI from `gh-cli` repo is installed.                                                                                                                                |
-| `unknown flag: --depth` from `gh repo clone`                                    | `git clone` flags were passed before `--`.                                    | Pass clone flags after `--`, for example `gh repo clone owner/repo -- --depth=1`.                                                                                                                        |
-| `Missing required option --repo`                                                | Repo not passed and no default was resolved.                                  | Resolve with `jr-rpc config get github.repo`; pass `--repo owner/repo` explicitly when missing.                                                                                                          |
-| GitHub command affects or authenticates against the wrong repo                  | Stale `github.repo` default or credential issued without explicit repo scope. | Pass `--target owner/repo` to `jr-rpc issue-credential ...` and `--repo owner/repo` to the `gh` command for the target repository.                                                                       |
-| `GraphQL: Could not resolve to a Repository`                                    | Repo slug is wrong or inaccessible.                                           | Validate `owner/repo` and confirm app installation on target repository.                                                                                                                                 |
-| 401 Unauthorized                                                                | Credential not issued for current command scope.                              | Run `jr-rpc issue-credential <capability>` for the exact command and retry once.                                                                                                                         |
-| 403 Forbidden                                                                   | App lacks required permission on repo.                                        | Confirm GitHub App permissions and installation scope.                                                                                                                                                   |
-| 404 Not Found                                                                   | Issue number or repo is wrong.                                                | Validate repo + issue ID with `gh issue view NUMBER --repo owner/repo`.                                                                                                                                  |
-| `gh pr create` fails with auth/permission errors or tries to push interactively | `gh pr create` entered its push/fork path, but only PR-write auth was issued. | Issue `github.contents.write --target owner/repo`, push the branch explicitly, then issue `github.pull-requests.write --target owner/repo` and rerun `gh pr create --repo owner/repo --head BRANCH ...`. |
-| `git blame`, long log history, or old commits are missing after clone           | Repo was cloned shallow by design.                                            | Deepen incrementally with `git -C DIRECTORY fetch --depth=N origin`, or use `git -C DIRECTORY fetch --unshallow` when full history is required.                                                          |
-| `sandbox setup failed (dnf install gh failed ...)`                              | `gh` package not available in default repos.                                  | Configure/install from GitHub RPM repo (`gh-cli`) in sandbox dependency bootstrap, then retry.                                                                                                           |
-| `gh issue edit` does not change labels                                          | Wrong flag usage or missing issue-write capability context.                   | Use repeated `--add-label/--remove-label` flags and issue `github.issues.write` credential first.                                                                                                        |
-| Comment command fails with empty body                                           | Body file missing/empty.                                                      | Ensure comment file exists and has content before `gh issue comment`.                                                                                                                                    |
+| Symptom                                                                         | Likely cause                                                                | Fix                                                                                                                                             |
+| ------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
+| `unknown command "issue"` from `gh`                                             | CLI version too old or wrong binary.                                        | Verify `gh --version`; ensure GitHub CLI from `gh-cli` repo is installed.                                                                       |
+| `unknown flag: --depth` from `gh repo clone`                                    | `git clone` flags were passed before `--`.                                  | Pass clone flags after `--`, for example `gh repo clone owner/repo -- --depth=1`.                                                               |
+| `Missing required option --repo`                                                | Repo not passed and no default was resolved.                                | Resolve with `jr-rpc config get github.repo`; pass `--repo owner/repo` explicitly when missing.                                                 |
+| GitHub command affects or authenticates against the wrong repo                  | Stale `github.repo` default or authenticated command missing explicit repo. | Pass `--repo owner/repo` to the `gh` command for the target repository, or update `github.repo` before retrying.                                |
+| `GraphQL: Could not resolve to a Repository`                                    | Repo slug is wrong or inaccessible.                                         | Validate `owner/repo` and confirm app installation on target repository.                                                                        |
+| 401 Unauthorized                                                                | Repo context is missing, stale, or the stored GitHub auth needs reconnect.  | Verify `--repo owner/repo` or `github.repo`, then retry the real command once so the runtime can reconnect automatically when needed.           |
+| `git push` fails with 401/403 or auth/permission output                         | Write auth was stale or the command is targeting the wrong repo.            | Verify the remote and repo context, retry the same push once, then confirm app permissions and installation scope if the retry still fails.     |
+| 403 Forbidden                                                                   | App lacks required permission on repo or install scope is too narrow.       | Verify the repo context, then confirm GitHub App permissions and installation scope.                                                            |
+| 404 Not Found                                                                   | Issue number or repo is wrong.                                              | Validate repo + issue ID with `gh issue view NUMBER --repo owner/repo`.                                                                         |
+| `gh pr create` fails with auth/permission errors or tries to push interactively | The branch was not pushed first, or repo context is wrong.                  | Push the branch explicitly first, then rerun `gh pr create --repo owner/repo --head BRANCH ...`.                                                |
+| `git blame`, long log history, or old commits are missing after clone           | Repo was cloned shallow by design.                                          | Deepen incrementally with `git -C DIRECTORY fetch --depth=N origin`, or use `git -C DIRECTORY fetch --unshallow` when full history is required. |
+| `sandbox setup failed (dnf install gh failed ...)`                              | `gh` package not available in default repos.                                | Configure/install from GitHub RPM repo (`gh-cli`) in sandbox dependency bootstrap, then retry.                                                  |
+| `gh issue edit` does not change labels                                          | Wrong flag usage or wrong repo context.                                     | Use repeated `--add-label/--remove-label` flags and keep `--repo owner/repo` explicit.                                                          |
+| Comment command fails with empty body                                           | Body file missing/empty.                                                    | Ensure comment file exists and has content before `gh issue comment`.                                                                           |
 
 ## Retry guidance
 
-- Retry once for transient auth/transport failures after reissuing credentials.
+- Retry once for transient auth/transport failures after verifying repo context.
 - Do not loop retries on repeated 401/403/404 validation errors.
 - For persistent permission problems, return explicit remediation and stop.