Skip to content

docs: sandbox layout, skill precedence, and agent rule layering#2584

Merged
waynesun09 merged 1 commit into
mainfrom
docs-sandbox-skill-layering
Jun 25, 2026
Merged

docs: sandbox layout, skill precedence, and agent rule layering#2584
waynesun09 merged 1 commit into
mainfrom
docs-sandbox-skill-layering

Conversation

@waynesun09

Copy link
Copy Markdown
Member

Summary

  • customizing-with-skills.md: Fixes the skill overloading section which incorrectly stated that a repo skill with the same name as a built-in skill "replaces the built-in one at runtime." This is only true via customized/skills/ (ADR-0035 overlay). A repo .claude/skills/ with a colliding name is silently shadowed by fullsend's personal-level version. Separates into "Extending agents with repo skills" (additive) and "Overriding built-in skills" (via customized/) with skill precedence explanation.
  • customizing-with-agents-md.md: Adds "How AGENTS.md interacts with agent definitions" section explaining that agent definitions (system prompt) and project instructions (AGENTS.md/CLAUDE.md) are different layers that compose, not compete. Documents what AGENTS.md can and cannot do, and the injection handling for repos without these files.
  • cli-internals.md: Adds sandbox workspace layout diagram showing /sandbox/claude-config/ (personal level) vs /sandbox/workspace/<repo>/ (project level), agent rule layering diagram (3 layers: agent definition > project instructions > skills), and AGENTS.md injection logic.

Related issues: #237, #236, #2135, #1901

Test plan

  • Verify doc renders correctly on the fullsend docs site
  • Cross-reference skill precedence claims against internal/runtime/claude.go Bootstrap() and internal/cli/run.go runAgent()
  • Confirm sandbox layout diagram matches actual SandboxWorkspace and SandboxClaudeConfig constants in internal/sandbox/sandbox.go

@qodo-code-review

Copy link
Copy Markdown

PR Summary by Qodo

Docs: clarify sandbox layout and skill/agent rule precedence
📝 Documentation 🕐 10-20 Minutes

Grey Divider

Description

• Document sandbox directory layout and where personal vs project config lives.
• Clarify skill precedence and the difference between extending vs overriding skills.
• Explain how AGENTS.md/CLAUDE.md compose with agent definitions and injection behavior.
Diagram

graph TD
A["fullsend run"] --> B["Sandbox: claude-config"] --> C["Agent definition"]
A --> D["Sandbox: workspace/<repo>"] --> E["Project instructions"]
A --> F["Skills resolution"]
B --> F
D --> F
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Use Mermaid diagrams instead of ASCII art
  • ➕ Easier to keep consistent formatting across docs pages
  • ➕ More readable on mobile and supports linking/labels cleanly
  • ➕ Simplifies future edits (no manual box alignment)
  • ➖ Depends on docs site supporting Mermaid rendering
  • ➖ May require docs build pipeline/config changes
2. Centralize precedence/layering docs into a single reference page
  • ➕ Avoids duplication across guides and reduces drift
  • ➕ Gives one canonical place to link from CLI internals + user guides
  • ➖ Adds navigation overhead for readers of focused guides
  • ➖ Requires more restructuring than this targeted fix

Recommendation: The PR’s approach (targeted clarifications where readers already look) is appropriate and low-risk. If the docs site supports Mermaid, consider migrating the new ASCII diagrams to Mermaid for maintainability; otherwise, the current additions are clear and sufficiently precise.

Files changed (3) +173 / -25

Documentation (3) +173 / -25
cli-internals.mdDocument sandbox layout, instruction layers, and injection/scanning logic +78/-0

Document sandbox layout, instruction layers, and injection/scanning logic

• Adds a sandbox directory layout walkthrough that distinguishes personal vs project config paths. Documents the three-layer instruction model (agent definition, project instructions, skills) including skill precedence rules. Summarizes AGENTS.md/CLAUDE.md injection behavior and notes context-file prompt-injection scanning.

docs/guides/dev/cli-internals.md

customizing-with-agents-md.mdExplain how AGENTS.md composes with agent definitions +46/-0

Explain how AGENTS.md composes with agent definitions

• Introduces a section clarifying that agent definitions (system prompt via --agent) and project instructions (CLAUDE.md/AGENTS.md) are separate layers that compose. Documents what AGENTS.md can/cannot do, plus injection behavior and prompt-injection scanning coverage.

docs/guides/user/customizing-with-agents-md.md

customizing-with-skills.mdFix skill overloading claim; define extend vs override and precedence +49/-25

Fix skill overloading claim; define extend vs override and precedence

• Replaces the incorrect 'repo skill overload replaces built-in' guidance with an extension-focused section for repo skills and explicit collision behavior. Adds a skill precedence explanation (personal config beats project skills) and a separate 'Overriding built-in skills' section describing 'customized/skills/' overlay semantics.

docs/guides/user/customizing-with-skills.md

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 23, 2026

Copy link
Copy Markdown

🤖 Review · ⚠️ Cancelled · Started 11:09 PM UTC · Ended 11:17 PM UTC
Commit: 6bd5f3a · View workflow run →

@qodo-code-review

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0) 📎 Requirement gaps (0) 📜 Skill insights (1)

Context used
✅ Compliance rules (platform): 51 rules

Grey Divider


Action required

1. Misstated security pipeline 🐞 Bug ⛨ Security
Description
cli-internals.md states scanRepoContextFiles() uses InputPipeline including SSRF validation
and secret redaction, but InputPipeline() is only unicode normalization plus prompt-injection
scanning. This can create false confidence about what security checks actually run over repo context
files.
Code

docs/guides/dev/cli-internals.md[R470-473]

+All repo context files (CLAUDE.md, AGENTS.md, SKILL.md) are scanned for
+prompt injection via `scanRepoContextFiles()` before the agent starts. The
+scan uses the `InputPipeline` (context injection scanner, SSRF validator,
+secret redactor). Critical findings block the run in `fail_mode: closed`.
Relevance

⭐⭐⭐ High

Team accepts clarifying security pipeline claims to match implementation; similar security-doc fixes
merged.

PR-#1087
PR-#716
PR-#1017

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
scanRepoContextFiles() instantiates security.InputPipeline() and uses it to scan files, while
InputPipeline() only includes NewUnicodeNormalizer() and NewContextInjectionScanner(). SSRF
validation is performed separately in other scan commands, not in InputPipeline().

internal/security/scanner.go[82-102]
internal/cli/run.go[1695-1741]
internal/cli/scan.go[54-104]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Docs claim the repo context scan uses an `InputPipeline` that includes SSRF validation and secret redaction. In code, `security.InputPipeline()` only runs Unicode normalization and the context injection scanner; SSRF validation is not part of that pipeline, and secret redaction is an output concern.

## Issue Context
`run.go`’s host-side `scanRepoContextFiles()` uses `security.InputPipeline()` directly, so the docs should match that behavior. If SSRF/secret redaction are desired here, that’s a code change; otherwise, fix the docs text.

## Fix Focus Areas
- docs/guides/dev/cli-internals.md[468-474]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Remediation recommended

2. Wrong plugin state path 🐞 Bug ≡ Correctness
Description
The sandbox layout diagram claims plugin state is stored at
/sandbox/claude-config/plugins/marketplace.json, but the runtime writes enablement state to
CLAUDE_CONFIG_DIR/settings.json and marketplace metadata under
CLAUDE_CONFIG_DIR/plugins/marketplaces/<marketplace>/.claude-plugin/marketplace.json. This
mismatch can mislead debugging of plugin installation/enablement inside the sandbox.
Code

docs/guides/dev/cli-internals.md[R410-411]

+│   └── plugins/
+│       └── marketplace.json            Plugin state (if any)
Relevance

⭐⭐⭐ High

Docs/runtime path mismatches are routinely fixed; multiple doc accuracy corrections accepted.

PR-#1087
PR-#1252
PR-#2120

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The runtime’s plugin bootstrap writes marketplace metadata to a nested
plugins/marketplaces/.../.claude-plugin/marketplace.json path and writes enabled plugin state to
CLAUDE_CONFIG_DIR/settings.json, not /plugins/marketplace.json.

internal/runtime/claude.go[309-421]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The docs diagram shows plugin state at `/sandbox/claude-config/plugins/marketplace.json`, but the runtime actually writes plugin state/config across multiple files, including `{CLAUDE_CONFIG_DIR}/settings.json` and `{CLAUDE_CONFIG_DIR}/plugins/marketplaces/<marketplace>/.claude-plugin/marketplace.json`.

## Issue Context
This is purely a documentation accuracy issue, but it affects operational debugging (where to look for plugin enablement vs marketplace metadata).

## Fix Focus Areas
- docs/guides/dev/cli-internals.md[401-412]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


3. AGENTS casing mismatch 🐞 Bug ☼ Reliability
Description
The docs describe CLAUDE.md injection as pointing to AGENTS.md, but the runtime considers
agents.md/Agents.md as “present” and still injects a pointer whose content hardcodes
AGENTS.md. On the case-sensitive sandbox filesystem, repos using non-uppercase AGENTS filenames
can end up with a bridge that points to a non-existent file and fails to guide the agent to the
actual rules file.
Code

docs/guides/user/customizing-with-agents-md.md[R128-131]

+When the target repo has no AGENTS.md, fullsend injects an org-level default
+from the config repo. When the repo has AGENTS.md but no CLAUDE.md, fullsend
+injects a bridge CLAUDE.md that points to AGENTS.md. Both injected files are
+hidden from git so agents don't accidentally commit them.
Relevance

⭐⭐ Medium

Casing-related robustness rejected before, but injection logic fixes accepted later; outcome
uncertain.

PR-#680
PR-#2428

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
hasAgentsMD() returns true for AGENTS.md, agents.md, and Agents.md, but the injected
CLAUDE.md content references AGENTS.md (uppercase), which will not exist in repos that only have a
differently-cased filename.

internal/cli/run.go[1645-1654]
internal/cli/run.go[1667-1693]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Docs say injected CLAUDE.md points to `AGENTS.md`, but the runtime’s detection accepts multiple casings while the injected pointer content links to `AGENTS.md` specifically. On Linux (case-sensitive), this can break the intended “bridge” behavior for repos that use `agents.md`.

## Issue Context
Either:
- Update docs to require/strongly recommend the canonical `AGENTS.md` casing, or
- Update implementation to point to the actually-detected filename casing.

## Fix Focus Areas
- docs/guides/user/customizing-with-agents-md.md[126-131]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Informational

4. Guide under docs/guides/dev/ 📜 Skill insight ⌂ Architecture
Description
docs/guides/dev/cli-internals.md is a guide file under docs/guides/ but it is not placed in the
required admin/ or user/ subdirectory. This violates the guide placement/audience directory
policy and will make the guide non-compliant with the required structure.
Code

docs/guides/dev/cli-internals.md[R397-405]

+### Sandbox Workspace Layout
+
+The sandbox has two key directories that map to Claude Code's config levels:
+
+```
+/sandbox/
+├── claude-config/                   ← CLAUDE_CONFIG_DIR (personal level)
+│   ├── agents/
+│   │   └── review.md                   Agent definition (--agent loads from here)
Relevance

⭐ Low

Repo already uses docs/guides/dev/; no evidence of admin/user-only enforcement.

PR-#1087
PR-#1252
PR-#2015

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The compliance checklist requires guide files under docs/guides/ to be placed in admin/ or
user/ subdirectories. The modified file is located under docs/guides/dev/, and the PR adds new
guide content in that non-compliant location.

docs/guides/dev/cli-internals.md[397-405]
Skill: writing-user-docs

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
A documentation guide was modified under `docs/guides/dev/`, but guides are required to live under either `docs/guides/admin/` or `docs/guides/user/`.

## Issue Context
This PR adds new content to `docs/guides/dev/cli-internals.md`, reinforcing a guide location that violates the required docs directory structure.

## Fix Focus Areas
- docs/guides/dev/cli-internals.md[397-475]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

Comment thread docs/guides/dev/cli-internals.md Outdated
Comment on lines +470 to +473
All repo context files (CLAUDE.md, AGENTS.md, SKILL.md) are scanned for
prompt injection via `scanRepoContextFiles()` before the agent starts. The
scan uses the `InputPipeline` (context injection scanner, SSRF validator,
secret redactor). Critical findings block the run in `fail_mode: closed`.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

3. Misstated security pipeline 🐞 Bug ⛨ Security

cli-internals.md states scanRepoContextFiles() uses InputPipeline including SSRF validation
and secret redaction, but InputPipeline() is only unicode normalization plus prompt-injection
scanning. This can create false confidence about what security checks actually run over repo context
files.
Agent Prompt
## Issue description
Docs claim the repo context scan uses an `InputPipeline` that includes SSRF validation and secret redaction. In code, `security.InputPipeline()` only runs Unicode normalization and the context injection scanner; SSRF validation is not part of that pipeline, and secret redaction is an output concern.

## Issue Context
`run.go`’s host-side `scanRepoContextFiles()` uses `security.InputPipeline()` directly, so the docs should match that behavior. If SSRF/secret redaction are desired here, that’s a code change; otherwise, fix the docs text.

## Fix Focus Areas
- docs/guides/dev/cli-internals.md[468-474]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

@codecov

codecov Bot commented Jun 23, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@waynesun09 waynesun09 force-pushed the docs-sandbox-skill-layering branch from e2b29da to 6572f48 Compare June 23, 2026 23:17
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 23, 2026

Copy link
Copy Markdown

🤖 Review · ⚠️ Cancelled · Started 11:21 PM UTC · Ended 11:35 PM UTC
Commit: 6bd5f3a · View workflow run →

@waynesun09 waynesun09 requested review from ascerra and mrizzi June 23, 2026 23:22
- customizing-with-skills.md: fix skill overloading section to distinguish
  extend (.claude/skills/) from override (customized/skills/), add skill
  precedence explanation (personal > project)
- customizing-with-agents-md.md: add section on how AGENTS.md composes with
  agent definitions (different layers, not competing)
- runtimes.md: add sandbox workspace layout diagram, agent rule layering
  diagram, AGENTS.md injection logic, and context file security scanning
- cli-internals.md: add cross-reference to runtimes.md for sandbox details

Assisted-by: Claude (fix), Gemini (review), Codex (review)
Signed-off-by: Wayne Sun <gsun@redhat.com>
@waynesun09 waynesun09 force-pushed the docs-sandbox-skill-layering branch from 6572f48 to c4ee5f0 Compare June 23, 2026 23:35
@fullsend-ai-review

fullsend-ai-review Bot commented Jun 23, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 11:38 PM UTC · Completed 11:53 PM UTC
Commit: c4ee5f0 · View workflow run →

@fullsend-ai-review

Copy link
Copy Markdown

Review

Findings

Medium

  • [architectural-misalignment] docs/guides/user/customizing-with-skills.md:84 — The PR reverses the documented skill precedence model: the old text says repo skills with the same name as built-in skills replace the built-in; the new text says built-in skills take precedence and repo skills are silently ignored. ADR 0035 describes the customized/ overlay mechanism (which the new docs preserve correctly), but the claim about project-level .claude/skills/ being shadowed by personal-level CLAUDE_CONFIG_DIR/skills/ needs verification against Claude Code's actual skill resolution behavior. If the new model is correct, the distinction between the two paths (extend vs. override) should be explicitly anchored to how Claude Code resolves personal vs. project skill directories — not left as an implicit claim.
    Remediation: Verify Claude Code's actual skill precedence (personal > project). If confirmed, add a brief note explaining that this precedence is a Claude Code runtime behavior, distinct from the ADR 0035 overlay mechanism. If not confirmed, revert to the previous model.

  • [architectural-incoherence] docs/guides/user/customizing-with-skills.md:50 — The new "Overriding built-in skills" section claims that customized/skills/ replaces the skill "at the config layer before the agent starts — the built-in version is never uploaded to the sandbox." ADR 0035 describes a copy-then-overlay model. The "never uploaded" claim may be accurate if the overlay happens during the workflow's Prepare step (before fullsend run), but this should be verified against the actual bootstrap sequence in run.go.
    Remediation: Verify whether the customized/ overlay happens before or after sandbox upload. If it happens before (in the reusable workflow), the claim is correct. If it happens inside the sandbox, correct the documentation.

  • [stale-reference] docs/agents/triage.md:90 — This file still uses the old "overload" terminology and claims "your version replaces the upstream default" when describing repo-level skill placement in .agents/skills/. Under the new model proposed in this PR, placing skills in .agents/skills/ (which symlinks to .claude/skills/) would NOT replace built-in skills. Merging this PR without updating triage.md creates contradictory documentation.
    Remediation: Update docs/agents/triage.md lines 90–95 to use the new terminology and point users to customized/skills/ for overriding built-in skills.

  • [stale-reference] docs/agents/review.md:60 — Same issue: docs/agents/review.md lines 60–67 use the old "overload" terminology and claim repo-level skills replace the upstream default. This directly contradicts the new skill precedence model.
    Remediation: Update docs/agents/review.md lines 60–67 to use "override via customized/skills/" terminology consistent with the updated customizing-with-skills.md.


Labels: PR modifies only documentation files covering sandbox layout, skill precedence, and agent rule layering.

@fullsend-ai-review fullsend-ai-review Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See the review comment for full details.

these by providing your own skill with the same name. Your version replaces
the built-in one at runtime — no other configuration needed.
Skills you add to your repository are available to all fullsend agents
alongside the built-in skills. This is the primary way to give agents

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium] architectural-misalignment

The PR reverses the documented skill precedence model: the old text says repo skills with the same name as built-in skills replace the built-in; the new text says built-in skills take precedence and repo skills are silently ignored. ADR 0035 describes the customized/ overlay mechanism (which the new docs preserve correctly), but the claim about project-level .claude/skills/ being shadowed by personal-level CLAUDE_CONFIG_DIR/skills/ needs verification against Claude Code actual skill resolution behavior.

Suggested fix: Verify Claude Code actual skill precedence (personal > project). If confirmed, add a brief note explaining that this precedence is a Claude Code runtime behavior, distinct from the ADR 0035 overlay mechanism.

@fullsend-ai-review fullsend-ai-review Bot added the component/docs User-facing documentation label Jun 23, 2026
Comment on lines +88 to +91
Repo skills **extend** the agent's skill set. They do not replace built-in
skills. If a repo skill has the same name as a built-in skill, the built-in
version takes precedence and the repo version is silently ignored. Use a
unique name to ensure your skill is discoverable.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this precedence behavior is accurate, i.e. repo skills with colliding names are silently ignored, then I feel like this should also track a follow-up to log a warning when a repo skill is shadowed, otherwise users have no way to know their skill isn't running.

@waynesun09 waynesun09 added this pull request to the merge queue Jun 25, 2026
Merged via the queue into main with commit 29d4fc3 Jun 25, 2026
22 checks passed
@waynesun09 waynesun09 deleted the docs-sandbox-skill-layering branch June 25, 2026 14:50
@fullsend-ai-retro

fullsend-ai-retro Bot commented Jun 25, 2026

Copy link
Copy Markdown

🤖 Finished Retro · ✅ Success · Started 2:54 PM UTC · Completed 3:04 PM UTC
Commit: c4ee5f0 · View workflow run →

@fullsend-ai-retro

Copy link
Copy Markdown

Retro: PR #2584 — docs: sandbox layout, skill precedence, and agent rule layering

Timeline:

  1. 2026-06-23T23:06Z — PR opened by waynesun09, a docs-only change correcting the skill precedence model (from "repo skills override built-ins" to "built-in skills win on collision") and adding sandbox layout/agent layering documentation.
  2. 2026-06-23T23:06–23:35Z — Three review agent runs dispatched (runs 28063141115, 28063635951, 28064412904). First two cancelled due to rapid synchronize events; third completed successfully.
  3. 2026-06-23T23:53Z — Review agent posted changes_requested with 4 medium findings.
  4. 2026-06-24T09:16Z — Human reviewer mrizzi commented with a valid observation about logging warnings for shadowed skills.
  5. 2026-06-25T13:27Z — Human reviewer rh-hemartin approved, overriding the review agent's changes_requested.
  6. 2026-06-25T14:50Z — PR merged.

Review agent accuracy: 2/4 findings valid.

  • Finding 1 (architectural-misalignment): False positive. The agent questioned the PR's skill precedence correction without verifying against the actual code in internal/runtime/claude.go, which confirms the PR's model is correct.
  • Finding 2 (architectural-incoherence): False positive. The "never uploaded" claim about the customized/ overlay is consistent with ADR-0035's layering mechanism.
  • Finding 3 (stale-reference in triage.md): Valid. docs/agents/triage.md still uses old "overload" terminology.
  • Finding 4 (stale-reference in review.md): Valid. docs/agents/review.md has the same stale terminology.

The valid stale-reference findings were not addressed before merge but are tracked in #2662.

Existing issues cover most improvement vectors:

  • Review cancellation churn → #1014 (debounce review dispatch)
  • CHANGES_REQUESTED for medium-only docs findings → #2115 (use COMMENT for human-authored PRs with only medium/low findings)
  • Stale cross-file references → #2662 (already filed for this specific case), #1061 (general docs-staleness scanning)

One novel proposal below addresses the root cause of the two false positives: the review agent treating existing (incorrect) documentation as ground truth rather than verifying against source code.

Proposals filed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

component/docs User-facing documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants