fix(forensics): force gh CLI for issue creation to prevent misrouting (#2067) (#2094)

The forensics prompt suggested `gh issue create` but the agent's system-level tool rules preferred the `github_issues` tool, which has no repo parameter and always targets the user's current repository. Add an explicit constraint forbidding `github_issues` and requiring the `bash` tool with `gh issue create --repo gsd-build/gsd-2`. Fixes #2067 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-22 19:05:26 -04:00 · 2026-03-22 19:05:26 -04:00 · 8d5cadd53b
commit 8d5cadd53b
parent a6f8f77bbc
2 changed files with 53 additions and 5 deletions
--- a/src/resources/extensions/gsd/prompts/forensics.md
+++ b/src/resources/extensions/gsd/prompts/forensics.md
@ -103,9 +103,15 @@ Explain your findings:

 Then **offer GitHub issue creation**: "Would you like me to create a GitHub issue for this on gsd-build/gsd-2?"

-If yes, create using `gh issue create` with this format:
+**CRITICAL: The `github_issues` tool ONLY targets the current user's repository — it has no `repo` parameter. You MUST use `gh issue create --repo gsd-build/gsd-2` via the `bash` tool to file on the correct repo. Do NOT use the `github_issues` tool for this.**

-```
+If yes, create using the `bash` tool:
+
+```bash
+gh issue create --repo gsd-build/gsd-2 \
+  --title "..." \
+  --label "bug" --label "auto-generated" \
+  --body "$(cat <<'EOF'
 ## Problem
 [1-2 sentence summary]

@ -128,11 +134,10 @@ If yes, create using `gh issue create` with this format:

 ---
 *Auto-generated by `/gsd forensics`*
+EOF
+)"
 ```

-**Repository:** gsd-build/gsd-2
-**Labels:** bug, auto-generated
-
 ### Redaction Rules (CRITICAL)

 Before creating the issue, you MUST:
--- a/src/resources/extensions/gsd/tests/forensics-issue-routing.test.ts
+++ b/src/resources/extensions/gsd/tests/forensics-issue-routing.test.ts
@ -0,0 +1,43 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+
+const promptsDir = join(process.cwd(), "src/resources/extensions/gsd/prompts");
+
+function readPrompt(name: string): string {
+  return readFileSync(join(promptsDir, `${name}.md`), "utf-8");
+}
+
+test("forensics prompt explicitly forbids github_issues tool for issue creation", () => {
+  const prompt = readPrompt("forensics");
+
+  // Must contain an explicit prohibition against using the github_issues tool
+  assert.match(
+    prompt,
+    /Do NOT use the `?github_issues`? tool/i,
+    "Prompt must explicitly prohibit the github_issues tool",
+  );
+});
+
+test("forensics prompt requires gh CLI with --repo gsd-build/gsd-2 for issue creation", () => {
+  const prompt = readPrompt("forensics");
+
+  // Must contain the exact gh CLI command with the correct repo flag
+  assert.match(
+    prompt,
+    /gh issue create --repo gsd-build\/gsd-2/,
+    "Prompt must specify gh issue create --repo gsd-build/gsd-2",
+  );
+});
+
+test("forensics prompt routes issue creation through bash tool, not github_issues", () => {
+  const prompt = readPrompt("forensics");
+
+  // The constraint about using bash tool must be present
+  assert.match(
+    prompt,
+    /`?bash`? tool/i,
+    "Prompt must instruct use of the bash tool for issue creation",
+  );
+});