From 8d5cadd53b1ca07a8508eef7355800035e96b31b Mon Sep 17 00:00:00 2001 From: Tom Boucher Date: Sun, 22 Mar 2026 19:05:26 -0400 Subject: [PATCH] fix(forensics): force gh CLI for issue creation to prevent misrouting (#2067) (#2094) The forensics prompt suggested `gh issue create` but the agent's system-level tool rules preferred the `github_issues` tool, which has no repo parameter and always targets the user's current repository. Add an explicit constraint forbidding `github_issues` and requiring the `bash` tool with `gh issue create --repo gsd-build/gsd-2`. Fixes #2067 Co-authored-by: Claude Opus 4.6 (1M context) --- .../extensions/gsd/prompts/forensics.md | 15 ++++--- .../gsd/tests/forensics-issue-routing.test.ts | 43 +++++++++++++++++++ 2 files changed, 53 insertions(+), 5 deletions(-) create mode 100644 src/resources/extensions/gsd/tests/forensics-issue-routing.test.ts diff --git a/src/resources/extensions/gsd/prompts/forensics.md b/src/resources/extensions/gsd/prompts/forensics.md index 71225fcf8..4b3fc9cfe 100644 --- a/src/resources/extensions/gsd/prompts/forensics.md +++ b/src/resources/extensions/gsd/prompts/forensics.md @@ -103,9 +103,15 @@ Explain your findings: Then **offer GitHub issue creation**: "Would you like me to create a GitHub issue for this on gsd-build/gsd-2?" -If yes, create using `gh issue create` with this format: +**CRITICAL: The `github_issues` tool ONLY targets the current user's repository — it has no `repo` parameter. You MUST use `gh issue create --repo gsd-build/gsd-2` via the `bash` tool to file on the correct repo. Do NOT use the `github_issues` tool for this.** -``` +If yes, create using the `bash` tool: + +```bash +gh issue create --repo gsd-build/gsd-2 \ + --title "..." \ + --label "bug" --label "auto-generated" \ + --body "$(cat <<'EOF' ## Problem [1-2 sentence summary] 
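Review bot: The new `bash` template places agent-written text on a shell command line, and two spots in it are still open to shell interpretation. `--title "..."` is double-quoted, so a `$(...)`, backtick or `"` in a title derived from log content is processed by bash, and the quoted heredoc ends early if any body line is exactly `EOF`, after which the remaining body lines are parsed as commands. Because the body summarises forensic data that may contain untrusted text, I would have the prompt write the body to a temporary file and pass it with `--body-file <path>`, and tell the agent to single-quote the title. The template's closing `EOF` and `)"` are added in the next hunk, so both hunks would change together.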
@@ -128,11 +134,10 @@ If yes, create using `gh issue create` with this format: --- *Auto-generated by `/gsd forensics`* +EOF +)" ``` -**Repository:** gsd-build/gsd-2 -**Labels:** bug, auto-generated - ### Redaction Rules (CRITICAL) Before creating the issue, you MUST: diff --git a/src/resources/extensions/gsd/tests/forensics-issue-routing.test.ts b/src/resources/extensions/gsd/tests/forensics-issue-routing.test.ts new file mode 100644 index 000000000..d4154ba98 --- /dev/null +++ b/src/resources/extensions/gsd/tests/forensics-issue-routing.test.ts @@ -0,0 +1,43 @@ +import test from "node:test"; +import assert from "node:assert/strict"; +import { readFileSync } from "node:fs"; +import { join } from "node:path"; + +const promptsDir = join(process.cwd(), "src/resources/extensions/gsd/prompts"); + +function readPrompt(name: string): string { + return readFileSync(join(promptsDir, `${name}.md`), "utf-8"); +} + +test("forensics prompt explicitly forbids github_issues tool for issue creation", () => { + const prompt = readPrompt("forensics"); + + // Must contain an explicit prohibition against using the github_issues tool + assert.match( + prompt, + /Do NOT use the `?github_issues`? tool/i, + "Prompt must explicitly prohibit the github_issues tool", + ); +}); + +test("forensics prompt requires gh CLI with --repo gsd-build/gsd-2 for issue creation", () => { + const prompt = readPrompt("forensics"); + + // Must contain the exact gh CLI command with the correct repo flag + assert.match( + prompt, + /gh issue create --repo gsd-build\/gsd-2/, + "Prompt must specify gh issue create --repo gsd-build/gsd-2", + ); +}); + +test("forensics prompt routes issue creation through bash tool, not github_issues", () => { + const prompt = readPrompt("forensics"); + + // The constraint about using bash tool must be present + assert.match( + prompt, + /`?bash`? tool/i, + "Prompt must instruct use of the bash tool for issue creation", + ); +});
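Review bot: The `### Redaction Rules (CRITICAL)` section still follows the command template, so the agent reaches a ready-to-run `gh issue create` before it reads what must be removed from the body. Per the commit message, the `github_issues` tool filed on the user's own repository, whereas this template files on gsd-build/gsd-2, so a missed redaction now leaves the user's project. I would add one line above the `bash` block, for example `Apply the Redaction Rules below to the title and body before running this command.` The rules list itself is outside this hunk, so I cannot tell whether it already covers the title.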
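Review bot: None of the three tests pins the quoting that keeps the issue body inert in the shell. If a later edit changes `<<'EOF'` to `<<EOF`, any `$(...)` or backtick in the agent-written body is expanded by bash and all three tests still pass. I would add a fourth case with `assert.match(prompt, /<<'EOF'/, "heredoc delimiter must stay quoted")`. Separately, the third pattern (a bare "bash tool" match with optional backticks) is satisfied by any mention of a bash tool anywhere in the prompt, so it does not tie the instruction to issue creation. Matching the full phrase "create using the `bash` tool" would be tighter.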