| name | ln-034-vps-environment-diagnostics |
| description | Use when inspecting health, drift, logs, auth, ports, systemd, tmux, or safe repair needs for one VPS project environment. |
| license | MIT |
| allowed-tools | Bash, Read, mcp__hex-ssh__remote-ssh, mcp__hex-ssh__ssh-read-lines, mcp__hex-ssh__ssh-write-chunk, mcp__hex-ssh__ssh-edit-block |
Paths: File paths (shared/, ../ln-030-vps-bootstrap/references/) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root.
ln-034-vps-environment-diagnostics
Type: L3 Worker
Category: 0XX Shared / Infrastructure
Inspects one VPS project environment and reports health, drift, logs, auth state, ports, systemd, tmux, and bounded safe repairs.
MANDATORY READ
MANDATORY READ: Load shared/references/worker_runtime_contract.md, shared/references/coordinator_summary_contract.md, and shared/references/vps_runtime_contract.md
MANDATORY READ: Load ../ln-030-vps-bootstrap/references/scope_layers.md, ../ln-030-vps-bootstrap/references/troubleshooting.md, and ../ln-030-vps-bootstrap/references/verification_recipes.md
Input / Output
| Direction | Content |
|---|
| Input | mode, project/VPS variables, optional repair_scope, optional dry_run, optional runId, optional summaryArtifactPath |
| Output | vps-environment-diagnostics summary with status, findings, drift, safe repairs, warnings, blockers, and verification |
If summaryArtifactPath is provided, write the same summary JSON there. If not provided, return the summary inline and write it to the standalone run-scoped path. Generate a standalone run_id when runId is absent.
Modes
| Mode | Behavior |
|---|
inspect | Read-only health and drift report |
verify | Read-only post-install/post-redeploy verification |
repair_safe | Apply only documented bounded safe repairs selected by repair_scope |
Workflow
Phase 1: Scope And Safety
Resolve target environment and set mutation guard:
inspect and verify are read-only
repair_safe requires explicit repair_scope
dry_run=true converts repairs to planned actions
Phase 2: Host And Shared Runtime
Inspect:
- required binaries
${BOT_USER}
- Node/Claude/Codex versions
- auth health indicators without printing tokens
${AGENT_SKILLS_DIR} git state
- marketplace/plugin health
agent-update.timer and log tail
Phase 3: Project Runtime
Inspect:
${PROJECT_DIR} git state
/etc/${PROJECT_NAME} and /var/lib/${PROJECT_NAME}
${SERVICE_PREFIX}-god@*.service
- tmux socket and targets
- dispatch timer/service
- provider credential wiring without secret output
Phase 4: Relay Runtime
When Telegram/relay is enabled, inspect:
${SERVICE_PREFIX}-hex-relay.service
/opt/${SERVICE_PREFIX}-hex-relay
- HTTP
/health
- relay DB presence/schema
- old
relay-bot service/path drift
RELAY_HOOK_PORT listener collisions
Phase 5: Safe Repair
Allowed safe repairs only:
- restart a named inactive project service after confirming unit file exists
- re-enable an expected timer
- recreate missing non-secret directories with documented owner/mode
- rerun
systemctl daemon-reload
- report, but do not rewrite, missing auth or secrets
Forbidden repairs:
- secret creation or token edits
- deleting DB files
- deleting project repos
- changing Git remotes/branches
- changing shared auth
- broad package upgrades
Phase 6: Summary
Write a vps-environment-diagnostics summary artifact with:
- health verdict
- drift list
- repair actions applied or planned
- blockers
- warnings
- verification evidence
Critical Rules
- This worker diagnoses one environment at a time.
- Fleet target selection belongs outside this worker.
- Read-only modes must not mutate remote or local state.
- Repair actions are bounded and explicit.
- Never print secrets or auth tokens.
Definition of Done
Version: 1.0.0
Last Updated: 2026-05-05