name	ln-034-vps-environment-diagnostics
description	Use when inspecting health, drift, logs, auth, ports, systemd, tmux, or safe repair needs for one VPS project environment.
license	MIT
allowed-tools	Bash, Read, mcp__hex-ssh__remote-ssh, mcp__hex-ssh__ssh-read-lines, mcp__hex-ssh__ssh-write-chunk, mcp__hex-ssh__ssh-edit-block

Paths: File paths (shared/, ../ln-030-vps-bootstrap/references/) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root.

ln-034-vps-environment-diagnostics

Type: L3 Worker Category: 0XX Shared / Infrastructure

Inspects one VPS project environment and reports health, drift, logs, auth state, ports, systemd, tmux, and bounded safe repairs.

MANDATORY READ

MANDATORY READ: Load shared/references/worker_runtime_contract.md, shared/references/coordinator_summary_contract.md, and shared/references/vps_runtime_contract.md MANDATORY READ: Load ../ln-030-vps-bootstrap/references/scope_layers.md, ../ln-030-vps-bootstrap/references/troubleshooting.md, and ../ln-030-vps-bootstrap/references/verification_recipes.md

Input / Output

Direction	Content
Input	`mode`, project/VPS variables, optional `repair_scope`, optional `dry_run`, optional `runId`, optional `summaryArtifactPath`
Output	`vps-environment-diagnostics` summary with status, findings, drift, safe repairs, warnings, blockers, and verification

If summaryArtifactPath is provided, write the same summary JSON there. If not provided, return the summary inline and write it to the standalone run-scoped path. Generate a standalone run_id when runId is absent.

Modes

Mode	Behavior
`inspect`	Read-only health and drift report
`verify`	Read-only post-install/post-redeploy verification
`repair_safe`	Apply only documented bounded safe repairs selected by `repair_scope`

Workflow

Phase 1: Scope And Safety

Resolve target environment and set mutation guard:

inspect and verify are read-only
repair_safe requires explicit repair_scope
dry_run=true converts repairs to planned actions

Phase 2: Host And Shared Runtime

Inspect:

required binaries
${BOT_USER}
Node/Claude/Codex versions
auth health indicators without printing tokens
${AGENT_SKILLS_DIR} git state
marketplace/plugin health
agent-update.timer and log tail

Phase 3: Project Runtime

Inspect:

${PROJECT_DIR} git state
/etc/${PROJECT_NAME} and /var/lib/${PROJECT_NAME}
${SERVICE_PREFIX}-god@*.service
tmux socket and targets
dispatch timer/service
provider credential wiring without secret output

Phase 4: Relay Runtime

When Telegram/relay is enabled, inspect:

${SERVICE_PREFIX}-hex-relay.service
/opt/${SERVICE_PREFIX}-hex-relay
HTTP /health
relay DB presence/schema
old relay-bot service/path drift
RELAY_HOOK_PORT listener collisions

Phase 5: Safe Repair

Allowed safe repairs only:

restart a named inactive project service after confirming unit file exists
re-enable an expected timer
recreate missing non-secret directories with documented owner/mode
rerun systemctl daemon-reload
report, but do not rewrite, missing auth or secrets

Forbidden repairs:

secret creation or token edits
deleting DB files
deleting project repos
changing Git remotes/branches
changing shared auth
broad package upgrades

Phase 6: Summary

Write a vps-environment-diagnostics summary artifact with:

health verdict
drift list
repair actions applied or planned
blockers
warnings
verification evidence

Critical Rules

This worker diagnoses one environment at a time.
Fleet target selection belongs outside this worker.
Read-only modes must not mutate remote or local state.
Repair actions are bounded and explicit.
Never print secrets or auth tokens.

Definition of Done

Target environment and mutation guard resolved.
Host/shared runtime health inspected.
Project runtime health inspected.
Relay runtime health inspected or gated N/A:.
Drift and blockers reported with concrete evidence.
Safe repair actions were explicit, bounded, and recorded.
Forbidden repair categories were not performed.
dry_run=true, inspect, and verify performed no mutation.
Structured vps-environment-diagnostics summary artifact written.

Version: 1.0.0 Last Updated: 2026-05-05

name	ln-034-vps-environment-diagnostics
description	Use when inspecting health, drift, logs, auth, ports, systemd, tmux, or safe repair needs for one VPS project environment.
license	MIT
allowed-tools	Bash, Read, mcp__hex-ssh__remote-ssh, mcp__hex-ssh__ssh-read-lines, mcp__hex-ssh__ssh-write-chunk, mcp__hex-ssh__ssh-edit-block

Paths: File paths (shared/, ../ln-030-vps-bootstrap/references/) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root.

ln-034-vps-environment-diagnostics

Type: L3 Worker Category: 0XX Shared / Infrastructure

Inspects one VPS project environment and reports health, drift, logs, auth state, ports, systemd, tmux, and bounded safe repairs.

MANDATORY READ

Input / Output

Direction	Content
Input	`mode`, project/VPS variables, optional `repair_scope`, optional `dry_run`, optional `runId`, optional `summaryArtifactPath`
Output	`vps-environment-diagnostics` summary with status, findings, drift, safe repairs, warnings, blockers, and verification

Modes

Mode	Behavior
`inspect`	Read-only health and drift report
`verify`	Read-only post-install/post-redeploy verification
`repair_safe`	Apply only documented bounded safe repairs selected by `repair_scope`

Workflow

Phase 1: Scope And Safety

Resolve target environment and set mutation guard:

inspect and verify are read-only
repair_safe requires explicit repair_scope
dry_run=true converts repairs to planned actions

Phase 2: Host And Shared Runtime

Inspect:

required binaries
${BOT_USER}
Node/Claude/Codex versions
auth health indicators without printing tokens
${AGENT_SKILLS_DIR} git state
marketplace/plugin health
agent-update.timer and log tail

Phase 3: Project Runtime

Inspect:

${PROJECT_DIR} git state
/etc/${PROJECT_NAME} and /var/lib/${PROJECT_NAME}
${SERVICE_PREFIX}-god@*.service
tmux socket and targets
dispatch timer/service
provider credential wiring without secret output

Phase 4: Relay Runtime

When Telegram/relay is enabled, inspect:

${SERVICE_PREFIX}-hex-relay.service
/opt/${SERVICE_PREFIX}-hex-relay
HTTP /health
relay DB presence/schema
old relay-bot service/path drift
RELAY_HOOK_PORT listener collisions

Phase 5: Safe Repair

Allowed safe repairs only:

restart a named inactive project service after confirming unit file exists
re-enable an expected timer
recreate missing non-secret directories with documented owner/mode
rerun systemctl daemon-reload
report, but do not rewrite, missing auth or secrets

Forbidden repairs:

secret creation or token edits
deleting DB files
deleting project repos
changing Git remotes/branches
changing shared auth
broad package upgrades

Phase 6: Summary

Write a vps-environment-diagnostics summary artifact with:

health verdict
drift list
repair actions applied or planned
blockers
warnings
verification evidence

Critical Rules

This worker diagnoses one environment at a time.
Fleet target selection belongs outside this worker.
Read-only modes must not mutate remote or local state.
Repair actions are bounded and explicit.
Never print secrets or auth tokens.

Definition of Done

Target environment and mutation guard resolved.
Host/shared runtime health inspected.
Project runtime health inspected.
Relay runtime health inspected or gated N/A:.
Drift and blockers reported with concrete evidence.
Safe repair actions were explicit, bounded, and recorded.
Forbidden repair categories were not performed.
dry_run=true, inspect, and verify performed no mutation.
Structured vps-environment-diagnostics summary artifact written.

Version: 1.0.0 Last Updated: 2026-05-05