fix(#2378): report failure when agent errors with no commits

.github/scripts/install-openshell.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# Install the pinned OpenShell version via upstream install.sh.
+#
+# Sources openshell-version.sh for the version and commit SHA, then
+# runs the upstream installer. Requires sudo for RPM installation.
+#
+# Usage:
+#   .github/scripts/install-openshell.sh
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "${SCRIPT_DIR}/openshell-version.sh"
+
+echo "Installing OpenShell ${OPENSHELL_VERSION} (${OPENSHELL_SHA})"
+curl -LsSf "https://raw.githubusercontent.com/NVIDIA/OpenShell/${OPENSHELL_SHA}/install.sh" \
+  | OPENSHELL_VERSION="v${OPENSHELL_VERSION}" sh
+
+openshell --version

.github/scripts/openshell-version.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# Single source of truth for the pinned OpenShell version.
+#
+# Source this script to set OPENSHELL_VERSION and OPENSHELL_SHA in the
+# current shell. In GitHub Actions it also exports them to GITHUB_ENV
+# for downstream steps.
+#
+# Usage:
+#   source .github/scripts/openshell-version.sh
+
+# renovate: datasource=github-tags depName=NVIDIA/OpenShell
+OPENSHELL_VERSION=0.0.63
+OPENSHELL_SHA=ec197a43ef349e36c3fff04e9aaea9599fb83b31
+
+export OPENSHELL_VERSION OPENSHELL_SHA
+
+if [[ -n "${GITHUB_ENV:-}" ]]; then
+  echo "OPENSHELL_VERSION=${OPENSHELL_VERSION}" >> "${GITHUB_ENV}"
+  echo "OPENSHELL_SHA=${OPENSHELL_SHA}" >> "${GITHUB_ENV}"
+fi

.github/workflows/reusable-code.yml

@@ -56,6 +56,8 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Checkout upstream defaults
+        # Keep in sync with --vendor marker paths (see internal/scaffold/vendorcontent.go VendoredMarkerPath).
+        if: hashFiles('.defaults/action.yml', '.fullsend/.defaults/action.yml') == ''
         uses: actions/checkout@v6
         with:
           repository: fullsend-ai/fullsend
@@ -102,6 +104,7 @@ jobs:
           mkdir -p .github/scripts
           cp "${SRC}/.github/scripts/setup-agent-env.sh" .github/scripts/setup-agent-env.sh
 
+
       - name: Validate enrollment and extract repo metadata
         id: repo-parts
         uses: ./.defaults/.github/actions/validate-enrollment
@@ -178,4 +181,4 @@ jobs:
           run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           status-repo: ${{ inputs.source_repo }}
           status-number: ${{ fromJSON(inputs.event_payload).issue.number }}
-          status-token: ${{ steps.app-token.outputs.token }}
+          mint-url: ${{ inputs.mint_url }}

.github/workflows/reusable-fix.yml

@@ -68,6 +68,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Checkout upstream defaults
+        if: hashFiles('.defaults/action.yml', '.fullsend/.defaults/action.yml') == ''
         uses: actions/checkout@v6
         with:
           repository: fullsend-ai/fullsend
@@ -114,6 +115,7 @@ jobs:
           mkdir -p .github/scripts
           cp "${SRC}/.github/scripts/setup-agent-env.sh" .github/scripts/setup-agent-env.sh
 
+
       - name: Validate enrollment and extract repo metadata
         id: repo-parts
         uses: ./.defaults/.github/actions/validate-enrollment
@@ -380,4 +382,4 @@ jobs:
           run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           status-repo: ${{ inputs.source_repo }}
           status-number: ${{ steps.context.outputs.pr_number }}
-          status-token: ${{ steps.app-token.outputs.token }}
+          mint-url: ${{ inputs.mint_url }}

.github/workflows/reusable-prioritize.yml

@@ -58,6 +58,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Checkout upstream defaults
+        if: hashFiles('.defaults/action.yml', '.fullsend/.defaults/action.yml') == ''
         uses: actions/checkout@v6
         with:
           repository: fullsend-ai/fullsend
@@ -104,6 +105,7 @@ jobs:
           mkdir -p .github/scripts
           cp "${SRC}/.github/scripts/setup-agent-env.sh" .github/scripts/setup-agent-env.sh
 
+
       - name: Validate enrollment and extract repo metadata
         id: repo-parts
         uses: ./.defaults/.github/actions/validate-enrollment

.github/workflows/reusable-retro.yml

@@ -54,6 +54,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Checkout upstream defaults
+        if: hashFiles('.defaults/action.yml', '.fullsend/.defaults/action.yml') == ''
         uses: actions/checkout@v6
         with:
           repository: fullsend-ai/fullsend
@@ -100,6 +101,7 @@ jobs:
           mkdir -p .github/scripts
           cp "${SRC}/.github/scripts/setup-agent-env.sh" .github/scripts/setup-agent-env.sh
 
+
       - name: Validate enrollment and extract repo metadata
         id: repo-parts
         uses: ./.defaults/.github/actions/validate-enrollment
@@ -153,4 +155,4 @@ jobs:
           run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           status-repo: ${{ inputs.source_repo }}
           status-number: ${{ fromJSON(inputs.event_payload).pull_request.number || fromJSON(inputs.event_payload).issue.number }}
-          status-token: ${{ steps.app-token.outputs.token }}
+          mint-url: ${{ inputs.mint_url }}

.github/workflows/reusable-review.yml

@@ -55,6 +55,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Checkout upstream defaults
+        if: hashFiles('.defaults/action.yml', '.fullsend/.defaults/action.yml') == ''
         uses: actions/checkout@v6
         with:
           repository: fullsend-ai/fullsend
@@ -169,4 +170,4 @@ jobs:
           run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           status-repo: ${{ inputs.source_repo }}
           status-number: ${{ fromJSON(inputs.event_payload).pull_request.number || fromJSON(inputs.event_payload).issue.number }}
-          status-token: ${{ steps.app-token.outputs.token }}
+          mint-url: ${{ inputs.mint_url }}

.github/workflows/reusable-triage.yml

@@ -54,6 +54,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Checkout upstream defaults
+        if: hashFiles('.defaults/action.yml', '.fullsend/.defaults/action.yml') == ''
         uses: actions/checkout@v6
         with:
           repository: fullsend-ai/fullsend
@@ -100,6 +101,7 @@ jobs:
           mkdir -p .github/scripts
           cp "${SRC}/.github/scripts/setup-agent-env.sh" .github/scripts/setup-agent-env.sh
 
+
       - name: Validate enrollment and extract repo metadata
         id: repo-parts
         uses: ./.defaults/.github/actions/validate-enrollment
@@ -149,4 +151,4 @@ jobs:
           run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           status-repo: ${{ inputs.source_repo }}
           status-number: ${{ fromJSON(inputs.event_payload).issue.number }}
-          status-token: ${{ steps.app-token.outputs.token }}
+          mint-url: ${{ inputs.mint_url }}

.pre-commit-config.yaml

@@ -74,6 +74,8 @@ repos:
           - property "workflow_repository" is not defined
           - -ignore
           - SC2016
+          - -ignore
+          - '__REUSABLE_(WORKFLOW|DISPATCH)__'
 
   - repo: local
     hooks:

README.md

@@ -50,6 +50,7 @@ This is not a product spec. It's an evolving exploration of a hard problem space
   - [Vertex AI Inference Provisioning](docs/plans/vertex-inference-provisioning.md) — Provisioning and configuration for Vertex AI inference endpoints
   - [ADR-0045 Forge-Portable Harness Schema — Phase 1](docs/plans/adr-0045-forge-portable-harness-phase1.md) — Implementation plan for ADR-0045 forge-portable harness schema (Phase 1)
   - [ADR-0045 Forge-Portable Harness Schema — Phase 2](docs/plans/adr-0045-forge-portable-harness-phase2.md) — Implementation plan for ADR-0045 Phase 2: adopt new schema fields across install, scaffold, and lock flows
+  - [ADR-0045 Forge-Portable Harness Schema — Phase 3](docs/plans/adr-0045-forge-portable-harness-phase3.md) — Implementation plan for ADR-0045 Phase 3: deprecate config.yaml agents block, add Lint() diagnostics, migrate to harness-first discovery
   - [ADR-0046 Drift Scanner](docs/plans/2026-03-06-adr46-drift-scanner.md) — Implementation plan for ADR-0046 drift detection tool
 - **[docs/guides/](docs/guides/)** — Practical how-to documentation for administrators and developers (see [ADR 0023](docs/ADRs/0023-user-documentation-structure.md))
 - **[docs/ADRs/](docs/ADRs/)** — Architecture Decision Records for crystallizing specific decisions (see [ADR 0001](docs/ADRs/0001-use-adrs-for-decision-making.md))

action.yml

@@ -36,8 +36,10 @@ inputs:
   status-number:
     description: Issue/PR number for status comments (optional).
     default: ""
-  status-token:
-    description: Token for status comments (defaults to GH_TOKEN env var).
+  mint-url:
+    description: >-
+      Mint service URL for on-demand status comment tokens. The binary
+      mints a fresh short-lived token before each status API call.
     default: ""
 
 runs:
@@ -73,7 +75,7 @@ runs:
           done
         }
 
-        # Use vendored binary if present (placed by fullsend admin install --vendor-fullsend-binary).
+        # Use vendored binary if present (placed by fullsend admin install --vendor).
         # Per-org mode stores it at bin/fullsend (in .fullsend config repo);
         # per-repo mode stores it at .fullsend/bin/fullsend (in the target repo).
         # GitHub Contents API does not preserve the executable bit, so check -f not -x.
@@ -263,23 +265,17 @@ runs:
         podman info
         systemctl --user start podman.socket
 
-    - name: Set OpenShell version
-      shell: bash
-      run: |
-        echo "OPENSHELL_VERSION=0.0.54" >> "${GITHUB_ENV}"
-        # SHA corresponding to 0.0.54
-        echo "OPENSHELL_SHA=79aa355dd008e496a7d8f97b361a7b2866066fbc" >> "${GITHUB_ENV}"
-
-    - name: Install OpenShell CLI
+    - name: Configure OpenShell gateway
       shell: bash
       run: |
         mkdir -p $HOME/.config/openshell/
         cat > $HOME/.config/openshell/gateway.env << EOF
         OPENSHELL_BIND_ADDRESS=0.0.0.0
         EOF
 
-        curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/${OPENSHELL_SHA}/install.sh | OPENSHELL_VERSION=v${OPENSHELL_VERSION} sh
-        openshell --version
+    - name: Install OpenShell CLI
+      shell: bash
+      run: "$GITHUB_ACTION_PATH/.github/scripts/install-openshell.sh"
 
     - name: Restore cached sandbox image
       id: sandbox-cache
@@ -363,7 +359,7 @@ runs:
         STATUS_RUN_URL: ${{ inputs.run-url }}
         STATUS_REPO: ${{ inputs.status-repo }}
         STATUS_NUMBER: ${{ inputs.status-number }}
-        STATUS_TOKEN: ${{ inputs.status-token }}
+        MINT_URL: ${{ inputs.mint-url }}
       run: |
         set -euo pipefail
         FULLSEND_DIR="${FULLSEND_DIR:-${GITHUB_WORKSPACE}}"
@@ -373,17 +369,14 @@ runs:
         # Post-scripts enforce secret scanning, protected-path blocks,
         # and review-downgrade controls. Skipping them in CI bypasses
         # all post-push security gates.
-        if [[ -n "${STATUS_TOKEN}" ]]; then
-          echo "::add-mask::${STATUS_TOKEN}"
-        fi
         STATUS_FLAGS=()
         if [[ -n "${STATUS_REPO}" && -n "${STATUS_NUMBER}" ]]; then
           STATUS_FLAGS+=(--status-repo "${STATUS_REPO}" --status-number "${STATUS_NUMBER}")
           if [[ -n "${STATUS_RUN_URL}" ]]; then
             STATUS_FLAGS+=(--run-url "${STATUS_RUN_URL}")
           fi
-          if [[ -n "${STATUS_TOKEN}" ]]; then
-            STATUS_FLAGS+=(--status-token "${STATUS_TOKEN}")
+          if [[ -n "${MINT_URL}" ]]; then
+            STATUS_FLAGS+=(--mint-url "${MINT_URL}")
           fi
         fi
         fullsend run "${AGENT}" \
@@ -393,10 +386,11 @@ runs:
           "${STATUS_FLAGS[@]+"${STATUS_FLAGS[@]}"}"
 
     - name: Finalize orphaned status comment
-      if: always() && inputs.agent != '__install_only__' && inputs.status-repo != '' && inputs.status-number != ''
+      if: always() && inputs.agent != '__install_only__' && inputs.status-repo != '' && inputs.status-number != '' && inputs.mint-url != ''
       shell: bash
       env:
-        STATUS_TOKEN: ${{ inputs.status-token }}
+        MINT_URL: ${{ inputs.mint-url }}
+        AGENT: ${{ inputs.agent }}
         STATUS_REPO: ${{ inputs.status-repo }}
         STATUS_NUMBER: ${{ inputs.status-number }}
         RUN_ID: ${{ github.run_id }}
@@ -409,13 +403,8 @@ runs:
         # the deferred PostCompletion call never runs and the status comment
         # remains in "Started" state. This step runs unconditionally (if:
         # always()) to detect and finalize orphaned comments. See #2149.
-        TOKEN="${STATUS_TOKEN:-${GITHUB_TOKEN:-}}"
-        if [[ -z "${TOKEN}" ]]; then
-          echo "::warning::No token available for status comment reconciliation"
-          exit 0
-        fi
-        echo "::add-mask::${TOKEN}"
-        RECONCILE_FLAGS=(--repo "${STATUS_REPO}" --number "${STATUS_NUMBER}" --run-id "${RUN_ID}" --token "${TOKEN}")
+        RECONCILE_FLAGS=(--repo "${STATUS_REPO}" --number "${STATUS_NUMBER}" --run-id "${RUN_ID}")
+        RECONCILE_FLAGS+=(--mint-url "${MINT_URL}" --role "${AGENT}")
         if [[ -n "${RUN_URL}" ]]; then
           RECONCILE_FLAGS+=(--run-url "${RUN_URL}")
         fi

docs/ADRs/0035-layered-content-resolution.md

@@ -63,7 +63,9 @@ they are populated at runtime from upstream.
 replaced the earlier checkout at `@v0` with a checkout at a
 caller-controlled ref), copies them into the main dirs (`agents/`, `skills/`,
 etc.), then copies customizations on top so override files replace upstream
-defaults. The workflow inspects `install_mode` to resolve the correct
+defaults. When `--vendor` has committed upstream mirror content under
+`.defaults/`, the sparse checkout is skipped (see
+[ADR 0047](0047-vendored-installs-with-vendor-flag.md)). The workflow inspects `install_mode` to resolve the correct
 customization base:
 
 - `per-org`: reads from `customized/`

docs/ADRs/0045-forge-portable-harness-schema.md

@@ -142,8 +142,9 @@ agent definition `.md` file). `agent` describes *how* the agent behaves;
 `role` describes *what function* the agent serves in the pipeline; `slug`
 describes *who* the agent authenticates as. During Phase 1-2, `role` and
 `slug` are optional — `Validate()` does not require them. In Phase 3,
-`Validate()` emits warnings when `role` is missing. In Phase 4,
-`Validate()` requires `role`.
+`Validate()` continues to allow missing `role`, but `Lint()` emits
+warnings when `role` is missing. In Phase 4, `Validate()` requires
+`role`.
 
 `base` references another harness file whose fields serve as defaults for
 this harness. Any field set in the child overrides the corresponding base
@@ -516,11 +517,10 @@ func (h *Harness) ResolveForge(platform string) error { ... }
    Note: `role`/`slug` becoming required is independent of the `forge:`
    section — a harness that only targets one platform still needs `role`
    and `slug` but does not need `forge:`.
-   Implementation note: the current `Validate()` method returns hard errors
-   only — there is no warning/advisory path. Phase 3 will need a separate
-   `Lint()` method or log-level warnings to emit non-fatal diagnostics
-   without breaking existing callers that treat any `Validate()` error as
-   a hard stop.
+   Implementation note: `Validate()` returns hard errors only. Phase 3
+   adds a separate `Lint()` method that returns non-fatal `[]Diagnostic`
+   warnings without breaking existing callers that treat any `Validate()`
+   error as a hard stop.
 
 4. **Phase 4 (remove):** Require `role` in all harness files. Remove the
    `agents:` block from config.yaml entirely. Agent identity and