CLI Internals
This guide provides implementation details for fullsend CLI internals: command structure, installation pipeline, sandbox runtime, and key source files. For running agents locally, see Running agents locally.
CLI Command Tree
fullsend
├── admin  # All-in-one setup (GCP + GitHub)
│   ├── install <org|owner/repo>  # Full infrastructure setup
│   ├── uninstall <org>  # Tear down (reverse layer order)
│   ├── analyze <org>  # Health check installed state
│   ├── enable
│   │   └── repos <org> [repo...]  # Enable agent on repos
│   └── disable
│       └── repos <org> [repo...]  # Disable agent on repos
├── mint  # Token mint management
│   ├── deploy  # Deploy/update mint Cloud Function
│   ├── add-role <role>  # Register role PEM + ROLE_APP_IDS entry
│   ├── remove-role <role>  # Remove role from mint
│   ├── enroll <org|owner/repo>  # Register org/repo in mint
│   ├── unenroll <org|owner/repo>  # Remove org/repo from mint
│   ├── status [org]  # Inspect mint state and PEM health
│   └── token  # Mint a short-lived token via OIDC
│       ├── --role <name>  # Agent role (triage, coder, review)
│       ├── --repos <list>  # Comma-separated repo names
│       ├── --mint-url <url>  # Mint service URL ($FULLSEND_MINT_URL)
│       └── --audience <string>  # OIDC audience (default: fullsend-mint)
├── inference  # GCP: inference WIF management
│   ├── provision <org|owner/repo>  # Create WIF pool/provider for Agent Platform
│   ├── deprovision <org|owner/repo>  # Remove WIF access for org or repo
│   └── status <org|owner/repo>  # Check WIF health, print config
├── github  # GitHub-only configuration
│   ├── setup <org|owner/repo>  # Configure fullsend (no GCP needed)
│   ├── enroll <org> [repo...]  # Enable repos for agent workflows
│   ├── unenroll <org> [repo...]  # Disable repos from agent workflows
│   ├── set <target> <key> <value>  # Update a config value
│   ├── status <org>  # Analyze GitHub-side state
│   ├── uninstall <org>  # Remove fullsend GitHub configuration
│   └── sync-scaffold <org>  # Update workflow templates
├── agent  # Manage agent registrations in config
│   ├── add <url-or-path>  # Register an agent (URL auto-pinned)
│   ├── list  # List registered agents
│   ├── update <name> [sha]  # Re-pin URL agent to new commit SHA
│   └── remove <name>  # Unregister agent from config
├── lock [agent-name]  # Pin remote deps to lock.yaml
│   ├── --all  # Lock all harnesses in the harness directory
│   ├── --fullsend-dir <path>  # Base directory with .fullsend layout
│   ├── --forge <platform>  # Lock only this forge variant; omit for all
│   ├── --update  # Force re-resolve even if current
│   ├── --offline  # Reject network fetches
│   ├── --max-depth <int>  # Max transitive dependency depth
│   └── --max-resources <int>  # Max total remote resources
├── run  # Execute an agent in a sandbox
│   ├── --fullsend-dir <path>  # Base directory with .fullsend layout
│   ├── --target-repo <path>  # Path to the target repository
│   ├── --output-dir <path>  # Base directory for run output
│   ├── --env-file <path>  # Load env vars from dotenv file (repeatable)
│   ├── --forge <platform>  # Forge platform (github, gitlab); auto-detected from CI env
│   ├── --no-post-script  # Skip post-script execution
│   ├── --debug [filter]  # Enable Claude Code debug logging
│   ├── --offline  # Reject network fetches
│   ├── --max-depth <int>  # Max transitive dependency depth (0 disables)
│   ├── --max-resources <int>  # Max total remote resources per harness
│   ├── --run-url <url>  # CI/CD run URL for status comments
│   ├── --status-repo <owner/repo>  # Repository for status comments
│   ├── --status-number <int>  # Issue/PR number for status comments
│   └── --mint-url <url>  # Mint service URL for on-demand status tokens
├── fetch-skill <url>  # Fetch a skill at runtime (in-sandbox)
├── scan  # Run security scanner on input/output
│   ├── input  # Scan event payload for prompt injection
│   ├── output  # Scan agent output for leaked secrets
│   ├── context  # Scan context files for prompt injection
│   └── url  # Validate URLs against SSRF attacks
├── post-review  # Post PR review comments to GitHub
├── post-comment  # Post issue/PR comments to GitHub
└── reconcile-status  # Finalize orphaned status comments
    ├── --repo <owner/repo>  # Repository in owner/repo format
    ├── --number <int>  # Issue/PR number
    ├── --run-id <string>  # Workflow run ID (marker key)
    ├── --run-url <url>  # Workflow run URL (optional)
    ├── --sha <string>  # Commit SHA (optional)
    ├── --reason <string>  # Termination reason: terminated or cancelled (default: terminated)
    ├── --mint-url <url>  # Mint service URL for on-demand token (default: $FULLSEND_MINT_URL)
    └── --role <string>  # Agent role for minting (required with --mint-url)
Command Decomposition
The mint, inference, and github subcommands decompose setup into role-specific operations for organizations that separate GCP and GitHub responsibilities:
| Install Phase | Standalone Command | Required Access |
|---|---|---|
| Phases 1-3: Mint deployment | fullsend mint deploy | GCP project (mint): roles/iam.serviceAccountAdmin, roles/iam.workloadIdentityPoolAdmin, roles/cloudfunctions.developer, roles/run.admin; with --pem-dir also roles/secretmanager.admin, roles/resourcemanager.projectIamAdmin |
| Phases 1-3: Mint enrollment | fullsend mint enroll | GCP project (mint): roles/cloudfunctions.viewer, roles/run.admin, roles/iam.workloadIdentityPoolAdmin; per-repo mode also needs roles/resourcemanager.projectIamAdmin |
| Phase 4: WIF provisioning | fullsend inference provision | GCP project (inference): roles/iam.workloadIdentityPoolAdmin, roles/resourcemanager.projectIamAdmin |
| Phases 5-7: GitHub setup + enrollment | fullsend github setup | GitHub only |
The typical handoff: a GCP admin runs mint deploy, mint enroll, and inference provision, then passes the mint URL and WIF provider resource name to a GitHub maintainer who runs github setup --mint-url=... --inference-wif-provider=.... See Advanced setup.
Note: The legacy admin install command wraps all phases into a single invocation but is deprecated. The standalone commands above are the recommended path. See the Unified Installation Flow section below for how the phases are structured internally.
Token Resolution Chain
All commands that interact with GitHub resolve authentication in this order:
GH_TOKEN env var → GITHUB_TOKEN env var → `gh auth token` CLI
Install Mode Detection
The install command auto-detects mode from the positional argument:
fullsend admin install <org> → Per-org mode (full infrastructure)
fullsend admin install <owner>/<repo> → Per-repo mode (single repo bootstrap)
Unified Installation Flow
Both per-org and per-repo modes share the same core pipeline. The code follows the same phases in the same order; the only differences are where artifacts land and the scope of WIF/enrollment.
Shared Pipeline
Unified Install Pipeline (both modes)
fullsend admin install <target>
  Parse target:
    "acme" → org
    "acme/repo" → repo
  ↓
Phase 1: Discover (read-only)
  a. Discover mint --mint-url / --mint-project / default
     └─ DiscoverMint() → check if GCF exists, get URL
  b. Resolve existing app IDs from mint env vars
     └─ ROLE_APP_IDS (role → app ID, shared) → skip app creation when all roles are present
  ↓
Phase 2: App setup (shared: runAppSetup)
  For each role in --agents:
    - Create/reuse GitHub App ({appSet}-{role} via --app-set)
    - Download PEM key from App creation flow
    - Store PEM in GCP Secret Manager
    - Record App ID + Client ID
  Shared code: runAppSetup() → []AgentCredentials
  ↓
Phase 3: Mint provisioning
  If mint not found → deploy GCF (Provision)
  If mint exists → register org (EnsureOrgInMint)
                 → store PEMs in Secret Manager
  Both modes use gcf.NewProvisioner with same Config{}
  Per-repo adds: RegisterPerRepoWIF() (adds repo to PER_REPO_WIF_REPOS env)
  ↓
Phase 4: WIF provisioning (inference auth)
  Both modes: ProvisionWIF() → create pool, provider, IAM
  Per-org: org-wide WIF provider
  Per-repo: repo-scoped (mintcore.BuildRepoProviderID)
  ↓
Phase 5: Write scaffold + config files
  Both modes: write workflow files + customized/ dirs
  CommitScaffoldFiles() delivery modes:
    Default (PR): create feature branch → commit → open PR
    --direct: try CommitFiles (default branch)
              if ErrBranchProtected → fall back to PR mode
  Per-org:  create .fullsend config repo
            push reusable workflows
            vendor fullsend binary (opt)
  Per-repo: write .fullsend/ dir in repo
            push shim workflow template
            vendor fullsend binary (opt)
  ↓
Phase 6: Set secrets & variables
  Both modes write the same credential set:
    Secrets:   FULLSEND_GCP_PROJECT_ID
               FULLSEND_GCP_WIF_PROVIDER
    Variables: FULLSEND_GCP_REGION
               FULLSEND_MINT_URL
  Per-org:  secrets → .fullsend config repo
            MINT_URL → org variable
            + repo var (dot-prefix fix)
            + PEM keys as repo secrets
            + client IDs as repo variables
  Per-repo: secrets → target repo
            + FULLSEND_PER_REPO_GUARD=true
  ↓
Phase 7: Enrollment (per-org only)
  Per-org: enable agent workflows on target repos
  Per-repo: no-op (single repo, self-contained)
Mode Differences
Both modes call the same functions (runAppSetup, gcf.NewProvisioner, ProvisionWIF). The differences are narrow:
| Phase | Shared Code | Per-Org Variation | Per-Repo Variation |
|---|---|---|---|
| 1. Discover | DiscoverMint(), resolve app IDs | Discovers all org repos | Single repo validation |
| 2. App setup | runAppSetup() → PEMs + App IDs | All 7 roles by default | Excludes "fullsend" role |
| 3. Mint | gcf.Provision() or EnsureOrgInMint() | - | + RegisterPerRepoWIF() |
| 4. WIF | ProvisionWIF() | Org-wide provider ID | mintcore.BuildRepoProviderID() (repo-scoped) |
| 5. Scaffold | scaffold.PerRepoCustomizedDirs() / WalkFullsendRepo() | Creates .fullsend repo, pushes workflows + optional binary | Writes .fullsend/ dir + shim workflow + optional binary in target repo |
| 6. Secrets | Same secret names, same API calls | Config repo + org variable | Target repo + PER_REPO_GUARD |
| 7. Enrollment | - | EnrollmentLayer enables repos | No-op (self-contained) |
Per-Org Layer Stack
Per-org mode wraps phases 5-7 in a Layer interface for composability (install forward, uninstall reverse):
type Layer interface {
	Name() string
	RequiredScopes(op Operation) []string
	Install(ctx context.Context) error
	Uninstall(ctx context.Context) error
	Analyze(ctx context.Context) (LayerStatus, string, error)
}
Stack order: ConfigRepo → Workflows → HarnessWrappers → VendorBinary → Secrets → Inference → Dispatch → Enrollment
Install: process 1→8 (forward)
Uninstall: process 8→1 (reverse)
Per-repo mode does not use the layer stack; it runs the same phases inline in runPerRepoInstall() and runGitHubSetupPerRepo(), since a single repo has no need for composable uninstall ordering. Vendoring (when --vendor is set) and stale asset cleanup are handled inline or via shared helpers; per-org mode uses VendorBinaryLayer.
Binary acquisition (internal/binary)
Linux binary resolution for fullsend run and vendoring lives in internal/binary:
| Function | Policy |
|---|---|
| ResolveForRun | Release download (released CLI only) → cross-compile → latest release |
| ResolveForVendor | Cross-compile → matching release (released CLI only) → fail (no latest) |
| ResolveExplicit | Validate linux/{arch} ELF for --fullsend-binary |
Vendoring commit messages use title + body (upload and stale delete). github status reports stale vendored assets at bin/fullsend or .fullsend/bin/fullsend without install-intent flags.
OpenShell Sandbox Runtime
Sandbox Lifecycle
Sandbox Lifecycle (run.go)
Load harness        LoadWithBase: unmarshal → compose base → ResolveForge(--forge / env) → Validate
  ↓
EnsureAvailable()   Verify openshell binary exists
  ↓
EnsureGateway()     Start/verify gateway service
  ↓
EnsureProvider()    Register inference provider (bare-key credential form)
  ↓
Pre-script          Run harness.pre_script (host-side)
  ↓
Create()            openshell sandbox create --image {harness.image}
                    Returns sandbox ID
  ↓
bootstrapSandbox()
  Upload to /sandbox/workspace:
    ├── fullsend binary (cross-compiled)
    ├── agent definition file
    ├── skills/ directory
    ├── plugins/ directory
    ├── host_files (expanded ${VAR} paths)
    ├── .env file (bootstrapEnv)
    └── security hooks
  bootstrapEnv() writes:
    ├── PATH=/sandbox/workspace/bin:$PATH
    ├── CLAUDE_CONFIG_DIR=/sandbox/claude-config
    ├── FULLSEND_OUTPUT_DIR=...
    ├── FULLSEND_FETCH_URL=... (if allow_runtime_fetch)
    ├── FULLSEND_FETCH_TOKEN=<per-run token> (if above)
    └── sources .env.d/*.env files
  ↓
Copy source code    Upload target repo to sandbox
  ↓
Security scan (input)   Run host-side scanners on input (injection detection, SSRF, etc.)
  ↓
Exec(): Run agent in sandbox
  Command built by buildClaudeCommand():
    cd {repoDir} &&
    . {envFile} &&
    claude --print --verbose
      --output-format stream-json
      --model {model}
      --agent {agent}
      --dangerously-skip-permissions
      'Run the agent task'
  Background: OIDC token refresh every 4m
  ↓
Extract output      SafeDownload() with sanitization:
                    - Remove dangerous symlinks (sandbox escape)
                    - Remove .git/hooks/ (hook injection)
  ↓
Validation loop (if configured)
  for i := 0; i < max_iterations; i++ {
      run validation script
      if pass → break
      feed feedback → re-run agent
  }
  ↓
Post-script         Run harness.post_script (host-side)
  ↓
Delete()            openshell sandbox delete
                    Cleanup sandbox resources
Sandbox Constants
SandboxWorkspace = "/sandbox/workspace"
SandboxClaudeConfig = "/sandbox/claude-config"
For sandbox workspace layout, agent rule layering, and security scanning details, see Agent runtimes.
Key Sandbox Operations
| Operation | CLI Command | Purpose |
|---|---|---|
| EnsureAvailable() | Check openshell binary | Verify runtime available |
| EnsureGateway() | openshell gateway ... | Start inference gateway |
| EnsureProvider() | openshell provider ... | Register model provider (bare-key form) |
| Create() | openshell sandbox create --image ... | Spin up container |
| Exec() | openshell sandbox exec ... | Run command in sandbox |
| ExecStreamReader() | openshell sandbox exec ... | Streaming stdout reader |
| Upload() | openshell sandbox upload ... | Copy files into sandbox |
| Download() | openshell sandbox download ... | Copy files out of sandbox |
| SafeDownload() | Download + sanitize | Remove dangerous symlinks (absolute or repo-escaping), .git/hooks |
| CollectLogs() | Download logs dir | Extract sandbox logs |
| ExtractTranscripts() | Download transcripts | Extract conversation transcripts |
| Delete() | openshell sandbox delete | Destroy container |
Security: sanitizeDownload()
After downloading files from the sandbox, sanitizeDownload() removes:
- Dangerous symlinks (absolute targets or targets that escape the repo): prevents sandbox escape via symlink-to-host-path attacks; relative in-repo symlinks are kept
- .git/hooks/: prevents hook injection that would execute on the host
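An added example, not fullsend's own code: one way to apply the two removal rules above to a downloaded tree in Go. SanitizeTree, escapes and demoTree are hypothetical names, the sample tree is constructed, and treating unresolvable (dangling or looping) link targets as dangerous is an assumption of this example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// SanitizeTree (hypothetical name, not fullsend's code) deletes .git/hooks and every
// symlink whose target is absolute, leaves root, or cannot be resolved (assumption).
func SanitizeTree(root string) ([]string, error) {
	root, err := filepath.EvalSymlinks(root) // compare against the real root path
	if err != nil {
		return nil, err
	}
	var removed []string
	err = filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		rel, _ := filepath.Rel(root, p)
		switch {
		case err != nil:
			return err
		case filepath.ToSlash(rel) == ".git/hooks": // hooks would execute on the host
			removed = append(removed, rel)
			if err := os.RemoveAll(p); err != nil || !d.IsDir() {
				return err
			}
			return filepath.SkipDir // directory is gone, do not descend
		case d.Type()&fs.ModeSymlink != 0 && escapes(root, p):
			removed = append(removed, rel)
			return os.Remove(p)
		}
		return nil
	})
	return removed, err
}

// escapes resolves the target from the link's directory by following symlinks (a lexical
// Clean() of "dot/../x" is wrong when "dot" is a link); unresolvable targets count as escaping.
func escapes(root, link string) bool {
	target, err := os.Readlink(link)
	if err != nil || filepath.IsAbs(target) {
		return true
	}
	dst, err := filepath.EvalSymlinks(filepath.Dir(link) + "/" + target)
	rel, rerr := filepath.Rel(root, dst)
	return err != nil || rerr != nil || rel == ".." || strings.HasPrefix(filepath.ToSlash(rel), "../")
}

// demoTree builds a constructed sample download under base and returns the repo path.
func demoTree(base string) string {
	repo := filepath.Join(base, "repo")
	os.MkdirAll(filepath.Join(repo, ".git", "hooks"), 0o755)
	os.WriteFile(filepath.Join(repo, ".git", "hooks", "pre-commit"), []byte("#!/bin/sh\n"), 0o755)
	os.WriteFile(filepath.Join(repo, "ok.txt"), nil, 0o644)
	os.WriteFile(filepath.Join(base, "outside.txt"), nil, 0o644) // stands in for a host file
	links := map[string]string{"keep": "ok.txt", "dot": ".", "abs": "/etc/hostname", "up": "../outside.txt", "sneaky": "dot/../outside.txt"}
	for name, target := range links {
		os.Symlink(target, filepath.Join(repo, name))
	}
	return repo
}

func main() {
	base, _ := os.MkdirTemp("", "download")
	defer os.RemoveAll(base)
	fmt.Println(SanitizeTree(demoTree(base))) // [.git/hooks abs sneaky up] <nil>
}
```

The `sneaky` link is the case a purely lexical path check misses: cleaned as text it appears to stay inside the repo, but followed through `dot` it lands on the file outside it.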
Workflow Deployment & Scaffold System
Scaffold Architecture
The fullsend binary embeds a complete .fullsend repo template using Go's embed.FS:
//go:embed all:fullsend-repo
var content embed.FS
File Categories
fullsend-repo/ (embedded template)
├── .github/
│   ├── workflows/  ← Pushed to config repo
│   ├── actions/  ← Upstream-only (not installed)
│   └── scripts/  ← Upstream-only (not installed)
├── agents/  ← Layered (runtime, not installed)
├── skills/  ← Layered (runtime, not installed)
├── schemas/  ← Layered (runtime, not installed)
├── harness/  ← Layered (runtime, not installed)
├── policies/  ← Layered (runtime, not installed)
├── scripts/  ← Layered (runtime, not installed)
├── env/  ← Layered (runtime, not installed)
├── templates/
│   └── shim-per-repo.yaml  ← Per-repo shim workflow template
└── (other files)  ← Installed to config repo
Three categories:
| Category | Installed? | Source | Purpose |
|---|---|---|---|
| Installed | Yes | Scaffold → .fullsend repo | Workflows, configs, static files |
| Layered | No (runtime) or yes with --vendor | Upstream @v0 sparse checkout, or vendored at install | agents/, skills/, harness/, plugins/, policies/, scripts/, schemas/, env/ |
| Upstream-only | No (layered) or yes with --vendor | Referenced directly or vendored at install | .github/actions/, .github/scripts/ |
Runtime skips upstream fetch when .defaults/action.yml is present (vendored); layered installs sparse-checkout fullsend-ai/fullsend@v0 into .defaults/.
File Mode Tracking
Since embed.FS doesn't preserve Unix permissions, executable files are tracked in a static map:
var executableFiles = map[string]struct{}{
	"scripts/post-code.sh":  {},
	"scripts/pre-triage.sh": {},
	"scripts/scan-secrets":  {},
	// ... 20+ entries
}
FileMode() returns "100755" for scripts, "100644" for everything else. A test (TestFileModeMatchesFilesystem) validates this map stays in sync with the actual filesystem.
Complete End-to-End Flow: Issue → Agent Run → PR
End-to-End: Issue Triage → Code → Review
1. Issue created on target repo
   ↓
2. GitHub webhook → triage workflow dispatched
   ↓
3. Triage workflow calls .fullsend reusable workflow
   ↓
4. Workflow requests OIDC token (id-token: write)
   ↓
5. POST /v1/token → Mint validates, returns scoped token
   ↓
6. fullsend run --agent triage
   ├── Load harness/triage.yaml
   ├── Create sandbox
   ├── Bootstrap (binary, agent, skills, env)
   ├── Run claude in sandbox
   ├── Extract output
   └── Cleanup sandbox
   ↓
7. Triage agent labels issue, assigns priority
   ↓
8. Coder workflow dispatched (label trigger)
   ↓
9. Repeat steps 4-6 with role=coder
   ├── Coder agent creates branch, writes code
   └── Opens PR via GitHub App bot
   ↓
10. Review workflow dispatched (PR trigger)
   ↓
11. Repeat steps 4-6 with role=review
   ├── Review agent examines diff
   └── Posts review comments via GitHub App bot
Key Source Files Reference
Note: Line counts are approximate and may drift as the codebase evolves.
| File | Lines | Purpose |
|---|---|---|
| internal/cli/root.go | ~34 | CLI entry point, command registration |
| internal/cli/admin.go | ~2415 | Install/uninstall/analyze/enable/disable |
| internal/cli/mint.go | ~1022 | Mint deploy/enroll/unenroll/status |
| internal/cli/inference.go | ~408 | Inference WIF provision/status |
| internal/cli/github.go | ~966 | GitHub setup/set/status/uninstall/sync-scaffold/enroll/unenroll |
| internal/cli/run.go | ~1923 | Agent execution lifecycle |
| internal/mint/main.go | ~95 | GCF token mint entry point (wiring only) |
| cmd/mint/ | ~285 | Standalone mint server (no GCP dependency) |
| internal/mintcore/ | ~1425 | Shared mint library (handler, OIDC verifiers, GitHub API) |
| internal/dispatch/gcf/provisioner.go | ~1959 | GCP infrastructure provisioner |
| internal/sandbox/sandbox.go | ~459 | OpenShell sandbox operations |
| internal/harness/harness.go | ~486 | Harness YAML parsing |
| internal/layers/layers.go | ~159 | Layer interface and stack |
| internal/layers/secrets.go | ~200 | PEM key deployment layer |
| internal/layers/inference.go | ~150 | Inference credential layer |
| internal/layers/dispatch.go | ~364 | Mint URL deployment layer |
| internal/scaffold/scaffold.go | ~146 | Embedded template system |
| internal/inference/inference.go | ~26 | Provider interface |
| internal/inference/vertex/vertex.go | ~80 | Agent Platform (Vertex AI) implementation |
| internal/config/config.go | ~264 | Org/repo config structures |
See Also
- Running agents locally: Run agents locally (binary download, GCP credentials, per-agent env vars)
- Getting Started: Standard per-repo installation
- Advanced setup: Alternative installation paths and setup flags
- Mint service administration: Deploying and managing the token mint
- Infrastructure Reference: Infrastructure details
- Customizing Agents: User customization guide
