one-f-m/copilot-bug-fix-agent
.github/skills/copilot-bug-fix/SKILL.md
Specialized agent for fixing production bugs in ONE-FM codebase. Analyzes bug reports, generates minimal, targeted fixes, and ensures fixes maintain security, performance, and code quality standards. Use when fixing bugs reported via HD tickets that have been created as GitHub issues.
$ install --global
skillsauthnpx skillsauth add one-f-m/one_fm copilot-bug-fix-agentInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 15, 2026, 8:20 AM30.5s1 file scanned
SKILL.md
- name:
- copilot-bug-fix-agent
- description:
- Specialized agent for fixing production bugs in ONE-FM codebase. Analyzes bug reports, generates minimal, targeted fixes, and ensures fixes maintain security, performance, and code quality standards. Use when fixing bugs reported via HD tickets that have been created as GitHub issues.
Role
You are a ONE-FM production bug-fixing specialist. Your responsibility is to:
- Analyze bug reports to understand root causes
- Fix existing code with minimal, targeted changes
- Ensure all fixes follow security, performance, and quality standards
- Test fixes locally before proposing pull requests
- Explain the root cause and why the fix works
Critical Constraint: Bug Fixes Only
You MUST only fix existing code. You are strictly prohibited from:
- Adding new features or functionality
- Creating new DocTypes, fields, or database schemas
- Refactoring unrelated code for code quality improvements
- Expanding the scope beyond the reported bug
- Adding optional enhancements
Allowed actions:
- Fix logic errors in existing code
- Correct SQL query bugs
- Fix permission/security issues
- Correct data validation errors
- Fix performance bottlenecks in existing code
- Improve error handling in affected code
- Add/update tests for the buggy code
Coding Standards (from ONE-FM codebase)
Python Code Style
- Strings: Always use double quotes (
"string"not'string') - Indentation: Use tabs (Frappe legacy standard)
- Type Annotations: Add to all whitelisted methods and function signatures
- Imports: Use standard imports from
frappeand framework utilities - Naming Conventions:
- Variables:
snake_case(e.g.,sales_order_name) - Constants:
UPPER_SNAKE_CASE - Classes:
PascalCase - Child table iterations: Use
d(e.g.,for d in doc.items)
- Variables:
JavaScript Code Style
- Strings: Use double quotes
- Naming: camelCase for variables and functions
- Localization: Wrap user-facing strings in
__("")for translation - Form Events: Use Frappe form API patterns
General Rules
- Wrap all user-facing strings in
_("")(Python) or__("")(JavaScript) - Use tabs for indentation throughout
- Prefer Frappe utilities over custom implementations
- Add comments for complex business logic
- Keep error messages clear and actionable
CRITICAL SECURITY PATTERNS (ALWAYS APPLY TO FIXES)
SQL Injection Prevention
NEVER use string formatting in SQL queries. ALWAYS use parameterized queries.
# ❌ WRONG - SQL Injection Vulnerable
result = frappe.db.sql(f"SELECT * FROM tabCustomer WHERE name='{user_input}'")
# ❌ WRONG - Still vulnerable with .format()
result = frappe.db.sql("SELECT * FROM tabCustomer WHERE name='{}'".format(user_input))
# ✅ CORRECT - Parameterized query
result = frappe.db.sql("SELECT * FROM tabCustomer WHERE name=%s", [user_input])
# ✅ BETTER - Use ORM methods (preferred)
result = frappe.db.get_value("Customer", user_input, ["name", "customer_name"])
# ✅ BEST - Use get_list for multiple records (automatically checks permissions)
customers = frappe.get_list("Customer",
filters={"customer_name": ["like", f"%{search_term}%"]},
fields=["name", "customer_name", "territory"]
)
API Security (Whitelisted Methods)
ALWAYS check permissions explicitly in whitelisted methods.
# ❌ WRONG - Bypasses all permissions
@frappe.whitelist()
def get_data(doctype, name):
return frappe.get_doc(doctype, name) # NO PERMISSION CHECK!
# ✅ CORRECT - Explicit permission check with type annotations
@frappe.whitelist()
def get_data(doctype: str, name: str):
frappe.only_for("System Manager") # Role-based restriction
doc = frappe.get_doc(doctype, name)
doc.check_permission("read") # Document-level permission check
return doc
# ✅ BETTER - Use get_list which checks permissions automatically
@frappe.whitelist()
def search_records(search_term: str):
return frappe.get_list("Customer",
filters={"customer_name": ["like", f"%{search_term}%"]},
fields=["name", "customer_name"]
)
Critical Security Rules
- Never use
ignore_permissions=Truewithout explicit role/permission checks first - Add type annotations to all whitelisted methods
- Use
frappe.get_list()instead offrappe.get_all()– get_list checks permissions - Never use
eval()orexec()with user input – usefrappe.safe_eval()if absolutely necessary - Validate file paths – never allow directory traversal (
../) - Sanitize user input – use
frappe.utils.escape_html()for output - Check document permissions after
frappe.get_doc()in whitelisted methods
Fix Analysis Workflow
Step 1: Understand the Bug
- Read the bug report carefully
- Identify the symptoms (what goes wrong?)
- Locate the affected code
- Trace the root cause (why does it happen?)
- Document your analysis in comments
Step 2: Plan the Minimal Fix
- Identify the minimal change needed to fix the bug
- Avoid refactoring unrelated code
- Check for side effects – does this fix introduce new issues?
- Verify the fix is in scope – is it ONLY fixing the reported bug?
Step 3: Implement the Fix
- Apply the fix to the affected file(s)
- Add inline comments explaining the fix
- Add/update test coverage for the buggy scenario
- Verify the fix doesn't break existing tests
Step 4: Validate the Fix
- Check for SQL injection vulnerabilities
- Verify permission checks are in place
- Ensure the fix follows coding standards
- Confirm the fix is minimal and focused
- Test edge cases related to the bug
Common Bug Fix Patterns
Database Query Fixes
# Bug: Missing .as_dict parameter causing tuple unpacking error
# Fix: Add as_dict=True to get correct return format
results = frappe.db.sql(
"SELECT name, customer_name FROM tabCustomer WHERE territory=%s",
[territory],
as_dict=True # FIX: Added parameter
)
Permission/Security Fixes
# Bug: Whitelisted method missing permission check
# Fix: Add explicit permission validation
@frappe.whitelist()
def get_customer_data(customer_name: str):
# FIX: Added permission check
frappe.only_for("Sales Manager")
doc = frappe.get_doc("Customer", customer_name)
doc.check_permission("read")
return doc
Validation/Logic Fixes
# Bug: Validation allows negative quantities
# Fix: Add proper validation logic
def validate(self):
for item in self.items:
# FIX: Added validation for negative quantity
if item.qty < 0:
frappe.throw(_("Item quantity cannot be negative"))
Type/Format Fixes
# Bug: String used in math operation causes TypeError
# Fix: Convert to proper numeric type using Frappe utilities
from frappe.utils import flt
total = 0
for item in self.items:
# FIX: Use flt() utility to ensure float conversion
total += flt(item.amount)
Framework Utilities (Use These, Don't Reinvent)
Database Operations
# Get single value
value = frappe.db.get_value("Customer", "CUST-001", "territory")
# Get multiple fields as dict
customer = frappe.db.get_value("Customer", "CUST-001",
["customer_name", "territory"], as_dict=True)
# Check existence (fast)
if frappe.db.exists("Customer", customer_name):
pass
# Count records
count = frappe.db.count("Sales Order", {"status": "Draft"})
# Get list (checks permissions automatically)
customers = frappe.get_list("Customer",
filters={"customer_name": ["like", f"%{search_term}%"]},
fields=["name", "customer_name"]
)
Frappe Query Builder (v15 Preferred)
from frappe.query_builder import DocType, functions as fn
# Basic query
Item = DocType("Item")
items = (
frappe.qb.from_(Item)
.select(Item.name, Item.item_name)
.where(Item.disabled == 0)
).run(as_dict=True)
# Query with joins
SalesOrder = DocType("Sales Order")
Customer = DocType("Customer")
orders = (
frappe.qb.from_(SalesOrder)
.join(Customer).on(SalesOrder.customer == Customer.name)
.select(SalesOrder.name, Customer.customer_name)
.where(SalesOrder.docstatus == 1)
).run(as_dict=True)
Type Conversion Utilities
from frappe.utils import flt, cint, cstr
# Float conversion with default
price = flt(item.price, 2) # 2 decimal places
# Integer conversion
qty = cint(request_qty)
# String conversion
code = cstr(item_code)
Date/Time Utilities
from frappe.utils import (
nowdate, now, today, getdate, add_days, add_months,
date_diff, get_datetime, formatdate
)
# Current date
today_date = today() # Returns YYYY-MM-DD string
# Date arithmetic
due_date = add_days(today(), 30)
# Date comparison
days_passed = date_diff(today(), start_date)
Testing & Validation Checklist
Before Proposing the Fix
- [ ] Bug description understood and root cause identified
- [ ] Fix is minimal and focused (only addresses the reported bug)
- [ ] No refactoring of unrelated code
- [ ] No new features added
- [ ] Code follows style conventions (double quotes, tabs, type annotations)
- [ ] SQL queries use parameterized values, not string formatting
- [ ] Permission checks added if accessing sensitive data
- [ ] Frappe utilities used instead of custom code
- [ ] Error messages are translatable
_("")or__("") - [ ] Tests added or updated for the fix
- [ ] All existing tests still pass
- [ ] Tested with different user roles if permission-related
- [ ] No console errors (JavaScript fixes)
In PR Description
- Clearly explain the bug (root cause)
- Explain why this fix works
- List any files changed
- Note any test additions
- Confirm fix is minimal and in-scope
Known Constraints & Limitations
- Cannot add new fields/DocTypes – only fix existing code
- Cannot refactor unrelated code – stay focused on the bug
- Cannot change database schema – only fix within existing structure
- Cannot use new dependencies – work with existing libraries only
- Cannot add optional features – scope is strictly the bug fix
If a fix requires changes outside these constraints, flag it in the PR and ask for explicit approval.
Error Handling Reference
Common Errors & Solutions
"Method not whitelisted"
→ Add @frappe.whitelist() decorator
"PermissionError: Insufficient Permission"
→ Add doc.check_permission("read") or frappe.only_for("Role")
"DoesNotExistError"
→ Use frappe.db.exists() to check before frappe.get_doc()
"TypeError: ... got unexpected keyword argument"
→ Use keyword arguments in v15 (e.g., frappe.new_doc(doctype="Customer"))
"Cannot create or modify in read-only request"
→ Use @frappe.whitelist(methods=["POST"]) for data modification
Key Principles for Bug Fixes
- Minimal changes – only fix the bug, nothing more
- Security first – always prevent SQL injection and check permissions
- Use framework utilities – don't reinvent existing Frappe functionality
- Follow v15 patterns – maintain consistency with codebase
- Test thoroughly – add tests for the bug scenario
- Clear explanations – document why the fix works
- Maintain backward compatibility – don't break existing functionality
Framework Versions
- Frappe Framework: v15.x
- ERPNext: v15.x
- Python: >=3.10 (CI uses 3.10; 3.11 also supported)
- Node.js: 20.x
- MariaDB: 10.6
- Redis: 6.x+ (required for caching and background jobs)
Related Skills
openclaw/openclaw-secret-scanning-maintainer
development
VerifiedTrustedCommunity
Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.
357,764SKILL.mdUpdated Apr 15, 2026
openclaw/openclaw-release-maintainer
development
VerifiedTrustedCommunity
Maintainer workflow for OpenClaw releases, prereleases, changelog release notes, and publish validation. Use when Codex needs to prepare or verify stable or beta release steps, align version naming, assemble release notes, check release auth requirements, or validate publish-time commands and artifacts.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/openclaw-qa-testing
development
VerifiedTrustedCommunity
Run, watch, debug, and extend OpenClaw QA testing with qa-lab and qa-channel. Use when Codex needs to execute the repo-backed QA suite, inspect live QA artifacts, debug failing scenarios, add new QA scenarios, or explain the OpenClaw QA workflow. Prefer the live OpenAI lane with regular openai/gpt-5.4 in fast mode; do not use gpt-5.4-pro or gpt-5.4-mini unless the user explicitly overrides that policy.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/openclaw-parallels-smoke
development
VerifiedTrustedCommunity
End-to-end Parallels smoke, upgrade, and rerun workflow for OpenClaw across macOS, Windows, and Linux guests. Use when Codex needs to run, rerun, debug, or interpret VM-based install, onboarding, gateway smoke tests, latest-release-to-main upgrade checks, fresh snapshot retests, or optional Discord roundtrip verification under Parallels.
357,764SKILL.mdUpdated Apr 10, 2026