overthinkos/debug-tools-layer
versa/skills/debug-tools-layer/SKILL.md
Debug toolkit for inspecting deployed services from inside the container — network probes (ip/ss/lsof/ping/dig/nc/socat/tcpdump/traceroute/mtr/wget), process inspection (ps/top/htop/pgrep/free/vmstat/strace/ltrace), file inspection (file/tree/xxd/vim/nano), system stats (iotop/iftop/sysstat), session helpers (tmux/rsync/yq). Distro-agnostic. Use when working with the debug-tools layer, the per-distro package-name divergence (nmap-ncat vs ncat vs gnu-netcat), or the 16 build-scope eval probes that lock in headline binary presence.
tools
Updated Jun 12, 2026
$ install --global
skillsauthnpx skillsauth add overthinkos/overthink-plugins debug-tools-layerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 12, 2026, 6:54 AM108.2s1 file scanned
SKILL.md
- name:
- debug-tools-layer
- description:
- |
debug-tools — distro-agnostic debug toolkit
Single-purpose layer that installs ~50 standard debugging utilities
across 5 categories: network, process, file, system stats, session
helpers. Composed by /charly-versa:versa so operators can debug
the deployed services (marimo, airflow, martin, maputnik, etc.) from
INSIDE the running container.
Without this layer, charly cmd versa "ps" returns
"command not found" — minimal Fedora images don't ship procps-ng,
iproute, bind-utils, etc. by default.
Layer properties
| Property | Value | |----------|-------| | Dependencies | none | | Distros | fedora, arch, debian, ubuntu (per-distro package lists) | | Ports | none | | Services | none | | Volumes | none | | Eval probes | 16 build-scope (one per headline binary) |
Tool catalog
Network
ip, ss, netstat, lsof, ping, dig, nslookup, nc,
socat, tcpdump, traceroute, mtr, wget
Cover the full DNS / TCP / packet-capture / ICMP / port-relay surface.
curl already comes from elsewhere (jq layer dep), so wget
complements it.
Process
ps, top, htop, pgrep, pkill, kill, killall, pidof,
free, vmstat, watch, slabtop, strace, ltrace, iotop,
iftop
Process inspection (procps-ng) + system tracing (strace/ltrace) + I/O & network tops (iotop/iftop).
File / text
file, tree, vim, nano, xxd
xxd ships with vim-common (auto-installed alongside vim-enhanced).
System stats
sysstat package provides iostat, mpstat, pidstat, sar,
sadf — historical metrics + per-task accounting.
Session helpers
tmux, rsync, yq
Multi-pane shell sessions, file sync, YAML manipulation.
Per-distro package divergence
Tool names aren't portable — each distro is enumerated separately to avoid silent "installed nothing" on the wrong distro:
| Tool | fedora | arch | debian | ubuntu |
|---|---|---|---|---|
| Process basics (ps, top, free, kill, pgrep, vmstat) | procps-ng | procps-ng | procps | procps |
| ip + ss + tc | iproute | iproute2 | iproute2 | iproute2 |
| netstat + ifconfig | net-tools | net-tools | net-tools | net-tools |
| dig + nslookup + host | bind-utils | bind-tools | dnsutils | dnsutils |
| ping | iputils | iputils | iputils-ping | iputils-ping |
| nc | nmap-ncat | gnu-netcat | ncat | ncat |
| traceroute | traceroute | traceroute | traceroute | traceroute |
| mtr | mtr | mtr | mtr-tiny | mtr-tiny |
| vim | vim-enhanced | vim | vim | vim |
| yq | yq (Fedora py) | go-yq (mikefarah Go) | (omitted — snap-only) | (omitted) |
Single common name (socat, tcpdump, lsof, file, tree,
nano, htop, strace, ltrace, iotop, iftop, sysstat,
tmux, rsync, wget) covers all four distros.
Eval coverage (16 probes — locks in headline binaries)
Spot-checks one binary per category. If a future package rename breaks one, the build fails loudly at image build time:
ps-binary,ss-binary,lsof-binary,ping-binary,dig-binary,nc-binary,tcpdump-binary— network/process headlineshtop-binary,strace-binary— interactive/tracingvim-binary,nano-binary,tree-binary,file-binary— file/texttmux-binary,wget-binary,rsync-binary— session/transfer
ping-binary and nc-binary are checked via command -v rather
than file path because the binary's location varies across distros
(Fedora: /usr/bin/ping; Debian: /usr/bin/ping but historically
/bin/ping).
Use case: debugging versa services
| Scenario | Tools |
|---|---|
| "Is martin actually listening on 3000?" | ss -tlnp \| grep 3000, lsof -i :3000 |
| "What's the airflow scheduler doing?" | ps auxf \| grep airflow, htop, strace -p <pid> |
| "Is the marimo MCP responding?" | curl http://localhost:2718/mcp/server, nc -zv localhost 2718 |
| "Why is the GTFS download slow?" | iftop -i eth0, traceroute api.transitous.org |
| "Is the workspace volume filling up?" | du -sh /workspace/*, iotop |
| "What's eating CPU?" | htop, pidstat -u 1 |
Cross-references
/charly-versa:versa— image composing this layer/charly-versa:airflow-layer— services this toolkit debugs/charly-versa:osm-tools-layer— martin server this toolkit debugs/charly-versa:versa-layer— marimo runtime this toolkit debugs/charly-coder:dev-tools— overlapping but heavier (includes qemu, AWS CLI, etc.); not composed by versa
Related Skills
overthinkos/charly
tools
VerifiedTrustedCommunity
OpenCharly CLI (charly) binary installed into container/VM images for in-container use. Use when working with charly binary deployment inside containers, native D-Bus support, or the full charly toolchain (charly binary + virtualization + gocryptfs + socat).
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-cachyos
development
VerifiedTrustedCommunity
Operator CachyOS workstation profile — a kind:local template + target:local deploy that installs the full dev stack (30 candies) onto a CachyOS host via ShellExecutor. Lives in the overthinkos/cachyos submodule. MUST be invoked before editing or applying the charly-cachyos workstation profile.
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-fedora
tools
VerifiedTrustedCommunity
Fedora box with the full charly toolchain using shared candies. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Same candy list as charly-arch. Includes NVIDIA GPU runtime. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-fedora box.
SKILL.mdUpdated Jun 10, 2026
overthinkos/charly-arch
tools
VerifiedTrustedCommunity
Arch Linux box with the full charly toolchain. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Composes /charly-coder:charly-mcp so the box is reachable as an MCP gateway on port 18765. NVIDIA GPU runtime composed in. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-arch box.
SKILL.mdUpdated Jun 10, 2026