---
name: systematic-debugging
description: "4-phase root cause debugging: understand bugs before fixing."
version: 1.1.0
author: Hermes Agent (adapted from obra/superpowers)
license: MIT
platforms: [linux, macos, windows]
metadata:
  hermes:
    tags: [debugging, troubleshooting, problem-solving, root-cause, investigation]
    related_skills: [test-driven-development, writing-plans, subagent-driven-development]
---

# Systematic Debugging

## Overview

Random fixes waste time and create new bugs. Quick patches mask underlying issues.

**Core principle:** ALWAYS find root cause before attempting fixes. Symptom fixes are failure.

**Violating the letter of this process is violating the spirit of debugging.**

## The Iron Law

```
NO FIXES WITHOUT ROOT CAUSE INVESTIGATION FIRST
```

If you haven't completed Phase 1, you cannot propose fixes.

## When to Use

Use for ANY technical issue:

- Test failures
- Bugs in production
- Unexpected behavior
- Performance problems
- Build failures
- Integration issues

**Use this ESPECIALLY when:**

- Under time pressure (emergencies make guessing tempting)
- "Just one quick fix" seems obvious
- You've already tried multiple fixes
- Previous fix didn't work
- You don't fully understand the issue

**Don't skip when:**

- Issue seems simple (simple bugs have root causes too)
- You're in a hurry (rushing guarantees rework)
- Someone wants it fixed NOW (systematic is faster than thrashing)

## The Four Phases

You MUST complete each phase before proceeding to the next.

---

## Phase 1: Root Cause Investigation

**BEFORE attempting ANY fix:**

### 1. Read Error Messages Carefully

- Don't skip past errors or warnings
- They often contain the exact solution
- Read stack traces completely
- Note line numbers, file paths, error codes

**Action:** Use `read_file` on the relevant source files. Use `search_files` to find the error string in the codebase.

### 2. Reproduce Consistently

- Can you trigger it reliably?
- What are the exact steps?
- Does it happen every time?
- If not reproducible → gather more data, don't guess

**Action:** Use the `terminal` tool to run the failing test or trigger the bug:

```bash
# Run specific failing test
pytest tests/test_module.py::test_name -v

# Run with verbose output
pytest tests/test_module.py -v --tb=long
```

### 3. Check Recent Changes

- What changed that could cause this?
- Git diff, recent commits
- New dependencies, config changes

**Action:**

```bash
# Recent commits
git log --oneline -10

# Uncommitted changes
git diff

# Changes in specific file
git log -p --follow src/problematic_file.py | head -100
```

### 4. Gather Evidence in Multi-Component Systems

**WHEN system has multiple components (API → service → database, CI → build → deploy):**

**BEFORE proposing fixes, add diagnostic instrumentation:**

For EACH component boundary:

- Log what data enters the component
- Log what data exits the component
- Verify environment/config propagation
- Check state at each layer

Run once to gather evidence showing WHERE it breaks.
THEN analyze evidence to identify the failing component.
THEN investigate that specific component.

### 5. Trace Data Flow

**WHEN error is deep in the call stack:**

- Where does the bad value originate?
- What called this function with the bad value?
- Keep tracing upstream until you find the source
- Fix at the source, not at the symptom

**Action:** Use `search_files` to trace references:

```python
# Find where the function is called
search_files("function_name(", path="src/", file_glob="*.py")

# Find where the variable is set
search_files("variable_name\\s*=", path="src/", file_glob="*.py")
```

### Phase 1 Completion Checklist

- [ ] Error messages fully read and understood
- [ ] Issue reproduced consistently
- [ ] Recent changes identified and reviewed
- [ ] Evidence gathered (logs, state, data flow)
- [ ] Problem isolated to specific component/code
- [ ] Root cause hypothesis formed

**STOP:** Do not proceed to Phase 2 until you understand WHY it's happening.

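
One way to apply Phase 1 step 4 (instrumenting component boundaries), as an added example that is not part of the original skill: a decorator records what enters and exits each component, and `first_break` reports the first crossing where an expected field is gone. The three-stage pipeline, its field names, and the `SECRET_KEYS` list are assumptions made for illustration.

```python
import functools

TRACE = []                                      # (component, direction, snapshot) per crossing
SECRET_KEYS = {"password", "token", "api_key"}  # assumed names; values never reach the log

def snapshot(data):
    """Copy a dict for the trace, masking secret values but keeping their keys visible."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in data.items()}

def boundary(component):
    """Decorator: record what enters and what exits a component."""
    def wrap(fn):
        @functools.wraps(fn)
        def inner(data):
            TRACE.append((component, "in", snapshot(data)))
            out = fn(data)
            TRACE.append((component, "out", snapshot(out)))
            return out
        return inner
    return wrap

def first_break(trace, key):
    """Return (component, direction) of the first crossing where `key` is missing or empty."""
    for component, direction, snap in trace:
        if not snap.get(key):
            return component, direction
    return None

# Constructed pipeline (API -> service -> database) with a deliberate propagation bug.
@boundary("api")
def api(request):
    return dict(request)

@boundary("service")
def service(message):
    # Bug under investigation: rebuilds the message and forgets to forward `region`.
    return {"user": message["user"], "token": message["token"]}

@boundary("database")
def database(query):
    # The symptom shows up here (no rows), two layers away from the cause.
    return {**query, "rows": 3 if query.get("region") else 0}

def run_once():
    """Run the pipeline a single time and locate where `region` stops propagating."""
    TRACE.clear()
    database(service(api({"user": "alice", "token": "s3cr3t", "region": "eu-1"})))
    return first_break(TRACE, "region")
```

The empty result surfaces in `database`, but the single instrumented run points at the `service` exit, which is the component to investigate next.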
---

## Phase 2: Pattern Analysis

**Find the pattern before fixing:**

### 1. Find Working Examples

- Locate similar working code in the same codebase
- What works that's similar to what's broken?

**Action:** Use `search_files` to find comparable patterns:

```python
search_files("similar_pattern", path="src/", file_glob="*.py")
```

### 2. Compare Against References

- If implementing a pattern, read the reference implementation COMPLETELY
- Don't skim — read every line
- Understand the pattern fully before applying

### 3. Identify Differences

- What's different between working and broken?
- List every difference, however small
- Don't assume "that can't matter"

### 4. Understand Dependencies

- What other components does this need?
- What settings, config, environment?
- What assumptions does it make?

---

## Phase 3: Hypothesis and Testing

**Scientific method:**

### 1. Form a Single Hypothesis

- State clearly: "I think X is the root cause because Y"
- Write it down
- Be specific, not vague

### 2. Test Minimally

- Make the SMALLEST possible change to test the hypothesis
- One variable at a time
- Don't fix multiple things at once

### 3. Verify Before Continuing

- Did it work? → Phase 4
- Didn't work? → Form NEW hypothesis
- DON'T add more fixes on top

### 4. When You Don't Know

- Say "I don't understand X"
- Don't pretend to know
- Ask the user for help
- Research more

---

## Phase 4: Implementation

**Fix the root cause, not the symptom:**

### 1. Create Failing Test Case

- Simplest possible reproduction
- Automated test if possible
- MUST have before fixing
- Use the `test-driven-development` skill

### 2. Implement Single Fix

- Address the root cause identified
- ONE change at a time
- No "while I'm here" improvements
- No bundled refactoring

### 3. Verify Fix

```bash
# Run the specific regression test
pytest tests/test_module.py::test_regression -v

# Run full suite — no regressions
pytest tests/ -q
```

### 4. If Fix Doesn't Work — The Rule of Three

- **STOP.**
- Count: How many fixes have you tried?
- If < 3: Return to Phase 1, re-analyze with new information
- **If ≥ 3: STOP and question the architecture (step 5 below)**
- DON'T attempt Fix #4 without architectural discussion

### 5. If 3+ Fixes Failed: Question Architecture

**Pattern indicating an architectural problem:**

- Each fix reveals new shared state/coupling in a different place
- Fixes require "massive refactoring" to implement
- Each fix creates new symptoms elsewhere

**STOP and question fundamentals:**

- Is this pattern fundamentally sound?
- Are we "sticking with it through sheer inertia"?
- Should we refactor the architecture vs. continue fixing symptoms?

**Discuss with the user before attempting more fixes.**

This is NOT a failed hypothesis — this is a wrong architecture.

---

## Multi-Module Configuration Pitfall

When a system bootstraps configuration through multiple sequential modules (e.g., firstboot scripts, installers), **check execution order before blaming individual modules**. A later module that uses `cat > file` (overwrite) will silently destroy configuration written by an earlier module.

**Pattern this happened on:** Clawdie ISO firstboot — `shell-system.sh` (step 6) runs after `shell-ssh.sh` (step 4). Both generate `~/.profile` and `~/.bashrc`. Step 6's `cat >` overwrites step 4's work. The fix was to consolidate dotfile generation into the LAST module that runs.

**Investigation checklist:**

1. Identify all modules that touch the same output file.
2. Map their execution order (grep for `run_step_if` or equivalent).
3. Check whether each write is `cat >` (overwrite) or `cat >>` (append).
4. If a later module overwrites, move the content to the later module, or change to append with idempotency guards.

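
The investigation checklist above, automated as an added example (not part of the original skill or of the Clawdie scripts): it walks modules in step order, ignores heredoc bodies, and reports each `>` that truncates a file an earlier module already wrote. The module bodies are constructed; only the file names and step numbers come from the text above.

```python
import re

# `>`/`>>` plus a path. Heuristic: skips fd forms (2>&1, >&2) but not `[[ a > b ]]`.
REDIRECT = re.compile(r'(?<![<>\d])(>>?)(?![>&])\s*["\']?([^\s"\'<>|;&]+)')
HEREDOC = re.compile(r'(?<!<)<<(?!<)-?\s*["\']?(\w+)')

def writes(source):
    """Yield (line_no, op, target) for each file redirection outside heredoc bodies."""
    end_marker = None
    for no, line in enumerate(source.splitlines(), 1):
        if end_marker:                      # heredoc body is file content, not commands
            if line.strip() == end_marker:
                end_marker = None
            continue
        if line.lstrip().startswith('#'):
            continue
        for op, target in REDIRECT.findall(line):
            target = re.sub(r'^\$\{?HOME\}?', '~', target)   # $HOME/x and ~/x are one file
            if target != '/dev/null':
                yield no, op, target
        marker = HEREDOC.search(line)
        if marker:
            end_marker = marker.group(1)

def find_clobbers(modules):
    """modules: (step, name, source) tuples. Returns (target, earlier, later, line_no)."""
    seen, findings = {}, []
    for _step, name, source in sorted(modules):          # execution order
        for no, op, target in writes(source):
            earlier = [m for m in seen.get(target, []) if m != name]
            if op == '>' and earlier:                    # truncates another module's work
                findings.append((target, earlier[-1], name, no))
            seen.setdefault(target, []).append(name)
    return findings

# Constructed module bodies; names and step numbers follow the text above.
SHELL_SSH = """# step 4
cat > ~/.profile <<'EOF'
eval "$(ssh-agent -s)" > /dev/null
EOF
echo 'export SSH_AUTH_SOCK' >> "$HOME/.bashrc"
"""
SHELL_SYSTEM = """# step 6
cat > "$HOME/.profile" <<'EOF'
export EDITOR=vi
EOF
echo 'export PAGER=less' >> ~/.bashrc
"""
MODULES = [(6, "shell-system.sh", SHELL_SYSTEM), (4, "shell-ssh.sh", SHELL_SSH)]
```

Only the `~/.profile` truncation is reported; the `>>` appends to `~/.bashrc` and the `> /dev/null` inside the heredoc body are not.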
## Red Flags — STOP and Follow Process

If you catch yourself thinking:

- "Quick fix for now, investigate later"
- "Just try changing X and see if it works"
- "Add multiple changes, run tests"
- "Skip the test, I'll manually verify"
- "It's probably X, let me fix that"
- "I don't fully understand but this might work"
- "Pattern says X but I'll adapt it differently"
- "Here are the main problems: [lists fixes without investigation]"
- Proposing solutions before tracing data flow
- **"One more fix attempt" (when already tried 2+)**
- **Each fix reveals a new problem in a different place**

**ALL of these mean: STOP. Return to Phase 1.**

**If 3+ fixes failed:** Question the architecture (Phase 4 step 5).

## Common Rationalizations

| Excuse | Reality |
|--------|---------|
| "Issue is simple, don't need process" | Simple issues have root causes too. Process is fast for simple bugs. |
| "Emergency, no time for process" | Systematic debugging is FASTER than guess-and-check thrashing. |
| "Just try this first, then investigate" | First fix sets the pattern. Do it right from the start. |
| "I'll write test after confirming fix works" | Untested fixes don't stick. Test first proves it. |
| "Multiple fixes at once saves time" | Can't isolate what worked. Causes new bugs. |
| "Reference too long, I'll adapt the pattern" | Partial understanding guarantees bugs. Read it completely. |
| "I see the problem, let me fix it" | Seeing symptoms ≠ understanding root cause. |
| "One more fix attempt" (after 2+ failures) | 3+ failures = architectural problem. Question the pattern, don't fix again. |

## Quick Reference

| Phase | Key Activities | Success Criteria |
|-------|---------------|------------------|
| **1. Root Cause** | Read errors, reproduce, check changes, gather evidence, trace data flow | Understand WHAT and WHY |
| **2. Pattern** | Find working examples, compare, identify differences | Know what's different |
| **3. Hypothesis** | Form theory, test minimally, one variable at a time | Confirmed or new hypothesis |
| **4. Implementation** | Create regression test, fix root cause, verify | Bug resolved, all tests pass |

## Hermes Agent Integration

### Investigation Tools

Use these Hermes tools during Phase 1:

- **`search_files`** — Find error strings, trace function calls, locate patterns
- **`read_file`** — Read source code with line numbers for precise analysis
- **`terminal`** — Run tests, check git history, reproduce bugs
- **`web_search`/`web_extract`** — Research error messages, library docs

### Network / SSH / tmux lag investigations

For reports like “remote tmux feels laggy,” separate noisy log symptoms from the actual interactive path. Keep diagnostics tidy: prefer single bounded logs under `~/.local/state/hermes/net-tests/` and generated dashboards under `~/.local/share/hermes/net-dashboard/`; avoid writing multiple files to the user's Desktop unless explicitly requested. Detailed patterns and examples live in `references/network-live-diagnostics.md`; projector/dashboard-specific guidance lives in `references/wifi-projector-dashboard-diagnostics.md`. Reusable helpers include `scripts/live_download_monitor.py` for bounded JSONL monitoring and `scripts/periodic-pcap-sampler.sh` for low-disk, periodic short pcaps.

1. Classify kernel/firewall messages before blaming them. `UFW BLOCK ... SRC=<router-ip> SPT=53 ACK RST` is usually a blocked DNS TCP reset from the router; LAN discovery noise often appears as UDP 1900/5353/5355/3702 or TCP probes from another local device. Treat these as evidence to classify, not proof of the lag cause.
2. Inspect the live SSH sockets:
   ```bash
   ss -nti '( sport = :22 or dport = :22 )'
   ```
   Useful fields: `rtt:<avg>/<var>`, `bytes_retrans`, `retrans:<cur>/<total>`, `cwnd`, `rcv_ooopack`, and `reord_seen`. High RTT variance, retransmits, or very low `cwnd` are strong evidence for packet loss/reordering/congestion on the actual SSH stream.
3. Compare layers with short ping samples:
   ```bash
   ping -c 50 -i 0.1 <router-ip>
   ping -c 50 -i 0.1 1.1.1.1
   ping -c 50 -i 0.1 <remote-host>
   ```
   Router clean + internet jitter points upstream/ISP/Wi-Fi interference rather than local host load.
4. Check Wi-Fi quality and band:
   ```bash
   nmcli -f ACTIVE,SSID,BSSID,CHAN,RATE,SIGNAL,BARS,SECURITY dev wifi
   iw dev <iface> link
   ip -s link show
   ```
   2.4 GHz, weak signal, or jitter can make SSH/tmux feel sticky even with no packet loss to the router.
5. If Tailscale is involved, compare direct/public SSH vs Tailscale and inspect path state:
   ```bash
   tailscale status
   tailscale netcheck
   ```
   Prefer the path with lower RTT variance and fewer retransmits; Tailscale direct is often better than public SSH, but verify with `ss -nti` and ping rather than assuming.
6. Only propose changes after evidence: e.g. switch to 5 GHz/Ethernet, prefer Tailscale hostnames in `~/.ssh/config`, or investigate router/ISP jitter.
7. Avoid creating many ad-hoc report files on the user's Desktop. For this user's recurring network diagnostics, write a single timestamped logfile under `~/.local/state/hermes/net-tests/` unless they explicitly ask for Desktop files. See `references/network-ssh-wifi-diagnostics.md` for a reusable single-log skeleton and pitfalls.
8. When comparing home Wi-Fi with a phone hotspot, derive the gateway dynamically (`ip route show default`) instead of hardcoding `192.168.1.1`. Otherwise the hotspot test can falsely report gateway failure.
9. After a network switch, distinguish stale public SSH sessions from surviving Tailscale sessions. Inspect `ss -nti` for old local addresses, FIN-WAIT states, Send-Q/notsent, retrans/backoff, and PMTU anomalies. Public DNS SSH can die across the switch while `*.ts.net`/MagicDNS SSH remains healthy.
10. When a large download is active, avoid unbounded packet capture. First run a bounded low-volume monitor (disk, `ss -tinp`, short pings, Wi-Fi state) with runtime/log-size/free-space limits. If local gateway ping remains clean while internet/Tailscale ping jumps to hundreds or thousands of ms, suspect saturation/bufferbloat rather than Wi-Fi driver failure.
11. Wireshark/tshark can be added as a second layer, but only with short filtered captures and summarized output. Keep raw pcaps under `~/.local/state/hermes/net-tests/` and avoid dumping large packet logs into chat or Desktop.
12. For projector/streaming/interference sessions, preserve real-world event markers (projector on, Ubuntu installer phase, Bluetooth off, download phase) in the active run directory and visualize them as spikes/filters for non-technical viewers. See `references/wifi-projector-dashboard-diagnostics.md`; use `scripts/periodic-pcap-sampler.sh` when the user wants wire-level evidence over time without continuous large pcaps.
13. For user-facing network history, prefer a non-technical "story dashboard" over raw numbered tables: charts with visible spikes, line toggles, plain-language event cards, and technical details hidden behind disclosure widgets. For before/after interference tests (e.g. projector/Epson on), collect comparable bounded monitor windows and mark the event moment so a non-technical viewer can see whether spikes start or stop with the event. See `references/network-live-diagnostics.md` and `scripts/network_story_dashboard.py`.
14. When embedding parsed log data into a static HTML dashboard, do not HTML-escape JSON inside `