Add debug logging to five pkg/ files (#30266)

Author: github-actions[bot]

pkg/fileutil/fileutil.go

@@ -37,6 +37,7 @@ var log = logger.New("fileutil:fileutil")
 func ValidateAbsolutePath(path string) (string, error) {
 	// Check for empty path
 	if path == "" {
+		log.Print("ValidateAbsolutePath: rejected empty path")
 		return "", errors.New("path cannot be empty")
 	}
 
@@ -45,9 +46,11 @@ func ValidateAbsolutePath(path string) (string, error) {
 
 	// Verify the path is absolute to prevent relative path traversal
 	if !filepath.IsAbs(cleanPath) {
+		log.Printf("ValidateAbsolutePath: rejected relative path: %s", path)
 		return "", fmt.Errorf("path must be absolute, got: %s", path)
 	}
 
+	log.Printf("ValidateAbsolutePath: validated path: %s", cleanPath)
 	return cleanPath, nil
 }
 
@@ -60,6 +63,7 @@ func ValidateAbsolutePath(path string) (string, error) {
 //   - Either path cannot be resolved to an absolute form.
 //   - The resolved candidate path starts outside the resolved base directory.
 func MustBeWithin(base, candidate string) error {
+	log.Printf("MustBeWithin: checking candidate=%q within base=%q", candidate, base)
 	// EvalSymlinks resolves both symlinks and ".." components.
 	// Fall back to Abs when a path does not exist on disk yet.
 	absBase, err := filepath.EvalSymlinks(base)
@@ -78,8 +82,10 @@ func MustBeWithin(base, candidate string) error {
 	}
 	rel, err := filepath.Rel(absBase, absCand)
 	if err != nil || !filepath.IsLocal(rel) {
+		log.Printf("MustBeWithin: path escape detected: candidate=%q base=%q", candidate, base)
 		return fmt.Errorf("path %q escapes base directory %q", candidate, base)
 	}
+	log.Printf("MustBeWithin: path is safe: candidate=%q (rel=%s) within base=%q", candidate, rel, base)
 	return nil
 }
 

pkg/workflow/compiler_repo_config.go

@@ -1,12 +1,23 @@
 package workflow
 
+import "github.com/github/gh-aw/pkg/logger"
+
+var repoConfigLog = logger.New("workflow:compiler_repo_config")
+
 // loadRepoConfig loads and caches repository-level configuration from aw.json.
 func (c *Compiler) loadRepoConfig() (*RepoConfig, error) {
 	if c.repoConfigLoaded {
+		repoConfigLog.Print("loadRepoConfig: returning cached repo config")
 		return c.repoConfig, c.repoConfigErr
 	}
 
+	repoConfigLog.Printf("loadRepoConfig: loading repo config from git root: %s", c.gitRoot)
 	c.repoConfig, c.repoConfigErr = LoadRepoConfig(c.gitRoot)
 	c.repoConfigLoaded = true
+	if c.repoConfigErr != nil {
+		repoConfigLog.Printf("loadRepoConfig: failed to load repo config: %v", c.repoConfigErr)
+	} else {
+		repoConfigLog.Print("loadRepoConfig: repo config loaded successfully")
+	}
 	return c.repoConfig, c.repoConfigErr
 }

pkg/workflow/compiler_yaml_audit_step.go

@@ -2,8 +2,12 @@ package workflow
 
 import (
 	"strings"
+
+	"github.com/github/gh-aw/pkg/logger"
 )
 
+var auditStepLog = logger.New("workflow:compiler_yaml_audit_step")
+
 // generatePreAgentAuditStep emits a step that lists files in agent-related directories
 // for all known agentic engines (Copilot, Claude, Codex, Gemini, Crush, OpenCode, Pi)
 // under the workspace and the agent user's home folder.
@@ -18,6 +22,7 @@ import (
 // continue-on-error so a missing directory or permission error does not block agent
 // execution.
 func (c *Compiler) generatePreAgentAuditStep(yaml *strings.Builder) {
+	auditStepLog.Print("Generating pre-agent workspace audit step")
 	yaml.WriteString("      - name: Audit pre-agent workspace\n")
 	yaml.WriteString("        id: pre_agent_audit\n")
 	yaml.WriteString("        continue-on-error: true\n")

pkg/workflow/map_helpers.go

@@ -36,10 +36,17 @@ package workflow
 import (
 	"maps"
 	"slices"
+
+	"github.com/github/gh-aw/pkg/logger"
 )
 
+var mapHelpersLog = logger.New("workflow:map_helpers")
+
 // excludeMapKeys creates a new map excluding the specified keys
 func excludeMapKeys(original map[string]any, excludeKeys ...string) map[string]any {
+	if mapHelpersLog.Enabled() {
+		mapHelpersLog.Printf("excludeMapKeys: input=%d keys, excluding=%v", len(original), excludeKeys)
+	}
 	excludeSet := make(map[string]bool)
 	for _, key := range excludeKeys {
 		excludeSet[key] = true
@@ -51,6 +58,9 @@ func excludeMapKeys(original map[string]any, excludeKeys ...string) map[string]a
 			result[key] = value
 		}
 	}
+	if mapHelpersLog.Enabled() {
+		mapHelpersLog.Printf("excludeMapKeys: output=%d keys", len(result))
+	}
 	return result
 }
 

pkg/workflow/sub_agent_step.go

@@ -4,9 +4,12 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/github/gh-aw/pkg/logger"
 	"github.com/github/gh-aw/pkg/parser"
 )
 
+var subAgentStepLog = logger.New("workflow:sub_agent_step")
+
 // generateRestoreInlineSubAgentsStep emits a step that copies inline sub-agent files
 // from the activation artifact into the workspace after the base-branch restore.
 //
@@ -24,6 +27,7 @@ func generateRestoreInlineSubAgentsStep(yaml *strings.Builder, data *WorkflowDat
 	}
 	subAgentDir := parser.GetEngineSubAgentDir(engineID)
 	subAgentExt := parser.GetEngineSubAgentExt(engineID)
+	subAgentStepLog.Printf("Generating restore inline sub-agents step: engine=%s, dir=%s, ext=%s", engineID, subAgentDir, subAgentExt)
 
 	yaml.WriteString("      - name: Restore inline sub-agents from activation artifact\n")
 	yaml.WriteString("        env:\n")