insforge-debug
insforge/agent-skills
Diagnose InsForge project failures and performance issues using logs, metrics, DB health, and AI-assisted triage.
What is insforge-debug?
insforge-debug provides observability primitives and symptom recipes to diagnose reactive failures (SDK errors, HTTP 4xx/5xx, timeouts, auth issues, RLS denials) and proactive audits (security, performance, system health). Use it when you have an error or need to audit your InsForge backend before launch.
- Query logs across 5 backend sources (InsForge, PostgREST, Postgres, edge functions, deploy logs)
- Check DB health via 7 named checks (connections, slow queries, bloat, size, index usage, locks, cache hit ratio)
- Run static advisor scans for security, performance, and health issues
- Review active RLS policies and auth configuration
- Inspect deployment state and edge function deploy logs
- Use AI-assisted triage to diagnose issues from error descriptions
How to install insforge-debug
npx skills add https://github.com/insforge/agent-skills --skill insforge-debug- InsForge project with backend deployed
- npx @insforge/cli available (never install globally)
How to use insforge-debug
- 1.Run `npx @insforge/cli diagnose --ai "<issue description>"` for AI-assisted triage when you have a concrete error or symptom
- 2.Use the symptom recipes in the skill to identify which debug primitives to query (logs, metrics, db-health, advisor, policies, metadata, error-objects, deploy-state)
- 3.Query the appropriate primitive using `npx @insforge/cli <command>` (e.g., `logs <source>`, `diagnose db`, `diagnose advisor --json`)
- 4.Cross-reference findings against the per-primitive reference docs to interpret results and identify root cause
- 5.For RLS issues, use `db query` to test visibility as service role and distinguish between filtered rows and missing data
- 6.Verify AI-assisted suggestions against the primitives it cites before acting on recommendations
Use cases
- Diagnose SDK errors with null data and error codes by routing through logs and DB health checks
- Investigate HTTP 4xx/5xx responses on specific endpoints using error-to-log-source routing
- Debug RLS access issues (403 on writes, empty results on reads) by reviewing policies and metadata
- Troubleshoot login failures and OAuth callback errors via auth logs and provider configuration
- Identify slow queries or system-wide performance degradation using logs, metrics, and DB health
- Backend engineers diagnosing InsForge project failures
- DevOps/SRE teams auditing system health and performance
- Full-stack developers debugging authentication and RLS issues
- Teams preparing for production launch and security reviews
insforge-debug FAQ
Use `diagnose --ai` first when you have a concrete error message, failing URL, or HTTP status. It returns suggestions with primitive citations. For proactive audits or when you already know the symptom category, go directly to the relevant primitive recipe.
Writes fail loudly with HTTP 403. Reads fail silently — PostgREST filters denied rows out instead of returning an error, so the request looks successful with zero rows. Both use the same diagnosis path (logs, policies, metadata) except the 403 variant has a logged policy violation event.
Use `npx @insforge/cli db query "SELECT ..."` to query as service role (unrestricted). If rows exist in service-role query but not in the user query, RLS filtered them. If both return empty, the data doesn't exist.
Use the error-objects reference to map HTTP status to log source. Each status has a distinct path (e.g., 429 is rate-limit, 403 is auth/RLS, 5xx is backend). The reference includes a routing table.
No. Always use `npx @insforge/cli` — never install globally. This ensures you use the correct version for your project.
Full instructions (SKILL.md)
Source of truth, from insforge/agent-skills.
name: insforge-debug description: >- Use when diagnosing problems in an InsForge project — reactive failures (SDK error object, HTTP 4xx/5xx, gateway timeout 502/503/504, edge function failure or timeout, login/OAuth/auth errors, RLS denial, realtime channel issues, slow query on one endpoint, edge function or Vercel deploy failure), proactive audits (security/RLS review, performance/index review, system health check, pre-launch readiness), or when the user has an error but doesn't know where to start. license: Apache-2.0 metadata: author: insforge version: "2.0.0" organization: InsForge date: May 2026
InsForge Debug
Diagnose problems in InsForge projects by combining the backend's observability primitives — logs, metrics, db-health, advisor, policies, metadata, error objects, deploy state, and AI assist. This skill provides:
- A reference per debug primitive (one observability surface each — under
references/) - Symptom Recipes (below) that name the primitive sequence for known reactive symptoms and proactive audits
Always use npx @insforge/cli — never install the CLI globally.
Fastest Path: AI-Assisted Triage
When the user gives a concrete description (error message, failing URL, HTTP status), hand it to the InsForge debug agent. Unlike the other primitives, this one returns suggestions, not just observations — verify the diagnosis against the primitives it cites before acting on it.
npx @insforge/cli diagnose --ai "<issue description>"
See references/ai-assisted.md for when to use this first vs when to skip, and how to verify the output.
Debug Primitives
Each primitive is one independently-queryable observability surface backed by a distinct underlying data source. Real diagnoses are compositions of primitives.
All commands run via npx @insforge/cli .... The (command) shown next to each primitive is the actual CLI command — primitive names are concept labels, not CLI subcommand names (e.g., "DB health" is diagnose db, not diagnose db-health; "Policies" is db policies, not diagnose policies).
| Primitive (command) | What you see | Reference |
|---|---|---|
Logs (logs <source>; diagnose logs for cross-source aggregate) | Time-stream of events from 5 backend sources (insforge.logs / postgREST.logs / postgres.logs / function.logs / function-deploy.logs) | references/logs.md |
Metrics (diagnose metrics) | EC2 instance time-series (CPU / memory / disk / network) over 1h / 6h / 24h / 7d | references/metrics.md |
DB health (diagnose db) | Current Postgres state via 7 named checks (connections / slow-queries / bloat / size / index-usage / locks / cache-hit) | references/db-health.md |
Advisor (diagnose advisor --json) | Static-scan issues across 3 categories (security / performance / health) with ruleId / affectedObject / recommendation | references/advisor.md |
Policies (db policies) | Active RLS rules from pg_policies (USING / WITH CHECK per cmd per role) — returns all policies as a dump | references/policies.md |
Metadata (metadata --json) | Declarative backend state dump (auth config / tables / buckets / functions / AI models / realtime channels) | references/metadata.md |
| Error objects (no command — read SDK / HTTP response) | SDK error envelope + HTTP status — the routing table from a client-visible error to the right log source | references/error-objects.md |
Deploy state (deployments list + deployments status <id> --json + logs function-deploy.logs) | Frontend (Vercel) deployment history + per-deploy metadata, plus edge function deploy logs | references/deploy-state.md |
AI assist (diagnose --ai "<description>") | LLM agent that combines the other primitives — returns a diagnosis with suggestions | references/ai-assisted.md |
Symptom Recipes
Each recipe is a primitive call sequence with one-line "look for X" at each step. Command syntax, flags, and deep interpretation are in the per-primitive references above.
Recipe: SDK returned { data: null, error: { code, message } }
- error-objects — read code/message/details. If code starts with
PGRST*, route by prefix using the table in the reference. - logs (matching source per error-objects routing) — find the error timestamp, get the full backend-side context.
- db-health (
connections,locks,slow-queries) — only if the error suggests DB issue (PostgREST timeout, lock conflict).
Recipe: HTTP 4xx/5xx response on a specific request
- error-objects — use the HTTP status routing table to pick the log source (each status has a distinct path; 429 is special).
- logs (right source for that status) — find the failing request line and error.
- metrics — only for 5xx patterns spanning multiple endpoints, to confirm system-wide load issue.
Recipe: RLS access issue (403 on write, or empty result on read)
Same bug, two surfacings. Writes (INSERT / UPDATE / DELETE) fail loudly with 403. Reads (SELECT) fail silently with an empty array — PostgREST filters denied rows out instead of returning 403, so the request looks successful with zero rows. Diagnosis path is the same except step 1 only applies to the 403 variant.
- logs (
postgREST.logs) — 403 variant only: find the policy violation event with table and role context. Empty-result variant: skip — no error is logged for silently-filtered rows. - policies — list policies for that table; walk USING / WITH CHECK against the actual request and the JWT claim used.
- metadata — verify auth config (which claim feeds
auth.uid()/requesting_user_id(); for third-party auth like Clerk/Auth0, is the provider registered as a JWT issuer?). - db query (
db query "<sql>") — empty-result variant only: confirm rows that should be visible actually exist by querying as service role (not as the user):npx @insforge/cli db query "SELECT id, user_id FROM <table>". Distinguishes "RLS filtered everything" from "no matching data exists".
Recipe: Login fails / OAuth callback errors / token expired
- logs (
insforge.logs) — find auth errors with timestamp and provider context. - metadata — verify the provider is enabled, redirect URLs match the callback URL exactly (protocol + host + path).
Recipe: Edge function runtime error / timeout
- logs (
function.logs) — get the error stack and execution context. - metadata — confirm the function exists and
status: "active". - (If needed)
npx @insforge/cli functions code <slug>— inspect the source for obvious issues.
Recipe: functions deploy failed
- deploy-state (
function-deploy.logs) — find the build/push error. - metadata — confirm whether the function ended up in the active list (partial-deploy detection).
Recipe: deployments deploy failed (Vercel)
- deploy-state (
deployments list+status <id> --json) — readstatus,metadata.webhookEventType, andenvVarKeys. - Local
npm run build— reproduce the same error locally for faster iteration.
Recipe: Single slow query / one endpoint slow
- logs (
postgres.logs) — find the query text and timestamp. - db-health (
slow-queries,index-usage) — confirm it's inpg_stat_statements; check for missing index. - policies — if it's an RLS-gated table, verify the policy isn't adding hidden joins.
Recipe: All responses slow / high CPU/memory (active incident)
- metrics (
--range 1h) — confirm system-wide pressure (CPU / memory / disk). - db-health — DB is the most common bottleneck; check
connections,locks,slow-queries. - logs (
diagnose logsaggregate) — error patterns across sources at the spike timestamp. - advisor (
--severity critical) — pre-existing known issues that may explain the degradation.
Recipe: Realtime channel won't connect / messages missing
- logs (
insforge.logs) — WebSocket errors and subscription failures. - metadata — verify the channel pattern matches what the client subscribes to,
enabled: true. - policies — RLS on the underlying table (realtime delivers row changes; RLS gates which rows the subscriber sees).
Recipe: 429 rate limit
- error-objects — confirm 429 status. No logs are recorded for 429s; no
Retry-Afterheader is returned. Don't waste time grepping logs. - metrics (
--range 1h) — overall backend load context. - Fix is always client-side: debounce, batch, exponential backoff, eliminate retry loops.
Recipe: Gateway timeout (502 / 503 / 504) on a specific URL
Route by URL subsystem before drilling:
| URL pattern | Drill into |
|---|---|
/api/database/records/... | logs (postgREST.logs → postgres.logs) + db-health (locks, slow-queries) |
/functions/<slug> | logs (function.logs) — function may be crash-looping |
/api/auth/... | logs (insforge.logs) |
| Any path during system-wide spike | metrics (--range 1h) |
Recipe: Pre-launch / proactive audit
Requires Platform login (
npx @insforge/cli login). Not available when the project is linked via--api-key— fall back todb-health+policies+metadatafor a manual audit in that case.
- advisor — full scan, then
--severity criticalfirst, then warnings. - advisor (
--category security) — focus on security issues; cross-verify with policies (RLS coverage) and metadata (auth config, public buckets, secret presence). - advisor (
--category performance) — cross-verify with db-health (slow-queries,index-usage,bloat). - advisor (
--category health) — cross-verify with metrics (resource trends over7d). - After fixes, re-run advisor and confirm
isResolved: truefor each addressedruleId.
Recipe: Don't know where to start
- ai-assisted (
diagnose --ai "<error or URL>") — get a starting hypothesis. - Verify by re-checking the primitives the diagnosis names. Trust the primitive observations over the suggestion.
Related skills
More from insforge/agent-skills and the wider catalog.
insforge
SDK integration for InsForge app features: database, auth, storage, functions, AI, realtime, email, and payments.
insforge-cli
Manage InsForge backend infrastructure, databases, deployments, and cloud services via CLI.
insforge-integrations
Wire external auth providers (Clerk, Auth0, WorkOS, Kinde, Stytch, Better Auth) or OKX x402 payment into InsForge.