name: endor-troubleshoot description: > Troubleshoot Endor Labs scan errors and failures. Use when the user says "scan failed", "why did the scan fail", "endor troubleshoot", "fix scan error", "diagnose error", or pastes an error message from a failed scan. Matches errors against known patterns across NPM, Maven, PyPI, Go, Cargo, NuGet, RubyGems, and Packagist. Do NOT use for setup issues (/endor-setup) or general scanning (/endor-scan).

Endor Labs Scan Error Troubleshooter

Input Parsing

Accept input as: pasted error text, scan-and-diagnose request, or natural language description.

If no error text provided, ask:

1. Run a scan on the current repository and diagnose errors?
2. Analyze error text you paste in?

For scan mode, use scan MCP tool: path=repo path, scan_types=["vulnerabilities", "dependencies"], scan_options={ "quick_scan": true }. Parse results for errors and match against knowledge base.

Workflow

Step 1: Detect Ecosystem

No match? Check cross-ecosystem patterns (GitHub Packages, registry/artifactory, sandbox errors).

Step 2: Classify Error Category

Auth Conflict -- persistent auth error loop, "multiple authentication", "conflicting auth", "invalid permissions" or repeated auth failures despite valid credentials. Root cause: both ~/.endorctl/config.yaml AND auth env vars (ENDOR_MCP_SERVER_AUTH_MODE, ENDOR_NAMESPACE, ENDOR_API) in settings.json/mcp.json are present simultaneously.

Private Registry -- package not found, auth failures (401/403), SSH/Git credential errors, connection refused/timeout, missing registry config.

Toolchain -- language/SDK version mismatches, missing SDKs/build tools, lock file format issues, compiler/build config errors.

Other -- invalid manifests, compilation errors, missing build deps, plugin failures.

Step 3: Match Against Known Patterns

Read references/error-knowledge-base.md and match the error text against patterns for the detected ecosystem and category.

Step 4: Present Diagnosis

## Scan Error Diagnosis

### Error Identified

| Field | Value |
|-------|-------|
| Ecosystem | {ecosystem} |
| Category | {Private Registry / Toolchain / Other} |
| Error | {description} |
| Fixable | {Yes / No / Partially} |

### What This Means
{Plain-language explanation}

### Resolution
{Step-by-step remediation from matching rule}

{If Scan Profile fix:} Update [Scan Profile](https://docs.endor.ai/docs/scan-profiles/) with correct toolchain version.
{If Private Registry fix:} Configure [Private Package Registry](https://docs.endor.ai/docs/integrations/private-package-registries), or set credentials in CI.
{If not fixable in cloud:} Move scanning to CI/CD pipeline.

### Next Steps
- `/endor-scan` - Re-run after fix
- `/endor-setup` - Reconfigure if needed

Step 5: Handle Multiple Errors

1. Identify all distinct errors
2. Diagnose each separately
3. Present in priority order: Private Registry > Toolchain > Other
4. Note if fixing one may resolve others

Common Resolution Patterns

Auth Conflict: Check if ~/.endorctl/config.yaml exists AND settings.json/mcp.json contains auth env vars. If both present, user must choose one workflow:

• Local Development: keep config.yaml, remove ENDOR_MCP_SERVER_AUTH_MODE/ENDOR_NAMESPACE/ENDOR_API from settings.json env block
• Multi-Namespace: delete ~/.endorctl/config.yaml (or rm -rf ~/.endorctl), keep env vars in settings.json Then restart MCP connection and retry. See /endor-setup Step 2.2 for full workflow details.

Private Registry: Check if package is private -> configure Private Package Registry or set CI credentials -> verify registry is internet-accessible from cloud.

Toolchain: Identify required version from error -> update Scan Profile -> re-scan.

Cloud Scanning Limitations (move to CI): SSH Git deps, system package installation (python3-dev, PostgreSQL libs), Windows builds, custom env vars, Docker builds.

For data source policy, read references/data-sources.md.

Error Handling