t295: Issue-sync label passthrough — replace hardcoded allowlist

[marcusquinn]

Summary

• Replaces the hardcoded 20-tag allowlist in map_tags_to_labels() with a passthrough approach
• All #tags from TODO.md now become GitHub issue labels automatically
• Small alias map normalises synonyms (bugfix→bug, feat→enhancement, docs→documentation, etc.)
• auto-dispatch meta-tag is skipped (not useful as a label)
• New ensure_labels_exist() creates missing labels on-the-fly via gh label create --force
• cmd_enrich() now syncs labels alongside body updates, so existing issues get their missing labels

Problem

Tags like #supervisor, #self-improvement, #shell, #ci, #memory, #release, #reliability, #issue-sync, and many others were silently dropped because they weren't in the hardcoded allowlist. Only ~20 of dozens of tags were synced.

Testing

• Bash syntax check: pass
• ShellCheck (warning level): zero violations
• Functional tests of map_tags_to_labels():
  • Aliases work (bugfix→bug, feat→enhancement, hardening→quality, sync→git, docs→documentation)
  • New tags pass through (supervisor, self-improvement, shell, ci, memory, release)
  • auto-dispatch correctly skipped
  • # prefix stripped
  • Empty input returns empty

Ref #1153

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 19 minutes and 10 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bugfix/t295-label-passthrough

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the issue synchronization script by transitioning from a restrictive hardcoded label allowlist to a flexible passthrough system. The changes ensure that all relevant tags from TODO.md are automatically converted into GitHub issue labels, with support for aliasing common synonyms and on-the-fly creation of missing labels. This improves the accuracy and completeness of issue labeling, making issue tracking more robust and reducing manual label management.

Highlights

• Label Passthrough: Replaced the hardcoded allowlist for map_tags_to_labels() with a passthrough approach, allowing all #tags from TODO.md to become GitHub issue labels automatically.
• Alias Mapping: Implemented a small alias map to normalize common synonyms (e.g., bugfix to bug, feat to enhancement, docs to documentation) to canonical GitHub label names.
• Meta-tag Skipping: Ensured that the auto-dispatch meta-tag is skipped, as it is not useful as a label.
• On-the-fly Label Creation: Introduced a new ensure_labels_exist() function that creates missing labels on-the-fly using gh label create --force.
• Label Syncing in cmd_enrich(): Modified cmd_enrich() to sync labels alongside body updates, ensuring that existing issues receive their missing labels.

Changelog

• .agents/scripts/issue-sync-helper.sh
  • Modified map_tags_to_labels to implement a passthrough mechanism for tags, including stripping whitespace, skipping the auto-dispatch meta-tag, and applying an alias map for common synonyms.
  • Introduced a new function ensure_labels_exist to programmatically create GitHub labels if they do not already exist, using gh label create --force.
  • Integrated ensure_labels_exist into cmd_push to ensure all derived labels exist when creating new issues.
  • Updated cmd_enrich to parse tags, map them to labels, ensure their existence, and then apply them to existing issues during the enrichment process.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 47 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Wed Feb 11 20:02:26 UTC 2026: Code review monitoring started
Wed Feb 11 20:02:27 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 47

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 47
• VULNERABILITIES: 0

Generated on: Wed Feb 11 20:02:29 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[gemini-code-assist]

Code Review

This pull request significantly improves label management by replacing a hardcoded allowlist with a dynamic passthrough system for syncing TODO.md tags to GitHub issues. However, it introduces security risks due to improper gh CLI invocation, specifically argument injection and unauthorized label modification via the --force flag. Additionally, the use of 2>/dev/null suppresses critical error messages, hindering debuggability and violating style guidelines. Addressing these concerns will enhance both security and maintainability.

[gemini-code-assist]

The ensure_labels_exist function is vulnerable to argument injection and unauthorized label metadata modification. The $label variable, derived from user-controlled tags, is passed without a -- separator, allowing attackers to inject flags. The unquoted $labels variable in the loop also allows shell globbing. Furthermore, the --force flag enables unauthorized modification of existing labels. Additionally, the use of 2>/dev/null to suppress stderr violates the repository's style guide, hiding potentially useful error messages from gh and hindering debugging.

Suggested change

	for label in $labels; do
	[[ -z "$label" ]] && continue
	# --force is idempotent: updates if exists, creates if not
	gh label create "$label" --repo "$repo_slug" --color "EDEDED" \
	--description "Auto-created from TODO.md tag" --force 2>/dev/null || true
	for label in "$labels"; do
	[[ -z "$label" ]] && continue
	gh label create -- "$label" --repo "$repo_slug" --color "EDEDED" \
	--description "Auto-created from TODO.md tag" 2>/dev/null || true
	done

[gemini-code-assist]

Similar to the ensure_labels_exist function, this use of 2>/dev/null violates the repository's style guide (Line 50). Suppressing stderr from gh issue edit can hide important errors, like problems with permissions or invalid labels, making troubleshooting harder. The || true guard is sufficient to prevent script termination on error.

Suggested change

	gh issue edit "$issue_number" --repo "$repo_slug" "${label_args[@]}" 2>/dev/null || true
	gh issue edit "$issue_number" --repo "$repo_slug" "${label_args[@]}" || true

References

1. Line 50: 2>/dev/null is acceptable ONLY when redirecting to log files, not blanket suppression. ^(link)