99 changes: 99 additions & 0 deletions .agents/scripts/supervisor-helper.sh
Expand Up @@ -10212,6 +10212,105 @@ cmd_pulse() {
bash "$coderabbit_pulse_script" run --repo "$pulse_repo" --quiet 2>>"$SUPERVISOR_LOG" || true
fi

# Phase 10b: Auto-create TODO tasks from quality findings (t299)
# Converts CodeRabbit and quality-sweep findings into actionable TODO tasks with #auto-dispatch.
# Self-throttles with 24h cooldown to avoid task spam.
local task_creation_cooldown=86400 # 24 hours in seconds
local task_creation_state_file="${SUPERVISOR_DIR}/last-task-creation.json"
local should_create_tasks=false

# Check cooldown
if [[ -f "$task_creation_state_file" ]]; then
local last_run
last_run=$(jq -r '.timestamp // 0' "$task_creation_state_file" 2>/dev/null || echo "0")
local now
now=$(date +%s)
local age=$((now - last_run))

if [[ "$age" -ge "$task_creation_cooldown" ]]; then
should_create_tasks=true
log_verbose " Phase 10b: Task creation cooldown expired (${age}s >= ${task_creation_cooldown}s)"
else
local remaining=$((task_creation_cooldown - age))
log_verbose " Phase 10b: Task creation cooldown active (${remaining}s remaining)"
fi
else
should_create_tasks=true
log_verbose " Phase 10b: First task creation run"
fi

if [[ "$should_create_tasks" == "true" ]]; then
log_verbose " Phase 10b: Creating tasks from quality findings"

# Get repo path for TODO.md
local pulse_repo=""
pulse_repo=$(db "$SUPERVISOR_DB" "SELECT DISTINCT repo FROM tasks LIMIT 1;" 2>/dev/null || echo "")
if [[ -z "$pulse_repo" ]]; then
pulse_repo="$(pwd)"
fi

local todo_file="${pulse_repo}/TODO.md"
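Review bot: `pulse_repo` is redeclared `local` and re-queried here even though the function already has a `pulse_repo` in scope (the context line at the top of this hunk passes it to the pulse script as `--repo "$pulse_repo"`), and `SELECT DISTINCT repo FROM tasks LIMIT 1;` has no ORDER BY, so when the tasks table holds more than one repo whichever row the database returns first decides which repository's TODO.md receives every finding. Reuse the existing `pulse_repo` value or iterate over each distinct repo, and treat the `$(pwd)` fallback as an explicit configuration error rather than a silent default, since it writes TODO.md into whatever directory the supervisor happened to be started from.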
Comment on lines +10247 to +10252
security-high high

The pulse_repo variable is retrieved directly from the database and used to construct the todo_file path without any validation or sanitization. An attacker who can influence the tasks table in the database could potentially set repo to an arbitrary path (e.g., using path traversal or pointing to sensitive directories), leading to an arbitrary file write (append) when findings are written to TODO.md. Since this framework uses TODO.md for autonomous task execution, this could be used to inject malicious tasks into other repositories or locations.

local tasks_created=false

# Create tasks from CodeRabbit findings
local coderabbit_creator="${SCRIPT_DIR}/coderabbit-task-creator-helper.sh"
if [[ -x "$coderabbit_creator" ]]; then
log_verbose " Converting CodeRabbit findings to tasks..."
local coderabbit_output
coderabbit_output=$("$coderabbit_creator" create 2>>"$SUPERVISOR_LOG" || true)

if [[ -n "$coderabbit_output" ]] && echo "$coderabbit_output" | grep -q "^- \[ \]"; then
# Append tasks to TODO.md
echo "" >> "$todo_file"
echo "$coderabbit_output" >> "$todo_file"
tasks_created=true
local task_count
task_count=$(echo "$coderabbit_output" | grep -c "^- \[ \]" || echo "0")
log_verbose " Created $task_count tasks from CodeRabbit findings"
fi
fi

# Create tasks from quality-sweep findings (SonarCloud, Codacy)
local finding_to_task="${SCRIPT_DIR}/finding-to-task-helper.sh"
if [[ -x "$finding_to_task" ]]; then
log_verbose " Converting quality-sweep findings to tasks..."
local sweep_output
sweep_output=$("$finding_to_task" create --min-severity medium --limit 10 2>>"$SUPERVISOR_LOG" || true)

if [[ -n "$sweep_output" ]] && echo "$sweep_output" | grep -q "^- \[ \]"; then
# Append tasks to TODO.md
echo "" >> "$todo_file"
echo "$sweep_output" >> "$todo_file"
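Review bot: the CodeRabbit path puts no bound on how many tasks it appends, while the quality-sweep path is capped with `--min-severity medium --limit 10`, and nothing in this region deduplicates against entries already present in `$todo_file`, so unless `coderabbit-task-creator-helper.sh` does that internally the same open finding is re-appended every time the 24h cooldown expires. Apply the same kind of cap to the CodeRabbit call (a `--limit` option if that helper supports one, otherwise `head -n 10` over the `^- \[ \]` lines) and skip task lines that are already present in the file before the `>> "$todo_file"` append.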
Comment on lines +10265 to +10283
security-high high

This section appends findings from external tools (like CodeRabbit) directly into the TODO.md file with the #auto-dispatch tag. This creates a task injection vulnerability, as malicious content in findings could lead to automatic execution of commands by the dispatcher agent. Additionally, the current implementation involves inefficient double grep calls on coderabbit_output to check for and count tasks, which can be optimized.

tasks_created=true
local task_count
task_count=$(echo "$sweep_output" | grep -c "^- \[ \]" || echo "0")
log_verbose " Created $task_count tasks from quality-sweep findings"
fi
Comment on lines +10280 to +10288
medium

Similar to the CodeRabbit findings block, this block calls grep twice on sweep_output. It's more efficient to get the count once and use it for both the conditional check and the log message.

Suggested change
if [[ -n "$sweep_output" ]] && echo "$sweep_output" | grep -q "^- \[ \]"; then
# Append tasks to TODO.md
echo "" >> "$todo_file"
echo "$sweep_output" >> "$todo_file"
tasks_created=true
local task_count
task_count=$(echo "$sweep_output" | grep -c "^- \[ \]" || echo "0")
log_verbose " Created $task_count tasks from quality-sweep findings"
fi
local task_count
task_count=$(echo "$sweep_output" | grep -c "^- \[ \]" || echo "0")
if [[ "$task_count" -gt 0 ]]; then
# Append tasks to TODO.md
echo "" >> "$todo_file"
echo "$sweep_output" >> "$todo_file"
tasks_created=true
log_verbose " Created $task_count tasks from quality-sweep findings"
fi

fi

# Commit and push TODO.md if tasks were created
if [[ "$tasks_created" == "true" ]]; then
log_verbose " Committing and pushing TODO.md updates..."
(
cd "$pulse_repo" || exit 1
git add TODO.md 2>>"$SUPERVISOR_LOG" || true
git commit -m "chore: auto-create tasks from quality findings (t299)" 2>>"$SUPERVISOR_LOG" || true
git push 2>>"$SUPERVISOR_LOG" || true
)
Comment on lines +10294 to +10299
critical

Using || true on these git commands, especially git push, is risky as it suppresses all errors. A git push failure, for instance, would leave the remote TODO.md outdated, but the script would update the cooldown timer, preventing a retry for 24 hours. This can lead to silent failures and data inconsistency. While the style guide (line 13) allows || true for commands that may fail, a push failure is a definite failure of the operation's goal and should not be ignored. It's better to handle git operations more carefully by checking for changes before committing and letting set -e handle critical failures like a failed push.

Suggested change
(
cd "$pulse_repo" || exit 1
git add TODO.md 2>>"$SUPERVISOR_LOG" || true
git commit -m "chore: auto-create tasks from quality findings (t299)" 2>>"$SUPERVISOR_LOG" || true
git push 2>>"$SUPERVISOR_LOG" || true
)
(
cd "$pulse_repo" || exit 1
git add TODO.md 2>>"$SUPERVISOR_LOG"
# Only commit if there are changes to avoid an error from an empty commit.
if git diff --staged --quiet; then
log_verbose " No new tasks to commit to TODO.md."
else
git commit -m "chore: auto-create tasks from quality findings (t299)" 2>>"$SUPERVISOR_LOG"
git push 2>>"$SUPERVISOR_LOG"
fi
)

fi

# Update cooldown state
mkdir -p "$SUPERVISOR_DIR"
cat > "$task_creation_state_file" << EOF
{
"timestamp": $(date +%s),
"date": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
"tasks_created": $tasks_created
}
EOF
log_verbose " Phase 10b: Task creation complete"
fi

# Phase 11: Supervisor session memory monitoring + respawn (t264, t264.1)
# OpenCode/Bun processes accumulate WebKit malloc dirty pages that are never
# returned to the OS. Over long sessions, a single process can grow to 25GB+.
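Review bot: the cooldown state file written by `cat > "$task_creation_state_file" << EOF` is updated unconditionally at the end of the block, so the 24h timer also starts when neither `coderabbit-task-creator-helper.sh` nor `finding-to-task-helper.sh` was executable, or when the `(cd "$pulse_repo" ... git push)` subshell failed, which hides a misconfiguration or a transient git error for a full day (the `|| true` comment above covers only the push case). Consider writing the timestamp only when at least one helper actually ran, and logging a warning via `log_verbose` plus recording the failure in the state file when the subshell returns non-zero, so the next pulse can retry instead of waiting out the cooldown. Separately, `"tasks_created": $tasks_created` is interpolated unquoted into JSON; that is correct for the `true`/`false` values assigned here, but a short comment noting that it must stay a bare boolean would prevent a later edit from producing a file `jq` refuses to parse.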