Skip to content

t1006: Fix cron PATH and GH_TOKEN detection #1291

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
alex-solovyev merged 1 commit into from
Feb 12, 2026
Merged

t1006: Fix cron PATH and GH_TOKEN detection #1291

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 20 additions & 1 deletion .agents/scripts/supervisor-helper.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13190,7 +13190,26 @@ cmd_cron() {
local script_path
script_path="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/supervisor-helper.sh"
local cron_marker="# aidevops-supervisor-pulse"
local cron_cmd="*/${interval} * * * * ${script_path} pulse ${batch_arg} >> ${SUPERVISOR_DIR}/cron.log 2>&1 ${cron_marker}"

# Detect current PATH for cron environment (t1006)
local user_path="${PATH}"

# Detect GH_TOKEN from gh CLI if available (t1006)
local gh_token=""
if command -v gh &>/dev/null; then
gh_token=$(gh auth token 2>/dev/null || true)
fi

# Build cron command with environment variables
local env_vars=""
if [[ -n "$user_path" ]]; then
env_vars="PATH=${user_path}"
fi
if [[ -n "$gh_token" ]]; then
env_vars="${env_vars:+${env_vars} }GH_TOKEN=${gh_token}"
fi
Comment on lines +13194 to +13210
Copy link
Contributor

@coderabbitai coderabbitai bot Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Avoid writing GH_TOKEN into crontab (secret exposure risk).

Embedding GH_TOKEN in the cron entry stores it in plaintext and makes it visible via crontab -l, which is a hard security no-go. The script already resolves GH_TOKEN at runtime (cache + gh/gopass/credentials), so the cron entry doesn’t need the token.

✅ Safer approach (remove GH_TOKEN from cron line) 
-	# Detect GH_TOKEN from gh CLI if available (t1006)
-	local gh_token=""
-	if command -v gh &>/dev/null; then
-		gh_token=$(gh auth token 2>/dev/null || true)
-	fi
-
-	# Build cron command with environment variables
+	# Build cron command with environment variables
 	local env_vars=""
 	if [[ -n "$user_path" ]]; then
 		env_vars="PATH=${user_path}"
 	fi
-	if [[ -n "$gh_token" ]]; then
-		env_vars="${env_vars:+${env_vars} }GH_TOKEN=${gh_token}"
-	fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Detect current PATH for cron environment (t1006)
local user_path="${PATH}"
# Detect GH_TOKEN from gh CLI if available (t1006)
local gh_token=""
if command -v gh &>/dev/null; then
gh_token=$(gh auth token 2>/dev/null || true)
fi
# Build cron command with environment variables
local env_vars=""
if [[ -n "$user_path" ]]; then
env_vars="PATH=${user_path}"
fi
if [[ -n "$gh_token" ]]; then
env_vars="${env_vars:+${env_vars} }GH_TOKEN=${gh_token}"
fi
# Detect current PATH for cron environment (t1006)
local user_path="${PATH}"
# Build cron command with environment variables
local env_vars=""
if [[ -n "$user_path" ]]; then
env_vars="PATH=${user_path}"
fi
🤖 Prompt for AI Agents 
In @.agents/scripts/supervisor-helper.sh around lines 13194 - 13210, The cron
entry construction currently injects GH_TOKEN into env_vars (variables gh_token
and env_vars) which writes the secret into the crontab; remove any logic that
appends GH_TOKEN into env_vars so GH_TOKEN is never placed into the generated
cron line. Keep detection of gh CLI and the gh_token retrieval (the command -v
gh / gh auth token block) if you want to cache or use it at runtime, but stop
adding "${gh_token}" to env_vars (the branch that sets
env_vars="${env_vars:+${env_vars} }GH_TOKEN=${gh_token}"); instead rely on
runtime resolution of credentials and only export non-secret envs like PATH
(user_path) into the cron entry.


local cron_cmd="*/${interval} * * * * ${env_vars:+${env_vars} }${script_path} pulse ${batch_arg} >> ${SUPERVISOR_DIR}/cron.log 2>&1 ${cron_marker}"
Comment on lines +13194 to +13212
Copy link
Contributor

@coderabbitai coderabbitai bot Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Sanitize PATH before injecting into cron (cron treats %/newlines specially).

Cron treats % as a newline and rejects embedded newlines, so an unsanitized PATH can silently break the crontab line. Strip newlines and escape % before composing the entry.

🧹 Harden PATH for cron 
 	# Detect current PATH for cron environment (t1006)
-	local user_path="${PATH}"
+	local user_path="${PATH}"
+	# Cron treats % as newline; strip newlines and escape %
+	user_path=${user_path//$'\n'/}
+	user_path=${user_path//$'\r'/}
+	user_path=${user_path//%/\\%}
🤖 Prompt for AI Agents 
In @.agents/scripts/supervisor-helper.sh around lines 13194 - 13212, The PATH
value stored in user_path can contain newlines or '%' characters that break cron
entries; after assigning user_path, sanitize it by stripping
newlines/carriage-returns and escaping '%' (e.g., replace $'\n' and $'\r' with
nothing and replace '%' with '\%'), then use that sanitized variable (e.g.,
sanitized_path) when building env_vars and cron_cmd instead of the raw
user_path; ensure env_vars uses sanitized_path so cron receives a single-line,
percent-escaped PATH.


case "$action" in
install)
Expand Down
Loading