t1032.1: Implement code-audit-helper.sh unified audit orchestrator#1376

Merged
marcusquinn merged 2 commits intomainfrom
feature/t1032.1
Feb 13, 2026

Conversation


@marcusquinn marcusquinn commented Feb 13, 2026

Summary

  • Replace 6-line placeholder stub with full unified audit orchestrator (~1270 lines)
  • Iterates configured services from code-audit-config.json (CodeRabbit, Codacy, SonarCloud, CodeFactor)
  • Calls each service collector, aggregates findings into shared audit_findings SQLite table with columns: source, severity, path, line, description, category, rule_id
  • Deduplicates cross-service findings on same file+line (first finding kept, others marked duplicate)
  • Outputs unified summary with severity/category/file breakdowns

Implementation Details

Commands: audit, report, summary, status, reset, help

Service collectors:

  • CodeRabbit: Imports from existing coderabbit-collector-helper.sh SQLite DB
  • SonarCloud: Direct API call via curl + jq parsing
  • Codacy: Direct API call via curl + jq parsing
  • CodeFactor: Direct API call via curl + jq parsing

Quality: ShellCheck zero violations, bash syntax verified, integration tested with deduplication verification.

Patterns followed: local var="$1", explicit returns, db() wrapper with busy_timeout (t135.3), _save_cleanup_scope/push_cleanup for temp files, stderr logging from collector subshells.

Testing

  • bash -n syntax check: PASS
  • shellcheck -x: zero violations
  • help command: works
  • status command: shows dependencies, service availability, DB stats
  • audit command: gracefully skips services without tokens, full pipeline runs
  • Deduplication: verified with test data (same file:line from 2 services correctly deduped)
  • summary and report commands: work with latest run

Closes #1363

Summary by CodeRabbit

  • New Features

    • Unified audit orchestrator integrating findings from multiple security services.
    • New commands: audit, report, summary, status, reset, and help for improved workflow.
    • Cross-service deduplication to eliminate duplicate findings.
    • Enhanced reporting with text, JSON, and CSV formats and filtering options.
  • Refactor

    • Migrated from snapshot-oriented approach to run-based audit system with centralized database storage.
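The dedup rule described in the summary (shared audit_findings table, same file+line across services, first finding kept, the rest marked duplicate) carried through as a runnable pipeline. This is an added example, not the project's code: the script itself is bash driving the sqlite3 CLI, whereas this uses Python's sqlite3 module so it runs offline. The finding columns follow the description above; the audit_runs layout, the dedup_key, is_duplicate and duplicate_of columns, the index, the function names and the sample findings are assumptions constructed for the example.

```python
import sqlite3

# Constructed sample findings in the column order of the shared table:
# (source, severity, path, line, description, category, rule_id).
# Three services report the same file:line; collectors run in this order.
SAMPLE_FINDINGS = [
    ("sonarcloud", "major", "src/app.py", 42, "Unused variable", "code-smell", "python:S1481"),
    ("codacy", "minor", "src/app.py", 42, "Unused local", "code-style", "W0612"),
    ("codefactor", "minor", "src/app.py", 42, "Unused variable", "style", "W0612"),
    ("sonarcloud", "critical", "src/db.py", 7, "SQL built from user input", "vulnerability", "python:S3649"),
    ("coderabbit", "major", "src/util.py", 100, "Missing error handling", "bug", None),
]

# Assumed schema: one audit_runs row per audit, findings keyed back to the run.
# dedup_key, is_duplicate and duplicate_of are what the dedup step needs.
SCHEMA = """
CREATE TABLE audit_runs (
    run_id    INTEGER PRIMARY KEY AUTOINCREMENT,
    pr_number INTEGER NOT NULL DEFAULT 0,
    status    TEXT NOT NULL DEFAULT 'running'
);
CREATE TABLE audit_findings (
    finding_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    run_id       INTEGER NOT NULL REFERENCES audit_runs(run_id),
    source       TEXT NOT NULL,
    severity     TEXT NOT NULL,
    path         TEXT NOT NULL,
    line         INTEGER,
    description  TEXT,
    category     TEXT,
    rule_id      TEXT,
    dedup_key    TEXT NOT NULL,
    is_duplicate INTEGER NOT NULL DEFAULT 0,
    duplicate_of INTEGER REFERENCES audit_findings(finding_id)
);
CREATE INDEX idx_findings_dedup ON audit_findings(run_id, dedup_key);
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA busy_timeout = 5000")  # same idea as the script's db() wrapper
    conn.executescript(SCHEMA)
    return conn


def start_run(conn, pr_number=0):
    cur = conn.execute("INSERT INTO audit_runs (pr_number) VALUES (?)", (pr_number,))
    return cur.lastrowid


def insert_findings(conn, run_id, findings):
    """Insert collector output. The dedup key is path:line; a finding with no
    line number cannot be matched across services, so it gets a key of its own."""
    rows = []
    for source, severity, path, line, description, category, rule_id in findings:
        key = f"{path}:{line}" if line is not None else f"{path}:{source}:{rule_id}"
        rows.append((run_id, source, severity, path, line, description, category, rule_id, key))
    conn.executemany(
        "INSERT INTO audit_findings (run_id, source, severity, path, line, description, "
        "category, rule_id, dedup_key) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()


def deduplicate_findings(conn, run_id):
    """Keep the lowest finding_id per dedup_key within the run (the first collector
    to report it wins) and point every later one at it. Returns rows marked."""
    cur = conn.execute(
        """
        UPDATE audit_findings
        SET is_duplicate = 1,
            duplicate_of = (SELECT MIN(f.finding_id) FROM audit_findings f
                            WHERE f.run_id = audit_findings.run_id
                              AND f.dedup_key = audit_findings.dedup_key)
        WHERE run_id = ?
          AND finding_id > (SELECT MIN(f.finding_id) FROM audit_findings f
                            WHERE f.run_id = audit_findings.run_id
                              AND f.dedup_key = audit_findings.dedup_key)
        """,
        (run_id,),
    )
    conn.commit()
    return cur.rowcount


def summary(conn, run_id):
    """Breakdowns over surviving (non-duplicate) findings, plus the duplicate count."""
    by_severity = dict(conn.execute(
        "SELECT severity, COUNT(*) FROM audit_findings "
        "WHERE run_id = ? AND is_duplicate = 0 GROUP BY severity", (run_id,)))
    by_source = dict(conn.execute(
        "SELECT source, COUNT(*) FROM audit_findings "
        "WHERE run_id = ? AND is_duplicate = 0 GROUP BY source", (run_id,)))
    duplicates = conn.execute(
        "SELECT COUNT(*) FROM audit_findings WHERE run_id = ? AND is_duplicate = 1",
        (run_id,)).fetchone()[0]
    return {"by_severity": by_severity, "by_source": by_source, "duplicates": duplicates}


def run_audit(findings=SAMPLE_FINDINGS, pr_number=1376):
    """The audit pipeline: create the run, collect, dedup, mark complete."""
    conn = open_db()
    run_id = start_run(conn, pr_number)
    insert_findings(conn, run_id, findings)
    marked = deduplicate_findings(conn, run_id)
    conn.execute("UPDATE audit_runs SET status = 'complete' WHERE run_id = ?", (run_id,))
    conn.commit()
    return conn, run_id, marked
```

Because the survivor is chosen by lowest finding_id, which collector "wins" for a shared file:line is decided by the service order in the config, so the severity and rule_id that appear in the summary for that line come from whichever service ran first; reordering the services changes the reported severity even though the underlying finding is the same.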


coderabbitai bot commented Feb 13, 2026

Walkthrough

The script undergoes a comprehensive rewrite transforming it from a simple snapshot-oriented tool into a unified audit orchestrator. It introduces a normalized SQLite schema with audit_runs and audit_findings tables, multi-service collectors for CodeRabbit/SonarCloud/Codacy/CodeFactor, deduplication logic, and unified reporting capabilities with new command structure.

Changes

Cohort / File(s) Summary
Audit Orchestrator Core
.agents/scripts/code-audit-helper.sh
Complete architectural redesign: normalized SQLite schema (audit_runs/audit_findings with WAL mode), multi-service collector framework (CodeRabbit, SonarCloud, Codacy, CodeFactor), deduplication across services, reporting engine (text/json/csv formats), status/health diagnostics, and unified command dispatch (audit, report, summary, status, reset, help).

Sequence Diagram

sequenceDiagram
    participant Client
    participant Orchestrator as Orchestrator<br/>(cmd_audit)
    participant CR as CodeRabbit<br/>Collector
    participant SC as SonarCloud<br/>Collector
    participant CD as Codacy<br/>Collector
    participant CF as CodeFactor<br/>Collector
    participant DB as SQLite DB<br/>(audit_runs/<br/>audit_findings)
    participant Dedup as Deduplication<br/>Logic

    Client->>Orchestrator: audit command
    Orchestrator->>DB: Create audit_run row
    Orchestrator->>CR: collect_coderabbit(run_id)
    CR->>DB: Insert findings
    Orchestrator->>SC: collect_sonarcloud(run_id)
    SC->>DB: Insert findings
    Orchestrator->>CD: collect_codacy(run_id)
    CD->>DB: Insert findings
    Orchestrator->>CF: collect_codefactor(run_id)
    CF->>DB: Insert findings
    Orchestrator->>Dedup: deduplicate_findings(run_id)
    Dedup->>DB: Mark duplicates<br/>(dedup_key match)
    Orchestrator->>DB: Mark run complete
    Orchestrator->>Client: Audit complete

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🔍 Multiple auditors dance as one,
CodeRabbit, SonarCloud, Codacy run—
Findings converge in SQLite's keep,
Deduped and blessed, they never sleep! 📊✨

🚥 Pre-merge checks | ✅ 5 | ❌ 1
❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Merge Conflict Detection ⚠️ Warning ⚠️ Unable to check for merge conflicts: Failed to fetch base branch: From https://github.com/marcusquinn/aidevops
! [rejected] main -> main (non-fast-forward)
+ 5dfbfbc...63c3e40 main -> origin/main (forced update)
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: implementing a unified audit orchestrator in code-audit-helper.sh, referencing the task ID t1032.1.
Linked Issues check ✅ Passed The PR fully implements all coding requirements from #1363: unified orchestrator with service collectors, SQLite schema with audit_findings table, deduplication logic, and CLI commands (audit, report, summary, status, reset, help).
Out of Scope Changes check ✅ Passed All changes are scoped to code-audit-helper.sh orchestrator implementation with no unrelated modifications or scope creep beyond the #1363 requirements.
Docstring Coverage ✅ Passed Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.



@gemini-code-assist
Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the code auditing capabilities by introducing a unified orchestrator. It centralizes the collection and reporting of code quality findings from multiple services, providing a consolidated and deduplicated view of potential issues. This change streamlines the code review process and offers a clearer picture of code health across different analysis tools.

Highlights

  • Unified Audit Orchestrator Implementation: The code-audit-helper.sh script has been transformed from a 6-line placeholder into a comprehensive 1270-line orchestrator for unified code audits.
  • Multi-Service Integration: The orchestrator now integrates with and collects findings from various code quality services, including CodeRabbit, Codacy, SonarCloud, and CodeFactor.
  • Centralized Data Storage and Deduplication: All collected findings are aggregated into a shared SQLite database (audit_findings table), with a mechanism to deduplicate cross-service findings on the same file and line.
  • Comprehensive Command-Line Interface: A full suite of commands has been implemented, allowing users to audit, report, summary, status, reset, and access help for managing code audits.
  • Robustness and Quality Assurance: The script adheres to best practices, including shellcheck zero violations, bash syntax verification, and integration testing with deduplication verification.
Changelog
  • .agents/scripts/code-audit-helper.sh
    • Replaced placeholder script with a full unified audit orchestrator.
    • Added functions for database initialization, configuration loading, and repository information retrieval.
    • Implemented collector functions for CodeRabbit, SonarCloud, Codacy, and CodeFactor.
    • Included logic for deduplicating findings across different services.
    • Developed command-line interface functions (audit, report, summary, status, reset, help).
Activity
  • No human activity has been recorded on this pull request since its creation.

@github-actions

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 19 code smells

[INFO] Recent monitoring activity:
Fri Feb 13 15:02:31 UTC 2026: Code review monitoring started
Fri Feb 13 15:02:32 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 19

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 19
  • VULNERABILITIES: 0

Generated on: Fri Feb 13 15:02:35 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This is an impressive and comprehensive script for orchestrating code audits. The implementation is well-structured and follows many of the established patterns. My review focuses on a few key areas to enhance security, robustness, and adherence to the repository style guide. I've identified a critical SQL injection vulnerability that needs immediate attention, along with a high-severity bug in the SQL escaping logic. Other comments point out style guide violations and opportunities to improve maintainability and robustness. Addressing these points will make this excellent script even better.

@github-actions
🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 21 code smells

[INFO] Recent monitoring activity:
Fri Feb 13 15:37:54 UTC 2026: Code review monitoring started
Fri Feb 13 15:37:54 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 21

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 21
  • VULNERABILITIES: 0

Generated on: Fri Feb 13 15:37:57 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

marcusquinn added a commit that referenced this pull request Feb 13, 2026
Comprehensive test script (tests/test-audit-e2e.sh) that exercises all 7
checkpoints of the unified audit cycle:

1. Service polling — verifies collectors exist for all 4 services
2. Unified DB — seeds test findings, validates schema and dedup
3. Task creation — verifies finding-to-task pipeline with correct IDs
4. Phase 10b — validates TODO.md append, cooldown, commit/push
5. Phase 0 — confirms auto-dispatch pickup and dispatch wiring
6. Worker PRs — validates dispatch/evaluate infrastructure
7. Trend tracking — tests audit_snapshots table and WoW deltas

Results: 42 pass, 0 fail, 10 skip (all skips due to unmerged deps).
Documents 10 gaps, all traceable to 3 open PRs (#1376, #1377, #1378).

Decision: Treat stub code-audit-helper.sh as skip not fail since the
implementation exists in PR #1376 — matches existing codebase patterns.
…2.1)

Replace 6-line placeholder with full orchestrator that:
- Iterates configured services from code-audit-config.json
- Calls each collector (CodeRabbit, Codacy, SonarCloud, CodeFactor)
- Merges results into shared audit_findings SQLite table
- Deduplicates cross-service findings on same file+line
- Outputs unified summary with severity/category/file breakdowns

ShellCheck: zero violations. Syntax: verified. Integration: tested.
- [critical] Add numeric validation for pr_number, run_id, limit before
  SQL interpolation to prevent injection in cmd_audit, cmd_report, cmd_summary
- [high] Remove incorrect backslash un-escaping in sql_escape() that could
  corrupt legitimate input containing backslashes
- [medium] Add explicit return to db() per project style guide
- [medium] Separate local declaration from assignment in sql_escape()
- [medium] Use cut -c1-500 instead of head -c 500 for UTF-8 safe truncation
- [medium] Use read -ra array pattern for services iteration to prevent
  glob expansion
@github-actions
🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 26 code smells

[INFO] Recent monitoring activity:
Fri Feb 13 19:09:32 UTC 2026: Code review monitoring started
Fri Feb 13 19:09:33 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 26

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 26
  • VULNERABILITIES: 0

Generated on: Fri Feb 13 19:09:35 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@marcusquinn marcusquinn merged commit d4bc6f3 into main Feb 13, 2026
10 of 11 checks passed
@marcusquinn marcusquinn deleted the feature/t1032.1 branch February 13, 2026 19:12
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.agents/scripts/code-audit-helper.sh:
- Around line 636-639: Auto-detected pr_number from the gh command is not
validated and could contain non-numeric output; after the assignment to
pr_number inside the auto-detect block (the gh pr view call), validate that
pr_number is purely numeric (e.g., match against ^[0-9]+$ or use a numeric test)
and if it fails, set it to 0 or exit with an error before any SQL interpolation
occurs (the later use of pr_number in the SQL on line 653 must only receive a
validated numeric value); ensure this validation happens immediately after the
gh pr view assignment so the sanitized pr_number is used everywhere.
🧹 Nitpick comments (2)
.agents/scripts/code-audit-helper.sh (2)

247-259: CodeRabbit importer builds SQL via shell string interpolation — less robust than the jq approach used by other collectors.

The SonarCloud, Codacy, and CodeFactor collectors all use jq with a sql_str filter to generate SQL, which is more controlled. Here, sql_escape is called on individual fields but the overall SQL is assembled via shell string concatenation inside a pipeline subshell. A description containing characters that break shell quoting (or a truly adversarial code comment) could corrupt the generated SQL.

Additionally, $pr_number on line 250 is interpolated directly into the inner DB query without sql_escape — it's safe because it's validated as numeric upstream, but it's inconsistent with the escaping applied to other fields.

Consider refactoring to use a jq-based approach consistent with the other collectors, or at minimum, wrapping the inserts in a transaction for atomicity.


187-193: sql_escape is correct for SQLite but consider handling newlines.

Single-quote doubling is the right escaping for SQLite string literals. However, multi-line descriptions (from API responses or code comments) could contain literal newlines that break the generated SQL file when each INSERT is expected on one logical line — particularly in import_coderabbit_findings where SQL is appended line-by-line to a file.

The jq-based collectors avoid this because jq's output is single-line by default. For the shell-based import_coderabbit_findings, a newline in $body could split the INSERT across multiple lines in $sql_file, causing parse errors.

🛡️ Proposed hardening
 sql_escape() {
 	local val
 	val="$1"
+	# Replace newlines and carriage returns with spaces
+	val="${val//$'\n'/ }"
+	val="${val//$'\r'/}"
 	val="${val//\'/\'\'}"
 	echo "$val"
 	return 0
 }
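Review bot: `echo "$val"` on the helper's last line treats a value that begins with `-n`, `-e` or `-E` as an option rather than data, so a description such as `-e foo` comes back altered; `printf '%s\n' "$val"` returns the escaped value verbatim. On the added lines, folding newlines to spaces changes what is stored: SQLite string literals may legitimately contain newlines, so the alternative is to leave the value intact and have import_coderabbit_findings emit each INSERT as one `;`-terminated statement instead of relying on one line per INSERT in $sql_file.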

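The two review points above (single-quote doubling is the right SQLite escaping, but newlines break a one-INSERT-per-line SQL file, and numeric fields must be validated before bare interpolation) in one runnable form. This is an added example, not the project's code: the script builds SQL text in bash and pipes it to the sqlite3 CLI, whereas this builds the same kind of text in Python and executes it through the sqlite3 module so the result can be checked offline. sql_escape, validate_int, build_insert, build_report_query, the minimal table and the hostile inputs are assumptions constructed here; the 500-character truncation mirrors the cut -c1-500 change in the commit message, and the digit regex is the same `^[0-9]+$` the suggestion uses in bash.

```python
import re
import sqlite3

MAX_DESCRIPTION_CHARS = 500  # count characters, not bytes, so UTF-8 text is never cut mid-sequence


def sql_escape(value):
    """Render an untrusted string as a SQLite single-quoted literal.

    Doubling single quotes is the only escaping SQLite string literals need;
    backslashes are not special and are left alone. Newlines are folded to
    spaces so the statement stays on one line when the SQL is written to a
    file one INSERT per line."""
    text = str(value)[:MAX_DESCRIPTION_CHARS]
    text = text.replace("\r", "").replace("\n", " ")
    return "'" + text.replace("'", "''") + "'"


_INT_RE = re.compile(r"^[0-9]+$")


def validate_int(name, value):
    """pr_number, run_id, line and limit are interpolated bare into the SQL
    text, so they must be proven all-digit before they get there."""
    text = str(value).strip()
    if not _INT_RE.match(text):
        raise ValueError(f"{name} must be a non-negative integer, got {text!r}")
    return int(text)


def build_insert(run_id, source, severity, path, line, description):
    return (
        "INSERT INTO audit_findings (run_id, source, severity, path, line, description) "
        f"VALUES ({validate_int('run_id', run_id)}, {sql_escape(source)}, "
        f"{sql_escape(severity)}, {sql_escape(path)}, {validate_int('line', line)}, "
        f"{sql_escape(description)});"
    )


def build_report_query(run_id, limit):
    return (
        "SELECT path, line, description FROM audit_findings "
        f"WHERE run_id = {validate_int('run_id', run_id)} "
        f"ORDER BY path, line LIMIT {validate_int('limit', limit)};"
    )


# Constructed adversarial inputs: a code comment a service reports verbatim
# that tries to close the literal and drop the table, and a multi-line
# description that would split a one-INSERT-per-line file.
HOSTILE_DESCRIPTION = "x'); DROP TABLE audit_findings; --"
MULTILINE_DESCRIPTION = "Line 1 of finding\nLine 2 with it's quote\r\n"


def demo():
    """Generate the SQL text, run it as the sqlite3 CLI would, read it back."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit_findings (run_id INTEGER, source TEXT, severity TEXT, "
        "path TEXT, line INTEGER, description TEXT)"
    )
    script = "\n".join([
        build_insert(1, "sonarcloud", "major", "src/a.py", 10, HOSTILE_DESCRIPTION),
        build_insert(1, "codacy", "minor", "src/b.py", 20, MULTILINE_DESCRIPTION),
    ])
    conn.executescript(script)
    rows = conn.execute(build_report_query(1, 10)).fetchall()
    return script, rows
```

The hostile description survives as plain data because the only character that can end a SQLite literal is the single quote; a limit of `10; DROP TABLE audit_findings` never reaches the SQL text because validate_int rejects it first. When the script moves to generating statements via jq, the same two rules still apply, since jq only quotes what it is told to quote.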
Comment on lines +636 to +639
# Auto-detect PR if not specified
if [[ "$pr_number" -eq 0 ]]; then
pr_number=$(gh pr view --json number -q .number 2>/dev/null || echo "0")
fi
⚠️ Potential issue | 🟡 Minor

Auto-detected PR number bypasses numeric validation.

Line 626 validates pr_number when provided via --pr, but the auto-detected value from gh pr view on line 638 is never validated. If gh returns unexpected output (e.g., an error string leaking to stdout), it flows directly into SQL interpolation on line 653.

🛡️ Proposed fix
 	if [[ "$pr_number" -eq 0 ]]; then
 		pr_number=$(gh pr view --json number -q .number 2>/dev/null || echo "0")
+		if ! [[ "$pr_number" =~ ^[0-9]+$ ]]; then
+			log_warn "Could not auto-detect PR number, defaulting to 0"
+			pr_number=0
+		fi
 	fi
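Review bot: the added check accepts the `0` produced by `|| echo "0"`, so a branch with no open PR proceeds silently with pr_number=0 and the warning fires only on genuinely non-numeric stdout, which is the intended split; include the rejected value in the message (for instance `log_warn "... got '$pr_number'"`) so a broken gh or a stray stdout line is diagnosable. The `[[ "$pr_number" -eq 0 ]]` guard on the first line still depends on the `--pr` validation at line 626 upstream, because `-eq` on a non-numeric string is an arithmetic evaluation in bash.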

Development

Successfully merging this pull request may close these issues.

t1032: Implement code-audit-helper.sh — unified audit orchestrator across CodeRabbit, Codacy, SonarCloud, CodeFactor

1 participant