fix: never auto-close issues without merged PR evidence

[marcusquinn]

Summary

• Failed tasks no longer auto-close issues — posts failure comment + needs-review label, keeps issue OPEN for human triage
• Verified/deployed tasks require merged PR to close — if no merged PR exists, flags for human review instead of auto-closing
• needs-review label added to ensure_status_labels() and ALL_STATUS_LABELS for proper lifecycle management

Root Cause

sync_issue_status_label() in issue-sync.sh had three bugs:

1. failed state called gh issue close — should never close, only flag
2. verified|deployed state closed issues even when pr_url was empty, no_pr, task_only, or task_obsolete — should require actual merged PR
3. needs-review label was used but never created by ensure_status_labels(), causing silent failures

Impact

Reopened 5 incorrectly auto-closed issues: #2106, #1998, #1764, #1763, #1762

Supersedes

Supersedes PR #2112 (which only fixed the failed-state bug, not the verified/deployed path or label management).

Files Changed

File	Change
.agents/scripts/supervisor/issue-sync.sh	Fix all three close paths + label management

Fixes #1763, #1762, #2106

Summary by CodeRabbit

• New Features

  • Added "needs-review" status label to track issues requiring attention.
  • Added a merged-PR verification gate so only confirmed merged PRs auto-close issues.

• Bug Fixes

  • Failures no longer auto-close issues; they now post failure notes and mark for review.
  • Unmerged PRs trigger review comments and the needs-review label instead of silent closure.

[gemini-code-assist]

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the automated issue management system by addressing critical bugs that led to premature or incorrect issue closures. The primary goal is to enhance the reliability of issue status transitions, ensuring that issues are only closed when appropriate conditions are met, particularly the presence of a merged pull request for verified/deployed tasks. It also introduces a "needs-review" label to clearly mark issues requiring human attention, preventing silent failures and improving the overall workflow for issue resolution.

Highlights

• Issue Auto-Closing Logic: Modified the issue synchronization script to prevent automatic closing of issues for failed tasks and for verified/deployed tasks without concrete merged PR evidence.
• Human Review Flagging: Introduced a mechanism to flag issues with a "needs-review" label when tasks fail or when verified/deployed tasks lack merged PR evidence, ensuring human intervention.
• Label Management: Ensured the "needs-review" label is properly created and included in the list of all status labels for consistent lifecycle management.

Changelog

• .agents/scripts/supervisor/issue-sync.sh
  • Fixed all three issue closing paths to prevent incorrect auto-closure.
  • Improved label management by ensuring the needs-review label is created and recognized.

Activity

• Reopened 5 issues (t1300: Investigate t1165.1 repeated permission_denied_write_operations failures #2106, t1267: Retry t005.1 #1998, t1165.2: Container pool manager in supervisor #1764, t1165.1: Design container image and OAuth token provisioning #1763, t1165: Containerized Claude Code CLI instances for multi-subscription scaling #1762) that were incorrectly auto-closed due to previous bugs.
• Supersedes PR fix: prevent auto-closing failed issues and preserve em-dash content #2112, which only addressed a subset of the identified issues.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 20 minutes and 44 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

Introduced a merged-PR gating and a new "needs-review" label in .agents/scripts/supervisor/issue-sync.sh. Terminal-state handling now only auto-closes issues when a linked PR is confirmed merged; otherwise the script comments, applies needs-review, and leaves the issue open. Failure paths likewise retain the issue and mark it for human review.

Changes

Cohort / File(s)

Summary

Issue sync supervisor script .agents/scripts/supervisor/issue-sync.sh

Added needs-review to ALL_STATUS_LABELS. Implemented merged-PR detection (has_merged_pr) and gating: only auto-close on verified/deployed when a linked PR is MERGED; non-merged PRs trigger a comment and needs-review label. Failure/non-terminal states now post failure comments, apply needs-review, keep issues open, and may reopen previously closed issues. Also added ensure_status_labels update for new label and adjusted stale-label tracking.

Sequence Diagram(s)

sequenceDiagram
    participant Supervisor as Supervisor Script
    participant GH as GitHub API
    participant Issue as Issue
    participant PR as Pull Request

    Supervisor->>GH: fetch issue labels & linked PR(s)
    GH-->>Supervisor: labels, PR refs
    Supervisor->>PR: check PR state (merged/open/closed)
    PR-->>Supervisor: PR.state
    alt PR.state == "MERGED"
        Supervisor->>GH: post close comment & close Issue
        GH-->>Issue: issue closed, comment added
    else PR.state != "MERGED"
        Supervisor->>GH: post verification/failure comment
        Supervisor->>GH: add `needs-review` label to Issue
        GH-->>Issue: comment added, label applied (issue remains open)
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• #944: Adds merged-PR evidence detection and PR-linking helpers used for issue-closing decisions.
• #1299: Modifies supervisor issue-sync close/label logic and ALL_STATUS_LABELS, overlapping label management and terminal-state handling.
• #1504: Alters terminal-state closing behavior to inspect PR evidence and route non-merged cases to manual-review flows.

Poem

🛠️ A check for merges now guards the gate,
If proof's not merged, we mark for fate.
Needs-review waves its gentle flag,
Issues stay open — no premature tag.
Automation sings; humans then validate.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	The PR addresses issue #1763 by modifying issue-sync.sh to enforce stricter close conditions, but the linked issue objectives focus on container image design and OAuth token provisioning, which are entirely separate from this script fix.	Verify whether issue #1763 actually requires this script modification or if the wrong issue was linked; the PR's container/token work appears unrelated to shell script gate logic.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: never auto-close issues without merged PR evidence' accurately captures the primary change: preventing auto-closure of issues lacking merged PR proof.
Out of Scope Changes check	✅ Passed	All changes are scoped to issue-sync.sh and address the three stated bugs (failed state auto-closing, verified/deployed closing without merged PR, and needs-review label management), staying within the PR's declared objectives.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bugfix/prevent-auto-close-failed-issues

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 38 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sat Feb 21 17:59:07 UTC 2026: Code review monitoring started
Sat Feb 21 17:59:08 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 38

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 38
• VULNERABILITIES: 0

Generated on: Sat Feb 21 17:59:10 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[gemini-code-assist]

Code Review

This pull request correctly fixes a critical bug where issues were being auto-closed without proper evidence. The new logic, which requires a merged pull request to close 'verified' or 'deployed' tasks and flags 'failed' tasks for human review, is a significant improvement to the issue lifecycle management. The changes are well-structured and directly address the root causes outlined in the description. I have two suggestions for improvement. Firstly, the widespread use of 2>/dev/null suppresses important diagnostic errors from gh and db commands, which violates the repository's style guide and makes debugging difficult. I've recommended removing this suppression, aligning with repository rules on error visibility. Secondly, the control flow in the new failed case is confusing and has a misleading comment; it should return explicitly like other terminal states, which also aligns with repository rules for explicit function returns. Overall, this is a valuable fix that enhances the reliability of the automated supervisor.

[gemini-code-assist]

While using || echo "" is a good way to prevent the script from exiting on an expected error (like a PR not being found), suppressing stderr with 2>/dev/null hides critical unexpected errors such as authentication failures, API rate limits, or network issues. This makes debugging failures much harder and violates the repository's style guide (line 50) and general rules.

By removing 2>/dev/null, expected errors (e.g., gh exiting with status 1 for a non-existent PR) will still be handled by || echo "", but unexpected system or auth errors will become visible in the logs. This pattern should be applied to the other gh and db calls in this file that use 2>/dev/null.

Suggested change

	pr_state=$(gh pr view "$pr_number" --repo "$repo_slug" --json state,mergedAt,changedFiles \
	--jq '"state:\(.state) merged:\(.mergedAt // "n/a") files:\(.changedFiles)"' 2>/dev/null || echo "")
	pr_state=$(gh pr view "$pr_number" --repo "$repo_slug" --json state,mergedAt,changedFiles \
	--jq '"state:\(.state) merged:\(.mergedAt // "n/a") files:\(.changedFiles)"' || echo "")

References

1. 2>/dev/null is acceptable ONLY when redirecting to log files, not blanket suppression. This usage is a blanket suppression of potential gh CLI errors. ^(link)
2. Avoid using '2>/dev/null' for blanket suppression of command errors in shell scripts to ensure that authentication, syntax, or system issues remain visible for debugging.

[gemini-code-assist]

The comment on line 481 is misleading. The ;; does not cause a fall-through in the case statement in the way the comment implies. Instead, execution continues after the case block, which is confusing.

The failed case should be treated as a terminal action within this case statement, similar to the verified | deployed and cancelled cases. It performs all necessary actions (commenting, labeling) and should then exit the function. Using return 0 makes the control flow clearer and consistent with the other terminal states.

Suggested change

	# Fall through to non-terminal state logic for label handling
	;;
	# This is a terminal action. Return to prevent fall-through to the generic label handler.
	return 0

References

1. All functions in shell scripts must have explicit return statements to ensure predictable behavior and exit code propagation.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

.agents/scripts/supervisor/issue-sync.sh (1)

346-346: Naming inconsistency: needs-review breaks the status: prefix convention.

Every other label in ALL_STATUS_LABELS uses the status: prefix. Consider renaming to status:needs-review for consistency, or updating the comment on line 351 (which says "Removes all status:* labels") to reflect that this set now includes a non-status: label. Either way, the current code is functionally correct.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/scripts/supervisor/issue-sync.sh at line 346, ALL_STATUS_LABELS
currently contains a label "needs-review" that breaks the "status:" prefix
convention; update the ALL_STATUS_LABELS string to replace "needs-review" with
"status:needs-review" to maintain consistency (and scan for any usages of
ALL_STATUS_LABELS or downstream label parsing logic to ensure they still match),
or alternatively update the nearby comment that states "Removes all status:*
labels" to mention the non-prefixed label—preferably rename to
status:needs-review for consistency across label handling.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/scripts/supervisor/issue-sync.sh:
- Around line 424-427: The current check using grep -qi 'MERGED' against
pr_state always matches because the label "merged:" is present in the jq output;
update the logic that sets has_merged_pr to reliably detect a merged PR by
either 1) matching the state field explicitly (e.g., search for "state:MERGED"
or use a regex that anchors the field name) instead of plain "MERGED", or
preferably 2) replace the string-parse with a dedicated gh JSON query: call gh
pr view --repo "$repo_slug" "$pr_number" --json state and inspect the returned
.state value, then set has_merged_pr="true" only when that value equals
"MERGED"; update references to pr_state, the grep -qi 'MERGED' check, and the
has_merged_pr assignment accordingly.
- Around line 474-481: The "failed" case currently falls through because
state_to_status_label("failed") returns empty, so new_label is "", and gated
blocks never reopen or relabel a previously-closed issue; update the sync logic
to detect the "failed" state (e.g., check the status/state variable used before
calling state_to_status_label) and explicitly run gh to reopen the issue (gh
issue edit "$issue_number" --repo "$repo_slug" --state open) before adding the
"needs-review" label and posting fail_comment; ensure this happens regardless of
new_label being empty so closed issues are reopened for human review, and keep
using the existing fail_comment and needs-review label variables.
- Around line 421-422: The current check that tests whether a PR is merged
incorrectly matches the substring "merged" in the jq output (variable pr_state),
causing CLOSED/OPEN PRs to be treated as merged; update the conditional that
uses grep so it explicitly matches the state field value (e.g., change the grep
in the if that inspects pr_state to search for 'state:MERGED' instead of just
'MERGED' or 'merged') — locate the conditional around the use of pr_state (the
if echo "$pr_state" | grep ...) and replace the pattern to grep -q
'state:MERGED' to only detect actually merged PRs.

---

Nitpick comments:
In @.agents/scripts/supervisor/issue-sync.sh:
- Line 346: ALL_STATUS_LABELS currently contains a label "needs-review" that
breaks the "status:" prefix convention; update the ALL_STATUS_LABELS string to
replace "needs-review" with "status:needs-review" to maintain consistency (and
scan for any usages of ALL_STATUS_LABELS or downstream label parsing logic to
ensure they still match), or alternatively update the nearby comment that states
"Removes all status:* labels" to mention the non-prefixed label—preferably
rename to status:needs-review for consistency across label handling.

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 38 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sat Feb 21 20:50:07 UTC 2026: Code review monitoring started
Sat Feb 21 20:50:07 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 38

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 38
• VULNERABILITIES: 0

Generated on: Sat Feb 21 20:50:10 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.agents/scripts/supervisor/issue-sync.sh (2)

420-423: pr_state_raw can be derived from pr_state, eliminating a redundant API call.

Both lines 420–421 and 422–423 independently call gh pr view for the same PR number. The first call fetches only .state; the second already retrieves the same field (plus mergedAt and changedFiles). This is one extra GitHub API round-trip per state transition and introduces a small TOCTOU window where the PR could change state between the two requests.

♻️ Merge into a single call

-			local pr_state="" pr_state_raw=""
-			pr_state_raw=$(gh pr view "$pr_number" --repo "$repo_slug" --json state --jq '.state' 2>/dev/null || echo "")
-			pr_state=$(gh pr view "$pr_number" --repo "$repo_slug" --json state,mergedAt,changedFiles \
-				--jq '"state:\(.state) merged:\(.mergedAt // "n/a") files:\(.changedFiles)"' 2>/dev/null || echo "")
+			local pr_state="" pr_state_raw=""
+			pr_state=$(gh pr view "$pr_number" --repo "$repo_slug" --json state,mergedAt,changedFiles \
+				--jq '"state:\(.state) merged:\(.mergedAt // "n/a") files:\(.changedFiles)"' 2>/dev/null || echo "")
+			pr_state_raw=$(echo "$pr_state" | sed -n 's/^state:\([A-Z]*\).*/\1/p')

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/scripts/supervisor/issue-sync.sh around lines 420 - 423, The two gh
pr view calls are redundant; remove the first call and derive pr_state_raw from
the output of the second call (the pr_state variable) to avoid an extra API
request and a TOCTOU window. Update the assignment that sets pr_state to run a
single gh pr view --json state,mergedAt,changedFiles ... --jq '..."' and then
extract the raw state into pr_state_raw by parsing pr_state (e.g., pulling the
.state value from the jq output string) so both pr_state and pr_state_raw are
produced from the same API response.

---

29-29: needs-review color D93F0B duplicates status:claimed.

Both labels render identically in GitHub's label list. Consider a distinct hex (e.g. E99695) to make triage easier.

🎨 Suggested color tweak

-	gh label create "needs-review" --repo "$repo_slug" --color "D93F0B" --description "Flagged for human review by AI supervisor" --force 2>/dev/null || true
+	gh label create "needs-review" --repo "$repo_slug" --color "E99695" --description "Flagged for human review by AI supervisor" --force 2>/dev/null || true

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/scripts/supervisor/issue-sync.sh at line 29, The label creation for
"needs-review" currently uses color "D93F0B", which duplicates the existing
"status:claimed" color; update the gh label create invocation that sets
"needs-review" (the line calling gh label create "needs-review" --repo
"$repo_slug" --color "D93F0B" ...) to use a distinct hex (e.g. "E99695") so the
label is visually unique from "status:claimed".

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/scripts/supervisor/issue-sync.sh:
- Around line 444-445: The script currently builds remove_args (from
ALL_STATUS_LABELS) and then calls gh issue edit with both --remove-label ... and
--add-label "needs-review" in the same command, causing "needs-review" to be
removed when new_label is empty; fix by splitting the operations: first call gh
issue edit to remove status labels using the constructed "${remove_args[@]}",
then call a separate gh issue edit to add "needs-review" (only when desired).
Update both call sites that use gh issue edit (the no-merged-PR path and the
failed path) so they perform the removal and the needs-review addition in two
sequential gh calls rather than one combined call, ensuring remove_args does not
include or conflict with the separate add operation; keep existing error
handling (2>/dev/null || true) behavior.

---

Nitpick comments:
In @.agents/scripts/supervisor/issue-sync.sh:
- Around line 420-423: The two gh pr view calls are redundant; remove the first
call and derive pr_state_raw from the output of the second call (the pr_state
variable) to avoid an extra API request and a TOCTOU window. Update the
assignment that sets pr_state to run a single gh pr view --json
state,mergedAt,changedFiles ... --jq '..."' and then extract the raw state into
pr_state_raw by parsing pr_state (e.g., pulling the .state value from the jq
output string) so both pr_state and pr_state_raw are produced from the same API
response.
- Line 29: The label creation for "needs-review" currently uses color "D93F0B",
which duplicates the existing "status:claimed" color; update the gh label create
invocation that sets "needs-review" (the line calling gh label create
"needs-review" --repo "$repo_slug" --color "D93F0B" ...) to use a distinct hex
(e.g. "E99695") so the label is visually unique from "status:claimed".

Both issues raised in this review have been fixed in subsequent commits and marked resolved. Dismissing stale CHANGES_REQUESTED.

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 38 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sat Feb 21 20:56:46 UTC 2026: Code review monitoring started
Sat Feb 21 20:56:46 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 38

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 38
• VULNERABILITIES: 0

Generated on: Sat Feb 21 20:56:49 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

All 3 items addressed in commit 02fcf8f: (1) needs-review removed from ALL_STATUS_LABELS so it's no longer simultaneously added and removed, (2) dual gh pr view merged into single API call, (3) label color changed to E99695.

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 38 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sat Feb 21 20:59:24 UTC 2026: Code review monitoring started
Sat Feb 21 20:59:24 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 38

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 38
• VULNERABILITIES: 0

Generated on: Sat Feb 21 20:59:27 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud