t1330: Rate limit tracker for provider utilisation monitoring

[marcusquinn]

Summary

• Adds aidevops stats rate-limits command to observability-helper.sh that monitors requests/min and tokens/min per provider from the existing observability DB (t1307), compares against configurable rate limits, and warns at 80% threshold
• Integrates rate limit awareness into model-availability-helper.sh resolve_tier() so throttle-risk providers are automatically deprioritised in favour of fallback providers
• Integrates rate limit warning into dispatch.sh resolve_model() static fallback path

Changes

New: .agents/configs/rate-limits.json.txt

Configurable rate limit definitions per provider (requests/min, tokens/min, billing_type). Copy to ~/.config/aidevops/rate-limits.json and adjust for your plan. Covers: anthropic, openai, google, deepseek, openrouter, groq, opencode, xai.

Extended: observability-helper.sh

• cmd_rate_limits() — new command showing rolling-window utilisation vs configured limits per provider. Supports --json, --provider, --window flags.
• check_rate_limit_risk() — returns ok/warn/critical for a provider based on current utilisation vs configured limits
• Supporting helpers: _get_rate_limits_config(), _get_rate_limit_value(), _get_warn_pct(), _get_window_minutes(), _get_configured_providers()

Extended: model-availability-helper.sh

• _check_provider_rate_limit_risk() — queries observability-helper.sh for rate limit status
• _extract_provider() — extracts provider from model spec
• resolve_tier() — now checks rate limit risk before selecting primary provider; if primary is at throttle risk (≥warn_pct), prefers fallback provider
• cmd_rate_limits() — now also shows observability-derived utilisation alongside API header data

Extended: dispatch.sh

• resolve_model() — adds rate limit risk check in static fallback path; logs warning when anthropic is at throttle risk, prompting operator to configure alternative providers

Acceptance Criteria

• Rate limit definitions exist per provider (requests_per_min, tokens_per_min) in .agents/configs/rate-limits.json.txt
• aidevops stats rate-limits shows current utilisation per provider
• When a provider exceeds 80% of its rate limit, model routing prefers alternatives (via resolve_tier() in model-availability-helper.sh)
• Rate limit data derived from existing observability SQLite DB — no new data collection
• Works with both token-billed and subscription providers (billing_type field)
• ShellCheck clean — zero errors/warnings on all modified .sh files

Testing

# Show rate limit utilisation
aidevops stats rate-limits

# JSON output for scripting
aidevops stats rate-limits --json

# Filter by provider
aidevops stats rate-limits --provider anthropic --json

# Via model-availability-helper
.agents/scripts/model-availability-helper.sh rate-limits

Ref: t1307 (observability DB), t1100 (budget-aware routing), GH#2263

Summary by CodeRabbit

• New Features

  • CLI rate-limits command to view per-provider utilization (ok/warn/critical) with JSON output and filtering.
  • Automatic routing notices and fallback suggestions when a provider shows throttle risk.
  • Observability now surfaces rate-limit utilization alongside API-derived status.

• Documentation

  • Added user-configurable rate-limits template, help text describing config location, fields, and usage.

• Chores

  • Package/tooling version bumped to 1.1.0.

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 15 minutes and 49 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 2807eb9 and 9cd012a.

📒 Files selected for processing (3)

• .agents/scripts/model-availability-helper.sh
• .agents/scripts/observability-helper.sh
• .agents/scripts/supervisor-archived/dispatch.sh

Walkthrough

Adds rate-limit awareness across the agents: a new rate-limits config template, observability-helper rate-limit tracking and CLI, model-availability-helper provider extraction and throttle-risk checks, and supervisor dispatch warnings when providers (notably Anthropic) hit warn/critical thresholds.

Changes

Cohort / File(s)	Summary
Rate-limits config .agents/configs/rate-limits.json.txt	New template defining per-provider limits (requests/tokens per minute), global metadata (warn_pct, window_minutes, threshold), and billing types.
Observability helper .agents/scripts/observability-helper.sh	Adds rate-limit tracking (t1330): new config constants, config readers, provider value getters, risk scoring (check_rate_limit_risk), provider listing, cmd_rate_limits() CLI, help/dispatch wiring, and version bump to 1.1.0.
Model availability helper .agents/scripts/model-availability-helper.sh	Adds _extract_provider() (model → provider mapping) and _check_provider_rate_limit_risk() to query observability; integrates throttle-risk checks into tier resolution and rate-limit/status display.
Supervisor dispatch .agents/scripts/supervisor/dispatch.sh	Emits runtime warnings when Anthropic rate-limit status is warn/critical during model resolution (two code locations); no core selection changes.
Acceptance / tasks todo/tasks/t1330-brief.md	Adds acceptance-check items for rate-limit definitions and a shellcheck verification block; no runtime logic changes.

Sequence Diagram(s)

sequenceDiagram
    participant ModelSelector as ModelSelector
    participant RLChecker as RateLimitChecker
    participant ObsHelper as ObservabilityHelper
    participant Config as RateLimitsConfig
    participant ProviderResolver as ProviderResolver

    ModelSelector->>RLChecker: ask risk for <model_id>
    RLChecker->>Config: read provider thresholds (window, warn_pct)
    Config-->>RLChecker: return thresholds
    RLChecker->>ObsHelper: query utilization metrics (requests/tokens)
    ObsHelper-->>RLChecker: return utilization data
    RLChecker->>RLChecker: compute status (ok / warn / critical)
    RLChecker-->>ModelSelector: return risk

    alt risk == warn or critical
        ModelSelector->>ProviderResolver: prefer fallback provider
    else risk == ok
        ModelSelector->>ProviderResolver: use primary provider
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• fix: enforce Anthropic-only model routing for all worker dispatch #799 — Modifies Anthropic model-resolution/fallback behavior; related due to changes that affect Anthropic fallback handling.

Suggested labels

needs-review

Poem

🚦 Limits watched as metrics chime,
Fallbacks ready, chosen in time.
Observability hums in tune,
Warnings whisper, plans attune.
DevOps sails beneath the moon.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title clearly and specifically describes the main feature being introduced—a rate limit tracker for provider utilization monitoring—which directly maps to the primary changes across observability-helper.sh, model-availability-helper.sh, and related configuration.
Docstring Coverage	✅ Passed	Docstring coverage is 94.12% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/t1330

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the AI model routing system by integrating comprehensive rate limit awareness. It introduces a new command for monitoring provider utilization, enabling users to track requests and tokens per minute against defined limits. Crucially, the system now intelligently deprioritizes providers at risk of throttling, ensuring more resilient and efficient model selection. This proactive approach helps avoid service interruptions due to exceeding API rate limits.

Highlights

• Rate Limit Monitoring Command: Introduced a new aidevops stats rate-limits command to monitor requests/min and tokens/min per provider from the observability database, comparing against configurable rate limits and warning at an 80% threshold.
• Dynamic Provider Deprioritization: Integrated rate limit awareness into model-availability-helper.sh's resolve_tier() function, automatically deprioritizing throttle-risk providers in favor of fallback providers.
• Static Fallback Rate Limit Warning: Integrated a rate limit warning into dispatch.sh's resolve_model() static fallback path, logging a warning if a primary provider (e.g., Anthropic) is at throttle risk.
• Configurable Rate Limit Definitions: Added a new configuration file, .agents/configs/rate-limits.json.txt, allowing users to define rate limits (requests/min, tokens/min, billing_type) for various AI providers.

Changelog

• .agents/configs/rate-limits.json.txt
  • Added a new JSON configuration file to define rate limits (requests/min, tokens/min, billing_type) for various AI providers, including a warning threshold and window minutes.
• .agents/scripts/model-availability-helper.sh
  • Introduced _check_provider_rate_limit_risk to query observability-helper.sh for a provider's rate limit status.
  • Added _extract_provider to parse the provider name from a model specification.
  • Modified resolve_tier to check the primary provider's rate limit risk and prefer a fallback provider if the primary is at throttle risk.
  • Updated cmd_rate_limits to display observability-derived utilization alongside API header data.
• .agents/scripts/observability-helper.sh
  • Added rate-limits as a new command option.
  • Updated the script version to 1.1.0.
  • Defined new constants for rate limit configuration file paths and default values.
  • Implemented helper functions: _get_rate_limits_config, _get_rate_limit_value, _get_warn_pct, _get_window_minutes, _get_configured_providers for managing rate limit settings.
  • Created check_rate_limit_risk to determine a provider's risk status (ok, warn, critical) based on current usage and configured limits.
  • Developed cmd_rate_limits to display detailed rate limit utilization, supporting JSON output, provider filtering, and window customization.
  • Extended cmd_help with new options and examples for the rate-limits command.
  • Integrated cmd_rate_limits into the main command dispatch logic.
• .agents/scripts/supervisor/dispatch.sh
  • Updated comments in resolve_model to reflect the new rate limit awareness in model-availability-helper.sh.
  • Added a rate limit check within resolve_model's static fallback path to log warnings if Anthropic is at throttle risk, prompting users to configure alternatives.

Activity

• No human activity has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 56 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Wed Feb 25 03:18:14 UTC 2026: Code review monitoring started
Wed Feb 25 03:18:15 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 56

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 56
• VULNERABILITIES: 0

Generated on: Wed Feb 25 03:18:17 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[gemini-code-assist]

Code Review

This pull request introduces a valuable rate-limiting awareness mechanism to improve provider routing. The implementation is well-structured, adding a new rate-limits command and integrating it into the model resolution logic. My review focuses on improving the robustness and maintainability of the new shell scripts. Specifically, I've pointed out several instances where suppressing stderr can hide important errors, and a case where manually constructing JSON can be unsafe. Addressing these points will make the new functionality more reliable and easier to debug.

[augmentcode]

🤖 Augment PR Summary

Summary: Introduces rate-limit utilisation monitoring per provider and makes routing aware of throttle risk.

Changes:

• Adds a configurable provider rate-limit template at .agents/configs/rate-limits.json.txt (requests/min, tokens/min, billing type, thresholds).
• Extends observability-helper.sh with a new rate-limits command that reads the existing observability SQLite DB and reports rolling-window utilisation, with optional JSON output and filtering.
• Adds check_rate_limit_risk() and supporting config helpers to classify providers as ok/warn/critical based on utilisation vs configured limits.
• Updates model-availability-helper.sh tier resolution to prefer a fallback provider when the primary provider is at throttle risk.
• Enhances model-availability-helper.sh rate-limits output to include observability-derived utilisation alongside API header-derived limits.
• Updates supervisor dispatch.sh static fallback path to warn when Anthropic appears throttle-risk, prompting configuration of alternative providers.

Technical Notes: Rate-limit data is derived from the existing observability DB (no new collection) and uses a configurable rolling window with a default warn threshold of 80%.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/scripts/model-availability-helper.sh:
- Around line 944-945: The code is overwriting the rate-limit status returned by
_check_provider_rate_limit_risk by using "|| rl_risk=\"ok\"" which loses
"warn"/"critical" outputs; instead, capture the function output into rl_risk
regardless of exit code (call _check_provider_rate_limit_risk
"$primary_provider" and allow non-zero exits), then only apply a default if
rl_risk is empty (e.g., set rl_risk=${rl_risk:-ok}); ensure you still redirect
stderr as before and then use rl_risk in the subsequent check that compares to
"warn" or "critical".

In @.agents/scripts/observability-helper.sh:
- Around line 1266-1296: Validate and sanitize the window_minutes value returned
by _get_window_minutes before embedding it into SQL: ensure window_minutes is a
positive integer (e.g., use a regex like '^[0-9]+$' or arithmetic casting) and
fallback to a safe default if invalid; replace direct interpolation of
"${window_minutes}" in db_query calls with the validated/clamped variable (same
change for occurrences around the other db_query blocks noted) and do the same
for any effective_window variables so SQL date modifiers only ever receive a
numeric value, preventing malformed queries and injection via CLI/config.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 76d1493 and 35be5c0d1822cba1d8c0e317927e3f71b7709e98.

📒 Files selected for processing (4)

• .agents/configs/rate-limits.json.txt
• .agents/scripts/model-availability-helper.sh
• .agents/scripts/observability-helper.sh
• .agents/scripts/supervisor/dispatch.sh

[marcusquinn]

Flagged for Human Review

Reason: PR #2273 (t1330) is OPEN but task t1330 was cancelled in supervisor DB. PR has 1 review request change and 2 comments. Decide whether to close this PR or merge the useful work and update DB state.

This issue has been flagged by the AI supervisor for human review. Please assess and take appropriate action.

---

Flagged by AI Supervisor (automated reasoning cycle)

[marcusquinn]

Flagged for Human Review

Reason: PR #2273 (t1330) is OPEN but task t1330 is cancelled in supervisor DB. PR has 1 review request and 2 comments. Needs human decision: close the PR or reopen the task.

This issue has been flagged by the AI supervisor for human review. Please assess and take appropriate action.

---

Flagged by AI Supervisor (automated reasoning cycle)

[marcusquinn]

Flagged for Human Review

Reason: PR #2273 (t1330) is OPEN but task t1330 was cancelled in supervisor DB. PR should be closed.

This issue has been flagged by the AI supervisor for human review. Please assess and take appropriate action.

---

Flagged by AI Supervisor (automated reasoning cycle)

[marcusquinn]

Flagged for Human Review

Reason: PR #2273 (t1330) is open but task t1330 was cancelled in supervisor DB as 'DB orphan with no TODO entry'. This PR should be closed to avoid confusion.

This issue has been flagged by the AI supervisor for human review. Please assess and take appropriate action.

---

Flagged by AI Supervisor (automated reasoning cycle)

[marcusquinn]

Flagged for Human Review

Reason: PR #2273 (t1330: Rate limit tracker) is still OPEN but t1330 was cancelled in supervisor DB as 'DB orphan with no TODO entry'. This orphan PR should be closed or the work salvaged. Human decision needed: close the PR or re-register the task.

This issue has been flagged by the AI supervisor for human review. Please assess and take appropriate action.

---

Flagged by AI Supervisor (automated reasoning cycle)

[marcusquinn]

Flagged for Human Review

Reason: t1330 (rate limit tracker) PR #2273 has 1 rejection and 2 comments, and the task was cancelled in supervisor DB as 'DB orphan with no TODO entry'. Determine if this feature is still wanted — if so, reopen and address review feedback; if not, close the PR.

This issue has been flagged by the AI supervisor for human review. Please assess and take appropriate action.

---

Flagged by AI Supervisor (automated reasoning cycle)

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 70 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Wed Feb 25 13:54:58 UTC 2026: Code review monitoring started
Wed Feb 25 13:54:59 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 70

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 70
• VULNERABILITIES: 0

Generated on: Wed Feb 25 13:55:01 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[marcusquinn]

@coderabbitai review

All review feedback has been addressed across commits 48fcba65 and 73ccd647:

1. CRITICAL: rl_risk overwrite bug (CodeRabbit, Augment) - Fixed: changed || rl_risk="ok" to || true + ${rl_risk:-ok} default so warn/critical status is preserved
2. SQL injection via window_minutes (CodeRabbit, Augment) - Fixed: added numeric validation with regex ^[0-9]+$ and fallback to defaults in both check_rate_limit_risk() and cmd_rate_limits()
3. Remove 2>/dev/null suppression (Gemini x8) - Fixed: removed all blanket stderr suppression across model-availability-helper.sh, observability-helper.sh, and dispatch.sh; || true / || val="0" patterns provide graceful fallback
4. Unsafe JSON construction (Gemini) - Fixed: replaced printf-based JSON with jq -c -n using --arg/--argjson for safe escaping

ShellCheck clean on all three modified files.

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 70 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Wed Feb 25 13:57:28 UTC 2026: Code review monitoring started
Wed Feb 25 13:57:28 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 70

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 70
• VULNERABILITIES: 0

Generated on: Wed Feb 25 13:57:31 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[coderabbitai]

@marcusquinn: Thank you for the detailed summary of the fixes! I can see you've addressed:

✅ Critical security & correctness fixes:

• rl_risk variable preservation (warn/critical states now properly maintained)
• SQL injection prevention with numeric validation
• Removed error suppression for better debugging
• Safe JSON construction with jq

✅ ShellCheck compliance confirmed on all modified scripts

I'll review the changes now to verify these fixes are correctly implemented across the three modified shell scripts.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[marcusquinn]

@coderabbitai review

All review feedback has been addressed in commit 48fcba65:

1. Critical fix: Rate-limit risk bypass — || rl_risk="ok" was overwriting warn/critical status. Now uses || true inside subshell + ${var:-default} pattern to preserve function output regardless of exit code.
2. SQL injection guard: window_minutes/effective_window validated as positive integers before SQL interpolation. Falls back to DEFAULT_WINDOW_MINUTES if invalid.
3. Removed 2>/dev/null suppressions: All blanket stderr suppressions removed from new rate-limit code across 3 files. The || fallback patterns already handle errors gracefully.
4. Safe JSON construction: Replaced manual printf JSON with jq -c -n --arg/--argjson for proper escaping.

[coderabbitai]

@marcusquinn: Thank you for the comprehensive summary of the security and correctness fixes in commit 48fcba65! I can see you've addressed:

✅ Critical variable preservation - rl_risk now properly maintains warn/critical states
✅ SQL injection prevention - Input validation on window_minutes with fallback
✅ Improved debugging - Removed blanket stderr suppressions
✅ Safe JSON handling - Using jq for proper escaping

I'll review the changes now across the three modified shell scripts to verify these fixes are correctly implemented.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/scripts/observability-helper.sh:
- Around line 1356-1358: The pre-ingest command (cmd_ingest) can still emit
stdout parse info that contaminates the JSON produced by later rate-limits
--json; suppress all cmd_ingest output by redirecting both stdout and stderr (so
nothing prints to stdout) or use a true silent flag if cmd_ingest supports one,
keeping the existing fallback (|| true). Update the invocation of cmd_ingest in
the script to fully silence its output so downstream consumers of rate-limits
--json receive only valid JSON.

In `@todo/tasks/t1330-brief.md`:
- Around line 42-64: The fenced YAML and code blocks in the acceptance criteria
(the ```yaml blocks showing the verify/pattern/path snippets and the ShellCheck
snippet) lack the required blank lines before and after the fences causing MD031
errors; fix by inserting a single blank line immediately before each opening
```yaml (and ```bash) fence and a blank line immediately after each closing ```
fence so the blocks are separated from surrounding text and satisfy markdownlint
rules (affects the blocks containing verify/method/pattern/path and the
ShellCheck run).

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 35be5c0d1822cba1d8c0e317927e3f71b7709e98 and 48fcba65dc8fd11103942163ca14c66100aba552.

📒 Files selected for processing (4)

• .agents/scripts/model-availability-helper.sh
• .agents/scripts/observability-helper.sh
• .agents/scripts/supervisor/dispatch.sh
• todo/tasks/t1330-brief.md

[marcusquinn]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[marcusquinn]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 71 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Wed Feb 25 15:58:49 UTC 2026: Code review monitoring started
Wed Feb 25 15:58:50 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 71

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 71
• VULNERABILITIES: 0

Generated on: Wed Feb 25 15:58:52 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[marcusquinn]

All review comments have been addressed in commits 985f456, 8139e7a, 950f4b7, and 2807eb9:

1. rl_risk capture bug (CodeRabbit, Augment): Fixed — now uses || true to preserve stdout, with ${rl_risk:-ok} default
2. Timeout protection (CodeRabbit): Added 5s timeout via gtimeout/timeout with ok fallback
3. 2>/dev/null removal (Gemini): Removed from all rate-limit code paths across 3 files
4. window_minutes SQL validation (CodeRabbit, Augment): Added integer regex check with safe default
5. req_limit/tok_limit validation (CodeRabbit): Added _sanitize_uint() helper, applied at both call sites
6. cmd_ingest stdout contamination (CodeRabbit): Added >/dev/null redirect for clean JSON
7. JSON construction (Gemini): Replaced printf with jq --arg/--argjson
8. MD031 brief formatting (CodeRabbit): Fixed blank lines around fenced blocks

ShellCheck: zero violations on all modified .sh files.

@coderabbitai full review

[coderabbitai]

@marcusquinn: Excellent comprehensive remediation across all four commits! Your systematic approach to addressing every piece of feedback is impressive:

🔒 Security & correctness hardened:

• Variable state preservation (rl_risk) prevents logic bypass
• Timeout protection guards against hanging helpers
• SQL injection prevention with validated integers
• Input sanitization via _sanitize_uint() helper
• Safe JSON construction throughout

🛠️ Observability & quality:

• Error visibility restored (stderr no longer suppressed)
• Clean JSON output for programmatic consumers
• Markdown compliance maintained

✅ Zero technical debt maintained:

• ShellCheck: 0 violations across all modified shell scripts

I'll conduct a complete re-review of all changes now to verify the implementation of these 8 fixes across the four commits and ensure the rate-limit tracking feature meets all acceptance criteria.

✅ Actions performed

Full review triggered.

[marcusquinn]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/scripts/observability-helper.sh:
- Around line 1307-1320: The rolling-window SQL comparisons use datetime('now',
...) which produces a space-separated timestamp while recorded_at is stored as
ISO-8601 (with 'T' and 'Z'), causing lexical mis-ordering; update the queries
invoked by db_query (those computing actual_reqs and actual_tokens and any other
recorded_at filters) to use strftime('%Y-%m-%dT%H:%M:%SZ', 'now',
'-${window_minutes} minutes') (or equivalent ISO-formatted cutoff) so the
recorded_at vs cutoff comparison is ISO-compatible; keep using
sql_escape("$provider") and the same WHERE clauses but replace datetime('now',
'-...') with the ISO strftime expression for minute- and day-level windows to
fix over-counting.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 950f4b7 and 2807eb9.

📒 Files selected for processing (2)

• .agents/scripts/model-availability-helper.sh
• .agents/scripts/observability-helper.sh

[marcusquinn]

@coderabbitai review

Fixes applied for the 3 actionable issues from the latest review:

1. rl_risk capture (model-availability-helper.sh:957): Moved || true outside the command substitution — rl_risk=$(...) || true instead of rl_risk=$(... || true). Both are functionally equivalent (verified: echo output is captured before return triggers the || branch), but the new form is more explicit about intent.

2. cmd_ingest output contamination (observability-helper.sh:1374): Changed >/dev/null to >/dev/null 2>&1 to suppress both stdout and stderr, preventing any output from contaminating --json responses.

3. Timeout protection (model-availability-helper.sh:869-886): Already implemented in prior commits with gtimeout/timeout detection and 5-second limit. No additional changes needed.

ShellCheck: zero violations on both files.

[coderabbitai]

@marcusquinn: Thank you for the detailed breakdown of the three fixes! I can see you've systematically addressed the actionable items:

✅ Error handling clarity (model-availability-helper.sh:957):

• Moved || true outside command substitution for explicit intent
• rl_risk=$(...) || true pattern clearly shows fallback behavior

✅ Output contamination prevention (observability-helper.sh:1374):

• Enhanced suppression to >/dev/null 2>&1
• Ensures clean JSON output by silencing both stdout and stderr

✅ Timeout protection (model-availability-helper.sh:869-886):

• Already implemented with gtimeout/timeout detection and 5s limit
• No additional changes needed

✅ Zero technical debt maintained — ShellCheck clean on both modified files.

I'll review the implementation now to verify these fixes are correctly applied.

Note: The multiple flagged comments in this PR indicate that task t1330 was cancelled in the supervisor DB. This administrative issue will need human resolution (close PR or reconcile task state) before merge.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 90 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Wed Feb 25 16:39:10 UTC 2026: Code review monitoring started
Wed Feb 25 16:39:11 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 90

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 90
• VULNERABILITIES: 0

Generated on: Wed Feb 25 16:39:14 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

All issues addressed in subsequent commits. Verified by independent code review.

[marcusquinn]

Resolves #2263.