t1323: Fix TTSR shell-local-params rule false-positives on currency/pricing text

[marcusquinn]

Summary

• Expands currency/pricing false-positive exclusions in validatePositionalParams() quality hook to handle single-digit amounts ($5 flat, $3 fee), escaped dollar signs (\$49/mo), markdown table rows, and pipe-delimited cells
• Adds negative lookbehind for escaped dollar signs (\$N) in the TTSR shell-local-params regex pattern
• Verified with 38 test cases covering both false-positive exclusions and true-positive detection

Changes

.agents/plugins/opencode-aidevops/index.mjs

1. validatePositionalParams() (quality hook for .sh files): Added 4 new exclusion checks:

   • $N followed by pricing/unit words (per, flat, fee, monthly, etc.)
   • Escaped \$N (literal dollar sign in shell strings)
   • Lines starting with | (markdown table rows in heredocs)
   • $N followed by | (markdown table cell boundary)

2. TTSR shell-local-params rule: Added (?<!\\) negative lookbehind before \$[1-9] to skip escaped dollar signs in assistant output scanning.

Testing

• 27/27 validatePositionalParams tests pass (23 false-positive exclusions + 4 true-positive detections)
• 11/11 TTSR regex tests pass (7 false-positive exclusions + 4 true-positive detections)
• JS syntax check passes
• Verified against real shell scripts (domain-research-helper.sh) — correctly identifies true violations while excluding \$49/mo pricing patterns

Closes #2194

Summary by CodeRabbit

• Bug Fixes
  • Fewer false positives when flagging positional parameters in shell snippets: the detector now recognizes escaped dollar signs, skips currency/pricing and table-like lines, and better handles heredoc/pipe contexts so alerts are more accurate.

[gemini-code-assist]

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the logic for detecting direct positional parameter usage in shell scripts, specifically addressing false positives related to currency and pricing text. By introducing more sophisticated exclusion rules within the validatePositionalParams() quality hook and updating the shell-local-params regex, the changes aim to improve the accuracy of the analysis, reducing noise for developers while maintaining the integrity of the original rule.

Highlights

• Enhanced validatePositionalParams() exclusions: Expanded currency/pricing false-positive exclusions in the validatePositionalParams() quality hook to cover single-digit amounts, escaped dollar signs, markdown table rows, and pipe-delimited cells.
• TTSR shell-local-params regex update: Incorporated a negative lookbehind into the TTSR shell-local-params regex pattern to prevent false positives on escaped dollar signs (\$N).
• Comprehensive testing: Verified changes with 38 test cases, ensuring both false-positive exclusions and true-positive detection, and confirmed against real-world shell scripts.

Changelog

• .agents/plugins/opencode-aidevops/index.mjs
  • Added new exclusion checks within validatePositionalParams() for currency/pricing patterns, escaped dollar signs, markdown table rows, and pipe-delimited cells.
  • Modified the shell-local-params TTSR rule's regex pattern to include a negative lookbehind (?<!\\) to ignore escaped dollar signs.

Activity

• 27 validatePositionalParams tests passed, including 23 false-positive exclusions and 4 true-positive detections.
• 11 TTSR regex tests passed, covering 7 false-positive exclusions and 4 true-positive detections.
• JS syntax check passed without issues.
• Verified against real shell scripts, confirming correct identification of true violations and exclusion of \$49/mo pricing patterns.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 07b8c65 and e29a13c.

📒 Files selected for processing (1)

• .agents/plugins/opencode-aidevops/index.mjs

---

Walkthrough

Updates detection of unescaped positional params: added escaping-aware pre-filtering and multiple false-positive filters (currency, pricing/unit phrases, markdown table/pipe cases) in validator; adjusted TTSR shell-local-params regex to ignore escaped dollar signs.

Changes

Cohort / File(s)	Summary
Guard Logic & Rule Update .agents/plugins/opencode-aidevops/index.mjs	In validatePositionalParams strip escaped \\$[1-9], skip lines without unescaped $N, and add filters for currency/pricing patterns, pricing/unit phrases, markdown table lines, and $N followed by pipes. Update BUILTIN_TTSR_RULES shell-local-params regex to use negative lookbehind (?<!\\) so escaped $N are ignored.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• t1323: Fix TTSR shell-local-params rule false-positives on currency/pricing text #2296: Adds exclusions for currency/pricing and markdown patterns in shell-local-params detection; overlaps with the false-positive filters here.
• fix: prevent TTSR messagesTransformHook infinite correction loop #2203: Adjusts shell-local-params TTSR regex to avoid false positives for escaped-dollar cases.
• t1304: Soft TTSR — wire rules into OpenCode plugin hooks #2139: Earlier changes to validatePositionalParams and TTSR handling that this PR further refines.

Poem

💸 Escaped dollars bow away,
Regex learns the rules today,
Tables, prices left unscared,
Shell hints now check who's prepared,
Tiny tweak — detection spared.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main change: fixing false-positives in the TTSR shell-local-params rule for currency/pricing text patterns.
Linked Issues check	✅ Passed	The PR fully addresses issue #2194 requirements: expanded false-positive exclusions for currency/pricing patterns, updated TTSR regex with negative lookbehind for escaped dollars, and all tests passing (27/27).
Out of Scope Changes check	✅ Passed	All changes are directly scoped to issue #2194: currency/pricing false-positive fixes in validatePositionalParams and TTSR shell-local-params rule pattern, with no unrelated modifications.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bugfix/ttsr-shell-local-params-currency-false-positives

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 89 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Thu Feb 26 18:35:54 UTC 2026: Code review monitoring started
Thu Feb 26 18:35:54 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 89

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 89
• VULNERABILITIES: 0

Generated on: Thu Feb 26 18:35:57 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/plugins/opencode-aidevops/index.mjs:
- Around line 811-813: The check that currently does if (/\\\$[1-9]/.test(line))
{ continue; } skips the entire line when it contains any escaped dollar, hiding
real unescaped positional params; instead detect unescaped positional params by
either removing escaped dollars first (e.g., let s = line.replace(/\\\$\d/g, '')
and test s) or use a negative-lookbehind to match unescaped tokens
(/((?<!\\)\$[1-9])/) and only continue when no unescaped match exists—update the
if to use one of these approaches on the variable line so mixed content like
`"\$5 fee $1"` still triggers detection for $1.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fbcddc3 and fc5f6b7.

📒 Files selected for processing (1)

• .agents/plugins/opencode-aidevops/index.mjs

[gemini-code-assist]

Code Review

This pull request effectively addresses false positives in shell parameter validation by expanding the exclusion patterns for currency and pricing information. The addition of a negative lookbehind in the TTSR rule to handle escaped dollar signs is also a solid improvement. I have one suggestion to consolidate the new conditional checks for better readability and maintainability.

[gemini-code-assist]

For better readability and maintainability, you can consolidate these consecutive if statements into a single condition using the logical OR (||) operator. This makes the code more compact and easier to read, and simplifies adding or removing patterns in the future.

Suggested change

	if (/\$[1-9][0-9.,/]/.test(trimmed)) {
	continue;
	}
	if (/\$[1-9]\s+(?:per|mo(?:nth)?|year|yr|day|week|hr|hour|flat|each|off|fee|plan|tier|user|seat|unit|addon|setup|trial|credit|annual|quarterly|monthly)\b/.test(trimmed)) {
	continue;
	}
	if (/\\\$[1-9]/.test(line)) {
	continue;
	}
	if (/^\s*\|/.test(line)) {
	continue;
	}
	if (/\$[1-9]\s*\|/.test(trimmed)) {
	continue;
	}
	if (
	/\$[1-9][0-9.,/]/.test(trimmed) ||
	/\$[1-9]\s+(?:per|mo(?:nth)?|year|yr|day|week|hr|hour|flat|each|off|fee|plan|tier|user|seat|unit|addon|setup|trial|credit|annual|quarterly|monthly)\b/.test(trimmed) ||
	/\\\$[1-9]/.test(line) ||
	/^\s*\|/.test(line) ||
	/\$[1-9]\s*\|/.test(trimmed)
	) {
	continue;
	}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 89 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Thu Feb 26 18:48:21 UTC 2026: Code review monitoring started
Thu Feb 26 18:48:22 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 89

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 89
• VULNERABILITIES: 0

Generated on: Thu Feb 26 18:48:24 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/plugins/opencode-aidevops/index.mjs:
- Around line 821-822: The pipe-exclusion regex if
(/\$[1-9]\s*\|/.test(stripped)) continue; is too broad and skips valid shell
uses (e.g. echo "$1" | ...); narrow it to apply only when the line is a markdown
table row (or remove it entirely because table-row detection already exists).
Change the check in the runtime validator to first verify the markdown-table
context (use the existing table-row detection helper or a boolean like
isTableRow/insideTable) before applying the /\$[1-9]\s*\|/ test, and make the
same adjustment to the TTSR pattern usage referenced at line ~1539 so pipe
skipping only occurs for real markdown table rows.
- Around line 812-814: The current check if (/\$[1-9][0-9.,/]/.test(stripped))
incorrectly treats patterns like "$1/config" as currency; update the regex used
in that conditional to exclude '/' (e.g., change the character class to [0-9.,]
and ensure it matches currency-like sequences such as decimals or comma groups
only), so the if condition on stripped only skips true currency patterns and not
paths like "$1/config".

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fc5f6b7 and 07b8c65.

📒 Files selected for processing (1)

• .agents/plugins/opencode-aidevops/index.mjs

[coderabbitai]

⚠️ Potential issue | 🟠 Major

$1/… is being misclassified as pricing and skipped.

Line 812 treats any $[1-9] followed by / as currency. That hides real violations like "$1/config" in shell scripts, reducing enforcement coverage.

Proposed fix

-        if (/\$[1-9][0-9.,/]/.test(stripped)) {
+        if (
+          // Multi-digit or formatted amounts, optionally with billing unit
+          /\$[1-9]\d[0-9.,]*(?:\/(?:mo(?:nth)?|yr|year|day|week|hr|hour))?\b/.test(stripped) ||
+          // Single-digit amount with explicit billing unit (e.g. $5/mo)
+          /\$[1-9]\/(?:mo(?:nth)?|yr|year|day|week|hr|hour)\b/.test(stripped)
+        ) {
           continue;
         }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/plugins/opencode-aidevops/index.mjs around lines 812 - 814, The
current check if (/\$[1-9][0-9.,/]/.test(stripped)) incorrectly treats patterns
like "$1/config" as currency; update the regex used in that conditional to
exclude '/' (e.g., change the character class to [0-9.,] and ensure it matches
currency-like sequences such as decimals or comma groups only), so the if
condition on stripped only skips true currency patterns and not paths like
"$1/config".

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Pipe exclusion is too broad and misses real shell violations.

The current \$N ... | exclusions skip valid detections such as echo "$1" | sed .... This affects both the runtime validator (Line 821) and TTSR pattern (Line 1539). For A-grade shell quality, constrain pipe-based skipping to markdown-table context only (or remove it here, since table-row detection already exists).

Proposed fix

-        if (/\$[1-9]\s*\|/.test(stripped)) {
-          continue;
-        }
+        // Keep pipeline cases detectable; markdown table rows are already
+        // handled by the line-start pipe check above.

-    pattern: "^\\s+(?:echo|printf|return|if|\\[\\[).*(?<!\\\\)\\$[1-9](?![0-9.,/])(?!\\s*[|])(?!\\s+(?:per|mo(?:nth)?|year|yr|day|week|hr|hour|flat|each|off|fee|plan|tier|user|seat|unit|addon|setup|trial|credit|annual|quarterly|monthly)\\b)(?!.*local\\s+\\w+=)",
+    pattern: "^\\s+(?:echo|printf|return|if|\\[\\[).*(?<!\\\\)\\$[1-9](?![0-9.,/])(?!\\s+(?:per|mo(?:nth)?|year|yr|day|week|hr|hour|flat|each|off|fee|plan|tier|user|seat|unit|addon|setup|trial|credit|annual|quarterly|monthly)\\b)(?!.*local\\s+\\w+=)",

Also applies to: 1539-1539

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/plugins/opencode-aidevops/index.mjs around lines 821 - 822, The
pipe-exclusion regex if (/\$[1-9]\s*\|/.test(stripped)) continue; is too broad
and skips valid shell uses (e.g. echo "$1" | ...); narrow it to apply only when
the line is a markdown table row (or remove it entirely because table-row
detection already exists). Change the check in the runtime validator to first
verify the markdown-table context (use the existing table-row detection helper
or a boolean like isTableRow/insideTable) before applying the /\$[1-9]\s*\|/
test, and make the same adjustment to the TTSR pattern usage referenced at line
~1539 so pipe skipping only occurs for real markdown table rows.

[marcusquinn]

@coderabbitai review

Both review comments have been addressed:

1. CodeRabbit (escaped dollar line-skip): Fixed in commit 07b8c65 — replaced whole-line continue with strip-then-test approach (trimmed.replace(/\\\$[1-9]/g, '')) so mixed content like "\ fee $1" still detects the unescaped $1.

2. Gemini (consolidate if-statements): Applied in commit 9725366 — merged 4 separate if-continue blocks into a single compound condition for readability.

All 27 test cases pass (22 false-positive exclusions + 5 true-positive detections).

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 89 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Thu Feb 26 18:54:41 UTC 2026: Code review monitoring started
Thu Feb 26 18:54:41 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 89

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 89
• VULNERABILITIES: 0

Generated on: Thu Feb 26 18:54:44 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[coderabbitai]

@marcusquinn: Thank you for addressing the feedback! I can see you've:

1. Implemented the strip-then-test approach (commit 07b8c65) – This is a much better solution that handles mixed escaped/unescaped scenarios correctly.
2. Consolidated the if-statements (commit 9725366) – Improved readability with the compound condition.

Great to hear all 27 test cases are passing. I'll review the updated changes now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 90 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Thu Feb 26 19:08:51 UTC 2026: Code review monitoring started
Thu Feb 26 19:08:51 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 90

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 90
• VULNERABILITIES: 0

Generated on: Thu Feb 26 19:08:54 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[marcusquinn]

@coderabbitai review

All three review findings have been addressed in commit e29a13c:

1. Pipe-exclusion too broad ($[1-9]\s*\|): Removed entirely. Only ^\s*\| (markdown table row start) remains. Shell pipes like echo "$1" | sed are now correctly detected as violations.

2. Currency regex includes / ($[1-9][0-9.,/]): Changed to $[1-9][0-9.,] (no /). Added explicit billing-unit pattern $[1-9]\/(?:mo|month|yr|year|day|week|hr|hour) so $5/mo is still excluded but $1/config is detected.

3. TTSR pattern updated: Removed (?!\s*[|]) pipe exclusion and / from (?![0-9.,/]) → (?![0-9.,]). Added (?!\/(?:mo|month|yr|year|day|week|hr|hour)\b) for billing units.

Verified with 32 test cases covering all edge cases (paths, billing units, pipes, markdown tables, escaped dollars, mixed content).

[coderabbitai]

@marcusquinn: Excellent work addressing all three findings! I can see you've made very precise improvements:

1. Narrowed pipe detection – Keeping only markdown table row start (^\s*\|) while allowing shell pipe usage to be properly detected is the right balance.

2. Split currency vs. path detection – Removing / from the general currency character class and adding explicit billing-unit patterns ($5/mo, etc.) is a smart approach that maintains pricing exclusions while catching shell paths like $1/config.

3. Synchronized TTSR pattern – Aligning the runtime pattern with the validator logic ensures consistency across the quality checks.

32 test cases covering all the edge cases (paths, billing units, pipes, markdown tables, escaped dollars, mixed content) is thorough validation. I'll review the updated changes now.

---

If you found this review helpful, would you consider giving us a shout-out on X?

Thank you for using CodeRabbit!

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

All review comments addressed in commits 07b8c65, 9725366, e29a13c. Verified with 23 test cases.