feat: daily multi-tool code quality sweep across all repos

[marcusquinn]

Summary

• Extends daily code review from single-repo CodeRabbit-only (issue Daily CodeRabbit Pulse Review #2386) to a multi-repo, multi-tool quality sweep across all repos.json pulse-enabled repos
• Adds run_daily_quality_sweep() to pulse-wrapper.sh — runs once per 24h, creates persistent pinned issues per repo, posts findings from ShellCheck, Qlty, SonarCloud, Codacy, and CodeRabbit
• Updates coderabbit.md to document the broader multi-tool scope and mark issue Daily CodeRabbit Pulse Review #2386 as legacy

Tools integrated

Tool	Source	Auth required
ShellCheck	Local CLI	No
Qlty	Local CLI (~/.qlty/bin/qlty)	QLTY_TOKEN in gopass
SonarCloud	Public API	No (public repos)
Codacy	REST API	CODACY_API_TOKEN in gopass
CodeRabbit	@coderabbitai mention	No (GitHub App)

How it works

1. run_daily_quality_sweep() checks timestamp guard (24h interval)
2. For each pulse-enabled repo, _ensure_quality_issue() creates/finds a persistent "Daily Code Quality Review" issue (labels: quality-review + persistent, pinned)
3. _quality_sweep_for_repo() runs all available tools and posts a single summary comment
4. The supervisor LLM reads findings on the next pulse and creates actionable GitHub issues

Verification

• shellcheck passes with zero violations
• bash -n syntax check passes
• Pattern follows existing update_health_issues() / _update_health_issue_for_repo() conventions

Summary by CodeRabbit

• New Features
  • Automated daily code quality reviews now analyze repositories using multiple integrated analysis tools for comprehensive coverage.
  • Consolidated findings are posted to persistent GitHub issues, enabling centralized tracking and visibility of code quality concerns.
  • Issues remain open with regular updates reflecting the latest quality assessment status.
  • Multi-repository support coordinates quality sweeps across multiple projects simultaneously.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4a0030f and 950559f.

📒 Files selected for processing (2)

• .agents/scripts/pulse-wrapper.sh
• .agents/tools/code-review/coderabbit.md

---

Walkthrough

Introduces a daily code quality sweep orchestration feature that aggregates findings from multiple quality tools (ShellCheck, Qlty, SonarCloud, Codacy, CodeRabbit) and posts consolidated summaries to persistent per-repo GitHub issues, with 24-hour interval gating and per-repo issue caching.

Changes

Cohort / File(s)	Summary
Daily Quality Sweep Implementation .agents/scripts/pulse-wrapper.sh	Adds three new functions: run_daily_quality_sweep() for orchestration, _ensure_quality_issue() for persistent per-repo issue creation/caching, and _quality_sweep_for_repo() for multi-tool findings aggregation. Introduces QUALITY_SWEEP_INTERVAL (86400s) and QUALITY_SWEEP_LAST_RUN configuration variables. Integrates ShellCheck, Qlty CLI, SonarCloud, Codacy, and CodeRabbit tool outputs into unified quality summaries posted as comments. Updates main() to invoke daily sweep after pulse runs.
Workflow Documentation .agents/tools/code-review/coderabbit.md	Updates documentation to reflect shift from legacy single-issue daily review (Issue #2386) to new multi-repo, multi-tool quality sweep orchestrated by pulse-wrapper.sh, marking previous approach as superseded.

Sequence Diagram(s)

sequenceDiagram
    participant Main as main()
    participant Sweep as run_daily_quality_sweep()
    participant Issue as _ensure_quality_issue()
    participant Quality as _quality_sweep_for_repo()
    participant Tools as Quality Tools<br/>(ShellCheck, Qlty,<br/>SonarCloud, Codacy,<br/>CodeRabbit)
    participant GitHub as GitHub API

    Main->>Sweep: Invoke daily quality sweep
    activate Sweep
    Note over Sweep: Check 24h interval<br/>from timestamp file
    
    loop For each pulse-enabled repo
        Sweep->>Issue: Ensure quality issue exists
        activate Issue
        Issue->>GitHub: Create or fetch "Daily Code Quality Review" issue
        GitHub-->>Issue: Return issue number
        Issue->>Sweep: Return cached issue ID
        deactivate Issue
        
        Sweep->>Quality: Run quality sweep for repo
        activate Quality
        Quality->>Tools: Gather findings from all tools
        Tools-->>Quality: Return aggregated results<br/>(ShellCheck, Qlty, SonarCloud,<br/>Codacy, CodeRabbit)
        Quality->>GitHub: Post consolidated comment to issue
        GitHub-->>Quality: Comment posted
        deactivate Quality
    end
    
    Sweep->>Sweep: Update last-run timestamp
    deactivate Sweep

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat: pre-fetch all repo state before pulse to prevent single-repo tunnel vision #2471: Modifies .agents/scripts/pulse-wrapper.sh in similar fashion by adding orchestration functions and new globals, then updating main() to invoke them.
• t245.2: Codacy API integration — fetch, normalize, deduplicate #1000: Adds Codacy fetch/normalize/dedup functionality that the daily quality sweep directly depends on for aggregated findings collection.

Suggested labels

enhancement

Poem

📊 Five tools now dance in daily grace,
Findings flow through GitHub space,
Quality swept with persistent flair,
Issues consolidated, tracked with care,
A-grade automation everywhere! ✨

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/daily-quality-review

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the automated code quality review process by expanding it from a single-repository, CodeRabbit-exclusive check to a comprehensive, multi-tool sweep across all configured repositories. The new system ensures consistent daily monitoring of code health, consolidating findings from various static analysis tools into persistent GitHub issues, which are then reviewed by a supervisor LLM to generate actionable tasks.

Highlights

• Multi-Tool Code Quality Sweep: Implemented a daily multi-tool code quality sweep across all pulse-enabled repositories, extending beyond the previous single-repo CodeRabbit-only review.
• New Functionality in pulse-wrapper.sh: Introduced run_daily_quality_sweep() in pulse-wrapper.sh to orchestrate the daily quality checks, including helper functions for issue management and tool execution.
• Integrated Quality Tools: Integrated multiple code quality tools: ShellCheck, Qlty, SonarCloud, Codacy, and CodeRabbit, to provide a comprehensive analysis.
• Persistent GitHub Issues: Established persistent 'Daily Code Quality Review' GitHub issues for each repository, which are pinned and labeled for easy tracking of findings.
• Documentation Update: Updated coderabbit.md documentation to reflect the expanded scope of the quality sweep and to mark the old single-repo CodeRabbit-only review (issue Daily CodeRabbit Pulse Review #2386) as legacy.

Changelog

• .agents/scripts/pulse-wrapper.sh
  • Added new environment variables, QUALITY_SWEEP_INTERVAL and QUALITY_SWEEP_LAST_RUN, to control the frequency and state of the quality sweep.
  • Introduced the run_daily_quality_sweep function to manage the daily quality checks across repositories, including a timestamp guard.
  • Implemented the _ensure_quality_issue function to create or retrieve persistent 'Daily Code Quality Review' GitHub issues, ensuring they are labeled and pinned.
  • Developed the _quality_sweep_for_repo function to execute various code quality tools (ShellCheck, Qlty, SonarCloud, Codacy, CodeRabbit) and post consolidated findings as comments on the persistent issue.
  • Integrated the run_daily_quality_sweep function into the main execution flow of the script.
• .agents/tools/code-review/coderabbit.md
  • Updated the 'Daily Full Codebase Review' section to describe the new multi-tool, multi-repo daily code quality review process.
  • Provided details on the implementation of the new sweep, including the tools used and the workflow.
  • Marked the previous single-repo CodeRabbit review mechanism (issue Daily CodeRabbit Pulse Review #2386) as legacy, indicating its replacement by the new system.

Activity

• No human activity (comments, reviews, approvals) was detected on this pull request.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 107 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sun Mar 1 04:23:16 UTC 2026: Code review monitoring started
Sun Mar 1 04:23:17 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 107

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 107
• VULNERABILITIES: 0

Generated on: Sun Mar 1 04:23:19 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[gemini-code-assist]

Code Review

This pull request introduces a daily multi-tool code quality sweep, enhancing the project by adding new functions to pulse-wrapper.sh for managing sweeps, creating persistent issues, and integrating various quality tools. However, a high-severity security vulnerability was identified: the system is susceptible to Indirect Prompt Injection. Untrusted data from analyzed repositories is included in GitHub issue comments processed by an LLM-based supervisor, potentially allowing an attacker to manipulate its behavior. Additionally, the extensive use of 2>/dev/null and >/dev/null 2>&1 in the new shell script functions suppresses critical error messages, which can lead to silent failures and hinder debugging.

[gemini-code-assist]

This section of the script (lines 1474-1492) constructs a Markdown comment by concatenating output from several external tools and posts it to a GitHub issue for an LLM-based 'supervisor' agent. This creates a high-severity Indirect Prompt Injection vulnerability, as untrusted tool outputs can manipulate the supervisor's behavior. To mitigate this, sanitize all tool outputs and use structured data formats with clear delimiters. Additionally, on line 1492, the gh issue comment command uses >/dev/null 2>&1, which completely silences both stdout and stderr. While the || block handles the exit code, valuable error messages for debugging (e.g., authentication issues, network problems) are lost. It is recommended to redirect only stdout (>/dev/null) to preserve stderr for debugging.

Suggested change

	local comment_body="## Daily Code Quality Sweep
	**Date**: ${now_iso}
	**Repo**: \`${repo_slug}\`
	**Tools run**: ${tool_count}
	---
	${shellcheck_section}
	${qlty_section}
	${sonar_section}
	${codacy_section}
	${coderabbit_section}
	---
	_Auto-generated by pulse-wrapper.sh daily quality sweep. The supervisor will review findings and create actionable issues._"
	# Post comment
	gh issue comment "$issue_number" --repo "$repo_slug" --body "$comment_body" >/dev/null 2>&1 || {
	gh issue comment "$issue_number" --repo "$repo_slug" --body "$comment_body" >/dev/null || {

References

1. Avoid using '2>/dev/null' for blanket suppression of command errors in shell scripts to ensure that authentication, syntax, or system issues remain visible for debugging.

[gemini-code-assist]

Suppressing jq's stderr with 2>/dev/null can hide critical errors, such as a malformed repos.json file, which would cause the quality sweep to fail silently. To improve debuggability, it's better to allow jq to report syntax errors. The || echo "" construct will still prevent the script from exiting on failure.

Suggested change

	repo_entries=$(jq -r '.initialized_repos[] | select(.pulse == true and (.local_only // false) == false and .slug != "") | "\(.slug)|\(.path)"' "$repos_json" 2>/dev/null || echo "")
	repo_entries=$(jq -r '.initialized_repos[] | select(.pulse == true and (.local_only // false) == false and .slug != "") | "\(.slug)|\(.path)"' "$repos_json" || echo "")

References

1. In shell scripts with 'set -e' enabled, use '|| true' to prevent the script from exiting when a command like 'jq' fails on an optional lookup. Do not suppress stderr with '2>/dev/null' so that actual syntax or system errors remain visible for debugging.
2. Avoid using '2>/dev/null' for blanket suppression of command errors in shell scripts to ensure that authentication, syntax, or system issues remain visible for debugging.

[gemini-code-assist]

Suppressing curl's stderr output with 2>/dev/null will hide network errors, API errors, or other issues when fetching data from SonarCloud. This makes it difficult to diagnose why the SonarCloud section might be missing from a report. It's better to let curl errors be visible in logs.

Suggested change

	sonar_status=$(curl -s "https://sonarcloud.io/api/qualitygates/project_status?projectKey=${project_key}" 2>/dev/null || echo "")
	sonar_status=$(curl -s "https://sonarcloud.io/api/qualitygates/project_status?projectKey=${project_key}" || echo "")

References

1. Avoid using '2>/dev/null' for blanket suppression of command errors in shell scripts to ensure that authentication, syntax, or system issues remain visible for debugging.