
t2892: fix quality-debt review feedback on pulse-wrapper.sh #2913

Merged
marcusquinn merged 1 commit into main from bugfix/t2892-pulse-wrapper-quality-debt on Mar 5, 2026

Conversation

@marcusquinn (Owner) commented Mar 5, 2026

Summary

  • Sanitizes process names in log entries to prevent log injection via crafted command lines (strips control characters, truncates to 200 chars)
  • Replaces grep -v grep anti-pattern with bracket trick ([.]opencode) across 4 call sites — prevents false exclusions from substring matching
  • Replaces echo "$cmd" | grep subshell with [[ "$cmd" =~ pattern ]] in cleanup_orphans() — eliminates 2 subshell forks per loop iteration
  • Uses printf -v instead of subshell for trigger_reasons string join (PR t2856: refactor trigger_reasons to use array in pulse-wrapper.sh #2886 Gemini review feedback)

Context

Addresses critical and medium severity findings from Gemini Code Assist review on PR #2881, plus the medium-severity printf -v suggestion from PR #2886.

The critical grep -v "$$" security bypass was already fixed in a prior refactor — guard_child_processes() now uses awk -v parent=$$ for exact PID matching. This PR addresses the remaining actionable findings.

Verification

  • shellcheck -S warning passes with zero violations
  • bash -n syntax check passes
  • All changes are behaviour-preserving: same processes matched, same log output (minus control characters)

Closes #2892

Summary by CodeRabbit

  • Bug Fixes

    • Improved process identification and matching reliability across different platforms.
    • Enhanced logging safety with sanitization of command output.
  • Improvements

    • Optimized process filtering and pattern matching logic.
    • Refined data processing methods for better performance.
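The four changes listed above, plus the awk exact-PID match mentioned in the context, as an added bash example written for this page; it is not code from pulse-wrapper.sh, and the function names, the constructed ps-style sample lines and the variable names are my own:

```bash
#!/usr/bin/env bash
# Added example, not code from pulse-wrapper.sh: each function is a
# stand-alone version of one technique from the PR. Names are hypothetical.
set -eo pipefail

# 1. Log sanitisation: a process name comes from an untrusted command line,
#    so drop every control character (ESC, CR, LF, TAB, ...) before it can
#    reach the log, then cap the length at 200 characters.
sanitize_name() {
    local name=$1
    name=${name//[[:cntrl:]]/}     # bash pattern substitution, no subshell
    printf '%s' "${name:0:200}"    # substring expansion truncates in place
}

# 2. Bracket trick: the regex [.]opencode matches ".opencode" in a real
#    command line but not the literal text "[.]opencode" in grep's own argv,
#    so grep excludes itself without "grep -v grep" (which would also drop
#    any legitimate process whose arguments happen to mention "grep").
find_opencode() {
    grep -E '[.]opencode' || true  # reads ps-style lines from stdin
}

# 3. Bash regex instead of "echo | grep": one builtin test, zero forks.
#    The backslash-escaped spaces keep the pattern a single shell word;
#    the regex engine still receives a plain space.
is_protected() {
    local cmd=$1
    [[ "$cmd" =~ /full-loop|Supervisor\ Pulse|Strategic\ Review|language-server|eslintServer ]]
}

# 4. printf -v join: assemble "a,b,c" from the arguments without $(...).
join_reasons() {
    local joined
    if (( $# == 0 )); then printf ''; return 0; fi
    printf -v joined '%s,' "$@"
    printf '%s' "${joined%,}"      # drop the trailing comma
}

# 5. Exact parent-PID match with awk (the fix the PR description says is
#    already in place): field 2 must equal the PID exactly, so a parent
#    PID of 12 no longer matches every PID that merely contains "12".
children_of() {
    awk -v parent="$1" '$2 == parent { print $1 }'   # stdin: "pid ppid cmd"
}

# Constructed sample data for the demo and tests, not real ps output.
PS_SAMPLE=$'101 1 node /home/u/.opencode/bin/opencode\n202 1 grep -E [.]opencode\n303 1 node .opencode/bin/opencode --plugin grep-helper\n404 1 bash myopencode.sh'
PS_TREE=$'1234 12 worker\n99 1234 child-of-worker\n77 12 pulse\n120 7 other'

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
    sanitize_name $'evil\e[31m fake\nline'; echo
    printf '%s\n' "$PS_SAMPLE" | find_opencode
    is_protected 'node /srv/Supervisor Pulse/run.js' && echo protected
    join_reasons idle backlog timer; echo
    printf '%s\n' "$PS_TREE" | children_of 12
fi
```

The sanitiser removes the ESC byte as well as newlines, so a crafted command line can neither colour the log nor start a fake entry on its own line; the bracket-trick sample includes a process whose arguments mention "grep-helper", which a grep -v grep filter would have silently excluded.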

@github-actions github-actions bot added the bug Auto-created from TODO.md tag label Mar 5, 2026
@coderabbitai (Contributor) bot commented Mar 5, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4a6ff6a8-b790-4e30-af91-59f547ce8091

📥 Commits

Reviewing files that changed from the base of the PR and between 9fbc675 and 69edfae.

📒 Files selected for processing (1)
  • .agents/scripts/pulse-wrapper.sh

Walkthrough

This pull request addresses critical security vulnerabilities and robustness issues in the pulse-wrapper script's process filtering and logging logic. Changes replace unsafe grep -v "$$" patterns with precise Bash regex matching, sanitize logged process commands to prevent injection, optimize string construction with printf-based approaches, and strengthen process identification across multiple filtering sections without altering public function signatures.

Changes

  • Process Filtering and Identification (.agents/scripts/pulse-wrapper.sh): Replaced grep -v "$$" substring-matching vulnerabilities with shell pattern matching using Bash regex ([[ "$cmd" =~ ... ]]). Converted grep patterns (\.opencode to [.]opencode, /full-loop|Supervisor Pulse|... patterns) to Bash regex for host-agnostic, reliable process identification across multiple process guards and orphan cleanup sections.
  • Logging Sanitization (.agents/scripts/pulse-wrapper.sh): Added sanitization for command base names extracted from process listings before logging: strips non-printable characters and enforces length limits to prevent log injection attacks where malicious command lines could inject fake log entries or spoof system messages.
  • String Construction Optimization (.agents/scripts/pulse-wrapper.sh): Replaced subshell-based reconstruction of trigger reason strings with printf-based approaches (e.g., printf '%s,' "${reasons[@]}" | sed 's/,$//') to reduce subshell overhead while maintaining correct trailing-comma trimming in trigger/reason aggregation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🛡️ Grep's loose grip now tightened,
Bash regex logic enlightened,
Processes trapped by true PID,
Log injection schemes forbidden,
Shell safety newly brighten'd! ✨

🚥 Pre-merge checks: ✅ 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 't2892: fix quality-debt review feedback on pulse-wrapper.sh' directly references the linked issue and clearly summarizes the primary purpose of sanitizing and refactoring the script.
  • Linked Issues check: ✅ Passed. The pull request addresses all four findings from issue #2892: sanitizes process names to prevent log injection (medium findings), replaces grep -v grep with bracket patterns for robustness (medium findings), and removes subshell overhead with printf and regex matching (improvement). The critical grep -v $$ bypass was previously fixed.
  • Out of Scope Changes check: ✅ Passed. All changes are directly scoped to addressing the four findings from issue #2892: log sanitization, grep pattern replacement, subshell optimization, and regex matching improvements in pulse-wrapper.sh. No extraneous modifications detected.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@gemini-code-assist bot commented

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the pulse-wrapper.sh script by addressing several code quality, security, and performance concerns identified in recent code reviews. The changes focus on improving robustness against log injection, optimizing process filtering for accuracy and efficiency, and reducing subshell overhead for better script performance.

Highlights

  • Security Enhancement: Sanitized process names in log entries to prevent log injection via crafted command lines, stripping control characters and truncating to 200 characters.
  • Code Quality Improvement: Replaced the grep -v grep anti-pattern with the more robust bracket trick ([.]opencode) across four call sites to prevent false exclusions from substring matching.
  • Performance Optimization: Replaced echo "$cmd" | grep subshells with [[ "$cmd" =~ pattern ]] in cleanup_orphans(), eliminating two subshell forks per loop iteration.
  • Performance Optimization: Utilized printf -v instead of a subshell for string joining trigger_reasons, addressing feedback from a previous PR review.
Changelog
  • .agents/scripts/pulse-wrapper.sh
    • Sanitized process names in log entries to prevent log injection.
    • Replaced grep -v grep anti-pattern with bracket trick across multiple call sites for accurate process filtering.
    • Replaced echo "$cmd" | grep subshell with [[ "$cmd" =~ pattern ]] for efficient pattern matching.
    • Used printf -v instead of a subshell for string joining an array, improving performance.

@github-actions bot commented Mar 5, 2026

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 107 code smells

[INFO] Recent monitoring activity:
Thu Mar 5 13:53:44 UTC 2026: Code review monitoring started
Thu Mar 5 13:53:44 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 107

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 107
  • VULNERABILITIES: 0

Generated on: Thu Mar 5 13:53:46 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@gemini-code-assist bot left a comment

Code Review

This pull request introduces several valuable improvements, such as replacing grep -v grep anti-patterns, optimizing performance by removing subshells with [[ ... =~ ... ]] and printf -v, and adding log injection sanitization. These are all great changes. However, I've found a critical issue in the new regex patterns used for process filtering. The backslashes used to escape spaces are incorrect within the [[ ... =~ ... ]] construct, which will cause the pattern matching to fail and could lead to the script unintentionally killing important processes. I've left specific comments with suggestions to fix this.

Note: Security Review did not run due to the size of the PR.


# Skip active workers, pulse, strategic reviews, and language servers
if echo "$cmd" | grep -qE '/full-loop|Supervisor Pulse|Strategic Review|language-server|eslintServer'; then
if [[ "$cmd" =~ /full-loop|Supervisor\ Pulse|Strategic\ Review|language-server|eslintServer ]]; then
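Review bot: the backslash-escaped spaces in Supervisor\ Pulse and Strategic\ Review on the new line are correct, not a defect. In an unquoted [[ ... =~ ... ]] pattern the shell consumes the backslash and hands a plain space to the regex engine, so the pattern still matches a command line containing "Supervisor Pulse"; the escapes are required because a bare space would end the pattern word. No change is needed here, but a one-line comment above it explaining why the spaces are escaped would stop a later reader from "cleaning them up".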


critical

The backslashes in Supervisor\ Pulse and Strategic\ Review are incorrect for a regex pattern inside [[ ... ]]. They will be treated as literal backslashes, causing the pattern to not match strings containing "Supervisor Pulse" or "Strategic Review". This will break the intended logic of skipping these processes, potentially leading to them being killed incorrectly. The spaces do not need to be escaped in this context.

Suggested change
if [[ "$cmd" =~ /full-loop|Supervisor\ Pulse|Strategic\ Review|language-server|eslintServer ]]; then
if [[ "$cmd" =~ /full-loop|Supervisor Pulse|Strategic Review|language-server|eslintServer ]]; then
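Review bot: the suggested replacement on the second line does not parse. With the spaces unescaped, "Supervisor" ends the pattern word and "Pulse|Strategic" becomes an extra token inside [[ ... ]], so bash reports a syntax error in the conditional expression instead of evaluating the match. Keep the escaped form on the first line; if the escapes are felt to hurt readability, put the pattern in a variable and test with [[ "$cmd" =~ $pattern ]], which keeps the spaces inside one word.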


[[ "$tty" != "?" && "$tty" != "??" ]] && continue
echo "$cmd" | grep -qE '/full-loop|Supervisor Pulse|Strategic Review|language-server|eslintServer' && continue
[[ "$cmd" =~ /full-loop|Supervisor\ Pulse|Strategic\ Review|language-server|eslintServer ]] && continue


critical

Similar to the previous instance, the backslashes in the regex pattern are incorrect and will prevent it from matching process names with spaces, such as "Supervisor Pulse". This could lead to incorrectly killing processes that should be skipped. The spaces do not need to be escaped within the [[ ... =~ ... ]] construct.

Suggested change
[[ "$cmd" =~ /full-loop|Supervisor\ Pulse|Strategic\ Review|language-server|eslintServer ]] && continue
[[ "$cmd" =~ /full-loop|Supervisor Pulse|Strategic Review|language-server|eslintServer ]] && continue
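Review bot: this suggestion should not be applied either. The bare spaces on the second line split the regex into several words, which is a syntax error inside [[ ... ]], whereas the escaped form on the first line already matches "Supervisor Pulse" and "Strategic Review" because the shell turns "\ " into a literal space before the regex is compiled. The original line is correct as written.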

@marcusquinn (Owner, Author) commented

PR #2910 (t2893) was merged first and both target pulse-wrapper.sh. This PR likely has merge conflicts. Dispatching a worker to rebase and fix.

- Sanitize process names in log entries to prevent log injection via
  crafted command lines (strip control chars, truncate to 200 chars)
- Replace grep -v grep anti-pattern with bracket trick ([.]opencode)
  across 4 call sites — prevents false exclusions from substring match
- Replace echo | grep subshell with [[ =~ ]] in cleanup_orphans for
  process filtering — eliminates 2 subshell forks per iteration
- Use printf -v instead of subshell for trigger_reasons string join
  (PR #2886 review feedback)

The critical grep -v $$ security bypass was already fixed in a prior
refactor (guard_child_processes uses awk -v parent=$$ for exact match).

Closes #2892
@marcusquinn force-pushed the bugfix/t2892-pulse-wrapper-quality-debt branch from a86c4cf to 69edfae on March 5, 2026 14:28

@github-actions bot commented Mar 5, 2026

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 107 code smells

[INFO] Recent monitoring activity:
Thu Mar 5 14:28:34 UTC 2026: Code review monitoring started
Thu Mar 5 14:28:34 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 107

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 107
  • VULNERABILITIES: 0

Generated on: Thu Mar 5 14:28:37 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@sonarqubecloud bot commented Mar 5, 2026

@robstiles commented

Permission check failed for this PR (HTTP 403 from collaborator permission API). Unable to determine if @marcusquinn is a maintainer or external contributor. A maintainer must review and merge this PR manually. This is a fail-closed safety measure — the pulse will not auto-merge until the permission API succeeds.

@marcusquinn marcusquinn merged commit fefa759 into main Mar 5, 2026
20 checks passed
@marcusquinn marcusquinn deleted the bugfix/t2892-pulse-wrapper-quality-debt branch March 5, 2026 15:07

Labels

bug Auto-created from TODO.md tag

Projects

None yet

Development

Successfully merging this pull request may close these issues.

quality-debt: .agents/scripts/pulse-wrapper.sh — PR #2881 review feedback (critical)

2 participants