docs: add security follow-up tasks and plans #292

Merged: marcusquinn merged 2 commits into main from feature/you-can-create-the-branch-continue on Feb 3, 2026

Conversation

@marcusquinn (Owner) commented Feb 3, 2026

Summary by CodeRabbit

  • Chores
    • Updated project planning with five new backlog items and two new active plans focused on script integrity, shell/script hardening, and dashboard token storage security.
  • Bug Fixes
    • CLI/script now detects legacy loop-state files, warns users, and prevents automatic advancement when such legacy state is present.

@gemini-code-assist

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the project's security roadmap by documenting new, critical security tasks and outlining detailed plans for their implementation. It introduces strategies to improve the integrity of installation scripts and harden dashboard token storage, proactively addressing potential vulnerabilities and strengthening the overall security posture of the system.

Highlights

  • New Security Tasks Added: Five new security-related tasks (t104-t108) have been added to the TODO.md backlog. These tasks address critical areas such as install script integrity, safe usage of eval in shell scripts, and hardening dashboard token storage.
  • Install Script Integrity Hardening Plan: A detailed plan for 'Install Script Integrity Hardening' has been introduced in todo/PLANS.md. This plan aims to eliminate the use of curl | sh by implementing verified downloads and local execution, thereby reducing supply-chain exposure.
  • Dashboard Token Storage Hardening Plan: A comprehensive plan for 'Dashboard Token Storage Hardening' has been added to todo/PLANS.md. This plan focuses on migrating token storage from persistent localStorage to session/memory-based storage, along with a clear/reset flow, to mitigate XSS risks and prevent token leakage.
Changelog
  • TODO.md
    • Added five new security tasks (t104-t108) to the 'Backlog' section, focusing on script integrity, eval removal, and token storage.
  • todo/PLANS.md
    • Introduced a new 'Install Script Integrity Hardening' plan, detailing its purpose, context, and a four-phase progress breakdown.
    • Introduced a new 'Dashboard Token Storage Hardening' plan, outlining its purpose, context, and a three-phase progress breakdown.
    • Updated the TOON:active_plans metadata to include the two newly added security plans.
Activity
  • The pull request introduces new security tasks and detailed plans.
  • No human activity (comments, reviews) has been recorded yet.

@coderabbitai (Contributor) commented Feb 3, 2026

Walkthrough

Five backlog tasks (t104–t108) and two active plans (p013–p014) were added for script and token-storage hardening; the Active Plans index was updated. The loop helper script .agent/scripts/full-loop-helper.sh was changed to detect legacy Ralph/Claude loop state files and warn/stop auto-advancing when they exist.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Backlog Security Tasks: TODO.md | Added five backlog items t104–t108 focusing on shell/script hardening and dashboard token storage; TOON backlog index incremented to include these entries. |
| Active Planning Documents: todo/PLANS.md | Inserted two new Active Plans (p013, p014) dated 2026-02-03 with full planning scaffolding, milestones, decisions, and TOON plan blocks; updated Active Plans index to include them. |
| Loop Control / Legacy Detection: .agent/scripts/full-loop-helper.sh | After the Task phase in cmd_start and cmd_run_foreground, added checks for legacy loop-state files (.agent/loop-state/ralph-loop.local.state, .claude/ralph-loop.local.state), emit legacy-mode warnings and prevent auto-advancing (skip cmd_resume) when found. |

Sequence Diagram(s)

sequenceDiagram
    participant User as User
    participant Script as FullLoopHelper.sh
    participant LegacyFS as Legacy Loop-State Files
    participant Resumer as cmd_resume

    rect rgba(0,128,255,0.5)
    User->>Script: invoke cmd_start / cmd_run_foreground
    end

    rect rgba(0,200,100,0.5)
    Script->>LegacyFS: check for ralph-loop.local.state or .claude/ralph-loop.local.state
    LegacyFS-->>Script: exists / not exists
    end

    alt legacy state exists
        Script->>User: print legacy-mode warning and return (no auto-advance)
    else no legacy state
        Script->>Resumer: call cmd_resume (auto-advance)
        Resumer-->>Script: resume operations
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🔐 A few new tasks to harden the shell,
Legacy loops now ring a cautious bell,
Plans penned down with milestones bright,
Tokens guarded through the night,
Scripts march forward—only when it's well.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main changes: adding security-related follow-up tasks to TODO.md and two security hardening plans to PLANS.md, with shell script improvements in full-loop-helper.sh. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%. |


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

@augmentcode bot commented Feb 3, 2026

🤖 Augment PR Summary

Summary: This PR documents upcoming security follow-up work by adding new backlog items and formal plan entries.

Changes:

  • Added five security-related backlog tasks to TODO.md, including two that link to detailed plans
  • Created two new detailed plans in todo/PLANS.md: install script integrity hardening and dashboard token storage hardening
  • Outlined phased milestones, estimates, and placeholders for decision/discovery logs for each plan
  • Updated TOON active_plans metadata to include the two new plans and adjusted the count accordingly

Technical Notes: Plans focus on reducing supply-chain risk (eliminating curl|sh flows) and hardening dashboard token persistence (moving away from localStorage and adding reset/clear behavior).

🤖 Was this summary useful? React with 👍 or 👎

@augmentcode bot left a comment

Review completed. No suggestions at this time.

Comment augment review to trigger a new review at any time.

@gemini-code-assist bot left a comment

Code Review

This pull request adds several important security-related tasks to the backlog and provides detailed execution plans for two of them: hardening the install script integrity and securing dashboard token storage. The new tasks and plans are well-defined, follow the project's documentation standards, and address critical security areas. My review includes a couple of suggestions to make the security plans even more comprehensive by considering additional defense-in-depth measures.

Comment on lines +47 to +50
- [ ] (2026-02-03) Phase 1: Inventory all `curl|sh` usages and vendor verification options ~45m
- [ ] (2026-02-03) Phase 2: Replace with download → verify → execute flow ~2h
- [ ] (2026-02-03) Phase 3: Add fallback behavior and clear error messages ~45m
- [ ] (2026-02-03) Phase 4: Update docs/tests and verify behavior ~30m
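Review bot: Phase 3's "fallback behavior" leaves open what happens when verification cannot be completed (the digest or signature file is unavailable, or the verification tool is missing); the plan should state that the flow fails closed and never degrades to executing an unverified download, and the "clear error messages" should tell the user how to obtain and verify the script manually. Consider rewording it as "Phase 3: Fail-closed behavior on verification failure and clear error messages".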


Severity: medium

The plan to replace curl | sh is a great security improvement. To make the plan even more robust, consider explicitly prioritizing cryptographic signature verification (e.g., GPG/PGP) over simple checksums where available. While checksums ensure integrity against download corruption, signatures also verify authenticity, protecting against a compromised server providing both a malicious script and a matching malicious checksum.

You could add this to Phase 1: Inventory all curl|sh usages and vendor verification options (preferring signatures over checksums).
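The download → verify → execute flow discussed above, as an added shell example that is neither the project's code nor part of Gemini's comment: the installer URL, the pinned digest and the demo installer are all constructed here, and the pinned SHA-256 stands in for the vendor's published checksum (or, preferably, signature) that a real flow would verify against.

```shell
# Added example (not the project's code): fail-closed "download -> verify -> execute"
# in place of `curl URL | sh`. The installer lands in a private temp file, its SHA-256 is
# compared with a digest pinned by the caller, and it runs only when the two match.
set -eu
sha256_of() {
    # Digest helper for GNU coreutils (sha256sum) or BSD/macOS (shasum).
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else shasum -a 256 "$1" | awk '{print $1}'; fi
}

download() {
    # Fetch URL "$1" into file "$2". file:// is copied locally so the example runs
    # offline; anything else must be HTTPS and goes through curl with TLS 1.2+ enforced.
    case "$1" in
        file://*)  cp "${1#file://}" "$2" ;;
        https://*) curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1" ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# fetch_verify_exec URL EXPECTED_SHA256 [ARGS...]
# Status: 0 = verified and executed, 2 = download failed, 3 = digest mismatch.
# A checksum only proves integrity; where the vendor publishes a detached signature,
# verify it here as well, since a signature also proves who produced the script.
fetch_verify_exec() {
    local url="$1" expected="$2" tmpdir script actual rc=0
    shift 2
    tmpdir="$(mktemp -d)"; script="$tmpdir/install.sh"
    if ! download "$url" "$script"; then
        rm -rf "$tmpdir"; echo "download failed: $url" >&2; return 2
    fi
    actual="$(sha256_of "$script")"
    if [ "$actual" != "$expected" ]; then
        # Fail closed: a mismatch never falls back to running the unverified file.
        rm -rf "$tmpdir"; echo "digest mismatch for $url: got $actual" >&2; return 3
    fi
    sh "$script" "$@" || rc=$?
    rm -rf "$tmpdir"
    return "$rc"
}
# Constructed demo: a local script stands in for the vendor's installer.
demo() {
    local dir good; dir="$(mktemp -d)"
    printf '#!/bin/sh\necho "installer ran with: $*"\n' > "$dir/install.sh"
    good="$(sha256_of "$dir/install.sh")"
    fetch_verify_exec "file://$dir/install.sh" "$good" --prefix /opt/tool
    fetch_verify_exec "file://$dir/install.sh" "deadbeef" || echo "blocked, rc=$?"
    rm -rf "$dir"
}
demo
```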

Comment on lines +92 to +94
- [ ] (2026-02-03) Phase 1: Trace token flow and identify all storage/read paths ~45m
- [ ] (2026-02-03) Phase 2: Migrate to session/memory storage and update auth flow ~1.5h
- [ ] (2026-02-03) Phase 3: Add reset/clear UI flow and verify behavior ~45m
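Review bot: Phase 2 covers writing new tokens to session/memory storage but says nothing about tokens that earlier releases already persisted in localStorage; without an explicit removal step on first load after the migration, those copies stay readable and the exposure the plan is meant to close remains for existing users. Suggest adding to Phase 2 "remove any legacy localStorage token on startup", and having Phase 3's reset/clear flow clear both the new session/in-memory state and the legacy key.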


Severity: medium

This is an excellent plan for hardening token storage. Moving from localStorage to session or in-memory storage is a great step. To further enhance security and provide defense-in-depth against XSS, consider adding a task to this plan to review and enforce a strict Content Security Policy (CSP). A strong CSP can prevent the execution of unauthorized scripts, which is the root cause of XSS attacks that could steal tokens even from sessionStorage.

@github-actions bot commented Feb 3, 2026

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 406 code smells

[INFO] Recent monitoring activity:
Tue Feb 3 01:58:56 UTC 2026: Code review monitoring started
Tue Feb 3 01:58:56 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 406
Tue Feb 3 01:58:56 UTC 2026: Qlty - 0 issues found, auto-formatting applied
Tue Feb 3 01:58:58 UTC 2026: Codacy analysis completed with auto-fixes

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 406
  • VULNERABILITIES: 0

Generated on: Tue Feb 3 02:00:15 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@coderabbitai (Contributor) bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@TODO.md`:
- Around line 55-59: Add the five new tasks (t104, t105, t106, t107, t108) into
the TOON backlog block and update the backlog header count from 52 to 57 so the
<!--TOON:backlog[52]--> block matches the new task list; ensure the block
content includes the exact task lines for t104–t108 (with their tags and links)
and also update any internal count/summary references inside that same TOON
backlog block so automation (TOON/beads) stays consistent.

In `@todo/PLANS.md`:
- Around line 24-115: The TOON plan IDs p013 and p014 are duplicated; update the
new plans "Install Script Integrity Hardening" and "Dashboard Token Storage
Hardening" to use unique, unused plan IDs (e.g. pick next free IDs not already
assigned to Multi‑Agent Orchestration or Document Extraction) and update any
embedded TOON tags (the <!--TOON:plan{...}--> entries) to match; also correct
the active_plans array/count (active_plans[11] currently lists 12 entries) so
the index/count matches the actual number of entries and ensure any referenced
milestone or decision IDs inside those plan blocks (e.g., m064–m070) remain
consistent with the new plan IDs.


@github-actions bot commented Feb 3, 2026

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 406 code smells

[INFO] Recent monitoring activity:
Tue Feb 3 02:23:34 UTC 2026: Code review monitoring started
Tue Feb 3 02:23:35 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 406
Tue Feb 3 02:23:35 UTC 2026: Qlty - 0 issues found, auto-formatting applied
Tue Feb 3 02:23:37 UTC 2026: Codacy analysis completed with auto-fixes

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 406
  • VULNERABILITIES: 0

Generated on: Tue Feb 3 02:25:04 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@marcusquinn marcusquinn merged commit ebd50bc into main Feb 3, 2026
11 checks passed