
Conversation

Owner

@marcusquinn marcusquinn commented Feb 3, 2026

Summary

  • add backlog tasks and plans for security and deploy follow-ups
  • adjust TOON metadata counts and plan IDs
  • auto-advance full loop after v2 task completion

Summary by CodeRabbit

  • Chores
    • Enhanced task execution workflow with automatic phase advancement for foreground execution after Task phase completion, including legacy state detection
    • Expanded backlog tracking documentation with 8 new items
    • Added two new security hardening initiatives to active planning: script integrity and token storage protection

@gemini-code-assist

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the agent's operational efficiency by introducing an auto-advance feature for the full loop, which will reduce manual intervention in v2 task completion. Concurrently, it significantly strengthens the project's security posture by outlining and detailing future work on critical areas like script integrity, safe shell command execution, and secure token management. These changes collectively aim to improve both automation and overall system resilience.

Highlights

  • Automated Loop Advancement: The full-loop-helper.sh script now includes logic to automatically advance the full loop after a v2 task completes, streamlining the workflow. A warning is issued if the system is detected to be in a legacy mode, requiring manual resumption.
  • New Backlog Tasks Added: Several new backlog tasks have been added to TODO.md, focusing on critical security enhancements such as install script integrity hardening, removal of eval commands in various scripts, and dashboard token storage hardening. Additionally, some deployment-related bug fixes were listed.
  • Detailed Security Plans: Two comprehensive plans have been documented in todo/PLANS.md: 'Install Script Integrity Hardening' to mitigate supply-chain risks by verifying downloaded scripts, and 'Dashboard Token Storage Hardening' to improve security by moving tokens from localStorage to session/memory-based storage.
  • TOON Metadata Updates: The TOON metadata blocks in both TODO.md and todo/PLANS.md have been updated to accurately reflect the new backlog tasks and active plans, ensuring consistency in project tracking.
Changelog
  • .agent/scripts/full-loop-helper.sh
    • Added cmd_resume call to cmd_run_foreground for automatic loop advancement.
    • Implemented a check for legacy state files (ralph-loop.local.state) to prevent auto-advancement in older modes and provide a warning.
  • TODO.md
    • Introduced new backlog tasks (t104-t111) covering security hardening (e.g., install script integrity, eval removal, token storage) and deployment bug fixes.
    • Updated the TOON backlog metadata count from [52] to [60] and included the new task entries.
  • todo/PLANS.md
    • Added a new detailed plan for 'Install Script Integrity Hardening' (p016), outlining its purpose, context, and four phases of progress.
    • Added a new detailed plan for 'Dashboard Token Storage Hardening' (p017), describing its purpose, context, and three phases of progress.
    • Updated the TOON active plans metadata count from [9] to [12] and included the new plan entries (p016, p017).
Activity
  • No specific review comments or discussions have been recorded for this pull request yet.
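The "Install Script Integrity Hardening" plan summarized above replaces curl|sh with a download-verify-execute flow. What follows is an added example of that flow written for this page; it is not the project's install script and not the plan's actual implementation. The function names, the `INSTALL_SHELL` variable, the URL, the pinned digest and the constructed installer used in the comments are assumptions. The point it makes beyond the summary: the same temporary file that was hashed is the file that gets executed, the pinned digest is compared only after the download completed and failed loudly on HTTP errors, and the pin must come from somewhere other than the download host.

```shell
#!/bin/sh
# Added example, not the project's install script: the download-verify-execute
# flow that the Install Script Integrity Hardening plan describes as replacing
# `curl -fsSL URL | sh`. URL, digest, file names and INSTALL_SHELL are assumed.
set -e

# SHA-256 of a file, portable across GNU coreutils (sha256sum) and BSD/macOS (shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Fetch URL ($1) into DEST ($2): HTTPS only, including any redirect target,
# TLS 1.2+, fail on HTTP errors instead of saving an error page, and write to a
# file rather than streaming into a shell.
download() {
  curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
       --max-time 60 --output "$2" "$1"
}

# Compare FILE's digest with EXPECTED (hex, any case). The pinned value has to
# come from a source other than the download host (this repository, a signed
# release note); otherwise a compromised host rewrites both script and digest.
verify_sha256() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    printf 'integrity check failed for %s\n  expected %s\n  actual   %s\n' \
      "$file" "$expected" "$actual" >&2
    return 1
  fi
}

# Execute FILE (with any extra installer arguments) only after it verified.
# The file that was hashed is the file that runs, so nothing can change
# between the check and the use.
verify_and_run() {
  file="$1"; expected="$2"; shift 2
  verify_sha256 "$file" "$expected" || return 1
  "${INSTALL_SHELL:-sh}" "$file" "$@"
}

# Drop-in replacement for `curl -fsSL "$url" | sh -s -- "$@"`:
#   install_from_url https://example.invalid/install.sh <pinned-sha256> --prefix /opt/x
install_from_url() {
  url="$1"; expected="$2"; shift 2
  tmp=$(mktemp)
  if download "$url" "$tmp" && verify_and_run "$tmp" "$expected" "$@"; then
    rc=0
  else
    rc=$?
  fi
  rm -f "$tmp"
  return "$rc"
}
```

A digest pin only protects against the script changing after the pin was recorded; every legitimate update of the installer needs a new pin committed alongside it, which is the intended friction. Where the upstream publishes signatures, verifying those (and pinning the public key) is stronger than a bare hash because it survives installer updates without editing the consumer.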

@coderabbitai
Contributor

coderabbitai bot commented Feb 3, 2026

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 39 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

Introduces automatic phase advancement in the foreground execution loop with legacy state detection, expands the backlog with eight new tracked items, and adds two security-focused planning entries with comprehensive metadata to the active plans inventory.

Changes

Loop Phase Automation (.agent/scripts/full-loop-helper.sh): Adds auto-advance logic after Task phase completion; checks for legacy state indicators and either warns and exits or automatically invokes cmd_resume to proceed to the next phase.

Backlog Expansion (TODO.md): Adds eight new backlog items (t104–t111) with full metadata; updates the TOON backlog index from [52] to [60].

Active Plans Growth (todo/PLANS.md): Adds two new security-focused planning entries (Install Script Integrity Hardening and Dashboard Token Storage Hardening) with complete TOON metadata; updates the active plans index from [9] to [12].

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • PR #65: Modifies .agent/scripts/full-loop-helper.sh to handle legacy vs. new loop-state locations and adjust resume behavior with legacy-state checks.
  • PR #292: Directly related functional changes to cmd_run_foreground and loop-resume logic in the same script with legacy-state detection and auto-advance flow.
  • PR #33: Earlier foundational work on full-loop helper script's loop-resume behavior that this PR builds upon.

Poem

🚀 Scripts leap forward through each phase so neat,
Legacy whispers gently retreat,
Backlogs grow with purpose true,
Security plans harden the crew,
Zero debt—our A-grade beats the heat! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main changes: adding backlog tasks/plans and implementing loop auto-advance functionality in the shell script.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00%, which is sufficient; the required threshold is 80.00%.

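One of the eight backlog items this PR adds (t104–t111, per the review summaries above) is the removal of eval from the project's scripts. The block below is an added example for this page, not the project's code: it shows the injection that an eval-built command line allows, the direct replacement (pass data as arguments, never re-parse it), and the pattern for the case that usually attracts eval, a flag string that must become several arguments. The function names and the constructed hostile task title are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code: why the "remove eval" backlog task
# matters, next to the replacement pattern. Function names and the sample
# task title are constructed for illustration.
set -e

# BEFORE: the command is assembled as a string and handed to eval, so the
# shell parses the data a second time. $(...), backticks, ; and | inside $1
# become code running with the script's privileges.
log_task_unsafe() {
  cmd="printf 'task: %s\n' \"$1\""
  eval "$cmd"
}

# AFTER: the data travels as one argument. It is expanded exactly once and is
# never re-parsed, whatever characters it contains.
log_task_safe() {
  printf 'task: %s\n' "$1"
}

# The usual reason eval creeps in: optional flags arrive as one string (an env
# var, a config line) and must become several arguments. Split deliberately
# with word splitting and globbing switched off, never with eval. The flag
# string is still trusted configuration; untrusted data goes after it as
# its own arguments. A flag whose value contains whitespace cannot be
# expressed this way; in bash use an array instead ("${flags[@]}").
run_with_flags() {
  tool="$1"; flags="$2"; shift 2
  set -f                     # no pathname expansion while splitting $flags
  # shellcheck disable=SC2086
  set -- "$tool" $flags "$@"
  set +f
  "$@"
}

# Stand-alone demonstration with a constructed hostile title.
demo() {
  dir=$(mktemp -d)
  marker="$dir/pwned"
  title='Fix header $(touch '"$marker"')'   # data that merely looks like code

  log_task_unsafe "$title" >/dev/null
  [ -e "$marker" ] && echo "eval: the embedded touch ran, marker created"
  rm -f "$marker"

  log_task_safe "$title"
  [ -e "$marker" ] || echo "safe: title printed verbatim, nothing executed"

  run_with_flags env 'A=1 B=2' sh -c 'echo "flags split into args: $A$B"'
  rm -rf "$dir"
}

demo
```

When reviewing the scripts, the search is not only for `eval`: `sh -c "$string"`, `bash -c "$string"` and `ssh host "$string"` re-parse their argument in the same way and need the same treatment.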


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces an auto-advance feature for the v2 task loop and updates the project's backlog with new tasks and plans, primarily focused on security enhancements. The implementation for the loop auto-advance in full-loop-helper.sh is sound, correctly distinguishing between legacy and v2 modes. The documentation updates in TODO.md and PLANS.md are clear and add important context for upcoming work. I've identified a couple of areas for improvement: one regarding code maintainability in the shell script by centralizing path constants, and another concerning data consistency in TODO.md where the machine-readable and human-readable backlogs are out of sync. Addressing these points will enhance the quality and maintainability of the codebase.


# Auto-advance when task phase completes in v2.
# Legacy mode leaves a Ralph state file; in that case we must wait for manual completion.
if [[ -f ".agent/loop-state/ralph-loop.local.state" ]] || [[ -f ".claude/ralph-loop.local.state" ]]; then
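Review bot: both legacy-state tests use paths relative to the current working directory, so when the helper is run from a subdirectory, or from a CI job whose working directory is not the checkout root, neither `.agent/loop-state/ralph-loop.local.state` nor `.claude/ralph-loop.local.state` is found, the script concludes it is in v2 mode and auto-advances in precisely the case the comment says must wait for manual completion. Resolve the two paths against the repository root before the `-f` tests, for example `"$(git rev-parse --show-toplevel)/.agent/loop-state/ralph-loop.local.state"` or whatever base directory the script already uses for its v2 state, and treat a failure to locate the root as legacy/unknown (warn and stop) rather than as v2.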


medium

The file paths for legacy state files are hardcoded here. To improve maintainability and avoid duplicating these strings if they are used elsewhere, consider defining them as constants in a shared configuration file (e.g., shared-constants.sh). This centralizes path management, making future updates easier and reducing the risk of inconsistencies.

Comment on lines +256 to +258
t109,Fix template deploy head usage error (invalid option -z),,setup|deploy|bugfix,30m,20m,10m,2026-02-03T00:00Z,pending,,,
t110,Resolve awk newline warnings during setup deploy (system-reminder),,setup|deploy|bugfix,45m,30m,15m,2026-02-03T00:00Z,pending,,,
t111,Resolve DSPy dependency conflict (gepa) in setup flow,,python|dspy|deps,45m,30m,15m,2026-02-03T00:00Z,pending,,,
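Review bot: t109's title already pins the cause ("invalid option -z"), and that option is `head --zero-terminated`, a GNU coreutils extension that BSD/macOS `head` does not implement; the fix should drop the NUL-delimited read (a `tr`/`awk` pass over the input, or a loop with `read -d ''` in bash) rather than record a GNU coreutils dependency, or the template deploy step keeps failing on macOS hosts. Worth stating that in the task so whoever picks it up does not "fix" it with `brew install coreutils`.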


medium

There's an inconsistency between the human-readable backlog and the machine-readable TOON:backlog block. Tasks t109, t110, and t111 are present in this TOON block but are missing from the human-readable list of tasks in the backlog section above. To ensure maintainability and clarity, these two representations of the backlog should be kept in sync.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@TODO.md`:
- Around line 55-59: The human-readable TODO.md stops at t108 while the TOON
backlog contains t109–t111; update TODO.md by adding the missing t109, t110, and
t111 entries using the same item format as existing lines (checkbox, id, short
title, tags, estimate, parent plan link if present, and logged date) so the
human list exactly mirrors the TOON backlog; ensure each new line uses the same
syntax as examples (e.g., "- [ ] t109 ... `#tags` ~1h (ai:... test:...)
logged:YYYY-MM-DD") and verify IDs and titles match the canonical TOON entries.

In `@todo/PLANS.md`:
- Around line 96-100: Milestone ID collision: the <!--TOON:milestones[...] block
for plan_id p017 reuses IDs m068, m069, m070 already present in the Multi‑Agent
Orchestration plan; to fix, open the TOON milestone block (the comment starting
with <!--TOON:milestones[3]{...}...) and replace m068, m069, m070 with new
unique IDs that do not exist elsewhere (e.g., m0xx series), preserving plan_id
p017 and the rest of each row (desc, est, scheduled, status); after updating,
run your TOON/milestone validation script or search the repo for duplicate IDs
to confirm no collisions remain.
- Around line 52-57: The milestones block uses IDs m064–m067 which collide with
existing milestones; update the duplicate IDs in this TOON milestone fragment
(the entries with plan_id p016 and descriptions "Phase 1: Inventory curl|sh
usages...", "Phase 2: Replace with download-verify-execute flow...", "Phase 3:
Add fallback behavior and error messages", "Phase 4: Update docs/tests and
verify behavior") to new, unique IDs (e.g., m068–m071 or another unused
sequence) so TOON parsing/analytics won’t break, making sure all four IDs are
consistent and not used elsewhere in the file.

@sonarqubecloud

sonarqubecloud bot commented Feb 4, 2026

@github-actions

github-actions bot commented Feb 4, 2026

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 2 code smells

[INFO] Recent monitoring activity:
Wed Feb 4 04:38:09 UTC 2026: Code review monitoring started
Wed Feb 4 04:38:10 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 2
Wed Feb 4 04:38:10 UTC 2026: Qlty - 0 issues found, auto-formatting applied
Wed Feb 4 04:38:12 UTC 2026: Codacy analysis completed with auto-fixes

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 2
  • VULNERABILITIES: 0

Generated on: Wed Feb 4 04:39:45 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@marcusquinn marcusquinn merged commit 072616a into main Feb 4, 2026
11 checks passed