t2950: Fix quality-debt in setup.sh from PR #2936 review feedback

[marcusquinn]

Summary

• Remove 2>/dev/null from cmd_set calls persisting supervisor pulse consent (HIGH) — errors should be visible so users understand why consent wasn't saved, preventing silent re-prompting on next run
• Remove redundant 2>/dev/null from grep where file existence is already verified by preceding -f check (MEDIUM) — avoids masking permission errors on legacy config reads
• Single-quote all variable interpolations in crontab entry (MEDIUM/security) — prevents command injection via directory names containing shell metacharacters

All 4 findings from the Gemini code review on PR #2936 are addressed.

Closes #2950

Summary by CodeRabbit

• Bug Fixes
  • Improved error visibility and diagnostics in setup processes.
  • Enhanced configuration generation to properly handle file paths containing spaces and special characters.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses several quality-of-life and security improvements identified during a code review of a previous PR. The changes primarily focus on enhancing error visibility for critical operations and bolstering security by preventing command injection in generated cron jobs. The overall aim is to make the setup.sh script more robust, transparent, and secure for users.

Highlights

• Error Visibility: Removed 2>/dev/null from cmd_set calls that persist supervisor pulse consent, ensuring that any errors during this process are visible to the user instead of being silently suppressed. This prevents scenarios where consent might not be saved, leading to repeated prompts.
• Redundant Error Suppression Removal: Eliminated a redundant 2>/dev/null from a grep command used to read legacy configuration. Since file existence is already checked, removing this suppression allows permission errors on the configuration file to be exposed, aiding in debugging.
• Security Enhancement: Implemented single-quoting for all variable interpolations within the crontab entry generation. This change mitigates potential command injection vulnerabilities, particularly if directory names or other variables contain shell metacharacters.

Changelog

• setup.sh
  • Removed 2>/dev/null from a grep command reading legacy feature toggles.
  • Removed 2>/dev/null from cmd_set calls when recording supervisor pulse consent.
  • Single-quoted variables (OPENCODE_BIN, PULSE_DIR, wrapper_script) in the crontab entry generation to prevent command injection.

Activity

• The pull request was created by marcusquinn to address quality-debt from a previous PR's review feedback.
• The author explicitly states that all 4 findings from the Gemini code review on PR GH#2926: fix supervisor pulse consent model — default OFF, persist consent, never silently re-enable #2936 are addressed.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 18 minutes and 16 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2f1e1192-2b33-42ae-b334-d40b33cb815d

📥 Commits

Reviewing files that changed from the base of the PR and between dad309d and d420988.

📒 Files selected for processing (1)

• setup.sh

Walkthrough

Removes stderr suppression from grep and cmd_set calls to ensure error visibility, and adds proper quoting to crontab entry variables to prevent command injection vulnerabilities.

Changes

Cohort / File(s)	Summary
Error Handling & Security Hardening setup.sh	Remove 2>/dev/null redirection from legacy feature toggle grep (line 773) and explicit consent recording cmd_set calls (lines 815, 821) to surface errors. Add single quotes around environment variables in supervisor-pulse crontab entry (line 924) to prevent command injection via paths containing metacharacters.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

bug

Poem

Removing masks from errors, bright and clear,
Shell scripts that breathe without the fear,
Quotes protect against the sneaky space,
Security and visibility—the proper place. 🛡️

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly references fixing quality-debt in setup.sh based on PR #2936 review feedback, directly matching the pull request objectives and changes.
Linked Issues check	✅ Passed	All four review findings from issue #2950 are addressed: two HIGH findings on cmd_set stderr suppression removed (lines 815, 821), MEDIUM security finding on crontab quoting fixed, and MEDIUM finding on grep stderr suppression removed.
Out of Scope Changes check	✅ Passed	All changes directly address the four code review findings specified in issue #2950; no out-of-scope modifications are present.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bugfix/t2950-setup-quality-debt

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 108 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Fri Mar 6 15:48:34 UTC 2026: Code review monitoring started
Fri Mar 6 15:48:34 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 108

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 108
• VULNERABILITIES: 0

Generated on: Fri Mar 6 15:48:37 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@setup.sh`:
- Around line 922-925: The cron command interpolation can break if any path
contains an apostrophe; wrap the variables used in the crontab entry
(opencode_bin, _aidevops_dir, wrapper_script and any path injected into the
echoed line) with a shell_single_quote() sanitizer before embedding them into
the echo so single quotes inside paths are escaped safely; modify the block that
builds the cron entry (the subshell containing crontab -l | grep -v ... and the
echo "... # aidevops: supervisor-pulse") to call
shell_single_quote(opencode_bin), shell_single_quote(_aidevops_dir), and
shell_single_quote(wrapper_script) (and any other path vars) instead of
interpolating raw variables.
- Around line 771-776: The current assignment for _legacy_val uses a pipeline
(grep ... | tail -1 | cut -d= -f2) that will cause the script to exit under set
-euo pipefail if grep finds no match; change the logic so a missing key does not
produce a non-zero exit—e.g., run grep safely with a fallback (use grep -E ...
|| true or test with grep -q before command substitution), or replace the
pipeline with a single awk/parameter-expansion invocation that returns empty on
no match; update the block that sets _legacy_val and the surrounding conditional
that checks [[ -n "$_legacy_val" ]] so the assignment never aborts when
supervisor_pulse= is absent in the FEATURE_TOGGLES_USER file and
_pulse_user_config remains unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a921567f-f30b-4bce-8933-b16a5b8cf075

📥 Commits

Reviewing files that changed from the base of the PR and between 4a4b6c1 and dad309d.

📒 Files selected for processing (1)

• setup.sh

[gemini-code-assist]

Code Review

This pull request effectively addresses several quality-debt items from a previous review. The changes to remove error suppression (2>/dev/null) are correct and will improve debuggability by revealing potential permission or configuration errors. The addition of single quotes to the crontab entry is a good security enhancement. I have one suggestion to further harden the crontab entry against edge cases involving special characters in paths, which is included in the comments.

_{Note: Security Review did not run due to the size of the PR.}

[gemini-code-assist]

While single-quoting variables is a good improvement to handle paths with spaces, this is still vulnerable if any of the path variables contain a single quote. This could lead to parsing issues or command injection in the crontab.

To make this fully robust, you should also escape any single quotes within the variables. The standard way to do this in shell is to replace each ' with '\''.

Suggested change

	echo "*/2 * * * * OPENCODE_BIN='${opencode_bin}' PULSE_DIR='${_aidevops_dir}' /bin/bash '${wrapper_script}' >> '$HOME/.aidevops/logs/pulse-wrapper.log' 2>&1 # aidevops: supervisor-pulse"
	echo "*/2 * * * * OPENCODE_BIN='${opencode_bin//\'/'\''}' PULSE_DIR='${_aidevops_dir//\'/'\''}' /bin/bash '${wrapper_script//\'/'\''}' >> '${HOME//\'/'\''}/.aidevops/logs/pulse-wrapper.log' 2>&1 # aidevops: supervisor-pulse"

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 108 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Fri Mar 6 16:11:13 UTC 2026: Code review monitoring started
Fri Mar 6 16:11:13 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 108

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 108
• VULNERABILITIES: 0

Generated on: Fri Mar 6 16:11:16 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[marcusquinn]

@coderabbitai review

Both findings have been addressed in commit e633c8f:

1. Critical (line 788): Replaced grep|tail|cut pipeline with awk — awk always exits 0 on no match, safe under set -euo pipefail.
2. Major (line 944): Added shell_single_quote() function to escape apostrophes in paths before embedding in crontab entry.

Please re-review to resolve the CHANGES_REQUESTED state.

[coderabbitai]

@marcusquinn, thank you for the detailed summary of the changes in commit e633c8f. Both fixes look sound in principle:

1. Line 788 — Replacing the grep|tail|cut pipeline with awk is a clean and robust approach; awk exits 0 on no-match by default, making it safe under set -euo pipefail without needing error suppression.
2. Line 944 — Adding a dedicated shell_single_quote() helper to escape apostrophes before embedding paths into the crontab entry is a solid security-conscious pattern for handling edge-case paths.

Triggering a full re-review now to verify these changes and resolve the CHANGES_REQUESTED state.

---

🧠 Learnings used

Learnt from: marcusquinn
Repo: marcusquinn/aidevops PR: 0
File: :0-0
Timestamp: 2026-03-03T16:33:18.313Z
Learning: For the marcusquinn/aidevops repository: The daily quality sweep system (pulse-wrapper.sh) should only mention coderabbitai for full codebase review when there are significant changes (Quality Gate failure, +10 issues in one day, etc.), not on every automated sweep with stable metrics.

---

Learnt from: alex-solovyev
Repo: marcusquinn/aidevops PR: 0
File: :0-0
Timestamp: 2026-03-04T05:50:49.615Z
Learning: In the marcusquinn/aidevops repository: As of 2026-03-04, the chrome-webstore-helper.sh SC2119/SC2120 (load_credentials argument mismatch) and stash-audit-helper.sh SC2181 (indirect exit code checking) ShellCheck issues have been resolved. ShellCheck now reports 0 errors and 0 warnings for these files.

---

Learnt from: CR
Repo: marcusquinn/aidevops PR: 0
File: .github/instructions/codacy.instructions.md:0-0
Timestamp: 2026-02-24T04:43:58.695Z
Learning: If any issues are found after running `codacy_cli_analyze` on edited files, propose and apply fixes for them immediately

✅ Actions performed

Full review triggered.

Both findings addressed in commit e633c8f: (1) grep|tail|cut pipeline replaced with awk for pipefail safety, (2) shell_single_quote() added for crontab path escaping. Both review comments marked as resolved. All CI checks pass.

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 108 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Fri Mar 6 16:30:18 UTC 2026: Code review monitoring started
Fri Mar 6 16:30:18 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 108

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 108
• VULNERABILITIES: 0

Generated on: Fri Mar 6 16:30:21 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud