chore: mark t110 complete, add t119 for hotspots triage

TODO.md

@@ -219,8 +219,8 @@ Tasks with no open blockers - ready to work on. Use `/ready` to refresh this lis
     - Notes: Document Matrix bot setup on Cloudron. Create matrix-dispatch-helper.sh. Room-to-droid mapping. Message → claude -p → response flow.
   - [ ] t109.5 Documentation & examples ~3h blocked-by:t109.1,t109.2,t109.3
     - Notes: Update AGENTS.md with parallel agent guidance. Create example droids (code-reviewer, seo-analyst). Document when to use parallel vs sequential.
-- [ ] t110 Cron agent for scheduled task management #tools #automation #agents ~3h (ai:2h test:45m read:15m) logged:2026-02-04 started:2026-02-04T03:47Z
-  - Notes: Agent for setting up, managing, identifying, and debugging cron jobs that dispatch AI agents. Uses OpenCode server API for session management. Commands: list (show scheduled tasks), add (create new cron job), remove (delete cron job), logs (view execution history), debug (troubleshoot failed jobs). Integrates with existing mailbox system for task dispatch. Add to tools/automation/cron-agent.md.
+- [x] t110 Cron agent for scheduled task management #tools #automation #agents ~3h actual:1h (ai:2h test:45m read:15m) logged:2026-02-04 started:2026-02-04T03:47Z completed:2026-02-04
+  - Notes: Implemented cron-agent.md subagent, cron-helper.sh (list/add/remove/pause/resume/logs/debug/status/run), cron-dispatch.sh (OpenCode server API). Security hardened for remote use (HTTPS by default, proper array expansion). PRs #304, #305 merged.
 - [ ] t111 Objective runner with safety guardrails #tools #automation #agents ~4h (ai:2.5h test:1h read:30m) logged:2026-02-04
   - Notes: Long-running objective execution via stateless coordinator loop. Safety guardrails: budget limits (max tokens/cost), step limits (max iterations before human review), scope constraints (whitelist of allowed tools/paths), checkpoint reviews (pause after N steps for approval), rollback capability (git worktrees), audit log (all actions to memory). Creates objective-runner-helper.sh. Add to tools/automation/.
 - [ ] t112 VoiceInk to OpenCode via macOS Shortcut #tools #voice #automation ~1h (ai:45m test:15m) logged:2026-02-04 related:t080,t081
@@ -244,6 +244,8 @@ Tasks with no open blockers - ready to work on. Use `/ready` to refresh this lis
   - Notes: Implemented privacy-filter-helper.sh with scan/filter/apply/patterns commands. Detects 30+ patterns (credentials, PII, internal URLs). Integrates with secretlint. Created tools/security/privacy-filter.md documentation.
 - [ ] t118 Agent testing framework with OpenCode sessions #tools #testing #agents ~4h (ai:2.5h test:1h read:30m) logged:2026-02-04 related:t115
   - Notes: Framework for testing agent changes in isolated OpenCode sessions. Features: create test session, inject test prompts, capture responses, validate against expected patterns, compare before/after agent changes. Uses OpenCode server API. Create agent-test-helper.sh. Add to tools/build-agent/agent-testing.md.
+- [ ] t119 Triage SonarCloud security hotspots (53 pre-existing) #security #code-quality ~2h (ai:1.5h test:30m) logged:2026-02-04
+  - Notes: SonarCloud reports 53 security hotspots across helper scripts. Breakdown: S5332 (22 HTTP URLs - many localhost, intentional), S6506 (6 curl without HTTPS enforcement), S6505 (25 npm install without --ignore-scripts). Actions: 1) Mark localhost HTTP as safe in SonarCloud. 2) Add --proto '=https' to curl commands where appropriate. 3) Evaluate npm --ignore-scripts tradeoffs. 4) Configure sonar-project.properties exclusions for false positives.
 - [ ] t102 Claude-Flow Inspirations - Selective Feature Adoption #plan → [todo/PLANS.md#2026-01-31-claude-flow-inspirations---selective-feature-adoption] ~3d (ai:2d test:0.5d read:0.5d) logged:2026-01-31
   - [ ] t102.1 Cost-Aware Model Routing ~4h blocked-by:none
     - Notes: Create tools/context/model-routing.md with tier guidance (simple→haiku, code→sonnet, architecture→opus). Add model: field to subagent YAML frontmatter. Create /route command for model suggestions.