fix: address review feedback — qlty dispatcher, jq dedup, multi-remote detection, gitignore

[marcusquinn]

Summary

Fixes 4 bugs found during quality-debt triage and PR review feedback analysis, plus addresses all review feedback from CodeRabbit and Gemini on #3885.

Closes #3885

Changes

1. quality-cli-manager.sh — Qlty dispatcher uses wrapper script

The execute_cli_command() qlty case previously invoked the qlty binary directly, bypassing the qlty-cli.sh wrapper's load_api_config() auth setup. This meant QLTY_API_TOKEN, QLTY_COVERAGE_TOKEN, and QLTY_WORKSPACE_ID were never exported before qlty commands ran.

Fix: Route qlty through qlty-cli.sh wrapper (same pattern as coderabbit, codacy, sonar, snyk). This also eliminates the curl | bash security concern since the wrapper already uses the safe download-to-temp-file pattern.

2. quality-cli-manager.sh — Remove invalid QLTY_ORG positional argument

analyze_with_clis() appended $QLTY_ORG as a positional argument to qlty check, but qlty check only accepts [OPTIONS] [PATHS]... — not an organization argument. Organization context is configured via environment variables in qlty-cli.sh's load_api_config().

Fix: Removed the QLTY_ORG conditional and pass only $args to execute_cli_command.

3. quality-cli-manager.sh — Remove unreachable return statements

Three functions (install_clis, init_clis, analyze_with_clis) had unreachable return 0 after if/else blocks where both branches already return.

Fix: Removed the 3 unreachable return 0 statements.

4. stuck-detection-helper.sh — jq unique_by string concatenation collision

unique_by(.issue + .repo) concatenates strings, so issue "12" + repo "3" produces the same key as issue "1" + repo "23". This could silently drop valid entries.

Fix: unique_by([.issue, .repo]) uses array comparison, which is collision-free.

5. worktree-helper.sh — Multi-remote branch detection

branch_was_pushed() only checked origin remote. In fork workflows, this returns false even when the branch exists on another remote.

Fix: git for-each-ref "refs/remotes/*/$branch" checks all remotes. Also removed unnecessary 2>/dev/null (per Gemini review — git for-each-ref exits successfully with no output for non-matching patterns).

6. .gitignore — hostinger SSH key pattern gap

Existing pattern hostinger_* didn't match hostinger or hostinger.pub.

Fix: Added hostinger and hostinger.* patterns.

Review Feedback Addressed

Reviewer	Finding	Status
CodeRabbit	Critical: qlty bypasses wrapper auth setup	Fixed — routes through qlty-cli.sh
CodeRabbit	Critical: QLTY_ORG invalid positional arg	Fixed — removed
CodeRabbit	Nitpick: 3x unreachable return 0	Fixed — removed
CodeRabbit	Nitpick: curl|bash security	Fixed — wrapper uses safe pattern
Gemini	High: curl|bash security risk	Fixed — wrapper uses safe pattern
Gemini	Medium: remove 2>/dev/null from for-each-ref	Fixed
Gemini	High: unquoted $args fragile	Noted — refactoring entire call chain out of scope
Codacy	curl piped to bash	Fixed — wrapper uses safe pattern

CI Failures (not code-related)

• SonarCloud: Missing SONAR_TOKEN (infrastructure config issue)
• Monitor & Auto-Fix: 403 permissions error (GitHub Actions token scope)

Testing

• ShellCheck passes on all modified scripts
• Changes are minimal and targeted — no functional regressions expected

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 27 minutes and 26 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8e824384-c52a-462e-b4be-c0369dea1d39

📥 Commits

Reviewing files that changed from the base of the PR and between 7d99199 and 32d9eca.

📒 Files selected for processing (4)

• .agents/scripts/quality-cli-manager.sh
• .agents/scripts/stuck-detection-helper.sh
• .agents/scripts/worktree-helper.sh
• .gitignore

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bugfix/review-feedback-batch1

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the robustness and correctness of the quality CLI management system and related helper scripts. It addresses several identified bugs and incorporates feedback from code reviews, ensuring that various quality analysis tools function as intended, particularly concerning authentication, argument handling, and unique identification logic. Additionally, it refines Git operations for multi-remote setups and improves .gitignore coverage.

Highlights

• Qlty Dispatcher Fix: The qlty CLI command now correctly routes through its wrapper script, qlty-cli.sh, ensuring proper authentication setup and addressing a curl | bash security concern.
• Invalid QLTY_ORG Argument Removal: Removed the incorrect $QLTY_ORG positional argument from qlty check calls, as organization context is handled via environment variables.
• Unreachable Return Statements Clean-up: Eliminated three unreachable return 0 statements in install_clis, init_clis, and analyze_with_clis functions for cleaner code.
• jq unique_by Collision Fix: Corrected a jq unique_by logic in stuck-detection-helper.sh by changing string concatenation to array comparison ([.issue, .repo]) to prevent key collisions.
• Multi-Remote Branch Detection Improvement: Enhanced branch_was_pushed() in worktree-helper.sh to detect remote tracking branches across all Git remotes, not just 'origin', and removed unnecessary error redirection.
• .gitignore Hostinger Pattern Update: Expanded the .gitignore patterns for Hostinger SSH keys to include hostinger and hostinger.* for more comprehensive exclusion.

Changelog

• .agents/scripts/quality-cli-manager.sh
  • Updated execute_cli_command to correctly route 'qlty' CLI commands through its wrapper script, qlty-cli.sh.
  • Removed the conditional appending of $QLTY_ORG as a positional argument for qlty check.
  • Removed unreachable return 0 statements from install_clis, init_clis, and analyze_with_clis functions.
• .agents/scripts/stuck-detection-helper.sh
  • Modified jq's unique_by expression to use an array [.issue, .repo] instead of string concatenation to prevent hash collisions.
• .agents/scripts/worktree-helper.sh
  • Adjusted branch_was_pushed to check for remote tracking branches across all remotes using git for-each-ref.
  • Removed the 2>/dev/null redirection from the git for-each-ref command.
• .gitignore
  • Added hostinger and hostinger.* patterns to prevent Hostinger SSH keys from being committed.

Activity

• CodeRabbit identified critical issues regarding qlty bypassing wrapper auth setup and invalid QLTY_ORG arguments, which have been fixed.
• CodeRabbit suggested removing unreachable return 0 statements, which has been implemented.
• CodeRabbit and Gemini both highlighted the curl | bash security concern, which was addressed by routing through the safe wrapper pattern.
• Gemini recommended removing 2>/dev/null from git for-each-ref, which has been applied.
• Gemini noted that unquoted $args were fragile, but this was deemed out of scope for the current refactoring.
• Codacy also flagged the curl piped to bash issue, which is now fixed.
• SonarCloud CI failures are due to a missing SONAR_TOKEN (infrastructure config issue).
• Monitor & Auto-Fix CI failures are due to a 403 permissions error (GitHub Actions token scope).

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 366 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sun Mar 8 14:06:33 UTC 2026: Code review monitoring started
Sun Mar 8 14:06:34 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 366

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 366
• VULNERABILITIES: 0

Generated on: Sun Mar 8 14:06:36 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[gemini-code-assist]

Code Review

This pull request addresses several issues across multiple shell scripts and configuration. In quality-cli-manager.sh, the qlty command is now correctly dispatched through its wrapper script, and an invalid argument has been removed. Unreachable code has also been cleaned up. In stuck-detection-helper.sh, a potential data collision issue in jq's unique_by has been resolved by using an array for the key. The worktree-helper.sh script has been improved to detect pushed branches across all remotes, not just origin. The .gitignore file has been updated to correctly ignore more variations of hostinger files. The implemented fixes appear correct and align with the goals described in the pull request. I have not identified any new issues or further improvement opportunities in this set of changes.