t1412.4: recover closed PR #3098 runtime task scanning

[marcusquinn]

Summary

• Recover the missing worker-pipeline behavior from closed-unmerged PR t1412.4: Runtime content scanning for worker pipelines #3098 by reintroducing pre-dispatch task scanning in cron-dispatch.sh
• Scan each task with content-scanner-helper.sh before dispatch and branch on outcomes: clean, flagged/warn (wrap as untrusted data), and scanner-failed/unavailable (prepend UNSCANNED warning)
• Add explicit warning-level logging for scan outcomes to preserve security evidence in dispatch logs

Why

PR #3098 was closed unmerged, and its key pipeline behavior (scanning task descriptions before dispatch) was not present on main. This restores that safety control using the current scanner helper architecture already merged on main.

Verification

• shellcheck .agents/scripts/cron-dispatch.sh (SC1091 info only; no warnings/errors)
• .agents/scripts/content-scanner-helper.sh test (23 passed, 0 failed)
• Targeted runtime checks:
  • Clean input: scan-stdin => CLEAN (exit 0)
  • Malicious input: scan-stdin => FLAGGED (exit 1)
  • Annotation path: annotate-stdin emits [UNTRUSTED-DATA-{id}]...[/UNTRUSTED-DATA-{id}]

Linkage

• Recovers closed-unmerged t1412.4: Runtime content scanning for worker pipelines #3098

Summary by CodeRabbit

• New Features
  • Optional pre-dispatch content scanning for tasks to detect unsafe or flagged content.
  • Tasks are annotated with severity-aware warnings when issues are found, or marked "unscanned" if scanning fails or is unavailable.
  • Administrators can enable or disable content scanning; scan results are logged for visibility and troubleshooting.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• no-review

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fcf8a13a-84d1-41d3-a7ab-03a58f84a66d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

Adds pre-dispatch runtime content scanning to the cron-dispatch script using a configurable external helper; introduces CONTENT_SCANNER_HELPER, WORKER_CONTENT_SCANNING, and log_warn; annotates or prefixes tasks based on scanner exit codes and helper availability before dispatching.

Changes

Cohort / File(s)	Summary
Content Scanning Integration .agents/scripts/cron-dispatch.sh	Added readonly variables CONTENT_SCANNER_HELPER, WORKER_CONTENT_SCANNING, new function log_warn, and a pre-dispatch content-scanning block. Scanner invocation uses exit codes to log and annotate tasks (0 = clean, 1/2 = flagged/warn with untrusted wrapping, other codes or missing helper = UNSCANNED). Scanning logic duplicated across both job processing paths.

Sequence Diagram

sequenceDiagram
    participant CD as Cron Dispatch
    participant CSH as Content Scanner Helper
    participant Task as Task Input

    CD->>CD: Check WORKER_CONTENT_SCANNING && helper executable
    alt Scanning enabled & helper present
        CD->>CSH: Run scanner (scan-stdin) with Task
        CSH-->>CD: Exit code + output
        alt Exit 0
            CD->>CD: log clean scan
            CD->>Task: dispatch original task
        else Exit 1 or 2
            CD->>CD: log flagged/warn output
            CD->>Task: annotate/wrap as untrusted (severity based)
        else Other exit code
            CD->>CD: log scan failure + output
            CD->>Task: prefix with [UNSCANNED]
        end
    else Scanning enabled but helper missing OR scanning disabled
        CD->>CD: log helper missing or disabled
        CD->>Task: prefix with [UNSCANNED]
    end
    CD->>CD: Continue dispatch flow

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• GH#3916: Recover high-value hardening into mergeable replacement PR #4126 — Modifies and hardens content-scanner-helper.sh, directly related to the new helper invocation and IO behavior added here.

Suggested labels

needs-review

Poem

⚙️ A tiny guard before tasks take flight,
The scanner whispers: clean, warn, or fight.
Exit codes decide how the task is dressed,
Flags and prefixes keep inputs addressed,
Dispatch proceeds with checks shining bright. ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically references the recovery of PR #3098 functionality (runtime task scanning) in cron-dispatch.sh, directly matching the changeset's main objective.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bugfix/pr3098-recovery

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 400 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Wed Mar 11 14:40:24 UTC 2026: Code review monitoring started
Wed Mar 11 14:40:24 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 400

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 400
• VULNERABILITIES: 0

Generated on: Wed Mar 11 14:40:27 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request recovers and enhances the worker-pipeline behavior from a previously closed pull request by adding content scanning to task descriptions before dispatch. This ensures that potentially malicious or untrusted content is identified and handled appropriately, with detailed logging for security auditing.

Highlights

• Content Scanning: Reintroduces pre-dispatch task scanning in cron-dispatch.sh to enhance security.
• Task Handling: Scans each task with content-scanner-helper.sh before dispatch, branching on outcomes: clean, flagged/warn (wrap as untrusted data), and scanner-failed/unavailable (prepend UNSCANNED warning).
• Logging: Adds explicit warning-level logging for scan outcomes to preserve security evidence in dispatch logs.

Changelog

• .agents/scripts/cron-dispatch.sh
  • Implemented pre-dispatch content scanning for tasks.
  • Added logic to handle different scan outcomes (clean, flagged, failed).
  • Integrated warning-level logging for scan results.

Activity

• Reintroduced pre-dispatch task scanning from closed PR t1412.4: Runtime content scanning for worker pipelines #3098.
• Implemented content scanning using content-scanner-helper.sh.
• Added handling for clean, flagged/warn, and scanner-failed/unavailable outcomes.
• Included warning-level logging for scan outcomes.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/scripts/cron-dispatch.sh:
- Around line 331-355: The branch currently treats any scan_exit==1 as flagged;
instead, when CONTENT_SCANNER_HELPER scan-stdin returns exit 1, inspect
scan_result for an explicit scanner "flag" indicator (e.g., known token/keyword
the helper emits for FLAGGED or WARN) and only proceed with the flagged/warn
handling (the severity_label, annotate-stdin call, and wrapping into task) if
that marker is present; otherwise treat it as a scanner failure and follow the
UNSCANNED path (log the error and prepend the Runtime content scan failed
warning). Use the existing symbols scan_exit, scan_result,
CONTENT_SCANNER_HELPER scan-stdin, annotate-stdin, and task to implement this
conditional check.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 96eed225-b047-477f-821c-29f2e3dc404b

📥 Commits

Reviewing files that changed from the base of the PR and between 2f9a43a and ceb94cf.

📒 Files selected for processing (1)

• .agents/scripts/cron-dispatch.sh

[gemini-code-assist]

Code Review

This pull request reintroduces runtime task scanning before dispatch, a critical security feature. No new vulnerabilities were identified by the security review. The implementation is robust, handling various outcomes from the scanner including clean, flagged, and error states, and includes a new log_warn function for better logging. There is a suggestion to improve the robustness and clarity of how the scanner's output and exit code are captured, by using a more modern bash approach.

[gemini-code-assist]

The current method of capturing the exit code using ... || scan_exit=$? is a common but sometimes fragile idiom in shell scripting, especially if set -e were to be used. A more robust and modern approach in bash is to use process substitution with read to capture the output, and PIPESTATUS to capture the exit code of commands in a pipeline. This separates the concerns of capturing output and exit status, leading to clearer and more reliable code, aligning with the principle of robust exit code handling as described in our guidelines (Rule 4).

Suggested change

	local scan_result=""
	local scan_exit=0
	scan_result=$(printf '%s' "$task" | CONTENT_SCANNER_QUIET=true "$CONTENT_SCANNER_HELPER" scan-stdin 2>&1) || scan_exit=$?
	local scan_result scan_exit
	read -r -d '' scan_result < <(printf '%s' "$task" | CONTENT_SCANNER_QUIET=true "$CONTENT_SCANNER_HELPER" scan-stdin 2>&1)
	scan_exit=${PIPESTATUS[1]}

References

1. In shell scripts, capture a command's exit code in a variable instead of using $? directly in conditionals. This aligns with ShellCheck SC2181 and improves clarity for multi-way branches.

[marcusquinn]

Dispatching worker to address requested review changes.\n- Model: default headless rotation (anthropic/claude-sonnet-4-6 or openai/gpt-5.3-codex)\n- Branch: bugfix/pr3098-recovery\n- Scope: resolve CHANGES_REQUESTED feedback on runtime task scanning recovery PR\n- Attempt: 1 of 1\n- Direction: implement reviewer-requested deltas only and re-verify related checks

[marcusquinn]

Dispatching fix worker.

• Model: default headless rotation (anthropic/claude-sonnet-4-6 or openai/gpt-5.3-codex)
• Branch: bugfix/pr3098-recovery
• Scope: address changes-requested feedback and stabilize CI
• Attempt: 1 of 1
• Direction: push fixes to existing branch and keep issue linkage intact

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 402 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Wed Mar 11 16:42:56 UTC 2026: Code review monitoring started
Wed Mar 11 16:42:56 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 402

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 402
• VULNERABILITIES: 0

Generated on: Wed Mar 11 16:42:58 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[github-actions]

Missing issue link. This PR references issue #2645, but the PR body doesn't contain a closing keyword.

Add Closes #2645 to the PR description so GitHub auto-links and auto-closes the issue on merge.

[marcusquinn]

Supervisor restarted the worker after a stalled run.

• Model: codex (openai/gpt-5.3-codex)
• Branch: bugfix/pr3098-recovery
• Reason: >21h runtime with 0 commits (struggle_ratio: 49969)
• Diagnosis: worker failed to progress from review analysis to branch updates
• Next action: re-dispatched focused fix run for CHANGES_REQUESTED + failing checks on this PR

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 402 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Wed Mar 11 16:50:53 UTC 2026: Code review monitoring started
Wed Mar 11 16:50:53 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 402

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 402
• VULNERABILITIES: 0

Generated on: Wed Mar 11 16:50:55 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[marcusquinn]

Detected unresolved inline bot suggestion(s). Dispatching a focused fix worker to evaluate and apply valid suggestions before merge.