Conversation

@marcusquinn (Owner)

Summary

  • Critical fix: Added missing $SUPERVISOR_DB argument to both db() calls in the no_pr retry counter logic. Without it, sqlite3 treated the SQL string as a filename and failed silently — the retry counter never persisted, making the 5-attempt threshold unreachable (infinite retry loop).
  • Cleanup: Removed unused no_pr_key variable.
  • Robustness: Removed HOMEBREW_PREFIX guard around PATH augmentation for cron. The idempotent ":$PATH:" check already prevents duplicates; the guard was overly restrictive for cron environments where HOMEBREW_PREFIX may be set without all tool paths present.

Triage Results (PR #435, 4 threads)

Thread                      | Severity | Reviewer   | Verdict             | Action
db() missing $SUPERVISOR_DB | Critical | CodeRabbit | Valid bug           | Fixed
Unused no_pr_key variable   | Medium   | Gemini     | Valid               | Removed
HOMEBREW_PREFIX PATH guard  | High     | Gemini     | Valid concern       | Fixed
json_extract counter reset  | Minor    | CodeRabbit | Valid but by design | Acknowledged

All 4 threads replied to with evidence and resolved.

Testing

  • bash -n syntax check: PASS
  • ShellCheck: 0 new violations
  • test-batch-quality-hardening.sh: 55/56 pass (1 expected diff: deployed vs repo)

Refs: GH#438, t147.1

… HOMEBREW_PREFIX guard (t147.1)

- Add $SUPERVISOR_DB as first arg to both db() calls in no_pr retry
  counter logic (lines 3165, 3183). Without it, sqlite3 treated the SQL
  as a filename and failed silently — retry counter never persisted,
  making the 5-attempt threshold unreachable.
- Remove unused no_pr_key variable.
- Remove HOMEBREW_PREFIX guard around PATH augmentation. The idempotent
  PATH check already prevents duplicates; the guard was overly
  restrictive for cron environments where HOMEBREW_PREFIX may be set
  without all tool paths present.

Triaged all 4 unresolved review threads from PR #435:
- 3 fixed (critical db bug, unused var, PATH guard)
- 1 acknowledged won't-fix (json_extract counter reset is by design)

Refs: GH#438, t147.1
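An added, self-contained example (not code from supervisor-helper.sh or from this PR) that shows the three behaviours the summary and commit message describe: a db() wrapper that takes the database path as its first argument and refuses the SQL-as-filename call that made the original counter fail silently, the no_pr retry counter persisted with json_set/json_extract so the 5-attempt threshold is actually reached, and the idempotent ":$PATH:" augmentation that needs no HOMEBREW_PREFIX guard. The table name tasks, the columns id/error/updated_at, the helper names and the NO_PR_MAX constant are assumptions taken from the snippets on this page; the demo database is a constructed temp file and that part runs only when the sqlite3 CLI is installed.

```bash
#!/usr/bin/env bash
# Added example, not the project's supervisor-helper.sh. Assumed schema:
# tasks(id TEXT PRIMARY KEY, error TEXT, updated_at TEXT), as implied by the PR.
set -uo pipefail

NO_PR_MAX=5   # the 5-attempt threshold named in the PR summary (assumed name)

# db DBFILE SQL: always pass the database path explicitly. Refusing a first
# argument that is not an existing file turns "sqlite3 treated the SQL string
# as a filename" from a silent failure into a loud one.
db() {
    local dbfile="$1"; shift
    if [[ ! -f "$dbfile" ]]; then
        printf 'db: first argument must be a database file, got: %.40s\n' "$dbfile" >&2
        return 2
    fi
    sqlite3 "$dbfile" "$@"
}

# validate_task_id ID: allow-list the characters a task id may contain before
# it is interpolated into a SQL literal (same shape as the reviewer's regex).
validate_task_id() {
    [[ "$1" =~ ^[a-zA-Z0-9_.-]+$ ]]
}

# get_no_pr_count DBFILE TASK_ID: print the persisted counter, 0 when absent.
get_no_pr_count() {
    local dbfile="$1" task_id="$2"
    validate_task_id "$task_id" || { echo "invalid task_id: $task_id" >&2; return 1; }
    db "$dbfile" "SELECT COALESCE(
        (SELECT CAST(json_extract(error, '\$.no_pr_retries') AS INTEGER)
         FROM tasks WHERE id='$task_id'), 0);"
}

# record_no_pr DBFILE TASK_ID: increment the counter, persist it in the error
# column as JSON and print the new value. A failed persist is reported, not hidden.
record_no_pr() {
    local dbfile="$1" task_id="$2" n
    n=$(get_no_pr_count "$dbfile" "$task_id") || return 1
    n=$((n + 1))
    db "$dbfile" "UPDATE tasks
        SET error = json_set(COALESCE(error, '{}'), '\$.no_pr_retries', $n),
            updated_at = strftime('%Y-%m-%dT%H:%M:%SZ','now')
        WHERE id='$task_id';" || { echo "failed to persist no_pr counter for $task_id" >&2; return 1; }
    echo "$n"
}

# path_prepend DIR: prepend DIR to PATH unless it is already an element.
# The ":$PATH:" containment test is what makes this idempotent, so no
# HOMEBREW_PREFIX guard is needed to avoid duplicates under cron.
path_prepend() {
    local _p="$1"
    case ":$PATH:" in
        *":$_p:"*) return 0 ;;
    esac
    PATH="$_p:$PATH"
}

# Demo on constructed data; needs the sqlite3 CLI and is skipped otherwise.
if command -v sqlite3 >/dev/null 2>&1; then
    demo_db=$(mktemp)
    sqlite3 "$demo_db" "CREATE TABLE tasks (id TEXT PRIMARY KEY, error TEXT, updated_at TEXT);
                        INSERT INTO tasks (id) VALUES ('t147.1');"
    attempt=0
    until [[ "$attempt" -ge "$NO_PR_MAX" ]]; do
        attempt=$(record_no_pr "$demo_db" t147.1) || break
        echo "No PR found for t147.1 (attempt $attempt/$NO_PR_MAX)"
    done
    # The PR #435 bug: the SQL string passed as the only argument. The wrapper refuses it.
    db "SELECT 1;" 2>/dev/null || echo "db() refused the SQL-as-filename call (exit status $?)"
    rm -f "$demo_db"
fi
```

With the counter persisted, the loop above ends after five attempts; with the pre-fix call shape it would never have read anything but 0.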
@coderabbitai (Contributor)

coderabbitai bot commented Feb 7, 2026

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 18 minutes and 14 seconds before requesting another review.


@gemini-code-assist

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses several critical issues and improves the robustness and cleanliness of the supervisor script. The primary focus is on fixing a database interaction bug that caused the "no_pr" retry counter to fail silently, leading to infinite retry loops. Additionally, it refines how system PATHs are handled in cron environments and removes an unnecessary variable.

Highlights

  • Critical Database Fix: Corrected a critical bug by adding the missing "$SUPERVISOR_DB" argument to "db()" calls within the "no_pr" retry counter logic, preventing silent failures and infinite retry loops.
  • Path Augmentation Robustness: Enhanced script robustness by removing the "HOMEBREW_PREFIX" guard from PATH augmentation, allowing cron environments to correctly resolve tool paths even when "HOMEBREW_PREFIX" is set without all tools.
  • Code Cleanup: Cleaned up the codebase by removing the unused "no_pr_key" variable.
Changelog
  • .agents/scripts/supervisor-helper.sh
    • Removed the "if [[ -z "${HOMEBREW_PREFIX:-}" ]]; then ... fi" block, allowing PATH augmentation to proceed unconditionally, relying on the ":$PATH:" != ":$_p:" check for idempotency.
    • Modified two "db" command calls to include the "$SUPERVISOR_DB" argument, specifically in the "no_pr" retry counter logic.
    • Removed the declaration of the "no_pr_key" local variable as it was unused.
  • TODO.md
    • Updated the status of task "t142 bug: schema-validator-helper.sh set -e causes premature exit" from "[ ]" to "[x]" and added "completed:2026-02-07".
    • Updated the status of task "t135.9 P2-C: Add trap cleanup for temp files in setup.sh and mktemp scripts" from "[ ]" to "[x]" and added "completed:2026-02-07".
Activity
  • A critical bug regarding the missing "$SUPERVISOR_DB" argument in "db()" calls was identified by CodeRabbit and subsequently fixed.
  • An unused "no_pr_key" variable was flagged by Gemini and has been removed.
  • A high-severity concern about the "HOMEBREW_PREFIX" PATH guard, raised by Gemini, was addressed by removing the guard for improved robustness.
  • A minor point about "json_extract" counter reset, noted by CodeRabbit, was acknowledged as being by design.

@github-actions

github-actions bot commented Feb 7, 2026

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 26 code smells

[INFO] Recent monitoring activity:
Sat Feb 7 18:10:38 UTC 2026: Code review monitoring started
Sat Feb 7 18:10:38 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 26
Sat Feb 7 18:10:38 UTC 2026: Qlty - 0 issues found, auto-formatting applied
Sat Feb 7 18:10:40 UTC 2026: Codacy analysis completed with auto-fixes

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 26
  • VULNERABILITIES: 0

Generated on: Sat Feb 7 18:10:41 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@sonarqubecloud

sonarqubecloud bot commented Feb 7, 2026


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request effectively addresses a critical bug in the no_pr retry logic by adding the missing $SUPERVISOR_DB argument, which was causing an infinite loop. The cleanup of the unused no_pr_key variable and the removal of the restrictive HOMEBREW_PREFIX guard are also positive changes that improve code clarity and robustness.

My main concern is a potential SQL injection vulnerability in the database queries where $task_id is used directly. I've added specific comments with recommendations to validate this variable to mitigate the risk.

Comment on lines +3167 to 3169
no_pr_count=$(db "$SUPERVISOR_DB" "SELECT COALESCE(
(SELECT CAST(json_extract(error, '$.no_pr_retries') AS INTEGER)
FROM tasks WHERE id='$task_id'), 0);" 2>/dev/null || echo "0")


Severity: high (security-high)

This query appears to be vulnerable to SQL injection. The $task_id variable is interpolated directly into the SQL string. If this variable can be influenced by an external source, it could be manipulated to alter the query's logic, potentially affecting unintended rows or exposing data.

To mitigate this, I recommend validating the $task_id to ensure it conforms to an expected format before it's used in the query. For example:

if [[ ! "$task_id" =~ ^[a-zA-Z0-9_.-]+$ ]]; then
    log_error "Invalid task_id format: $task_id"
    return 1
fi

This validation should be performed before the database call.

log_warn "No PR found for $task_id (attempt $no_pr_count/5)"
# Store retry count in error field as JSON
db "UPDATE tasks SET error = json_set(COALESCE(error, '{}'), '$.no_pr_retries', $no_pr_count), updated_at = strftime('%Y-%m-%dT%H:%M:%SZ','now') WHERE id='$task_id';" 2>/dev/null || true
db "$SUPERVISOR_DB" "UPDATE tasks SET error = json_set(COALESCE(error, '{}'), '$.no_pr_retries', $no_pr_count), updated_at = strftime('%Y-%m-%dT%H:%M:%SZ','now') WHERE id='$task_id';" 2>/dev/null || true
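Review bot: both the SELECT earlier in this region (`2>/dev/null || echo "0"`) and this UPDATE (`2>/dev/null || true`) still discard sqlite3's stderr and exit status, which is exactly what let the missing $SUPERVISOR_DB argument fail silently until this PR; a future regression (wrong path, locked database, or an error column holding a plain non-JSON message, on which json_set raises "malformed JSON") would again read as zero retries and a successful persist, and the 5-attempt threshold would be unreachable with no trace. Suggest at least logging the failure with the helper already used here, e.g. `|| log_warn "Failed to persist no_pr retry count for $task_id"`, and treating a failed persist as a reason to stop retrying rather than to continue.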


Severity: high (security-high)

Similar to the SELECT query, this UPDATE query is also vulnerable to SQL injection via the $task_id variable. An unvalidated task_id could lead to unintended updates across multiple rows in the tasks table.

Please apply the same validation for $task_id before this query is executed to prevent this vulnerability.
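An added example (not the project's code, and not part of the review above) that makes the reviewer's concern concrete. On a constructed two-row tasks table, a task id carrying a single quote turns the interpolated UPDATE from the comment into one that touches every row; the allow-list check the reviewer proposes rejects that id before any SQL is built, and, as defense in depth, doubling embedded quotes when forming the literal leaves the crafted id matching nothing. The schema, the PAYLOAD value and the helper names are constructed for this example; the SQLite part runs only when the sqlite3 CLI is installed.

```bash
#!/usr/bin/env bash
# Added example, not from supervisor-helper.sh. Shows what an unvalidated
# task_id does to the UPDATE from the review thread, and two mitigations.
set -uo pipefail

# Primary control (the reviewer's allow-list): only these characters in a task id.
task_id_is_valid() { [[ "$1" =~ ^[a-zA-Z0-9_.-]+$ ]]; }

# Defense in depth: form a SQL string literal by doubling embedded single quotes.
# This only neutralises quotes; the allow-list above remains the primary check.
sql_literal() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"; }

# render_update_raw ID COUNT: the statement shape from the script, id pasted in.
render_update_raw() {
    printf "UPDATE tasks SET error = json_set(COALESCE(error, '{}'), '\$.no_pr_retries', %d) WHERE id='%s';" "$2" "$1"
}

# render_update_safe ID COUNT: same statement with the id passed through sql_literal.
render_update_safe() {
    printf "UPDATE tasks SET error = json_set(COALESCE(error, '{}'), '\$.no_pr_retries', %d) WHERE id=%s;" "$2" "$(sql_literal "$1")"
}

# rows_touched DBFILE SQL: run SQL on the same connection and print changes().
rows_touched() { sqlite3 "$1" "$2 SELECT changes();"; }

PAYLOAD="t1' OR '1'='1"   # constructed malicious task id

if command -v sqlite3 >/dev/null 2>&1; then
    demo_db=$(mktemp)
    sqlite3 "$demo_db" "CREATE TABLE tasks (id TEXT PRIMARY KEY, error TEXT);
                        INSERT INTO tasks (id) VALUES ('t1'), ('t2');"
    echo "interpolated : $(rows_touched "$demo_db" "$(render_update_raw "$PAYLOAD" 1)") rows touched"
    echo "quoted literal: $(rows_touched "$demo_db" "$(render_update_safe "$PAYLOAD" 1)") rows touched"
    rm -f "$demo_db"
fi
task_id_is_valid "$PAYLOAD" || echo "rejected by allow-list before any SQL was built: $PAYLOAD"
```

The interpolated form reports 2 rows touched (both tasks get a retry counter), the quoted form 0, and the allow-list never lets the id reach the query at all; the validation belongs before both the SELECT and the UPDATE, as the review says.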
