t3657: address PR #1688 review feedback — path resolution, sqlite busy_timeout, shared token extraction

[marcusquinn]

Summary

Addresses unactioned review feedback from PR #1688 (t1114 ROI cost tracking feature). All findings verified against current code before applying.

Fixes applied

CodeRabbit — pattern-tracker-helper.sh L353-368

• Added .timeout 5000 to the raw sqlite3 INSERT in cmd_record to prevent SQLITE_BUSY failures under concurrent access. Other sqlite3 calls in this file use the same pattern; this brings the new INSERT into line.

Gemini — evaluate.sh L793-796 and memory-integration.sh L254-258

• Both scripts set pattern_helper="${SCRIPT_DIR}/pattern-tracker-helper.sh" as the primary lookup. In the supervisor context, SCRIPT_DIR resolves to .agents/scripts/supervisor-archived/, so this path never exists. Fixed by trying ${SCRIPT_DIR}/../pattern-tracker-helper.sh first (sibling directory), then the original ${SCRIPT_DIR}/ path, then the $HOME fallback.

CodeRabbit — memory-integration.sh L228-243 (duplicated token extraction)

• The camelCase/snake_case token extraction block was identical in evaluate.sh and memory-integration.sh. Extracted into extract_tokens_from_log() in supervisor-archived/_common.sh (which is sourced before both modules). Uses module-level globals _EXTRACT_TOKENS_IN/_EXTRACT_TOKENS_OUT for bash 3.2 compatibility (macOS ships bash 3.2; local -n namerefs require bash 4.3+). Verified with unit tests covering empty path, non-existent file, camelCase, and snake_case formats.

Note: The awk variable rename (or → outr) flagged by CodeRabbit was already applied in the original PR commit — confirmed at pattern-tracker-helper.sh:69.

Closes #3657

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 7 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 22367eae-c4df-45aa-ad6a-eff9388f0f22

📥 Commits

Reviewing files that changed from the base of the PR and between 853ddda and 7019c16.

📒 Files selected for processing (4)

• .agents/scripts/archived/pattern-tracker-helper.sh
• .agents/scripts/supervisor-archived/_common.sh
• .agents/scripts/supervisor-archived/evaluate.sh
• .agents/scripts/supervisor-archived/memory-integration.sh

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bugfix/t3657-qd-pr1688

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses previously unactioned review feedback from a prior feature (t1114 ROI cost tracking). The changes focus on improving the robustness of SQLite operations, ensuring correct script path resolution in various execution environments, and centralizing duplicated code for token extraction to enhance maintainability and reduce redundancy across scripts.

Highlights

• SQLite Busy Timeout: Added a 5-second timeout to the sqlite3 INSERT command in pattern-tracker-helper.sh to prevent SQLITE_BUSY errors during concurrent database access, aligning it with other SQLite operations in the file.
• Path Resolution Fixes: Corrected the resolution logic for pattern-tracker-helper.sh in evaluate.sh and memory-integration.sh to properly locate the script when executed in a supervisor context, by first checking a sibling directory.
• Shared Token Extraction: Extracted the duplicated camelCase/snake_case token extraction logic from evaluate.sh and memory-integration.sh into a new reusable function extract_tokens_from_log() in _common.sh, improving code reusability and maintainability.

Changelog

• .agents/scripts/archived/pattern-tracker-helper.sh
  • Introduced a 5-second timeout for SQLite INSERT operations to enhance robustness against concurrent access.
• .agents/scripts/supervisor-archived/_common.sh
  • Implemented extract_tokens_from_log function to provide a shared utility for parsing token counts from log files, supporting both camelCase and snake_case formats.
• .agents/scripts/supervisor-archived/evaluate.sh
  • Improved the path resolution for pattern-tracker-helper.sh to correctly locate it in supervisor contexts.
  • Refactored token count extraction by delegating to the new extract_tokens_from_log function in _common.sh.
• .agents/scripts/supervisor-archived/memory-integration.sh
  • Refactored token count extraction by delegating to the new extract_tokens_from_log function in _common.sh.
  • Improved the path resolution for pattern-tracker-helper.sh to correctly locate it in supervisor contexts.

Activity

• This pull request directly addresses unactioned review feedback from PR t1114: Track opus vs sonnet token cost ratio in pattern tracker for ROI analysis #1688 (t1114 ROI cost tracking feature), with all findings verified against the current codebase.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 347 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sat Mar 14 07:45:17 UTC 2026: Code review monitoring started
Sat Mar 14 07:45:17 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 347

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 347
• VULNERABILITIES: 0

Generated on: Sat Mar 14 07:45:20 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[gemini-code-assist]

Code Review

The pull request effectively addresses feedback from a prior review by fixing a script path resolution, improving SQLite write robustness with a timeout, and refactoring duplicated code into a shared function. These are all positive changes. However, my review identified a critical SQL injection vulnerability in a modified line within pattern-tracker-helper.sh. The suggested fix now emphasizes the use of parameterized queries for sqlite3 for robust protection, while providing an immediate escaping solution. Additionally, I've provided a more comprehensive performance improvement for the newly created extract_tokens_from_log function, optimizing I/O and parsing efficiency by consolidating commands and using awk.

[gemini-code-assist]

This line is vulnerable to SQL injection. The variables $mem_id and $sql_strategy are directly embedded into the SQL query string. If their values contain a single quote, an attacker could break out of the string and execute arbitrary SQL commands, which is a critical security risk.

For sqlite3 in shell scripts, the most robust way to prevent SQL injection is to use parameterized queries with .param set within a helper function. This separates the SQL command from the data, eliminating injection risks. As an immediate fix for this line, you must escape single quotes within these variables before they are used in the query. The standard way to escape a single quote in SQL is to double it (''). You can achieve this in bash using parameter expansion: ${variable//'/'/''}.

Suggested change

	sqlite3 -cmd ".timeout 5000" "$MEMORY_DB" "INSERT OR REPLACE INTO pattern_metadata (id, strategy, quality, failure_mode, tokens_in, tokens_out, estimated_cost) VALUES ('$mem_id', '$sql_strategy', $sql_quality, $sql_failure_mode, $sql_tokens_in, $sql_tokens_out, $sql_estimated_cost);" 2>/dev/null || log_warn "Failed to store pattern metadata for $mem_id"
	sqlite3 -cmd ".timeout 5000" "$MEMORY_DB" "INSERT OR REPLACE INTO pattern_metadata (id, strategy, quality, failure_mode, tokens_in, tokens_out, estimated_cost) VALUES ('${mem_id//'/'/''}', '${sql_strategy//'/'/''}', $sql_quality, $sql_failure_mode, $sql_tokens_in, $sql_tokens_out, $sql_estimated_cost);" 2>/dev/null || log_warn "Failed to store pattern metadata for $mem_id"

References

1. Employ a defense-in-depth strategy for handling user-provided input. Sanitize input at the entry point using a strict allowlist, and also apply context-specific escaping or safe handling mechanisms (e.g., parameterized queries for SQL, --arg for jq) at each point of use.
2. To prevent SQL injection in shell scripts using sqlite3, create a helper function that uses .param set for safe parameterized bindings instead of direct string interpolation.

[gemini-code-assist]

The current implementation for extracting token counts can be inefficient, as it may read the log file from disk up to four separate times. For large log files, this can lead to a noticeable performance degradation.

You can significantly improve efficiency by reading the file only once to gather all potential matches. Furthermore, instead of repeated grep | cut pipelines, consider using a single awk command or a while IFS='=' read -r key value loop to parse the extracted matches, which is more efficient and readable for processing multiple key-value pairs from a single source. Also, the initial grep | sed pipeline can be consolidated into a single sed command for further optimization.

Suggested change

	local raw_in raw_out
	raw_in=$(grep -oE '"inputTokens":[0-9]+' "$log_file" 2>/dev/null | tail -1 | grep -oE '[0-9]+' || true)
	raw_out=$(grep -oE '"outputTokens":[0-9]+' "$log_file" 2>/dev/null | tail -1 | grep -oE '[0-9]+' || true)
	if [[ -z "$raw_in" ]]; then
	raw_in=$(grep -oE '"input_tokens":[0-9]+' "$log_file" 2>/dev/null | tail -1 | grep -oE '[0-9]+' || true)
	fi
	if [[ -z "$raw_out" ]]; then
	raw_out=$(grep -oE '"output_tokens":[0-9]+' "$log_file" 2>/dev/null | tail -1 | grep -oE '[0-9]+' || true)
	fi
	local matches raw_in raw_out
	matches=$(sed -nE 's/.*"(inputTokens|input_tokens|outputTokens|output_tokens)":([0-9]+).*/\1:\2/p' "$log_file" 2>/dev/null || true)
	if [[ -n "$matches" ]]; then
	read -r raw_in raw_out <<< "$(echo "$matches" | awk -F: '
	/^(inputTokens|input_tokens):/ { last_in=$2 }
	/^(outputTokens|output_tokens):/ { last_out=$2 }
	END { print last_in, last_out }
	')"
	fi

References

1. Optimize shell script pipelines by replacing 'grep | sed' combinations with a single, more efficient 'sed' command where possible to improve performance.
2. When parsing multiple key-value pairs from a single source in shell scripts, use a single 'while IFS='=' read -r key value' loop instead of repeated 'grep | cut' pipelines to improve efficiency and readability.