fix(auto-update): detect script drift when VERSION matches to prevent stale pulse (GH#4727)

[alex-solovyev]

Summary

• Adds a sentinel-based script drift check to auto-update-helper.sh that detects when deployed scripts differ from the repo even when VERSION matches
• Prevents the "fix merged but not deployed" gap that caused Codacy false-positive issues to recur

Root Cause (GH#4727)

The Codacy not_collected false-positive issue recurred despite being fixed in PR #4704 because:

1. PR t4696: fix Codacy not_collected misclassification in failure miner #4704 fixed gh-failure-miner-helper.sh (merged 07:43 today)
2. setup.sh was not run after the merge — no auto-deploy on merge
3. The pulse ran at 08:40 using the old deployed version from ~/.aidevops/
4. The old script still treated Codacy ACTION_REQUIRED as a CI failure
5. The pulse LLM saw the systemic cluster and created duplicate issue bug: Codacy Static Code Analysis returning not_collected on PRs (systemic, 3+ events) #4727

The existing stale check only compared VERSION files. Since the fix in PR #4704 was a script change without a version bump, the stale check did not trigger.

Fix

Added an else branch to the existing VERSION stale check that:

• Compares SHA-256 of gh-failure-miner-helper.sh between repo and deployed
• If hashes differ (script drift), runs setup.sh --non-interactive to re-deploy
• Uses sha256sum (Linux) with shasum -a 256 (macOS) fallback
• Skips silently if either file is missing (safe for fresh installs)

Immediate Mitigation

The fixed gh-failure-miner-helper.sh was manually deployed to ~/.aidevops/ in this session. The pulse will now correctly report 0 failed events for Codacy.

Verification

• ShellCheck: zero violations
• gh-failure-miner-helper.sh prefetch --pulse-repos --since-hours 24: reports failed events: 0, systemic clusters: 0
• Sentinel hash check logic tested: sha256sum comparison works on Linux; shasum -a 256 fallback for macOS

Closes #4727

Summary by CodeRabbit

• Chores
  • Added automatic drift detection for deployed agents. The system now detects when agent deployments are out of sync with the repository and automatically triggers a re-deployment to restore consistency.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6ee9558d-1a8c-4891-94a9-a71f00ffb3f6

📥 Commits

Reviewing files that changed from the base of the PR and between 38a0a40 and 4a07abd.

📒 Files selected for processing (1)

• .agents/scripts/auto-update-helper.sh

---

Walkthrough

The PR adds drift-detection logic to the cmd_check function in the auto-update helper script. When deployed and local versions match, it compares SHA-256 hashes of a sentinel script. If drift is detected, it logs a warning and triggers a non-interactive redeployment via setup.sh to refresh deployed agents.

Changes

Cohort / File(s)	Summary
Drift Detection & Redeployment .agents/scripts/auto-update-helper.sh	Added SHA-256 sentinel-file comparison logic to detect deployment drift when versions align. Triggers non-interactive redeployment via setup.sh if sentinel hashes diverge, with fallback from sha256sum to shasum and conditional execution based on file existence.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• fix: add recovery logic to auto-update cmd_check() for diverged/dirty repos #4245: Modifies cmd_check() with recovery/cleanup and authenticated remote-version fetching, complementing the new drift-detection approach.
• t1524: Fix aidevops update to detect and deploy stale agents #4001: Adds VERSION-file validation to cmd_check for stale agent detection and non-interactive redeployment, using similar trigger patterns.
• GH#4142: fix auto-update recovery for dirty tree, diverged branch, and API rate limits #4144: Enhances cmd_check with recovery/freshness logic and GitHub API fallback, operating alongside the sentinel hash validation.

Suggested labels

bug

Poem

🔍 When deployed code drifts from its source,
SHA-256 stands guard, of course!
Hashes differ, redeploy it fast,
Agents refresh, no more outdated past. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding script drift detection to auto-update-helper.sh when VERSION matches, with reference to the linked issue GH#4727.
Linked Issues check	✅ Passed	The pull request successfully implements all coding requirements from issue #4727: detecting script drift via SHA-256 hash comparison, triggering re-deployment when hashes differ, and providing platform-specific fallbacks (sha256sum/shasum).
Out of Scope Changes check	✅ Passed	All changes are within scope: the modification to auto-update-helper.sh exclusively adds drift-detection logic to address the stale script issue described in #4727, with no unrelated alterations.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/codacy-not-collected-redeploy

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 347 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sat Mar 14 09:15:48 UTC 2026: Code review monitoring started
Sat Mar 14 09:15:48 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 347

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 347
• VULNERABILITIES: 0

Generated on: Sat Mar 14 09:15:50 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud