Conversation

@marcusquinn (Owner) commented Jan 13, 2026

Summary

Recovers valuable improvements from a stashed bugfix branch that was never merged.

Changes

Secretlint Improvements:

  • Add check_rules_installed() to detect missing rule presets before scanning
  • Add validate_secretlint_setup() for comprehensive installation validation
  • Handle exit code 2 (configuration error) separately from exit code 1 (secrets found)
  • Add rule validation in show_status() command for better diagnostics
  • Document "Failed to load rule module" error and fix in secretlint.md

Markdown/Style Fixes:

  • Add system-reminder to markdownlint allowed HTML tags
  • Fix markdown code block syntax (use text/bash instead of bare blocks)

Dependencies:

  • Update dspyground from ^0.1.0 to ^0.2.0

Why This Matters

The secretlint rule validation prevents confusing "scan failed" errors when users have secretlint installed but are missing the required rule presets. This was a common issue causing false negatives in secret detection.

Summary by CodeRabbit

  • New Features

    • Enhanced Secretlint setup validation to detect missing rule dependencies and provide installation guidance.
  • Documentation

    • Added troubleshooting guidance for common Secretlint configuration and installation issues.
    • Updated documentation formatting and README content for clarity.
  • Chores

    • Updated dspyground dependency to version 0.2.0.


…ndling

- Add check_rules_installed() to detect missing rule presets
- Add validate_secretlint_setup() for comprehensive validation
- Handle exit code 2 (configuration error) separately from secrets found
- Add rule validation in show_status() command
- Document Failed to load rule module error and fix in secretlint.md
- Add system-reminder to markdownlint allowed HTML tags
- Fix markdown code block syntax (use text/bash instead of bare blocks)
- Update dspyground dependency to ^0.2.0
@coderabbitai bot (Contributor) commented Jan 13, 2026

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 9 minutes and 35 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 448e6a5 and a4f62b5.

📒 Files selected for processing (1)
  • .agent/scripts/secretlint-helper.sh

Walkthrough

Introduces Secretlint rule validation mechanisms to verify preset installations in shell scripts, extends troubleshooting documentation with remediation guidance, updates a dependency version, and applies formatting standardization across documentation files for consistency.

Changes

Cohort / File(s) | Summary

  • Secretlint Validation (.agent/scripts/secretlint-helper.sh)
    Added check_rules_installed() function to detect and validate Secretlint rule preset installations (local/global), and validate_secretlint_setup() to aggregate binary and rule validation checks. Integrated rule checks into scan workflow with error handling for exit code 2.
  • Secretlint Troubleshooting (.agent/tools/code-review/secretlint.md)
    Expanded troubleshooting guidance with remediation steps for failed rule module loading, exit code 2 handling, and enhanced examples including preset installation in global setups.
  • Configuration Updates (.markdownlint.json, package.json)
    Updated Markdown linting rule MD033 to allow "system-reminder" element; bumped dspyground dependency from ^0.1.0 to ^0.2.0.
  • Documentation Formatting (.opencode/MCP-TESTING-GUIDE.md, templates/home/.agent/README.md, templates/home/git/.agent/README.md, tests/toon-test-documents/sample.md, todo/PLANS.md)
    Standardized code fence syntax with language specifiers (text, bash), removed emoji from headers, added "Authoritative Source" section, and appended generation metadata.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🔐 Rules now validate before they scan,
Secrets checked with a cleaner plan,
Docs aligned from the top down,
Zero debt in this DevOps town! 🚀

🚥 Pre-merge checks | ✅ 3 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main changes: adding rule installation validation and improving error handling for Secretlint, which directly aligns with the primary objectives of the PR.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.


@gemini-code-assist bot commented

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the robustness and user experience of the Secretlint integration by adding comprehensive validation for rule installations and improving error handling. The primary goal is to prevent users from encountering confusing 'scan failed' messages when the underlying issue is a missing rule preset, which was a common cause of false negatives in secret detection. By clearly differentiating between actual secret findings and setup problems, and providing better diagnostic tools and documentation, this change makes the Secretlint setup and troubleshooting process much smoother.

Highlights

  • Improved Secretlint Rule Validation: Introduced check_rules_installed() and validate_secretlint_setup() functions to detect and report missing Secretlint rule presets before scanning, preventing cryptic 'scan failed' errors.
  • Enhanced Error Handling: The run_secretlint_scan() function now distinguishes between secrets found (exit code 1) and configuration/installation errors (exit code 2), providing more specific feedback to the user.
  • Better Diagnostics: The show_status() command now includes rule installation validation, offering clearer insights into the Secretlint setup.
  • Updated Documentation: The secretlint.md documentation has been updated to explain common errors like 'Failed to load rule module' and 'Scan fails with exit code 2', along with their respective fixes.
  • Markdown Style Fixes: Markdownlint configuration was updated to allow system-reminder HTML tags, and several markdown code blocks were updated to use explicit language types (e.g., text, bash).
  • Dependency Update: The dspyground dependency has been updated from ^0.1.0 to ^0.2.0.

@github-actions bot commented

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 256 code smells

[INFO] Recent monitoring activity:
Tue Jan 13 22:55:06 UTC 2026: Code review monitoring started
Tue Jan 13 22:55:06 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 256
Tue Jan 13 22:55:06 UTC 2026: Qlty - 0 issues found, auto-formatting applied
Tue Jan 13 22:55:08 UTC 2026: Codacy analysis completed with auto-fixes

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 256
  • VULNERABILITIES: 0

Generated on: Tue Jan 13 22:55:47 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces valuable improvements to the secretlint integration by adding validation for rule installation and enhancing error handling. These changes will significantly improve the user experience by providing clearer diagnostics for configuration issues. The core logic in secretlint-helper.sh is solid, but I've identified a few opportunities to improve maintainability, reduce redundancy, and fix a bug that suppresses important error messages. The accompanying documentation and markdown style updates are well-executed and beneficial.

Comment on lines 661 to 663
if check_rules_installed "$SECRETLINT_CONFIG_FILE" 2>/dev/null; then
print_success "All configured rules are installed"
fi
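Review bot: besides the `2>/dev/null` that both reviewers flag, this `if` has no `else` branch, so once the redirect is removed a failing rule check still leaves show_status without a verdict of its own; only whatever check_rules_installed printed appears, and the "Rule Installation:" section ends with no line saying the check failed. Suggest pairing the redirect removal with an explicit failure line, e.g. `else print_error "Some configured rules are missing"; fi`, so the status report always states whether the configured rules resolved.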


high

There's a bug in how check_rules_installed is called within the show_status function. Redirecting stderr to /dev/null (2>/dev/null) will suppress the detailed error messages that check_rules_installed prints when it detects missing rules.

When a user runs $0 status to diagnose problems, they should see the list of missing packages. By suppressing stderr, they will see no output for a failed check, which can be confusing. Please remove the 2>/dev/null redirection to ensure diagnostic messages are always visible.

Suggested change
if check_rules_installed "$SECRETLINT_CONFIG_FILE" 2>/dev/null; then
print_success "All configured rules are installed"
fi
if check_rules_installed "$SECRETLINT_CONFIG_FILE"; then
print_success "All configured rules are installed"
fi

Comment on lines +97 to +135
check_rules_installed() {
local config_file="${1:-$SECRETLINT_CONFIG_FILE}"

if [[ ! -f "$config_file" ]]; then
return 2
fi

# Extract rule IDs from config
local missing_rules=()

# Check for preset-recommend (most common)
if grep -q "secretlint-rule-preset-recommend" "$config_file"; then
if ! npm list @secretlint/secretlint-rule-preset-recommend &>/dev/null; then
if ! npm list -g @secretlint/secretlint-rule-preset-recommend &>/dev/null; then
missing_rules+=("@secretlint/secretlint-rule-preset-recommend")
fi
fi
fi

# Check for pattern rule
if grep -q "secretlint-rule-pattern" "$config_file"; then
if ! npm list @secretlint/secretlint-rule-pattern &>/dev/null; then
if ! npm list -g @secretlint/secretlint-rule-pattern &>/dev/null; then
missing_rules+=("@secretlint/secretlint-rule-pattern")
fi
fi
fi

if [[ ${#missing_rules[@]} -gt 0 ]]; then
print_error "Missing required secretlint rules:"
for rule in "${missing_rules[@]}"; do
echo " - $rule"
done
print_info "Install with: npm install --save-dev ${missing_rules[*]}"
return 1
fi

return 0
}
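Review bot: both `npm list` probes (local, then `-g`) exit non-zero for any problem in the dependency tree (unmet, invalid or extraneous packages), not only when the queried package is absent, so a project with an unrelated broken node_modules is reported as "Missing required secretlint rules" and told to reinstall a package it already has. Consider resolving the module the way secretlint itself loads it, e.g. `node -e "require.resolve('$pkg')"`, or at least distinguishing "npm list reported tree problems" from "package not found" in the message. The two blocks also repeat the same local-then-global probe for each rule; a loop over a rule-to-package map, as suggested in the next comment, removes that duplication.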


medium

To improve maintainability and reduce code duplication, the check_rules_installed function can be refactored. The current implementation has separate, nearly identical blocks for each rule check.

By using an associative array to map configuration strings to their corresponding npm package names, you can iterate through the rules in a loop. This makes the code cleaner and simplifies adding or removing rule checks in the future.

check_rules_installed() {
    local config_file="${1:-$SECRETLINT_CONFIG_FILE}"
    
    if [[ ! -f "$config_file" ]]; then
        return 2
    fi
    
    local missing_rules=()
    # Map of config string to package name
    local -A rules_map=(
        ["secretlint-rule-preset-recommend"]="@secretlint/secretlint-rule-preset-recommend"
        ["secretlint-rule-pattern"]="@secretlint/secretlint-rule-pattern"
    )
    
    for config_string in "${!rules_map[@]}"; do
        if grep -q "$config_string" "$config_file"; then
            local package_name="${rules_map[$config_string]}"
            if ! npm list "$package_name" &>/dev/null && ! npm list -g "$package_name" &>/dev/null; then
                missing_rules+=("$package_name")
            fi
        fi
    done
    
    if [[ ${#missing_rules[@]} -gt 0 ]]; then
        print_error "Missing required secretlint rules:"
        for rule in "${missing_rules[@]}"; do
            echo "  - $rule"
        done
        print_info "Install with: npm install --save-dev ${missing_rules[*]}"
        return 1
    fi
    
    return 0
}

Comment on lines 138 to 154
validate_secretlint_setup() {
local has_issues=0

# Check binary
if ! check_secretlint_installed; then
has_issues=1
fi

# Check rules if config exists
if [[ -f "$SECRETLINT_CONFIG_FILE" ]]; then
if ! check_rules_installed; then
has_issues=1
fi
fi

return $has_issues
}
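Review bot: the `[[ -f "$SECRETLINT_CONFIG_FILE" ]]` guard means an absent config file is silently treated as a healthy setup (has_issues stays 0), yet the scan this PR is hardening cannot run without one and will still fail with the exit code 2 path. Suggest reporting the missing config as its own setup problem, e.g. `print_error "No $SECRETLINT_CONFIG_FILE found"` and `has_issues=1` in an `else` branch, so a zero return from validate_secretlint_setup actually means "a scan can run".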


medium

The validate_secretlint_setup function can be simplified for better readability and to remove redundant logic.

The explicit check if [[ -f "$SECRETLINT_CONFIG_FILE" ]] is unnecessary because the called function check_rules_installed already handles the case where the configuration file doesn't exist by returning a specific exit code (2).

You can make the logic clearer by calling check_rules_installed once and then checking its exit code to determine if there's an issue. This function should only flag missing rules (exit code 1) as an issue, not a missing configuration file.

Suggested change
validate_secretlint_setup() {
local has_issues=0
# Check binary
if ! check_secretlint_installed; then
has_issues=1
fi
# Check rules if config exists
if [[ -f "$SECRETLINT_CONFIG_FILE" ]]; then
if ! check_rules_installed; then
has_issues=1
fi
fi
return $has_issues
}
validate_secretlint_setup() {
local has_issues=0
# Check binary
if ! check_secretlint_installed; then
has_issues=1
fi
# Check rules, ignoring "no config" errors (exit code 2)
check_rules_installed
if [[ $? -eq 1 ]]; then
has_issues=1
fi
return $has_issues
}
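Review bot: in the suggested version, a bare `check_rules_installed` followed by `if [[ $? -eq 1 ]]` (ShellCheck SC2181) breaks as soon as the script runs under `set -e`, which this hunk does not show but which a helper script commonly enables: the bare call returning 1 or 2 terminates the script before `$?` is ever read. Capture the status in a conditional context instead, `if check_rules_installed; then rc=0; else rc=$?; fi`, and then `[[ $rc -eq 1 ]] && has_issues=1`; this keeps the "ignore exit code 2" intent and behaves the same with or without errexit.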

- Remove 2>/dev/null from show_status to preserve diagnostic output
- Simplify validate_secretlint_setup to handle exit codes properly

@augmentcode bot commented Jan 13, 2026

🤖 Augment PR Summary

Summary: Improves Secretlint integration by validating rule preset installation up-front and making scan failures easier to diagnose.

Changes:

  • Added check_rules_installed() to detect missing Secretlint rule presets referenced by .secretlintrc.json before running a scan.
  • Added validate_secretlint_setup() to perform a combined binary + rule validation flow.
  • Updated scan handling to treat exit code 2 as a configuration/installation error (separate from exit code 1 for secrets found).
  • Enhanced status output to include rule-installation diagnostics.
  • Expanded Secretlint docs with troubleshooting for “Failed to load rule module …” and guidance for exit code 2.
  • Adjusted markdownlint allowed HTML tags (adds system-reminder) and corrected fenced code block language hints.
  • Bumped dependency dspyground from ^0.1.0 to ^0.2.0.

Technical Notes: Rule validation uses npm list (local then global) to confirm required rule modules are present and provides install commands when they are not.

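The helper's rule check greps for two fixed preset names and probes npm for each, and the PR's other change separates exit code 1 (secrets found) from exit code 2 (configuration error). As an added example, not code from secretlint-helper.sh or from any of the reviewers, the POSIX sh below generalises the same idea: it extracts every rule id from a constructed .secretlintrc.json (secretlint rule ids double as npm package names), probes npm locally and then globally, keeps the 0/1/2 return contract, and classifies the scanner's own exit status so a "secrets found" result is never reported as a setup problem. The function names `secretlint_rule_ids`, `package_installed`, `classify_scan_exit`, `run_scan`, the `SECRETLINT_EXAMPLE_DEMO` switch and the sample config are all assumptions of this example, not part of the project.

```shell
#!/usr/bin/env sh
# Added example, not code from secretlint-helper.sh. Generic rule-preset
# validation for a .secretlintrc.json plus scan exit-status classification,
# written in POSIX sh (no bash 4 associative arrays). Assumptions: secretlint
# rule ids are npm package names; package_installed() may be overridden.

# Write a constructed sample config (not a real project's file) to "$1".
write_sample_config() {
  cat > "$1" <<'EOF'
{
  "rules": [
    { "id": "@secretlint/secretlint-rule-preset-recommend" },
    { "id": "@secretlint/secretlint-rule-pattern" }
  ]
}
EOF
}

# Print every rule id referenced by the config, one per line, de-duplicated.
# Returns 2 when the config file is absent. Caveat: this flat extraction also
# picks up ids nested under a preset's "rules" overrides, which the preset
# package provides itself; such configs need a real JSON parser (e.g. jq).
secretlint_rule_ids() {
  [ -f "$1" ] || return 2
  grep -o '"id"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" |
    sed 's/.*:[[:space:]]*"\([^"]*\)"/\1/' |
    sort -u
}

# Probe npm for a package: local project tree first, then the global tree.
# Note: npm ls exits non-zero for any dependency-tree problem (unmet or
# extraneous packages), not only when "$1" is absent, so treat a "missing"
# verdict as "could not confirm" and re-check with a bare `npm ls`.
package_installed() {
  npm ls "$1" >/dev/null 2>&1 || npm ls -g "$1" >/dev/null 2>&1
}

# 0 = every referenced rule resolves, 1 = some missing (listed on stderr with
# the install command), 2 = config file absent. Same contract as the PR.
check_rules_installed() {
  ids=$(secretlint_rule_ids "$1") || return 2
  missing=""
  for id in $ids; do
    package_installed "$id" || missing="$missing $id"
  done
  if [ -n "$missing" ]; then
    echo "Missing required secretlint rules:$missing" >&2
    echo "Install with: npm install --save-dev$missing" >&2
    return 1
  fi
  return 0
}

# Map a scanner exit status to a verdict word so callers never confuse
# "secrets found" (1) with "configuration/installation error" (2).
classify_scan_exit() {
  case "$1" in
    0) echo "clean" ;;
    1) echo "secrets-found" ;;
    2) echo "config-error" ;;
    *) echo "unknown" ;;
  esac
}

# run_scan CONFIG SCANNER [ARGS...]: validate rules, then run the scanner and
# echo the verdict. Exit status mirrors the scanner (or 2 for setup problems).
run_scan() {
  config="$1"; shift
  if check_rules_installed "$config"; then
    if "$@" >/dev/null 2>&1; then status=0; else status=$?; fi
  else
    status=2   # rules missing or config absent: nothing was scanned
  fi
  classify_scan_exit "$status"
  return "$status"
}

# Stand-alone demo against the real secretlint CLI; skipped unless requested,
# so sourcing this file for its functions has no side effects.
if [ "${SECRETLINT_EXAMPLE_DEMO:-0}" = 1 ]; then
  cfg=$(mktemp); write_sample_config "$cfg"
  run_scan "$cfg" npx secretlint "**/*"; rc=$?
  rm -f "$cfg"; exit "$rc"
fi
```

Source the file and call `run_scan .secretlintrc.json npx secretlint "**/*"`; the verdict word goes to stdout, the missing-rule list and install command to stderr, and the exit status stays usable in CI. Redefining `package_installed` after sourcing lets a test drive the missing-rule path without touching npm. POSIX sh was chosen over bash associative arrays because the latter need bash 4, which the default shell on macOS does not provide.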


@augmentcode augmentcode bot left a comment


Review completed. 1 suggestions posted.


# Validate rule installation
print_info "Rule Installation:"
if [[ -f "$SECRETLINT_CONFIG_FILE" ]]; then
if check_rules_installed "$SECRETLINT_CONFIG_FILE" 2>/dev/null; then


In show_status, check_rules_installed ... 2>/dev/null suppresses print_error output (stderr), so the “Missing required secretlint rules” header can disappear while the rule list still prints to stdout. Consider not redirecting stderr (or redirecting both streams) so the diagnostics remain clear when rules are missing.


@github-actions bot commented

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 256 code smells

[INFO] Recent monitoring activity:
Tue Jan 13 22:57:40 UTC 2026: Code review monitoring started
Tue Jan 13 22:57:40 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 256
Tue Jan 13 22:57:41 UTC 2026: Qlty - 0 issues found, auto-formatting applied
Tue Jan 13 22:57:43 UTC 2026: Codacy analysis completed with auto-fixes

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 256
  • VULNERABILITIES: 0

Generated on: Tue Jan 13 22:58:25 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@marcusquinn marcusquinn merged commit 162091c into main Jan 13, 2026
12 of 13 checks passed
@marcusquinn marcusquinn deleted the bugfix/postflight-worktree-support branch January 13, 2026 23:01