fix: guard empty plugin_namespaces array in setup.sh deploy #784

Merged
marcusquinn merged 2 commits into main from bugfix/setup-plugin-array
Feb 9, 2026

marcusquinn (Owner) commented Feb 9, 2026

Summary

  • setup.sh deploy_aidevops_agents() crashes with 'unbound variable' when no plugins.json exists
  • Root cause: iterating empty array with set -u (nounset) enabled
  • Broke supervisor post-PR lifecycle deploy step (t132.4 failed)
  • Fix: guard all three plugin_namespaces iteration sites with array length check

Summary by CodeRabbit

  • New Features

    • Added a GitHub authentication check and token caching to reduce interactive prompts and improve reliability of automated/cron workflows.
  • Chores

    • Optimized deployment script to skip unnecessary processing when no plugin namespaces are configured, improving deployment efficiency.

With set -u (nounset), iterating an empty array via ${arr[@]} triggers
'unbound variable' error. This broke setup.sh deploy for users without
plugins.json, causing the supervisor post-PR lifecycle to fail at the
deploy step (t132.4 failed with 'Deploy (setup.sh) failed').

Guard all three iteration sites with array length check.
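
The failure and the guard described in this PR, as an added example that is not code from setup.sh. `plugin_namespaces` is the PR's array; the function names, the base directory entries and the `--exclude=` form are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from setup.sh. plugin_namespaces is the PR's array;
# function names, base entries and the --exclude= form are constructed.
set -u

# Probe this shell: bash before 4.4 aborts on "${empty[@]}" under nounset,
# 4.4 and later expand it to nothing. Runs in a subshell so the caller survives.
nounset_empty_array_probe() {
    if ( empty=(); for x in "${empty[@]}"; do :; done ) 2>/dev/null; then
        echo "tolerated"
    else
        echo "aborts"
    fi
}

# Guard used in the PR: touch the array only when it has elements.
build_preserved_dirs() {
    local -a plugin_namespaces=("$@")          # empty when no plugins.json
    local -a preserved_dirs=("custom" "draft") # constructed base entries
    if [[ ${#plugin_namespaces[@]} -gt 0 ]]; then
        preserved_dirs+=("${plugin_namespaces[@]}")
    fi
    printf '%s\n' "${preserved_dirs[@]}"
}

# Alternative without an if: ${arr[@]+...} yields nothing for an empty array
# on every bash version, and keeps elements containing spaces intact.
build_rsync_excludes() {
    local -a plugin_namespaces=("$@")
    local -a args=()
    local pns
    for pns in ${plugin_namespaces[@]+"${plugin_namespaces[@]}"}; do
        args+=("--exclude=${pns}/")
    done
    [[ ${#args[@]} -eq 0 ]] || printf '%s\n' "${args[@]}"
}

echo "empty array under set -u on bash ${BASH_VERSION}: $(nounset_empty_array_probe)"
build_preserved_dirs                      # no namespaces: prints custom, draft
build_rsync_excludes "acme" "my tools"    # constructed namespaces
```
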
@gemini-code-assist

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves a critical issue in the setup.sh deployment script where an 'unbound variable' error would occur if no plugins.json file was present, leading to an empty plugin_namespaces array. The fix ensures the script's robustness by conditionally iterating over the array only when it contains elements, preventing deployment failures and ensuring the supervisor post-PR lifecycle deploy step completes successfully.

Highlights

  • Critical Deployment Fix: Resolves an 'unbound variable' crash in the setup.sh deployment script that occurred when the plugin_namespaces array was empty (i.e., no plugins.json existed).
  • Root Cause Addressed: The crash was due to iterating an empty array while set -u (nounset) was enabled, which treats references to unset variables as errors.
  • Robustness Improvement: Implemented array length checks before iterating plugin_namespaces in three distinct locations within the deploy_aidevops_agents function, ensuring the script handles empty arrays gracefully.
  • Supervisor Lifecycle Fix: This fix addresses a failure in the supervisor post-PR lifecycle deploy step (specifically, t132.4 failed) that was caused by the aforementioned issue.

Changelog

  • setup.sh
    • Added conditional checks ([[ ${#plugin_namespaces[@]} -gt 0 ]]) before iterating the plugin_namespaces array in three locations within the deploy_aidevops_agents function.
    • These checks prevent 'unbound variable' errors when the array is empty, particularly when set -u is enabled, by ensuring loops are only executed if the array contains elements.

Activity

  • No specific activity (comments, reviews, or progress updates) has been recorded for this pull request yet.

coderabbitai bot (Contributor) commented Feb 9, 2026

Walkthrough

Guards were added to skip iterating over an empty plugin_namespaces array in setup.sh. A new check_gh_auth() helper was introduced in .agents/scripts/supervisor-helper.sh, with GH_TOKEN caching and standardized GitHub auth checks replacing direct gh auth status calls across supervisor flows.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Setup script: plugin_namespaces guards (setup.sh) | Added length checks before iterating plugin_namespaces in three places: clean-preserve directory construction, rsync exclude list building, and tar exclude list building. |
| Supervisor GitHub auth helper & token caching (.agents/scripts/supervisor-helper.sh) | Added check_gh_auth(); introduced GH_TOKEN cache file read/write; replaced direct gh auth status checks with check_gh_auth() calls in multiple supervisor flows (dispatch, sync_claim_to_github, verify paths). |

Sequence Diagram(s)

sequenceDiagram
    participant Supervisor
    participant Cache as "Token Cache (file)"
    participant GH_API as "GitHub API"
    participant GH_CLI as "gh CLI"

    Supervisor->>Cache: read cached GH_TOKEN?
    alt cached token present
        Supervisor->>GH_API: verify token via lightweight API call
        GH_API-->>Supervisor: 200 OK / auth state
    else no cached token
        Supervisor->>GH_CLI: gh auth status
        GH_CLI-->>Supervisor: auth state or prompt
        alt token obtained
            Supervisor->>Cache: write GH_TOKEN to cache
        end
    end
    Supervisor->>Supervisor: return auth result to callers (dispatch / sync / verify)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes


🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 77.78% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the primary fix in the changeset - guarding empty plugin_namespaces arrays in setup.sh to prevent unbound variable errors during deployment. |


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request effectively resolves the 'unbound variable' error that occurs when the plugin_namespaces array is empty. The addition of guards to check the array's length before iteration is a solid and safe fix. I've added one suggestion to make the code for populating the preserved_dirs array a bit more concise and idiomatic by appending the array directly, which is possible thanks to the guard you've added. The other changes look good.

Comment on lines +2579 to +2581
for pns in "${plugin_namespaces[@]}"; do
preserved_dirs+=("$pns")
done

medium

This for loop can be made more concise. Since you're inside the if guard, you can safely append the entire plugin_namespaces array to preserved_dirs in one go. This is a more idiomatic way to combine arrays in Bash.

Suggested change
for pns in "${plugin_namespaces[@]}"; do
preserved_dirs+=("$pns")
done
preserved_dirs+=("${plugin_namespaces[@]}")

github-actions bot commented Feb 9, 2026

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 54 code smells

[INFO] Recent monitoring activity:
Mon Feb 9 17:10:12 UTC 2026: Code review monitoring started
Mon Feb 9 17:10:13 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 54

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 54
  • VULNERABILITIES: 0

Generated on: Mon Feb 9 17:10:16 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

gh auth status fails in cron even when GH_TOKEN is set because it tries
to validate the keyring token first. Added check_gh_auth() helper that
checks GH_TOKEN via API call first, falling back to gh auth status.

Also: try cached token before gh auth token (cache is more reliable in
cron), and guard empty plugin_namespaces array in setup.sh deploy.

github-actions bot commented Feb 9, 2026

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 54 code smells

[INFO] Recent monitoring activity:
Mon Feb 9 17:17:16 UTC 2026: Code review monitoring started
Mon Feb 9 17:17:17 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 54

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 54
  • VULNERABILITIES: 0

Generated on: Mon Feb 9 17:17:19 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

sonarqubecloud bot commented Feb 9, 2026

@marcusquinn marcusquinn merged commit 24b71e7 into main Feb 9, 2026
9 of 10 checks passed

coderabbitai bot (Contributor) left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.agents/scripts/supervisor-helper.sh (1)

109-146: ⚠️ Potential issue | 🟠 Major

Blocker: GH_TOKEN cache stored in .agent-workspace (disallowed location).

Persisting a token under ~/.aidevops/.agent-workspace violates the repo’s credential storage guidance. Please remove the workspace cache and rely on ~/.config/aidevops/credentials.sh (via setup-local-api-keys.sh) or a secure store like gopass/keychain. This keeps secrets out of the workspace and maintains A‑grade security posture.

Suggested fix (remove workspace cache + align priority comment)
-# Priority: existing GH_TOKEN env > `gh auth token` > cached token > gopass > credentials.sh
-# When `gh auth token` succeeds (interactive), cache it for cron to use later.
-_gh_token_cache="$HOME/.aidevops/.agent-workspace/supervisor/.gh-token-cache"
+# Priority: existing GH_TOKEN env > `gh auth token` > gopass > credentials.sh
+# For cron, persist GH_TOKEN via setup-local-api-keys.sh (credentials.sh) or gopass.
 if [[ -z "${GH_TOKEN:-}" ]]; then
-    # Try cached token FIRST (most reliable for cron — written by interactive sessions)
-    if [[ -f "$_gh_token_cache" ]]; then
-        GH_TOKEN=$(cat "$_gh_token_cache" 2>/dev/null || echo "")
-    fi
-    # If no cache, try gh auth token (works interactively, may fail in cron)
-    if [[ -z "$GH_TOKEN" ]]; then
-        GH_TOKEN=$(gh auth token 2>/dev/null || echo "")
-    fi
-    # Cache the token if we got one (for future cron runs)
-    if [[ -n "$GH_TOKEN" ]]; then
-        mkdir -p "$(dirname "$_gh_token_cache")"
-        printf '%s' "$GH_TOKEN" > "$_gh_token_cache" 2>/dev/null || true
-        chmod 600 "$_gh_token_cache" 2>/dev/null || true
-    fi
+    # Try gh auth token (interactive sessions)
+    GH_TOKEN=$(gh auth token 2>/dev/null || echo "")
     if [[ -z "$GH_TOKEN" ]]; then
         # Try gopass (encrypted secret store)
         GH_TOKEN=$(gopass show -o github/token 2>/dev/null || echo "")
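Review bot: Nothing in this hunk deletes a `.gh-token-cache` file that earlier runs already wrote under `$HOME/.aidevops/.agent-workspace/supervisor/`; removing the read/write block only stops new copies, so a previously cached token stays on disk. Add a one-time `rm -f` of that path alongside this change and rotate any token that was cached there. The removed write path also created the file with `printf ... > "$_gh_token_cache"` before running `chmod 600`, so if a cache is ever reintroduced elsewhere it should set a restrictive umask before the write rather than fixing the mode afterwards.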
@@
     if [[ -n "$GH_TOKEN" ]]; then
         export GH_TOKEN
     fi
 fi
-unset _gh_token_cache

Based on learnings NEVER store credentials, API keys, tokens, or secrets in ~/.aidevops/.agent-workspace/ directory; Store API Keys and Tokens in ~/.config/aidevops/credentials.sh with 600 file permissions (owner read/write only).
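
A check that enforces the storage rule stated in this review, as an added example that is not the project's own code. The two paths and the `.gh-token-cache` file name are the ones quoted in the comment above; the function names are hypothetical.

```bash
#!/bin/sh
# Added example: audit where a GitHub token is stored on disk.
# Paths are the ones named in the review comment; function names are hypothetical.

WORKSPACE_REL=".aidevops/.agent-workspace"
CRED_REL=".config/aidevops/credentials.sh"

# Create a file that is never readable by group or other, even briefly.
# (The removed cache code wrote the file first and ran chmod 600 afterwards.)
write_private_file() {
    ( umask 077 && printf '%s' "$2" > "$1" )
}

# audit_token_storage HOME_DIR
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_token_storage() {
    home_dir=$1
    rc=0

    # Token caches left behind in the agent workspace by earlier runs.
    stale=$(find "$home_dir/$WORKSPACE_REL" -type f -name '.gh-token-cache' 2>/dev/null || true)
    if [ -n "$stale" ]; then
        printf 'token cache in workspace: %s\n' "$stale"
        rc=1
    fi

    # credentials.sh must be owner read/write only (mode 600).
    cred="$home_dir/$CRED_REL"
    if [ -f "$cred" ] && [ -z "$(find "$cred" -prune -perm 600)" ]; then
        printf 'credentials file is not mode 600: %s\n' "$cred"
        rc=1
    fi
    return "$rc"
}
```

Run `audit_token_storage "$HOME"` from a scheduled check or a pre-deploy step; a non-zero return means a token is stored where the guidance forbids it or is readable beyond its owner.
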

@marcusquinn marcusquinn deleted the bugfix/setup-plugin-array branch February 9, 2026 17:23