
fix(issue-sync): prevent invalid @mentions for non-GitHub assignees#1

Merged
superdav42 merged 479 commits into main from fix/assignee-mention on Mar 16, 2026

Conversation

@superdav42 (Owner)

Summary

The issue-sync-lib.sh was adding '@' prefix to ALL assignee values in GitHub issue bodies. This caused problems when the assignee was not a GitHub username but rather a Linux username (e.g., 'dave') or email-like identity.

Changes

  • Only add '@' if the assignee matches the GitHub username pattern (alphanumeric + . _ -) without '@' characters
  • Prevents incorrect @dave mentions in issues created by workers

Related

Fixes incorrect @dave mentions when workers use Linux usernames instead of GitHub usernames.
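The rule described in the summary, as an added example that is not the project's own issue-sync-lib.sh: the '@' prefix is added only when the assignee value matches the stated GitHub username pattern (alphanumeric plus `.`, `_`, `-`) and contains no '@' character; `user@host` and e-mail-style identities pass through unchanged. The function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helpers, not the project's code): decide whether an
# assignee value should be rendered as a GitHub @mention in an issue body.
# Rule from the PR: prefix '@' only for values made of [A-Za-z0-9._-] with no '@'.
set -eu

# format_assignee_mention VALUE
# Prints '@VALUE' for username-shaped values; prints VALUE unchanged otherwise.
format_assignee_mention() {
  local assignee="$1"
  # Trim surrounding whitespace so ' octocat ' is judged on its content.
  assignee="${assignee#"${assignee%%[![:space:]]*}"}"
  assignee="${assignee%"${assignee##*[![:space:]]}"}"
  if [ -z "$assignee" ]; then
    printf '%s\n' ""
    return 0
  fi
  case "$assignee" in
    *@*)
      # user@host (whoami-style), an e-mail, or an already-prefixed '@name':
      # never add a second '@', never turn a local identity into a mention.
      printf '%s\n' "$assignee"
      ;;
    *[!A-Za-z0-9._-]*)
      # Contains a character outside the allowed set (space, slash, colon...).
      printf '%s\n' "$assignee"
      ;;
    *)
      printf '@%s\n' "$assignee"
      ;;
  esac
}

# render_assignee_line VALUE
# Builds the "Assignee:" line of an issue body from the raw assignee value.
render_assignee_line() {
  local value="$1" mention
  mention="$(format_assignee_mention "$value")"
  if [ -z "$mention" ]; then
    printf 'Assignee: (unassigned)\n'
  else
    printf 'Assignee: %s\n' "$mention"
  fi
}

# Constructed sample values (not taken from any real issue).
demo_assignee_lines() {
  for v in "octocat" "dave@build-host" "dave@example.com" "@octocat" "dave smith" ""; do
    printf '%-20s -> ' "'$v'"
    render_assignee_line "$v"
  done
}

demo_assignee_lines
```

Note that a bare Linux login such as `dave` still matches the pattern and is mentioned; the rule only suppresses identities that carry an '@' (user@host, e-mail) or other disallowed characters.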

marcusquinn and others added 30 commits March 14, 2026 04:27
marcusquinn#4711)

Addresses Gemini cross-PR review feedback (PR marcusquinn#1253): local var="$1"
combined form masks exit codes; use separate declare+assign per styleguide.

Closes marcusquinn#3170
…mail-signature-parser-helper.sh (marcusquinn#4724)

Address 3 Gemini review findings from PR marcusquinn#3055:
- merge_toon_contact: replace 6 grep calls with one while/case pass over $existing (HIGH)
- resolve_contact_filename: replace 2 grep calls with one while/case pass over file (MEDIUM)
- list_contacts: replace 2 grep calls per file with one while/case pass per file (MEDIUM)

All three sites now parse fields in a single read loop, eliminating redundant
subshell forks and grep invocations. ShellCheck: zero new violations.

Closes marcusquinn#3161
…ng (marcusquinn#4726)

- Pass pre-computed protocol to build_curl_args() in both cron-dispatch.sh
  and cron-helper.sh, eliminating the redundant get_protocol() subshell call
  inside the function when callers already have the value
- Add log_warn when OPENCODE_INSECURE=1 in cron-helper.sh to match the
  existing warning in cron-dispatch.sh (operator visibility parity)
- Use log_warn (stderr) instead of log_info (stdout) for the SSL warning in
  cron-dispatch.sh for correct severity routing

Addresses gemini review feedback from PR marcusquinn#305.
Closes marcusquinn#3529
…arcusquinn#4728)

- Clarify credential transport: keys embedded as export lines in uploaded
  shell script, not via AcceptEnv/SendEnv (which cannot silently fail)
- Add /proc/<pid>/environ exposure note for security-conscious deployments
- Add mitigation guidance: restrict host access or use short-lived tokens
- Add opencode-ai as preferred npm install option; keep @anthropic-ai/claude-code
  as the claude CLI alternative

Closes marcusquinn#3445
…TATE_DIR and move timestamp after success (marcusquinn#4729)

- Use ${SUPERVISOR_STATE_DIR:-/var/lib/supervisor} instead of SUPERVISOR_DIR for
  task_creation_cooldown_file to guard against unset variable under set -u/-e
- Add mkdir -p before writing the cooldown timestamp to ensure directory exists
- Move date +%s write to AFTER confirming TODO.md exists and task creation runs,
  preventing the cooldown from throttling retries when prerequisites are missing

Addresses PR marcusquinn#1170 review feedback (issue marcusquinn#3526).
)

- Move NODE_PATH snippet from build-agent.md into node-helpers.md and
  replace with a file:line reference (CodeRabbit feedback)
- Add FTS5 capability probe to sqlite3 status check in onboarding-helper.sh
  so partial installs (sqlite3 present, FTS5 missing) are correctly reported
  as 'partial' rather than 'ready' (CodeRabbit + Gemini feedback)
- Add fts5 field to JSON output using jq for type-safe boolean construction

Closes marcusquinn#3528
…reviews (marcusquinn#4731)

Replace 2>/dev/null with 2>>"${SUPERVISOR_LOG:-/dev/null}" on three jq
commands in the dismiss_bot_reviews function and check_pr_status function.

This aligns with the repository style guide (no blanket stderr suppression)
and allows jq parsing errors from malformed gh api responses to be captured
in the supervisor log for debugging, rather than silently discarded.

Closes marcusquinn#3564
Addresses gemini-code-assist review feedback on PR marcusquinn#952
…arcusquinn#4734)

Change the error string written on auto-rebase failure from the human-readable
'Merge conflict — auto-rebase failed' to the machine-readable token
'merge_conflict:auto_rebase_failed'. This aligns with the case-match in
evaluate.sh:718 and dispatch.sh:673 which filter on 'merge_conflict' — without
this fix, tasks blocked by auto-rebase failure were not picked up for retry.

Fix 2 (git add before diff --check) was already present in deploy.sh at line
2248 from a prior refactor — no change needed there.

Closes marcusquinn#3524
…arcusquinn#4735)

Addresses Gemini code review suggestion from PR marcusquinn#134: store the
dynamic and hardcoded badge grep patterns in local variables to
improve maintainability and avoid repeating the pattern strings.

Closes marcusquinn#3522
…le violations (marcusquinn#4737)

When markdownlint fails due to bad config, invalid arguments, or other
non-rule errors, the output won't match the MD[0-9] pattern, causing
violation_count=0 and a false success return—even in blocking mode.

Capture lint_exit separately (|| lint_exit=$?) and treat non-zero exit
codes as blocking errors in changed-file mode and advisory warnings in
full-scan mode. Covers both cases: output present (non-rule error message)
and no output (silent config parse failure).

Closes marcusquinn#3505
Addresses CodeRabbit review on PR marcusquinn#271
…arcusquinn#4736)

Merge the redundant `pro` case into `sonnet | eval | health | pro` since
both resolve to the same model (anthropic/claude-sonnet-4-6). Reduces
duplication and improves maintainability as suggested in PR marcusquinn#799 review.

Closes marcusquinn#3519
…4741)

Replace comma-separated string iteration with bash arrays in:
- supervisor-archived/issue-sync.sh: ALL_STATUS_LABELS constant + sync_issue_status_label() loop
- issue-sync-helper.sh: _DONE_REMOVE_LABELS constant + _mark_issue_done()

Eliminates IFS manipulation and here-string splitting for safer, more
idiomatic bash iteration. Addresses Gemini review feedback on PR marcusquinn#1375.

ShellCheck: zero new violations.
… stale pulse (marcusquinn#4749)

When a script fix is merged without a version bump, the deployed copy in
~/.aidevops/ stays stale until setup.sh is run manually. The auto-update
stale check only compared VERSION files, missing intra-version script changes.

Add a sentinel-based script drift check: compare SHA-256 of
gh-failure-miner-helper.sh between repo and deployed. If they differ,
re-deploy all agents via setup.sh --non-interactive.

Root cause of GH#4727: PR marcusquinn#4704 fixed gh-failure-miner-helper.sh (merged
07:43) but the pulse ran at 08:40 using the old deployed version, which
still treated Codacy ACTION_REQUIRED as a CI failure and produced a false
systemic cluster, causing the pulse LLM to create a duplicate issue.

Closes marcusquinn#4727
…ve-review filters (marcusquinn#4748)

Closes marcusquinn#4733

Adds --include-positive to quality-feedback-helper.sh scan-merged to bypass
the positive-review suppression filters (summary-only, approval-only,
no-actionable-sentiment). Intended for use with --dry-run to audit which
reviews are being suppressed and verify the filters are working correctly.

Changes:
- cmd_scan_merged: parse --include-positive flag, pass to _scan_single_pr
- _scan_single_pr: accept include_positive arg; bypass summary_only filter
  and approval/sentiment select() when true; use select() pattern instead
  of pipe-through-boolean to avoid jq object-construction errors
- Help text: document --include-positive with usage example
- Tests: 5 new tests covering flag unit behaviour and _scan_single_pr
  integration (27/27 passing, 0 shellcheck violations)
actions-user and others added 25 commits March 15, 2026 03:18
…ction refactoring (marcusquinn#4926)

Extract printUsage, runDiscoveryIfNeeded, guardCredits, buildRetryConfig from main()
to reduce function-complexity smells. Add makeFeatureHandler factory to eliminate
5 duplicate inline lambdas in COMMAND_REGISTRY (boolean-logic/return-statements).
No behaviour changes — pure structural refactoring. Syntax verified: node --check.
…4927)

Change backoff granularity from provider-level to model-level so that
rate-limiting one model (e.g. claude-sonnet) doesn't block other models
from the same provider (e.g. claude-opus). Auth errors still back off
at provider level since credentials are shared.

Key changes:
- record_provider_backoff() accepts model param, keys on model for
  rate_limit/provider_error, on provider for auth_error
- New model_backoff_active() checks both model-level and provider-level
- choose_model() uses model_backoff_active() instead of provider-level
- cmd_backoff CLI accepts both model IDs and provider names
- Fix file_mtime() stat order (Linux stat -f returns filesystem info)
- Tests: set AIDEVOPS_HEADLESS_MODELS for self-contained runs, disable
  sandbox (strips STUB_* env vars), add 4 model-level backoff tests

Closes marcusquinn#4925
…arcusquinn#4931)

Replace ${!env_var:-} with eval-based equivalent at 3 locations in
config-helper.sh. The ${!var:-default} syntax causes 'bad substitution'
on macOS /bin/bash 3.2.57, making config_get fail silently during
pulse-wrapper.sh startup.

Closes marcusquinn#4929
* fix: add sqlite3 to setup.sh required dependencies

sqlite3 is used by 700+ callsites across the framework (memory system,
worktree registry, supervisor, observability) but was never installed
during setup. On Linux systems without sqlite3 pre-installed, these
features fail silently.

Adds sqlite3 to check_requirements() with correct package name mapping:
sqlite3 for Debian/Ubuntu/brew, sqlite for Fedora/Arch/Alpine.

* fix: use canonical brew formula name 'sqlite' instead of alias 'sqlite3'

Homebrew's formula is 'sqlite' (sqlite3 is an alias). While the alias
works, using the canonical name is more robust. Separate apt case from
the wildcard fallback which now correctly handles brew, dnf, pacman,
and apk.

Addresses CodeRabbit review feedback on PR marcusquinn#4935.

---------

Co-authored-by: Alexey <1556417+alex-solovyev@users.noreply.github.com>
…e clarity (marcusquinn#4936)

* fix: correct contribution metrics — remove double-counting and improve clarity

- Remove --all from git log to count only default-branch commits, fixing
  ~12% inflation from squash-merged PR commits being counted twice (once
  as branch originals, once as the squash-merge on main)
- Rename 'Contributions' sections to 'Commits' for accuracy
- Rename 'Contributor output' to 'GitHub activity' and move to top of
  dashboard (most meaningful metric: issues, PRs, merges, comments)
- Clarify column headers: 'Direct' → 'Direct Pushes', 'PR Merges' → 'PRs Merged'
- Reorder dashboard: GitHub activity → AI sessions → Commits (most to least meaningful)

* fix: resolve default branch explicitly for worktree robustness

Address Gemini review feedback — git log without --all and without an
explicit branch name walks the current branch, which is wrong when
called from a worktree on a feature branch. Add _resolve_default_branch()
helper that tries origin/HEAD, then main/master, then HEAD as fallback.
Apply to all three git log call sites.
…g swallowed (marcusquinn#4938)

Login shell startup files (~/.bash_profile, ~/.bashrc) on remote servers
(Cloudways, Hetzner, Cloudron, Hostinger, Closte) can redirect or close
stdout before wp runs. Dropping the -l flag avoids sourcing those files
while still executing the cd+wp command correctly.

Also redirect the [INFO] diagnostic line in run_wp_command to stderr so
callers can capture clean WP-CLI stdout without mixing it with log output.

Fixes marcusquinn#4937
…les (marcusquinn#4941)

When a subprocess needs a secret value, pass it as an environment
variable, never as a command argument. Command arguments appear in
error messages, ps output, and logs -- even when the command's intent
is safe. This was learned from an incident where wp db query echoed
a secret in its error output.

Adds section 8.2 (prevention) and 8.3 (post-execution detection) to
prompts/build.txt. Updates opsec.md, gopass.md, and cloudron.md with
cross-references to the new pattern.

Closes marcusquinn#4939
…tter (marcusquinn#4948)

* fix: prevent duplicate dispatch across runners via assignee check + jitter

Root cause: multiple pulse runners evaluating the same issue simultaneously
create duplicate PRs. Process-based dedup (has_worker_for_repo_issue,
is-duplicate) only sees local processes — invisible across machines.

Fix 1: Add is-assigned command to dispatch-dedup-helper.sh that queries
GitHub assignees before dispatch. If another runner already self-assigned,
skip the issue. This is the primary cross-machine dedup guard.

Fix 2: Add 0-30s random startup jitter to pulse-wrapper.sh so concurrent
launchd-triggered pulses don't evaluate issues at the same instant.
Configurable via PULSE_JITTER_MAX (set to 0 to disable).

Fix 3: Update pulse.md dispatch instructions to enforce the assignee
check as a mandatory step alongside existing local process dedup.

Observed: PR marcusquinn#4940 duplicated PR marcusquinn#4938 for issue marcusquinn#4937 because
alex-solovyev's pulse dispatched 2 min after marcusquinn self-assigned,
interpreting the in-progress worker as 'failed'.

* fix: validate PULSE_JITTER_MAX as numeric, use read -ra for assignee parsing

Address Gemini review feedback:
- Validate PULSE_JITTER_MAX is numeric before arithmetic (prevents
  set -e failures from non-integer env var values)
- Use read -ra for comma-separated assignee parsing instead of IFS
  word splitting (more robust against whitespace edge cases)
…requirements (marcusquinn#4949)

Call detect_package_manager once at the top of the dependency-check block
and reuse the result for both sqlite package-name resolution and the
install prompt. Previously it was called twice: once inside the sqlite3
check and again when installing missing deps.

Closes marcusquinn#4946
…lback (marcusquinn#4951)

Addresses review feedback from PR marcusquinn#4941 (Gemini Code Assist) by making
the temporary file pattern more specific: recommend mktemp for file
creation and trap for guaranteed cleanup on exit or error.

Closes marcusquinn#4943
…in wp_args log (marcusquinn#4953)

* fix: use printf '%q' for wp_args logging to handle spaces in arguments

Closes marcusquinn#4944

* fix: use shell parameter expansion to trim trailing space in wp_args log

Replace subshell-in-string $(printf '%q ' ...) with a two-step pattern:
  local args_str; args_str=$(printf '%q ' "${wp_args[@]}")
  ... ${args_str% }

This avoids spawning an extra subshell inside the double-quoted string and
uses pure shell parameter expansion (${args_str% }) to strip the trailing
space left by printf '%q '. Applied to all three logging sites:
run_wp_command (line 383), run_on_category (line 404), run_on_all (line 447).

Addresses Gemini Code Assist suggestion on PR marcusquinn#4950.

---------

Co-authored-by: Alexey <1556417+alex-solovyev@users.noreply.github.com>
…acking (marcusquinn#4955)

Every autonomous process that creates GitHub issues now adds a source:*
label identifying which process created it. This makes auto-created work
filterable and traceable — you can see at a glance whether an issue came
from the review scanner, quality sweep, CI failure miner, etc.

Labels added:
- source:review-feedback  (quality-feedback-helper.sh)
- source:review-scanner   (post-merge-review-scanner.sh)
- source:quality-sweep    (stats-functions.sh — quality-review + simplification-debt)
- source:health-dashboard (stats-functions.sh — supervisor/contributor health)
- source:ci-failure-miner (gh-failure-miner-helper.sh)
- source:circuit-breaker  (circuit-breaker-helper.sh)
- source:mission-validation (milestone-validation-worker.sh)
- source:findings-to-tasks (findings-to-tasks-helper.sh)
- source:self-evolution   (self-evolution-helper.sh)

All labels use color #C2E0C6 (light green) for visual consistency.
Existing type labels (quality-debt, bug, etc.) are preserved — source:*
is an orthogonal dimension.
…al detection (marcusquinn#4956)

* fix(security): add section 8.4 column-level query discipline and URL credential detection (marcusquinn#4954)

Add layered defense (Option C) against credential exposure from application
config tables that store secrets in URL query parameters.

Layer 1 - Prompt rule (build.txt section 8.4):
- Never fetch raw record values from webhook/integration/OAuth config tables
- Query schema/keys first, then extract only non-credential fields
- Treat any URL field in application config as potentially containing credentials

Layer 2 - Output redaction tooling:
- Add credential_exposure category to prompt-guard-helper.sh (inline + YAML)
- Detect secrets in URL query params: secret=, token=, api_key=, password=,
  access_token=, auth=, client_secret=, webhook_secret=
- Redact matched values in sanitize function (replaces 8+ char values with [REDACTED])
- 9 new tests (7 detection + 2 sanitization), all passing, zero regressions

Closes marcusquinn#4954

* fix(tests): replace real-looking credential formats with FAKE_ prefixes and fix short-value threshold test

- Lines 1497-1501: prefix test literals with FAKE_SK_LIVE_, FAKE_AKIA_, FAKE_JWT_, FAKE_CS_
  to make it unambiguous these are test fixtures, not real credentials (CodeRabbit CHANGES_REQUESTED)
- Line 1502: change 'key=abc' to 'secret=abc' — 'key' is not a tracked parameter so the
  test never validated the short-value threshold; 'secret' is tracked (line 330) and 'abc'
  (3 chars) is below the 8-char minimum, correctly producing no match

Closes marcusquinn#4954

---------

Co-authored-by: marcusquinn <6428977+marcusquinn@users.noreply.github.com>
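The URL credential detection and redaction described in the commit above, as an added example that is not the project's prompt-guard-helper.sh: it tracks the listed query parameters (`secret`, `token`, `api_key`, `password`, `access_token`, `auth`, `client_secret`, `webhook_secret`), flags values of 8 or more characters, and replaces matched values with `[REDACTED]`. The function names, the regex and the sample strings are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helpers, not the project's code): detect and redact
# secrets carried in URL query parameters, mirroring the credential_exposure
# category described in the commit: tracked parameter names, 8-char minimum,
# matched value replaced by [REDACTED]. Works in POSIX sh with sed -E / grep -E.
set -eu

# A tracked parameter must start the string or follow a URL delimiter or
# whitespace, so 'oauth=' is not mistaken for 'auth='. The value runs until the
# next '&' or whitespace and must be at least 8 characters long.
CRED_PARAM_RE='(^|[?&;#[:space:]])(secret|token|api_key|password|access_token|auth|client_secret|webhook_secret)=[^&[:space:]]{8,}'

# has_credential_exposure TEXT -> exit 0 if a tracked param carries a long value
has_credential_exposure() {
  printf '%s\n' "$1" | grep -qE "$CRED_PARAM_RE"
}

# redact_url_credentials TEXT -> TEXT with each matched value replaced
redact_url_credentials() {
  # \1 keeps the delimiter, \2 keeps the parameter name; the value is dropped.
  printf '%s\n' "$1" | sed -E "s/${CRED_PARAM_RE}/\1\2=[REDACTED]/g"
}

# Constructed sample config rows (FAKE_ values, not real credentials).
demo_credential_redaction() {
  for row in \
    'https://hooks.example.com/x?token=FAKE_abcdefgh&name=ci' \
    'secret=abc' \
    'callback=https://app.example.com/cb?id=5&password=FAKE_p4ssw0rd#frag' \
    'https://auth.example.com/?oauth=FAKE_notTracked'; do
    if has_credential_exposure "$row"; then
      printf 'EXPOSED  %s\n' "$(redact_url_credentials "$row")"
    else
      printf 'clean    %s\n' "$row"
    fi
  done
}

demo_credential_redaction
```

The 8-character threshold is the one the commit states; it means a placeholder like `secret=abc` is left alone, which is also why the test fixture in the commit had to use a tracked name to exercise that edge.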
…arcusquinn#4957)

Two gaps in the full-loop workflow:

1. After merging a PR on the aidevops repo, no release was cut — fixes
   sat on main until someone manually released. Contributors running
   aidevops update got nothing. Now the full-loop auto-bumps a patch
   version, tags, and creates a GitHub release after every merge.

2. Issue closing comments didn't tell the reporter which version
   contained the fix. Now the template includes a 'Released in: vX.Y.Z'
   line with 'run aidevops update to get this fix' so reporters know
   exactly when and how to pick up the solution.

Auto-release is aidevops-repo-only and always uses patch (workers can't
determine if a change is minor/major — that requires human judgment).
The issue-sync-lib.sh was adding '@' prefix to ALL assignee values in
GitHub issue bodies. This caused problems when the assignee was not a
GitHub username but rather:
- A Linux username like 'dave' (user@host format from whoami)
- An email-like identity

Now we only add '@' if the assignee matches the GitHub username pattern
(alphanumeric + . _ -) without '@' characters.

Fixes incorrect @dave mentions in issues created by workers.
github-actions bot added the "bug (Something isn't working)" label on Mar 16, 2026
@coderabbitai
coderabbitai bot commented Mar 16, 2026

Review skipped: auto reviews are limited based on label configuration, and only excluded labels are configured (no-review). Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

@superdav42 superdav42 merged commit 381854a into main Mar 16, 2026
13 checks passed
@github-actions

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 363 code smells

[INFO] Recent monitoring activity:
Mon Mar 16 02:43:36 UTC 2026: Code review monitoring started
Mon Mar 16 02:43:37 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 363

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 363
  • VULNERABILITIES: 0

Generated on: Mon Mar 16 02:43:40 UTC 2026

Generated by AI DevOps Framework Code Review Monitoring

@dave

dave commented Mar 16, 2026

🙏🙏🙏
