t299: Add Phase 10b to auto-create TODO tasks from quality findings#1171
t299: Add Phase 10b to auto-create TODO tasks from quality findings#1171marcusquinn wants to merge 2 commits intomainfrom
Conversation
…t299) - Adds Phase 10b after Phase 10 in supervisor pulse cycle - Converts CodeRabbit findings via coderabbit-task-creator-helper.sh create - Converts quality-sweep findings via quality-sweep-helper.sh tasks - Self-throttles with 24h cooldown using state file - Commits and pushes TODO.md if new tasks were added - Closes self-improvement feedback loop for autonomous quality task creation
|
Warning Rate limit exceeded
⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…299) - Replace quality-sweep-helper.sh tasks with finding-to-task-helper.sh create - quality-sweep tasks only shows table suggestions, not TODO-compatible lines - finding-to-task-helper.sh create outputs proper TODO task format - Limit to 10 tasks per run with medium+ severity to avoid spam
Summary of ChangesHello @marcusquinn, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the self-improvement feedback loop by automating the conversion of quality findings from tools like CodeRabbit, SonarCloud, and Codacy into actionable TODO tasks. By integrating this new phase into the supervisor's regular pulse, the system will proactively address identified issues, reducing manual overhead and ensuring continuous code quality improvement. The implementation includes a cooldown to manage task creation frequency and automatically updates the project's TODO list. Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces Phase 10b to automatically create TODO tasks from quality findings, effectively closing the feedback loop. However, it introduces two high-severity security risks: unvalidated repository paths leading to arbitrary file writes, and untrusted findings from external tools creating a path for indirect command injection via auto-dispatch tags. Additionally, there's a critical issue with error handling in git operations that could cause data inconsistency, and two medium-severity suggestions for improving efficiency by avoiding redundant commands. Addressing these points will make this valuable new feature more robust, secure, and performant.
| ( | ||
| cd "$pulse_repo" || exit 1 | ||
| git add TODO.md 2>>"$SUPERVISOR_LOG" || true | ||
| git commit -m "chore: auto-create tasks from quality findings (t299)" 2>>"$SUPERVISOR_LOG" || true | ||
| git push 2>>"$SUPERVISOR_LOG" || true | ||
| ) |
There was a problem hiding this comment.
Using || true on these git commands, especially git push, is risky as it suppresses all errors. A git push failure, for instance, would leave the remote TODO.md outdated, but the script would update the cooldown timer, preventing a retry for 24 hours. This can lead to silent failures and data inconsistency. While the style guide (line 13) allows || true for commands that may fail, a push failure is a definite failure of the operation's goal and should not be ignored. It's better to handle git operations more carefully by checking for changes before committing and letting set -e handle critical failures like a failed push.
| ( | |
| cd "$pulse_repo" || exit 1 | |
| git add TODO.md 2>>"$SUPERVISOR_LOG" || true | |
| git commit -m "chore: auto-create tasks from quality findings (t299)" 2>>"$SUPERVISOR_LOG" || true | |
| git push 2>>"$SUPERVISOR_LOG" || true | |
| ) | |
| ( | |
| cd "$pulse_repo" || exit 1 | |
| git add TODO.md 2>>"$SUPERVISOR_LOG" | |
| # Only commit if there are changes to avoid an error from an empty commit. | |
| if git diff --staged --quiet; then | |
| log_verbose " No new tasks to commit to TODO.md." | |
| else | |
| git commit -m "chore: auto-create tasks from quality findings (t299)" 2>>"$SUPERVISOR_LOG" | |
| git push 2>>"$SUPERVISOR_LOG" | |
| fi | |
| ) |
| echo "$coderabbit_output" >> "$todo_file" | ||
| tasks_created=true | ||
| local task_count | ||
| task_count=$(echo "$coderabbit_output" | grep -c "^- \[ \]" || echo "0") | ||
| log_verbose " Created $task_count tasks from CodeRabbit findings" | ||
| fi | ||
| fi | ||
|
|
||
| # Create tasks from quality-sweep findings (SonarCloud, Codacy) | ||
| local finding_to_task="${SCRIPT_DIR}/finding-to-task-helper.sh" | ||
| if [[ -x "$finding_to_task" ]]; then | ||
| log_verbose " Converting quality-sweep findings to tasks..." | ||
| local sweep_output | ||
| sweep_output=$("$finding_to_task" create --min-severity medium --limit 10 2>>"$SUPERVISOR_LOG" || true) | ||
|
|
||
| if [[ -n "$sweep_output" ]] && echo "$sweep_output" | grep -q "^- \[ \]"; then | ||
| # Append tasks to TODO.md | ||
| echo "" >> "$todo_file" | ||
| echo "$sweep_output" >> "$todo_file" |
There was a problem hiding this comment.
This section appends findings from external tools (like CodeRabbit) directly into the TODO.md file with the #auto-dispatch tag. This creates a task injection vulnerability, as malicious content in findings could lead to automatic execution of commands by the dispatcher agent. Additionally, the current implementation involves inefficient double grep calls on coderabbit_output to check for and count tasks, which can be optimized.
| pulse_repo=$(db "$SUPERVISOR_DB" "SELECT DISTINCT repo FROM tasks LIMIT 1;" 2>/dev/null || echo "") | ||
| if [[ -z "$pulse_repo" ]]; then | ||
| pulse_repo="$(pwd)" | ||
| fi | ||
|
|
||
| local todo_file="${pulse_repo}/TODO.md" |
There was a problem hiding this comment.
The pulse_repo variable is retrieved directly from the database and used to construct the todo_file path without any validation or sanitization. An attacker who can influence the tasks table in the database could potentially set repo to an arbitrary path (e.g., using path traversal or pointing to sensitive directories), leading to an arbitrary file write (append) when findings are written to TODO.md. Since this framework uses TODO.md for autonomous task execution, this could be used to inject malicious tasks into other repositories or locations.
| if [[ -n "$sweep_output" ]] && echo "$sweep_output" | grep -q "^- \[ \]"; then | ||
| # Append tasks to TODO.md | ||
| echo "" >> "$todo_file" | ||
| echo "$sweep_output" >> "$todo_file" | ||
| tasks_created=true | ||
| local task_count | ||
| task_count=$(echo "$sweep_output" | grep -c "^- \[ \]" || echo "0") | ||
| log_verbose " Created $task_count tasks from quality-sweep findings" | ||
| fi |
There was a problem hiding this comment.
Similar to the CodeRabbit findings block, this block calls grep twice on sweep_output. It's more efficient to get the count once and use it for both the conditional check and the log message.
| if [[ -n "$sweep_output" ]] && echo "$sweep_output" | grep -q "^- \[ \]"; then | |
| # Append tasks to TODO.md | |
| echo "" >> "$todo_file" | |
| echo "$sweep_output" >> "$todo_file" | |
| tasks_created=true | |
| local task_count | |
| task_count=$(echo "$sweep_output" | grep -c "^- \[ \]" || echo "0") | |
| log_verbose " Created $task_count tasks from quality-sweep findings" | |
| fi | |
| local task_count | |
| task_count=$(echo "$sweep_output" | grep -c "^- \[ \]" || echo "0") | |
| if [[ "$task_count" -gt 0 ]]; then | |
| # Append tasks to TODO.md | |
| echo "" >> "$todo_file" | |
| echo "$sweep_output" >> "$todo_file" | |
| tasks_created=true | |
| log_verbose " Created $task_count tasks from quality-sweep findings" | |
| fi |
|
Closing: the improved Phase 10b implementation was already merged to main by a worker (with task ID assignment, simpler cooldown, and proper commit_and_push_todo pattern). This PR's original code was superseded. t299 is complete via the worker's version. |
Add escalating conflict resolution to rebase_sibling_pr(): 1. Plain rebase (no conflicts) 2. Rebase with -Xtheirs (feature branch wins on conflicts) 3. AI CLI resolution for complex cases (Strategy 3 fallback) Also adds: - resolve_rebase_conflicts() for AI-assisted per-file resolution - Stale worktree cleanup (abort stuck rebases, fix detached HEAD) - Temp worktree creation when no worktree exists (avoids dirty tree) - CONFLICTING added to t298 handler (was only BEHIND/DIRTY) - Phase 7b: periodic retry of merge-conflict-blocked tasks (30min) Tested: resolved 4 blocked PRs (#1171, #1187, #1188, #1191) that were stuck with merge conflicts — all resolved with -Xtheirs.
…1203) Add escalating conflict resolution to rebase_sibling_pr(): 1. Plain rebase (no conflicts) 2. Rebase with -Xtheirs (feature branch wins on conflicts) 3. AI CLI resolution for complex cases (Strategy 3 fallback) Also adds: - resolve_rebase_conflicts() for AI-assisted per-file resolution - Stale worktree cleanup (abort stuck rebases, fix detached HEAD) - Temp worktree creation when no worktree exists (avoids dirty tree) - CONFLICTING added to t298 handler (was only BEHIND/DIRTY) - Phase 7b: periodic retry of merge-conflict-blocked tasks (30min) Tested: resolved 4 blocked PRs (#1171, #1187, #1188, #1191) that were stuck with merge conflicts — all resolved with -Xtheirs.
1 participant
Summary
Closes the self-improvement feedback loop by adding Phase 10b to the supervisor pulse cycle.
Changes
coderabbit-task-creator-helper.sh createto convert findings into TODO tasksquality-sweep-helper.sh tasksto convert SonarCloud/Codacy findings into TODO tasks~/.aidevops/.agent-workspace/supervisor/last-task-creation.json#auto-dispatchfor autonomous pickupTesting
Impact
Currently 5 CodeRabbit findings (2 critical, 2 high) and 19 SonarCloud findings are waiting. Phase 10b will automatically convert these into actionable TODO tasks every 24 hours.
Ref #1169