t1158: Fix audit script PR linkage detection for auto-reaped tasks

[alex-solovyev]

Summary

• Root cause: audit_closed_issues() called find_closing_pr("", ...) with empty task_line, so PR number extraction from TODO.md always failed
• Impact: False no_pr_linkage findings for auto-reaped tasks (t1141, t1129, t1126, t1128) that had valid pr:#NNN in TODO.md but were removed from supervisor DB
• Fix: Pass ${task_line:-} to find_closing_pr + add fallback PR extraction from task_line when has_evidence is true

Changes

• issue-audit.sh:260 — Pass task_line to find_closing_pr instead of empty string
• issue-audit.sh:282-292 — Add fallback: extract PR number from task_line when has_evidence=true but merged_pr empty

Verification

• ShellCheck passes clean
• No other files modified (minimal change)
• Eliminates ~4 of 6 high-severity false positives from audit report

Ref #1744

Summary by CodeRabbit

• Bug Fixes
  • Improved linkage between closed tasks and pull requests with enhanced fallback mechanisms, ensuring PR associations are correctly captured even when standard linkage methods are unavailable.
  • Enhanced logging to provide better visibility into the PR discovery process when initial connection attempts fail.

[gemini-code-assist]

Summary of Changes

Hello @alex-solovyev, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a bug in the issue-audit.sh script that led to false positives for missing PR linkages, particularly for tasks that were automatically reaped. The changes ensure that the script accurately identifies associated pull requests by correctly passing task information to the PR detection function and providing a robust fallback for direct PR extraction from task descriptions. This significantly improves the accuracy of the audit report by eliminating several high-severity false positives.

Highlights

• Corrected PR linkage detection: The issue-audit.sh script now correctly identifies linked pull requests for auto-reaped tasks by passing the task_line to the find_closing_pr function, resolving previous false no_pr_linkage findings.
• Implemented fallback PR extraction: A new fallback mechanism was added to extract the PR number directly from the task_line when has_evidence is true but merged_pr remains empty, ensuring robust PR detection.

Changelog

• .agents/scripts/supervisor/issue-audit.sh
  • Modified the audit_closed_issues function to pass the task_line variable to find_closing_pr instead of an empty string.
  • Added a conditional block within audit_closed_issues to perform a fallback extraction of the PR number directly from task_line if has_evidence is true and merged_pr is still empty.

Activity

• The author verified that ShellCheck passes clean.
• The changes were kept minimal, affecting only one file.
• The fix is expected to eliminate approximately 4 out of 6 high-severity false positives from the audit report.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Walkthrough

Enhanced the PR linkage logic in the issue-audit script by passing task_line to find_closing_pr and adding a fallback mechanism. When standard linkage fails but completion evidence exists in TODO.md, the script now extracts the PR number directly from task_line to populate merged_pr.

Changes

Cohort / File(s)	Summary
PR Linkage Fallback Logic .agents/scripts/supervisor/issue-audit.sh	Updated audit_closed_issues to pass ${task_line:-} to find_closing_pr and introduced a fallback path that extracts pr:#NNN from task_line when initial PR discovery fails, ensuring merged_pr can be populated from TODO.md as a last resort.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

• t1158: Fix audit script PR linkage detection for auto-reaped tasks #1744: Addresses the same audit script PR-linkage logic, specifically updating how merged_pr is discovered via task_line fallback and find_closing_pr usage.

Possibly related PRs

• t220: Link closing PR reference when issue-sync closes issues #944: Adds the helper mechanism for task-line PR extraction as a fallback alongside find_closing_pr, which this PR now leverages in the supervisor audit flow.
• t1004: Ensure all task completion paths write pr:#NNN to TODO.md #1295: Modifies supervisor-era scripts to improve pr:#NNN discovery and backfill from TODO.md, including related changes to find_closing_pr and fallback parsing patterns.

Poem

When PRs hide in TODO's dusty notes, 📝
A fallback path ensures they stay afloat, ⚓
Task_line whispers secrets once concealed,
merged_pr now restored, at last revealed! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main fix: improving PR linkage detection in the audit script for auto-reaped tasks, which directly matches the changeset's core objective.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/t1158

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 42 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Mon Feb 23 21:06:26 UTC 2026: Code review monitoring started
Mon Feb 23 21:06:26 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 42

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 42
• VULNERABILITIES: 0

Generated on: Mon Feb 23 21:06:29 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[gemini-code-assist]

Code Review

The pull request correctly addresses the issue where PR linkage detection failed for auto-reaped tasks. By passing the task_line to find_closing_pr and adding a fallback extraction mechanism, it significantly reduces false positives in the audit report. The changes are minimal and follow the existing patterns in the script.

[gemini-code-assist]

Avoid using 2>/dev/null for blanket suppression of command errors. This can hide important diagnostic information such as authentication failures or system issues in find_closing_pr or the tools it invokes (e.g., gh or tea).

Suggested change

	pr_info=$(find_closing_pr "${task_line:-}" "$task_id" "$repo_slug" 2>/dev/null || echo "")
	pr_info=$(find_closing_pr "${task_line:-}" "$task_id" "$repo_slug" || echo "")

References

1. Avoid using '2>/dev/null' for blanket suppression of command errors in shell scripts to ensure that authentication, syntax, or system issues remain visible for debugging.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.agents/scripts/supervisor/issue-audit.sh (1)

247-263: ⚠️ Potential issue | 🟡 Minor

task_line is declared inside the conditional but referenced outside it — move the initialisation up

local task_line="" lives on line 247, inside if [[ -f "$todo_file" && -n "$task_id" ]]; then. This PR now references task_line outside that block at line 263 (find_closing_pr "${task_line:-}") and lines 285–292.

While practically safe today — task_id is always non-empty here (early continue at line 214) so the condition collapses to [[ -f "$todo_file" ]], which is invariant across iterations — it creates a subtle invariant that isn't obvious. Any future edit that makes the condition non-constant (e.g., adding a per-issue guard) would silently stale-leak task_line from a previous iteration into find_closing_pr and the fallback, producing incorrect PR linkage.

🛠️ Proposed fix — hoist the initialisation before the `if` block

-	# Check 2: Does TODO.md have completion evidence for this task?
-	local has_evidence=false
-	if [[ -f "$todo_file" && -n "$task_id" ]]; then
-		local task_line=""
-		task_line=$(grep -E "^\s*- \[.\] ${task_id} " "$todo_file" | head -1 || echo "")
+	# Check 2: Does TODO.md have completion evidence for this task?
+	local has_evidence=false
+	local task_line=""
+	if [[ -f "$todo_file" && -n "$task_id" ]]; then
+		task_line=$(grep -E "^\s*- \[.\] ${task_id} " "$todo_file" | head -1 || echo "")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/scripts/supervisor/issue-audit.sh around lines 247 - 263, task_line
is declared inside the if-block but used later by find_closing_pr and other
code, which risks leaking a stale value; hoist the declaration/initialization of
local task_line (e.g., local task_line="") to immediately before the if [[ -f
"$todo_file" && -n "$task_id" ]]; then block so task_line is always defined
per-iteration, keep all existing uses of task_line (find_closing_pr
"${task_line:-}" "$task_id" "$repo_slug" and later checks) unchanged.

🧹 Nitpick comments (1)

.agents/scripts/supervisor/issue-audit.sh (1)

282-292: Fallback duplicates find_closing_pr Check 1 and is effectively dead code in the normal flow

The grep at line 287 is identical to find_closing_pr Check 1 in issue-sync-lib.sh (lines 1095–1099):

todo_pr=$(echo "$task_line" | grep -oE 'pr:#[0-9]+' | head -1 | grep -oE '[0-9]+' ...)

Because the primary fix at line 263 now passes task_line to find_closing_pr, Check 1 will extract pr:#NNN`` and populate merged_pr before this fallback is ever reached. The only scenario where the fallback activates is a catastrophic subshell failure of `find_closing_pr` itself (which `|| echo ""` already suppresses to an empty result).

If the intent is purely defensive, a short comment to that effect would be clearer than duplicating the library's extraction logic inline:

-	# t1158: Fallback — if TODO.md has completion evidence (pr:`#NNN`) but merged_pr
-	# is still empty (e.g., find_closing_pr failed, platform search unavailable),
-	# extract PR number directly from task_line as last resort.
-	if [[ "$has_evidence" == "true" && -z "$merged_pr" && -n "${task_line:-}" ]]; then
-		local fallback_pr=""
-		fallback_pr=$(printf '%s' "$task_line" | grep -oE 'pr:#[0-9]+' | head -1 | grep -oE '[0-9]+' || echo "")
-		if [[ -n "$fallback_pr" ]]; then
-			merged_pr="$fallback_pr"
-			log_verbose "audit_closed_issues: task $task_id — extracted PR #$fallback_pr from TODO.md as fallback"
-		fi
-	fi
+	# Defensive: find_closing_pr with task_line (line 263) already handles pr:`#NNN` extraction
+	# via Check 1 in issue-sync-lib.sh. This block is only reached on subshell failure.

Alternatively, the block can be kept as-is with the understanding that it is dead under normal conditions.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/scripts/supervisor/issue-audit.sh around lines 282 - 292, This
fallback block duplicates the Check 1 extraction performed by find_closing_pr
(called earlier) and is effectively dead in normal flow; either remove the block
or keep it but add a short defensive comment above it clarifying that this
duplicates find_closing_pr's 'pr:#[0-9]+' extraction and exists only to guard
against catastrophic subshell/library failure—referencing the symbols merged_pr,
task_line, task_id and the find_closing_pr behavior so future readers know it’s
intentional.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.agents/scripts/supervisor/issue-audit.sh:
- Around line 247-263: task_line is declared inside the if-block but used later
by find_closing_pr and other code, which risks leaking a stale value; hoist the
declaration/initialization of local task_line (e.g., local task_line="") to
immediately before the if [[ -f "$todo_file" && -n "$task_id" ]]; then block so
task_line is always defined per-iteration, keep all existing uses of task_line
(find_closing_pr "${task_line:-}" "$task_id" "$repo_slug" and later checks)
unchanged.

---

Nitpick comments:
In @.agents/scripts/supervisor/issue-audit.sh:
- Around line 282-292: This fallback block duplicates the Check 1 extraction
performed by find_closing_pr (called earlier) and is effectively dead in normal
flow; either remove the block or keep it but add a short defensive comment above
it clarifying that this duplicates find_closing_pr's 'pr:#[0-9]+' extraction and
exists only to guard against catastrophic subshell/library failure—referencing
the symbols merged_pr, task_line, task_id and the find_closing_pr behavior so
future readers know it’s intentional.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 950ffc9 and 11cf0bb.

📒 Files selected for processing (1)

• .agents/scripts/supervisor/issue-audit.sh