aidevops 3.5.892 → 3.8.2

package/setup.sh

@@ -1,4 +1,6 @@
 #!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: 2025-2026 Marcus Quinn
 
 # Shell safety baseline
 set -Eeuo pipefail
@@ -10,7 +12,7 @@ shopt -s inherit_errexit 2>/dev/null || true
 # AI Assistant Server Access Framework Setup Script
 # Helps developers set up the framework for their infrastructure
 #
-# Version: 3.5.892
+# Version: 3.8.2
 #
 # Quick Install:
 #   npm install -g aidevops && aidevops update          (recommended)
@@ -83,6 +85,12 @@ if [[ -d "$SETUP_MODULES_DIR" ]]; then
 	source "$SETUP_MODULES_DIR/_services.sh"
 	# shellcheck disable=SC1091
 	source "$SETUP_MODULES_DIR/_bootstrap.sh"
+	# shellcheck disable=SC1091
+	source "$SETUP_MODULES_DIR/_routines.sh"
+	# shellcheck disable=SC1091
+	source "$SETUP_MODULES_DIR/_privacy_guard.sh"
+	# shellcheck disable=SC1091
+	source "$SETUP_MODULES_DIR/_canonical_guard.sh"
 fi
 
 print_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
@@ -233,8 +241,11 @@ _launchd_install_if_changed() {
 	return 0
 }
 
-# Detect whether a scheduler is already installed via launchd or cron.
+# Detect whether a scheduler is already installed via launchd, cron, or systemd.
 # Optionally migrates legacy launchd labels / cron entries to launchd on macOS.
+# Args: $1=scheduler_name, $2=launchd_label, $3=legacy_launchd_label,
+#       $4=cron_marker, $5=migrate_script, $6=migrate_arg, $7=migrate_hint
+#       $8=systemd_unit (optional — base name without .timer suffix, e.g. "aidevops-supervisor-pulse")
 _scheduler_detect_installed() {
 	local scheduler_name="$1"
 	local launchd_label="$2"
@@ -243,6 +254,7 @@ _scheduler_detect_installed() {
 	local migrate_script="$5"
 	local migrate_arg="$6"
 	local migrate_hint="$7"
+	local systemd_unit="${8:-}"
 	local installed=false
 
 	if _launchd_has_agent "$launchd_label"; then
@@ -265,6 +277,10 @@ _scheduler_detect_installed() {
 			fi
 		fi
 		installed=true
+	elif [[ -n "$systemd_unit" ]] && command -v systemctl >/dev/null 2>&1 &&
+		systemctl --user is-enabled "${systemd_unit}.timer" >/dev/null 2>&1; then
+		# Systemd user timer detected (GH#17381 — Linux systemd path was missing)
+		installed=true
 	fi
 
 	if [[ "$installed" == "true" ]]; then
@@ -273,6 +289,54 @@ _scheduler_detect_installed() {
 
 	return 1
 }
+
+_should_setup_noninteractive_supervisor_pulse() {
+	local pulse_label="com.aidevops.aidevops-supervisor-pulse"
+
+	if _scheduler_detect_installed \
+		"Supervisor pulse" \
+		"$pulse_label" \
+		"" \
+		"pulse-wrapper" \
+		"" \
+		"" \
+		"" \
+		"aidevops-supervisor-pulse"; then
+		return 0
+	fi
+
+	if type config_enabled &>/dev/null && config_enabled "orchestration.supervisor_pulse"; then
+		return 0
+	fi
+
+	return 1
+}
+
+# Generic non-interactive scheduler detection (GH#17695 Finding B).
+# Returns 0 if the named scheduler is already installed on any backend,
+# meaning it should be regenerated during non-interactive setup.
+# Args: $1=name $2=launchd_label $3=cron_marker $4=systemd_unit
+_should_setup_noninteractive_scheduler() {
+	local name="$1"
+	local launchd_label="$2"
+	local cron_marker="$3"
+	local systemd_unit="${4:-}"
+
+	if _scheduler_detect_installed \
+		"$name" \
+		"$launchd_label" \
+		"" \
+		"$cron_marker" \
+		"" \
+		"" \
+		"" \
+		"$systemd_unit"; then
+		return 0
+	fi
+
+	return 1
+}
+
 # Spinner for long-running operations
 # Usage: run_with_spinner "Installing package..." command arg1 arg2
 run_with_spinner() {
@@ -659,6 +723,10 @@ source "$(dirname "${BASH_SOURCE[0]}")/setup-modules/mcp-setup.sh"
 # shellcheck disable=SC1091
 source "$(dirname "${BASH_SOURCE[0]}")/setup-modules/agent-deploy.sh"
 # shellcheck disable=SC1091
+source "$(dirname "${BASH_SOURCE[0]}")/setup-modules/agent-runtime.sh"
+# shellcheck disable=SC1091
+source "$(dirname "${BASH_SOURCE[0]}")/setup-modules/tool-beads.sh"
+# shellcheck disable=SC1091
 source "$(dirname "${BASH_SOURCE[0]}")/setup-modules/config.sh"
 # shellcheck disable=SC1091
 source "$(dirname "${BASH_SOURCE[0]}")/setup-modules/plugins.sh"
@@ -755,6 +823,39 @@ _setup_print_header() {
 	return 0
 }
 
+# GH#17769: Comment out deprecated model env vars in a single credentials file.
+_comment_out_deprecated_model_vars() {
+	local file="$1"
+	local deprecated_vars="AIDEVOPS_HEADLESS_MODELS|PULSE_MODEL"
+	local deprecation_note="# DEPRECATED by aidevops v3.7+ — model routing is now automatic (GH#17769)"
+	[[ -f "$file" ]] || return 0
+	# Only process lines that are active exports (not already commented)
+	if grep -qE "^[[:space:]]*export[[:space:]]+(${deprecated_vars})=" "$file" 2>/dev/null; then
+		sed -i.bak -E "s/^([[:space:]]*)(export[[:space:]]+(${deprecated_vars})=.*)$/\1${deprecation_note}\n\1# \2/" "$file"
+		rm -f "${file}.bak"
+		print_info "Commented out deprecated model env vars in $(basename "$file")"
+	fi
+	return 0
+}
+
+# GH#17769: Comment out deprecated model env vars from credentials.sh.
+# Runs on every `aidevops update`. Uses sed to comment out (not delete) lines
+# so the user's file history is preserved.
+_cleanup_legacy_model_config() {
+	local creds_file="${HOME}/.config/aidevops/credentials.sh"
+	_comment_out_deprecated_model_vars "$creds_file"
+
+	# Clean up tenant credentials files
+	local tenant_dir="${HOME}/.config/aidevops/tenants"
+	if [[ -d "$tenant_dir" ]]; then
+		local tenant_creds=""
+		while IFS= read -r -d '' tenant_creds; do
+			_comment_out_deprecated_model_vars "$tenant_creds"
+		done < <(find "$tenant_dir" -name "credentials.sh" -print0 2>/dev/null)
+	fi
+	return 0
+}
+
 # Non-interactive path: deploy agents and run safe migrations only (no prompts).
 _setup_run_non_interactive() {
 	print_info "Non-interactive mode: deploying agents and running safe migrations only"
@@ -771,8 +872,11 @@ _setup_run_non_interactive() {
 	migrate_pulse_repos_to_repos_json
 	cleanup_deprecated_paths
 	migrate_orphaned_supervisor
+	backfill_issue_relationships
 	cleanup_deprecated_mcps
 	cleanup_stale_bun_opencode
+	cleanup_stale_health_issue_caches
+	_cleanup_legacy_model_config
 	validate_opencode_config
 	deploy_aidevops_agents
 	sync_agent_sources
@@ -809,6 +913,19 @@ _setup_run_non_interactive() {
 	update_codex_config
 	update_cursor_config
 	disable_ondemand_mcps
+	# Scaffold personal routines repo if not already present (idempotent).
+	# Creates local git repo + private GitHub remote for personal repo only.
+	# Org repos require explicit: aidevops init-routines --org <name>
+	setup_routines
+	# Install/refresh the privacy-guard pre-push hook in every initialized
+	# repo so TODO/todo/README/ISSUE_TEMPLATE pushes to public GitHub repos
+	# are scanned for private slug leaks (t1968).
+	setup_privacy_guard
+	# Install/refresh the canonical-on-main post-checkout hook in every
+	# initialized repo so branch switches away from main in the canonical
+	# directory are warned against (t1995). Complements pre-edit-check.sh's
+	# t1990 edit-time check by catching the branch switch itself.
+	setup_canonical_guard
 	return 0
 }
 
@@ -862,13 +979,17 @@ _setup_run_interactive() {
 	confirm_step "Migrate pulse-repos.json into repos.json" && migrate_pulse_repos_to_repos_json
 	confirm_step "Cleanup deprecated agent paths" && cleanup_deprecated_paths
 	confirm_step "Migrate orphaned supervisor to pulse-wrapper" && migrate_orphaned_supervisor
+	confirm_step "Backfill GitHub issue relationships (blocked-by, sub-issues)" && backfill_issue_relationships
 	confirm_step "Cleanup deprecated MCP entries (hetzner, serper, etc.)" && cleanup_deprecated_mcps
 	confirm_step "Cleanup stale bun opencode install" && cleanup_stale_bun_opencode
+	cleanup_stale_health_issue_caches
+	_cleanup_legacy_model_config
 	confirm_step "Validate and repair OpenCode config schema" && validate_opencode_config
 	confirm_step "Extract OpenCode prompts" && extract_opencode_prompts
 	confirm_step "Check OpenCode prompt drift" && check_opencode_prompt_drift
 	confirm_step "Deploy aidevops agents to ~/.aidevops/agents/" && deploy_aidevops_agents
 	confirm_step "Sync agents from private repositories" && sync_agent_sources
+	confirm_step "Set up routines repo (private repo for recurring operational jobs)" && setup_routines
 	is_feature_enabled safety_hooks 2>/dev/null && confirm_step "Install Claude Code safety hooks (block destructive commands)" && setup_safety_hooks
 	confirm_step "Initialize settings.json (canonical config file)" && init_settings_json
 	confirm_step "Setup multi-tenant credential storage" && setup_multi_tenant_credentials
@@ -901,6 +1022,11 @@ _setup_run_interactive() {
 	# Run AFTER Claude Code config so Codex/Cursor get equivalent setup
 	confirm_step "Update Codex configuration (MCPs, instructions)" && update_codex_config
 	confirm_step "Update Cursor configuration (MCPs)" && update_cursor_config
+	# Deploy slash commands to the other installed runtimes (Codex, Cursor,
+	# Droid, Gemini CLI, Continue, Kiro, Kimi, Qwen) via the unified generator.
+	# OpenCode and Claude Code are already handled by their update_*_config
+	# functions above. Closes GH#18106 / t15474.
+	confirm_step "Deploy slash commands to remaining runtimes" && deploy_commands_to_all_runtimes
 	# Run AFTER all MCP setup functions to ensure disabled state persists
 	confirm_step "Disable on-demand MCPs globally" && disable_ondemand_mcps
 	return 0
@@ -916,10 +1042,56 @@ _setup_post_setup_steps() {
 	echo ""
 	print_success "Setup complete!"
 
+	# Cache client request format constants if CLI is installed (~50ms)
+	if command -v claude &>/dev/null && [[ -x "${INSTALL_DIR}/.agents/scripts/cch-extract.sh" ]]; then
+		"${INSTALL_DIR}/.agents/scripts/cch-extract.sh" --cache >/dev/null 2>&1 || true
+	else
+		echo ""
+		echo -e "${YELLOW}[TIP]${NC} Install Claude CLI for automatic request format alignment:"
+		echo "      npm install -g @anthropic-ai/claude-code"
+	fi
+
 	# Non-interactive mode: deploy + migrations only — skip schedulers,
 	# services, and optional post-setup work (CI/agent shells don't need them).
 	# Tabby profile sync runs in both modes (has its own non-interactive path).
+	#
+	# Exceptions: regenerate existing schedulers (GH#17381, GH#17695 Finding B)
+	# and allow first-time install when config consent is explicitly true (GH#17403).
 	if [[ "$NON_INTERACTIVE" == "true" ]]; then
+		# Auto-update handles non-interactive internally (systemd detection fixed in GH#17861)
+		setup_auto_update
+		if _should_setup_noninteractive_supervisor_pulse; then
+			setup_supervisor_pulse "$os"
+		fi
+		# Regenerate other schedulers if already installed (GH#17695 Finding B)
+		if _should_setup_noninteractive_scheduler "Stats wrapper" "com.aidevops.aidevops-stats-wrapper" "aidevops: stats-wrapper" "aidevops-stats-wrapper"; then
+			setup_stats_wrapper "${PULSE_ENABLED:-}"
+		fi
+		if _should_setup_noninteractive_scheduler "Failure miner" "sh.aidevops.routine-gh-failure-miner" "aidevops: gh-failure-miner" "aidevops-gh-failure-miner"; then
+			setup_failure_miner "${PULSE_ENABLED:-}"
+		fi
+		if _should_setup_noninteractive_scheduler "Process guard" "sh.aidevops.process-guard" "aidevops: process-guard" "aidevops-process-guard"; then
+			setup_process_guard
+		fi
+		if _should_setup_noninteractive_scheduler "Memory pressure" "sh.aidevops.memory-pressure-monitor" "aidevops: memory-pressure-monitor" "aidevops-memory-pressure-monitor"; then
+			setup_memory_pressure_monitor
+		fi
+		if _should_setup_noninteractive_scheduler "Screen time" "sh.aidevops.screen-time-snapshot" "aidevops: screen-time-snapshot" "aidevops-screen-time-snapshot"; then
+			setup_screen_time_snapshot
+		fi
+		if _should_setup_noninteractive_scheduler "Contribution watch" "sh.aidevops.contribution-watch" "aidevops: contribution-watch" "aidevops-contribution-watch"; then
+			setup_contribution_watch
+		fi
+		# Repo sync handles non-interactive mode internally (systemd detection fixed in GH#17861)
+		setup_repo_sync
+		if _should_setup_noninteractive_scheduler "Profile README" "sh.aidevops.profile-readme-update" "aidevops: profile-readme-update" "aidevops-profile-readme-update"; then
+			setup_profile_readme
+		fi
+		if _should_setup_noninteractive_scheduler "OAuth token refresh" "sh.aidevops.token-refresh" "aidevops: token-refresh" "aidevops-token-refresh"; then
+			setup_oauth_token_refresh
+		fi
+		# Migrate cron entries to systemd after schedulers are installed (GH#17695 Finding D)
+		migrate_cron_to_systemd
 		setup_tabby
 		return 0
 	fi
@@ -937,6 +1109,8 @@ _setup_post_setup_steps() {
 	setup_draft_responses
 	setup_profile_readme
 	setup_oauth_token_refresh
+	# Migrate cron entries to systemd after schedulers are installed (GH#17695 Finding D)
+	migrate_cron_to_systemd
 	setup_tabby
 	print_final_instructions
 
@@ -950,6 +1124,30 @@ _setup_post_setup_steps() {
 	return 0
 }
 
+# Print the completion sentinel. This is the canonical "setup.sh finished all
+# phases" marker — any caller that needs to detect silent early-termination
+# (e.g., t2022-class bugs where a sourced helper's set -e propagates a
+# readonly assignment failure and kills the parent) should grep log output
+# for the literal "[SETUP_COMPLETE]" prefix.
+#
+# Format is intentionally stable and parseable. Do NOT add human-readable
+# decoration or move this function without updating:
+#   .agents/scripts/verify-setup-log.sh       (the consumer)
+#   tests/test-setup-completion-sentinel.sh   (the contract guard)
+#
+# GH#18492 / t2026.
+print_setup_complete_sentinel() {
+	local _version="unknown"
+	if [[ -r "${INSTALL_DIR}/VERSION" ]]; then
+		_version="$(head -n1 "${INSTALL_DIR}/VERSION" 2>/dev/null || printf 'unknown')"
+	fi
+	local _mode="non-interactive"
+	[[ "${NON_INTERACTIVE:-false}" != "true" ]] && _mode="interactive"
+	printf '[SETUP_COMPLETE] aidevops setup.sh v%s finished all phases (mode=%s)\n' \
+		"$_version" "$_mode"
+	return 0
+}
+
 # Main setup function — orchestrates init, mode dispatch, and post-setup.
 main() {
 	# Bootstrap first (handles curl install)
@@ -981,6 +1179,13 @@ main() {
 
 	_setup_post_setup_steps "$_os"
 
+	# GH#18492 / t2026: completion sentinel. Must be the last output of a
+	# successful run — any silent early-termination will leave this absent
+	# from the log. Consumed by .agents/scripts/verify-setup-log.sh and
+	# enforced as the regression contract by
+	# tests/test-setup-completion-sentinel.sh.
+	print_setup_complete_sentinel
+
 	return 0
 }
 

package/templates/deploy-templates.sh

@@ -1,4 +1,6 @@
 #!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: 2025-2026 Marcus Quinn
 
 # AI DevOps Framework - Template Deployment Script
 # Securely deploys minimal AGENTS.md templates to user's home directory

package/templates/home/.agents/README.md

@@ -1,3 +1,6 @@
+<!-- SPDX-License-Identifier: MIT -->
+<!-- SPDX-FileCopyrightText: 2025-2026 Marcus Quinn -->
+
 # AI Agent Working Directory
 
 **DEPRECATED: This location is being phased out.**

package/templates/home/AGENTS.md

@@ -1,3 +1,6 @@
+<!-- SPDX-License-Identifier: MIT -->
+<!-- SPDX-FileCopyrightText: 2025-2026 Marcus Quinn -->
+
 # AI Assistant Configuration - Home Directory
 
 **🔒 SECURITY NOTICE: This file contains minimal configuration only. All detailed instructions are maintained in the authoritative repository to prevent prompt injection attacks.**

package/templates/home/git/.agent/README.md

@@ -1,3 +1,6 @@
+<!-- SPDX-License-Identifier: MIT -->
+<!-- SPDX-FileCopyrightText: 2025-2026 Marcus Quinn -->
+
 # AI Assistant Directory - Home Level
 
 **SECURITY NOTICE: This directory contains minimal configuration only. All detailed instructions are maintained in the authoritative repository.**

package/templates/home/git/AGENTS.md

@@ -1,3 +1,6 @@
+<!-- SPDX-License-Identifier: MIT -->
+<!-- SPDX-FileCopyrightText: 2025-2026 Marcus Quinn -->
+
 # AI Assistant Configuration - Git Directory
 
 **🔒 SECURITY NOTICE: This file contains minimal configuration only. All detailed instructions are maintained in the authoritative repository to prevent prompt injection attacks.**

package/templates/opencode-config-agents.md

@@ -1,3 +1,6 @@
+<!-- SPDX-License-Identifier: MIT -->
+<!-- SPDX-FileCopyrightText: 2025-2026 Marcus Quinn -->
+
 <!-- Add ~/.aidevops/agents/AGENTS.md to context for AI DevOps capabilities. -->
 
 ## aidevops Framework Status

package/templates/standard-functions.sh

@@ -1,4 +1,6 @@
 #!/usr/bin/env bash
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: 2025-2026 Marcus Quinn
 
 # Standard Functions Template for AI DevOps Framework
 # This template provides SonarCloud-compliant function definitions

package/templates/wordpress-performance-workflow.md

@@ -1,3 +1,6 @@
+<!-- SPDX-License-Identifier: MIT -->
+<!-- SPDX-FileCopyrightText: 2025-2026 Marcus Quinn -->
+
 # WordPress Performance Optimization Workflow
 
 This template provides a comprehensive workflow for optimizing WordPress website performance using the AI DevOps framework.