aidevops 3.8.69 → 3.8.71

package/VERSION

@@ -1 +1 @@
-3.8.69
+3.8.71

package/aidevops.sh

@@ -5,7 +5,7 @@
 # AI DevOps Framework CLI
 # Usage: aidevops <command> [options]
 #
-# Version: 3.8.69
+# Version: 3.8.71
 
 set -euo pipefail
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aidevops",
-  "version": "3.8.69",
+  "version": "3.8.71",
   "description": "AI DevOps Framework - AI-assisted development workflows, code quality, and deployment automation",
   "type": "module",
   "bin": {

package/setup-modules/schedulers.sh

@@ -9,6 +9,30 @@
 # Keep pulse workers alive long enough for opus-tier dispatches.
 PULSE_STALE_THRESHOLD_SECONDS=1800
 
+# Resolve the modern bash binary path for use in launchd ProgramArguments.
+# Launchd bypasses the shebang when ProgramArguments specifies an explicit
+# interpreter, so we must resolve the path at plist generation time.
+# Falls back to /bin/bash if no modern bash is available (the re-exec guard
+# in shared-constants.sh provides defense-in-depth). (GH#19632 / t2176)
+_resolve_modern_bash() {
+	local candidate
+	for candidate in /opt/homebrew/bin/bash /usr/local/bin/bash /home/linuxbrew/.linuxbrew/bin/bash; do
+		if [[ -x "$candidate" ]]; then
+			# Verify it's actually bash 4+
+			local ver
+			ver=$("$candidate" -c 'echo "${BASH_VERSINFO[0]}"' 2>/dev/null) || continue
+			if [[ "${ver:-0}" -ge 4 ]]; then
+				printf '%s' "$candidate"
+				return 0
+			fi
+		fi
+	done
+	# No modern bash found — fall back to /bin/bash. The re-exec guard in
+	# shared-constants.sh handles this case at runtime.
+	printf '%s' "/bin/bash"
+	return 0
+}
+
 # Shell safety baseline
 set -Eeuo pipefail
 IFS=$'\n\t'
@@ -490,6 +514,11 @@ _generate_pulse_plist_content() {
 	local _headless_xml_env
 	_headless_xml_env=$(_build_pulse_headless_env_xml)
 
+	# Resolve modern bash for ProgramArguments — launchd bypasses shebangs
+	# when an explicit interpreter is specified. (GH#19632 / t2176)
+	local _xml_bash_bin
+	_xml_bash_bin=$(_xml_escape "$(_resolve_modern_bash)")
+
 	cat <<PLIST
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@@ -499,7 +528,7 @@ _generate_pulse_plist_content() {
 	<string>${pulse_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>${_xml_bash_bin}</string>
 		<string>${_xml_wrapper_script}</string>
 	</array>
 	<key>StartInterval</key>
@@ -941,7 +970,7 @@ setup_stats_wrapper() {
 	<string>${stats_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>${_xml_stats_script}</string>
 	</array>
 	<key>StartInterval</key>
@@ -1040,7 +1069,7 @@ setup_failure_miner() {
 	<string>${miner_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>${_xml_miner_script}</string>
 		<string>create-issues</string>
 		<string>--since-hours</string>
@@ -1137,7 +1166,7 @@ setup_process_guard() {
 	<string>${guard_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>${_xml_guard_script}</string>
 		<string>kill-runaways</string>
 	</array>
@@ -1232,7 +1261,7 @@ setup_memory_pressure_monitor() {
 	<string>${monitor_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>${_xml_monitor_script}</string>
 	</array>
 	<key>StartInterval</key>
@@ -1320,7 +1349,7 @@ setup_screen_time_snapshot() {
 	<string>${st_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>${_xml_st_script}</string>
 		<string>snapshot</string>
 	</array>
@@ -1425,7 +1454,7 @@ _install_cw_launchd() {
 	<string>${cw_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>${_xml_cw_script}</string>
 		<string>scan</string>
 	</array>
@@ -1587,7 +1616,7 @@ _install_profile_readme_launchd() {
 	<string>${pr_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>${_xml_pr_script}</string>
 		<string>update</string>
 	</array>
@@ -1793,7 +1822,7 @@ _install_token_refresh_launchd() {
 	<string>${tr_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>-c</string>
 		<string>&quot;${_xml_tr_script}&quot; refresh anthropic; &quot;${_xml_tr_script}&quot; refresh openai</string>
 	</array>
@@ -1866,6 +1895,62 @@ setup_oauth_token_refresh() {
 	return 0
 }
 
+# Setup opencode DB maintenance scheduler (r913, t2183).
+# Runs weekly (Sun 04:00 local) to checkpoint/optimize/vacuum opencode.db.
+# The helper self-noops on missing DB, so installing unconditionally is safe —
+# a non-opencode machine wakes up weekly, sees no DB, exits 0 silently.
+#
+# Platform split (mirrors the pattern for token-refresh):
+#   macOS    — helper owns its plist generation via cmd_install (Approach B).
+#   Linux    — _install_scheduler_linux with cron `0 4 * * 0` + systemd
+#              OnCalendar `Sun *-*-* 04:00:00` for accurate wall-clock firing.
+#   Windows  — TODO(t2183-followup): opencode on Windows is rare and the
+#              helper self-noops on missing DB, so leaving unscheduled is
+#              low-risk for this iteration.
+setup_opencode_db_maintenance() {
+	local ocdbm_script="$HOME/.aidevops/agents/scripts/opencode-db-maintenance-helper.sh"
+	if ! [[ -x "$ocdbm_script" ]]; then
+		return 0
+	fi
+
+	local ocdbm_log_dir="$HOME/.aidevops/.agent-workspace/logs"
+	mkdir -p "$ocdbm_log_dir"
+
+	if [[ "$(uname -s)" == "Darwin" ]]; then
+		# Helper owns its own plist generation (Approach B, like repo-sync).
+		# Quiet the helper's multi-line output and emit one consolidated line
+		# to match the style of setup_profile_readme / setup_oauth_token_refresh.
+		if bash "$ocdbm_script" install >/dev/null 2>&1; then
+			print_info "OpenCode DB maintenance enabled (launchd, weekly Sun 04:00)"
+		else
+			print_warning "Failed to install opencode DB maintenance LaunchAgent"
+		fi
+	elif _is_windows; then
+		# Windows scheduling deferred — helper self-noops on missing DB so
+		# the cost of leaving unscheduled is ~0 until opencode lands on
+		# Windows in quantity.
+		return 0
+	else
+		# Linux / WSL: prefer systemd user timer, fall back to cron.
+		# Weekly Sunday 04:00 local — cron: `0 4 * * 0`; systemd OnCalendar
+		# ensures wall-clock firing even across suspends/reboots.
+		_install_scheduler_linux \
+			"aidevops-opencode-db-maintenance" \
+			"aidevops: opencode-db-maintenance" \
+			"0 4 * * 0" \
+			"\"${ocdbm_script}\" auto" \
+			"604800" \
+			"${ocdbm_log_dir}/opencode-db-maintenance.log" \
+			"" \
+			"OpenCode DB maintenance enabled (weekly Sun 04:00)" \
+			"Failed to install opencode DB maintenance scheduler" \
+			"false" \
+			"true" \
+			"Sun *-*-* 04:00:00"
+	fi
+	return 0
+}
+
 # Setup repo-sync scheduler if not already installed.
 # Keeps local git repos up to date with daily ff-only pulls.
 # Respects config: aidevops config set orchestration.repo_sync false

package/setup.sh

@@ -12,7 +12,7 @@ shopt -s inherit_errexit 2>/dev/null || true
 # AI Assistant Server Access Framework Setup Script
 # Helps developers set up the framework for their infrastructure
 #
-# Version: 3.8.69
+# Version: 3.8.71
 #
 # Quick Install:
 #   npm install -g aidevops && aidevops update          (recommended)
@@ -90,15 +90,17 @@ if [[ -d "$SETUP_MODULES_DIR" ]]; then
 	# shellcheck disable=SC1091
 	source "$SETUP_MODULES_DIR/_privacy_guard.sh"
 	# shellcheck disable=SC1091
+	source "$SETUP_MODULES_DIR/_complexity_guard.sh"
+	# shellcheck disable=SC1091
 	source "$SETUP_MODULES_DIR/_task_id_guard.sh"
 	# shellcheck disable=SC1091
 	source "$SETUP_MODULES_DIR/_canonical_guard.sh"
 fi
 
-print_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
-print_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }
-print_warning() { echo -e "${YELLOW}[WARNING]${NC} $1"; }
-print_error() { echo -e "${RED}[ERROR]${NC} $1"; }
+print_info() { local _m="$1"; echo -e "${BLUE}[INFO]${NC} $_m"; return 0; }
+print_success() { local _m="$1"; echo -e "${GREEN}[SUCCESS]${NC} $_m"; return 0; }
+print_warning() { local _m="$1"; echo -e "${YELLOW}[WARNING]${NC} $_m"; return 0; }
+print_error() { local _m="$1"; echo -e "${RED}[ERROR]${NC} $_m"; return 0; }
 
 # Source shared-constants for config support (is_feature_enabled / config_enabled)
 # Try repo-local first, then deployed location
@@ -245,9 +247,9 @@ _launchd_install_if_changed() {
 
 # Detect whether a scheduler is already installed via launchd, cron, or systemd.
 # Optionally migrates legacy launchd labels / cron entries to launchd on macOS.
-# Args: $1=scheduler_name, $2=launchd_label, $3=legacy_launchd_label,
-#       $4=cron_marker, $5=migrate_script, $6=migrate_arg, $7=migrate_hint
-#       $8=systemd_unit (optional — base name without .timer suffix, e.g. "aidevops-supervisor-pulse")
+# Args: arg1=scheduler_name, arg2=launchd_label, arg3=legacy_launchd_label,
+#       arg4=cron_marker, arg5=migrate_script, arg6=migrate_arg, arg7=migrate_hint
+#       arg8=systemd_unit (optional — base name without .timer suffix, e.g. "aidevops-supervisor-pulse")
 _scheduler_detect_installed() {
 	local scheduler_name="$1"
 	local launchd_label="$2"
@@ -317,7 +319,7 @@ _should_setup_noninteractive_supervisor_pulse() {
 # Generic non-interactive scheduler detection (GH#17695 Finding B).
 # Returns 0 if the named scheduler is already installed on any backend,
 # meaning it should be regenerated during non-interactive setup.
-# Args: $1=name $2=launchd_label $3=cron_marker $4=systemd_unit
+# Args: arg1=name arg2=launchd_label arg3=cron_marker arg4=systemd_unit
 _should_setup_noninteractive_scheduler() {
 	local name="$1"
 	local launchd_label="$2"
@@ -739,7 +741,8 @@ source "$(dirname "${BASH_SOURCE[0]}")/setup-modules/post-setup.sh"
 
 parse_args() {
 	while [[ $# -gt 0 ]]; do
-		case "$1" in
+		local _opt="$1"
+		case "$_opt" in
 		--clean)
 			CLEAN_MODE=true
 			shift
@@ -774,7 +777,7 @@ parse_args() {
 			exit 0
 			;;
 		*)
-			print_error "Unknown option: $1"
+			print_error "Unknown option: $_opt"
 			echo "Use --help for usage information"
 			exit 1
 			;;
@@ -957,6 +960,10 @@ _setup_run_non_interactive() {
 	# repo so TODO/todo/README/ISSUE_TEMPLATE pushes to public GitHub repos
 	# are scanned for private slug leaks (t1968).
 	setup_privacy_guard
+	# Install/refresh the complexity-regression pre-push hook in every
+	# initialized repo so pushes that introduce new function-complexity,
+	# nesting-depth, or file-size violations are caught before CI (t2198).
+	setup_complexity_guard
 	# Install/refresh the canonical-on-main post-checkout hook in every
 	# initialized repo so branch switches away from main in the canonical
 	# directory are warned against (t1995). Complements pre-edit-check.sh's
@@ -1131,6 +1138,9 @@ _setup_post_setup_steps() {
 		if _should_setup_noninteractive_scheduler "OAuth token refresh" "sh.aidevops.token-refresh" "aidevops: token-refresh" "aidevops-token-refresh"; then
 			setup_oauth_token_refresh
 		fi
+		# opencode DB maintenance (r913, t2183). Helper self-noops on missing
+		# DB — safe to install unconditionally in non-interactive mode too.
+		setup_opencode_db_maintenance
 		# Migrate cron entries to systemd after schedulers are installed (GH#17695 Finding D)
 		migrate_cron_to_systemd
 		setup_tabby
@@ -1150,6 +1160,7 @@ _setup_post_setup_steps() {
 	setup_draft_responses
 	setup_profile_readme
 	setup_oauth_token_refresh
+	setup_opencode_db_maintenance
 	# Migrate cron entries to systemd after schedulers are installed (GH#17695 Finding D)
 	migrate_cron_to_systemd
 	setup_tabby