aidevops 3.8.70 → 3.8.72

package/VERSION

@@ -1 +1 @@
-3.8.70
+3.8.72

package/aidevops.sh

@@ -5,7 +5,7 @@
 # AI DevOps Framework CLI
 # Usage: aidevops <command> [options]
 #
-# Version: 3.8.70
+# Version: 3.8.72
 
 set -euo pipefail
 
@@ -61,11 +61,31 @@ _timeout_cmd() {
 	fi
 }
 
-print_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
-print_success() { echo -e "${GREEN}[OK]${NC} $1"; }
-print_warning() { echo -e "${YELLOW}[WARN]${NC} $1"; }
-print_error() { echo -e "${RED}[ERROR]${NC} $1"; }
-print_header() { echo -e "${BOLD}${CYAN}$1${NC}"; }
+print_info() {
+	local msg="$1"
+	echo -e "${BLUE}[INFO]${NC} $msg"
+	return 0
+}
+print_success() {
+	local msg="$1"
+	echo -e "${GREEN}[OK]${NC} $msg"
+	return 0
+}
+print_warning() {
+	local msg="$1"
+	echo -e "${YELLOW}[WARN]${NC} $msg"
+	return 0
+}
+print_error() {
+	local msg="$1"
+	echo -e "${RED}[ERROR]${NC} $msg"
+	return 0
+}
+print_header() {
+	local msg="$1"
+	echo -e "${BOLD}${CYAN}$msg${NC}"
+	return 0
+}
 
 # Get current version
 get_version() {
@@ -106,17 +126,20 @@ get_public_release_tag() {
 
 # Check if a command exists
 check_cmd() {
-	command -v "$1" >/dev/null 2>&1
+	local cmd="$1"
+	command -v "$cmd" >/dev/null 2>&1
 }
 
 # Check if a directory exists
 check_dir() {
-	[[ -d "$1" ]]
+	local dir="$1"
+	[[ -d "$dir" ]]
 }
 
 # Check if a file exists
 check_file() {
-	[[ -f "$1" ]]
+	local file="$1"
+	[[ -f "$file" ]]
 }
 
 # Ensure file ends with a trailing newline (prevents malformed appends)
@@ -268,6 +291,61 @@ _compute_repo_registration_defaults() {
 	return 0
 }
 
+# Resolve a worktree path to its canonical main-worktree path, if applicable.
+# Usage: resolve_canonical_repo_path <path>
+# Prints the canonical path to stdout. If the input is already the main
+# worktree, a non-git path, or git is unavailable, prints the input unchanged.
+#
+# Why this exists: `find ~/Git -name .aidevops.json` in auto-discovery and
+# similar scans pick up .aidevops.json files that exist in linked worktrees
+# (because worktrees inherit the working tree contents), and without this
+# guard each worktree gets registered as a separate repo. That's what caused
+# tabby-profile-sync to emit a profile for a worktree directory.
+resolve_canonical_repo_path() {
+	local input_path="$1"
+	local common_dir
+	common_dir=$(git -C "$input_path" rev-parse --git-common-dir 2>/dev/null) || {
+		printf '%s\n' "$input_path"
+		return 0
+	}
+	local own_git_dir
+	own_git_dir=$(git -C "$input_path" rev-parse --git-dir 2>/dev/null) || {
+		printf '%s\n' "$input_path"
+		return 0
+	}
+
+	# Resolve both to absolute paths for a reliable comparison.
+	# git -C <path> returns paths relative to <path> when they are relative.
+	local common_abs own_abs
+	if [[ "$common_dir" = /* ]]; then
+		common_abs=$(cd "$common_dir" 2>/dev/null && pwd -P)
+	else
+		common_abs=$(cd "$input_path/$common_dir" 2>/dev/null && pwd -P)
+	fi
+	if [[ "$own_git_dir" = /* ]]; then
+		own_abs=$(cd "$own_git_dir" 2>/dev/null && pwd -P)
+	else
+		own_abs=$(cd "$input_path/$own_git_dir" 2>/dev/null && pwd -P)
+	fi
+
+	if [[ -z "$common_abs" || -z "$own_abs" || "$common_abs" == "$own_abs" ]]; then
+		# Main worktree or degraded resolution — pass through.
+		printf '%s\n' "$input_path"
+		return 0
+	fi
+
+	# Linked worktree — ask git for the main worktree's working tree path.
+	local main_path
+	main_path=$(git -C "$input_path" worktree list --porcelain 2>/dev/null | awk '/^worktree /{print $2; exit}')
+	if [[ -n "$main_path" && "$main_path" != "$input_path" && -d "$main_path" ]]; then
+		printf '%s\n' "$main_path"
+		return 0
+	fi
+
+	printf '%s\n' "$input_path"
+	return 0
+}
+
 # Register a repo in repos.json
 # Usage: register_repo <path> <version> <features>
 register_repo() {
@@ -283,6 +361,20 @@ register_repo() {
 		return 1
 	fi
 
+	# Resolve linked worktrees to their canonical main-worktree path.
+	# Every registration path (cmd_init, auto-discovery, scan) runs through
+	# register_repo, so the guard here catches all of them — not just the
+	# cmd_init path that previously checked only when WORKTREE_PATH was set.
+	local canonical_path
+	canonical_path=$(resolve_canonical_repo_path "$repo_path")
+	if [[ -n "$canonical_path" && "$canonical_path" != "$repo_path" ]]; then
+		print_info "Resolved worktree to canonical repo: $repo_path → $canonical_path"
+		if ! repo_path=$(cd "$canonical_path" 2>/dev/null && pwd -P); then
+			print_warning "Cannot access canonical path: $canonical_path"
+			return 1
+		fi
+	fi
+
 	if ! command -v jq &>/dev/null; then
 		print_warning "jq not installed - repo tracking disabled"
 		return 0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aidevops",
-  "version": "3.8.70",
+  "version": "3.8.72",
   "description": "AI DevOps Framework - AI-assisted development workflows, code quality, and deployment automation",
   "type": "module",
   "bin": {

package/setup-modules/migrations.sh

@@ -308,6 +308,62 @@ cleanup_stale_bun_opencode() {
 # by the 4-layer role resolution in stats-functions.sh.
 #
 # Gated by a flag file so it runs exactly once per install.
+cleanup_worktree_entries_in_repos_json() {
+	# t2250: `find ~/Git -name .aidevops.json` during auto-discovery picks up
+	# files that exist inside linked worktrees (because worktrees inherit the
+	# working tree). Before the register_repo guard, each worktree ended up as
+	# a separate entry in repos.json — confusing tabby-profile-sync, pulse,
+	# cross-repo tooling, and anything that enumerates `initialized_repos`.
+	#
+	# One-shot migration: scan `initialized_repos[].path`, detect entries that
+	# are linked worktrees (git rev-parse --git-dir != --git-common-dir), and
+	# remove them. Safe to re-run; a flag file suppresses re-execution once
+	# the cleanup has been done on this machine.
+	local flag_file="${HOME}/.aidevops/logs/.migrated-worktree-repos-json-t2250"
+	[[ -f "$flag_file" ]] && return 0
+
+	local repos_json="${HOME}/.config/aidevops/repos.json"
+	[[ -f "$repos_json" ]] || return 0
+
+	command -v jq &>/dev/null || return 0
+	command -v git &>/dev/null || return 0
+
+	local stale_paths=()
+	local path git_dir common_dir
+
+	while IFS= read -r path; do
+		[[ -n "$path" && -d "$path" ]] || continue
+		git_dir=$(git -C "$path" rev-parse --git-dir 2>/dev/null) || continue
+		common_dir=$(git -C "$path" rev-parse --git-common-dir 2>/dev/null) || continue
+		# Normalise to absolute paths for comparison.
+		[[ "$git_dir" = /* ]] || git_dir="$path/$git_dir"
+		[[ "$common_dir" = /* ]] || common_dir="$path/$common_dir"
+		git_dir=$(cd "$git_dir" 2>/dev/null && pwd -P) || git_dir=""
+		common_dir=$(cd "$common_dir" 2>/dev/null && pwd -P) || common_dir=""
+		if [[ -n "$git_dir" && -n "$common_dir" && "$git_dir" != "$common_dir" ]]; then
+			stale_paths+=("$path")
+		fi
+	done < <(jq -r '.initialized_repos[].path // empty' "$repos_json" 2>/dev/null)
+
+	if [[ ${#stale_paths[@]} -gt 0 ]]; then
+		local temp_file="${repos_json}.tmp"
+		local paths_json
+		paths_json=$(printf '%s\n' "${stale_paths[@]}" | jq -R . | jq -s .)
+		jq --argjson stale "$paths_json" \
+			'.initialized_repos |= map(select(.path as $p | ($stale | index($p)) | not))' \
+			"$repos_json" >"$temp_file" && mv "$temp_file" "$repos_json"
+		print_info "Removed ${#stale_paths[@]} worktree entry/entries from repos.json (t2250):"
+		local p
+		for p in "${stale_paths[@]}"; do
+			print_info "  - $p"
+		done
+	fi
+
+	mkdir -p "$(dirname "$flag_file")"
+	date -u +"%Y-%m-%dT%H:%M:%SZ" >"$flag_file"
+	return 0
+}
+
 cleanup_stale_health_issue_caches() {
 	local flag_file="${HOME}/.aidevops/logs/.migrated-health-issue-caches-t1929"
 	[[ -f "$flag_file" ]] && return 0

package/setup-modules/schedulers.sh

@@ -9,6 +9,30 @@
 # Keep pulse workers alive long enough for opus-tier dispatches.
 PULSE_STALE_THRESHOLD_SECONDS=1800
 
+# Resolve the modern bash binary path for use in launchd ProgramArguments.
+# Launchd bypasses the shebang when ProgramArguments specifies an explicit
+# interpreter, so we must resolve the path at plist generation time.
+# Falls back to /bin/bash if no modern bash is available (the re-exec guard
+# in shared-constants.sh provides defense-in-depth). (GH#19632 / t2176)
+_resolve_modern_bash() {
+	local candidate
+	for candidate in /opt/homebrew/bin/bash /usr/local/bin/bash /home/linuxbrew/.linuxbrew/bin/bash; do
+		if [[ -x "$candidate" ]]; then
+			# Verify it's actually bash 4+
+			local ver
+			ver=$("$candidate" -c 'echo "${BASH_VERSINFO[0]}"' 2>/dev/null) || continue
+			if [[ "${ver:-0}" -ge 4 ]]; then
+				printf '%s' "$candidate"
+				return 0
+			fi
+		fi
+	done
+	# No modern bash found — fall back to /bin/bash. The re-exec guard in
+	# shared-constants.sh handles this case at runtime.
+	printf '%s' "/bin/bash"
+	return 0
+}
+
 # Shell safety baseline
 set -Eeuo pipefail
 IFS=$'\n\t'
@@ -490,6 +514,11 @@ _generate_pulse_plist_content() {
 	local _headless_xml_env
 	_headless_xml_env=$(_build_pulse_headless_env_xml)
 
+	# Resolve modern bash for ProgramArguments — launchd bypasses shebangs
+	# when an explicit interpreter is specified. (GH#19632 / t2176)
+	local _xml_bash_bin
+	_xml_bash_bin=$(_xml_escape "$(_resolve_modern_bash)")
+
 	cat <<PLIST
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@@ -499,7 +528,7 @@ _generate_pulse_plist_content() {
 	<string>${pulse_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>${_xml_bash_bin}</string>
 		<string>${_xml_wrapper_script}</string>
 	</array>
 	<key>StartInterval</key>
@@ -941,7 +970,7 @@ setup_stats_wrapper() {
 	<string>${stats_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>${_xml_stats_script}</string>
 	</array>
 	<key>StartInterval</key>
@@ -1040,7 +1069,7 @@ setup_failure_miner() {
 	<string>${miner_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>${_xml_miner_script}</string>
 		<string>create-issues</string>
 		<string>--since-hours</string>
@@ -1137,7 +1166,7 @@ setup_process_guard() {
 	<string>${guard_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>${_xml_guard_script}</string>
 		<string>kill-runaways</string>
 	</array>
@@ -1232,7 +1261,7 @@ setup_memory_pressure_monitor() {
 	<string>${monitor_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>${_xml_monitor_script}</string>
 	</array>
 	<key>StartInterval</key>
@@ -1320,7 +1349,7 @@ setup_screen_time_snapshot() {
 	<string>${st_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>${_xml_st_script}</string>
 		<string>snapshot</string>
 	</array>
@@ -1425,7 +1454,7 @@ _install_cw_launchd() {
 	<string>${cw_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>${_xml_cw_script}</string>
 		<string>scan</string>
 	</array>
@@ -1587,7 +1616,7 @@ _install_profile_readme_launchd() {
 	<string>${pr_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>${_xml_pr_script}</string>
 		<string>update</string>
 	</array>
@@ -1793,7 +1822,7 @@ _install_token_refresh_launchd() {
 	<string>${tr_label}</string>
 	<key>ProgramArguments</key>
 	<array>
-		<string>/bin/bash</string>
+		<string>$(_xml_escape "$(_resolve_modern_bash)")</string>
 		<string>-c</string>
 		<string>&quot;${_xml_tr_script}&quot; refresh anthropic; &quot;${_xml_tr_script}&quot; refresh openai</string>
 	</array>

package/setup.sh

@@ -12,7 +12,7 @@ shopt -s inherit_errexit 2>/dev/null || true
 # AI Assistant Server Access Framework Setup Script
 # Helps developers set up the framework for their infrastructure
 #
-# Version: 3.8.70
+# Version: 3.8.72
 #
 # Quick Install:
 #   npm install -g aidevops && aidevops update          (recommended)
@@ -90,15 +90,17 @@ if [[ -d "$SETUP_MODULES_DIR" ]]; then
 	# shellcheck disable=SC1091
 	source "$SETUP_MODULES_DIR/_privacy_guard.sh"
 	# shellcheck disable=SC1091
+	source "$SETUP_MODULES_DIR/_complexity_guard.sh"
+	# shellcheck disable=SC1091
 	source "$SETUP_MODULES_DIR/_task_id_guard.sh"
 	# shellcheck disable=SC1091
 	source "$SETUP_MODULES_DIR/_canonical_guard.sh"
 fi
 
-print_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
-print_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }
-print_warning() { echo -e "${YELLOW}[WARNING]${NC} $1"; }
-print_error() { echo -e "${RED}[ERROR]${NC} $1"; }
+print_info() { local _m="$1"; echo -e "${BLUE}[INFO]${NC} $_m"; return 0; }
+print_success() { local _m="$1"; echo -e "${GREEN}[SUCCESS]${NC} $_m"; return 0; }
+print_warning() { local _m="$1"; echo -e "${YELLOW}[WARNING]${NC} $_m"; return 0; }
+print_error() { local _m="$1"; echo -e "${RED}[ERROR]${NC} $_m"; return 0; }
 
 # Source shared-constants for config support (is_feature_enabled / config_enabled)
 # Try repo-local first, then deployed location
@@ -245,9 +247,9 @@ _launchd_install_if_changed() {
 
 # Detect whether a scheduler is already installed via launchd, cron, or systemd.
 # Optionally migrates legacy launchd labels / cron entries to launchd on macOS.
-# Args: $1=scheduler_name, $2=launchd_label, $3=legacy_launchd_label,
-#       $4=cron_marker, $5=migrate_script, $6=migrate_arg, $7=migrate_hint
-#       $8=systemd_unit (optional — base name without .timer suffix, e.g. "aidevops-supervisor-pulse")
+# Args: arg1=scheduler_name, arg2=launchd_label, arg3=legacy_launchd_label,
+#       arg4=cron_marker, arg5=migrate_script, arg6=migrate_arg, arg7=migrate_hint
+#       arg8=systemd_unit (optional — base name without .timer suffix, e.g. "aidevops-supervisor-pulse")
 _scheduler_detect_installed() {
 	local scheduler_name="$1"
 	local launchd_label="$2"
@@ -317,7 +319,7 @@ _should_setup_noninteractive_supervisor_pulse() {
 # Generic non-interactive scheduler detection (GH#17695 Finding B).
 # Returns 0 if the named scheduler is already installed on any backend,
 # meaning it should be regenerated during non-interactive setup.
-# Args: $1=name $2=launchd_label $3=cron_marker $4=systemd_unit
+# Args: arg1=name arg2=launchd_label arg3=cron_marker arg4=systemd_unit
 _should_setup_noninteractive_scheduler() {
 	local name="$1"
 	local launchd_label="$2"
@@ -739,7 +741,8 @@ source "$(dirname "${BASH_SOURCE[0]}")/setup-modules/post-setup.sh"
 
 parse_args() {
 	while [[ $# -gt 0 ]]; do
-		case "$1" in
+		local _opt="$1"
+		case "$_opt" in
 		--clean)
 			CLEAN_MODE=true
 			shift
@@ -774,7 +777,7 @@ parse_args() {
 			exit 0
 			;;
 		*)
-			print_error "Unknown option: $1"
+			print_error "Unknown option: $_opt"
 			echo "Use --help for usage information"
 			exit 1
 			;;
@@ -912,6 +915,7 @@ _setup_run_non_interactive() {
 	cleanup_deprecated_mcps
 	cleanup_stale_bun_opencode
 	cleanup_stale_health_issue_caches
+	cleanup_worktree_entries_in_repos_json
 	_cleanup_legacy_model_config
 	validate_opencode_config
 	deploy_aidevops_agents
@@ -957,6 +961,10 @@ _setup_run_non_interactive() {
 	# repo so TODO/todo/README/ISSUE_TEMPLATE pushes to public GitHub repos
 	# are scanned for private slug leaks (t1968).
 	setup_privacy_guard
+	# Install/refresh the complexity-regression pre-push hook in every
+	# initialized repo so pushes that introduce new function-complexity,
+	# nesting-depth, or file-size violations are caught before CI (t2198).
+	setup_complexity_guard
 	# Install/refresh the canonical-on-main post-checkout hook in every
 	# initialized repo so branch switches away from main in the canonical
 	# directory are warned against (t1995). Complements pre-edit-check.sh's
@@ -1023,8 +1031,8 @@ _setup_run_interactive() {
 	confirm_step "Backfill GitHub issue relationships (blocked-by, sub-issues)" && backfill_issue_relationships
 	confirm_step "Cleanup deprecated MCP entries (hetzner, serper, etc.)" && cleanup_deprecated_mcps
 	confirm_step "Cleanup stale bun opencode install" && cleanup_stale_bun_opencode
-	cleanup_stale_health_issue_caches
-	_cleanup_legacy_model_config
+	# Silent one-shot migrations (idempotent, flag-guarded — no prompt needed).
+	cleanup_stale_health_issue_caches; cleanup_worktree_entries_in_repos_json; _cleanup_legacy_model_config
 	confirm_step "Validate and repair OpenCode config schema" && validate_opencode_config
 	confirm_step "Extract OpenCode prompts" && extract_opencode_prompts
 	confirm_step "Check OpenCode prompt drift" && check_opencode_prompt_drift