aidevops 3.8.94 → 3.8.96

package/VERSION

@@ -1 +1 @@
-3.8.94
+3.8.96

package/aidevops.sh

@@ -5,7 +5,7 @@
 # AI DevOps Framework CLI
 # Usage: aidevops <command> [options]
 #
-# Version: 3.8.94
+# Version: 3.8.96
 
 set -euo pipefail
 
@@ -1384,10 +1384,12 @@ _help_commands() {
 	echo "  security [cmd]     Full security assessment (posture + hygiene + supply chain)"
 	echo "  contributions      External contributions inbox (bare: status | seed/scan/stop/restart/install/uninstall)"
 	echo "  ip-check <cmd>     IP reputation checks (check/batch/report/providers)"
+	echo "  review-gate <cmd>  Configure review_gate.rate_limit_behavior (list/set/unset)"
 	echo "  secret <cmd>       Manage secrets (set/list/run/init/import/status)"
 	echo "  config <cmd>       Feature toggles (list/get/set/reset/path/help)"
 	echo "  stats <cmd>        LLM usage analytics (summary/models/projects/costs/trend)"
 	echo "  tabby <cmd>        Manage Tabby terminal profiles (sync/status/zshrc/help)"
+	echo "  parent-status <N>  Show decomposition state of parent-task issue #N (alias: ps)"
 	echo "  detect             Find and register aidevops projects"
 	echo "  uninstall          Remove aidevops from your system"
 	echo "  version            Show version information"
@@ -1748,6 +1750,7 @@ main() {
 	model-accounts-pool | map) _dispatch_helper "oauth-pool-helper.sh" "oauth-pool-helper.sh" "$@" ;;
 	client-format) _cmd_client_format "$@" ;;
 	opencode-sandbox | oc-sandbox) _dispatch_helper "opencode-sandbox-helper.sh" "opencode-sandbox-helper.sh" "$@" ;;
+	review-gate | review_gate) _dispatch_helper "review-gate-config-helper.sh" "review-gate-config-helper.sh" "$@" ;;
 	secret | secrets) _dispatch_helper "secret-helper.sh" "secret-helper.sh" "$@" ;;
 	approve) _dispatch_helper "approval-helper.sh" "approval-helper.sh" "$@" ;;
 	signing) _dispatch_helper "signing-setup.sh" "signing-setup.sh" "$@" ;;
@@ -1760,6 +1763,7 @@ main() {
 	stats | observability) _dispatch_helper "observability-helper.sh" "observability-helper.sh" "$@" ;;
 	tabby) _dispatch_helper "tabby-helper.sh" "tabby-helper.sh" "$@" ;;
 	init-routines) _dispatch_helper "init-routines-helper.sh" "init-routines-helper.sh" "$@" ;;
+	parent-status | ps) _dispatch_helper "parent-status-helper.sh" "parent-status-helper.sh" "$@" ;;
 	config | configure) _dispatch_config "$@" ;;
 	uninstall | remove) cmd_uninstall ;;
 	version | v | -v | --version) cmd_version ;;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aidevops",
-  "version": "3.8.94",
+  "version": "3.8.96",
   "description": "AI DevOps Framework - AI-assisted development workflows, code quality, and deployment automation",
   "type": "module",
   "bin": {

package/setup-modules/schedulers.sh

@@ -9,6 +9,11 @@
 # Keep pulse workers alive long enough for opus-tier dispatches.
 PULSE_STALE_THRESHOLD_SECONDS=1800
 
+# Cron expression: top of every hour. Shared by stats-wrapper,
+# contribution-watch, and profile-readme schedulers — keep DRY so a
+# future cadence shift only touches one place.
+CRON_HOURLY="0 * * * *"
+
 # Resolve the modern bash binary path for use in launchd ProgramArguments.
 # Launchd bypasses the shebang when ProgramArguments specifies an explicit
 # interpreter, so we must resolve the path at plist generation time.
@@ -263,12 +268,14 @@ PULSE_STALE_THRESHOLD=${PULSE_STALE_THRESHOLD_SECONDS}"
 }
 
 # Read supervisor.pulse_interval_seconds from settings.json.
-# Falls back to 120 if the file is missing, the key is absent, or jq is unavailable.
+# Falls back to 180 if the file is missing, the key is absent, or jq is unavailable.
 # Clamps to the validated range [30, 3600].
 # GH#18018: previously this was hardcoded as "120" in _install_supervisor_pulse.
+# t2744: default raised 120 → 180 to reduce GraphQL pressure (33% fewer cycles)
+#        on multi-repo setups where per-cycle cost chronically exceeds 5000/hr.
 _read_pulse_interval_seconds() {
 	local _settings_file="$HOME/.config/aidevops/settings.json"
-	local _interval=120
+	local _interval=180
 
 	if command -v jq >/dev/null 2>&1 && [[ -f "$_settings_file" ]]; then
 		local _raw
@@ -492,9 +499,100 @@ _build_pulse_headless_env_xml() {
 	return 0
 }
 
+# Read user-owned plist env override file and emit XML key/string pairs
+# for the matching label's env vars. Keys prefixed with _ are skipped
+# (used as comments in the JSON template).
+#
+# Args: $1=plist_label (e.g. "com.aidevops.aidevops-supervisor-pulse")
+#       $2=override_file (absolute path; default ~/.agents/configs/plist-env-overrides.json)
+#       $3=indent (string to prepend each line; default "\t\t")
+#
+# Returns 0 on success (including empty result when label not found).
+# Prints WARN to stderr and returns 0 when file is present but malformed.
+# Emits nothing when file is absent.
+_build_plist_env_overrides_xml() {
+	local _label="$1"
+	local _override_file="${2:-$HOME/.aidevops/agents/configs/plist-env-overrides.json}"
+	local _indent="${3:-		}"
+
+	# Missing file is the normal case (user has not created the override file yet)
+	[[ -f "$_override_file" ]] || return 0
+
+	# Require jq — without it we cannot parse JSON safely
+	if ! command -v jq >/dev/null 2>&1; then
+		echo "[schedulers] WARN: jq not found; skipping plist-env-overrides.json injection" >&2
+		return 0
+	fi
+
+	# Validate JSON
+	if ! jq empty "$_override_file" 2>/dev/null; then
+		echo "[schedulers] WARN: plist-env-overrides.json is malformed; skipping injection (file: $_override_file)" >&2
+		return 0
+	fi
+
+	# Extract key=value pairs for the matching label; skip _ prefixed keys
+	local _pairs
+	_pairs=$(jq -r --arg label "$_label" '
+		.[$label] // {} |
+		to_entries[] |
+		select(.key | startswith("_") | not) |
+		"\(.key)=\(.value)"
+	' "$_override_file" 2>/dev/null) || return 0
+
+	[[ -z "$_pairs" ]] && return 0
+
+	local _line _key _val _xml_key _xml_val
+	while IFS= read -r _line; do
+		[[ -z "$_line" ]] && continue
+		_key="${_line%%=*}"
+		_val="${_line#*=}"
+		_xml_key=$(_xml_escape "$_key")
+		_xml_val=$(_xml_escape "$_val")
+		printf '%s<key>%s</key>\n%s<string>%s</string>\n' \
+			"$_indent" "$_xml_key" "$_indent" "$_xml_val"
+	done <<<"$_pairs"
+
+	return 0
+}
+
+# Log which env var overrides were injected from plist-env-overrides.json for a label.
+# Prints to stdout (setup.sh output). No-op when file absent or label not found.
+# Args: $1=plist_label, $2=override_file (optional)
+_log_plist_env_overrides() {
+	local _label="$1"
+	local _override_file="${2:-$HOME/.aidevops/agents/configs/plist-env-overrides.json}"
+
+	[[ -f "$_override_file" ]] || return 0
+	command -v jq >/dev/null 2>&1 || return 0
+	jq empty "$_override_file" 2>/dev/null || return 0
+
+	local _keys
+	_keys=$(jq -r --arg label "$_label" '
+		.[$label] // {} |
+		keys[] |
+		select(startswith("_") | not)
+	' "$_override_file" 2>/dev/null) || return 0
+
+	[[ -z "$_keys" ]] && return 0
+
+	local _count
+	_count=$(echo "$_keys" | wc -l | tr -d ' ')
+	local _keys_inline
+	_keys_inline=$(echo "$_keys" | tr '\n' ' ' | sed 's/ $//')
+	print_info "  plist-env-overrides: injected ${_count} var(s) into ${_label}: ${_keys_inline}"
+	return 0
+}
+
 # Generate the full pulse launchd plist XML content.
 # Args: $1=pulse_label, $2=wrapper_script, $3=opencode_bin
 # Prints the complete plist XML to stdout.
+#
+# StartInterval is read from supervisor.pulse_interval_seconds in
+# settings.json via _read_pulse_interval_seconds (default 180 — t2744).
+# Previously this was hardcoded as 120, meaning macOS users could not
+# tune the pulse cadence via settings (Linux/cron path always honoured
+# the setting). The hardcoding is now removed; the macOS path matches
+# the Linux path's behaviour.
 _generate_pulse_plist_content() {
 	local pulse_label="$1"
 	local wrapper_script="$2"
@@ -519,6 +617,17 @@ _generate_pulse_plist_content() {
 	local _xml_bash_bin
 	_xml_bash_bin=$(_xml_escape "$(_resolve_modern_bash)")
 
+	# Resolve the configured pulse interval (settings.json, with default).
+	# Already validated to [30, 3600] inside _read_pulse_interval_seconds.
+	local _pulse_interval_sec
+	_pulse_interval_sec=$(_read_pulse_interval_seconds)
+
+	# Inject user-owned plist env overrides (GH#20563 / t2759).
+	# Reads ~/.aidevops/agents/configs/plist-env-overrides.json when present.
+	# Missing file or label not found → emits nothing (no-op, safe default).
+	local _env_overrides_xml
+	_env_overrides_xml=$(_build_plist_env_overrides_xml "$pulse_label")
+
 	cat <<PLIST
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@@ -532,7 +641,7 @@ _generate_pulse_plist_content() {
 		<string>${_xml_wrapper_script}</string>
 	</array>
 	<key>StartInterval</key>
-	<integer>120</integer>
+	<integer>${_pulse_interval_sec}</integer>
 	<key>StandardOutPath</key>
 	<string>${_xml_home}/.aidevops/logs/pulse-wrapper.log</string>
 	<key>StandardErrorPath</key>
@@ -550,7 +659,7 @@ _generate_pulse_plist_content() {
 		<key>PULSE_STALE_THRESHOLD</key>
 		<string>${PULSE_STALE_THRESHOLD_SECONDS}</string>
 		${_headless_xml_env}
-	</dict>
+${_env_overrides_xml}	</dict>
 	<key>SoftResourceLimits</key>
 	<dict>
 		<key>NumberOfFiles</key>
@@ -579,13 +688,24 @@ _install_pulse_launchd() {
 	# Write the plist (always regenerated to pick up config changes)
 	_generate_pulse_plist_content "$pulse_label" "$wrapper_script" "$opencode_bin" >"$pulse_plist"
 
+	# Resolve interval for the user-facing message (matches what the plist contains).
+	local _interval_sec _interval_label
+	_interval_sec=$(_read_pulse_interval_seconds)
+	if (( _interval_sec % 60 == 0 )); then
+		_interval_label="$((_interval_sec / 60)) min"
+	else
+		_interval_label="${_interval_sec}s"
+	fi
+
 	# shell-portability: ignore next — _install_pulse_launchd is macOS-only (launchd)
 	if launchctl load "$pulse_plist"; then
 		if [[ "$_pulse_installed" == "true" ]]; then
-			print_info "Supervisor pulse updated (launchd config regenerated)"
+			print_info "Supervisor pulse updated (launchd config regenerated, every ${_interval_label})"
 		else
-			print_info "Supervisor pulse enabled (launchd, every 2 min)"
+			print_info "Supervisor pulse enabled (launchd, every ${_interval_label})"
 		fi
+		# Log any user-provided env var overrides that were injected (GH#20563 / t2759)
+		_log_plist_env_overrides "$pulse_label"
 	else
 		print_warning "Failed to load supervisor pulse LaunchAgent"
 	fi
@@ -940,7 +1060,10 @@ _uninstall_pulse() {
 # Setup stats-wrapper scheduler — runs quality sweep and health issue updates
 # separately from the pulse (t1429). Only installed when the supervisor
 # pulse is enabled (stats are useless without it).
-# macOS: launchd plist (every 15 min) | Linux: systemd timer or cron (every 15 min)
+# macOS: launchd plist (hourly) | Linux: systemd timer or cron (hourly)
+# t2744: interval raised from 15 min → hourly. Stats UI is not realtime,
+# the four-times-an-hour cadence drove ~200-400 GraphQL points/hr of pure
+# overhead on multi-repo setups.
 setup_stats_wrapper() {
 	local _pulse_lower="$1"
 	# Use effective pulse state (PULSE_ENABLED) if available; fall back to consent string.
@@ -974,7 +1097,7 @@ setup_stats_wrapper() {
 		<string>${_xml_stats_script}</string>
 	</array>
 	<key>StartInterval</key>
-	<integer>900</integer>
+	<integer>3600</integer>
 	<key>StandardOutPath</key>
 	<string>${_xml_stats_home}/.aidevops/logs/stats.log</string>
 	<key>StandardErrorPath</key>
@@ -995,7 +1118,7 @@ setup_stats_wrapper() {
 PLIST
 			)
 			if _launchd_install_if_changed "$stats_label" "$stats_plist" "$stats_plist_content"; then
-				print_info "Stats wrapper enabled (launchd, every 15 min)"
+				print_info "Stats wrapper enabled (launchd, every hour)"
 			else
 				print_warning "Failed to load stats wrapper LaunchAgent"
 			fi
@@ -1003,12 +1126,12 @@ PLIST
 			_install_scheduler_linux \
 				"$stats_systemd" \
 				"aidevops: stats-wrapper" \
-				"*/15 * * * *" \
+				"$CRON_HOURLY" \
 				"\"${stats_script}\"" \
-				"900" \
+				"3600" \
 				"$stats_log" \
 				"" \
-				"Stats wrapper enabled (every 15 min)" \
+				"Stats wrapper enabled (every hour)" \
 				"Failed to install stats wrapper scheduler" \
 				"true" \
 				"false"
@@ -1503,7 +1626,7 @@ _install_cw_linux() {
 	_install_scheduler_linux \
 		"$cw_systemd" \
 		"aidevops: contribution-watch" \
-		"0 * * * *" \
+		"$CRON_HOURLY" \
 		"\"${cw_script}\" scan" \
 		"3600" \
 		"${_cw_log_dir}/contribution-watch.log" \
@@ -1670,7 +1793,7 @@ _install_profile_readme_scheduler() {
 	_install_scheduler_linux \
 		"$pr_systemd" \
 		"aidevops: profile-readme-update" \
-		"0 * * * *" \
+		"$CRON_HOURLY" \
 		"\"${pr_script}\" update" \
 		"3600" \
 		"$pr_log" \

package/setup-modules/tool-install.sh

@@ -388,6 +388,44 @@ setup_shell_linting_tools() {
 	return 0
 }
 
+setup_setsid_advisory() {
+	# setsid is required to detach pulse workers into their own process group
+	# (t2757, GH#20561). Without it, workers inherit pulse's PGID and are
+	# killed by any PG-scoped signal (launchd unload, restart chain).
+	#
+	# Linux: setsid ships with util-linux (present on all mainstream distros).
+	# macOS: available from macOS 12+ at /usr/bin/setsid. Older versions need
+	#        util-linux via Homebrew (brew install util-linux).
+	if command -v setsid >/dev/null 2>&1; then
+		local setsid_path
+		setsid_path="$(command -v setsid)"
+		print_success "setsid found at $setsid_path (worker process-group isolation enabled)"
+		return 0
+	fi
+
+	# setsid missing — emit an advisory; it's a quality-of-life improvement,
+	# not a hard requirement (pulse falls back to nohup-only).
+	print_warning "setsid not found — pulse workers will share the pulse process group"
+	echo "  Impact: a pulse restart or launchd unload may kill in-flight workers"
+	echo "  (GH#20561 / t2757: worker survived 3/4 dispatches without setsid isolation)"
+	echo ""
+	if [[ "$(uname)" == "Darwin" ]]; then
+		if command -v brew >/dev/null 2>&1; then
+			echo "  Install: brew install util-linux"
+		else
+			echo "  Install Homebrew first, then: brew install util-linux"
+			echo "  Or upgrade to macOS 12+ where /usr/bin/setsid ships by default"
+		fi
+	else
+		echo "  Install: sudo apt install util-linux  # Debian/Ubuntu"
+		echo "           sudo dnf install util-linux  # Fedora/RHEL"
+		echo "           sudo pacman -S util-linux    # Arch"
+	fi
+	echo ""
+
+	return 0
+}
+
 setup_shellcheck_wrapper() {
 	# Replace the real shellcheck binary with our wrapper script to prevent
 	# --external-sources from causing exponential memory growth (GH#2915).

package/setup.sh

@@ -12,7 +12,7 @@ shopt -s inherit_errexit 2>/dev/null || true
 # AI Assistant Server Access Framework Setup Script
 # Helps developers set up the framework for their infrastructure
 #
-# Version: 3.8.94
+# Version: 3.8.96
 #
 # Quick Install:
 #   npm install -g aidevops && aidevops update          (recommended)