shipwright-cli 2.4.0 → 3.1.0

package/scripts/lib/pipeline-github.sh

@@ -9,14 +9,14 @@ gh_init() {
         return
     fi
 
-    if ! command -v gh &>/dev/null; then
+    if ! command -v gh >/dev/null 2>&1; then
         GH_AVAILABLE=false
         warn "gh CLI not found — GitHub integration disabled"
         return
     fi
 
     # Check if authenticated
-    if ! gh auth status &>/dev/null 2>&1; then
+    if ! gh auth status >/dev/null 2>&1; then
         GH_AVAILABLE=false
         warn "gh not authenticated — GitHub integration disabled"
         return
@@ -46,7 +46,7 @@ gh_init() {
 gh_comment_issue() {
     [[ "$GH_AVAILABLE" != "true" ]] && return 0
     local issue_num="$1" body="$2"
-    gh issue comment "$issue_num" --body "$body" 2>/dev/null || true
+    _timeout 30 gh issue comment "$issue_num" --body "$body" 2>/dev/null || true
 }
 
 # Post a progress-tracking comment and save its ID for later updates
@@ -56,7 +56,7 @@ gh_post_progress() {
     local issue_num="$1" body="$2"
     local result
     result=$(gh api "repos/${REPO_OWNER}/${REPO_NAME}/issues/${issue_num}/comments" \
-        -f body="$body" --jq '.id' 2>/dev/null) || true
+        -f body="$body" --jq '.id' --timeout 30 2>/dev/null) || true
     if [[ -n "$result" && "$result" != "null" ]]; then
         PROGRESS_COMMENT_ID="$result"
     fi
@@ -68,7 +68,7 @@ gh_update_progress() {
     [[ "$GH_AVAILABLE" != "true" || -z "$PROGRESS_COMMENT_ID" ]] && return 0
     local body="$1"
     gh api "repos/${REPO_OWNER}/${REPO_NAME}/issues/comments/${PROGRESS_COMMENT_ID}" \
-        -X PATCH -f body="$body" 2>/dev/null || true
+        -X PATCH -f body="$body" --timeout 30 2>/dev/null || true
 }
 
 # Add labels to an issue or PR
@@ -77,7 +77,7 @@ gh_add_labels() {
     [[ "$GH_AVAILABLE" != "true" ]] && return 0
     local issue_num="$1" labels="$2"
     [[ -z "$labels" ]] && return 0
-    gh issue edit "$issue_num" --add-label "$labels" 2>/dev/null || true
+    _timeout 30 gh issue edit "$issue_num" --add-label "$labels" 2>/dev/null || true
 }
 
 # Remove a label from an issue
@@ -85,7 +85,7 @@ gh_add_labels() {
 gh_remove_label() {
     [[ "$GH_AVAILABLE" != "true" ]] && return 0
     local issue_num="$1" label="$2"
-    gh issue edit "$issue_num" --remove-label "$label" 2>/dev/null || true
+    _timeout 30 gh issue edit "$issue_num" --remove-label "$label" 2>/dev/null || true
 }
 
 # Self-assign an issue
@@ -93,7 +93,7 @@ gh_remove_label() {
 gh_assign_self() {
     [[ "$GH_AVAILABLE" != "true" ]] && return 0
     local issue_num="$1"
-    gh issue edit "$issue_num" --add-assignee "@me" 2>/dev/null || true
+    _timeout 30 gh issue edit "$issue_num" --add-assignee "@me" 2>/dev/null || true
 }
 
 # Get full issue metadata as JSON
@@ -101,7 +101,7 @@ gh_assign_self() {
 gh_get_issue_meta() {
     [[ "$GH_AVAILABLE" != "true" ]] && return 0
     local issue_num="$1"
-    gh issue view "$issue_num" --json title,body,labels,milestone,assignees,comments,number,state 2>/dev/null || true
+    _timeout 30 gh issue view "$issue_num" --json title,body,labels,milestone,assignees,comments,number,state 2>/dev/null || true
 }
 
 # Build a progress table for GitHub comment

package/scripts/lib/pipeline-intelligence.sh

@@ -106,8 +106,45 @@ pipeline_should_skip_stage() {
 # Returns JSON with classified findings and routing recommendations.
 # ──────────────────────────────────────────────────────────────────────────────
 classify_quality_findings() {
-    local findings_dir="$ARTIFACTS_DIR"
-    local result_file="$ARTIFACTS_DIR/classified-findings.json"
+    local findings_dir="${1:-$ARTIFACTS_DIR}"
+    local result_file="$findings_dir/classified-findings.json"
+
+    # Build combined content for semantic classification
+    local content=""
+    if [[ -f "$findings_dir/adversarial-review.md" ]]; then
+        content="${content}
+--- adversarial-review.md ---
+$(head -500 "$findings_dir/adversarial-review.md" 2>/dev/null)"
+    fi
+    if [[ -f "$findings_dir/negative-review.md" ]]; then
+        content="${content}
+--- negative-review.md ---
+$(head -300 "$findings_dir/negative-review.md" 2>/dev/null)"
+    fi
+    if [[ -f "$findings_dir/security-audit.log" ]]; then
+        content="${content}
+--- security-audit.log ---
+$(cat "$findings_dir/security-audit.log" 2>/dev/null)"
+    fi
+    if [[ -f "$findings_dir/compound-architecture-validation.json" ]]; then
+        content="${content}
+--- compound-architecture-validation.json ---
+$(jq -r '.[] | "\(.severity): \(.message // .description // .)"' "$findings_dir/compound-architecture-validation.json" 2>/dev/null | head -50)"
+    fi
+
+    # Try semantic classification first when Claude is available
+    local route=""
+    if command -v claude &>/dev/null && [[ "${INTELLIGENCE_ENABLED:-false}" != "false" ]] && [[ -n "$content" ]]; then
+        local prompt="Classify these code review findings into exactly ONE primary category. Return ONLY a single word: security, architecture, correctness, performance, testing, documentation, style.
+
+Findings:
+$content"
+        local category
+        category=$(echo "$prompt" | timeout 30 claude -p --model sonnet 2>/dev/null | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
+        if [[ "$category" =~ ^(security|architecture|correctness|performance|testing|documentation|style)$ ]]; then
+            route="$category"
+        fi
+    fi
 
     # Initialize counters
     local arch_count=0 security_count=0 correctness_count=0 performance_count=0 testing_count=0 style_count=0
@@ -173,40 +210,53 @@ classify_quality_findings() {
     fi
 
     # ── Determine routing ──
-    # Priority order: security > architecture > correctness > performance > testing > style
-    local route="correctness"  # default
+    # Use semantic classification when available; else fall back to grep-derived priority
     local needs_backtrack=false
     local priority_findings=""
 
-    if [[ "$security_count" -gt 0 ]]; then
-        route="security"
-        priority_findings="security:${security_count}"
-    fi
+    if [[ -z "$route" ]]; then
+        # Fallback: grep-based priority order: security > architecture > correctness > performance > testing > style
+        route="correctness"
 
-    if [[ "$arch_count" -gt 0 ]]; then
-        if [[ "$route" == "correctness" ]]; then
-            route="architecture"
-            needs_backtrack=true
+        if [[ "$security_count" -gt 0 ]]; then
+            route="security"
+            priority_findings="security:${security_count}"
         fi
-        priority_findings="${priority_findings:+${priority_findings},}architecture:${arch_count}"
-    fi
 
-    if [[ "$correctness_count" -gt 0 ]]; then
-        priority_findings="${priority_findings:+${priority_findings},}correctness:${correctness_count}"
-    fi
+        if [[ "$arch_count" -gt 0 ]]; then
+            if [[ "$route" == "correctness" ]]; then
+                route="architecture"
+                needs_backtrack=true
+            fi
+            priority_findings="${priority_findings:+${priority_findings},}architecture:${arch_count}"
+        fi
 
-    if [[ "$performance_count" -gt 0 ]]; then
-        if [[ "$route" == "correctness" && "$correctness_count" -eq 0 ]]; then
-            route="performance"
+        if [[ "$correctness_count" -gt 0 ]]; then
+            priority_findings="${priority_findings:+${priority_findings},}correctness:${correctness_count}"
+        fi
+
+        if [[ "$performance_count" -gt 0 ]]; then
+            if [[ "$route" == "correctness" && "$correctness_count" -eq 0 ]]; then
+                route="performance"
+            fi
+            priority_findings="${priority_findings:+${priority_findings},}performance:${performance_count}"
         fi
-        priority_findings="${priority_findings:+${priority_findings},}performance:${performance_count}"
-    fi
 
-    if [[ "$testing_count" -gt 0 ]]; then
-        if [[ "$route" == "correctness" && "$correctness_count" -eq 0 && "$performance_count" -eq 0 ]]; then
-            route="testing"
+        if [[ "$testing_count" -gt 0 ]]; then
+            if [[ "$route" == "correctness" && "$correctness_count" -eq 0 && "$performance_count" -eq 0 ]]; then
+                route="testing"
+            fi
+            priority_findings="${priority_findings:+${priority_findings},}testing:${testing_count}"
         fi
-        priority_findings="${priority_findings:+${priority_findings},}testing:${testing_count}"
+    else
+        # Semantic route: build priority_findings from counts, set needs_backtrack for architecture
+        [[ "$route" == "architecture" ]] && needs_backtrack=true
+        [[ "$arch_count" -gt 0 ]] && priority_findings="architecture:${arch_count}"
+        [[ "$security_count" -gt 0 ]] && priority_findings="${priority_findings:+${priority_findings},}security:${security_count}"
+        [[ "$correctness_count" -gt 0 ]] && priority_findings="${priority_findings:+${priority_findings},}correctness:${correctness_count}"
+        [[ "$performance_count" -gt 0 ]] && priority_findings="${priority_findings:+${priority_findings},}performance:${performance_count}"
+        [[ "$testing_count" -gt 0 ]] && priority_findings="${priority_findings:+${priority_findings},}testing:${testing_count}"
+        [[ -z "$priority_findings" ]] && priority_findings="${route}:1"
     fi
 
     # Style findings don't affect routing or count toward failure threshold
@@ -749,7 +799,7 @@ pipeline_record_quality_score() {
     rm -f "$tmp_score"
 
     # Rotate quality scores file to prevent unbounded growth
-    type rotate_jsonl &>/dev/null 2>&1 && rotate_jsonl "$scores_file" 5000
+    type rotate_jsonl >/dev/null 2>&1 && rotate_jsonl "$scores_file" 5000
 
     emit_event "pipeline.quality_score_recorded" \
         "issue=${ISSUE_NUMBER:-0}" \
@@ -1098,7 +1148,16 @@ stage_compound_quality() {
     _cq_real_changes=$(git diff --name-only "origin/${BASE_BRANCH:-main}...HEAD" \
         -- . ':!.claude/loop-state.md' ':!.claude/pipeline-state.md' \
         ':!.claude/pipeline-artifacts/*' ':!**/progress.md' \
-        ':!**/error-summary.json' 2>/dev/null | wc -l | xargs || echo "0")
+        ':!**/error-summary.json' 2>/dev/null | wc -l || echo "0")
+    _cq_real_changes=$(echo "$_cq_real_changes" | tr -d '[:space:]')
+    [[ -z "$_cq_real_changes" ]] && _cq_real_changes=0
+    # Fallback: if no remote, compare against first commit
+    if [[ "$_cq_real_changes" -eq 0 ]] 2>/dev/null; then
+        _cq_real_changes=$(git diff --name-only "$(git rev-list --max-parents=0 HEAD 2>/dev/null)...HEAD" \
+            -- . ':!.claude/*' ':!**/progress.md' ':!**/error-summary.json' 2>/dev/null | wc -l || echo "0")
+        _cq_real_changes=$(echo "$_cq_real_changes" | tr -d '[:space:]')
+        [[ -z "$_cq_real_changes" ]] && _cq_real_changes=0
+    fi
     if [[ "${_cq_real_changes:-0}" -eq 0 ]]; then
         error "Compound quality: no meaningful code changes found — failing quality gate"
         return 1
@@ -1117,7 +1176,7 @@ stage_compound_quality() {
 
     # Intelligent audit selection
     local audit_plan='{"adversarial":"targeted","architecture":"targeted","simulation":"targeted","security":"targeted","dod":"targeted"}'
-    if type pipeline_select_audits &>/dev/null 2>&1; then
+    if type pipeline_select_audits >/dev/null 2>&1; then
         local _selected
         _selected=$(pipeline_select_audits 2>/dev/null) || true
         if [[ -n "$_selected" && "$_selected" != "null" ]]; then
@@ -1157,8 +1216,11 @@ stage_compound_quality() {
 
     # 2. Test coverage check
     local coverage_pct=0
-    coverage_pct=$(run_test_coverage_check 2>/dev/null) || coverage_pct=0
+    coverage_pct=$(run_test_coverage_check 2>/dev/null | tr -d '[:space:][:cntrl:]') || coverage_pct=0
     coverage_pct="${coverage_pct:-0}"
+    # Sanitize: strip anything non-numeric (ANSI codes, whitespace, etc.)
+    coverage_pct=$(echo "$coverage_pct" | sed 's/[^0-9]//g')
+    [[ -z "$coverage_pct" ]] && coverage_pct=0
 
     if [[ "$coverage_pct" != "skip" ]]; then
         if [[ "$coverage_pct" -lt "${PIPELINE_COVERAGE_THRESHOLD:-60}" ]]; then
@@ -1204,16 +1266,21 @@ stage_compound_quality() {
     fi
 
     # Vitals-driven adaptive cycle limit (preferred)
+    # Respect the template's max_cycles as a ceiling — vitals can only reduce, not inflate
     local base_max_cycles="$max_cycles"
-    if type pipeline_adaptive_limit &>/dev/null 2>&1; then
+    local template_max_cycles="$max_cycles"
+    if type pipeline_adaptive_limit >/dev/null 2>&1; then
         local _cq_vitals=""
-        if type pipeline_compute_vitals &>/dev/null 2>&1; then
+        if type pipeline_compute_vitals >/dev/null 2>&1; then
             _cq_vitals=$(pipeline_compute_vitals "$STATE_FILE" "$ARTIFACTS_DIR" "${ISSUE_NUMBER:-}" 2>/dev/null) || true
         fi
         local vitals_cq_limit
         vitals_cq_limit=$(pipeline_adaptive_limit "compound_quality" "$_cq_vitals" 2>/dev/null) || true
         if [[ -n "$vitals_cq_limit" && "$vitals_cq_limit" =~ ^[0-9]+$ && "$vitals_cq_limit" -gt 0 ]]; then
-            max_cycles="$vitals_cq_limit"
+            # Cap at template max — don't let vitals override the pipeline template's intent
+            if [[ "$vitals_cq_limit" -le "$template_max_cycles" ]]; then
+                max_cycles="$vitals_cq_limit"
+            fi
             if [[ "$max_cycles" != "$base_max_cycles" ]]; then
                 info "Vitals-driven cycles: ${base_max_cycles} → ${max_cycles} (compound_quality)"
             fi
@@ -1270,7 +1337,7 @@ stage_compound_quality() {
         fi
 
         # 3. Developer Simulation (intelligence module)
-        if type simulation_review &>/dev/null 2>&1; then
+        if type simulation_review >/dev/null 2>&1; then
             local sim_enabled
             sim_enabled=$(jq -r '.intelligence.simulation_enabled // false' "$PIPELINE_CONFIG" 2>/dev/null || echo "false")
             local daemon_cfg="${PROJECT_ROOT}/.claude/daemon-config.json"
@@ -1310,7 +1377,7 @@ stage_compound_quality() {
         fi
 
         # 4. Architecture Enforcer (intelligence module)
-        if type architecture_validate_changes &>/dev/null 2>&1; then
+        if type architecture_validate_changes >/dev/null 2>&1; then
             local arch_enabled
             arch_enabled=$(jq -r '.intelligence.architecture_enabled // false' "$PIPELINE_CONFIG" 2>/dev/null || echo "false")
             local daemon_cfg="${PROJECT_ROOT}/.claude/daemon-config.json"
@@ -1474,7 +1541,7 @@ All quality checks clean:
 
             # DoD verification on successful pass
             local _dod_pass_rate=100
-            if type pipeline_verify_dod &>/dev/null 2>&1; then
+            if type pipeline_verify_dod >/dev/null 2>&1; then
                 pipeline_verify_dod "$ARTIFACTS_DIR" 2>/dev/null || true
                 if [[ -f "$ARTIFACTS_DIR/dod-verification.json" ]]; then
                     _dod_pass_rate=$(jq -r '.pass_rate // 100' "$ARTIFACTS_DIR/dod-verification.json" 2>/dev/null || echo "100")
@@ -1496,7 +1563,7 @@ All quality checks clean:
 
             # DoD verification on successful pass
             local _dod_pass_rate=100
-            if type pipeline_verify_dod &>/dev/null 2>&1; then
+            if type pipeline_verify_dod >/dev/null 2>&1; then
                 pipeline_verify_dod "$ARTIFACTS_DIR" 2>/dev/null || true
                 if [[ -f "$ARTIFACTS_DIR/dod-verification.json" ]]; then
                     _dod_pass_rate=$(jq -r '.pass_rate // 100' "$ARTIFACTS_DIR/dod-verification.json" 2>/dev/null || echo "100")
@@ -1590,7 +1657,7 @@ All quality checks clean:
 
     # DoD verification
     local _dod_pass_rate=0
-    if type pipeline_verify_dod &>/dev/null 2>&1; then
+    if type pipeline_verify_dod >/dev/null 2>&1; then
         pipeline_verify_dod "$ARTIFACTS_DIR" 2>/dev/null || true
         if [[ -f "$ARTIFACTS_DIR/dod-verification.json" ]]; then
             _dod_pass_rate=$(jq -r '.pass_rate // 0' "$ARTIFACTS_DIR/dod-verification.json" 2>/dev/null || echo "0")

package/scripts/lib/pipeline-quality-checks.sh

@@ -10,15 +10,15 @@ quality_check_security() {
     local tool_found=false
 
     # Try npm audit
-    if [[ -f "package.json" ]] && command -v npm &>/dev/null; then
+    if [[ -f "package.json" ]] && command -v npm >/dev/null 2>&1; then
         tool_found=true
         npm audit --production 2>&1 | tee "$audit_log" || audit_exit=$?
     # Try pip-audit
-    elif [[ -f "requirements.txt" || -f "pyproject.toml" ]] && command -v pip-audit &>/dev/null; then
+    elif [[ -f "requirements.txt" || -f "pyproject.toml" ]] && command -v pip-audit >/dev/null 2>&1; then
         tool_found=true
         pip-audit 2>&1 | tee "$audit_log" || audit_exit=$?
     # Try cargo audit
-    elif [[ -f "Cargo.toml" ]] && command -v cargo-audit &>/dev/null; then
+    elif [[ -f "Cargo.toml" ]] && command -v cargo-audit >/dev/null 2>&1; then
         tool_found=true
         cargo audit 2>&1 | tee "$audit_log" || audit_exit=$?
     fi
@@ -170,7 +170,7 @@ quality_check_bundle_size() {
     mv "$tmp_bundle_hist" "$bundle_history_file" 2>/dev/null || true
 
     # Intelligence: identify top dependency bloaters
-    if type intelligence_search_memory &>/dev/null 2>&1 && [[ -f "package.json" ]] && command -v jq &>/dev/null; then
+    if type intelligence_search_memory >/dev/null 2>&1 && [[ -f "package.json" ]] && command -v jq >/dev/null 2>&1; then
         local dep_sizes=""
         local deps
         deps=$(jq -r '.dependencies // {} | keys[]' package.json 2>/dev/null || true)
@@ -237,7 +237,7 @@ quality_check_perf_regression() {
         if [[ -f "$daemon_cfg" ]]; then
             intel_enabled=$(jq -r '.intelligence.enabled // false' "$daemon_cfg" 2>/dev/null || echo "false")
         fi
-        if [[ "$intel_enabled" == "true" ]] && command -v claude &>/dev/null; then
+        if [[ "$intel_enabled" == "true" ]] && command -v claude >/dev/null 2>&1; then
             local tail_output
             tail_output=$(tail -30 "$test_log" 2>/dev/null || true)
             if [[ -n "$tail_output" ]]; then
@@ -378,7 +378,7 @@ quality_check_api_compat() {
 
     # Check for breaking changes: removed endpoints, changed methods
     local removed_endpoints=""
-    if command -v jq &>/dev/null && [[ "$spec_file" == *.json ]]; then
+    if command -v jq >/dev/null 2>&1 && [[ "$spec_file" == *.json ]]; then
         local old_paths new_paths
         old_paths=$(echo "$old_spec" | jq -r '.paths | keys[]' 2>/dev/null | sort || true)
         new_paths=$(jq -r '.paths | keys[]' "$spec_file" 2>/dev/null | sort || true)
@@ -387,7 +387,7 @@ quality_check_api_compat() {
 
     # Enhanced schema diff: parameter changes, response schema, auth changes
     local param_changes="" schema_changes=""
-    if command -v jq &>/dev/null && [[ "$spec_file" == *.json ]]; then
+    if command -v jq >/dev/null 2>&1 && [[ "$spec_file" == *.json ]]; then
         # Detect parameter changes on existing endpoints
         local common_paths
         common_paths=$(comm -12 <(echo "$old_spec" | jq -r '.paths | keys[]' 2>/dev/null | sort) <(jq -r '.paths | keys[]' "$spec_file" 2>/dev/null | sort) 2>/dev/null || true)
@@ -407,7 +407,7 @@ quality_check_api_compat() {
 
     # Intelligence: semantic API diff for complex changes
     local semantic_diff=""
-    if type intelligence_search_memory &>/dev/null 2>&1 && command -v claude &>/dev/null; then
+    if type intelligence_search_memory >/dev/null 2>&1 && command -v claude >/dev/null 2>&1; then
         local spec_git_diff
         spec_git_diff=$(git diff "${BASE_BRANCH}...HEAD" -- "$spec_file" 2>/dev/null | head -200 || true)
         if [[ -n "$spec_git_diff" ]]; then
@@ -441,7 +441,7 @@ ${spec_git_diff}" --model haiku < /dev/null 2>/dev/null || true)
     if [[ -n "$removed_endpoints" || -n "$param_changes" ]]; then
         local issue_count=0
         [[ -n "$removed_endpoints" ]] && issue_count=$((issue_count + $(echo "$removed_endpoints" | wc -l | xargs)))
-        [[ -n "$param_changes" ]] && issue_count=$((issue_count + $(echo "$param_changes" | grep -c '.' || true)))
+        [[ -n "$param_changes" ]] && issue_count=$((issue_count + $(echo "$param_changes" | grep -c '.' 2>/dev/null || true)))
         warn "API breaking changes: ${issue_count} issue(s) found"
         return 1
     fi
@@ -470,7 +470,7 @@ quality_check_coverage() {
         if [[ -f "$daemon_cfg_cov" ]]; then
             intel_enabled_cov=$(jq -r '.intelligence.enabled // false' "$daemon_cfg_cov" 2>/dev/null || echo "false")
         fi
-        if [[ "$intel_enabled_cov" == "true" ]] && command -v claude &>/dev/null; then
+        if [[ "$intel_enabled_cov" == "true" ]] && command -v claude >/dev/null 2>&1; then
             local tail_cov_output
             tail_cov_output=$(tail -40 "$test_log" 2>/dev/null || true)
             if [[ -n "$tail_cov_output" ]]; then
@@ -559,7 +559,7 @@ run_adversarial_review() {
     fi
 
     # Delegate to sw-adversarial.sh module when available (uses intelligence cache)
-    if type adversarial_review &>/dev/null 2>&1; then
+    if type adversarial_review >/dev/null 2>&1; then
         info "Using intelligence-backed adversarial review..."
         local json_result
         json_result=$(adversarial_review "$diff_content" "${GOAL:-}" 2>/dev/null || echo "[]")
@@ -605,7 +605,7 @@ run_adversarial_review() {
 
     # Inject previous adversarial findings from memory
     local adv_memory=""
-    if type intelligence_search_memory &>/dev/null 2>&1; then
+    if type intelligence_search_memory >/dev/null 2>&1; then
         adv_memory=$(intelligence_search_memory "adversarial review security findings for: ${GOAL:-}" "${HOME}/.shipwright/memory" 5 2>/dev/null) || true
     fi
 
@@ -676,7 +676,7 @@ $(head -200 "$file" 2>/dev/null || true)
 
     # Inject previous negative prompting findings from memory
     local neg_memory=""
-    if type intelligence_search_memory &>/dev/null 2>&1; then
+    if type intelligence_search_memory >/dev/null 2>&1; then
         neg_memory=$(intelligence_search_memory "negative prompting findings common concerns for: ${GOAL:-}" "${HOME}/.shipwright/memory" 5 2>/dev/null) || true
     fi
 
@@ -853,9 +853,9 @@ run_bash_compat_check() {
     while IFS= read -r filepath; do
         [[ -z "$filepath" ]] && continue
 
-        # declare -A (associative arrays)
+        # declare -A (associative arrays; declare -a is bash 3.2 compatible)
         local declare_a_count
-        declare_a_count=$(grep -c 'declare[[:space:]]*-[aA]' "$filepath" 2>/dev/null || true)
+        declare_a_count=$(grep -c 'declare[[:space:]]*-A' "$filepath" 2>/dev/null || true)
         if [[ "$declare_a_count" -gt 0 ]]; then
             violations=$((violations + declare_a_count))
             violation_details="${violation_details}${filepath}: declare -A (${declare_a_count} occurrences)
@@ -990,7 +990,8 @@ run_atomic_write_check() {
 
         # Check for direct redirection writes (> file) in state/config paths
         local bad_writes
-        bad_writes=$(git show "HEAD:$filepath" 2>/dev/null | grep -c 'echo.*>' "$filepath" 2>/dev/null || true)
+        bad_writes=$(git show "HEAD:$filepath" 2>/dev/null | grep -c 'echo.*>' 2>/dev/null || true)
+        bad_writes="${bad_writes:-0}"
 
         if [[ "$bad_writes" -gt 0 ]]; then
             violations=$((violations + bad_writes))

package/scripts/lib/pipeline-quality.sh

@@ -5,7 +5,7 @@ _PIPELINE_QUALITY_LOADED=1
 
 # Policy overrides when config/policy.json exists
 [[ -f "${SCRIPT_DIR:-}/lib/policy.sh" ]] && source "${SCRIPT_DIR:-}/lib/policy.sh"
-if type policy_get &>/dev/null 2>&1; then
+if type policy_get >/dev/null 2>&1; then
     PIPELINE_COVERAGE_THRESHOLD=$(policy_get ".pipeline.coverage_threshold_percent" "60")
     PIPELINE_QUALITY_GATE_THRESHOLD=$(policy_get ".pipeline.quality_gate_score_threshold" "70")
     QUALITY_COVERAGE_THRESHOLD=$(policy_get ".quality.coverage_threshold" "70")