Remove check_memory() from lib/formula-session.sh and update all *-run.sh scripts
to use memory_guard() from lib/env.sh.
Changes:
- lib/formula-session.sh: Removed check_memory() function and its documentation
- gardener/gardener-run.sh: Replaced check_memory(2000) with memory_guard(2000)
- planner/planner-run.sh: Replaced check_memory(2000) with memory_guard(2000)
- architect/architect-run.sh: Replaced check_memory(2000) with memory_guard(2000)
- predictor/predictor-run.sh: Replaced check_memory(2000) with memory_guard(2000)
- supervisor/supervisor-run.sh: Replaced check_memory(2000) with memory_guard(2000)
Benefits:
- Only one memory check function exists now
- All agents use the same function
- No dependency on free command - uses /proc/meminfo which is more portable

Capture exit code from claude invocations instead of suppressing with || true.
Log timeout (rc=124) and non-zero exits distinctly. Skip nudge when output is
empty (claude crashed or failed). Log empty output as a clear diagnostic message.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Fix python3 -c injection: pass lock_file as sys.argv[1] instead of
interpolating it inside the double-quoted -c string. Removes the
single-quote escape risk when project names contain special chars.
Also drop the misleading "atomic" comment on the tmp+mv write.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
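
The lock-file fix described in the commit message above, shown as an added example that is not the project's code. The function names, file names and JSON lock format are assumptions; the constructed file name contains a single quote so the interpolated form fails while the argv form still reads the file.

```bash
#!/usr/bin/env bash
# Added illustration; function names, file names and the JSON lock format
# are assumptions, not taken from the project.

# BEFORE: the path is pasted into the Python source. A single quote in the
# path closes the Python string literal early and the remainder of the path
# is parsed as Python code.
read_lock_interpolated() {
  local lock_file="$1"
  python3 -c "import json; print(json.load(open('${lock_file}'))['pid'])" 2>/dev/null
}

# AFTER: the program text is a constant single-quoted string. The path is
# passed as data in sys.argv[1] and is never parsed as Python.
read_lock_argv() {
  local lock_file="$1"
  python3 -c 'import json, sys; print(json.load(open(sys.argv[1]))["pid"])' "$lock_file"
}

# Constructed sample input: one ordinary name, one containing a single quote.
demo_dir="$(mktemp -d)"
trap 'rm -rf "$demo_dir"' EXIT
plain="${demo_dir}/plain.lock"
quoted="${demo_dir}/o'brien.lock"
printf '{"pid": 4242}\n' > "$plain"
printf '{"pid": 4242}\n' > "$quoted"

for f in "$plain" "$quoted"; do
  printf 'file: %s\n' "$f"
  printf '  interpolated: %s\n' "$(read_lock_interpolated "$f" || echo 'python error')"
  printf '  argv:         %s\n' "$(read_lock_argv "$f")"
done
```
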
- Add sops --verify to validate GCM ciphertext tag before decryption
- Treat all decryption failures as fatal errors (exit 1) instead of warnings
- Added integrity check comment for clarity
- Ensures tampered .env.enc files are rejected before use

Add URL validation helper to prevent URL injection attacks in API calls.
- Added validate_url() helper in lib/env.sh to validate URL format
- Added validation to forge_api() to prevent URL injection
- Added validation to woodpecker_api() to prevent URL injection
- Added validation to ci-debug.sh api() function
- All URLs are already properly quoted with "${VAR}/..." patterns
- This adds defense-in-depth by validating URL variables before use

Same pattern as FORGE_URL — the llama container sets FORGE_TOKEN
to dev-qwen token via FORGE_TOKEN_OVERRIDE, but env.sh sources .env
which clobbers it back to dev-bot. All PRs and issue claims show
dev-bot instead of dev-qwen, and assignee locking fails.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Some models (especially local) emit end_turn prematurely. After
agent_run completes, check if code was pushed. If not, resume the
session with a nudge: "You stopped but did not push. Complete the
implementation, commit, and push."
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Save agent_run output to agent-run-last.json. On no_push, log the
result text, turn count, and cost. Save full output to
no-push-{issue}-{ts}.json for later analysis.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

source .env clobbers FORGE_URL from http://forgejo:3000 (Docker DNS)
to http://localhost:3000 (unreachable inside container). Save and
restore FORGE_URL around the source.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Root cause: env.sh skipped sourcing .env when DISINTO_CONTAINER=1,
assuming compose injects all env vars. But cron jobs do NOT inherit
compose env vars — they only get crontab-level variables.
Result: FORGE_TOKEN was empty in every cron poll. API calls returned
nothing, polls silently found "no open PRs" and exited.
Fix: always source .env regardless of DISINTO_CONTAINER. Compose env
vars (FORGE_URL) are set in the crontab env and take precedence.
Entrypoint also adds FORGE_URL to crontab env vars.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Move SID_FILE recovery into agent_recover_session() in lib/agent-sdk.sh
to eliminate remaining duplicate block between dev-agent.sh and
review-pr.sh.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Extract agent_run() into shared lib/agent-sdk.sh to eliminate code
duplication between dev-agent.sh and review-pr.sh (CI dedup check).
Rewrite review-pr.sh from tmux-based agent-session.sh to synchronous
claude -p invocations via shared agent-sdk.sh, matching the SDK pattern
from dev-agent.sh (#798).
Key changes:
- Create lib/agent-sdk.sh with shared agent_run() function
- Both dev-agent.sh and review-pr.sh now source lib/agent-sdk.sh
  instead of defining agent_run() inline
- Replace agent-session.sh (tmux + monitor_phase_loop) with agent_run()
- Add .sid file for session continuity: re-reviews resume the original
  session via --resume, so Claude remembers its prior review
- Use worktree.sh for worktree cleanup
- Remove phase file signaling — completion is automatic when claude -p
  returns
- Keep all review business logic unchanged
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>