
GH#18538: gate review-followup issues on human triage (complement to #18607)#18610

Merged
marcusquinn merged 1 commit into main from feature/gh18538-review-scanner-hardening
Apr 13, 2026

Conversation

@marcusquinn
Owner

@marcusquinn marcusquinn commented Apr 13, 2026

Summary

Follow-up to PR #18607 (worker-actionable bodies). #18607 made review-followup issue bodies rich and structured but did not address the upstream root cause of GH#18538: bot findings can have false premises that no amount of body context rescues.

The original #18538 was triggered by a Gemini comment claiming TODO.md's ## Ready section is auto-generated by /ready or beads-sync-helper.sh. I verified todo-ready.sh is read-only — the section is not auto-generated. Workers reading even a perfectly-mentored body would still chase a false premise. Two sonnet workers tried it, both stale-recovered, and the issue ended up at the t2008 escalation path (needs-maintainer-review) anyway — after burning 2 dispatches.

This PR moves that human triage gate upstream to issue creation time:

  • New SCANNER_NEEDS_REVIEW env var (default true)
  • create_issue applies needs-maintainer-review label up-front
  • New "Triage required" preamble in the issue body teaches the triager three paths: Accept (verify premise, remove label, add tier), Reject (close as won't-fix with falsified-premise rationale), Modify scope (reframe and re-triage)

Together with #18607 (rich bodies) this results in 0 wasted dispatches per false-premise finding instead of GH#18538's 2.

Files Changed

.agents/scripts/post-merge-review-scanner.sh — env var, label-list construction in create_issue, triage preamble in build_pr_followup_body.

Runtime Testing

  • Risk level: Low (infrastructure script for issue triage)
  • Verification: shellcheck clean (only pre-existing SC1091 info from shared-constants.sh source); bash -n parse OK; isolated body-builder smoke test against stubbed fetch_*_md helpers renders the new preamble correctly between Source PR and Worker Guidance sections.

Why this isn't in #18607

#18607 was already merged when I finished my analysis. Both PRs target the same issue but address different layers of the same failure mode:

| Layer | PR | Fix |
| --- | --- | --- |
| Body content (workers know what to do) | #18607 | file:line refs + full bot bodies + Worker Guidance |
| Dispatch gating (workers don't run on bad premises) | #18610 (this) | needs-maintainer-review by default |

Both are needed. The #18607 author may have considered gating but chose not to add it; this PR makes that decision explicit and the rationale durable in the script's header comment.

Resolves #18538

@marcusquinn marcusquinn added the origin:interactive Auto-created from TODO.md tag label Apr 13, 2026
@marcusquinn
Owner Author

Completion Summary

  • What: Routes every review-followup issue through human triage at creation time (needs-maintainer-review label) instead of letting workers auto-dispatch on unverified bot findings, and enriches the issue body with full bot comment text, file:line references, and a structured triage decision template (accept/reject/modify-scope) so triagers and post-approval workers have actionable implementation context per t1901.
  • Issue: Review followup: PR #18417 — chore(t1990): add TODO completion marker for merged PR #18414 #18538
  • Files changed: .agents/scripts/post-merge-review-scanner.sh
  • Testing: shellcheck clean (SC1091 info pre-existing); isolated body-builder smoke test renders multi-line bot comments as markdown blockquotes with intact file:line refs; bash -n parse OK.
  • Key decisions: Default SCANNER_NEEDS_REVIEW=true (gate by default; opt out for trusted-finding pipelines). Bumped per-comment snippet from 200 -> 1500 chars (configurable via SCANNER_SNIPPET_CHARS). Capture .line / .original_line from inline review comments to surface where the bot is pointing. Did NOT change task-complete-helper.sh in-place [x] marking — the convention drift is real but orthogonal; the immediate Gemini finding had a false premise (TODO sections are not auto-generated), so the right systemic fix is to stop auto-dispatching workers on unverified bot findings, not to chase the surface symptom.
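The gate and preamble described in the PR summary and in the Completion Summary above, as an added example that is not the repository's post-merge-review-scanner.sh: a POSIX sh sketch with assumed function names (build_labels, truncate_snippet, build_triage_preamble) showing how SCANNER_NEEDS_REVIEW puts the needs-maintainer-review label on up-front, how SCANNER_SNIPPET_CHARS caps the quoted bot comment, and what the three-path "Triage required" preamble looks like.

```shell
#!/bin/sh
# Added illustration, not the project's post-merge-review-scanner.sh: gate a
# bot finding on human triage. The function names are assumed for this example.

# Gate by default; set to "false" for trusted-finding pipelines.
SCANNER_NEEDS_REVIEW="${SCANNER_NEEDS_REVIEW:-true}"
# Per-comment snippet cap (the PR raised its default from 200 to 1500 chars).
SCANNER_SNIPPET_CHARS="${SCANNER_SNIPPET_CHARS:-1500}"

# Comma-separated label list for issue creation. The triage label goes on
# up-front so no worker auto-dispatches before a human verifies the premise.
build_labels() {
  labels="review-followup"
  if [ "$SCANNER_NEEDS_REVIEW" = "true" ]; then
    labels="${labels},needs-maintainer-review"
  fi
  printf '%s' "$labels"
}

# Cut a bot comment at SCANNER_SNIPPET_CHARS bytes (ASCII assumed) and mark it.
truncate_snippet() {
  if [ "${#1}" -gt "$SCANNER_SNIPPET_CHARS" ]; then
    printf '%s' "$1" | head -c "$SCANNER_SNIPPET_CHARS"
    printf '...'
  else
    printf '%s' "$1"
  fi
}

# "Triage required" preamble: where the bot pointed, the three decision paths,
# and the (truncated) finding as a blockquote. Args: path, line (may be empty),
# bot comment body.
build_triage_preamble() {
  where="$1"
  if [ -n "$2" ]; then
    where="$1:$2"
  fi
  printf '## Triage required\n\n'
  printf 'Bot finding at %s. Its premise has NOT been verified.\n' "$where"
  printf 'Pick one path before removing needs-maintainer-review:\n\n'
  printf '%s\n' '- Accept: verify the premise, remove the label, add a tier label.'
  printf '%s\n' "- Reject: close as won't-fix, noting the falsified premise."
  printf '%s\n\n' '- Modify scope: reframe the issue, then re-triage.'
  truncate_snippet "$3" | sed 's/^/> /'
}
```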

@gemini-code-assist

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai
Contributor

coderabbitai bot commented Apr 13, 2026

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 24 minutes and 51 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 24 minutes and 51 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d14f47b7-f12b-4940-ae12-5f7f692875fa

📥 Commits

Reviewing files that changed from the base of the PR and between f63fec9 and df29d57.

📒 Files selected for processing (1)
  • .agents/scripts/post-merge-review-scanner.sh

@github-actions
Contributor

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

SonarCloud: 0 bugs, 0 vulnerabilities, 226 code smells

Mon Apr 13 04:43:01 UTC 2026: Code review monitoring started
Mon Apr 13 04:43:02 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 226

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 226
  • VULNERABILITIES: 0

Generated on: Mon Apr 13 04:43:04 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@codacy-production

codacy-production bot commented Apr 13, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


…triage (GH#18538)

PR #18607 made review-followup issue bodies worker-actionable (file:line refs,
full bot bodies, Worker Guidance), but rich body context cannot rescue a
finding whose factual premise is wrong. The original GH#18538 was triggered
by a Gemini comment claiming the TODO.md "Ready" section is auto-generated
(it is not — todo-ready.sh is read-only). Workers reading even a
perfectly-mentored body would still chase a false premise.

This PR adds a `needs-maintainer-review` label by default at issue creation
time, gating worker auto-dispatch until a human verifies the bot's premise.
The triager picks one of three paths (accept/reject/modify-scope), each
documented in a new "Triage required" preamble in the issue body.

Together with #18607 this results in 0 wasted dispatches per false-premise
finding (instead of GH#18538's 2 dispatches → t2008 escalation → manual
intervention).

Configurable via SCANNER_NEEDS_REVIEW env var (default true). Set to "false"
to allow direct dispatch for trusted-finding pipelines.

Resolves #18538
@marcusquinn marcusquinn force-pushed the feature/gh18538-review-scanner-hardening branch from 1bf1e9b to df29d57 Compare April 13, 2026 04:50
@marcusquinn marcusquinn changed the title from "GH#18538: harden post-merge-review-scanner — needs-maintainer-review by default + verify-before-act bodies" to "GH#18538: gate review-followup issues on human triage (complement to #18607)" Apr 13, 2026
@github-actions
Contributor

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

SonarCloud: 0 bugs, 0 vulnerabilities, 226 code smells

Mon Apr 13 04:50:48 UTC 2026: Code review monitoring started
Mon Apr 13 04:50:49 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 226

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 226
  • VULNERABILITIES: 0

Generated on: Mon Apr 13 04:50:51 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@marcusquinn marcusquinn merged commit 42fc782 into main Apr 13, 2026
36 of 38 checks passed
@marcusquinn marcusquinn deleted the feature/gh18538-review-scanner-hardening branch April 13, 2026 04:55
@marcusquinn
Owner Author

Merged via PR #18610 to main.
Merged by deterministic merge pass (pulse-wrapper.sh).


aidevops.sh v3.8.6 spent 44m on this as a headless bash routine.

Labels

origin:interactive Auto-created from TODO.md tag skip-review-gate Bypass review-bot-gate check

Development

Successfully merging this pull request may close these issues.

Review followup: PR #18417 — chore(t1990): add TODO completion marker for merged PR #18414

1 participant