fix(batch): harden status score handling

[luochen211]

What

• validates score-shaped values before numeric comparisons or aggregation
• passes score values into awk with -v instead of interpolating shell/state data into awk programs
• removes the bc dependency from batch status/summary score averages
• lets --status and --watch read an existing batch-state.tsv without requiring batch-input.tsv, batch-prompt.md, or the claude CLI

Closes #1125.
Closes #1127.

Why

batch-runner.sh previously treated CLI/state score data as awk source code in a few places, which created a code-injection surface. The read-only status paths also ran the full batch prerequisites and still used bc, making status inspection fail in minimal or post-cleanup environments.

Validation

• bash -n batch/batch-runner.sh
• git diff --check
• node verify-pipeline.mjs
• node test-all.mjs reached the new batch assertions successfully; the overall local run reports 387 passed, 1 failed, 15 warnings because the existing smoke step for verify-portals.mjs times out against my real portals.yml. Running node verify-portals.mjs directly completed successfully afterward.

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • Strengthened validation for score-related command-line inputs and stricter handling of numeric comparisons
  • Improved batch --status/--watch behavior to avoid unnecessary prerequisite checks when state is unavailable
  • Updated summary and status score aggregation to use safer numeric evaluation and consistent N/A handling for missing values
• Tests
  • Added coverage to ensure score arithmetic doesn’t rely on bc and that score values are passed into awk safely
  • Extended batch status test to validate reading and reporting of existing batch-state.tsv contents

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 48600c1c-b5fb-4462-9140-e91c812f84fa

📥 Commits

Reviewing files that changed from the base of the PR and between 0930700 and 8b89edd.

📒 Files selected for processing (1)

• batch/batch-runner.sh

---

📝 Walkthrough

Walkthrough

batch-runner.sh adds is_decimal_number for numeric validation and check_status_prerequisites to short-circuit --status/--watch when only batch-state.tsv is needed. Score gating and all sum/average calculations are rewritten to use awk -v variables instead of shell interpolation or bc. Tests assert the absence of bc and correct -v usage.

Changes

Batch runner hardening and --status prerequisite bypass

Layer / File(s)	Summary
Helper functions: is_decimal_number and check_status_prerequisites batch/batch-runner.sh	Adds is_decimal_number() for decimal string validation, check_status_prerequisites() to exit 0 when batch-state.tsv is missing, and validates --min-score at parse time using is_decimal_number.
Score gating and arithmetic rewritten with awk -v batch/batch-runner.sh	Rewrites the min-score skip condition, print_summary summation/average, and print_status_table summation/average to gate on is_decimal_number and pass values via awk -v, removing bc-based division.
main() control flow: check_status_prerequisites before check_prerequisites batch/batch-runner.sh	Reorders main() so --status and --watch call the lighter check_status_prerequisites and exit early; full check_prerequisites now runs only for normal batch processing.
Tests: no-bc assertion and --status without full prerequisites test-all.mjs	Adds assertions that bc is absent from score arithmetic and that awk receives score variables via -v; extends rate-limit pause tests to write a synthetic batch-state.tsv and assert --status output including average score and raw error field.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• santifer/career-ops#735: Directly related — that PR already replaced bc with awk in the same score-sum/average paths that this PR further hardens by adding awk -v variable passing and is_decimal_number gating.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(batch): harden status score handling' is directly related to the main changes: stricter score validation, code injection prevention via awk -v, dependency removal, and status feature improvements.
Linked Issues check	✅ Passed	The PR fully addresses both linked issues: it validates numeric scores before comparison [#1125], passes values to awk via -v flag [#1125], removes bc dependency [#1127], and allows --status/--watch to work without full prerequisites [#1127].
Out of Scope Changes check	✅ Passed	All changes in batch-runner.sh and test-all.mjs are directly scoped to addressing the security, portability, and functionality issues specified in the linked issues.
Docstring Coverage	✅ Passed	Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[luochen211]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.