feat: Rosetta audit helper + shell linter optimisations (t301)

[marcusquinn]

Summary

• New rosetta-audit-helper.sh: Detects x86 Homebrew packages running under Rosetta 2 emulation on Apple Silicon Macs. Categorises packages as migratable (ARM formula available), duplicate (already in both brews), or x86-only (no ARM formula). Supports scan, migrate --dry-run, and migrate commands. Intel Macs and Linux skip gracefully.

• setup.sh integration: New setup_shell_linting_tools step installs shellcheck + shfmt with spinner feedback. New setup_rosetta_audit step detects dual-brew setups and offers migration. Both use existing run_with_spinner and confirm_step patterns.

• linters-local.sh improvements: Added shfmt as a fast advisory pre-pass. Converted shellcheck from per-file invocation to batch mode (single process for all files) — significantly faster. Shows issue counts and file-level detail.

Benchmark Data (M1 Max)

Test	x86 (Rosetta)	ARM (Native)	Improvement
Single file (14,644 lines)	19.1s	13.3s	30% faster
Batch (20 files, 6,029 lines)	2.5s	1.8s	28% faster
System/kernel time (single)	1.34s	0.53s	60% less overhead

Testing

• rosetta-audit-helper.sh scan — verified on Apple Silicon with dual-brew setup (122 x86 + 128 ARM packages)
• rosetta-audit-helper.sh migrate --dry-run — correctly categorises 75 migratable, 44 duplicates, 3 non-migratable
• rosetta-audit-helper.sh status — quick summary with cache
• linters-local.sh — shfmt pre-pass + batched shellcheck both working
• setup.sh — syntax verified with bash -n
• ShellCheck: zero violations on all new/modified code

Files Changed

• New: .agents/scripts/rosetta-audit-helper.sh
• Modified: setup.sh, .agents/scripts/linters-local.sh, .agents/subagent-index.toon, README.md

Closes t301

Summary by CodeRabbit

• New Features

  • Shell formatting check added to local linting (advisory, auto-fix suggested).
  • New Apple Silicon utility to scan and migrate x86 Homebrew packages (scan, migrate, status, help).

• Chores

  • Setup now offers detection/installation for shell linting tools and Rosetta audit steps.
  • README and agent index updated to list the added linting tool and the new audit utility.

[gemini-code-assist]

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the development environment setup and maintenance by introducing a utility to optimize Homebrew package management on Apple Silicon, ensuring native performance for installed tools. Concurrently, it significantly boosts the efficiency of shell script linting and formatting processes, streamlining code quality checks for shell scripts.

Highlights

• New Rosetta Audit Helper: A new script, rosetta-audit-helper.sh, was introduced to detect and manage x86 Homebrew packages running under Rosetta 2 emulation on Apple Silicon Macs. It categorizes packages as migratable, duplicate, or x86-only, and supports scan, migrate --dry-run, and migrate commands.
• Shell Linter Optimizations: The linters-local.sh script was improved by adding shfmt as a fast advisory pre-pass and converting shellcheck to batch mode processing, leading to significant speed improvements (28-30% faster).
• Setup Integration: The setup.sh script now includes new steps: setup_shell_linting_tools for installing shellcheck and shfmt with spinner feedback, and setup_rosetta_audit to detect dual-brew setups and offer migration for x86 packages on Apple Silicon.

Changelog

• .agents/scripts/linters-local.sh
  • Introduced run_shfmt function for fast shell script formatting pre-pass.
  • Refactored run_shellcheck to use batch processing for multiple files, significantly improving performance.
  • Updated main function to include run_shfmt before run_shellcheck.
• .agents/scripts/rosetta-audit-helper.sh
  • New script created to detect and manage x86 Homebrew packages on Apple Silicon.
  • Includes scan, migrate, migrate --dry-run, and status commands.
  • Provides logic for identifying migratable, duplicate, and x86-only packages.
• .agents/subagent-index.toon
  • Updated the description for linters-local.sh to reflect the inclusion of shfmt.
  • Added an entry for the new rosetta-audit-helper.sh script.
• README.md
  • Updated the /linters-local command description to mention shfmt.
• setup.sh
  • Implemented setup_shell_linting_tools function to install shellcheck and shfmt with architecture checks.
  • Implemented setup_rosetta_audit function to detect dual Homebrew setups and prompt for Rosetta migration.
  • Integrated both new setup functions into the main setup.sh workflow.

Activity

• The rosetta-audit-helper.sh scan command was verified on Apple Silicon with a dual-brew setup.
• The rosetta-audit-helper.sh migrate --dry-run command was verified to correctly categorize packages.
• The rosetta-audit-helper.sh status command was verified to provide a quick summary with cache.
• The linters-local.sh script's shfmt pre-pass and batched shellcheck were verified to be working.
• The setup.sh script's syntax was verified using bash -n.
• All new and modified code passed ShellCheck with zero violations.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes and 20 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

Adds shfmt as an advisory pre-pass to the shell linter pipeline, introduces a new rosetta-audit-helper.sh CLI for detecting and migrating x86 Homebrew packages on Apple Silicon, and extends setup.sh to detect/install shell linting tools and to offer Rosetta audit integration.

Changes

Cohort / File(s)	Summary
Shell Linting Script .agents/scripts/linters-local.sh	Reworked shfmt handling into a fast, advisory batch pre-pass (reports suggestions, does not block). Simplified ShellCheck collection and centralized batch invocation; shfmt now runs before ShellCheck but no longer enforces exit on format issues.
Rosetta Audit Helper .agents/scripts/rosetta-audit-helper.sh	New modular CLI (scan, migrate, status, help) that detects Apple Silicon + dual Homebrew installs, categorizes x86-only & duplicate packages, supports dry-run migration phases, caching of scan results, and colored summaries.
Setup Integration setup.sh	Added setup_shell_linting_tools() and setup_rosetta_audit() to detect/report/install shellcheck/shfmt and to offer Rosetta audit/migration; integrated into both non-interactive and interactive setup flows (note: new helper functions appear multiple times in diffs).
Index & Docs .agents/subagent-index.toon, README.md	Updated linters-local description to include shfmt; added subagent index entry for rosetta-audit-helper.sh.

Sequence Diagram

sequenceDiagram
    autonumber
    participant User
    participant RosettaAudit as Rosetta<br/>Audit Script
    participant BrewARM as ARM<br/>Homebrew
    participant BrewX86 as x86<br/>Homebrew
    participant Analyzer as Package<br/>Analyzer
    participant Migrator as Migration<br/>Executor

    User->>RosettaAudit: scan
    RosettaAudit->>RosettaAudit: detect Apple Silicon & dual-brew
    RosettaAudit->>BrewARM: list installed packages
    RosettaAudit->>BrewX86: list installed packages
    BrewARM-->>RosettaAudit: ARM list
    BrewX86-->>RosettaAudit: x86 list
    RosettaAudit->>Analyzer: categorize packages
    Analyzer-->>RosettaAudit: migratable / non-migratable
    RosettaAudit-->>User: summary & recommendations

    User->>RosettaAudit: migrate (--dry-run)?
    RosettaAudit->>Migrator: run Phase 1 (remove duplicates)
    Migrator->>BrewX86: uninstall duplicates
    Migrator->>BrewARM: ensure ARM installs (Phase 2)
    Migrator->>BrewX86: remove x86-only after ARM installs
    Migrator-->>RosettaAudit: per-package status
    RosettaAudit-->>User: migration report

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

• t301: Rosetta audit + shell linter optimisation #1173 — Implements the same shfmt + ShellCheck linter flow and Rosetta audit/migration helper described in this PR.

Poem

✨ shfmt hums softly before ShellCheck’s gaze,

Rosetta sheds old x86 ways,
Setup nudges tools into place,
Packages migrate with tidy grace,
DevOps sings—clean scripts, lighter space.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main changes: addition of a Rosetta audit helper and optimizations to shell linters, with a reference ticket.
Docstring Coverage	✅ Passed	Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/t301-rosetta-audit

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 9 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Thu Feb 12 00:30:04 UTC 2026: Code review monitoring started
Thu Feb 12 00:30:04 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 9

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 9
• VULNERABILITIES: 0

Generated on: Thu Feb 12 00:30:07 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[coderabbitai]

Actionable comments posted: 6

🤖 Fix all issues with AI agents

In @.agents/scripts/rosetta-audit-helper.sh:
- Around line 156-161: cmd_scan creates temporary files (migratable_file,
non_migratable_file) and stores them in _SCAN_CLEANUP_FILES but doesn’t register
them with the existing cleanup mechanism, so they can leak on unexpected exit;
modify cmd_scan to call _save_cleanup_scope and push_cleanup (the same pattern
used by check_positional_parameters) immediately after creating migratable_file
and non_migratable_file so the files are removed on exit, and then delete the
manual rm -f $_SCAN_CLEANUP_FILES calls (leave _SCAN_CLEANUP_FILES assignment
intact so other code can reference it).
- Around line 339-368: The cmd_migrate function currently always returns 0;
update its exit behavior so callers can detect failures by returning a non-zero
status when failures occurred: after the block that checks "$failed" and prints
the warning (the branch that prints "Migration completed with $failed
failures"), change the final return to return a non-zero value (e.g., return
$failed or return 1) while keeping dry-run and success paths returning 0; locate
the cmd_migrate function and the "$failed" variable usage to implement this
change so setup.sh and other callers can react to partial failures.
- Around line 44-54: The functions is_apple_silicon and has_dual_brew rely on
the fragile pattern "[[ ]] && [[ ]]; return $?" which can cause unexpected exits
under set -e; change each to an explicit boolean return path so the function
body never lets a failing test trigger errexit — e.g., evaluate the compound
condition and then return 0 on success and return 1 on failure (or use a guarded
"if ...; then return 0; else return 1; fi" around the existing tests) so callers
like "is_apple_silicon && do_something" won't cause the script to abort
unexpectedly.

In @.agents/subagent-index.toon:
- Around line 97-98: Update the TOON header script count from scripts[74] to
scripts[76] on the header line referenced (change the scripts[...] value near
line 90); ensure the header reflects the actual inventory that now includes
"linters-local.sh" and "rosetta-audit-helper.sh" so the total script count
matches 76.

In `@setup.sh`:
- Around line 2069-2077: The current check can misdetect universal (fat)
binaries because sc_arch uses grep ... | head -1 and may pick x86_64 even when
arm64 is present; update the logic around sc_path/sc_arch in the shellcheck
detection: instead of treating presence of x86_64 as the Rosetta case, test
whether the shellcheck binary lacks arm64 support (e.g., inspect the output of
file "$sc_path" and check for the presence of "arm64" with grep -q or similar)
and only warn (via print_warning/print_info) when uname -m is arm64 and the file
output does NOT contain arm64; otherwise report success with shellcheck
--version as before.
- Around line 2103-2109: The loop unconditionally calls brew and prints
duplicate success; change it to use the detected pkg_manager and the existing
installer helper: replace the for loop over missing_tools that calls
run_with_spinner "Installing $tool" brew install "$tool" with a call to
install_packages "$pkg_manager" "$tool" (or invoke install_packages once with
the missing_tools list if supported) and remove the redundant print_success call
(keep run_with_spinner's success/failure handling via run_with_spinner and its
exit codes). Ensure you reference the existing symbols missing_tools,
pkg_manager, run_with_spinner, and install_packages when updating the code.

🧹 Nitpick comments (2)

.agents/scripts/linters-local.sh (1)

240-246: File collection pattern is duplicated between run_shfmt and run_shellcheck.

Both functions iterate .agents/scripts/*.sh with the same guard. Consider extracting a shared helper (e.g., collect_shell_files()) to keep things DRY. Not blocking — just a future-proofing nit.

♻️ Example extraction

+# Collect shell files for linting
+collect_shell_files() {
+    local -n _files_ref=$1
+    for file in .agents/scripts/*.sh; do
+        [[ -f "$file" ]] && _files_ref+=("$file")
+    done
+    return 0
+}
+
 run_shfmt() {
     ...
-    local sh_files=()
-    for file in .agents/scripts/*.sh; do
-        [[ -f "$file" ]] && sh_files+=("$file")
-    done
+    local sh_files=()
+    collect_shell_files sh_files
     ...

setup.sh (1)

2160-2176: Consider running migrate --dry-run first before the actual migration.

When the user answers "y" at line 2163, the script jumps straight to migrate (line 2167), which performs actual package reinstallation. Given that the PR provides a --dry-run mode, it would be safer to show a preview first and then confirm.

♻️ Proposed two-step migration flow

         if [[ "$run_audit" =~ ^[Yy]$ ]]; then
             local script_dir
             script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-            if [[ -f "$script_dir/.agents/scripts/rosetta-audit-helper.sh" ]]; then
-                bash "$script_dir/.agents/scripts/rosetta-audit-helper.sh" migrate
-            elif [[ -f "$HOME/.aidevops/agents/scripts/rosetta-audit-helper.sh" ]]; then
-                bash "$HOME/.aidevops/agents/scripts/rosetta-audit-helper.sh" migrate
+            local audit_script=""
+            if [[ -f "$script_dir/.agents/scripts/rosetta-audit-helper.sh" ]]; then
+                audit_script="$script_dir/.agents/scripts/rosetta-audit-helper.sh"
+            elif [[ -f "$HOME/.aidevops/agents/scripts/rosetta-audit-helper.sh" ]]; then
+                audit_script="$HOME/.aidevops/agents/scripts/rosetta-audit-helper.sh"
+            fi
+            if [[ -n "$audit_script" ]]; then
+                bash "$audit_script" migrate --dry-run
+                echo ""
+                local confirm_migrate
+                read -r -p "Proceed with migration? [y/N]: " confirm_migrate
+                if [[ "$confirm_migrate" =~ ^[Yy]$ ]]; then
+                    bash "$audit_script" migrate
+                else
+                    print_info "Skipped — run manually: rosetta-audit-helper.sh migrate"
+                fi
             else
                 print_warning "rosetta-audit-helper.sh not found — run setup again after deployment"
             fi

[gemini-code-assist]

Code Review

This pull request introduces a valuable rosetta-audit-helper.sh script for Apple Silicon users and significantly improves the performance of linters-local.sh. The changes are well-structured and the new features are a great addition. I've identified a few areas for improvement, mainly concerning script robustness, adherence to the repository's style guide, and a bug in the setup script that affects non-macOS users. My comments provide specific suggestions to address these points.

[gemini-code-assist]

The script's temporary file handling can be improved for robustness and to adhere to the style guide.

1. Guaranteed Cleanup: A trap should be used to ensure temporary files are removed even if the script exits unexpectedly. This is required by style guide rule feat: add /session-review and /full-loop commands for comprehensive AI workflow #33.
2. Robust File List: The _SCAN_CLEANUP_FILES global variable should be an array to be robust against filenames with special characters and avoid shellcheck disable=SC2086.

I recommend defining _SCAN_CLEANUP_FILES as an array and setting an EXIT trap at the top of the script.

At top of script (e.g., after set -euo pipefail):

_SCAN_CLEANUP_FILES=()
trap 'rm -f "${_SCAN_CLEANUP_FILES[@]}"' EXIT

Then, this block can be updated to populate the array. The explicit rm calls at the end of cmd_scan can then be removed.

Suggested change

	local migratable_file non_migratable_file
	migratable_file=$(mktemp "${TMPDIR:-/tmp}/rosetta-migrate.XXXXXX")
	non_migratable_file=$(mktemp "${TMPDIR:-/tmp}/rosetta-nomigrate.XXXXXX")
	_SCAN_CLEANUP_FILES="$migratable_file $non_migratable_file"
	local migratable_file non_migratable_file
	migratable_file=$(mktemp "${TMPDIR:-/tmp}/rosetta-migrate.XXXXXX")
	non_migratable_file=$(mktemp "${TMPDIR:-/tmp}/rosetta-nomigrate.XXXXXX")
	_SCAN_CLEANUP_FILES=("$migratable_file" "$non_migratable_file")

References

1. Temp files must have trap cleanup (RETURN or EXIT). The current implementation creates temp files but does not guarantee their cleanup if the script exits unexpectedly. ^(link)

[gemini-code-assist]

The installation command for shell linting tools is hardcoded to brew install. This will fail on Linux systems where apt, dnf, etc., should be used. The install_packages helper function should be used here with the detected $pkg_manager to make the installation cross-platform.

Suggested change

	if run_with_spinner "Installing $tool" brew install "$tool"; then
	if run_with_spinner "Installing $tool" install_packages "$pkg_manager" "$tool"; then

[gemini-code-assist]

Redirecting stderr to /dev/null suppresses potentially useful error messages from brew uninstall. This makes debugging failures difficult and violates style guide rule #50, which states that 2>/dev/null should only be used when redirecting to log files, not for blanket suppression. Since the command is inside an if statement, removing the redirection will print the error without exiting the script, providing better diagnostic information on failure.

Suggested change

	if "$X86_BREW" uninstall "$pkg" 2>/dev/null; then
	if "$X86_BREW" uninstall "$pkg"; then

References

1. 2>/dev/null is acceptable ONLY when redirecting to log files, not blanket suppression. This code uses it to suppress errors from brew commands, which hinders debugging. ^(link)

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 9 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Thu Feb 12 00:42:07 UTC 2026: Code review monitoring started
Thu Feb 12 00:42:08 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 9

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 9
• VULNERABILITIES: 0

Generated on: Thu Feb 12 00:42:10 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 9 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Thu Feb 12 00:58:03 UTC 2026: Code review monitoring started
Thu Feb 12 00:58:03 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 9

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 9
• VULNERABILITIES: 0

Generated on: Thu Feb 12 00:58:06 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
4 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud