t304: Fix rm -rf on potentially empty variable in setup.sh

[marcusquinn]

Summary

Addresses CodeRabbit security finding from PR#762 regarding rm -rf commands on potentially empty variables.

Changes

• Added ${var:?} parameter expansion for critical variables (old_backup_dir, legacy_state_dir, tmp_preserve)
• Added [[ -n "$var" ]] validation checks for loop variables (old_backup, path, venv_dir)
• Added function-level validation for agents_dir in cleanup_deprecated_paths

Safety Improvements

All rm -rf commands with variables in setup.sh now have protection against empty variable expansion:

• :? expansion causes immediate exit if variable is unset/empty
• Explicit non-empty checks prevent execution if variable is empty
• Function-level validation ensures base paths are valid before operations

Testing

• Manual review of all rm -rf instances in setup.sh
• Verified protection patterns are consistent and comprehensive
• All changes preserve existing functionality while adding safety

Protected Instances

1. Line 278: old_backup - protected with [[ -n "$old_backup" ]]
2. Line 318: path - protected with [[ -e "$path" && -n "$path" ]]
3. Lines 871, 900: old_backup_dir - protected with ${old_backup_dir:?}
4. Line 981: legacy_state_dir - protected with ${legacy_state_dir:?}
5. Lines 2948, 2958: tmp_preserve - protected with ${tmp_preserve:?}
6. Line 3409: venv_dir - protected with [[ -n "$venv_dir" ]]

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 0 minutes and 47 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/t304

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 15 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Thu Feb 12 02:40:32 UTC 2026: Code review monitoring started
Thu Feb 12 02:40:32 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 15

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 15
• VULNERABILITIES: 0

Generated on: Thu Feb 12 02:40:35 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud