GH#2993: Fix ShellCheck memory explosion regression — PATH shim for bash-language-server

[marcusquinn]

Summary

• Fixes bash-language-server bypassing shellcheck-wrapper.sh by resolving shellcheck via PATH to /opt/homebrew/bin/shellcheck instead of the wrapper
• Creates ~/.aidevops/bin/shellcheck symlink pointing to shellcheck-wrapper.sh and prepends ~/.aidevops/bin to PATH in .zshenv and shell rc files
• Prevents the 9+ GB RAM blowup from --external-sources flag that the language server hardcodes

Root Cause

GH#2915 set SHELLCHECK_PATH env var, but bash-language-server ignores it — it does a standard PATH lookup for shellcheck, finding /opt/homebrew/bin/shellcheck directly. The wrapper's --external-sources stripping and ulimit protections never applied.

Fix

Added Layer 0 (PATH shim) to setup_shellcheck_wrapper():

1. Creates ~/.aidevops/bin/shellcheck as a symlink to shellcheck-wrapper.sh
2. Prepends ~/.aidevops/bin to PATH in .zshenv (all zsh processes) and shell rc files
3. bash-language-server's PATH lookup now finds the wrapper first
4. Wrapper's existing realpath self-detection correctly skips the symlink, finds the real binary — no recursion

Layers 1-3 (launchctl, .zshenv SHELLCHECK_PATH, rc files) are retained for tools that honour SHELLCHECK_PATH.

Testing

Verified locally:

• which shellcheck with ~/.aidevops/bin on PATH → finds the shim
• Shim executes correctly (--version works, finds real binary)
• --external-sources is stripped (no memory explosion)
• No infinite recursion (wrapper skips symlink via realpath comparison)
• ShellCheck passes on modified file (zero violations)

Closes #2993

Summary by CodeRabbit

• Chores
  • Improved shell environment setup for ShellCheck wrapper: adds a PATH shim, validates and wires the wrapper only when usable, propagates shim and SHELLCHECK_PATH across macOS launchctl, .zshenv and common shell rc files, avoids duplicate entries, and updates current session environment so the wrapper is used consistently.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves a critical memory consumption issue within the bash-language-server when interacting with shellcheck. The previous setup allowed the language server to bypass a protective shellcheck wrapper, leading to significant memory usage. By introducing a new PATH shim, this change ensures that the shellcheck wrapper is correctly invoked, effectively mitigating the memory explosion and establishing a more robust and efficient environment for shell script analysis.

Highlights

• ShellCheck Memory Fix: Implemented a PATH shim for bash-language-server to correctly use shellcheck-wrapper.sh, preventing a memory explosion caused by the --external-sources flag.
• PATH Shim Creation: Created a ~/.aidevops/bin/shellcheck symlink pointing to shellcheck-wrapper.sh.
• PATH Prepending: Ensured ~/.aidevops/bin is prepended to the system PATH in .zshenv and shell RC files, making the shim discoverable by the language server.

Changelog

• setup-modules/shell-env.sh
  • Updated documentation comments to reflect the new "Layer 0" (PATH shim) and the context of GH#2993, explaining how it addresses the bash-language-server issue.
  • Added code to create the ~/.aidevops/bin directory and establish a symbolic link ~/.aidevops/bin/shellcheck that points to the shellcheck-wrapper.sh. This includes logic to update or replace existing files/symlinks.
  • Modified the logic for updating .zshenv and other shell RC files to not only set SHELLCHECK_PATH but also to prepend ~/.aidevops/bin to the system's PATH environment variable.
  • Ensured the updated PATH is exported for the current shell session.

Activity

• No human activity has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 24 minutes and 33 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e1c37b30-ec93-43bb-88b7-79fb877f1b5a

📥 Commits

Reviewing files that changed from the base of the PR and between 0026bf1 and e806f30.

📒 Files selected for processing (1)

• setup-modules/shell-env.sh

Walkthrough

Implements a multi-layer ShellCheck wrapper wiring in setup-modules/shell-env.sh: validates wrapper, creates/updates a PATH shim (~/.aidevops/bin/shellcheck), and propagates PATH/SHELLCHECK_PATH across launchctl, .zshenv, and shell rc files so processes (e.g., bash-language-server) resolve the wrapper before the real binary.

Changes

Cohort / File(s)	Summary
ShellCheck wrapper & environment wiring setup-modules/shell-env.sh	Adds wrapper validation, symlink shim creation/repair at ~/.aidevops/bin/shellcheck, PATH prepending logic, deduplication guards, and current-session exports. Propagates SHELLCHECK_PATH and PATH changes to launchctl, .zshenv, and shell rc files (zsh/bash/fish) with shell-specific syntax and early-return safety checks.

Sequence Diagram(s)

sequenceDiagram
    participant Installer as Setup Script
    participant FS as Filesystem (shim)
    participant Env as Shell Envs (.zshenv/.bashrc/fish)
    participant Launchctl as macOS launchctl
    participant Session as Current Session
    participant LSP as bash-language-server

    Installer->>Installer: validate wrapper executable & locate real shellcheck
    alt valid
        Installer->>FS: create/replace symlink ~/.aidevops/bin/shellcheck -> wrapper
        Installer->>Env: prepend ~/.aidevops/bin to PATH, write SHELLCHECK_PATH
        Installer->>Launchctl: set PATH/SHELLCHECK_PATH for launchctl (macOS)
        Installer->>Session: export PATH and SHELLCHECK_PATH in current session
        LSP->>Session: spawn shellcheck (resolves PATH)
        Session->>FS: resolves to ~/.aidevops/bin/shellcheck (wrapper)
    else invalid
        Installer->>Installer: skip wiring (no changes)
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

bug

Poem

🐚 A tiny shim takes center stage,
Prepends the path, secures the cage.
Wrappers validate and gently steer,
Language servers now behave clear. ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly references the main change: creating a PATH shim for shellcheck to fix bash-language-server bypassing the wrapper and causing memory explosion.
Linked Issues check	✅ Passed	All code changes directly address issue #2993 requirements: PATH shim creation, wrapper viability validation, and ensuring bashls finds the wrapped shellcheck via PATH prepending.
Out of Scope Changes check	✅ Passed	All changes are scoped to implementing the PATH shim solution; no unrelated modifications detected beyond the defined objective of fixing the bashls shellcheck bypass.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bugfix/shellcheck-path-shim

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 108 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Fri Mar 6 15:49:56 UTC 2026: Code review monitoring started
Fri Mar 6 15:49:57 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 108

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 108
• VULNERABILITIES: 0

Generated on: Fri Mar 6 15:49:59 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[gemini-code-assist]

Code Review

This pull request effectively addresses the issue of bash-language-server bypassing the shellcheck-wrapper.sh by introducing a PATH shim. The implementation is robust, handling the creation of the symlink idempotently and updating the necessary shell configuration files. My review focuses on improving debuggability by adhering to the project's guidelines on error handling, specifically by removing unnecessary stderr suppression. The changes are well-commented and clearly explained.

[gemini-code-assist]

The script calls touch "$zshenv" before this block, and set -e is active, which should ensure the file exists. Suppressing stderr with 2>/dev/null can hide important errors like read permissions issues. To align with the project's general rules on error visibility for debugging, please remove 2>/dev/null from the grep commands.

Suggested change

	if grep -q 'SHELLCHECK_PATH' "$zshenv" 2>/dev/null; then
	already_in="${already_in:+$already_in, }$zshenv"
	else
	touch "$zshenv"
	echo "" >>"$zshenv"
	echo "# Added by aidevops setup (GH#2915: prevent ShellCheck memory explosion)" >>"$zshenv"
	echo "$env_line" >>"$zshenv"
	added_to="${added_to:+$added_to, }$zshenv"
	fi
	# PATH prepend for ~/.aidevops/bin (GH#2993: shim must be on PATH)
	if ! grep -q '\.aidevops/bin' "$zshenv" 2>/dev/null; then
	echo "" >>"$zshenv"
	echo "# Added by aidevops setup (GH#2993: shellcheck shim on PATH)" >>"$zshenv"
	echo "$path_line" >>"$zshenv"
	print_success "Prepended $shim_dir to PATH in .zshenv"
	else
	print_info "$shim_dir already on PATH in .zshenv"
	fi
	if grep -q 'SHELLCHECK_PATH' "$zshenv"; then
	already_in="${already_in:+$already_in, }$zshenv"
	else
	echo "" >>"$zshenv"
	echo "# Added by aidevops setup (GH#2915: prevent ShellCheck memory explosion)" >>"$zshenv"
	echo "$env_line" >>"$zshenv"
	added_to="${added_to:+$added_to, }$zshenv"
	fi
	# PATH prepend for ~/.aidevops/bin (GH#2993: shim must be on PATH)
	if ! grep -q '\.aidevops/bin' "$zshenv"; then
	echo "" >>"$zshenv"
	echo "# Added by aidevops setup (GH#2993: shellcheck shim on PATH)" >>"$zshenv"
	echo "$path_line" >>"$zshenv"
	print_success "Prepended $shim_dir to PATH in .zshenv"
	else
	print_info "$shim_dir already on PATH in .zshenv"
	fi

References

1. Avoid using '2>/dev/null' for blanket suppression of command errors in shell scripts to ensure that authentication, syntax, or system issues remain visible for debugging.

[gemini-code-assist]

Similar to the .zshenv block, touch "$rc_file" is called before this, ensuring the file exists. To improve debuggability by making potential read errors visible, please remove 2>/dev/null from the grep commands, in accordance with the project's general rules.

Suggested change

	if grep -q 'SHELLCHECK_PATH' "$rc_file" 2>/dev/null; then
	already_in="${already_in:+$already_in, }$rc_file"
	continue
	else
	echo "" >>"$rc_file"
	echo "# Added by aidevops setup (GH#2915: prevent ShellCheck memory explosion)" >>"$rc_file"
	echo "$env_line" >>"$rc_file"
	added_to="${added_to:+$added_to, }$rc_file"
	fi
	echo "" >>"$rc_file"
	echo "# Added by aidevops setup (GH#2915: prevent ShellCheck memory explosion)" >>"$rc_file"
	echo "$env_line" >>"$rc_file"
	added_to="${added_to:+$added_to, }$rc_file"
	# PATH prepend for ~/.aidevops/bin (GH#2993)
	if ! grep -q '\.aidevops/bin' "$rc_file" 2>/dev/null; then
	echo "" >>"$rc_file"
	echo "# Added by aidevops setup (GH#2993: shellcheck shim on PATH)" >>"$rc_file"
	echo "$path_line" >>"$rc_file"
	fi
	if grep -q 'SHELLCHECK_PATH' "$rc_file"; then
	already_in="${already_in:+$already_in, }$rc_file"
	else
	echo "" >>"$rc_file"
	echo "# Added by aidevops setup (GH#2915: prevent ShellCheck memory explosion)" >>"$rc_file"
	echo "$env_line" >>"$rc_file"
	added_to="${added_to:+$added_to, }$rc_file"
	fi
	# PATH prepend for ~/.aidevops/bin (GH#2993)
	if ! grep -q '\.aidevops/bin' "$rc_file"; then
	echo "" >>"$rc_file"
	echo "# Added by aidevops setup (GH#2993: shellcheck shim on PATH)" >>"$rc_file"
	echo "$path_line" >>"$rc_file"
	fi

References

1. Avoid using '2>/dev/null' for blanket suppression of command errors in shell scripts to ensure that authentication, syntax, or system issues remain visible for debugging.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@setup-modules/shell-env.sh`:
- Around line 503-504: The current check that skips adding .aidevops/bin if any
mention exists is too permissive; update the logic that uses the path_line
variable (local path_line='export PATH="$HOME/.aidevops/bin:$PATH"') and the
rc-file loop to check for an exact match of that whole line (not just
substring), e.g. use a fixed-string exact-line grep/awk (grep -Fx or grep -F -x)
against each rc file before appending, or implement a managed block (delimited
begin/end markers) and replace the block atomically; ensure you change both the
initial presence check and the rc-file loop so only the exact prepend form
short-circuits, preventing stale append-form entries from remaining earlier in
PATH.
- Around line 471-480: The launchctl section only sets SHELLCHECK_PATH but not
PATH, so GUI-launched apps can still resolve the real shellcheck; update the
launchctl block to also set the PATH environment via launchctl setenv PATH to
prepend ~/.aidevops/bin (e.g. compute new_path="$HOME/.aidevops/bin:$PATH"
safely expanding $HOME) alongside launchctl setenv SHELLCHECK_PATH, and ensure
you use the same symbol names as in the file (launchctl setenv, SHELLCHECK_PATH)
and handle idempotency so repeated runs don't duplicate entries.
- Around line 583-598: get_all_shell_rcs() currently treats fish rc files like
bash/zsh and appends $env_line/$path_line (bash-style exports) to $rc_file which
breaks fish; update the logic around the blocks that append $env_line and
$path_line to detect when $rc_file is the fish config (e.g.,
~/.config/fish/config.fish) and instead write fish-compatible lines using the
same pattern used by alias_block_fish (use "set -gx" syntax and fish-specific
comment header), leaving bash/zsh behavior unchanged for other rc files.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7e0d12b0-5a40-4923-8d53-69566236b1e7

📥 Commits

Reviewing files that changed from the base of the PR and between 4a4b6c1 and 3772867.

📒 Files selected for processing (1)

• setup-modules/shell-env.sh

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 108 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Fri Mar 6 16:11:17 UTC 2026: Code review monitoring started
Fri Mar 6 16:11:18 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 108

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 108
• VULNERABILITIES: 0

Generated on: Fri Mar 6 16:11:20 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[marcusquinn]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 108 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Fri Mar 6 16:21:47 UTC 2026: Code review monitoring started
Fri Mar 6 16:21:47 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 108

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 108
• VULNERABILITIES: 0

Generated on: Fri Mar 6 16:21:50 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[marcusquinn]

Worker killed after 6h47m with 0 commits (struggle_ratio: 19764). Re-dispatching with more context. The issue is a ShellCheck PATH shim fix — CodeRabbit requested changes. New worker will read the review comments and address them.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

🧹 Nitpick comments (1)

setup-modules/shell-env.sh (1)

643-645: Consider adding idempotency guard to current-session PATH export.

The current-session export at line 645 is unconditional, while the persisted path_line (line 505) uses a case guard to prevent duplicates. If setup_shellcheck_wrapper() is called multiple times in the same session (e.g., during testing), PATH would accumulate duplicates.

♻️ Optional: Add consistency with persisted path_line

 	# Also export for current session
 	export SHELLCHECK_PATH="$wrapper_path"
-	export PATH="$HOME/.aidevops/bin:$PATH"
+	if [[ ":$PATH:" != *":$HOME/.aidevops/bin:"* ]]; then
+		export PATH="$HOME/.aidevops/bin:$PATH"
+	fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@setup-modules/shell-env.sh` around lines 643 - 645, The current-session PATH
export in setup_shellcheck_wrapper() unconditionally prepends
"$HOME/.aidevops/bin" causing duplicates if called multiple times; change the
in-session export to check whether "$HOME/.aidevops/bin" is already in PATH
before modifying it (match the persisted path_line behavior), and ensure
SHELLCHECK_PATH is still exported; locate the block that sets export
SHELLCHECK_PATH and export PATH and wrap the PATH change with a guard (e.g.,
using a case or conditional that tests $PATH for the directory) so repeated
calls do not accumulate duplicates.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@setup-modules/shell-env.sh`:
- Around line 643-645: The current-session PATH export in
setup_shellcheck_wrapper() unconditionally prepends "$HOME/.aidevops/bin"
causing duplicates if called multiple times; change the in-session export to
check whether "$HOME/.aidevops/bin" is already in PATH before modifying it
(match the persisted path_line behavior), and ensure SHELLCHECK_PATH is still
exported; locate the block that sets export SHELLCHECK_PATH and export PATH and
wrap the PATH change with a guard (e.g., using a case or conditional that tests
$PATH for the directory) so repeated calls do not accumulate duplicates.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ff216773-0162-4b05-82e2-3a2e546a9255

📥 Commits

Reviewing files that changed from the base of the PR and between 3772867 and 0026bf1.

📒 Files selected for processing (1)

• setup-modules/shell-env.sh