fix: prevent ShellCheck memory explosion with RSS watchdog, rate limiting, and PATH fix

[marcusquinn]

Summary

Rebased version of #3105 — all CodeRabbit and Gemini Code Assist review feedback addressed. Rebased onto current main to eliminate stale version/planning file diffs.

Fixes the recurring ShellCheck memory explosion that caused a system crash on Mar 7 (20 GB -> 48 GB+ in minutes, 18.5 GB single shellcheck process).

Root cause analysis:

• ulimit -v is a complete no-op on macOS ARM (setrlimit failed: invalid argument) — the wrapper's memory cap was doing nothing
• The memory-pressure monitor polls every 60s, but shellcheck grows from 0 to 18 GB in under 60s
• bash-language-server immediately respawns killed shellcheck processes, creating a kill-respawn-grow cycle
• PATH shim was at the end of PATH in some contexts, so the real shellcheck was found first

Three-layer fix:

1. shellcheck-wrapper.sh — RSS watchdog + rate limiter

• Background RSS watchdog replaces broken ulimit -v: polls child process RSS every 2s, kills at 1 GB
• Respawn rate limiter with exponential backoff (5s -> 10s -> 20s -> ... -> 300s max) prevents kill-respawn-grow cycles
• Hard timeout of 120s as additional safety net
• Input validation (_validate_int) prevents tight loops from invalid env vars
• Atomic lock in _record_kill prevents race conditions from concurrent kills
• Preserves .real fast-path from main for binary discovery

2. memory-pressure-monitor.sh v2.1.0 — faster detection

• Lower thresholds: warn at 1 GB, kill at 2 GB (was 2/4 GB) — secondary defense behind wrapper's 1 GB limit
• Faster polling: 30s launchd interval (was 60s), adaptive 10s when shellcheck detected
• Fix zsh false positives: match patterns against command basename only
• Lower shellcheck runtime: 5 min max (was 10 min)

3. setup-modules/shell-env.sh — PATH ordering fix

• Strip existing ~/.aidevops/bin from PATH before prepending, guaranteeing first position
• Sticky for all shells: sanitize-and-prepend logic in .zshenv, all rc files, and fish config
• Security: empty-PATH guard prevents trailing colon (PATH injection vector)
• Old case guard entries cleaned up on upgrade

Review feedback addressed (from #3105)

1. Validate watchdog tunables — _validate_int() with min bounds (128/1/10)
2. Race condition in _record_kill — mkdir-based atomic lock
3. PATH trailing colon security — empty-PATH guard
4. Remove 2>/dev/null from mkdir -p — surface permission errors
5. PATH sticky for rc-file layers — sanitize-and-prepend in all shell configs
6. Docstring coverage — all functions documented

Testing

• ShellCheck: zero violations on all 3 files (info level)
• Rebased cleanly onto current main (v2.154.3)

Closes #2915

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 29 minutes and 5 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 400b144c-57d8-4a8c-a001-7751458a6a78

📥 Commits

Reviewing files that changed from the base of the PR and between 31b0b6a and 25290b2.

📒 Files selected for processing (3)

• .agents/scripts/memory-pressure-monitor.sh
• .agents/scripts/shellcheck-wrapper.sh
• setup-modules/shell-env.sh

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bugfix/shellcheck-memory-watchdog

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 125 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sat Mar 7 18:08:47 UTC 2026: Code review monitoring started
Sat Mar 7 18:08:47 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 125

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 125
• VULNERABILITIES: 0

Generated on: Sat Mar 7 18:08:50 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[marcusquinn]

@coderabbitai review

Review bots were rate-limited when this PR was created (affected: coderabbitai gemini-code-assist). Requesting a review retry.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

@marcusquinn Sure! Triggering a full review of PR #3146 now. I'll analyse the three-layer fix across shellcheck-wrapper.sh, memory-pressure-monitor.sh, and setup-modules/shell-env.sh and provide detailed feedback shortly.

---

🧠 Learnings used

Learnt from: marcusquinn
Repo: marcusquinn/aidevops PR: 0
File: :0-0
Timestamp: 2026-03-03T16:33:18.313Z
Learning: For the marcusquinn/aidevops repository: The daily quality sweep system (pulse-wrapper.sh) should only mention coderabbitai for full codebase review when there are significant changes (Quality Gate failure, +10 issues in one day, etc.), not on every automated sweep with stable metrics.

---

Learnt from: alex-solovyev
Repo: marcusquinn/aidevops PR: 0
File: :0-0
Timestamp: 2026-03-04T05:50:49.615Z
Learning: In the marcusquinn/aidevops repository: As of 2026-03-04, the chrome-webstore-helper.sh SC2119/SC2120 (load_credentials argument mismatch) and stash-audit-helper.sh SC2181 (indirect exit code checking) ShellCheck issues have been resolved. ShellCheck now reports 0 errors and 0 warnings for these files.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[marcusquinn]

This PR appears orphaned — no active worker process found and no activity for 25+ hours. Flagging for re-dispatch. If work is still in progress, remove the status:orphaned label.

[marcusquinn]

Merging via pulse supervisor.

• CI: All checks passing
• Reviews: 0 formal reviews (systemic issue systemic: CodeRabbit not submitting formal reviews on maintainer PRs — all merges blocked #3932 — CodeRabbit not submitting formal reviews on maintainer PRs)
• Bot gate: PASS (CodeRabbit commented)
• Rationale: PASS_RATE_LIMITED scenario — PR is 3+ hours old with bot gate PASS. Safe to merge per pulse.md.