chore: adopt checkmake + extract procedural Makefile targets to scripts/

[27Bslash6]

Why

A CodeRabbit/checkmake nit on benchmark-compare (PR #188) exceeding maxbodylength=5 turned out to be the tip of a config mismatch: checkmake's default flags 33 of 74 targets, because this Makefile's idioms (cmd 2>&1 | tee log; if-fail; exit 1, the help echo-menu, $(MAKE)-orchestration) are legitimately longer than 5 lines. The right response to a linter whose defaults don't fit is to configure it and fix the findings that are real — not contort 33 targets.

What's here

Adopt checkmake, tuned to the repo (checkmake.ini)

• Disable maxbodylength (doesn't fit the idiom — see above) and minphony (repo uses .DEFAULT_GOAL := help, not all). Keep phonydeclared.
• Wired as make lint-makefile + a pre-commit hook (language: system, consistent with the existing cargo/basedpyright hooks). Requires go install github.com/checkmake/checkmake/cmd/checkmake@latest.

Fix the 2 genuine phonydeclared findings — add test-critical and security-deep to .PHONY (alias/dependency-only targets that were silently missing).

Extract the 5 genuinely-procedural targets to scripts/ (loops, multi-branch logic — script-shaped), each now a thin target calling a behavior-equivalent script:

target	→ script
security-install (58 lines)	scripts/install-security-tools.sh
security-report (31)	scripts/security-report.sh
version-check (11)	scripts/version-check.sh
fuzz-quick (Python arm)	scripts/fuzz-python.sh (rust arm stays in the target)
build-multiarch-linux (22)	scripts/build-multiarch-linux.sh

scripts/_common.sh provides shared ANSI colors. The Makefile shrinks by 134 lines.

Deliberately NOT extracted: the ~20 command-wrapper targets (test-*, lint-*, format-*, build, ci, …) and make-orchestration (release, release-check). They're long but flat — extracting them would create dozens of trivial one-line scripts (the actual anti-pattern). The tell for "should be a script" is control flow, not line count.

Known follow-ups (out of scope here)

• build-pgo calls scripts/build_with_pgo.sh, which doesn't exist — so make build-pgo silently falls back to a plain uv build and does no PGO. Pre-existing latent bug; reviving real PGO needs careful authoring, tracked separately.
• CI doesn't run pre-commit, so checkmake enforcement is local (hook) + opt-in (make lint-makefile). A CI step is a possible follow-up.

Verification

• checkmake --config checkmake.ini Makefile → 0 violations; make lint-makefile → passes.
• make version-check → behavior-identical (0.10.1/0.10.1 ✓).
• make security-install → all branches exercised, exit 0 (idempotent).
• bash -n clean on all 6 scripts; executables are 0755.
• Makefile parses; the 5 rewritten targets keep their ## help text and setup-logs prereqs.
• Branched off current main (f35d0cd, 0.10.1).

[coderabbitai]

Warning

Review limit reached

@27Bslash6, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 1 hour, 41 minutes, and 47 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e183b4db-559a-4925-8052-9cf988200df1

📥 Commits

Reviewing files that changed from the base of the PR and between f35d0cd and 7164112.

📒 Files selected for processing (9)

• .pre-commit-config.yaml
• Makefile
• checkmake.ini
• scripts/_common.sh
• scripts/build-multiarch-linux.sh
• scripts/fuzz-python.sh
• scripts/install-security-tools.sh
• scripts/security-report.sh
• scripts/version-check.sh

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/adopt-checkmake

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}