2026-04-08 Daily Audit (#9)

## Summary
- refresh the dogfood .github/scripts copy to the released 1.0.4 set,
including sync.py
- tighten reusable workflow and template CI permissions so only the
coverage publish job has contents: write
- pin overlapping dev-tool dependencies in root and reference
pyproject.toml to the same versions used by pre-commit hooks

## Audit notes
- Open PR backlog on 2026-04-08: none
- Latest verified Template CI main-branch run: 24152483904 (all jobs
green; tests succeeded on ubuntu-latest, windows-latest, and
macos-latest)
- Latest verified Auto Release run: 24151035753 (success)
- Self Update remains blocked for live validation in this session
because authenticated workflow dispatch / PR automation access is
unavailable here

## Local validation
- .venv\\Scripts\\python.exe scripts\\qa.py
- .venv\\Scripts\\python.exe .github\\scripts\\qa.py --skip lint --skip
types --skip tests --skip security --skip spelling --skip package

## Remaining blockers
- GitHub CLI auth in this environment is invalid, so any follow-up
API-driven PR updates / manual workflow dispatches may require
re-authentication outside this session

Author: NWarila

.github/scripts/.version

@@ -1 +1 @@
-none
+v1.0.4

.github/scripts/qa.py

@@ -4,7 +4,7 @@
 """Local QA orchestrator. Discovers and runs all check_*.py scripts.
 
 Usage:
-    python scripts/qa.py [--fix] [--skip name ...]
+    python path/to/qa.py [--fix] [--skip name ...]
 """
 
 from __future__ import annotations
@@ -18,7 +18,20 @@
 from pathlib import Path
 
 SCRIPT_DIR = Path(__file__).resolve().parent
-PROJECT_ROOT = SCRIPT_DIR.parent
+
+
+def _find_project_root(start: Path | None = None) -> Path:
+    """Walk up from *start* (default SCRIPT_DIR) to find pyproject.toml."""
+    d = start or SCRIPT_DIR
+    while d != d.parent:
+        if (d / "pyproject.toml").exists():
+            return d
+        d = d.parent
+    print(f"Error: could not find pyproject.toml above {d}", file=sys.stderr)
+    sys.exit(1)
+
+
+PROJECT_ROOT = _find_project_root()
 
 
 # ---------------------------------------------------------------------------

.github/scripts/setup.ps1

@@ -3,7 +3,26 @@
 $ErrorActionPreference = 'Stop'
 
 $ScriptDir = Split-Path -Parent $PSCommandPath
-$ProjectRoot = if ($env:PROJECT_ROOT) { $env:PROJECT_ROOT } else { Split-Path -Parent $ScriptDir }
+
+# Walk up from ScriptDir to find the repo root (where pyproject.toml lives).
+# This works whether the script is at scripts/ or .github/scripts/.
+if ($env:PROJECT_ROOT) {
+    $ProjectRoot = $env:PROJECT_ROOT
+} else {
+    $SearchDir = $ScriptDir
+    $ProjectRoot = $null
+    while ($SearchDir -and $SearchDir -ne (Split-Path -Parent $SearchDir)) {
+        if (Test-Path (Join-Path $SearchDir 'pyproject.toml')) {
+            $ProjectRoot = $SearchDir
+            break
+        }
+        $SearchDir = Split-Path -Parent $SearchDir
+    }
+    if (-not $ProjectRoot) {
+        Write-Error "Could not find pyproject.toml above $ScriptDir"
+        exit 1
+    }
+}
 
 Write-Host "Project root: $ProjectRoot"
 Set-Location $ProjectRoot

.github/scripts/setup.sh

@@ -4,7 +4,25 @@
 set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
-PROJECT_ROOT="${PROJECT_ROOT:-$(cd "$SCRIPT_DIR/.." && pwd)}"
+
+# Walk up from SCRIPT_DIR to find the repo root (where pyproject.toml lives).
+# This works whether the script is at scripts/ or .github/scripts/.
+if [ -n "${PROJECT_ROOT:-}" ]; then
+    : # Already set via env var
+else
+    _dir="$SCRIPT_DIR"
+    while [ "$_dir" != "/" ]; do
+        if [ -f "$_dir/pyproject.toml" ]; then
+            PROJECT_ROOT="$_dir"
+            break
+        fi
+        _dir="$(dirname "$_dir")"
+    done
+    if [ -z "${PROJECT_ROOT:-}" ]; then
+        echo "Error: could not find pyproject.toml above $SCRIPT_DIR" >&2
+        exit 1
+    fi
+fi
 
 echo "Project root: ${PROJECT_ROOT}"
 cd "$PROJECT_ROOT"

.github/scripts/sync.py

@@ -0,0 +1,94 @@
+"""Sync template-managed files into a target repo using sync-manifest.json.
+
+Usage:
+    python sync.py TEMPLATE_ROOT REPO_ROOT
+
+Reads sync-manifest.json from TEMPLATE_ROOT, copies files into REPO_ROOT using
+the mode specified for each mapping:
+
+    overwrite          Full replacement.
+    marker-preserve    Replaces template-owned // #region sections while
+                       preserving repo-specific content.
+
+Exit codes:
+    0    Success (prints synced file count).
+    1    Missing arguments or manifest not found.
+"""
+
+from __future__ import annotations
+
+import json
+import re
+import sys
+from pathlib import Path
+
+
+def marker_preserve_copy(src: Path, dst: Path) -> None:
+    """Copy src to dst, preserving content outside template marker regions."""
+    if not dst.exists():
+        dst.parent.mkdir(parents=True, exist_ok=True)
+        dst.write_text(src.read_text(), encoding="utf-8")
+        return
+
+    src_text = src.read_text(encoding="utf-8")
+    dst_text = dst.read_text(encoding="utf-8")
+
+    pattern = re.compile(
+        r"(//\s*#region\s+Template:\s*\S+.*?\n)(.*?)(//\s*#endregion\s+Template:)",
+        re.DOTALL,
+    )
+
+    src_regions: dict[str, str] = {}
+    for match in pattern.finditer(src_text):
+        name_match = re.search(r"Template:\s*(\S+)", match.group(1))
+        if name_match:
+            src_regions[name_match.group(1)] = match.group(2)
+
+    def replace_region(match: re.Match[str]) -> str:
+        name_match = re.search(r"Template:\s*(\S+)", match.group(1))
+        if name_match and name_match.group(1) in src_regions:
+            return match.group(1) + src_regions[name_match.group(1)] + match.group(3)
+        return match.group(0)
+
+    dst.write_text(pattern.sub(replace_region, dst_text), encoding="utf-8")
+
+
+def sync(template_root: Path, repo_root: Path) -> int:
+    """Run the sync and return the number of files synced."""
+    manifest_path = template_root / "sync-manifest.json"
+    if not manifest_path.exists():
+        print(f"Error: {manifest_path} not found", file=sys.stderr)
+        sys.exit(1)
+
+    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
+
+    changed: list[str] = []
+    for mapping in manifest.get("files", []):
+        src = template_root / mapping["src"]
+        dst = repo_root / mapping["dest"]
+        mode = mapping.get("mode", "overwrite")
+
+        if not src.exists():
+            print(f"  Skip (source missing): {mapping['src']}")
+            continue
+
+        dst.parent.mkdir(parents=True, exist_ok=True)
+
+        if mode == "marker-preserve":
+            marker_preserve_copy(src, dst)
+        else:
+            dst.write_text(src.read_text(encoding="utf-8"), encoding="utf-8")
+
+        changed.append(mapping["dest"])
+        print(f"  Synced: {mapping['src']} -> {mapping['dest']} ({mode})")
+
+    print(f"\n{len(changed)} file(s) synced.")
+    return len(changed)
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 3:
+        print(f"Usage: {sys.argv[0]} TEMPLATE_ROOT REPO_ROOT", file=sys.stderr)
+        sys.exit(1)
+
+    sync(Path(sys.argv[1]), Path(sys.argv[2]))

.github/workflows/python-qa.yml

@@ -21,7 +21,7 @@ on:
         default: true
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   lint:
@@ -204,6 +204,8 @@ jobs:
   coverage-badge:
     if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
     needs: [tests]
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - name: Download coverage badge data

.github/workflows/template-ci.yml

@@ -7,7 +7,7 @@ on:
     branches: [main]
 
 permissions:
-  contents: write
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -133,6 +133,8 @@ jobs:
   coverage-badge:
     if: github.ref == 'refs/heads/main' && github.event_name == 'push'
     needs: [tests]
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - name: Download coverage badge data

pyproject.toml

@@ -16,15 +16,15 @@ license = "MIT"
 [project.optional-dependencies]
 dev = [
     "build",
-    "codespell",
-    "mypy>=1.16",
+    "codespell==2.4.1",
+    "mypy==1.16.0",
     "pip-audit",
     "pre-commit",
     "pytest",
     "pytest-cov",
-    "ruff>=0.11",
+    "ruff==0.11.12",
     "twine",
-    "validate-pyproject",
+    "validate-pyproject==0.24",
 ]
 
 [tool.ruff]

reference/pyproject.toml

@@ -14,15 +14,15 @@ license = "MIT"
 [project.optional-dependencies]
 dev = [
     "build",
-    "codespell",
-    "mypy>=1.16",
+    "codespell==2.4.1",
+    "mypy==1.16.0",
     "pip-audit",
     "pre-commit",
     "pytest",
     "pytest-cov",
-    "ruff>=0.11",
+    "ruff==0.11.12",
     "twine",
-    "validate-pyproject",
+    "validate-pyproject==0.24",
 ]
 
 # [project.scripts]