refactor(scripts): shared common.sh library + grouped subgroups + new health/sync tools

Adds scripts/lib/common.sh — every script now sources it for safe-by-default
strict mode + ERR/EXIT traps, structured timestamped logging, dry-run plumbing
(GS_DRY_RUN, gs::do, gs::sh), bounded parallelism, single-instance locks,
snapshot/rollback on destructive edits, GH CLI auth + rate-limit + retry
wrappers, repo-iteration helpers, and structured A2ML reporting. Honours
NO_COLOR and non-TTY.

Groups scripts/ into purposeful subgroups via symlinks (real files stay at
scripts/ root because the Elixir TUI hardcodes those names):

  audit/   contractiles, wiki, project-tabs, sync-status, secrets-and-deps
  fix/     unwrap, innerhtml, branch-protection, all (composite)
  sync/    update-repos, standardize-readmes, mirror-check
  health/  gh-doctor, estate-report
  lib/     common.sh (new), ownership_guard.sh (existing)

Heavy refactors that now ride the lib end-to-end:
- audit_contractiles.sh — 6 canonical verbs (post-2026-04-18 lust deprecation),
  K9 SVC vs contractile-drift detection, A2ML report.
- branch-protection-apply.sh — gh preflight, retry-on-flake, in-place ruleset
  updates (no duplicates), per-repo failure isolation.
- fix-unwrap-to-match.sh — defaults to REPORT-ONLY per the unwrap-to-expect
  anti-pattern memo; --apply-expect opts in with snapshot+rollback.
- update_repos.sh — fetch + safe-rebase + force-with-lease push, ff-only
  abort safety, per-repo failure capture, lock-protected.
- fix-innerhtml.sh — text-only innerHTML rewrite + SECURITY-comment
  annotations; idempotent; snapshot+rollback.
- audit_script.sh — gitleaks + Dependabot, graceful degrade if gitleaks absent.
- verify.sh — read-only HEAD-vs-origin Markdown table.

New tools:
- health/gh-doctor.sh   — gh auth/scope/rate-limit/jq/git-credentials check.
- health/estate-report.sh — runs every read-only audit + aggregates Markdown.
- sync/mirror-check.sh  — verifies the GitHub-only push policy; honours
  the 007 and bitfuckit estate-wide exceptions.
- fix/all.sh            — runs every fixer in sequence (replaces
  fix-security-issues.sh).

Reconciled / dropped:
- ci-integration-example.sh -> moved to docs/ci-integration-example.adoc
  (it was prose, not a script).
- md_to_adoc_converter.sh, fix-security-issues.sh, USE-GH-CLI.sh become
  deprecation stubs forwarding to standardize_readmes.sh, fix/all.sh, and
  health/gh-doctor.sh respectively, so the Elixir TUI's hardcoded names
  still resolve.

scripts/README.adoc documents the layout, common flags
(-n/--dry-run, -y/--yes, -j/--jobs N, -v/-q, -h/--help) and common env
(GS_REPOS_DIR, GS_REPO_LIST, GS_BACKUP_DIR, GS_REPORT_DIR, NO_COLOR), with
a template for new scripts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

scripts/ci-integration-example.sh docs/ci-integration-example.adocscripts/ci-integration-example.sh renamed to docs/ci-integration-example.adoc

@@ -0,0 +1,148 @@
+= scripts/
+:toc: preamble
+
+Estate-wide bash automation. Every script is built on
+`lib/common.sh`, which provides safe-by-default strict mode, structured
+logging, dry-run support, bounded parallelism, single-instance locking,
+signal-safe cleanup, GH CLI rate-limit + retry, snapshot-based rollback,
+and repo-iteration helpers.
+
+== Layout
+
+The directory tree is *grouped by purpose* via symlinks. The actual
+scripts continue to live at `scripts/` root (the Elixir TUI hardcodes
+those paths).
+
+[cols="1,3", options="header"]
+|===
+| Group     | Purpose
+
+| `lib/`    | Shared library (`common.sh`); source it from every script.
+| `audit/`  | Read-only inspection: contractiles, wiki, About metadata, sync, secrets+deps.
+| `fix/`    | Mutating remediations: unwrap, innerHTML, branch protection, composite `all.sh`.
+| `sync/`   | Estate-wide sync: update-repos, README standardisation, mirror-policy verification.
+| `health/` | Diagnostics: `gh-doctor`, `estate-report` aggregator.
+|===
+
+== Common flags
+
+Every script that uses `lib/common.sh` understands:
+
+[cols="1,3", options="header"]
+|===
+| Flag                | Effect
+
+| `-n` / `--dry-run`  | Read-only; destructive ops are logged, not executed.
+| `-y` / `--yes`      | Skip confirmation prompts (CI mode).
+| `-j` / `--jobs N`   | Bounded parallelism (default 4).
+| `-v` / `--verbose`  | Debug-level logging.
+| `-q` / `--quiet`    | Warnings/errors only.
+| `-h` / `--help`     | Per-script help text.
+|===
+
+== Common environment
+
+[cols="1,3", options="header"]
+|===
+| Var               | Default
+
+| `GS_REPOS_DIR`    | `/var/mnt/eclipse/repos`
+| `GS_LOG_LEVEL`    | `info`
+| `GS_DRY_RUN`      | `0`
+| `GS_PARALLEL`     | `4`
+| `GS_BACKUP_DIR`   | `~/.cache/git-scripts/backups`
+| `GS_REPORT_DIR`   | `~/.cache/git-scripts/reports`
+| `GS_LOCK_DIR`     | `${TMPDIR}/git-scripts.locks`
+| `GS_REPO_LIST`    | (optional) one-repo-per-line filter list
+| `NO_COLOR`        | non-empty disables ANSI colours
+|===
+
+== audit/
+
+[cols="1,3", options="header"]
+|===
+| Script                     | Reports
+
+| `audit/contractiles.sh`    | 6 canonical verbs (`intend trust must bust adjust dust`), K9 SVC location, accessibility hooks/docs. Drift vs missing vs ok.
+| `audit/wiki.sh`            | Wiki enabled/disabled + page count + page list.
+| `audit/project-tabs.sh`    | GitHub repo About: description, homepage, mandatory topics.
+| `audit/sync-status.sh`     | Local HEAD vs origin/<branch> table. Read-only (no fetch).
+| `audit/secrets-and-deps.sh`| gitleaks scan + open-Dependabot-alert count.
+|===
+
+== fix/
+
+[cols="1,3", options="header"]
+|===
+| Script                       | Effect
+
+| `fix/unwrap.sh`              | Reports bare `.unwrap()` in non-test Rust. Rewrite is opt-in via `--apply-expect` (anti-pattern; see memory).
+| `fix/innerhtml.sh`           | Annotates / rewrites XSS-prone DOM writes. Snapshot+rollback per file.
+| `fix/branch-protection.sh`   | Applies the canonical 'Base' ruleset to every non-archived repo. Updates pre-existing rulesets in place.
+| `fix/all.sh`                 | Runs every fixer in sequence against one repo. Replaces legacy `fix-security-issues.sh`.
+|===
+
+== sync/
+
+[cols="1,3", options="header"]
+|===
+| Script                       | Effect
+
+| `sync/update-repos.sh`       | Fetch + safe-rebase + force-with-lease push across the configured set. ff-only safety; per-repo failure capture.
+| `sync/standardize-readmes.sh`| README.md -> README.adoc via pandoc; snapshots saved.
+| `sync/mirror-check.sh`       | Verifies the GitHub-only-push policy. Flags non-github origins, multi-forge drift, suspicious `pushurl` redirects. Honours estate-wide exceptions (`007`, `bitfuckit`).
+|===
+
+== health/
+
+[cols="1,3", options="header"]
+|===
+| Script                  | Effect
+
+| `health/gh-doctor.sh`   | Validates gh installed, authenticated, scoped (`repo`, `workflow`, `read:org`), rate-limit headroom, jq present, git credential helper sane. Replaces legacy `USE-GH-CLI.sh`.
+| `health/estate-report.sh`| Runs every read-only audit and aggregates into a single Markdown report.
+|===
+
+== Removed / deprecated
+
+* `ci-integration-example.sh` -> moved to `docs/ci-integration-example.adoc` (it was prose, not a script).
+* `md_to_adoc_converter.sh` -> deprecation stub forwarding to `standardize_readmes.sh` (original sed regexes were broken).
+* `fix-security-issues.sh` -> deprecation stub forwarding to `fix/all.sh`.
+* `USE-GH-CLI.sh` -> deprecation stub forwarding to `health/gh-doctor.sh`.
+
+The deprecation stubs still resolve, so the Elixir TUI's hardcoded names
+keep working — they just print a notice and exec the replacement.
+
+== Writing a new script
+
+[source,bash]
+----
+#!/usr/bin/env bash
+# SPDX-License-Identifier: PMPL-1.0-or-later
+set -uo pipefail
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
+. "${SCRIPT_DIR}/lib/common.sh"   # or ../lib/common.sh from a subgroup
+
+GS_SCRIPT_NAME="my-thing"
+GS_HELP_TEXT="Usage: my-thing.sh [--dry-run] [--help]"
+gs::strict
+gs::install_trap
+gs::install_trap_summary
+gs::lock my-thing            # single-instance protection
+gs::need gh jq               # fail fast on missing tools
+gs::gh_check                 # auth + rate-limit headroom
+
+while (( $# > 0 )); do
+    case "$1" in
+        -n|--dry-run) GS_DRY_RUN=1 ;;
+        -h|--help)    printf '%s\n' "${GS_HELP_TEXT}"; exit 0 ;;
+        *)            gs::die "unknown flag: $1" ;;
+    esac
+    shift
+done
+
+while IFS= read -r repo; do
+    gs::info "scanning $(basename "${repo}")..."
+    gs::do touch "${repo}/.scanned"     # honours --dry-run
+done < <(gs::repos)
+----

scripts/README.adoc

@@ -1,42 +1,12 @@
 #!/usr/bin/env bash
-# Use GitHub CLI to address PR issues
-
-echo "🔧 USING GITHUB CLI"
-echo "=================="
-echo ""
-
-# Check gh is available
-if ! command -v gh &> /dev/null; then
-    echo "❌ GitHub CLI not found"
-    exit 1
-fi
-
-# Authenticate
-if ! gh auth status &> /dev/null; then
-    echo "🔑 Authenticating..."
-    gh auth login
-fi
-
-echo "✅ GitHub CLI ready"
-echo ""
-
-# Function to address a PR
-target_pr() {
-    local repo="$1"
-    local pr_num="$2"
-    local action="$3"
-    
-    echo "Processing $repo #$pr_num: $action"
-    
-    # Example: gh pr comment $pr_num -b "message"
-    # Add your specific actions here
-}
-
-echo "📋 Available commands:"
-echo "gh pr list --state open"
-echo "gh pr view <number>"
-echo "gh pr comment <number> -b 'message'"
-echo ""
-
-echo "Run manual commands like:"
-echo "gh pr comment 3 -b 'Thanks for the review! Fixing now.'"
+# SPDX-License-Identifier: PMPL-1.0-or-later
+#
+# DEPRECATED — replaced by health/gh-doctor.sh.
+#
+# This file used to be a printed tutorial. It has been replaced with a real
+# diagnostic. Stub kept so the Elixir TUI's hardcoded reference
+# (lib/script_manager/gh_cli.ex) still resolves.
+
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
+echo "[deprecated] USE-GH-CLI.sh -> health/gh-doctor.sh" >&2
+exec "${SCRIPT_DIR}/health/gh-doctor.sh" "$@"

scripts/USE-GH-CLI.sh

@@ -0,0 +1 @@
+../audit_contractiles.sh

scripts/audit/contractiles.sh

@@ -0,0 +1 @@
+../project-tabs-audit.sh

scripts/audit/project-tabs.sh

@@ -0,0 +1 @@
+../audit_script.sh

scripts/audit/secrets-and-deps.sh

@@ -0,0 +1 @@
+../verify.sh

scripts/audit/sync-status.sh

@@ -0,0 +1 @@
+../wiki-audit.sh