feat(safety): owner allowlist + two-tier menu with clearer item names (#1)

Adds an ownership safety guard so scripts NEVER touch repositories outside
a configured allowlist of owners (defaults to ["hyperpolymath"]; edit
config/owners.config or set GIT_SCRIPTS_ALLOWED_OWNERS to add personal /
family / additional org accounts). The guard is enforced in two parallel
implementations that share the same config:

  - scripts/lib/ownership_guard.sh — sourced by every shell script that
    targets a single org or pushes to remotes; provides
    owner_allowed/repo_allowed/assert_owner_allowed and a host-agnostic
    owner extractor (works for GitHub, GitLab, Bitbucket, Gitea,
    self-hosted, SSH-style, etc.).
  - lib/script_manager/ownership_guard.ex — the Elixir equivalent;
    exposes allowed_owners/0, owner_allowed?/1, repo_allowed?/1,
    filter_allowed/1, filter_allowed_verbose/1 and assert_owner_allowed!/1.

Wired into all the scripts/modules that can mutate or affect repos:
  shell: branch-protection-apply, wiki-audit, project-tabs-audit,
         audit_script (per-repo filter + uses derived owner for the
         Dependabot URL), update_repos (per-repo filter before push),
         standardize_readmes & md_to_adoc_converter (per-repo filter).
  elixir: PRProcessor.process_all/add_standard_comment (asserts org),
          GitSyncer.run (filters discovered repos before push),
          EstateDeployer.deploy_by_paths (filters before writing files),
          DependencyFixer.fix_lithoglyph/fix_rgtv (refuses to patch when
          enclosing repo is foreign-owned),
          RepoCleanup (warns the external cleanup scripts are NOT bound
          by the allowlist).

Also rewrites the TUI menu as two tiers with clearer item names:
  [A] Audits & Reports         — wiki, project metadata, contractiles,
                                 secrets/Dependabot, health dashboard,
                                 local-vs-remote sync verification
  [B] Repository Maintenance   — update repos, global git sync,
                                 standardise READMEs, MD→AsciiDoc,
                                 clean unicode, cleanup ops, dep fixes
  [C] GitHub Operations        — branch protection rulesets, mass PR
                                 processor, gh CLI helper
  [D] Estate-Wide Deployment   — deploy estate standards, link
                                 toolchains, find media repos
  [E] External Tools           — launch NQC, launch Invariant Path
  [F] Coming Soon              — dependency updater, release manager
The startup banner shows the active owner allowlist and the help and
system-status screens both surface it so it's obvious at a glance.

Note: rebuild the escript with `mix escript.build` to pick up the
Elixir-side changes; the bash-side guard is active immediately.

https://claude.ai/code/session_014ME3ph3UecQQAPQDKY2HPf

Co-authored-by: Claude <noreply@anthropic.com>

Author: hyperpolymath

config/owners.config

@@ -0,0 +1,27 @@
+# Git Scripts — Owner Allowlist
+#
+# These scripts must NEVER touch repositories owned by anyone outside this
+# list. The guard refuses to operate (and exits non-zero) if a target repo's
+# GitHub owner is not present here.
+#
+# Add to this list:
+#   - your own GitHub username
+#   - any family members you maintain repos for (e.g. your son)
+#   - any organisations you control
+#
+# The owner check is case-insensitive. One owner per line in the array.
+#
+# Override at runtime without editing this file by exporting:
+#   GIT_SCRIPTS_ALLOWED_OWNERS="ownerA ownerB ownerC"
+# (space- or comma-separated).
+
+ALLOWED_OWNERS=(
+  "hyperpolymath"
+)
+
+if [[ -n "${GIT_SCRIPTS_ALLOWED_OWNERS:-}" ]]; then
+    # Replace the array entirely from the env var
+    IFS=', ' read -r -a ALLOWED_OWNERS <<< "${GIT_SCRIPTS_ALLOWED_OWNERS}"
+fi
+
+export ALLOWED_OWNERS

lib/script_manager/dependency_fixer.ex

@@ -11,71 +11,115 @@ defmodule ScriptManager.DependencyFixer do
   def run do
     IO.puts("\n🔧 DEPENDENCY FIXER (Hardened Mode)")
     IO.puts("===================================")
-    
+
     fix_lithoglyph()
     fix_rgtv()
-    
+
     IO.puts("\n✅ Dependency fixing complete!")
     :ok
   end
 
+  # Walk up to the enclosing git working tree and check the owner allowlist.
+  # Returns true if the directory has no enclosing repo (we can't tell, so allow
+  # the explicit per-path edits to proceed inside our own filesystem layout).
+  @spec safe_to_edit?(String.t()) :: boolean()
+  defp safe_to_edit?(path) do
+    case System.cmd("git", ["-C", path, "rev-parse", "--show-toplevel"], stderr_to_stdout: true) do
+      {toplevel, 0} ->
+        ScriptManager.OwnershipGuard.repo_allowed?(String.trim(toplevel))
+
+      _ ->
+        # Not inside a git repo: nothing remote to push to, no owner to violate.
+        true
+    end
+  end
+
   @spec fix_lithoglyph() :: :ok
   defp fix_lithoglyph do
     path = "/var/mnt/eclipse/repos/nextgen-databases/lithoglyph/core-zig"
     IO.puts("Fixing Lithoglyph in #{path}...")
-    
+
     try do
-      if File.dir?(path) do
-        build_zig = Path.join(path, "build.zig")
-        if File.exists?(build_zig) do
-          content = File.read!(build_zig)
-          new_content = String.replace(content, "const crypto_tests = b.addTest(.{", "const _crypto_tests = b.addTest(.{")
-          File.write!(build_zig, new_content)
-          IO.puts("  ✓ build.zig patched")
-          
-          IO.puts("  Running tests...")
-          System.cmd("zig", ["build", "test"], cd: path, into: IO.stream(:stdio, :line))
-        end
-      else
-        IO.puts("  ⚠ Lithoglyph directory not found")
+      cond do
+        not File.dir?(path) ->
+          IO.puts("  ⚠ Lithoglyph directory not found")
+
+        not safe_to_edit?(path) ->
+          IO.puts("  🛡  Skipping: enclosing repo is outside the owner allowlist.")
+
+        true ->
+          do_fix_lithoglyph(path)
       end
     rescue
       e -> IO.puts("  ❌ Failed to fix Lithoglyph: #{inspect(e)}")
     end
+
+    :ok
+  end
+
+  @spec do_fix_lithoglyph(String.t()) :: :ok
+  defp do_fix_lithoglyph(path) do
+    build_zig = Path.join(path, "build.zig")
+
+    if File.exists?(build_zig) do
+      content = File.read!(build_zig)
+      new_content = String.replace(content, "const crypto_tests = b.addTest(.{", "const _crypto_tests = b.addTest(.{")
+      File.write!(build_zig, new_content)
+      IO.puts("  ✓ build.zig patched")
+
+      IO.puts("  Running tests...")
+      System.cmd("zig", ["build", "test"], cd: path, into: IO.stream(:stdio, :line))
+    end
+
     :ok
   end
 
   @spec fix_rgtv() :: :ok
   defp fix_rgtv do
     path = "/var/mnt/eclipse/repos/reasonably-good-token-vault/vault-core"
     IO.puts("Fixing RGTV in #{path}...")
-    
+
     try do
-      if File.dir?(path) do
-        primes_rs = Path.join([path, "src", "primes.rs"])
-        if File.exists?(primes_rs) do
-          content = File.read!(primes_rs)
-          new_content = String.replace(content, "use num_bigint::{BigUint, RandBigInt, ToBigUint};", "use num_bigint::{BigUint, ToBigUint};")
-          File.write!(primes_rs, new_content)
-          IO.puts("  ✓ src/primes.rs patched")
-        end
-        
-        crypto_rs = Path.join([path, "src", "crypto.rs"])
-        if File.exists?(crypto_rs) do
-          content = File.read!(crypto_rs)
-          new_content = String.replace(content, "use ed448_goldilocks::EdwardsPoint::generator()", "use ed448_goldilocks::edwards::EdwardsPoint::generator()")
-          File.write!(crypto_rs, new_content)
-          IO.puts("  ✓ src/crypto.rs patched")
-        end
-        
-        IO.puts("  Running tests...")
-        System.cmd("cargo", ["test", "--lib"], cd: path, into: IO.stream(:stdio, :line))
-      else
-        IO.puts("  ⚠ RGTV directory not found")
+      cond do
+        not File.dir?(path) ->
+          IO.puts("  ⚠ RGTV directory not found")
+
+        not safe_to_edit?(path) ->
+          IO.puts("  🛡  Skipping: enclosing repo is outside the owner allowlist.")
+
+        true ->
+          do_fix_rgtv(path)
       end
     rescue
       e -> IO.puts("  ❌ Failed to fix RGTV: #{inspect(e)}")
     end
+
+    :ok
+  end
+
+  @spec do_fix_rgtv(String.t()) :: :ok
+  defp do_fix_rgtv(path) do
+    primes_rs = Path.join([path, "src", "primes.rs"])
+
+    if File.exists?(primes_rs) do
+      content = File.read!(primes_rs)
+      new_content = String.replace(content, "use num_bigint::{BigUint, RandBigInt, ToBigUint};", "use num_bigint::{BigUint, ToBigUint};")
+      File.write!(primes_rs, new_content)
+      IO.puts("  ✓ src/primes.rs patched")
+    end
+
+    crypto_rs = Path.join([path, "src", "crypto.rs"])
+
+    if File.exists?(crypto_rs) do
+      content = File.read!(crypto_rs)
+      new_content = String.replace(content, "use ed448_goldilocks::EdwardsPoint::generator()", "use ed448_goldilocks::edwards::EdwardsPoint::generator()")
+      File.write!(crypto_rs, new_content)
+      IO.puts("  ✓ src/crypto.rs patched")
+    end
+
+    IO.puts("  Running tests...")
+    System.cmd("cargo", ["test", "--lib"], cd: path, into: IO.stream(:stdio, :line))
+
     :ok
   end
 end

lib/script_manager/estate_deployer.ex

@@ -2,6 +2,7 @@ defmodule ScriptManager.EstateDeployer do
   @moduledoc "Estate deployment logic generalized for all repositories"
 
   alias ScriptManager.RepoHelper
+  alias ScriptManager.OwnershipGuard
 
   @contractile_types ["must", "trust", "dust", "lust", "adjust", "intend"]
   @standards_dir "/var/mnt/eclipse/repos/standards"
@@ -65,9 +66,12 @@ defmodule ScriptManager.EstateDeployer do
   end
 
   defp deploy_by_paths(repo_paths, phases) do
+    # Ownership guard: refuse to deploy into repos outside the allowlist.
+    repo_paths = OwnershipGuard.filter_allowed_verbose(repo_paths)
+
     total = length(repo_paths)
     IO.puts("Processing #{total} repositories...")
-    
+
     repo_paths
     |> Enum.with_index(1)
     |> Enum.each(fn {path, index} ->

lib/script_manager/git_syncer.ex

@@ -5,6 +5,7 @@ defmodule ScriptManager.GitSyncer do
   """
 
   alias ScriptManager.RepoHelper
+  alias ScriptManager.OwnershipGuard
 
   @type sync_status :: String.t()
   @type merge_status :: String.t()
@@ -16,9 +17,12 @@ defmodule ScriptManager.GitSyncer do
   def run do
     IO.puts("\n🌐 GLOBAL GIT SYNC (Concurrent Strict Mode)")
     IO.puts("============================================")
-    
-    all_repos = RepoHelper.find_all_repos()
-    
+
+    # Ownership guard: never push to repos outside the allowlist.
+    all_repos =
+      RepoHelper.find_all_repos()
+      |> OwnershipGuard.filter_allowed_verbose()
+
     header = "| Repository | Sync Status | Merge Status | Push Status |"
     separator = "| :--- | :--- | :--- | :--- |"