fix: repair fix scripts — SPDX license, action SHAs, tmp-paths, CORS

- fix-missing-spdx.sh: AGPL-3.0 → PMPL-1.0-or-later (license policy)
- fix-unpinned-actions.sh: updated SHA pins to 2026-02-04 values, scans
  all workflows instead of single file from finding
- fix-tmp-paths.sh: converted from report-only to actual fixer — inserts
  mktemp block and replaces hardcoded /tmp/ paths
- fix-cors-wildcard.sh: removed direct git commit (dispatch runner handles)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Jonathan D.A. Jewell

scripts/fix-cors-wildcard.sh

@@ -62,23 +62,6 @@ if ! diff -q "$FILE" "${FILE}.bak" >/dev/null 2>&1; then
     # Add comment explaining the change
     sed -i "${LINE}i\\    // SECURITY FIX: Replaced CORS wildcard with environment-based origin" "$FILE"
 
-    # Create git commit if in git repo
-    if [[ -d "$REPO_PATH/.git" ]]; then
-        cd "$REPO_PATH"
-        git add "$FILE"
-        git commit -m "security: replace CORS wildcard with environment variable
-
-Replaced Access-Control-Allow-Origin: '*' with environment-based origin
-whitelist to prevent CORS misconfiguration vulnerability (CWE-942).
-
-Set ALLOWED_ORIGINS environment variable to configure permitted origins.
-
-Auto-fixed by: robot-repo-automaton
-Finding: $(jq -r '.id' "$FINDING_FILE")
-
-Co-Authored-By: Hypatia Scanner <hypatia@reposystem.dev>"
-    fi
-
     rm -f "${FILE}.bak"
     exit 0
 else

scripts/fix-missing-spdx.sh

@@ -13,8 +13,8 @@ echo "Fixing missing SPDX header in $REPO_PATH..."
 FILE_PATH=$(jq -r '.location.file' "$FINDING_FILE")
 FULL_PATH="$REPO_PATH/$FILE_PATH"
 
-# Default license (can be overridden by repo's LICENSE file)
-DEFAULT_LICENSE="AGPL-3.0-or-later"
+# Default license for hyperpolymath repos
+DEFAULT_LICENSE="PMPL-1.0-or-later"
 
 if [[ ! -f "$FULL_PATH" ]]; then
     echo "ERROR: File not found: $FULL_PATH"

scripts/fix-tmp-paths.sh

@@ -20,30 +20,67 @@ FIXED_COUNT=0
 
 # Find shell files with hardcoded /tmp/ paths
 while IFS= read -r -d '' file; do
-    if grep -q '/tmp/' "$file" 2>/dev/null; then
+    # Skip binary files
+    if file "$file" | grep -q "binary"; then
+        continue
+    fi
+
+    # Only match static /tmp/name patterns (not /tmp/$VAR or /tmp/${VAR})
+    if grep -qP '/tmp/[a-zA-Z][\w.-]+' "$file" 2>/dev/null; then
         rel_path="${file#$REPO_PATH/}"
 
-        # Count instances
-        count=$(grep -c '/tmp/' "$file" 2>/dev/null || echo 0)
+        # Skip files that already use mktemp properly
+        if grep -q 'mktemp' "$file" 2>/dev/null; then
+            echo "  SKIP $rel_path — already uses mktemp"
+            continue
+        fi
+
+        count=$(grep -cP '/tmp/[a-zA-Z][\w.-]+' "$file" 2>/dev/null || echo 0)
+
+        # Check if file already has our TMPDIR block (idempotent)
+        if grep -q 'HYPATIA_TMPDIR' "$file" 2>/dev/null; then
+            echo "  SKIP $rel_path — already patched"
+            continue
+        fi
 
-        # Replace simple /tmp/filename patterns with variable
-        # Only do safe replacements (not paths like /tmp/$DYNAMIC)
-        if grep -qP '/tmp/[a-zA-Z][\w.-]+' "$file" 2>/dev/null; then
-            # Check if file already uses mktemp
-            if grep -q 'mktemp' "$file" 2>/dev/null; then
-                echo "  SKIP $rel_path — already uses mktemp ($count /tmp/ refs)"
-                continue
-            fi
+        # Strategy: Add a mktemp block after set -e (or shebang) and replace /tmp/X with $HYPATIA_TMPDIR/X
+        # Step 1: Extract all static /tmp/filename patterns
+        tmp_names=$(grep -oP '/tmp/\K[a-zA-Z][\w.-]+' "$file" 2>/dev/null | sort -u)
 
-            echo "  FOUND $rel_path — $count hardcoded /tmp/ path(s)"
-            ((FIXED_COUNT++)) || true
+        if [[ -z "$tmp_names" ]]; then
+            continue
         fi
+
+        # Step 2: Insert mktemp block after the first 'set -' line or after shebang
+        MKTEMP_BLOCK='# Auto-generated temp dir (replaces hardcoded /tmp/)
+HYPATIA_TMPDIR="$(mktemp -d)"
+trap '\''rm -rf "$HYPATIA_TMPDIR"'\'' EXIT'
+
+        if grep -q '^set -' "$file"; then
+            # Insert after the 'set -' line
+            sed -i "/^set -/a\\
+\\
+${MKTEMP_BLOCK}" "$file" 2>/dev/null || true
+        else
+            # Insert after shebang
+            sed -i "1a\\
+\\
+${MKTEMP_BLOCK}" "$file" 2>/dev/null || true
+        fi
+
+        # Step 3: Replace /tmp/name with $HYPATIA_TMPDIR/name for each static name
+        while IFS= read -r name; do
+            sed -i "s|/tmp/${name}|\"\$HYPATIA_TMPDIR/${name}\"|g" "$file" 2>/dev/null || true
+        done <<< "$tmp_names"
+
+        echo "  FIXED $rel_path — replaced $count hardcoded /tmp/ path(s) with mktemp"
+        ((FIXED_COUNT++)) || true
     fi
 done < <(find "$REPO_PATH" -type f \( -name "*.sh" -o -name "*.bash" \) -not -path "*/\.git/*" -not -path "*/target/*" -print0 2>/dev/null)
 
 echo ""
 if [[ "$FIXED_COUNT" -gt 0 ]]; then
-    echo "Found $FIXED_COUNT file(s) with hardcoded /tmp/ paths (review recommended)"
+    echo "Fixed $FIXED_COUNT file(s) — hardcoded /tmp/ replaced with mktemp"
 else
     echo "No fixable /tmp/ patterns found"
 fi

scripts/fix-unpinned-actions.sh

@@ -9,38 +9,59 @@ FINDING_FILE="$2"
 
 echo "Fixing unpinned actions in $REPO_PATH..."
 
-# Common action SHA pins (updated 2025-12-15)
+# Common action SHA pins (updated 2026-02-04)
 declare -A ACTION_PINS=(
-    ["actions/checkout@v4"]="b4ffde65f46336ab88eb53be808477a3936bae11"
-    ["actions/upload-artifact@v4"]="65c79d7f54e76e4e3c7a8f34db0f4ac8b515c478"
-    ["github/codeql-action/init@v3"]="662472033e021d55d94146f66f6058822b0b39fd"
-    ["github/codeql-action/analyze@v3"]="662472033e021d55d94146f66f6058822b0b39fd"
-    ["github/codeql-action/upload-sarif@v3"]="662472033e021d55d94146f66f6058822b0b39fd"
+    ["actions/checkout@v4"]="34e114876b0b11c390a56381ad16ebd13914f8d5"
+    ["actions/checkout@v5"]="93cb6efe18208431cddfb8368fd83d5badbf9bfd"
+    ["github/codeql-action/init@v3"]="6624720a57d4c312633c7b953db2f2da5bcb4c3a"
+    ["github/codeql-action/analyze@v3"]="6624720a57d4c312633c7b953db2f2da5bcb4c3a"
+    ["github/codeql-action/upload-sarif@v3"]="6624720a57d4c312633c7b953db2f2da5bcb4c3a"
     ["ossf/scorecard-action@v2.4.0"]="62b2cac7ed8198b15735ed49ab1e5cf35480ba46"
-    ["trufflesecurity/trufflehog@v3"]="8a8ef8526528d8a4ff3e2c90be08e25ef8efbd9b"
-    ["editorconfig-checker/action-editorconfig-checker@main"]="9f8f6065f4db902c0c56cafa67cea18b3ebbb680"
+    ["trufflesecurity/trufflehog@main"]="7ee2e0fdffec27d19ccbb8fb3dcf8a83b9d7f9e8"
+    ["editorconfig-checker/action-editorconfig-checker@main"]="4054fa83a075fdf090bd098bdb1c09aaf64a4169"
+    ["dtolnay/rust-toolchain@stable"]="4be9e76fd7c4901c61fb841f559994984270fce7"
+    ["Swatinem/rust-cache@v2"]="779680da715d629ac1d338a641029a2f4372abb5"
+    ["codecov/codecov-action@v5"]="671740ac38dd9b0130fbe1cec585b89eea48d3de"
+    ["slsa-framework/slsa-github-generator@v2.1.0"]="f7dd8c54c2067bafc12ca7a55595d5ee9b75204a"
+    ["webfactory/ssh-agent@v0.9.0"]="dc588b651fe13675774614f8e6a936a468676387"
+    ["ocaml/setup-ocaml@v3"]="dec6499fef64fc5d7ed43d43a87251b7b1c306f5"
+    ["softprops/action-gh-release@v2"]="a06a81a03ee405af7f2048a818ed3f03bbf83c7b"
+    ["actions/configure-pages@v5"]="983d7736d9b0ae728b81ab479565c72886d7745b"
+    ["actions/jekyll-build-pages@v1"]="44a6e6beabd48582f863aeeb6cb2151cc1716697"
+    ["actions/upload-pages-artifact@v3"]="56afc609e74202658d3ffba0e8f6dda462b719fa"
+    ["actions/deploy-pages@v4"]="d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e"
+    ["ruby/setup-ruby@v1"]="09a7688d3b55cf0e976497ff046b70949eeaccfd"
+    ["actions/upload-artifact@v4"]="65c79d7f54e76e4e3c7a8f34db0f4ac8b515c478"
 )
 
-# Extract file path from finding
-WORKFLOW_FILE=$(jq -r '.location.file' "$FINDING_FILE")
-WORKFLOW_PATH="$REPO_PATH/$WORKFLOW_FILE"
+# Find all workflow files in repo
+FIXED_COUNT=0
+while IFS= read -r -d '' workflow; do
+    rel_path="${workflow#$REPO_PATH/}"
+    changed=false
 
-if [[ ! -f "$WORKFLOW_PATH" ]]; then
-    echo "ERROR: Workflow file not found: $WORKFLOW_PATH"
-    exit 1
-fi
+    for action_version in "${!ACTION_PINS[@]}"; do
+        SHA="${ACTION_PINS[$action_version]}"
+        ACTION_NAME="${action_version%@*}"
+        VERSION="${action_version#*@}"
 
-# Pin actions to SHA
-for action_version in "${!ACTION_PINS[@]}"; do
-    SHA="${ACTION_PINS[$action_version]}"
-    ACTION_NAME="${action_version%@*}"
-    VERSION="${action_version#*@}"
+        # Replace unpinned action with SHA-pinned version
+        # Match both "uses: action@version" and "uses: action@version # comment"
+        if grep -q "uses: ${action_version}" "$workflow" 2>/dev/null; then
+            sed -i "s|uses: ${action_version}|uses: ${ACTION_NAME}@${SHA} # ${VERSION}|g" "$workflow"
+            echo "  Pinned ${ACTION_NAME} (${VERSION}) in ${rel_path}"
+            changed=true
+        fi
+    done
 
-    # Replace unpinned action with SHA-pinned version
-    if grep -q "uses: ${action_version}" "$WORKFLOW_PATH"; then
-        sed -i "s|uses: ${action_version}|uses: ${ACTION_NAME}@${SHA} # ${VERSION}|g" "$WORKFLOW_PATH"
-        echo "  ✓ Pinned ${ACTION_NAME} to ${SHA}"
+    if [[ "$changed" == "true" ]]; then
+        ((FIXED_COUNT++)) || true
     fi
-done
+done < <(find "$REPO_PATH/.github/workflows" -type f \( -name "*.yml" -o -name "*.yaml" \) -print0 2>/dev/null)
 
-echo "✅ Unpinned actions fixed in $WORKFLOW_FILE"
+echo ""
+if [[ "$FIXED_COUNT" -gt 0 ]]; then
+    echo "Pinned actions in $FIXED_COUNT workflow(s)"
+else
+    echo "No unpinned actions found"
+fi