
[codex] Harden installer, docs, and release governance #16

Open

jbdevprimary wants to merge 7 commits into main from codex/production-hardening


@jbdevprimary (Contributor)

What changed

  • hardened the installer/runtime contract around modern Bash bootstrap, dry-run semantics, non-destructive managed-file sync, explicit-only Doppler integration, and reliable asdf activation
  • rebuilt the docs and release surface to match the implementation, including a docs-hosted installer, structured Sphinx docs, generated installer references, and a draft-first release pipeline with package-manager publication scripts
  • added repo-owned governance and supply-chain verification for branch protection, CodeQL, immutable-release cutover, Scorecard, secret-scanning posture, and release/publication wiring
  • expanded the test suite and local quality gates to cover installer behavior, runtime modules, docs drift, release packaging, workflow permissions, and GitHub governance checks

Why

The repo had multiple documented production guarantees that were either incomplete, untested, or not enforced by CI/GitHub settings. This change set closes those gaps and makes the repo-owned scripts the source of truth for release, docs, and governance posture.

Impact

  • make ci, make release-validate, and the docs/release verification paths are now the merge-equivalent quality gates
  • release publication now follows a draft-first flow compatible with immutable releases
  • post-merge GitHub cutovers are scripted instead of being left as undocumented manual toggles

Validation

  • make ci
  • make release-validate

@coderabbitai Bot commented Apr 16, 2026

Warning

Rate limit exceeded

@jbdevprimary has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes and 7 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 13 minutes and 7 seconds.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 43d4c6bf-8565-4c8a-b86f-07c68dc66b21

📥 Commits

Reviewing files that changed from the base of the PR and between 22eff2b and 7dc6807.

⛔ Files ignored due to path filters (1)
  • .DS_Store is excluded by !**/.DS_Store
📒 Files selected for processing (125)
  • .github/dependabot.yml
  • .github/workflows/automerge.yml
  • .github/workflows/cd.yml
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/release.yml
  • .github/workflows/scorecard.yml
  • .gitignore
  • AGENTS.md
  • CONTRIBUTING.md
  • Makefile
  • README.md
  • STANDARDS.md
  • TOOLS.md
  • bash_profile
  • bashrc
  • bashrc.d/10-helpers.sh
  • bashrc.d/20-path.sh
  • bashrc.d/30-buildflags.sh
  • bashrc.d/40-completions.sh
  • bashrc.d/50-tool-init.sh
  • bashrc.d/60-asdf.sh
  • bashrc.d/65-tools.sh
  • bashrc.d/70-bash-it.sh
  • bashrc.d/70-env.sh
  • bashrc.d/95-ssh-agent.sh
  • bashrc.d/99-secrets.sh
  • bin/README.md
  • bin/gen_tool_versions
  • bin/ram_usage
  • bin/ram_usage_lib.py
  • bin/ram_usage_report.py
  • docs/CONFIG.md
  • docs/DESIGN.md
  • docs/INSTALLER.md
  • docs/INSTALLERS.md
  • docs/INSTALLERS_HELPERS.md
  • docs/MODULES.md
  • docs/README.md
  • docs/SHDOC.md
  • docs/STATE.md
  • docs/TESTING.md
  • docs/api/index.md
  • docs/conf.py
  • docs/getting-started/downloads.md
  • docs/getting-started/index.md
  • docs/getting-started/install-and-verify.md
  • docs/index.md
  • docs/public/install.sh
  • docs/reference/architecture.md
  • docs/reference/index.md
  • docs/reference/release-checklist.md
  • docs/reference/release-verification.md
  • docs/reference/security.md
  • docs/reference/supply-chain.md
  • docs/reference/testing.md
  • install.bash
  • install.sh
  • installers/README.md
  • installers/_helpers.sh
  • installers/bootstrap_sources.sh
  • installers/lib/asdf.sh
  • installers/lib/core.sh
  • installers/lib/installers.sh
  • installers/lib/languages.sh
  • installers/lib/packages.sh
  • installers/lib/system.sh
  • installers/lib/tool_runner.sh
  • installers/sources.sh
  • installers/tools.sh
  • installlib/config.sh
  • installlib/filesystem.sh
  • installlib/installers.sh
  • installlib/managed_files.sh
  • installlib/resolve.sh
  • installlib/runtime_files.sh
  • installlib/ui.sh
  • release-please-config.json
  • scripts/build_release_artifact.sh
  • scripts/ci-setup.sh
  • scripts/gen-docs.sh
  • scripts/generate_pkg_manifests.sh
  • scripts/lib/immutable_release_flow.sh
  • scripts/lib/supply_chain_common.sh
  • scripts/package.sh
  • scripts/pre-commit-ci.sh
  • scripts/publish_draft_release.sh
  • scripts/publish_pkg_pr.sh
  • scripts/reconcile_codeql_governance.sh
  • scripts/reconcile_immutable_release_governance.sh
  • scripts/release_validate.sh
  • scripts/smoke_test_release_artifact.sh
  • scripts/supply_chain_verify.sh
  • scripts/test-setup.sh
  • scripts/validate-docs.sh
  • scripts/verify-install.sh
  • scripts/verify_branch_protection.sh
  • scripts/verify_immutable_release_governance.sh
  • scripts/verify_published_release.sh
  • scripts/wsl-quality.sh
  • tests/asdf_pins.bats
  • tests/bootstrap.bats
  • tests/branch_protection.bats
  • tests/brew_runtime.bats
  • tests/codeql_contract.bats
  • tests/codeql_governance.bats
  • tests/config_output.bats
  • tests/docs_contract.bats
  • tests/dry_run.bats
  • tests/git_sources.bats
  • tests/immutable_release_governance.bats
  • tests/install.bats
  • tests/interactive_features.bats
  • tests/link_dotfiles.bats
  • tests/managed_assets.bats
  • tests/migration.bats
  • tests/optional_deps.bats
  • tests/registry_idempotent.bats
  • tests/release_pipeline.bats
  • tests/runtime_modules.bats
  • tests/supply_chain_verify.bats
  • tests/test_helper.bash
  • tests/test_setup.bats
  • tests/workflow_permissions.bats
  • tox.ini

@amazon-q-developer Bot left a comment

Summary

This PR introduces comprehensive hardening improvements for installer security, documentation, and release governance. The changes demonstrate strong security practices with SHA-pinned GitHub Actions, least-privilege permissions, and robust supply chain verification.

Critical Security Issues

I've identified 7 critical security vulnerabilities that must be addressed before merge:

  1. Missing integrity verification for bootstrap downloads (install.sh): Both the Homebrew installer and repository archive are downloaded and executed without checksum validation, creating supply chain attack vectors
  2. Command injection risks (install.sh): Unquoted variable expansion in candidate path loops allows shell metacharacter injection
  3. Race condition in backup file naming (installlib/managed_files.sh): Concurrent installations with identical timestamps can overwrite backups
  4. Unrestricted script execution (bashrc.d/99-secrets.sh): Loading secrets without permission validation allows execution of world-writable malicious scripts
  5. Hard-coded repository names (scripts/supply_chain_verify.sh): Security checks won't work correctly in forks

Required Actions

All flagged security vulnerabilities must be fixed before this PR can be merged. Each issue includes a code suggestion that can be applied directly from the PR review interface.

⚠️ This PR contains more than 30 files. Amazon Q is better at reviewing smaller PRs, and may miss issues in larger changesets.

Comment threads: install.sh (4 threads), installlib/managed_files.sh, bashrc.d/99-secrets.sh (outdated), scripts/supply_chain_verify.sh
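As an added illustration of three of the issues the Amazon Q review lists above (executing downloads without a checksum, timestamp-only backup names, and sourcing a secrets file without checking who can write to it), here is defensive shell for each. This is example code written for this page, not code from the get-bashed repository or from any of its scripts; the function names (`verify_sha256`, `safe_backup`, `secrets_file_is_safe`, `load_secrets`) are this example's own, and every file it touches is constructed under a temporary directory.

```shell
#!/usr/bin/env bash
# Added example, not the repository's code. Function names and file layout
# are assumptions made for this illustration; nothing here downloads anything.

# --- 1. Integrity verification for a fetched file -----------------------------
# Print the SHA-256 of a file with whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    echo "no sha256 tool available" >&2
    return 1
  fi
}

# Succeed only if the file's digest equals the pinned value. Run this on a
# downloaded archive or installer script before unpacking or executing it.
verify_sha256() {
  local file="$1" expected actual
  expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  actual=$(sha256_of "$file") || return 1
  if [ "$actual" != "$expected" ]; then
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
      "$file" "$expected" "$actual" >&2
    return 1
  fi
}

# --- 2. Collision-free backup names -------------------------------------------
# A timestamp alone collides when two runs start in the same second. mktemp
# creates the name atomically, so concurrent runs never share a backup path.
# Prints the backup path on success.
safe_backup() {
  local src="$1" stamp backup
  [ -f "$src" ] || return 1
  stamp=$(date +%Y%m%d%H%M%S)
  backup=$(mktemp "${src}.${stamp}.XXXXXX") || return 1
  cp -p "$src" "$backup" || return 1
  printf '%s\n' "$backup"
}

# --- 3. Permission check before sourcing a secrets file -----------------------
# Accept only a regular, non-symlink file owned by the current user whose
# group/other bits are all clear (0600 or stricter). Sourcing anything looser
# would execute whatever another local user could write into it.
secrets_file_is_safe() {
  local f="$1" mode
  [ -f "$f" ] || return 1
  [ -L "$f" ] && return 1
  [ -O "$f" ] || return 1
  # GNU stat first, then BSD/macOS stat; both print the permission bits in octal.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
  [ $(( 0$mode & 077 )) -eq 0 ]
}

load_secrets() {
  if ! secrets_file_is_safe "$1"; then
    printf 'refusing to source %s: must be a regular file owned by you with mode 0600 or stricter\n' \
      "$1" >&2
    return 1
  fi
  # shellcheck disable=SC1090
  . "$1"
}

# Optional self-demonstration on constructed files: run as `./example.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  printf 'abc' > "$demo/payload"
  verify_sha256 "$demo/payload" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
    && echo "payload checksum OK"
  echo "backup created at: $(safe_backup "$demo/payload")"
  printf 'DEMO_SECRET=ok\n' > "$demo/secrets" && chmod 644 "$demo/secrets"
  load_secrets "$demo/secrets" || echo "(rejected as expected; chmod 600 it to allow sourcing)"
  rm -rf "$demo"
fi
```

The checksum function lowercases the pinned value so that a digest copied from a release page in upper case still compares equal; the secrets check deliberately masks with 077 rather than 022, because for a secrets file readability by other users is as much a problem as writability.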
@gemini-code-assist Bot left a comment

Code Review

This pull request implements a comprehensive hardening of the get-bashed environment, refactoring the installer into modular libraries, establishing a draft-first release pipeline with automated package manifests, and introducing a suite of supply-chain verification scripts. The runtime is enhanced with better idempotency and pinned dependencies, supported by a restructured Sphinx documentation site. Feedback focuses on improving the robustness and security of the new scripts, specifically by ensuring the supply-chain verifier handles empty action lists, preventing credential leakage in clone URLs, maintaining portability by avoiding ripgrep, and refining the interactive UI logic to preserve configuration defaults during automated installs.

Comment threads: scripts/supply_chain_verify.sh (2 threads, one outdated), scripts/publish_pkg_pr.sh (outdated), installlib/ui.sh, scripts/generate_pkg_manifests.sh (outdated)
@jbdevprimary jbdevprimary marked this pull request as ready for review April 16, 2026 21:40
Copilot AI review requested due to automatic review settings April 16, 2026 21:40
Copilot AI left a comment

Pull request overview

This PR hardens the repo’s installer/runtime contract and aligns the documentation, release pipeline, and GitHub governance checks so the repo-owned scripts become the enforceable source of truth.

Changes:

  • Adds a draft-first release pipeline (artifact build/validation, attestations, publish, published-surface verification, and package-manager PR automation).
  • Expands CI + BATS coverage for installer behavior, tool pinning, WSL quality runs, docs drift, and GitHub governance posture checks.
  • Reworks docs into a Sphinx/MyST structure and introduces a docs-hosted /install.sh that installs from verified release bundles.

Reviewed changes

Copilot reviewed 119 out of 126 changed files in this pull request and generated 1 comment.

Summary per file (file, then description):
tox.ini Adds tox v4 requirements + linkcheck env.
tests/workflow_permissions.bats Enforces workflow permissions lockdown patterns.
tests/test_setup.bats Tests helper repo pin realignment + lock behavior.
tests/test_helper.bash Bootstraps BATS libs + adds modern bash detection helpers.
tests/registry_idempotent.bats Uses repo installer entrypoint directly.
tests/optional_deps.bats Updates installer invocation and asserts dry-run deps.
tests/migration.bats Adds legacy module collision migration coverage.
tests/managed_assets.bats Tests managed-file refresh + preservation semantics.
tests/link_dotfiles.bats Updates installer invocation for dotfile linking flows.
tests/install.bats Adds CSV install list + actionlint checksum tests.
tests/immutable_release_governance.bats Tests immutable release governance scripts via gh stubs.
tests/git_sources.bats Tests git-backed tool/asdf realignment to pinned refs.
tests/dry_run.bats Adds dry-run “zero write” behavior coverage.
tests/config_output.bats Updates installer invocation and config output checks.
tests/codeql_governance.bats Tests CodeQL cutover reconciliation behavior via gh stubs.
tests/codeql_contract.bats Verifies repo-owned CodeQL workflow + doc references.
tests/branch_protection.bats Tests branch protection verification logic via gh stubs.
tests/asdf_pins.bats Validates asdf + pip/pipx pin enforcement behaviors.
scripts/wsl-quality.sh Adds WSL-focused quality runner wrapper.
scripts/verify_published_release.sh Verifies published release assets, checksums, attestations, smoke.
scripts/verify_immutable_release_governance.sh Verifies immutable releases enabled after rollout.
scripts/verify_branch_protection.sh Verifies required checks/review/branch-safety flags.
scripts/verify-install.sh Sets GET_BASHED_HOME explicitly for smoke install wiring.
scripts/validate-docs.sh Enforces required docs/release surface files + key strings.
scripts/test-setup.sh Adds lock + pinned-sha realignment for BATS helper libs.
scripts/smoke_test_release_artifact.sh Smoke-tests unix/windows release bundles.
scripts/reconcile_immutable_release_governance.sh Enables immutable releases after branch readiness.
scripts/reconcile_codeql_governance.sh Retires default CodeQL + patches required checks.
scripts/publish_pkg_pr.sh Automates PR creation/merge into jbcom/pkgs manifests.
scripts/publish_draft_release.sh Uploads assets to draft + optionally publishes.
scripts/pre-commit-ci.sh CI-friendly tool bootstrap + docs generation integration.
scripts/package.sh Wrapper delegating to new release artifact builder.
scripts/lib/supply_chain_common.sh Adds shared helpers for supply-chain verification scripts.
scripts/lib/immutable_release_flow.sh Shared “draft-first flow ready?” logic for immutable releases.
scripts/generate_pkg_manifests.sh Generates Homebrew/Scoop/Chocolatey manifests from checksums.
scripts/gen-docs.sh Rebuilds doc generation (shdoc + registry catalog).
scripts/ci-setup.sh Stabilizes CI prefix/PATH + brew discovery + GitHub env persistence.
scripts/build_release_artifact.sh Builds validated unix/windows archives + checksums.
release-please-config.json Enables draft releases + force tag creation.
installlib/ui.sh Adds dialog/prompt flows and interactive selection logic.
installlib/runtime_files.sh Adds config writing, migration, pins, and startup wiring.
installlib/managed_files.sh Adds manifest-backed managed asset sync + safe migration helpers.
installlib/installers.sh Adds dependency resolution + dry-run installer execution.
installlib/filesystem.sh Sources managed/runtime file helpers.
installlib/config.sh Adds CLI parsing, defaults, and interactive-mode prep.
installers/tools.sh Adds target dir support + new tools + pinned sources integration.
installers/sources.sh Centralizes pinned git/curl sources, refs, runtime defaults, checksums.
installers/lib/tool_runner.sh Implements install routing across package managers/git/curl/asdf.
installers/lib/system.sh Adds system detection, git pin checks, sha256 helper.
installers/lib/packages.sh Adds package manager wrappers + pinned pip/pipx install helpers.
installers/lib/languages.sh Adds pinned asdf runtime installers + fallbacks.
installers/lib/installers.sh Adds handlers for shdoc/vimrc/actionlint + GNU tools.
installers/lib/core.sh Wires core installer libraries together.
installers/lib/asdf.sh Pins asdf plugins to configured refs and defaults.
installers/bootstrap_sources.sh Pins bootstrap download URLs + SHA256s.
installers/README.md Documents new registry + sources/lib structure.
docs/reference/testing.md Documents updated quality gates and CI matrix.
docs/reference/supply-chain.md Documents pinning, governance checks, and cutover scripts.
docs/reference/security.md Documents security posture + verification entrypoints.
docs/reference/release-verification.md Documents release validation and published-release verification.
docs/reference/release-checklist.md Adds pre/post release checklist with governance cutovers.
docs/reference/index.md Adds structured reference section toctree.
docs/reference/architecture.md Documents dual install surfaces + release bundles.
docs/public/install.sh Adds docs-site installer that downloads + verifies release bundle.
docs/index.md Rebuilds docs landing page for new structure and release surface.
docs/getting-started/install-and-verify.md Adds install/verify guidance for docs installer + bundles.
docs/getting-started/index.md Adds getting-started toctree and install surface explanation.
docs/getting-started/downloads.md Documents assets + package manager channels.
docs/conf.py Adds release/version derivation, pages support, linkcheck settings.
docs/api/index.md Adds API toctree for generated shell docs.
docs/STATE.md Updates project state to hardening/release posture.
docs/SHDOC.md Updates shdoc install/generation guidance.
docs/README.md Documents docs pipeline commands + CI integration.
docs/MODULES.md Replaces generated module docs with curated behavioral table.
docs/INSTALLERS_HELPERS.md Updates generated helper docs content/structure.
docs/INSTALLERS.md Switches to generated tool registry catalog output.
docs/INSTALLER.md Removes outdated breaking-change blurb from generated page.
docs/DESIGN.md Updates installer goals (pinned archive + brew bootstrap).
docs/CONFIG.md Updates runtime config keys, profiles, and branch protection contract.
bin/ram_usage_report.py Adds RAM report formatting helpers (new utility).
bin/ram_usage_lib.py Adds RAM data collection + reporting entrypoint (new utility).
bin/gen_tool_versions Reworks to print manifest-ready asdf runtime pins.
bin/README.md Updates helper descriptions for gen_tool_versions.
bashrc.d/99-secrets.sh Enforces owner-only permissions before sourcing secrets.
bashrc.d/95-ssh-agent.sh Hardens agent setup + adds test override and idempotence guard.
bashrc.d/70-env.sh Removes duplicate shebang line.
bashrc.d/70-bash-it.sh Prevents double-loading bash-it in a shell session.
bashrc.d/65-tools.sh Adds pinned npm package specs + idempotent install checks.
bashrc.d/60-asdf.sh Improves activation logic for git + brew installs.
bashrc.d/50-tool-init.sh Makes cargo/starship/direnv init idempotent per session.
bashrc.d/40-completions.sh Uses brew prefix helper + idempotent completion init.
bashrc.d/30-buildflags.sh Uses brew prefix helper + safer env var concatenation.
bashrc.d/20-path.sh Adds asdf bin path + uses brew prefix helper for GNU paths.
bashrc.d/10-helpers.sh Adds brew bin/prefix helper functions.
bashrc Adds explicit bash header + shellcheck disables.
bash_profile Uses brew shellenv via robust brew-bin discovery.
TOOLS.md Aligns tool docs with pins, registry behavior, and release surface.
STANDARDS.md Updates standards to reflect new CI/gates and pin storage location.
Makefile Adds ci, docs validation, security/governance, and release targets.
CONTRIBUTING.md Points contributors to make test / make docs entrypoints.
.gitignore Ignores .DS_Store and dist/.
.github/workflows/scorecard.yml Adds pinned, least-privilege Scorecard workflow.
.github/workflows/release.yml Replaces published-trigger flow with dispatchable draft-first pipeline.
.github/workflows/codeql.yml Adds repo-owned CodeQL workflow with pinned actions.
.github/workflows/ci.yml Expands to matrix quality + WSL run + supply-chain verification.
.github/workflows/automerge.yml Locks down top-level perms and scopes writes per-job.
.github/dependabot.yml Adds schedule metadata + grouping + labels + commit prefix.


Comment thread scripts/gen-docs.sh
Comment on lines 45 to +52
ensure_eof() {
local file="$1"
python3 - "$file" <<'PY'
import sys
from pathlib import Path
path = Path(sys.argv[1])
data = path.read_bytes()
if not data.endswith(b"\n"):
path.write_bytes(data + b"\n")
PY
local last_char

[[ -s "$file" ]] || return 0
last_char="$(tail -c 1 "$file" 2>/dev/null || true)"
[[ -n "$last_char" ]] && printf '\n' >> "$file"
return 0
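Review bot: the replacement shell logic (the `last_char` lines) is correct only because `$(...)` strips a trailing newline from the output of `tail -c 1`, which is exactly the condition being tested; that reads like a bug at first glance, so add a one-line comment saying so. Two behaviours differ from the python3 heredoc being removed and should be confirmed as intended: `[[ -s "$file" ]] || return 0` now leaves an empty file empty, whereas `data.endswith(b"\n")` on empty data appended a newline; and `2>/dev/null || true` turns a `tail` failure (unreadable file) into "already terminated" with exit 0, so the error is swallowed silently. Consider letting `tail` fail the function, e.g. `last_char="$(tail -c 1 "$file")" || return 1`, and note that a file whose final byte is NUL is also treated as terminated because the substitution cannot hold NUL.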

2 participants