Owner allowlist + two-tier menu + clear vite/esbuild Dependabot alerts#2
Merged
hyperpolymath merged 2 commits into main on Apr 16, 2026
Adds an ownership safety guard so scripts NEVER touch repositories outside
a configured allowlist of owners (defaults to ["hyperpolymath"]; edit
config/owners.config or set GIT_SCRIPTS_ALLOWED_OWNERS to add personal /
family / additional org accounts). The guard is enforced in two parallel
implementations that share the same config:
- scripts/lib/ownership_guard.sh — sourced by every shell script that
targets a single org or pushes to remotes; provides
owner_allowed/repo_allowed/assert_owner_allowed and a host-agnostic
owner extractor (works for GitHub, GitLab, Bitbucket, Gitea,
self-hosted, SSH-style, etc.).
- lib/script_manager/ownership_guard.ex — the Elixir equivalent;
exposes allowed_owners/0, owner_allowed?/1, repo_allowed?/1,
filter_allowed/1, filter_allowed_verbose/1 and assert_owner_allowed!/1.
Wired into all the scripts/modules that can mutate or affect repos:
shell: branch-protection-apply, wiki-audit, project-tabs-audit,
audit_script (per-repo filter + uses derived owner for the
Dependabot URL), update_repos (per-repo filter before push),
standardize_readmes & md_to_adoc_converter (per-repo filter).
elixir: PRProcessor.process_all/add_standard_comment (asserts org),
GitSyncer.run (filters discovered repos before push),
EstateDeployer.deploy_by_paths (filters before writing files),
DependencyFixer.fix_lithoglyph/fix_rgtv (refuses to patch when
enclosing repo is foreign-owned),
RepoCleanup (warns the external cleanup scripts are NOT bound
by the allowlist).
Also rewrites the TUI menu as two tiers with clearer item names:
[A] Audits & Reports — wiki, project metadata, contractiles,
secrets/Dependabot, health dashboard,
local-vs-remote sync verification
[B] Repository Maintenance — update repos, global git sync,
standardise READMEs, MD→AsciiDoc,
clean unicode, cleanup ops, dep fixes
[C] GitHub Operations — branch protection rulesets, mass PR
processor, gh CLI helper
[D] Estate-Wide Deployment — deploy estate standards, link
toolchains, find media repos
[E] External Tools — launch NQC, launch Invariant Path
[F] Coming Soon — dependency updater, release manager
The startup banner shows the active owner allowlist and the help and
system-status screens both surface it so it's obvious at a glance.
Note: rebuild the escript with `mix escript.build` to pick up the
Elixir-side changes; the bash-side guard is active immediately.
https://claude.ai/code/session_014ME3ph3UecQQAPQDKY2HPf
Resolves the two moderate-severity advisories Dependabot reports against the
ui/ project on the default branch:
- GHSA-67mh-4wv8-2f99 (esbuild dev server CORS, CWE-346, CVSS 5.3) — transitive
  via vite 5.x's pinned esbuild 0.21.5.
- GHSA-4w7w-66w2-5vf9 (Vite path traversal in optimized deps `.map` handling,
  CWE-22/CWE-200) — affects vite ≤ 6.4.1.
Both share the same fix path (vite ≥ 8.0.8). Vite 8 also drops esbuild in
favour of rolldown, so the esbuild advisory is structurally gone rather than
just patched.
Verified locally: `npm install` clean, `npx vite --version` reports 8.0.8,
`npm audit` reports 0 vulnerabilities, and vite.config.mjs (defineConfig with
resolve.preserveSymlinks + server.proxy /api → 4077) parses unchanged under
the new version. Node engine requirement (^20.19.0 || >=22.12.0) is satisfied
by the existing toolchain.
https://claude.ai/code/session_014ME3ph3UecQQAPQDKY2HPf
Summary
- Owner allowlist: scripts never touch repositories outside the configured owners (defaults to hyperpolymath; edit config/owners.config or set GIT_SCRIPTS_ALLOWED_OWNERS to add personal / family / additional org accounts). Implemented in parallel for bash (scripts/lib/ownership_guard.sh) and Elixir (lib/script_manager/ownership_guard.ex) sharing the same config.
- Two-tier menu: tiers [A]–[F] (Audits & Reports, Repository Maintenance, GitHub Operations, Estate-Wide Deployment, External Tools, Coming Soon) each open a sub-menu of numbered items. Names rewritten to describe what each item actually does (e.g. Use GH CLI → GitHub CLI Helper, Verify → Verify Local-vs-Remote Sync, Audit Scripts → Security Audit (Secrets & Dependabot)).
- ui/ vite 5.4 → 8.0.8: clears GHSA-67mh-4wv8-2f99 (esbuild dev server CORS) and GHSA-4w7w-66w2-5vf9 (Vite path traversal in optimized deps .map handling). Vite 8 also drops esbuild for rolldown, so the esbuild advisory is structurally gone.

Where the guard is enforced
- branch-protection-apply.sh, wiki-audit.sh, project-tabs-audit.sh: assert_owner_allowed at script start; refuse to run against a non-allowlisted org.
- audit_script.sh: per-repo filter; the Dependabot URL uses the derived owner instead of always hyperpolymath.
- update_repos.sh: per-repo filter before push.
- standardize_readmes.sh, md_to_adoc_converter.sh: per-repo filter.
- ScriptManager.PRProcessor: assert_owner_allowed! on the org argument.
- ScriptManager.GitSyncer: filter_allowed_verbose/1 on discovered repos before pushing.
- ScriptManager.EstateDeployer: filter_allowed_verbose/1 before deploying contractiles / K9-SVC / accessibility / VPAT / pre-commit.
- ScriptManager.DependencyFixer: refuses to patch lithoglyph/RGTV source if the enclosing repo's owner is foreign.
- ScriptManager.RepoCleanup: warns that the external /var/mnt/eclipse/cleanup_scripts/* are NOT bound by the allowlist.

Owner extractor — host-agnostic
Works for GitHub, GitLab, Bitbucket, Gitea, codeberg, self-hosted servers, SSH-style URLs (git@host:owner/repo), HTTP(S) URLs (with creds, ports, and arbitrary path prefixes). Verified end-to-end with 6 unit tests + 6 URL-format tests.

One follow-up step on your side
Run mix escript.build in the repo root to rebuild script_manager so the Elixir-side guard and the new menu are live. The bash-side guard is active immediately for any shell script that runs.

Test plan
- bash -n syntax check on every modified shell script + ownership_guard.sh + owners.config: all clean.
- owner_allowed/assert_owner_allowed (allow / case-insensitive / disallow / empty / env-var override / exit code 78 on rejection): all pass.
- Owner-extractor URL formats: https://github.com/..., git@github.com:..., https://gitlab.com/..., ssh://git@codeberg.org/..., local-proxy URL, non-git path: all pass.
- npm install + npx vite --version (reports 8.0.8) + npm audit (0 vulnerabilities) + vite.config.mjs parses unchanged.
- mix escript.build to rebuild script_manager so the Elixir side picks up OwnershipGuard and the new TUI.
- [h]/[s] show the active allowlist.
- Run Update Repos ([B] → [1]) and confirm any non-allowlisted repos in repos.config are reported as skipped.
https://claude.ai/code/session_014ME3ph3UecQQAPQDKY2HPf
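The host-agnostic owner extractor and allowlist check described above, and the URL formats the test plan exercises, sketched as an added example in shell; this is not the project's scripts/lib/ownership_guard.sh, only the function names, the default owner, the GIT_SCRIPTS_ALLOWED_OWNERS override and exit code 78 are taken from the PR, and the parsing logic is my own.

```shell
#!/usr/bin/env bash
# Added example, not the project's scripts/lib/ownership_guard.sh: a minimal
# host-agnostic owner extractor plus allowlist check in the shape the PR
# describes. Function names follow the PR; the parsing logic is illustrative.
set -eu

# GIT_SCRIPTS_ALLOWED_OWNERS (comma/space separated) overrides the default
# single owner. Reading config/owners.config is omitted in this example.
allowed_owners() {
  printf '%s\n' "${GIT_SCRIPTS_ALLOWED_OWNERS:-hyperpolymath}" | tr ',' ' '
}

# Print the owner of a remote URL: scp-style git@host:owner/repo, ssh:// or
# http(s):// with optional user:pass@, :port and path prefixes. The owner is
# the path segment before the repo; exit 1 for anything not a remote URL.
extract_owner() {
  case "$1" in
    *://*) path="${1#*://}"; path="${path#*/}" ;;    # drop scheme, [user@]host[:port]
    *:*)   path="${1#*:}" ;;                         # scp-style: drop user@host:
    *)     return 1 ;;                               # local path: never an owner
  esac
  path="${path%/}"; path="${path%.git}"              # trailing slash, .git suffix
  case "$path" in
    */*) owner="${path%/*}"; owner="${owner##*/}" ;; # second-to-last segment
    *)   return 1 ;;                                 # need at least owner/repo
  esac
  [ -n "$owner" ] && printf '%s\n' "$owner"
}

# Case-insensitive membership test; word-splitting the allowlist is intended.
owner_allowed() {
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  for o in $(allowed_owners); do
    [ "$(printf '%s' "$o" | tr '[:upper:]' '[:lower:]')" = "$want" ] && return 0
  done
  return 1
}

repo_allowed() {
  owner=$(extract_owner "$1") || return 1            # non-URL input is never allowed
  owner_allowed "$owner"
}

# Exit 78 (EX_CONFIG) on rejection, the code the PR's tests check, so callers
# can tell an allowlist refusal from other failures.
assert_owner_allowed() {
  owner_allowed "$1" && return 0
  printf 'refusing: owner "%s" not in allowlist [%s]\n' "$1" "$(allowed_owners)" >&2
  exit 78
}
```

Nested GitLab groups resolve to the innermost group, so an allowlist keyed on top-level owners needs that group listed explicitly.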