fix: 7 high-severity bugs + repo path overrides for monorepo dispatch

Corrective fixes:
- fix-missing-spdx.sh: preserve shebang before SPDX header insertion
- fix-sast-workflow.sh: use double quotes in YAML flow sequences
- fix-believe-me.sh: check preceding line before inserting PROOF_TODO
- fix-sorry-lean.sh: same idempotency fix for Lean sorry
- fix-unsafe-type-coercion.sh: same idempotency fix for SAFETY comments
- fix-unsafe-ffi.sh: remove trap overwrite in loop
- Delete fix-missing-permissions.sh (duplicate of fix-workflow-permissions.sh)

Dispatch improvements:
- repo-path-overrides.json: 96 monorepo subdirectory mappings
- dispatch-runner.sh: resolve repos via overrides when not found at top level

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Jonathan D.A. Jewell

scripts/dispatch-runner.sh

@@ -192,6 +192,18 @@ execute_entry() {
             return
         fi
         repo_path="$REPOS_BASE/$repo"
+
+        # If repo not found, check path overrides (monorepo subdirectories)
+        if [[ ! -d "$repo_path" ]]; then
+            local overrides="$FLEET_SCRIPTS/repo-path-overrides.json"
+            if [[ -f "$overrides" ]]; then
+                local override
+                override=$(jq -r --arg r "$repo" '.[$r] // empty' "$overrides" 2>/dev/null || true)
+                if [[ -n "$override" && -d "$override" ]]; then
+                    repo_path="$override"
+                fi
+            fi
+        fi
     fi
 
     # Double-check path stays within REPOS_BASE

scripts/fix-believe-me.sh

@@ -27,8 +27,12 @@ while IFS= read -r -d '' file; do
         echo "  FOUND $rel_path — $count believe_me call(s)"
 
         # Add TODO comments above believe_me calls (only on non-comment lines)
-        # Use a unique marker so re-runs are idempotent
-        sed -i '/^\s*--/!{/believe_me/{/PROOF_TODO/!s/\(.*believe_me\)/-- PROOF_TODO: Replace believe_me with actual proof\n\1/}}' "$file" 2>/dev/null || true
+        # Skip if PROOF_TODO already exists on the preceding line (prevents duplicates on re-run)
+        if grep -B1 'believe_me' "$file" 2>/dev/null | grep -q 'PROOF_TODO'; then
+            echo "    (PROOF_TODO comments already present — skipping)"
+        else
+            sed -i '/^\s*--/!{/believe_me/{/PROOF_TODO/!s/\(.*believe_me\)/-- PROOF_TODO: Replace believe_me with actual proof\n\1/}}' "$file" 2>/dev/null || true
+        fi
 
         ((FIXED_COUNT++)) || true
     fi

scripts/fix-missing-permissions.sh

@@ -50,11 +50,16 @@ fi
 # Create temp file with SPDX header
 TEMP_FILE=$(mktemp)
 
-# Write SPDX header
-echo "${COMMENT_PREFIX} SPDX-License-Identifier: ${DEFAULT_LICENSE}" > "$TEMP_FILE"
-
-# Append original file content
-cat "$FULL_PATH" >> "$TEMP_FILE"
+# Check if line 1 is a shebang — if so, preserve it before the SPDX header
+FIRST_LINE=$(head -1 "$FULL_PATH")
+if [[ "$FIRST_LINE" == "#!"* ]]; then
+    echo "$FIRST_LINE" > "$TEMP_FILE"
+    echo "${COMMENT_PREFIX} SPDX-License-Identifier: ${DEFAULT_LICENSE}" >> "$TEMP_FILE"
+    tail -n +2 "$FULL_PATH" >> "$TEMP_FILE"
+else
+    echo "${COMMENT_PREFIX} SPDX-License-Identifier: ${DEFAULT_LICENSE}" > "$TEMP_FILE"
+    cat "$FULL_PATH" >> "$TEMP_FILE"
+fi
 
 # Replace original file
 mv "$TEMP_FILE" "$FULL_PATH"

scripts/fix-missing-spdx.sh

@@ -64,7 +64,7 @@ for i in "${!LANGUAGES[@]}"; do
   if [[ $i -gt 0 ]]; then
     LANG_MATRIX+=", "
   fi
-  LANG_MATRIX+="'${LANGUAGES[$i]}'"
+  LANG_MATRIX+="\"${LANGUAGES[$i]}\""
 done
 LANG_MATRIX+="]"
 

scripts/fix-sast-workflow.sh

@@ -35,9 +35,12 @@ while IFS= read -r -d '' file; do
         echo "  FOUND $rel_path — $count sorry occurrence(s)"
 
         # Add PROOF_TODO comment above sorry lines (only on non-comment lines)
-        # Idempotent: skip if PROOF_TODO already present on the line or preceding line
-        # Uses sed to insert a comment line before any line containing sorry as a word
-        sed -i '/^\s*--/!{/\bsorry\b/{/PROOF_TODO/!s/\(.*\bsorry\b\)/-- PROOF_TODO: Replace sorry with actual proof\n\1/}}' "$file" 2>/dev/null || true
+        # Skip if PROOF_TODO already exists on a preceding line (prevents duplicates on re-run)
+        if grep -B1 '\bsorry\b' "$file" 2>/dev/null | grep -q 'PROOF_TODO'; then
+            echo "    (PROOF_TODO comments already present — skipping)"
+        else
+            sed -i '/^\s*--/!{/\bsorry\b/{/PROOF_TODO/!s/\(.*\bsorry\b\)/-- PROOF_TODO: Replace sorry with actual proof\n\1/}}' "$file" 2>/dev/null || true
+        fi
 
         ((FIXED_COUNT++)) || true
         SORRY_TOTAL=$((SORRY_TOTAL + count))

scripts/fix-sorry-lean.sh

@@ -30,7 +30,6 @@ while IFS= read -r -d '' file; do
 
     # Process the file line-by-line using a temp file for output
     tmpfile="$(mktemp)"
-    trap "rm -f '$tmpfile'" EXIT
 
     prev_line=""
     line_num=0
@@ -66,7 +65,6 @@ while IFS= read -r -d '' file; do
     fi
 
     rm -f "$tmpfile"
-    trap - EXIT
 
 done < <(find "$REPO_PATH" -type f -name "*.rs" \
     -not -path "*/\.git/*" \

scripts/fix-unsafe-ffi.sh

@@ -31,8 +31,12 @@ while IFS= read -r -d '' file; do
         count=$(grep -v '^\s*--' "$file" 2>/dev/null | grep -c 'unsafeCoerce' || echo 0)
         echo "  FOUND [Haskell] $rel_path — $count unsafeCoerce call(s)"
 
-        # Idempotent: only add comment if SAFETY marker not already present on that line group
-        sed -i '/^\s*--/!{/unsafeCoerce/{/SAFETY.*unsafeCoerce/!s/\(.*unsafeCoerce\)/-- SAFETY: unsafeCoerce bypasses type checker — replace with safe cast\n\1/}}' "$file" 2>/dev/null || true
+        # Idempotent: skip if SAFETY comment already exists on preceding line
+        if grep -B1 'unsafeCoerce' "$file" 2>/dev/null | grep -q 'SAFETY'; then
+            echo "    (SAFETY comments already present — skipping)"
+        else
+            sed -i '/^\s*--/!{/unsafeCoerce/{/SAFETY.*unsafeCoerce/!s/\(.*unsafeCoerce\)/-- SAFETY: unsafeCoerce bypasses type checker — replace with safe cast\n\1/}}' "$file" 2>/dev/null || true
+        fi
 
         ((FIXED_COUNT++)) || true
     fi
@@ -50,8 +54,12 @@ while IFS= read -r -d '' file; do
         count=$(grep -c 'Obj\.magic' "$file" || echo 0)
         echo "  FOUND [OCaml] $rel_path — $count Obj.magic call(s)"
 
-        # Idempotent: only add comment if SAFETY marker not already present
-        sed -i '/Obj\.magic/{/SAFETY.*Obj\.magic/!s/\(.*Obj\.magic\)/(* SAFETY: Obj.magic bypasses type checker — use proper conversion *)\n\1/}' "$file" 2>/dev/null || true
+        # Idempotent: skip if SAFETY comment already exists on preceding line
+        if grep -B1 'Obj\.magic' "$file" 2>/dev/null | grep -q 'SAFETY'; then
+            echo "    (SAFETY comments already present — skipping)"
+        else
+            sed -i '/Obj\.magic/{/SAFETY.*Obj\.magic/!s/\(.*Obj\.magic\)/(* SAFETY: Obj.magic bypasses type checker — use proper conversion *)\n\1/}' "$file" 2>/dev/null || true
+        fi
 
         ((FIXED_COUNT++)) || true
     fi
@@ -69,8 +77,12 @@ while IFS= read -r -d '' file; do
         count=$(grep -c 'Admitted' "$file" || echo 0)
         echo "  FOUND [Coq] $rel_path — $count Admitted usage(s)"
 
-        # Idempotent: only add comment if PROOF_TODO marker not already present
-        sed -i '/Admitted/{/PROOF_TODO/!s/\(.*Admitted\)/(* PROOF_TODO: Replace Admitted with actual proof *)\n\1/}' "$file" 2>/dev/null || true
+        # Idempotent: skip if PROOF_TODO comment already exists on preceding line
+        if grep -B1 'Admitted' "$file" 2>/dev/null | grep -q 'PROOF_TODO'; then
+            echo "    (PROOF_TODO comments already present — skipping)"
+        else
+            sed -i '/Admitted/{/PROOF_TODO/!s/\(.*Admitted\)/(* PROOF_TODO: Replace Admitted with actual proof *)\n\1/}' "$file" 2>/dev/null || true
+        fi
 
         ((FIXED_COUNT++)) || true
     fi

scripts/fix-unsafe-type-coercion.sh

@@ -0,0 +1,98 @@
+{
+  "absolute-zero": "/var/mnt/eclipse/repos/maa-framework/absolute-zero",
+  "accessibilitybot": "/var/mnt/eclipse/repos/gitbot-fleet/bots/accessibilitybot",
+  "affinescript": "/var/mnt/eclipse/repos/nextgen-languages/affinescript",
+  "aggregate-library": "/var/mnt/eclipse/repos/developer-ecosystem/aggregate-library",
+  "aletheia": "/var/mnt/eclipse/repos/maa-framework/aletheia",
+  "algorithm-shield": "/var/mnt/eclipse/repos/misinformation-defence-platform/algorithm-shield",
+  "asdf-augmenters": "/var/mnt/eclipse/repos/asdf-tool-plugins/asdf-augmenters",
+  "avow-protocol": "/var/mnt/eclipse/repos/standards/avow-protocol",
+  "axel-protocol": "/var/mnt/eclipse/repos/standards/axel-protocol",
+  "Axiom.jl": "/var/mnt/eclipse/repos/developer-ecosystem/julia-ecosystem/packages/Axiom.jl",
+  "betlang": "/var/mnt/eclipse/repos/nextgen-languages/betlang",
+  "bitfuckit": "/var/mnt/eclipse/repos/reposystem/bitfuckit",
+  "blue-screen-of-app": "/var/mnt/eclipse/repos/games & trivia/blue-screen-of-app",
+  "BowtieRisk.jl": "/var/mnt/eclipse/repos/developer-ecosystem/julia-ecosystem/packages/BowtieRisk.jl",
+  "broad-spectrum": "/var/mnt/eclipse/repos/ambientops/broad-spectrum",
+  "cadre-router": "/var/mnt/eclipse/repos/developer-ecosystem/rescript-ecosystem/cadre-router",
+  "candy-crash": "/var/mnt/eclipse/repos/games & trivia/candy-crash",
+  "casket-ssg": "/var/mnt/eclipse/repos/asdf-tool-plugins/asdf-plugin-collection/plugins/casket-ssg",
+  "cerro-torre": "/var/mnt/eclipse/repos/odds-and-sods-package-manager/services/cerro-torre",
+  "cipherbot": "/var/mnt/eclipse/repos/gitbot-fleet/bots/cipherbot",
+  "claim-forge": "/var/mnt/eclipse/repos/reposystem/claim-forge",
+  "claude-integrations": "/var/mnt/eclipse/repos/patallm-gallery/claude-integrations",
+  "coq-jr": "/var/mnt/eclipse/repos/developer-ecosystem/coq-ecosystem/coq-jr",
+  "czech-file-knife": "/var/mnt/eclipse/repos/ambientops/czech-file-knife",
+  "deno-ecosystem": "/var/mnt/eclipse/repos/developer-ecosystem/deno-ecosystem",
+  "dicti0nary-attack": "/var/mnt/eclipse/repos/games & trivia/dicti0nary-attack",
+  "did-you-actually-do-that": "/var/mnt/eclipse/repos/patallm-gallery/did-you-actually-do-that",
+  "disinfo-nesy-detector": "/var/mnt/eclipse/repos/neural-foundations/satellites/neurosymbolic/disinfo-nesy-detector",
+  "dnfinition": "/var/mnt/eclipse/repos/ambientops/total-update/elixir/dnfinition",
+  "echidnabot": "/var/mnt/eclipse/repos/echidna/echidnabot",
+  "eclexia": "/var/mnt/eclipse/repos/nextgen-languages/eclexia",
+  "elegant-state": "/var/mnt/eclipse/repos/neural-foundations/satellites/agentic/elegant-state",
+  "error-lang": "/var/mnt/eclipse/repos/nextgen-languages/error-lang",
+  "esn": "/var/mnt/eclipse/repos/neural-foundations/satellites/neurosymbolic/esn",
+  "finishingbot": "/var/mnt/eclipse/repos/gitbot-fleet/bots/finishingbot",
+  "fogbinder": "/var/mnt/eclipse/repos/zotero-tools/fogbinder",
+  "formdb-http": "/var/mnt/eclipse/repos/nextgen-databases/lithoglyph/formdb-http",
+  "games": "/var/mnt/eclipse/repos/games & trivia",
+  "glambot": "/var/mnt/eclipse/repos/gitbot-fleet/bots/glambot",
+  "glyphbase": "/var/mnt/eclipse/repos/nextgen-databases/lithoglyph/glyphbase",
+  "gql-dt": "/var/mnt/eclipse/repos/nextgen-databases/lithoglyph/gql-dt",
+  "hybrid-automation-router": "/var/mnt/eclipse/repos/ambientops/hybrid-automation-router",
+  "IDApixiTIK": "/var/mnt/eclipse/repos/idaptik",
+  "idris2-ecosystem": "/var/mnt/eclipse/repos/developer-ecosystem/idris2-ecosystem",
+  "immutable-linux-auditor": "/var/mnt/eclipse/repos/ambientops/immutable-linux-auditor",
+  "indieweb2-bastion": "/var/mnt/eclipse/repos/civic-connect/indieweb2-bastion",
+  "julia-the-viper": "/var/mnt/eclipse/repos/nextgen-languages/julia-the-viper",
+  "k9-svc": "/var/mnt/eclipse/repos/standards/k9-svc",
+  "kea-tools": "/var/mnt/eclipse/repos/kea/kea-tools",
+  "kith": "/var/mnt/eclipse/repos/developer-ecosystem/well-known-ecosystem/kith",
+  "language-bridges": "/var/mnt/eclipse/repos/nextgen-languages/language-bridges",
+  "language-interop-compiler": "/var/mnt/eclipse/repos/nextgen-languages/language-interop-compiler",
+  "lithoglyph": "/var/mnt/eclipse/repos/nextgen-databases/lithoglyph",
+  "llm-tools": "/var/mnt/eclipse/repos/patallm-gallery/llm-tools",
+  "lol": "/var/mnt/eclipse/repos/standards/lol",
+  "lsm": "/var/mnt/eclipse/repos/neural-foundations/satellites/neurosymbolic/lsm",
+  "mcp-repo-guardian": "/var/mnt/eclipse/repos/standards/0-ai-gatekeeper-protocol/mcp-repo-guardian",
+  "my-lang": "/var/mnt/eclipse/repos/nextgen-languages/my-lang",
+  "nerdsafe-restart": "/var/mnt/eclipse/repos/ambientops/nerdsafe-restart",
+  "nick-shells": "/var/mnt/eclipse/repos/ambientops/nick-shells",
+  "oblibeny": "/var/mnt/eclipse/repos/nextgen-languages/oblibeny",
+  "package-publishers": "/var/mnt/eclipse/repos/developer-ecosystem/package-publishers",
+  "_pathroot": "/var/mnt/eclipse/repos/ambientops/_pathroot",
+  "personal-sysadmin": "/var/mnt/eclipse/repos/ambientops/personal-sysadmin",
+  "phantom-metal-taste": "/var/mnt/eclipse/repos/games & trivia/phantom-metal-taste",
+  "phronesis": "/var/mnt/eclipse/repos/nextgen-languages/phronesis",
+  "poly-k8s-mcp": "/var/mnt/eclipse/repos/flatracoon/netstack/modules/poly-k8s-mcp",
+  "poly-secret-mcp": "/var/mnt/eclipse/repos/flatracoon/netstack/modules/poly-secret-mcp",
+  "ProvenCrypto.jl": "/var/mnt/eclipse/repos/developer-ecosystem/julia-ecosystem/packages/ProvenCrypto.jl",
+  "qubes-sdp": "/var/mnt/eclipse/repos/aerie/qubes-sdp",
+  "reasonably-good-token-vault": "/var/mnt/eclipse/repos/ambientops/reasonably-good-token-vault",
+  "recon-silly-ation": "/var/mnt/eclipse/repos/developer-ecosystem/satellites/developer-ux/recon-silly-ation",
+  "repo-batcher": "/var/mnt/eclipse/repos/reposystem/scaffoldia/repo-batcher",
+  "repo-guardian-fs": "/var/mnt/eclipse/repos/standards/0-ai-gatekeeper-protocol/repo-guardian-fs",
+  "rescript-ecosystem": "/var/mnt/eclipse/repos/developer-ecosystem/rescript-ecosystem",
+  "rhodibot": "/var/mnt/eclipse/repos/gitbot-fleet/bots/rhodibot",
+  "rhodium-standard-repositories": "/var/mnt/eclipse/repos/standards/rhodium-standard-repositories",
+  "robot-repo-automaton": "/var/mnt/eclipse/repos/developer-ecosystem/satellites/repo-management/robot-repo-automaton",
+  "safe-brute-force": "/var/mnt/eclipse/repos/games & trivia/safe-brute-force",
+  "scaffoldia": "/var/mnt/eclipse/repos/reposystem/scaffoldia",
+  "seambot": "/var/mnt/eclipse/repos/gitbot-fleet/bots/seambot",
+  "selur": "/var/mnt/eclipse/repos/odds-and-sods-package-manager/services/selur",
+  "SMTLib.jl": "/var/mnt/eclipse/repos/developer-ecosystem/julia-ecosystem/packages/SMTLib.jl",
+  "sustainabot": "/var/mnt/eclipse/repos/gitbot-fleet/bots/sustainabot",
+  "svalinn": "/var/mnt/eclipse/repos/project-wharf/infra/svalinn",
+  "system-tools": "/var/mnt/eclipse/repos/ambientops/system-tools",
+  "test-repo": "/var/mnt/eclipse/repos/hypatia/integration/fixtures/test-repo",
+  "the-hotchocolabot": "/var/mnt/eclipse/repos/gitbot-fleet/bots/the-hotchocolabot",
+  "thejeffparadox": "/var/mnt/eclipse/repos/games & trivia/thejeffparadox",
+  "total-update": "/var/mnt/eclipse/repos/ambientops/total-update",
+  "union-policy-parser": "/var/mnt/eclipse/repos/palimpsest-plasma/union-policy-parser",
+  "verified-container-spec": "/var/mnt/eclipse/repos/stapeln/verified-container-spec",
+  "verisimdb": "/var/mnt/eclipse/repos/nextgen-databases/verisimdb",
+  "vordr": "/var/mnt/eclipse/repos/stapeln/container-stack/vordr",
+  "well-known-ecosystem": "/var/mnt/eclipse/repos/developer-ecosystem/well-known-ecosystem",
+  "zig-ffi": "/var/mnt/eclipse/repos/developer-ecosystem/rescript-ecosystem/packages/ffi/zig-ffi"
+}