fix(lint): fix all sonarcloud detected issues (#279)

* fix(ci): replace broad permissions with specific scopes in workflows

Replace read-all/write-all with minimum required permission scopes
across all GitHub Actions workflows to follow the principle of least
privilege (SonarCloud rule githubactions:S8234).

* fix(shell): use [[ instead of [ for conditional tests

Replace single brackets with double brackets in bash conditional
expressions across 14 files (28 changes). All scripts use bash
shebangs so [[ is safe everywhere (SonarCloud rule shelldre:S7688).

* fix(shell): add explicit return statements to functions

Add return 0 as the last statement in ~46 shell functions across
17 files that previously relied on implicit return codes
(SonarCloud rule shelldre:S7682).

* fix(shell): assign positional parameters to local variables

Replace direct $1/$2/$3 usage with named local variables in _log(),
msg(), msg_err(), msg_done(), msg_run(), msg_ok(), and array_diff()
(SonarCloud rule shelldre:S7679).

* fix(python): replace dict() constructor with literal

Use {} instead of dict() for empty dictionary initialization
(SonarCloud rule python:S7498).

* fix(shell): fix husky shebang and tolerate npm outdated exit code

* docs(shell): add function docstring comments

* fix(shell): fix heredoc indentation in x-sonarcloud

* feat(python): add ruff linter and formatter configuration

* fix(ci): align megalinter config with biome, ruff, and shfmt settings

* fix(ci): disable black and yaml-prettier in megalinter config

* chore(ci): update ruff-pre-commit to v0.15.0 and fix hook name

* fix(scripts): check for .git dir before skipping clone in install-fonts

* fix(shell): address code review issues in scripts and shared.sh

- Guard wezterm show-keys failure in create-wezterm-keymaps.sh
- Stop masking git failures with return 0 in install-cheat-purebashbible.sh
- Add missing shared.sh source in install-xcode-cli-tools.sh
- Replace exit 1 with return 1 in sourced shared.sh

* fix(scripts): address code review and security findings

- Guard wezterm show-keys failure in create-wezterm-keymaps.sh
- Stop masking git failures with return 0 in install-cheat-purebashbible.sh
- Add missing shared.sh source in install-xcode-cli-tools.sh
- Replace exit 1 with return 1 in sourced shared.sh
- Remove shell=True subprocess calls in x-git-largest-files.py

* style(shell): apply shfmt formatting and add args to pre-commit hook

* fix(python): suppress bandit false positives in x-git-largest-files

* fix(python): add nosemgrep suppression for check_output call

* feat(format): add prettier for YAML formatting

Install prettier, add .prettierrc.json config (200-char width, 2-space
indent, LF endings), .prettierignore, yarn scripts (lint:prettier,
fix:prettier, format:yaml), and pre-commit hook scoped to YAML files.

* style(yaml): apply prettier formatting

* fix(scripts): address remaining code review findings

- Python: use list comprehension to filter empty strings instead of
  slicing off the last element
- create-wezterm-keymaps: write to temp file and mv for atomic updates
- install-xcode-cli-tools: fix shellcheck source directive path

* fix(python): sort imports alphabetically in x-git-largest-files

* fix(lint): disable PYTHON_ISORT in MegaLinter, ruff handles it

* chore(git): add __pycache__ to gitignore

* fix(python): rename ambiguous variable l to line (E741)

* style: remove trailing whitespace and blank lines

* style(fzf): apply shfmt formatting

* style(shell): apply shfmt formatting

* docs(plans): add design documents

* style(docs): add language specifier to fenced code block

* feat(lint): add markdown-table-formatter to dev tooling

Add markdown-table-formatter as a dev dependency with yarn scripts
(lint:md-table, fix:md-table) and a local pre-commit hook to
automatically format markdown tables on commit.

config/fish/functions/__bass.py

@@ -7,65 +7,67 @@ To be used with a companion fish function like this:
 
 """
 
-from __future__ import print_function
-
 import json
 import os
 import signal
 import subprocess
 import sys
-import traceback
 
-
-BASH = 'bash'
+BASH = "bash"
 
 FISH_READONLY = [
-    'PWD', 'SHLVL', 'history', 'pipestatus', 'status', 'version',
-    'FISH_VERSION', 'fish_pid', 'hostname', '_', 'fish_private_mode'
+    "PWD",
+    "SHLVL",
+    "history",
+    "pipestatus",
+    "status",
+    "version",
+    "FISH_VERSION",
+    "fish_pid",
+    "hostname",
+    "_",
+    "fish_private_mode",
 ]
 
-IGNORED = [
- 'PS1', 'XPC_SERVICE_NAME'
-]
+IGNORED = ["PS1", "XPC_SERVICE_NAME"]
+
 
 def ignored(name):
-    if name == 'PWD':  # this is read only, but has special handling
+    if name == "PWD":  # this is read only, but has special handling
         return False
     # ignore other read only variables
     if name in FISH_READONLY:
         return True
     if name in IGNORED or name.startswith("BASH_FUNC"):
         return True
-    if name.startswith('%'):
-        return True
-    return False
+    return name.startswith("%")
+
 
 def escape(string):
     # use json.dumps to reliably escape quotes and backslashes
-    return json.dumps(string).replace(r'$', r'\$')
+    return json.dumps(string).replace(r"$", r"\$")
+
 
 def escape_identifier(word):
-    return escape(word.replace('?', '\\?'))
+    return escape(word.replace("?", "\\?"))
+
 
 def comment(string):
-    return '\n'.join(['# ' + line for line in string.split('\n')])
+    return "\n".join(["# " + line for line in string.split("\n")])
+
 
 def gen_script():
     # Use the following instead of /usr/bin/env to read environment so we can
     # deal with multi-line environment variables (and other odd cases).
-    env_reader = "%s -c 'import os,json; print(json.dumps({k:v for k,v in os.environ.items()}))'" % (sys.executable)
-    args = [BASH, '-c', env_reader]
+    env_reader = f"{sys.executable} -c 'import os,json; print(json.dumps({{k:v for k,v in os.environ.items()}}))'"
+    args = [BASH, "-c", env_reader]
     output = subprocess.check_output(args, universal_newlines=True)
     old_env = output.strip()
 
     pipe_r, pipe_w = os.pipe()
-    if sys.version_info >= (3, 4):
-      os.set_inheritable(pipe_w, True)
-    command = 'eval $1 && ({}; alias) >&{}'.format(
-        env_reader,
-        pipe_w
-    )
-    args = [BASH, '-c', command, 'bass', ' '.join(sys.argv[1:])]
+    os.set_inheritable(pipe_w, True)
+    command = f"eval $1 && ({env_reader}; alias) >&{pipe_w}"
+    args = [BASH, "-c", command, "bass", " ".join(sys.argv[1:])]
     p = subprocess.Popen(args, universal_newlines=True, close_fds=False)
     os.close(pipe_w)
     with os.fdopen(pipe_r) as f:
@@ -73,9 +75,7 @@ def gen_script():
         alias_str = f.read()
     if p.wait() != 0:
         raise subprocess.CalledProcessError(
-            returncode=p.returncode,
-            cmd=' '.join(sys.argv[1:]),
-            output=new_env + alias_str
+            returncode=p.returncode, cmd=" ".join(sys.argv[1:]), output=new_env + alias_str
         )
     new_env = new_env.strip()
 
@@ -89,41 +89,41 @@ def gen_script():
             continue
         v1 = old_env.get(k)
         if not v1:
-            script_lines.append(comment('adding %s=%s' % (k, v)))
+            script_lines.append(comment(f"adding {k}={v}"))
         elif v1 != v:
-            script_lines.append(comment('updating %s=%s -> %s' % (k, v1, v)))
+            script_lines.append(comment(f"updating {k}={v1} -> {v}"))
             # process special variables
-            if k == 'PWD':
-                script_lines.append('cd %s' % escape(v))
+            if k == "PWD":
+                script_lines.append(f"cd {escape(v)}")
                 continue
         else:
             continue
-        if k == 'PATH':
-            value = ' '.join([escape(directory)
-                              for directory in v.split(':')])
+        if k == "PATH":  # noqa: SIM108
+            value = " ".join([escape(directory) for directory in v.split(":")])
         else:
             value = escape(v)
-        script_lines.append('set -g -x %s %s' % (k, value))
+        script_lines.append(f"set -g -x {k} {value}")
 
     for var in set(old_env.keys()) - set(new_env.keys()):
-        script_lines.append(comment('removing %s' % var))
-        script_lines.append('set -e %s' % var)
+        script_lines.append(comment(f"removing {var}"))
+        script_lines.append(f"set -e {var}")
 
-    script = '\n'.join(script_lines)
+    script = "\n".join(script_lines)
 
     alias_lines = []
     for line in alias_str.splitlines():
         _, rest = line.split(None, 1)
         k, v = rest.split("=", 1)
         alias_lines.append("alias " + escape_identifier(k) + "=" + v)
-    alias = '\n'.join(alias_lines)
+    alias = "\n".join(alias_lines)
 
-    return script + '\n' + alias
+    return script + "\n" + alias
 
-script_file = os.fdopen(3, 'w')
+
+script_file = os.fdopen(3, "w")
 
 if not sys.argv[1:]:
-    print('__bass_usage', file=script_file, end='')
+    print("__bass_usage", file=script_file, end="")
     sys.exit(0)
 
 try:
@@ -131,8 +131,8 @@ try:
 except subprocess.CalledProcessError as e:
     sys.exit(e.returncode)
 except Exception:
-    print('Bass internal error!', file=sys.stderr)
-    raise # traceback will output to stderr
+    print("Bass internal error!", file=sys.stderr)
+    raise  # traceback will output to stderr
 except KeyboardInterrupt:
     signal.signal(signal.SIGINT, signal.SIG_DFL)
     os.kill(os.getpid(), signal.SIGINT)

config/fish/functions/fisher.fish

@@ -8,8 +8,8 @@ function fisher --argument-names cmd --description "A plugin manager for Fish"
             echo "fisher, version $fisher_version"
         case "" -h --help
             echo "Usage: fisher install   <plugins...>  Install plugins"
-            echo "       fisher remove    <plugins...>  Remove installed plugins" 
-            echo "       fisher uninstall <plugins...>  Remove installed plugins (alias)" 
+            echo "       fisher remove    <plugins...>  Remove installed plugins"
+            echo "       fisher uninstall <plugins...>  Remove installed plugins (alias)"
             echo "       fisher update    <plugins...>  Update installed plugins"
             echo "       fisher update                  Update all installed plugins"
             echo "       fisher list    [<regex>]       List installed plugins matching regex"
@@ -41,7 +41,7 @@ function fisher --argument-names cmd --description "A plugin manager for Fish"
                     echo "fisher: \"$fish_plugins\" file not found: \"$cmd\"" >&2 && return 1
                 end
                 set arg_plugins $file_plugins
-            else if test "$cmd" = install && ! set --query old_plugins[1] 
+            else if test "$cmd" = install && ! set --query old_plugins[1]
                 set --append arg_plugins $file_plugins
             end
 

config/fish/themes/Catppuccin Frappe.theme

@@ -58,4 +58,3 @@ fish_pager_color_progress 737994
 fish_pager_color_prefix f4b8e4
 fish_pager_color_completion c6d0f5
 fish_pager_color_description 737994
-

config/fish/themes/Catppuccin Macchiato.theme

@@ -58,4 +58,3 @@ fish_pager_color_progress 6e738d
 fish_pager_color_prefix f5bde6
 fish_pager_color_completion cad3f5
 fish_pager_color_description 6e738d
-

config/fish/themes/Catppuccin Mocha.theme

@@ -58,4 +58,3 @@ fish_pager_color_progress 6c7086
 fish_pager_color_prefix f5c2e7
 fish_pager_color_completion cdd6f4
 fish_pager_color_description 6c7086
-