fix(lint): fix all sonarcloud detected issues (#279)

* fix(ci): replace broad permissions with specific scopes in workflows

Replace read-all/write-all with minimum required permission scopes
across all GitHub Actions workflows to follow the principle of least
privilege (SonarCloud rule githubactions:S8234).

* fix(shell): use [[ instead of [ for conditional tests

Replace single brackets with double brackets in bash conditional
expressions across 14 files (28 changes). All scripts use bash
shebangs so [[ is safe everywhere (SonarCloud rule shelldre:S7688).

* fix(shell): add explicit return statements to functions

Add return 0 as the last statement in ~46 shell functions across
17 files that previously relied on implicit return codes
(SonarCloud rule shelldre:S7682).

* fix(shell): assign positional parameters to local variables

Replace direct $1/$2/$3 usage with named local variables in _log(),
msg(), msg_err(), msg_done(), msg_run(), msg_ok(), and array_diff()
(SonarCloud rule shelldre:S7679).

* fix(python): replace dict() constructor with literal

Use {} instead of dict() for empty dictionary initialization
(SonarCloud rule python:S7498).

* fix(shell): fix husky shebang and tolerate npm outdated exit code

* docs(shell): add function docstring comments

* fix(shell): fix heredoc indentation in x-sonarcloud

* feat(python): add ruff linter and formatter configuration

* fix(ci): align megalinter config with biome, ruff, and shfmt settings

* fix(ci): disable black and yaml-prettier in megalinter config

* chore(ci): update ruff-pre-commit to v0.15.0 and fix hook name

* fix(scripts): check for .git dir before skipping clone in install-fonts

* fix(shell): address code review issues in scripts and shared.sh

- Guard wezterm show-keys failure in create-wezterm-keymaps.sh
- Stop masking git failures with return 0 in install-cheat-purebashbible.sh
- Add missing shared.sh source in install-xcode-cli-tools.sh
- Replace exit 1 with return 1 in sourced shared.sh

* fix(scripts): address code review and security findings

- Guard wezterm show-keys failure in create-wezterm-keymaps.sh
- Stop masking git failures with return 0 in install-cheat-purebashbible.sh
- Add missing shared.sh source in install-xcode-cli-tools.sh
- Replace exit 1 with return 1 in sourced shared.sh
- Remove shell=True subprocess calls in x-git-largest-files.py

* style(shell): apply shfmt formatting and add args to pre-commit hook

* fix(python): suppress bandit false positives in x-git-largest-files

* fix(python): add nosemgrep suppression for check_output call

* feat(format): add prettier for YAML formatting

Install prettier, add .prettierrc.json config (200-char width, 2-space
indent, LF endings), .prettierignore, yarn scripts (lint:prettier,
fix:prettier, format:yaml), and pre-commit hook scoped to YAML files.

* style(yaml): apply prettier formatting

* fix(scripts): address remaining code review findings

- Python: use list comprehension to filter empty strings instead of
  slicing off the last element
- create-wezterm-keymaps: write to temp file and mv for atomic updates
- install-xcode-cli-tools: fix shellcheck source directive path

* fix(python): sort imports alphabetically in x-git-largest-files

* fix(lint): disable PYTHON_ISORT in MegaLinter, ruff handles it

* chore(git): add __pycache__ to gitignore

* fix(python): rename ambiguous variable l to line (E741)

* style: remove trailing whitespace and blank lines

* style(fzf): apply shfmt formatting

* style(shell): apply shfmt formatting

* docs(plans): add design documents

* style(docs): add language specifier to fenced code block

* feat(lint): add markdown-table-formatter to dev tooling

Add markdown-table-formatter as a dev dependency with yarn scripts
(lint:md-table, fix:md-table) and a local pre-commit hook to
automatically format markdown tables on commit.

local/bin/x-ssh-audit

@@ -154,6 +154,7 @@ get_state()
 # ERROR HANDLING AND CLEANUP
 # ============================================================================
 
+# Clean up temporary files and handle exit
 cleanup()
 {
   exit_code=$?
@@ -177,6 +178,7 @@ trap cleanup EXIT INT TERM
 # LOGGING FUNCTIONS
 # ============================================================================
 
+# Create audit directories and initialize log file
 setup_logging()
 {
   # Create all necessary directories
@@ -197,6 +199,7 @@ setup_logging()
   } >> "$LOG_FILE"
 }
 
+# Log a message with timestamp and severity level
 log_message()
 {
   level="$1"
@@ -225,6 +228,7 @@ log_message()
 # INPUT VALIDATION
 # ============================================================================
 
+# Validate hostname format for SSH connection
 validate_hostname()
 {
   hostname="$1"
@@ -244,6 +248,7 @@ validate_hostname()
   return 0
 }
 
+# Validate username format for SSH connection
 validate_username()
 {
   username="$1"
@@ -263,6 +268,7 @@ validate_username()
   return 0
 }
 
+# Parse input file into validated host entries
 parse_host_list()
 {
   input_file="$1"
@@ -309,6 +315,7 @@ parse_host_list()
 # SSH CONNECTION FUNCTIONS
 # ============================================================================
 
+# Execute SSH command with retry logic and key fallback
 ssh_with_retry()
 {
   host="$1"
@@ -373,6 +380,7 @@ ssh_with_retry()
   return 1
 }
 
+# Verify SSH connectivity to a host
 test_ssh_connectivity()
 {
   host="$1"
@@ -392,6 +400,7 @@ test_ssh_connectivity()
 # SSH SECURITY AUDIT FUNCTIONS
 # ============================================================================
 
+# Audit SSH daemon configuration on a remote host
 check_sshd_config()
 {
   host="$1"
@@ -451,6 +460,7 @@ check_sshd_config()
 # AUTOMATED UPDATES DETECTION
 # ============================================================================
 
+# Check if automated security updates are enabled
 check_automated_updates()
 {
   host="$1"
@@ -532,6 +542,7 @@ check_automated_updates()
 # PENDING REBOOT DETECTION
 # ============================================================================
 
+# Detect if a remote host requires a reboot
 check_pending_reboot()
 {
   host="$1"
@@ -602,6 +613,7 @@ check_pending_reboot()
 # REMEDIATION FUNCTIONS
 # ============================================================================
 
+# Create a timestamped backup of sshd_config
 backup_sshd_config()
 {
   host="$1"
@@ -616,6 +628,7 @@ backup_sshd_config()
     " "$ssh_key"
 }
 
+# Disable password authentication on a remote host
 disable_password_auth()
 {
   host="$1"
@@ -668,6 +681,7 @@ ClientAliveCountMax 2
 # REPORTING FUNCTIONS
 # ============================================================================
 
+# Generate CSV report from audit results
 generate_csv_report()
 {
   report_file="$1"
@@ -693,6 +707,7 @@ generate_csv_report()
   done < "$HOSTS_LIST_FILE"
 }
 
+# Display formatted audit summary to terminal
 display_summary()
 {
   printf '\n'
@@ -743,6 +758,7 @@ display_summary()
 # MAIN AUDIT FUNCTION
 # ============================================================================
 
+# Run all audit checks on a single host
 audit_host()
 {
   host_entry="$1"
@@ -788,6 +804,7 @@ audit_host()
 # MAIN EXECUTION
 # ============================================================================
 
+# Main entry point: parse args, run audits, generate report
 main()
 {
   input_file="${1:-}"