chore(quality): automated quality improvement pass — security fixes, test coverage +~170 tests, quality scorecard

Security:
- system: replace curl|bash with download→SHA256→verify→exec for Homebrew installer (mirrors OMZ pattern)
- config/validate: add regex validation for macOS defaults domain/key (reject whitespace/metacharacters)
- dotfiles: add regex guard on git branch names to prevent refspec injection
- shell/state: tighten .zshrc and state.json write permissions 0644→0600
- macos: move dry-run output from os.Stderr to stdout
- updater: replace sh -c dynamic string in execBrewUpgrade with sequential exec.Command calls
- brew: route Install/InstallCask through brewInstallCmd to inherit HOMEBREW_NO_AUTO_UPDATE=1

Tests (+~170 new tests, all green):
- internal/system:   39% → 66% (+27pp)
- internal/macos:    51% → 84% (+33pp)
- internal/npm:      55% → 93% (+38pp)
- internal/shell:    55% → 74% (+19pp)
- internal/brew:     65% → 74% (+9pp)
- internal/sync:     28% → 55% (+27pp)
- internal/cli:      19% → 35% (+16pp)
- internal/installer: 40% → 44% (+4pp)

Quality toolchain:
- Add quality/scorecard.yaml with weighted scoring dimensions
- Add scripts/quality-score.sh (deterministic score from golangci-lint + gosec + gocyclo + coverage)
- Add make quality / quality-lint / quality-security / quality-diff targets
- Update .golangci.yml with gosec, gocyclo (threshold 15), staticcheck, ineffassign
- Baseline score: 5.4/10 → 6.8/10

Author: fullstackjam

.gitignore

@@ -49,3 +49,9 @@ vendor/
 coverage.out
 coverage.html
 *.coverprofile
+
+# Quality scorecard — ignore generated coverage artifact, track the rest
+quality/coverage.out
+# quality/score.json      — tracked (committed score snapshots)
+# quality/scorecard.yaml  — tracked (config)
+# quality/findings.md     — tracked (human-readable report)

.golangci.yml

@@ -1,17 +1,31 @@
 version: "2"
 
+run:
+  timeout: 5m
+  skip-dirs:
+    - vendor
+    - testutil
+
 formatters:
   enable:
     - gofmt
     - goimports
+  settings:
+    goimports:
+      local-prefixes:
+        - github.com/openbootdotdev/openboot
 
 linters:
   default: none
   enable:
     - errcheck
     - govet
     - staticcheck
+    - gosimple
+    - ineffassign
     - unused
+    - gocyclo
+    - gosec
     - misspell
     - unconvert
     - exhaustive
@@ -25,8 +39,19 @@ linters:
         - (*encoding/json.Encoder).Encode
         - os.WriteFile
         - (*os.File).Close
+    gocyclo:
+      min-complexity: 15
+    gosec:
+      excludes:
+        - G304 # File path provided as taint input — acceptable for CLI tools
   exclusions:
     rules:
       - path: "_test\\.go"
         linters:
           - errcheck
+          - gosec
+      - path: "testutil/"
+        linters:
+          - gosec
+          - errcheck
+          - unused

Makefile

@@ -1,6 +1,7 @@
 .PHONY: test-unit test-integration test-e2e test-destructive test-smoke test-smoke-prebuilt test-coverage test-all \
        test-vm test-vm-short test-vm-run test-vm-quick test-vm-release test-vm-full \
-       install-hooks uninstall-hooks
+       install-hooks uninstall-hooks \
+       quality quality-lint quality-security quality-diff
 
 BINARY_NAME=openboot
 BINARY_PATH=./$(BINARY_NAME)
@@ -113,3 +114,25 @@ uninstall-hooks:
 		rm -f .git/hooks/$$hook; \
 		echo "✓ removed .git/hooks/$$hook"; \
 	done
+
+# =============================================================================
+# Quality scorecard
+# =============================================================================
+
+quality: ## Run full quality scorecard
+	@bash scripts/quality-score.sh
+
+quality-lint: ## Run golangci-lint only
+	golangci-lint run ./...
+
+quality-security: ## Run gosec only
+	gosec ./...
+
+quality-diff: ## Show score change vs last run then re-run scorecard
+	@if [ -f quality/score.json ]; then \
+		echo "Last recorded score:"; \
+		python3 -c "import json,sys; d=json.load(open('quality/score.json')); print('  total_score:', d['total_score'], '  (', d['timestamp'], '  sha:', d['git_sha'], ')')" 2>/dev/null || \
+		grep -E '"total_score"|"timestamp"|"git_sha"' quality/score.json | sed 's/^/  /'; \
+		echo; \
+	fi
+	@bash scripts/quality-score.sh

internal/brew/brew.go

@@ -137,7 +137,7 @@ func Install(packages []string, dryRun bool) error {
 	ui.Info(fmt.Sprintf("Installing %d CLI packages...", len(packages)))
 
 	args := append([]string{"install"}, packages...)
-	cmd := exec.Command("brew", args...)
+	cmd := brewInstallCmd(args...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	return cmd.Run()
@@ -182,7 +182,7 @@ func InstallCask(packages []string, dryRun bool) error {
 	ui.Info(fmt.Sprintf("Installing %d GUI applications...", len(packages)))
 
 	args := append([]string{"install", "--cask"}, packages...)
-	cmd := exec.Command("brew", args...)
+	cmd := brewInstallCmd(args...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	return cmd.Run()