Commit e2e7233
Claude/safety checks script org oty yv (#3)
* feat(safety): owner allowlist + two-tier menu with clearer item names
Adds an ownership safety guard so scripts NEVER touch repositories outside
a configured allowlist of owners (defaults to ["hyperpolymath"]; edit
config/owners.config or set GIT_SCRIPTS_ALLOWED_OWNERS to add personal /
family / additional org accounts). The guard is enforced in two parallel
implementations that share the same config:
- scripts/lib/ownership_guard.sh — sourced by every shell script that
targets a single org or pushes to remotes; provides
owner_allowed/repo_allowed/assert_owner_allowed and a host-agnostic
owner extractor (works for GitHub, GitLab, Bitbucket, Gitea,
self-hosted, SSH-style, etc.).
- lib/script_manager/ownership_guard.ex — the Elixir equivalent;
exposes allowed_owners/0, owner_allowed?/1, repo_allowed?/1,
filter_allowed/1, filter_allowed_verbose/1 and assert_owner_allowed!/1.
Wired into all the scripts/modules that can mutate or affect repos:
shell: branch-protection-apply, wiki-audit, project-tabs-audit,
audit_script (per-repo filter + uses derived owner for the
Dependabot URL), update_repos (per-repo filter before push),
standardize_readmes & md_to_adoc_converter (per-repo filter).
elixir: PRProcessor.process_all/add_standard_comment (asserts org),
GitSyncer.run (filters discovered repos before push),
EstateDeployer.deploy_by_paths (filters before writing files),
DependencyFixer.fix_lithoglyph/fix_rgtv (refuses to patch when
enclosing repo is foreign-owned),
RepoCleanup (warns the external cleanup scripts are NOT bound
by the allowlist).
Also rewrites the TUI menu as two tiers with clearer item names:
[A] Audits & Reports — wiki, project metadata, contractiles,
secrets/Dependabot, health dashboard,
local-vs-remote sync verification
[B] Repository Maintenance — update repos, global git sync,
standardise READMEs, MD→AsciiDoc,
clean unicode, cleanup ops, dep fixes
[C] GitHub Operations — branch protection rulesets, mass PR
processor, gh CLI helper
[D] Estate-Wide Deployment — deploy estate standards, link
toolchains, find media repos
[E] External Tools — launch NQC, launch Invariant Path
[F] Coming Soon — dependency updater, release manager
The startup banner shows the active owner allowlist and the help and
system-status screens both surface it so it's obvious at a glance.
Note: rebuild the escript with `mix escript.build` to pick up the
Elixir-side changes; the bash-side guard is active immediately.
https://claude.ai/code/session_014ME3ph3UecQQAPQDKY2HPf
* fix(deps): upgrade vite 5.4 -> 8.0 to clear 2 moderate Dependabot alerts
Resolves the two moderate-severity advisories Dependabot reports against
the ui/ project on the default branch:
- GHSA-67mh-4wv8-2f99 (esbuild dev server CORS, CWE-346, CVSS 5.3) —
transitive via vite 5.x's pinned esbuild 0.21.5.
- GHSA-4w7w-66w2-5vf9 (Vite path traversal in optimized deps `.map`
handling, CWE-22/CWE-200) — affects vite ≤ 6.4.1.
Both share the same fix path (vite ≥ 8.0.8). Vite 8 also drops esbuild
in favour of rolldown, so the esbuild advisory is structurally gone
rather than just patched.
Verified locally: `npm install` clean, `npx vite --version` reports
8.0.8, `npm audit` reports 0 vulnerabilities, and vite.config.mjs
(defineConfig with resolve.preserveSymlinks + server.proxy /api → 4077)
parses unchanged under the new version. Node engine requirement
(^20.19.0 || >=22.12.0) is satisfied by the existing toolchain.
https://claude.ai/code/session_014ME3ph3UecQQAPQDKY2HPf
---------
Co-authored-by: Claude <noreply@anthropic.com>
1 parent 2a4dc73 commit e2e7233
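As an added example (not the repository's own scripts/lib/ownership_guard.sh), here is the shape of such a guard in POSIX shell: the function names follow the commit message, while the URL-parsing rules, the case-insensitive comparison and the space- or comma-separated GIT_SCRIPTS_ALLOWED_OWNERS format are assumptions of this example; reading config/owners.config is left out because its format is not shown on the page.

```shell
#!/usr/bin/env bash
# Added example, not the project's ownership_guard.sh. Owner allowlist guard
# with a host-agnostic owner extractor (GitHub/GitLab/Gitea/self-hosted,
# https://, ssh://, scp-style git@host:owner/repo, and "owner/repo" shorthand).

# Allowlist: GIT_SCRIPTS_ALLOWED_OWNERS (space/comma separated, assumed
# format) overrides the default single owner. Printed one per line, lowercased.
allowed_owners() {
  printf '%s\n' "${GIT_SCRIPTS_ALLOWED_OWNERS:-hyperpolymath}" \
    | tr ' ,' '\n\n' | tr 'A-Z' 'a-z'
}

# Drop a leading "host[:port]" followed by ":" (scp-style) or "/".
strip_host() {
  printf '%s' "$1" | sed -E 's#^[^/:]+(:[0-9]+)?[:/]##'
}

# Print the lowercased owner (first path segment) of a remote URL or
# "owner/repo" shorthand; return 1 if no owner can be derived.
extract_owner() {
  rest=$1
  case $rest in
    *://*) rest=$(strip_host "${rest#*://}") ;;   # https://, ssh://, git://
    *@*)   rest=$(strip_host "${rest#*@}") ;;     # git@host:owner/repo
    *)     first=${rest%%[/:]*}                   # bare "host.tld/owner/repo"?
           case $first in *.*) rest=$(strip_host "$rest") ;; esac ;;
  esac
  rest=${rest#/}
  owner=${rest%%/*}
  [ -n "$owner" ] && [ "$owner" != "$rest" ] || return 1
  printf '%s\n' "$owner" | tr 'A-Z' 'a-z'
}

owner_allowed() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  for o in $(allowed_owners); do
    [ "$o" = "$want" ] && return 0
  done
  return 1
}

repo_allowed() {
  owner=$(extract_owner "$1") && owner_allowed "$owner"
}

# Call before any push, API write or file mutation; fails loudly otherwise.
assert_owner_allowed() {
  repo_allowed "$1" || {
    echo "refusing: '$1' is outside the owner allowlist ($(allowed_owners | tr '\n' ' '))" >&2
    return 1
  }
}
```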