refactor(ax): align code with AX principles

agentci/clotho.go

@@ -1,27 +1,34 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package agentci
 
 import (
 	"context"
-	"strings"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 
 	"dappco.re/go/core/scm/jobrunner"
 )
 
 // RunMode determines the execution strategy for a dispatched task.
+//
 type RunMode string
 
 const (
+	//
 	ModeStandard RunMode = "standard"
+	//
 	ModeDual RunMode = "dual" // The Clotho Protocol — dual-run verification
 )
 
 // Spinner is the Clotho orchestrator that determines the fate of each task.
+//
 type Spinner struct {
 	Config ClothoConfig
 	Agents map[string]AgentConfig
 }
 
 // NewSpinner creates a new Clotho orchestrator.
+//
 func NewSpinner(cfg ClothoConfig, agents map[string]AgentConfig) *Spinner {
 	return &Spinner{
 		Config: cfg,

agentci/config.go

@@ -1,14 +1,17 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 // Package agentci provides configuration, security, and orchestration for AgentCI dispatch targets.
 package agentci
 
 import (
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 
-	"forge.lthn.ai/core/config"
 	coreerr "dappco.re/go/core/log"
+	"forge.lthn.ai/core/config"
 )
 
 // AgentConfig represents a single agent machine in the config file.
+//
 type AgentConfig struct {
 	Host          string   `yaml:"host" mapstructure:"host"`
 	QueueDir      string   `yaml:"queue_dir" mapstructure:"queue_dir"`
@@ -23,6 +26,7 @@ type AgentConfig struct {
 }
 
 // ClothoConfig controls the orchestration strategy.
+//
 type ClothoConfig struct {
 	Strategy            string  `yaml:"strategy" mapstructure:"strategy"`                         // direct, clotho-verified
 	ValidationThreshold float64 `yaml:"validation_threshold" mapstructure:"validation_threshold"` // divergence limit (0.0-1.0)
@@ -31,6 +35,7 @@ type ClothoConfig struct {
 
 // LoadAgents reads agent targets from config and returns a map of AgentConfig.
 // Returns an empty map (not an error) if no agents are configured.
+//
 func LoadAgents(cfg *config.Config) (map[string]AgentConfig, error) {
 	var agents map[string]AgentConfig
 	if err := cfg.Get("agentci.agents", &agents); err != nil {
@@ -61,6 +66,7 @@ func LoadAgents(cfg *config.Config) (map[string]AgentConfig, error) {
 }
 
 // LoadActiveAgents returns only active agents.
+//
 func LoadActiveAgents(cfg *config.Config) (map[string]AgentConfig, error) {
 	all, err := LoadAgents(cfg)
 	if err != nil {
@@ -77,6 +83,7 @@ func LoadActiveAgents(cfg *config.Config) (map[string]AgentConfig, error) {
 
 // LoadClothoConfig loads the Clotho orchestrator settings.
 // Returns sensible defaults if no config is present.
+//
 func LoadClothoConfig(cfg *config.Config) (ClothoConfig, error) {
 	var cc ClothoConfig
 	if err := cfg.Get("agentci.clotho", &cc); err != nil {
@@ -95,6 +102,7 @@ func LoadClothoConfig(cfg *config.Config) (ClothoConfig, error) {
 }
 
 // SaveAgent writes an agent config entry to the config file.
+//
 func SaveAgent(cfg *config.Config, name string, ac AgentConfig) error {
 	key := fmt.Sprintf("agentci.agents.%s", name)
 	data := map[string]any{
@@ -123,6 +131,7 @@ func SaveAgent(cfg *config.Config, name string, ac AgentConfig) error {
 }
 
 // RemoveAgent removes an agent from the config file.
+//
 func RemoveAgent(cfg *config.Config, name string) error {
 	var agents map[string]AgentConfig
 	if err := cfg.Get("agentci.agents", &agents); err != nil {
@@ -136,6 +145,7 @@ func RemoveAgent(cfg *config.Config, name string) error {
 }
 
 // ListAgents returns all configured agents (active and inactive).
+//
 func ListAgents(cfg *config.Config) (map[string]AgentConfig, error) {
 	var agents map[string]AgentConfig
 	if err := cfg.Get("agentci.agents", &agents); err != nil {

agentci/config_test.go

@@ -3,8 +3,8 @@ package agentci
 import (
 	"testing"
 
-	"forge.lthn.ai/core/config"
 	"dappco.re/go/core/io"
+	"forge.lthn.ai/core/config"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -299,7 +299,7 @@ func TestListAgents_Good_Empty(t *testing.T) {
 	assert.Empty(t, agents)
 }
 
-func TestRoundTrip_SaveThenLoad(t *testing.T) {
+func TestRoundTrip_Good_SaveThenLoad(t *testing.T) {
 	cfg := newTestConfig(t, "")
 
 	err := SaveAgent(cfg, "alpha", AgentConfig{

agentci/security.go

@@ -1,36 +1,150 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package agentci
 
 import (
-	"os/exec"
-	"path/filepath"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
+	exec "golang.org/x/sys/execabs"
+	"path"
 	"regexp"
-	"strings"
 
 	coreerr "dappco.re/go/core/log"
+	filepath "dappco.re/go/core/scm/internal/ax/filepathx"
 )
 
 var safeNameRegex = regexp.MustCompile(`^[a-zA-Z0-9\-\_\.]+$`)
 
 // SanitizePath ensures a filename or directory name is safe and prevents path traversal.
-// Returns filepath.Base of the input after validation.
+// Returns the validated input unchanged.
+//
 func SanitizePath(input string) (string, error) {
-	base := filepath.Base(input)
-	if !safeNameRegex.MatchString(base) {
+	if input == "" {
+		return "", coreerr.E("agentci.SanitizePath", "path element is required", nil)
+	}
+	if strings.ContainsAny(input, `/\`) {
+		return "", coreerr.E("agentci.SanitizePath", "path separators are not allowed: "+input, nil)
+	}
+	if input == "." || input == ".." {
+		return "", coreerr.E("agentci.SanitizePath", "invalid path element: "+input, nil)
+	}
+	if !safeNameRegex.MatchString(input) {
 		return "", coreerr.E("agentci.SanitizePath", "invalid characters in path element: "+input, nil)
 	}
-	if base == "." || base == ".." || base == "/" {
-		return "", coreerr.E("agentci.SanitizePath", "invalid path element: "+base, nil)
+	return input, nil
+}
+
+// ValidatePathElement validates a single local path element and returns its safe form.
+//
+func ValidatePathElement(input string) (string, error) {
+	return SanitizePath(input)
+}
+
+// ResolvePathWithinRoot resolves a validated path element beneath a root directory.
+//
+func ResolvePathWithinRoot(root string, input string) (string, string, error) {
+	safeName, err := ValidatePathElement(input)
+	if err != nil {
+		return "", "", coreerr.E("agentci.ResolvePathWithinRoot", "invalid path element", err)
 	}
-	return base, nil
+
+	absRoot, err := filepath.Abs(root)
+	if err != nil {
+		return "", "", coreerr.E("agentci.ResolvePathWithinRoot", "resolve root", err)
+	}
+
+	resolved := filepath.Clean(filepath.Join(absRoot, safeName))
+	cleanRoot := filepath.Clean(absRoot)
+	rootPrefix := cleanRoot + string(filepath.Separator)
+	if resolved != cleanRoot && !strings.HasPrefix(resolved, rootPrefix) {
+		return "", "", coreerr.E("agentci.ResolvePathWithinRoot", "resolved path escaped root", nil)
+	}
+
+	return safeName, resolved, nil
+}
+
+// ValidateRemoteDir validates a remote directory path used over SSH.
+//
+func ValidateRemoteDir(dir string) (string, error) {
+	if strings.TrimSpace(dir) == "" {
+		return "", coreerr.E("agentci.ValidateRemoteDir", "directory is required", nil)
+	}
+	if strings.ContainsAny(dir, `\`) {
+		return "", coreerr.E("agentci.ValidateRemoteDir", "backslashes are not allowed", nil)
+	}
+
+	switch dir {
+	case "/", "~":
+		return dir, nil
+	}
+
+	cleaned := path.Clean(dir)
+	prefix := ""
+	rest := cleaned
+
+	if strings.HasPrefix(dir, "~/") {
+		prefix = "~/"
+		rest = strings.TrimPrefix(cleaned, "~/")
+	}
+	if strings.HasPrefix(dir, "/") {
+		prefix = "/"
+		rest = strings.TrimPrefix(cleaned, "/")
+	}
+
+	if rest == "." || rest == ".." || strings.HasPrefix(rest, "../") {
+		return "", coreerr.E("agentci.ValidateRemoteDir", "directory escaped root", nil)
+	}
+
+	for _, part := range strings.Split(rest, "/") {
+		if part == "" {
+			continue
+		}
+		if _, err := ValidatePathElement(part); err != nil {
+			return "", coreerr.E("agentci.ValidateRemoteDir", "invalid directory segment", err)
+		}
+	}
+
+	if rest == "" || rest == "." {
+		return prefix, nil
+	}
+
+	return prefix + rest, nil
+}
+
+// JoinRemotePath joins validated remote path elements using forward slashes.
+//
+func JoinRemotePath(base string, parts ...string) (string, error) {
+	safeBase, err := ValidateRemoteDir(base)
+	if err != nil {
+		return "", coreerr.E("agentci.JoinRemotePath", "invalid base directory", err)
+	}
+
+	cleanParts := make([]string, 0, len(parts))
+	for _, part := range parts {
+		safePart, partErr := ValidatePathElement(part)
+		if partErr != nil {
+			return "", coreerr.E("agentci.JoinRemotePath", "invalid path element", partErr)
+		}
+		cleanParts = append(cleanParts, safePart)
+	}
+
+	if safeBase == "~" {
+		return path.Join("~", path.Join(cleanParts...)), nil
+	}
+	if strings.HasPrefix(safeBase, "~/") {
+		return "~/" + path.Join(strings.TrimPrefix(safeBase, "~/"), path.Join(cleanParts...)), nil
+	}
+	return path.Join(append([]string{safeBase}, cleanParts...)...), nil
 }
 
 // EscapeShellArg wraps a string in single quotes for safe remote shell insertion.
 // Prefer exec.Command arguments over constructing shell strings where possible.
+//
 func EscapeShellArg(arg string) string {
 	return "'" + strings.ReplaceAll(arg, "'", "'\\''") + "'"
 }
 
 // SecureSSHCommand creates an SSH exec.Cmd with strict host key checking and batch mode.
+//
 func SecureSSHCommand(host string, remoteCmd string) *exec.Cmd {
 	return exec.Command("ssh",
 		"-o", "StrictHostKeyChecking=yes",
@@ -42,6 +156,7 @@ func SecureSSHCommand(host string, remoteCmd string) *exec.Cmd {
 }
 
 // MaskToken returns a masked version of a token for safe logging.
+//
 func MaskToken(token string) string {
 	if len(token) < 8 {
 		return "*****"

agentci/security_test.go

@@ -20,7 +20,6 @@ func TestSanitizePath_Good(t *testing.T) {
 		{"with.dot", "with.dot"},
 		{"CamelCase", "CamelCase"},
 		{"123", "123"},
-		{"path/to/file.txt", "file.txt"},
 	}
 
 	for _, tt := range tests {
@@ -44,8 +43,11 @@ func TestSanitizePath_Bad(t *testing.T) {
 		{"pipe", "file|name"},
 		{"ampersand", "file&name"},
 		{"dollar", "file$name"},
+		{"slash", "path/to/file.txt"},
+		{"backslash", `path\to\file.txt`},
 		{"parent traversal base", ".."},
 		{"root", "/"},
+		{"empty", ""},
 	}
 
 	for _, tt := range tests {

cmd/collect/cmd.go

@@ -1,12 +1,14 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
-	"dappco.re/go/core/scm/collect"
 	"dappco.re/go/core/i18n"
 	"dappco.re/go/core/io"
+	"dappco.re/go/core/scm/collect"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 func init() {
@@ -28,6 +30,7 @@ var (
 )
 
 // AddCollectCommands registers the 'collect' command and all subcommands.
+//
 func AddCollectCommands(root *cli.Command) {
 	collectCmd := &cli.Command{
 		Use:   "collect",

cmd/collect/cmd_bitcointalk.go

@@ -1,12 +1,14 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
 	"context"
-	"strings"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
-	"dappco.re/go/core/scm/collect"
 	"dappco.re/go/core/i18n"
+	"dappco.re/go/core/scm/collect"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // BitcoinTalk command flags

cmd/collect/cmd_dispatch.go

@@ -1,12 +1,14 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 	"time"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
-	collectpkg "dappco.re/go/core/scm/collect"
 	"dappco.re/go/core/i18n"
+	collectpkg "dappco.re/go/core/scm/collect"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // addDispatchCommand adds the 'dispatch' subcommand to the collect parent.

cmd/collect/cmd_excavate.go

@@ -1,12 +1,14 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
 	"context"
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
-	"dappco.re/go/core/scm/collect"
 	"dappco.re/go/core/i18n"
+	"dappco.re/go/core/scm/collect"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // Excavate command flags

cmd/collect/cmd_github.go

@@ -1,12 +1,14 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
 	"context"
-	"strings"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
-	"dappco.re/go/core/scm/collect"
 	"dappco.re/go/core/i18n"
+	"dappco.re/go/core/scm/collect"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // GitHub command flags

cmd/collect/cmd_market.go

@@ -1,11 +1,13 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
 	"context"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
-	"dappco.re/go/core/scm/collect"
 	"dappco.re/go/core/i18n"
+	"dappco.re/go/core/scm/collect"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // Market command flags

cmd/collect/cmd_papers.go

@@ -1,11 +1,13 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
 	"context"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
-	"dappco.re/go/core/scm/collect"
 	"dappco.re/go/core/i18n"
+	"dappco.re/go/core/scm/collect"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // Papers command flags

cmd/collect/cmd_process.go

@@ -1,11 +1,13 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
 	"context"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
-	"dappco.re/go/core/scm/collect"
 	"dappco.re/go/core/i18n"
+	"dappco.re/go/core/scm/collect"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // addProcessCommand adds the 'process' subcommand to the collect parent.

cmd/forge/cmd_auth.go

@@ -1,10 +1,12 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	fg "dappco.re/go/core/scm/forge"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // Auth command flags.

cmd/forge/cmd_config.go

@@ -1,10 +1,12 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	fg "dappco.re/go/core/scm/forge"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // Config command flags.

cmd/forge/cmd_forge.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 // Package forge provides CLI commands for managing a Forgejo instance.
 //
 // Commands:
@@ -33,6 +35,7 @@ var (
 )
 
 // AddForgeCommands registers the 'forge' command and all subcommands.
+//
 func AddForgeCommands(root *cli.Command) {
 	forgeCmd := &cli.Command{
 		Use:   "forge",

cmd/forge/cmd_issues.go

@@ -1,13 +1,15 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
-	"fmt"
-	"strings"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 
 	forgejo "codeberg.org/mvdkleijn/forgejo-sdk/forgejo/v2"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	fg "dappco.re/go/core/scm/forge"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // Issues command flags.

cmd/forge/cmd_labels.go

@@ -1,12 +1,14 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 
 	forgejo "codeberg.org/mvdkleijn/forgejo-sdk/forgejo/v2"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	fg "dappco.re/go/core/scm/forge"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // Labels command flags.

cmd/forge/cmd_migrate.go

@@ -1,12 +1,14 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 
 	forgejo "codeberg.org/mvdkleijn/forgejo-sdk/forgejo/v2"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	fg "dappco.re/go/core/scm/forge"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // Migrate command flags.

cmd/forge/cmd_orgs.go

@@ -1,10 +1,12 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	fg "dappco.re/go/core/scm/forge"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // addOrgsCommand adds the 'orgs' subcommand for listing organisations.

cmd/forge/cmd_prs.go

@@ -1,13 +1,15 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
-	"fmt"
-	"strings"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 
 	forgejo "codeberg.org/mvdkleijn/forgejo-sdk/forgejo/v2"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	fg "dappco.re/go/core/scm/forge"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // PRs command flags.

cmd/forge/cmd_repos.go

@@ -1,12 +1,14 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 
 	forgejo "codeberg.org/mvdkleijn/forgejo-sdk/forgejo/v2"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	fg "dappco.re/go/core/scm/forge"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // Repos command flags.

cmd/forge/cmd_status.go

@@ -1,10 +1,12 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	fg "dappco.re/go/core/scm/forge"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // addStatusCommand adds the 'status' subcommand for instance info.

cmd/forge/cmd_sync.go

@@ -1,17 +1,21 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
-	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
+	filepath "dappco.re/go/core/scm/internal/ax/filepathx"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	os "dappco.re/go/core/scm/internal/ax/osx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
+	exec "golang.org/x/sys/execabs"
+	"net/url"
+
+	coreerr "dappco.re/go/core/log"
+	"dappco.re/go/core/scm/agentci"
+	fg "dappco.re/go/core/scm/forge"
 
 	forgejo "codeberg.org/mvdkleijn/forgejo-sdk/forgejo/v2"
-
 	"forge.lthn.ai/core/cli/pkg/cli"
-	coreerr "dappco.re/go/core/log"
-	fg "dappco.re/go/core/scm/forge"
 )
 
 // Sync command flags.
@@ -95,11 +99,14 @@ func buildSyncRepoList(client *fg.Client, args []string, basePath string) ([]syn
 
 	if len(args) > 0 {
 		for _, arg := range args {
-			name := arg
-			if parts := strings.SplitN(arg, "/", 2); len(parts) == 2 {
-				name = parts[1]
+			name, err := syncRepoNameFromArg(arg)
+			if err != nil {
+				return nil, coreerr.E("forge.buildSyncRepoList", "invalid repo argument", err)
+			}
+			_, localPath, err := agentci.ResolvePathWithinRoot(basePath, name)
+			if err != nil {
+				return nil, coreerr.E("forge.buildSyncRepoList", "resolve local path", err)
 			}
-			localPath := filepath.Join(basePath, name)
 			branch := syncDetectDefaultBranch(localPath)
 			repos = append(repos, syncRepoEntry{
 				name:          name,
@@ -113,10 +120,17 @@ func buildSyncRepoList(client *fg.Client, args []string, basePath string) ([]syn
 			return nil, err
 		}
 		for _, r := range orgRepos {
-			localPath := filepath.Join(basePath, r.Name)
+			name, err := agentci.ValidatePathElement(r.Name)
+			if err != nil {
+				return nil, coreerr.E("forge.buildSyncRepoList", "invalid repo name from org list", err)
+			}
+			_, localPath, err := agentci.ResolvePathWithinRoot(basePath, name)
+			if err != nil {
+				return nil, coreerr.E("forge.buildSyncRepoList", "resolve local path", err)
+			}
 			branch := syncDetectDefaultBranch(localPath)
 			repos = append(repos, syncRepoEntry{
-				name:          r.Name,
+				name:          name,
 				localPath:     localPath,
 				defaultBranch: branch,
 			})
@@ -333,3 +347,27 @@ func syncCreateMainFromUpstream(client *fg.Client, org, repo string) error {
 
 	return nil
 }
+
+func syncRepoNameFromArg(arg string) (string, error) {
+	decoded, err := url.PathUnescape(arg)
+	if err != nil {
+		return "", coreerr.E("forge.syncRepoNameFromArg", "decode repo argument", err)
+	}
+
+	parts := strings.Split(decoded, "/")
+	switch len(parts) {
+	case 1:
+		return agentci.ValidatePathElement(parts[0])
+	case 2:
+		if _, err := agentci.ValidatePathElement(parts[0]); err != nil {
+			return "", coreerr.E("forge.syncRepoNameFromArg", "invalid repo owner", err)
+		}
+		name, err := agentci.ValidatePathElement(parts[1])
+		if err != nil {
+			return "", coreerr.E("forge.syncRepoNameFromArg", "invalid repo name", err)
+		}
+		return name, nil
+	default:
+		return "", coreerr.E("forge.syncRepoNameFromArg", "repo argument must be repo or owner/repo", nil)
+	}
+}

cmd/forge/cmd_sync_test.go

@@ -0,0 +1,53 @@
+package forge
+
+import (
+	filepath "dappco.re/go/core/scm/internal/ax/filepathx"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBuildSyncRepoList_Good(t *testing.T) {
+	basePath := filepath.Join(t.TempDir(), "repos")
+
+	repos, err := buildSyncRepoList(nil, []string{"host-uk/core"}, basePath)
+	require.NoError(t, err)
+	require.Len(t, repos, 1)
+	assert.Equal(t, "core", repos[0].name)
+	assert.Equal(t, filepath.Join(basePath, "core"), repos[0].localPath)
+}
+
+func TestBuildSyncRepoList_Bad_PathTraversal(t *testing.T) {
+	basePath := filepath.Join(t.TempDir(), "repos")
+
+	_, err := buildSyncRepoList(nil, []string{"../escape"}, basePath)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid repo argument")
+}
+
+func TestBuildSyncRepoList_Good_OwnerRepo(t *testing.T) {
+	basePath := filepath.Join(t.TempDir(), "repos")
+
+	repos, err := buildSyncRepoList(nil, []string{"Host-UK/core"}, basePath)
+	require.NoError(t, err)
+	require.Len(t, repos, 1)
+	assert.Equal(t, "core", repos[0].name)
+	assert.Equal(t, filepath.Join(basePath, "core"), repos[0].localPath)
+}
+
+func TestBuildSyncRepoList_Bad_PathTraversal_OwnerRepo(t *testing.T) {
+	basePath := filepath.Join(t.TempDir(), "repos")
+
+	_, err := buildSyncRepoList(nil, []string{"host-uk/../escape"}, basePath)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid repo argument")
+}
+
+func TestBuildSyncRepoList_Bad_PathTraversal_OwnerRepoEncoded(t *testing.T) {
+	basePath := filepath.Join(t.TempDir(), "repos")
+
+	_, err := buildSyncRepoList(nil, []string{"host-uk%2F..%2Fescape"}, basePath)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid repo argument")
+}

cmd/forge/helpers.go

@@ -1,8 +1,10 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 	"path"
-	"strings"
 
 	"forge.lthn.ai/core/cli/pkg/cli"
 )

cmd/gitea/cmd_config.go

@@ -1,10 +1,12 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package gitea
 
 import (
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	gt "dappco.re/go/core/scm/gitea"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // Config command flags.

cmd/gitea/cmd_gitea.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 // Package gitea provides CLI commands for managing a Gitea instance.
 //
 // Commands:
@@ -30,6 +32,7 @@ var (
 )
 
 // AddGiteaCommands registers the 'gitea' command and all subcommands.
+//
 func AddGiteaCommands(root *cli.Command) {
 	giteaCmd := &cli.Command{
 		Use:   "gitea",

cmd/gitea/cmd_issues.go

@@ -1,13 +1,15 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package gitea
 
 import (
-	"fmt"
-	"strings"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 
 	"code.gitea.io/sdk/gitea"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	gt "dappco.re/go/core/scm/gitea"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // Issues command flags.

cmd/gitea/cmd_mirror.go

@@ -1,12 +1,14 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package gitea
 
 import (
-	"fmt"
-	"os/exec"
-	"strings"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
+	exec "golang.org/x/sys/execabs"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	gt "dappco.re/go/core/scm/gitea"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // Mirror command flags.

cmd/gitea/cmd_prs.go

@@ -1,13 +1,15 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package gitea
 
 import (
-	"fmt"
-	"strings"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 
 	sdk "code.gitea.io/sdk/gitea"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	gt "dappco.re/go/core/scm/gitea"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // PRs command flags.

cmd/gitea/cmd_repos.go

@@ -1,10 +1,12 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package gitea
 
 import (
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	gt "dappco.re/go/core/scm/gitea"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 // Repos command flags.

cmd/gitea/cmd_sync.go

@@ -1,17 +1,21 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package gitea
 
 import (
-	"fmt"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
+	filepath "dappco.re/go/core/scm/internal/ax/filepathx"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	os "dappco.re/go/core/scm/internal/ax/osx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
+	exec "golang.org/x/sys/execabs"
+	"net/url"
+
+	coreerr "dappco.re/go/core/log"
+	"dappco.re/go/core/scm/agentci"
+	gt "dappco.re/go/core/scm/gitea"
 
 	"code.gitea.io/sdk/gitea"
-
 	"forge.lthn.ai/core/cli/pkg/cli"
-	coreerr "dappco.re/go/core/log"
-	gt "dappco.re/go/core/scm/gitea"
 )
 
 // Sync command flags.
@@ -96,12 +100,14 @@ func buildRepoList(client *gt.Client, args []string, basePath string) ([]repoEnt
 	if len(args) > 0 {
 		// Specific repos from args
 		for _, arg := range args {
-			name := arg
-			// Strip owner/ prefix if given
-			if parts := strings.SplitN(arg, "/", 2); len(parts) == 2 {
-				name = parts[1]
+			name, err := repoNameFromArg(arg)
+			if err != nil {
+				return nil, coreerr.E("gitea.buildRepoList", "invalid repo argument", err)
+			}
+			_, localPath, err := agentci.ResolvePathWithinRoot(basePath, name)
+			if err != nil {
+				return nil, coreerr.E("gitea.buildRepoList", "resolve local path", err)
 			}
-			localPath := filepath.Join(basePath, name)
 			branch := detectDefaultBranch(localPath)
 			repos = append(repos, repoEntry{
 				name:          name,
@@ -116,10 +122,17 @@ func buildRepoList(client *gt.Client, args []string, basePath string) ([]repoEnt
 			return nil, err
 		}
 		for _, r := range orgRepos {
-			localPath := filepath.Join(basePath, r.Name)
+			name, err := agentci.ValidatePathElement(r.Name)
+			if err != nil {
+				return nil, coreerr.E("gitea.buildRepoList", "invalid repo name from org list", err)
+			}
+			_, localPath, err := agentci.ResolvePathWithinRoot(basePath, name)
+			if err != nil {
+				return nil, coreerr.E("gitea.buildRepoList", "resolve local path", err)
+			}
 			branch := detectDefaultBranch(localPath)
 			repos = append(repos, repoEntry{
-				name:          r.Name,
+				name:          name,
 				localPath:     localPath,
 				defaultBranch: branch,
 			})
@@ -352,3 +365,27 @@ func createMainFromUpstream(client *gt.Client, org, repo string) error {
 }
 
 func strPtr(s string) *string { return &s }
+
+func repoNameFromArg(arg string) (string, error) {
+	decoded, err := url.PathUnescape(arg)
+	if err != nil {
+		return "", coreerr.E("gitea.repoNameFromArg", "decode repo argument", err)
+	}
+
+	parts := strings.Split(decoded, "/")
+	switch len(parts) {
+	case 1:
+		return agentci.ValidatePathElement(parts[0])
+	case 2:
+		if _, err := agentci.ValidatePathElement(parts[0]); err != nil {
+			return "", coreerr.E("gitea.repoNameFromArg", "invalid repo owner", err)
+		}
+		name, err := agentci.ValidatePathElement(parts[1])
+		if err != nil {
+			return "", coreerr.E("gitea.repoNameFromArg", "invalid repo name", err)
+		}
+		return name, nil
+	default:
+		return "", coreerr.E("gitea.repoNameFromArg", "repo argument must be repo or owner/repo", nil)
+	}
+}

cmd/gitea/cmd_sync_test.go

@@ -0,0 +1,53 @@
+package gitea
+
+import (
+	filepath "dappco.re/go/core/scm/internal/ax/filepathx"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBuildRepoList_Good(t *testing.T) {
+	basePath := filepath.Join(t.TempDir(), "repos")
+
+	repos, err := buildRepoList(nil, []string{"host-uk/core"}, basePath)
+	require.NoError(t, err)
+	require.Len(t, repos, 1)
+	assert.Equal(t, "core", repos[0].name)
+	assert.Equal(t, filepath.Join(basePath, "core"), repos[0].localPath)
+}
+
+func TestBuildRepoList_Bad_PathTraversal(t *testing.T) {
+	basePath := filepath.Join(t.TempDir(), "repos")
+
+	_, err := buildRepoList(nil, []string{"../escape"}, basePath)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid repo argument")
+}
+
+func TestBuildRepoList_Good_OwnerRepo(t *testing.T) {
+	basePath := filepath.Join(t.TempDir(), "repos")
+
+	repos, err := buildRepoList(nil, []string{"Host-UK/core"}, basePath)
+	require.NoError(t, err)
+	require.Len(t, repos, 1)
+	assert.Equal(t, "core", repos[0].name)
+	assert.Equal(t, filepath.Join(basePath, "core"), repos[0].localPath)
+}
+
+func TestBuildRepoList_Bad_PathTraversal_OwnerRepo(t *testing.T) {
+	basePath := filepath.Join(t.TempDir(), "repos")
+
+	_, err := buildRepoList(nil, []string{"host-uk/../escape"}, basePath)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid repo argument")
+}
+
+func TestBuildRepoList_Bad_PathTraversal_OwnerRepoEncoded(t *testing.T) {
+	basePath := filepath.Join(t.TempDir(), "repos")
+
+	_, err := buildRepoList(nil, []string{"host-uk%2F..%2Fescape"}, basePath)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid repo argument")
+}

cmd/scm/cmd_compile.go

@@ -1,14 +1,16 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package scm
 
 import (
 	"crypto/ed25519"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 	"encoding/hex"
-	"os/exec"
-	"strings"
+	exec "golang.org/x/sys/execabs"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	"dappco.re/go/core/io"
 	"dappco.re/go/core/scm/manifest"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 func addCompileCommand(parent *cli.Command) {

cmd/scm/cmd_export.go

@@ -1,11 +1,13 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package scm
 
 import (
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	"dappco.re/go/core/io"
 	"dappco.re/go/core/scm/manifest"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 func addExportCommand(parent *cli.Command) {

cmd/scm/cmd_index.go

@@ -1,11 +1,13 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package scm
 
 import (
-	"fmt"
-	"path/filepath"
+	filepath "dappco.re/go/core/scm/internal/ax/filepathx"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 
-	"forge.lthn.ai/core/cli/pkg/cli"
 	"dappco.re/go/core/scm/marketplace"
+	"forge.lthn.ai/core/cli/pkg/cli"
 )
 
 func addIndexCommand(parent *cli.Command) {

cmd/scm/cmd_scm.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 // Package scm provides CLI commands for manifest compilation and marketplace
 // index generation.
 //
@@ -25,6 +27,7 @@ var (
 )
 
 // AddScmCommands registers the 'scm' command and all subcommands.
+//
 func AddScmCommands(root *cli.Command) {
 	scmCmd := &cli.Command{
 		Use:   "scm",

collect/bitcointalk.go

@@ -1,12 +1,14 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
 	"context"
-	"fmt"
+	filepath "dappco.re/go/core/scm/internal/ax/filepathx"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 	"iter"
 	"net/http"
-	"path/filepath"
-	"strings"
 	"time"
 
 	core "dappco.re/go/core/log"
@@ -20,6 +22,7 @@ var httpClient = &http.Client{
 }
 
 // BitcoinTalkCollector collects forum posts from BitcoinTalk.
+//
 type BitcoinTalkCollector struct {
 	// TopicID is the numeric topic identifier.
 	TopicID string
@@ -281,6 +284,7 @@ func formatPostMarkdown(num int, post btPost) string {
 
 // ParsePostsFromHTML parses BitcoinTalk posts from raw HTML content.
 // This is exported for testing purposes.
+//
 func ParsePostsFromHTML(htmlContent string) ([]btPost, error) {
 	doc, err := html.Parse(strings.NewReader(htmlContent))
 	if err != nil {
@@ -290,14 +294,17 @@ func ParsePostsFromHTML(htmlContent string) ([]btPost, error) {
 }
 
 // FormatPostMarkdown is exported for testing purposes.
+//
 func FormatPostMarkdown(num int, author, date, content string) string {
 	return formatPostMarkdown(num, btPost{Author: author, Date: date, Content: content})
 }
 
 // FetchPageFunc is an injectable function type for fetching pages, used in testing.
+//
 type FetchPageFunc func(ctx context.Context, url string) ([]btPost, error)
 
 // BitcoinTalkCollectorWithFetcher wraps BitcoinTalkCollector with a custom fetcher for testing.
+//
 type BitcoinTalkCollectorWithFetcher struct {
 	BitcoinTalkCollector
 	Fetcher FetchPageFunc
@@ -305,6 +312,7 @@ type BitcoinTalkCollectorWithFetcher struct {
 
 // SetHTTPClient replaces the package-level HTTP client.
 // Use this in tests to inject a custom transport or timeout.
+//
 func SetHTTPClient(c *http.Client) {
 	httpClient = c
 }

collect/bitcointalk_http_test.go

@@ -2,10 +2,10 @@ package collect
 
 import (
 	"context"
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 	"net/http"
 	"net/http/httptest"
-	"strings"
 	"testing"
 
 	"dappco.re/go/core/io"

collect/collect.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 // Package collect provides a data collection subsystem for gathering information
 // from multiple sources including GitHub, BitcoinTalk, CoinGecko, and academic
 // paper repositories. It supports rate limiting, incremental state tracking,
@@ -6,12 +8,13 @@ package collect
 
 import (
 	"context"
-	"path/filepath"
+	filepath "dappco.re/go/core/scm/internal/ax/filepathx"
 
 	"dappco.re/go/core/io"
 )
 
 // Collector is the interface all collection sources implement.
+//
 type Collector interface {
 	// Name returns a human-readable name for this collector.
 	Name() string
@@ -21,6 +24,7 @@ type Collector interface {
 }
 
 // Config holds shared configuration for all collectors.
+//
 type Config struct {
 	// Output is the storage medium for writing collected data.
 	Output io.Medium
@@ -45,6 +49,7 @@ type Config struct {
 }
 
 // Result holds the output of a collection run.
+//
 type Result struct {
 	// Source identifies which collector produced this result.
 	Source string
@@ -65,6 +70,7 @@ type Result struct {
 // NewConfig creates a Config with sensible defaults.
 // It initialises a MockMedium for output if none is provided,
 // sets up a rate limiter, state tracker, and event dispatcher.
+//
 func NewConfig(outputDir string) *Config {
 	m := io.NewMockMedium()
 	return &Config{
@@ -77,6 +83,7 @@ func NewConfig(outputDir string) *Config {
 }
 
 // NewConfigWithMedium creates a Config using the specified storage medium.
+//
 func NewConfigWithMedium(m io.Medium, outputDir string) *Config {
 	return &Config{
 		Output:     m,
@@ -88,6 +95,7 @@ func NewConfigWithMedium(m io.Medium, outputDir string) *Config {
 }
 
 // MergeResults combines multiple results into a single aggregated result.
+//
 func MergeResults(source string, results ...*Result) *Result {
 	merged := &Result{Source: source}
 	for _, r := range results {

collect/coverage_boost_test.go

@@ -2,7 +2,7 @@ package collect
 
 import (
 	"context"
-	"encoding/json"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
 	"net/http"
 	"net/http/httptest"
 	"testing"

collect/coverage_phase2_test.go

@@ -2,13 +2,14 @@ package collect
 
 import (
 	"context"
-	"encoding/json"
-	"fmt"
+	core "dappco.re/go/core"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 	goio "io"
 	"io/fs"
 	"net/http"
 	"net/http/httptest"
-	"strings"
 	"testing"
 	"time"
 
@@ -17,6 +18,14 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func testErr(msg string) error {
+	return core.E("collect.test", msg, nil)
+}
+
+func testErrf(format string, args ...any) error {
+	return core.E("collect.test", fmt.Sprintf(format, args...), nil)
+}
+
 // errorMedium wraps MockMedium and injects errors on specific operations.
 type errorMedium struct {
 	*io.MockMedium
@@ -59,7 +68,9 @@ func (e *errorMedium) Stat(path string) (fs.FileInfo, error)           { return
 func (e *errorMedium) Open(path string) (fs.File, error)            { return e.MockMedium.Open(path) }
 func (e *errorMedium) Create(path string) (goio.WriteCloser, error) { return e.MockMedium.Create(path) }
 func (e *errorMedium) Append(path string) (goio.WriteCloser, error) { return e.MockMedium.Append(path) }
-func (e *errorMedium) ReadStream(path string) (goio.ReadCloser, error) { return e.MockMedium.ReadStream(path) }
+func (e *errorMedium) ReadStream(path string) (goio.ReadCloser, error) {
+	return e.MockMedium.ReadStream(path)
+}
 func (e *errorMedium) WriteStream(path string) (goio.WriteCloser, error) {
 	return e.MockMedium.WriteStream(path)
 }
@@ -74,7 +85,7 @@ type errorLimiterWaiter struct{}
 // --- Processor: list error ---
 
 func TestProcessor_Process_Bad_ListError(t *testing.T) {
-	em := &errorMedium{MockMedium: io.NewMockMedium(), listErr: fmt.Errorf("list denied")}
+	em := &errorMedium{MockMedium: io.NewMockMedium(), listErr: testErr("list denied")}
 	cfg := &Config{Output: em, OutputDir: "/output", Dispatcher: NewDispatcher()}
 
 	p := &Processor{Source: "test", Dir: "/input"}
@@ -86,7 +97,7 @@ func TestProcessor_Process_Bad_ListError(t *testing.T) {
 // --- Processor: ensureDir error ---
 
 func TestProcessor_Process_Bad_EnsureDirError(t *testing.T) {
-	em := &errorMedium{MockMedium: io.NewMockMedium(), ensureDirErr: fmt.Errorf("mkdir denied")}
+	em := &errorMedium{MockMedium: io.NewMockMedium(), ensureDirErr: testErr("mkdir denied")}
 	// Need to ensure List returns entries
 	em.MockMedium.Dirs["/input"] = true
 	em.MockMedium.Files["/input/test.html"] = "<h1>Test</h1>"
@@ -121,7 +132,7 @@ func TestProcessor_Process_Bad_ContextCancelledDuringLoop(t *testing.T) {
 // --- Processor: read error during file processing ---
 
 func TestProcessor_Process_Bad_ReadError(t *testing.T) {
-	em := &errorMedium{MockMedium: io.NewMockMedium(), readErr: fmt.Errorf("read denied")}
+	em := &errorMedium{MockMedium: io.NewMockMedium(), readErr: testErr("read denied")}
 	em.MockMedium.Dirs["/input"] = true
 	em.MockMedium.Files["/input/test.html"] = "<h1>Test</h1>"
 
@@ -154,7 +165,7 @@ func TestProcessor_Process_Bad_InvalidJSONFile(t *testing.T) {
 // --- Processor: write error during output ---
 
 func TestProcessor_Process_Bad_WriteError(t *testing.T) {
-	em := &errorMedium{MockMedium: io.NewMockMedium(), writeErr: fmt.Errorf("disk full")}
+	em := &errorMedium{MockMedium: io.NewMockMedium(), writeErr: testErr("disk full")}
 	em.MockMedium.Dirs["/input"] = true
 	em.MockMedium.Files["/input/page.html"] = "<h1>Title</h1>"
 
@@ -255,7 +266,7 @@ func TestPapersCollector_CollectIACR_Bad_WriteError(t *testing.T) {
 	httpClient = &http.Client{Transport: transport}
 	defer func() { httpClient = old }()
 
-	em := &errorMedium{MockMedium: io.NewMockMedium(), writeErr: fmt.Errorf("disk full")}
+	em := &errorMedium{MockMedium: io.NewMockMedium(), writeErr: testErr("disk full")}
 	cfg := &Config{Output: em, OutputDir: "/output", Dispatcher: NewDispatcher()}
 	cfg.Limiter = nil
 
@@ -279,7 +290,7 @@ func TestPapersCollector_CollectIACR_Bad_EnsureDirError(t *testing.T) {
 	httpClient = &http.Client{Transport: transport}
 	defer func() { httpClient = old }()
 
-	em := &errorMedium{MockMedium: io.NewMockMedium(), ensureDirErr: fmt.Errorf("mkdir denied")}
+	em := &errorMedium{MockMedium: io.NewMockMedium(), ensureDirErr: testErr("mkdir denied")}
 	cfg := &Config{Output: em, OutputDir: "/output", Dispatcher: NewDispatcher()}
 	cfg.Limiter = nil
 
@@ -303,7 +314,7 @@ func TestPapersCollector_CollectArXiv_Bad_WriteError(t *testing.T) {
 	httpClient = &http.Client{Transport: transport}
 	defer func() { httpClient = old }()
 
-	em := &errorMedium{MockMedium: io.NewMockMedium(), writeErr: fmt.Errorf("disk full")}
+	em := &errorMedium{MockMedium: io.NewMockMedium(), writeErr: testErr("disk full")}
 	cfg := &Config{Output: em, OutputDir: "/output", Dispatcher: NewDispatcher()}
 	cfg.Limiter = nil
 
@@ -327,7 +338,7 @@ func TestPapersCollector_CollectArXiv_Bad_EnsureDirError(t *testing.T) {
 	httpClient = &http.Client{Transport: transport}
 	defer func() { httpClient = old }()
 
-	em := &errorMedium{MockMedium: io.NewMockMedium(), ensureDirErr: fmt.Errorf("mkdir denied")}
+	em := &errorMedium{MockMedium: io.NewMockMedium(), ensureDirErr: testErr("mkdir denied")}
 	cfg := &Config{Output: em, OutputDir: "/output", Dispatcher: NewDispatcher()}
 	cfg.Limiter = nil
 
@@ -453,7 +464,7 @@ func TestMarketCollector_Collect_Bad_WriteError(t *testing.T) {
 	coinGeckoBaseURL = server.URL
 	defer func() { coinGeckoBaseURL = oldURL }()
 
-	em := &errorMedium{MockMedium: io.NewMockMedium(), writeErr: fmt.Errorf("disk full")}
+	em := &errorMedium{MockMedium: io.NewMockMedium(), writeErr: testErr("disk full")}
 	cfg := &Config{Output: em, OutputDir: "/output", Dispatcher: NewDispatcher()}
 	cfg.Limiter = nil
 
@@ -477,7 +488,7 @@ func TestMarketCollector_Collect_Bad_EnsureDirError(t *testing.T) {
 	coinGeckoBaseURL = server.URL
 	defer func() { coinGeckoBaseURL = oldURL }()
 
-	em := &errorMedium{MockMedium: io.NewMockMedium(), ensureDirErr: fmt.Errorf("mkdir denied")}
+	em := &errorMedium{MockMedium: io.NewMockMedium(), ensureDirErr: testErr("mkdir denied")}
 	cfg := &Config{Output: em, OutputDir: "/output", Dispatcher: NewDispatcher()}
 	cfg.Limiter = nil
 
@@ -552,7 +563,7 @@ func TestMarketCollector_Collect_Good_HistoricalCustomDate(t *testing.T) {
 // --- BitcoinTalk: EnsureDir error ---
 
 func TestBitcoinTalkCollector_Collect_Bad_EnsureDirError(t *testing.T) {
-	em := &errorMedium{MockMedium: io.NewMockMedium(), ensureDirErr: fmt.Errorf("mkdir denied")}
+	em := &errorMedium{MockMedium: io.NewMockMedium(), ensureDirErr: testErr("mkdir denied")}
 	cfg := &Config{Output: em, OutputDir: "/output", Dispatcher: NewDispatcher()}
 	cfg.Limiter = nil
 
@@ -592,7 +603,7 @@ func TestBitcoinTalkCollector_Collect_Bad_WriteErrorOnPosts(t *testing.T) {
 	httpClient = &http.Client{Transport: transport}
 	defer func() { httpClient = old }()
 
-	em := &errorMedium{MockMedium: io.NewMockMedium(), writeErr: fmt.Errorf("disk full")}
+	em := &errorMedium{MockMedium: io.NewMockMedium(), writeErr: testErr("disk full")}
 	cfg := &Config{Output: em, OutputDir: "/output", Dispatcher: NewDispatcher()}
 	cfg.Limiter = nil
 
@@ -975,7 +986,7 @@ type writeCountMedium struct {
 func (w *writeCountMedium) Write(path, content string) error {
 	w.writeCount++
 	if w.writeCount > w.failAfterN {
-		return fmt.Errorf("write %d: disk full", w.writeCount)
+		return testErrf("write %d: disk full", w.writeCount)
 	}
 	return w.MockMedium.Write(path, content)
 }
@@ -984,16 +995,26 @@ func (w *writeCountMedium) Read(path string) (string, error)         { return w.
 func (w *writeCountMedium) List(path string) ([]fs.DirEntry, error) { return w.MockMedium.List(path) }
 func (w *writeCountMedium) IsFile(path string) bool                 { return w.MockMedium.IsFile(path) }
 func (w *writeCountMedium) FileGet(path string) (string, error)     { return w.MockMedium.FileGet(path) }
-func (w *writeCountMedium) FileSet(path, content string) error       { return w.MockMedium.FileSet(path, content) }
+func (w *writeCountMedium) FileSet(path, content string) error {
+	return w.MockMedium.FileSet(path, content)
+}
 func (w *writeCountMedium) Delete(path string) error              { return w.MockMedium.Delete(path) }
 func (w *writeCountMedium) DeleteAll(path string) error           { return w.MockMedium.DeleteAll(path) }
 func (w *writeCountMedium) Rename(old, new string) error          { return w.MockMedium.Rename(old, new) }
 func (w *writeCountMedium) Stat(path string) (fs.FileInfo, error) { return w.MockMedium.Stat(path) }
 func (w *writeCountMedium) Open(path string) (fs.File, error)     { return w.MockMedium.Open(path) }
-func (w *writeCountMedium) Create(path string) (goio.WriteCloser, error) { return w.MockMedium.Create(path) }
-func (w *writeCountMedium) Append(path string) (goio.WriteCloser, error) { return w.MockMedium.Append(path) }
-func (w *writeCountMedium) ReadStream(path string) (goio.ReadCloser, error) { return w.MockMedium.ReadStream(path) }
-func (w *writeCountMedium) WriteStream(path string) (goio.WriteCloser, error) { return w.MockMedium.WriteStream(path) }
+func (w *writeCountMedium) Create(path string) (goio.WriteCloser, error) {
+	return w.MockMedium.Create(path)
+}
+func (w *writeCountMedium) Append(path string) (goio.WriteCloser, error) {
+	return w.MockMedium.Append(path)
+}
+func (w *writeCountMedium) ReadStream(path string) (goio.ReadCloser, error) {
+	return w.MockMedium.ReadStream(path)
+}
+func (w *writeCountMedium) WriteStream(path string) (goio.WriteCloser, error) {
+	return w.MockMedium.WriteStream(path)
+}
 func (w *writeCountMedium) Exists(path string) bool { return w.MockMedium.Exists(path) }
 func (w *writeCountMedium) IsDir(path string) bool  { return w.MockMedium.IsDir(path) }
 
@@ -1075,7 +1096,7 @@ func TestMarketCollector_Collect_Bad_HistoricalWriteError(t *testing.T) {
 // --- State: Save write error ---
 
 func TestState_Save_Bad_WriteError(t *testing.T) {
-	em := &errorMedium{MockMedium: io.NewMockMedium(), writeErr: fmt.Errorf("disk full")}
+	em := &errorMedium{MockMedium: io.NewMockMedium(), writeErr: testErr("disk full")}
 	s := NewState(em, "/state.json")
 	s.Set("test", &StateEntry{Source: "test", Items: 1})
 
@@ -1134,7 +1155,7 @@ func TestBitcoinTalkCollector_Collect_Good_ZeroPostsPage(t *testing.T) {
 // --- Excavator: state save error after collection ---
 
 func TestExcavator_Run_Bad_StateSaveError(t *testing.T) {
-	em := &errorMedium{MockMedium: io.NewMockMedium(), writeErr: fmt.Errorf("state write failed")}
+	em := &errorMedium{MockMedium: io.NewMockMedium(), writeErr: testErr("state write failed")}
 	cfg := &Config{
 		Output:     io.NewMockMedium(), // Use regular medium for output
 		OutputDir:  "/output",
@@ -1158,7 +1179,7 @@ func TestExcavator_Run_Bad_StateSaveError(t *testing.T) {
 // --- State: Load with read error ---
 
 func TestState_Load_Bad_ReadError(t *testing.T) {
-	em := &errorMedium{MockMedium: io.NewMockMedium(), readErr: fmt.Errorf("read denied")}
+	em := &errorMedium{MockMedium: io.NewMockMedium(), readErr: testErr("read denied")}
 	em.MockMedium.Files["/state.json"] = "{}" // File exists but read will fail
 
 	s := NewState(em, "/state.json")

collect/events.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
@@ -8,22 +10,28 @@ import (
 // Event types used by the collection subsystem.
 const (
 	// EventStart is emitted when a collector begins its run.
+	//
 	EventStart = "start"
 
 	// EventProgress is emitted to report incremental progress.
+	//
 	EventProgress = "progress"
 
 	// EventItem is emitted when a single item is collected.
+	//
 	EventItem = "item"
 
 	// EventError is emitted when an error occurs during collection.
+	//
 	EventError = "error"
 
 	// EventComplete is emitted when a collector finishes its run.
+	//
 	EventComplete = "complete"
 )
 
 // Event represents a collection event.
+//
 type Event struct {
 	// Type is one of the Event* constants.
 	Type string `json:"type"`
@@ -42,16 +50,19 @@ type Event struct {
 }
 
 // EventHandler handles collection events.
+//
 type EventHandler func(Event)
 
 // Dispatcher manages event dispatch. Handlers are registered per event type
 // and are called synchronously when an event is emitted.
+//
 type Dispatcher struct {
 	mu       sync.RWMutex
 	handlers map[string][]EventHandler
 }
 
 // NewDispatcher creates a new event dispatcher.
+//
 func NewDispatcher() *Dispatcher {
 	return &Dispatcher{
 		handlers: make(map[string][]EventHandler),

collect/excavate.go

@@ -1,8 +1,10 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
 	"context"
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 	"time"
 
 	core "dappco.re/go/core/log"
@@ -11,6 +13,7 @@ import (
 // Excavator runs multiple collectors as a coordinated operation.
 // It provides sequential execution with rate limit respect, state tracking
 // for resume support, and aggregated results.
+//
 type Excavator struct {
 	// Collectors is the list of collectors to run.
 	Collectors []Collector

collect/excavate_test.go

@@ -2,7 +2,8 @@ package collect
 
 import (
 	"context"
-	"fmt"
+	core "dappco.re/go/core"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 	"testing"
 
 	"dappco.re/go/core/io"
@@ -126,7 +127,7 @@ func TestExcavator_Run_Good_WithErrors(t *testing.T) {
 	cfg.Limiter = nil
 
 	c1 := &mockCollector{name: "good", items: 5}
-	c2 := &mockCollector{name: "bad", err: fmt.Errorf("network error")}
+	c2 := &mockCollector{name: "bad", err: core.E("collect.mockCollector.Collect", "network error", nil)}
 	c3 := &mockCollector{name: "also-good", items: 3}
 
 	e := &Excavator{

collect/github.go

@@ -1,12 +1,14 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
 	"context"
-	"encoding/json"
-	"fmt"
-	"os/exec"
-	"path/filepath"
-	"strings"
+	filepath "dappco.re/go/core/scm/internal/ax/filepathx"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
+	exec "golang.org/x/sys/execabs"
 	"time"
 
 	core "dappco.re/go/core/log"
@@ -38,6 +40,7 @@ type ghRepo struct {
 }
 
 // GitHubCollector collects issues and PRs from GitHub repositories.
+//
 type GitHubCollector struct {
 	// Org is the GitHub organisation.
 	Org string

collect/market.go

@@ -1,12 +1,14 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
 	"context"
-	"encoding/json"
-	"fmt"
+	filepath "dappco.re/go/core/scm/internal/ax/filepathx"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 	"net/http"
-	"path/filepath"
-	"strings"
 	"time"
 
 	core "dappco.re/go/core/log"
@@ -17,6 +19,7 @@ import (
 var coinGeckoBaseURL = "https://api.coingecko.com/api/v3"
 
 // MarketCollector collects market data from CoinGecko.
+//
 type MarketCollector struct {
 	// CoinID is the CoinGecko coin identifier (e.g. "bitcoin", "ethereum").
 	CoinID string
@@ -272,6 +275,7 @@ func formatMarketSummary(data *coinData) string {
 }
 
 // FormatMarketSummary is exported for testing.
+//
 func FormatMarketSummary(data *coinData) string {
 	return formatMarketSummary(data)
 }

collect/market_extra_test.go

@@ -2,7 +2,7 @@ package collect
 
 import (
 	"context"
-	"encoding/json"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
 	"net/http"
 	"net/http/httptest"
 	"testing"

collect/market_test.go

@@ -2,7 +2,7 @@ package collect
 
 import (
 	"context"
-	"encoding/json"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
 	"net/http"
 	"net/http/httptest"
 	"testing"

collect/papers.go

@@ -1,14 +1,16 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
 	"context"
+	filepath "dappco.re/go/core/scm/internal/ax/filepathx"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 	"encoding/xml"
-	"fmt"
 	"iter"
 	"net/http"
 	"net/url"
-	"path/filepath"
-	"strings"
 
 	core "dappco.re/go/core/log"
 	"golang.org/x/net/html"
@@ -16,12 +18,16 @@ import (
 
 // Paper source identifiers.
 const (
+	//
 	PaperSourceIACR = "iacr"
+	//
 	PaperSourceArXiv = "arxiv"
+	//
 	PaperSourceAll = "all"
 )
 
 // PapersCollector collects papers from IACR and arXiv.
+//
 type PapersCollector struct {
 	// Source is one of PaperSourceIACR, PaperSourceArXiv, or PaperSourceAll.
 	Source string
@@ -403,6 +409,7 @@ func formatPaperMarkdown(ppr paper) string {
 }
 
 // FormatPaperMarkdown is exported for testing.
+//
 func FormatPaperMarkdown(title string, authors []string, date, paperURL, source, abstract string) string {
 	return formatPaperMarkdown(paper{
 		Title:    title,

collect/papers_http_test.go

@@ -2,9 +2,9 @@ package collect
 
 import (
 	"context"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 	"net/http"
 	"net/http/httptest"
-	"strings"
 	"testing"
 
 	"dappco.re/go/core/io"

collect/process.go

@@ -1,19 +1,22 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
 	"context"
-	"encoding/json"
-	"fmt"
+	filepath "dappco.re/go/core/scm/internal/ax/filepathx"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 	"maps"
-	"path/filepath"
 	"slices"
-	"strings"
 
 	core "dappco.re/go/core/log"
 	"golang.org/x/net/html"
 )
 
 // Processor converts collected data to clean markdown.
+//
 type Processor struct {
 	// Source identifies the data source directory to process.
 	Source string
@@ -331,11 +334,13 @@ func jsonValueToMarkdown(b *strings.Builder, data any, depth int) {
 }
 
 // HTMLToMarkdown is exported for testing.
+//
 func HTMLToMarkdown(content string) (string, error) {
 	return htmlToMarkdown(content)
 }
 
 // JSONToMarkdown is exported for testing.
+//
 func JSONToMarkdown(content string) (string, error) {
 	return jsonToMarkdown(content)
 }

collect/ratelimit.go

@@ -1,12 +1,14 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
 	"context"
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
+	exec "golang.org/x/sys/execabs"
 	"maps"
-	"os/exec"
 	"strconv"
-	"strings"
 	"sync"
 	"time"
 
@@ -14,6 +16,7 @@ import (
 )
 
 // RateLimiter tracks per-source rate limiting to avoid overwhelming APIs.
+//
 type RateLimiter struct {
 	mu     sync.Mutex
 	delays map[string]time.Duration
@@ -30,6 +33,7 @@ var defaultDelays = map[string]time.Duration{
 }
 
 // NewRateLimiter creates a limiter with default delays.
+//
 func NewRateLimiter() *RateLimiter {
 	delays := make(map[string]time.Duration, len(defaultDelays))
 	maps.Copy(delays, defaultDelays)

collect/state.go

@@ -1,17 +1,20 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package collect
 
 import (
-	"encoding/json"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
 	"sync"
 	"time"
 
-	core "dappco.re/go/core/log"
 	"dappco.re/go/core/io"
+	core "dappco.re/go/core/log"
 )
 
 // State tracks collection progress for incremental runs.
 // It persists entries to disk so that subsequent runs can resume
 // where they left off.
+//
 type State struct {
 	mu      sync.Mutex
 	medium  io.Medium
@@ -20,6 +23,7 @@ type State struct {
 }
 
 // StateEntry tracks state for one source.
+//
 type StateEntry struct {
 	// Source identifies the collector.
 	Source string `json:"source"`
@@ -39,6 +43,7 @@ type StateEntry struct {
 
 // NewState creates a state tracker that persists to the given path
 // using the provided storage medium.
+//
 func NewState(m io.Medium, path string) *State {
 	return &State{
 		medium:  m,

docs/verification-pass-2026-03-27.md

@@ -0,0 +1,141 @@
+# Verification Pass 2026-03-27
+
+- Repository note: `CODEX.md` was not present under `/workspace`; conventions were taken from `CLAUDE.md`.
+- Commands run: `go build ./...`, `go vet ./...`, `go test ./...`
+- Command status: all passed
+
+## Banned imports
+
+ZERO FINDINGS for banned imports: `os`, `os/exec`, `encoding/json`, `fmt`, `errors`, `strings`, `path/filepath`.
+
+## Test names not matching `TestFile_Function_{Good,Bad,Ugly}`
+
+597 findings across 67 files:
+
+```text
+agentci/config_test.go:23,46,67,85,102,120,127,140,162,177,185,205,223,237,257,270,277,295,302
+agentci/security_test.go:12,34,61,79,92,109
+cmd/forge/cmd_sync_test.go:11,21,29,39,47
+cmd/gitea/cmd_sync_test.go:11,21,29,39,47
+collect/bitcointalk_http_test.go:36,76,104,128,152,183,192,210,225
+collect/bitcointalk_test.go:16,21,30,42,73,79,87
+collect/collect_test.go:10,23,35,57,63
+collect/coverage_boost_test.go:18,34,50,62,79,92,109,120,125,130,141,151,176,198,230,264,275,283,291,298,305,313,322,330,335,343,351,358,368,384,400,419,434,452,457,481,497,508,517,533,557,572,592,611,625,639
+collect/coverage_phase2_test.go:87,99,115,134,149,167,182,202,216,232,257,281,305,329,353,388,416,444,480,503,530,565,578,594,619,633,646,665,692,718,738,751,764,778,797,807,817,826,835,846,856,866,876,886,896,928,945,962,1022,1059,1098,1110,1132,1157,1181,1193,1230,1246,1261,1300
+collect/events_test.go:44,57,72,88,129
+collect/excavate_extra_test.go:13,42,68,86,104
+collect/excavate_test.go:67,78,99,124,147,164,185
+collect/github_test.go:17,22,41,53,65,91
+collect/market_extra_test.go:15,59,101,140,175,200,232
+collect/market_test.go:19,28,40,95,145,167
+collect/papers_http_test.go:112,168,188,208,229,249,281,298,306
+collect/papers_test.go:16,21,26,35,44,56,75,83
+collect/process_extra_test.go:12,21,29,36,43,51,60,68,76,84,92,101,108,118,134,158,175
+collect/process_test.go:16,25,37,58,78,97,114,173,182,191,198
+collect/ratelimit_test.go:30,54,63,69,78
+collect/state_extra_test.go:11,27,43,56
+collect/state_test.go:76,89,98,126,138
+forge/client_test.go:16,28,64,92,100,124,135,159,185,211,225,263,326,356,387,409,435,441
+forge/config_test.go:19,28,39,50,61,71,77,85,100
+forge/issues_test.go:22,44,55,73,94,116,135,154,176,194,211,230,247
+forge/labels_test.go:27,45,63,72,81,91,111,127,144
+forge/meta_test.go:26,48,66
+forge/orgs_test.go:22,40,62
+forge/prs_test.go:22,30,38,61,79,96,105,133,142
+forge/repos_test.go:22,42,60,81,100,122
+forge/webhooks_test.go:26,46
+gitea/client_test.go:10,21
+gitea/config_test.go:18,27,38,49,59,69,75,83,95
+gitea/coverage_boost_test.go:15,26,35,44,90,124,176,220,239,264,294,306
+gitea/issues_test.go:22,44,55,73,94,115,137,155,166
+gitea/meta_test.go:26,48,66,77,103,115
+gitea/repos_test.go:22,42,60,69,79,89,106,127
+jobrunner/forgejo/source_test.go:38,109,155,162,166
+jobrunner/handlers/dispatch_test.go:38,50,63,76,88,100,120,145,210,232,255,276,302,339
+jobrunner/handlers/enable_auto_merge_test.go:29,42,84
+jobrunner/handlers/publish_draft_test.go:26,36
+jobrunner/handlers/resolve_threads_test.go:26
+jobrunner/handlers/send_fix_command_test.go:16,25,37,49
+jobrunner/handlers/tick_parent_test.go:26
+jobrunner/journal_test.go:116,198,233,249
+jobrunner/poller_test.go:121,152,193
+jobrunner/types_test.go:28
+manifest/compile_test.go:14,38,61,67,74,81,106,123,128,152,163,169
+manifest/loader_test.go:12,28,34,51
+manifest/manifest_test.go:10,49,67,127,135,146,157,205,210,215,220
+manifest/sign_test.go:11,32,44
+marketplace/builder_test.go:39,56,71,87,102,121,138,147,154,166,178,189,198,221
+marketplace/discovery_test.go:25,59,84,105,122,130,136,147,195,234
+marketplace/installer_test.go:78,104,125,142,166,189,212,223,243,270,281,309
+marketplace/marketplace_test.go:10,26,38,50,61
+pkg/api/provider_handlers_test.go:20,47,66,79,90,105,118,131,142,155,169,183
+pkg/api/provider_security_test.go:12,18,23
+pkg/api/provider_test.go:92,116,167,181,200,230
+plugin/installer_test.go:14,26,36,47,60,81,95,105,120,132,140,148,156,162,168,174,180,186,192,198,204
+plugin/loader_test.go:46,71,92,123,132
+plugin/manifest_test.go:10,33,50,58,78,89,100
+plugin/plugin_test.go:10,25,37
+plugin/registry_test.go:28,69,78,129,138,149,160,173
+repos/gitstate_test.go:14,50,61,110,132,158,178,189,199,204,210
+repos/kbconfig_test.go:13,48,57,76,93
+repos/registry_test.go:13,40,72,93,120,127,181,201,209,243,266,286,309,334,350,363,373,382,390,398,403,411,421,427,474,481
+repos/workconfig_test.go:14,51,60,79,97,102
+```
+
+## Exported functions missing usage-example comments
+
+199 findings across 51 files:
+
+```text
+agentci/clotho.go:39,61,71,90
+collect/bitcointalk.go:37,46
+collect/events.go:72,81,96,105,115,125,135
+collect/excavate.go:27,33
+collect/github.go:57,65
+collect/market.go:33,67
+collect/papers.go:41,57
+collect/process.go:27,33
+collect/ratelimit.go:46,80,87,100,107
+collect/state.go:55,81,99,112
+forge/client.go:37,40,43,46,55,69
+forge/issues.go:21,56,66,76,86,97,130,164,174,185,209
+forge/labels.go:15,31,55,65,81,94,105
+forge/meta.go:43,100,139
+forge/orgs.go:10,34,44
+forge/prs.go:18,43,84,108,117
+forge/repos.go:12,36,61,85,110,120,130,141
+forge/webhooks.go:10,20
+git/git.go:32,37,42,283,293
+git/service.go:75,113,116,121,132,145,156
+gitea/client.go:36,39
+gitea/issues.go:20,52,62,72,105,139
+gitea/meta.go:43,101,141
+gitea/repos.go:12,36,61,85,110,122,145,155
+internal/ax/stdio/stdio.go:12,24
+jobrunner/forgejo/source.go:36,42,65
+jobrunner/handlers/completion.go:33,38,43
+jobrunner/handlers/dispatch.go:76,82,91
+jobrunner/handlers/enable_auto_merge.go:25,31,40
+jobrunner/handlers/publish_draft.go:25,30,37
+jobrunner/handlers/resolve_threads.go:30,35,40
+jobrunner/handlers/send_fix_command.go:26,32,46
+jobrunner/handlers/tick_parent.go:30,35,41
+jobrunner/journal.go:98
+jobrunner/poller.go:51,58,65,72,79,88,110
+jobrunner/types.go:37,42
+manifest/manifest.go:46,79,95
+marketplace/builder.go:35
+marketplace/discovery.go:132,140,145,151,160
+marketplace/installer.go:53,115,133,179
+marketplace/marketplace.go:39,53,64
+pkg/api/provider.go:61,64,67,75,86,108
+plugin/installer.go:35,99,133
+plugin/loader.go:28,53
+plugin/manifest.go:41
+plugin/plugin.go:44,47,50,53,56
+plugin/registry.go:35,48,54,63,78,105
+repos/gitstate.go:101,106,111,120,131,144,162
+repos/kbconfig.go:116,121
+repos/registry.go:255,265,271,283,325,330
+repos/workconfig.go:104
+```

forge/client.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 // Package forge provides a thin wrapper around the Forgejo Go SDK
 // for managing repositories, issues, and pull requests on a Forgejo instance.
 //
@@ -15,6 +17,7 @@ import (
 )
 
 // Client wraps the Forgejo SDK client with config-based auth.
+//
 type Client struct {
 	api   *forgejo.Client
 	url   string
@@ -22,6 +25,7 @@ type Client struct {
 }
 
 // New creates a new Forgejo API client for the given URL and token.
+//
 func New(url, token string) (*Client, error) {
 	api, err := forgejo.NewClient(url, forgejo.SetToken(token))
 	if err != nil {

forge/client_test.go

@@ -1,8 +1,8 @@
 package forge
 
 import (
-	"encoding/json"
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -132,7 +132,7 @@ func TestClient_SetPRDraft_Bad_ConnectionRefused(t *testing.T) {
 	assert.Error(t, err)
 }
 
-func TestClient_SetPRDraft_URLConstruction(t *testing.T) {
+func TestClient_SetPRDraft_Good_URLConstruction(t *testing.T) {
 	// Verify the URL is constructed correctly by checking the request path.
 	var capturedPath string
 	mux := http.NewServeMux()
@@ -156,7 +156,7 @@ func TestClient_SetPRDraft_URLConstruction(t *testing.T) {
 	assert.Equal(t, "/api/v1/repos/my-org/my-repo/pulls/42", capturedPath)
 }
 
-func TestClient_SetPRDraft_AuthHeader(t *testing.T) {
+func TestClient_SetPRDraft_Good_AuthHeader(t *testing.T) {
 	// Verify the authorisation header is set correctly.
 	var capturedAuth string
 	mux := http.NewServeMux()
@@ -182,7 +182,7 @@ func TestClient_SetPRDraft_AuthHeader(t *testing.T) {
 
 // --- PRMeta and Comment struct tests ---
 
-func TestPRMeta_Fields(t *testing.T) {
+func TestPRMeta_Good_Fields(t *testing.T) {
 	meta := &PRMeta{
 		Number:       42,
 		Title:        "Test PR",
@@ -208,7 +208,7 @@ func TestPRMeta_Fields(t *testing.T) {
 	assert.Equal(t, 5, meta.CommentCount)
 }
 
-func TestComment_Fields(t *testing.T) {
+func TestComment_Good_Fields(t *testing.T) {
 	comment := Comment{
 		ID:     123,
 		Author: "reviewer",
@@ -222,7 +222,7 @@ func TestComment_Fields(t *testing.T) {
 
 // --- MergePullRequest merge style mapping ---
 
-func TestMergePullRequest_StyleMapping(t *testing.T) {
+func TestMergePullRequest_Good_StyleMapping(t *testing.T) {
 	// We can't easily test the SDK call, but we can verify the method
 	// errors when the server returns failure. This exercises the style mapping code.
 	tests := []struct {
@@ -260,7 +260,7 @@ func TestMergePullRequest_StyleMapping(t *testing.T) {
 
 // --- ListIssuesOpts defaulting ---
 
-func TestListIssuesOpts_Defaults(t *testing.T) {
+func TestListIssuesOpts_Good_Defaults(t *testing.T) {
 	tests := []struct {
 		name          string
 		opts          ListIssuesOpts
@@ -432,13 +432,13 @@ func TestClient_CreatePullRequest_Bad_ServerError(t *testing.T) {
 
 // --- commentPageSize constant test ---
 
-func TestCommentPageSize(t *testing.T) {
+func TestCommentPageSize_Good(t *testing.T) {
 	assert.Equal(t, 50, commentPageSize, "comment page size should be 50")
 }
 
 // --- ListPullRequests state mapping ---
 
-func TestListPullRequests_StateMapping(t *testing.T) {
+func TestListPullRequests_Good_StateMapping(t *testing.T) {
 	// Verify state mapping via error path (server returns error).
 	tests := []struct {
 		name  string

forge/config.go

@@ -1,19 +1,24 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
-	"os"
+	os "dappco.re/go/core/scm/internal/ax/osx"
 
-	"forge.lthn.ai/core/config"
 	"dappco.re/go/core/log"
+	"forge.lthn.ai/core/config"
 )
 
 const (
 	// ConfigKeyURL is the config key for the Forgejo instance URL.
+	//
 	ConfigKeyURL = "forge.url"
 	// ConfigKeyToken is the config key for the Forgejo API token.
+	//
 	ConfigKeyToken = "forge.token"
 
 	// DefaultURL is the default Forgejo instance URL.
+	//
 	DefaultURL = "http://localhost:4000"
 )
 
@@ -22,6 +27,8 @@ const (
 //  1. ~/.core/config.yaml keys: forge.token, forge.url
 //  2. FORGE_TOKEN + FORGE_URL environment variables (override config file)
 //  3. Provided flag overrides (highest priority; pass empty to skip)
+//
+//
 func NewFromConfig(flagURL, flagToken string) (*Client, error) {
 	url, token, err := ResolveConfig(flagURL, flagToken)
 	if err != nil {
@@ -37,6 +44,7 @@ func NewFromConfig(flagURL, flagToken string) (*Client, error) {
 
 // ResolveConfig resolves the Forgejo URL and token from all config sources.
 // Flag values take highest priority, then env vars, then config file.
+//
 func ResolveConfig(flagURL, flagToken string) (url, token string, err error) {
 	// Start with config file values
 	cfg, cfgErr := config.New()
@@ -70,6 +78,7 @@ func ResolveConfig(flagURL, flagToken string) (url, token string, err error) {
 }
 
 // SaveConfig persists the Forgejo URL and/or token to the config file.
+//
 func SaveConfig(url, token string) error {
 	cfg, err := config.New()
 	if err != nil {

forge/config_test.go

@@ -68,7 +68,7 @@ func TestResolveConfig_Good_URLDefaultsWhenEmpty(t *testing.T) {
 	assert.Equal(t, "some-token", token)
 }
 
-func TestConstants(t *testing.T) {
+func TestConstants_Good(t *testing.T) {
 	assert.Equal(t, "forge.url", ConfigKeyURL)
 	assert.Equal(t, "forge.token", ConfigKeyToken)
 	assert.Equal(t, "http://localhost:4000", DefaultURL)

forge/issues.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
@@ -9,6 +11,7 @@ import (
 )
 
 // ListIssuesOpts configures issue listing.
+//
 type ListIssuesOpts struct {
 	State  string   // "open", "closed", "all"
 	Labels []string // filter by label names

forge/labels.go

@@ -1,7 +1,9 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
-	"strings"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 
 	forgejo "codeberg.org/mvdkleijn/forgejo-sdk/forgejo/v2"
 

forge/meta.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
@@ -10,6 +12,7 @@ import (
 
 // PRMeta holds structural signals from a pull request,
 // used by the pipeline MetaReader for AI-driven workflows.
+//
 type PRMeta struct {
 	Number       int64
 	Title        string
@@ -26,6 +29,7 @@ type PRMeta struct {
 }
 
 // Comment represents a comment with metadata.
+//
 type Comment struct {
 	ID        int64
 	Author    string

forge/orgs.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (

forge/prs.go

@@ -1,14 +1,19 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (
 	"bytes"
-	"encoding/json"
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
 	"net/http"
-
-	forgejo "codeberg.org/mvdkleijn/forgejo-sdk/forgejo/v2"
+	"net/url"
+	"strconv"
 
 	"dappco.re/go/core/log"
+	"dappco.re/go/core/scm/agentci"
+
+	forgejo "codeberg.org/mvdkleijn/forgejo-sdk/forgejo/v2"
 )
 
 // MergePullRequest merges a pull request with the given method ("squash", "rebase", "merge").
@@ -38,14 +43,27 @@ func (c *Client) MergePullRequest(owner, repo string, index int64, method string
 // The Forgejo SDK v2.2.0 doesn't expose the draft field on EditPullRequestOption,
 // so we use a raw HTTP PATCH request.
 func (c *Client) SetPRDraft(owner, repo string, index int64, draft bool) error {
+	safeOwner, err := agentci.ValidatePathElement(owner)
+	if err != nil {
+		return log.E("forge.SetPRDraft", "invalid owner", err)
+	}
+	safeRepo, err := agentci.ValidatePathElement(repo)
+	if err != nil {
+		return log.E("forge.SetPRDraft", "invalid repo", err)
+	}
+
 	payload := map[string]bool{"draft": draft}
 	body, err := json.Marshal(payload)
 	if err != nil {
 		return log.E("forge.SetPRDraft", "marshal payload", err)
 	}
 
-	url := fmt.Sprintf("%s/api/v1/repos/%s/%s/pulls/%d", c.url, owner, repo, index)
-	req, err := http.NewRequest(http.MethodPatch, url, bytes.NewReader(body))
+	path, err := url.JoinPath(c.url, "api", "v1", "repos", safeOwner, safeRepo, "pulls", strconv.FormatInt(index, 10))
+	if err != nil {
+		return log.E("forge.SetPRDraft", "failed to build request path", err)
+	}
+
+	req, err := http.NewRequest(http.MethodPatch, path, bytes.NewReader(body))
 	if err != nil {
 		return log.E("forge.SetPRDraft", "create request", err)
 	}

forge/prs_test.go

@@ -1,7 +1,10 @@
 package forge
 
 import (
-	"strings"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
+	"net/http"
+	"net/http/httptest"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -98,3 +101,49 @@ func TestClient_DismissReview_Bad_ServerError(t *testing.T) {
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "failed to dismiss review")
 }
+
+func TestClient_SetPRDraft_Good_Request(t *testing.T) {
+	var method, path string
+	var payload map[string]any
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/api/v1/version", func(w http.ResponseWriter, r *http.Request) {
+		jsonResponse(w, map[string]string{"version": "1.21.0"})
+	})
+	mux.HandleFunc("/api/v1/repos/test-org/org-repo/pulls/3", func(w http.ResponseWriter, r *http.Request) {
+		method = r.Method
+		path = r.URL.Path
+		require.NoError(t, json.NewDecoder(r.Body).Decode(&payload))
+		jsonResponse(w, map[string]any{"number": 3})
+	})
+
+	srv := httptest.NewServer(mux)
+	defer srv.Close()
+
+	client, err := New(srv.URL, "test-token")
+	require.NoError(t, err)
+
+	err = client.SetPRDraft("test-org", "org-repo", 3, false)
+	assert.NoError(t, err)
+	assert.Equal(t, http.MethodPatch, method)
+	assert.Equal(t, "/api/v1/repos/test-org/org-repo/pulls/3", path)
+	assert.Equal(t, false, payload["draft"])
+}
+
+func TestClient_SetPRDraft_Bad_PathTraversalOwner(t *testing.T) {
+	client, srv := newTestClient(t)
+	defer srv.Close()
+
+	err := client.SetPRDraft("../owner", "org-repo", 3, true)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid owner")
+}
+
+func TestClient_SetPRDraft_Bad_PathTraversalRepo(t *testing.T) {
+	client, srv := newTestClient(t)
+	defer srv.Close()
+
+	err := client.SetPRDraft("test-org", "..", 3, true)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid repo")
+}

forge/repos.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (

forge/testhelper_test.go

@@ -1,10 +1,10 @@
 package forge
 
 import (
-	"encoding/json"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 	"net/http"
 	"net/http/httptest"
-	"strings"
 	"testing"
 )
 

forge/webhooks.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forge
 
 import (

git/git.go

@@ -1,20 +1,23 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 // Package git provides utilities for git operations across multiple repositories.
 package git
 
 import (
 	"bytes"
 	"context"
+	os "dappco.re/go/core/scm/internal/ax/osx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
+	exec "golang.org/x/sys/execabs"
 	"io"
 	"iter"
-	"os"
-	"os/exec"
 	"slices"
 	"strconv"
-	"strings"
 	"sync"
 )
 
 // RepoStatus represents the git status of a single repository.
+//
 type RepoStatus struct {
 	Name      string
 	Path      string
@@ -43,6 +46,7 @@ func (s *RepoStatus) HasUnpulled() bool {
 }
 
 // StatusOptions configures the status check.
+//
 type StatusOptions struct {
 	// Paths is a list of repo paths to check
 	Paths []string
@@ -51,6 +55,7 @@ type StatusOptions struct {
 }
 
 // Status checks git status for multiple repositories in parallel.
+//
 func Status(ctx context.Context, opts StatusOptions) []RepoStatus {
 	var wg sync.WaitGroup
 	results := make([]RepoStatus, len(opts.Paths))
@@ -72,6 +77,7 @@ func Status(ctx context.Context, opts StatusOptions) []RepoStatus {
 }
 
 // StatusIter returns an iterator over git status for multiple repositories.
+//
 func StatusIter(ctx context.Context, opts StatusOptions) iter.Seq[RepoStatus] {
 	return func(yield func(RepoStatus) bool) {
 		results := Status(ctx, opts)
@@ -156,17 +162,20 @@ func getAheadBehind(ctx context.Context, path string) (ahead, behind int) {
 
 // Push pushes commits for a single repository.
 // Uses interactive mode to support SSH passphrase prompts.
+//
 func Push(ctx context.Context, path string) error {
 	return gitInteractive(ctx, path, "push")
 }
 
 // Pull pulls changes for a single repository.
 // Uses interactive mode to support SSH passphrase prompts.
+//
 func Pull(ctx context.Context, path string) error {
 	return gitInteractive(ctx, path, "pull", "--rebase")
 }
 
 // IsNonFastForward checks if an error is a non-fast-forward rejection.
+//
 func IsNonFastForward(err error) bool {
 	if err == nil {
 		return false
@@ -201,6 +210,7 @@ func gitInteractive(ctx context.Context, dir string, args ...string) error {
 }
 
 // PushResult represents the result of a push operation.
+//
 type PushResult struct {
 	Name    string
 	Path    string
@@ -210,11 +220,13 @@ type PushResult struct {
 
 // PushMultiple pushes multiple repositories sequentially.
 // Sequential because SSH passphrase prompts need user interaction.
+//
 func PushMultiple(ctx context.Context, paths []string, names map[string]string) []PushResult {
 	return slices.Collect(PushMultipleIter(ctx, paths, names))
 }
 
 // PushMultipleIter returns an iterator that pushes repositories sequentially and yields results.
+//
 func PushMultipleIter(ctx context.Context, paths []string, names map[string]string) iter.Seq[PushResult] {
 	return func(yield func(PushResult) bool) {
 		for _, path := range paths {
@@ -263,6 +275,7 @@ func gitCommand(ctx context.Context, dir string, args ...string) (string, error)
 }
 
 // GitError wraps a git command error with stderr output.
+//
 type GitError struct {
 	Err    error
 	Stderr string

git/service.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package git
 
 import (
@@ -11,49 +13,58 @@ import (
 // Queries for git service
 
 // QueryStatus requests git status for paths.
+//
 type QueryStatus struct {
 	Paths []string
 	Names map[string]string
 }
 
 // QueryDirtyRepos requests repos with uncommitted changes.
+//
 type QueryDirtyRepos struct{}
 
 // QueryAheadRepos requests repos with unpushed commits.
+//
 type QueryAheadRepos struct{}
 
 // Tasks for git service
 
 // TaskPush requests git push for a path.
+//
 type TaskPush struct {
 	Path string
 	Name string
 }
 
 // TaskPull requests git pull for a path.
+//
 type TaskPull struct {
 	Path string
 	Name string
 }
 
 // TaskPushMultiple requests git push for multiple paths.
+//
 type TaskPushMultiple struct {
 	Paths []string
 	Names map[string]string
 }
 
 // ServiceOptions for configuring the git service.
+//
 type ServiceOptions struct {
 	WorkDir string
 }
 
 // Service provides git operations as a Core service.
+//
 type Service struct {
 	*core.ServiceRuntime[ServiceOptions]
 	lastStatus []RepoStatus
 }
 
 // NewService creates a git service factory.
+//
 func NewService(opts ServiceOptions) func(*core.Core) (any, error) {
 	return func(c *core.Core) (any, error) {
 		return &Service{

gitea/client.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 // Package gitea provides a thin wrapper around the Gitea Go SDK
 // for managing repositories, issues, and pull requests on a Gitea instance.
 //
@@ -15,12 +17,14 @@ import (
 )
 
 // Client wraps the Gitea SDK client with config-based auth.
+//
 type Client struct {
 	api *gitea.Client
 	url string
 }
 
 // New creates a new Gitea API client for the given URL and token.
+//
 func New(url, token string) (*Client, error) {
 	api, err := gitea.NewClient(url, gitea.SetToken(token))
 	if err != nil {

gitea/config.go

@@ -1,19 +1,24 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package gitea
 
 import (
-	"os"
+	os "dappco.re/go/core/scm/internal/ax/osx"
 
-	"forge.lthn.ai/core/config"
 	"dappco.re/go/core/log"
+	"forge.lthn.ai/core/config"
 )
 
 const (
 	// ConfigKeyURL is the config key for the Gitea instance URL.
+	//
 	ConfigKeyURL = "gitea.url"
 	// ConfigKeyToken is the config key for the Gitea API token.
+	//
 	ConfigKeyToken = "gitea.token"
 
 	// DefaultURL is the default Gitea instance URL.
+	//
 	DefaultURL = "https://gitea.snider.dev"
 )
 
@@ -22,6 +27,8 @@ const (
 //  1. ~/.core/config.yaml keys: gitea.token, gitea.url
 //  2. GITEA_TOKEN + GITEA_URL environment variables (override config file)
 //  3. Provided flag overrides (highest priority; pass empty to skip)
+//
+//
 func NewFromConfig(flagURL, flagToken string) (*Client, error) {
 	url, token, err := ResolveConfig(flagURL, flagToken)
 	if err != nil {
@@ -37,6 +44,7 @@ func NewFromConfig(flagURL, flagToken string) (*Client, error) {
 
 // ResolveConfig resolves the Gitea URL and token from all config sources.
 // Flag values take highest priority, then env vars, then config file.
+//
 func ResolveConfig(flagURL, flagToken string) (url, token string, err error) {
 	// Start with config file values
 	cfg, cfgErr := config.New()
@@ -70,6 +78,7 @@ func ResolveConfig(flagURL, flagToken string) (url, token string, err error) {
 }
 
 // SaveConfig persists the Gitea URL and/or token to the config file.
+//
 func SaveConfig(url, token string) error {
 	cfg, err := config.New()
 	if err != nil {

gitea/config_test.go

@@ -66,7 +66,7 @@ func TestResolveConfig_Good_URLDefaultsWhenEmpty(t *testing.T) {
 	assert.Equal(t, "some-token", token)
 }
 
-func TestConstants(t *testing.T) {
+func TestConstants_Good(t *testing.T) {
 	assert.Equal(t, "gitea.url", ConfigKeyURL)
 	assert.Equal(t, "gitea.token", ConfigKeyToken)
 	assert.Equal(t, "https://gitea.snider.dev", DefaultURL)

gitea/coverage_boost_test.go

@@ -1,7 +1,7 @@
 package gitea
 
 import (
-	"encoding/json"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
 	"net/http"
 	"net/http/httptest"
 	"testing"

gitea/issues.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package gitea
 
 import (
@@ -9,6 +11,7 @@ import (
 )
 
 // ListIssuesOpts configures issue listing.
+//
 type ListIssuesOpts struct {
 	State string // "open", "closed", "all"
 	Page  int

gitea/issues_test.go

@@ -163,7 +163,7 @@ func TestClient_GetPullRequest_Bad_ServerError(t *testing.T) {
 
 // --- ListIssuesOpts defaulting ---
 
-func TestListIssuesOpts_Defaults(t *testing.T) {
+func TestListIssuesOpts_Good_Defaults(t *testing.T) {
 	tests := []struct {
 		name          string
 		opts          ListIssuesOpts

gitea/meta.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package gitea
 
 import (
@@ -10,6 +12,7 @@ import (
 
 // PRMeta holds structural signals from a pull request,
 // used by the pipeline MetaReader for AI-driven workflows.
+//
 type PRMeta struct {
 	Number       int64
 	Title        string
@@ -26,6 +29,7 @@ type PRMeta struct {
 }
 
 // Comment represents a comment with metadata.
+//
 type Comment struct {
 	ID        int64
 	Author    string

gitea/meta_test.go

@@ -74,7 +74,7 @@ func TestClient_GetIssueBody_Bad_ServerError(t *testing.T) {
 
 // --- PRMeta struct tests ---
 
-func TestPRMeta_Fields(t *testing.T) {
+func TestPRMeta_Good_Fields(t *testing.T) {
 	meta := &PRMeta{
 		Number:       42,
 		Title:        "Test PR",
@@ -100,7 +100,7 @@ func TestPRMeta_Fields(t *testing.T) {
 	assert.Equal(t, 5, meta.CommentCount)
 }
 
-func TestComment_Fields(t *testing.T) {
+func TestComment_Good_Fields(t *testing.T) {
 	comment := Comment{
 		ID:     123,
 		Author: "reviewer",
@@ -112,6 +112,6 @@ func TestComment_Fields(t *testing.T) {
 	assert.Equal(t, "LGTM", comment.Body)
 }
 
-func TestCommentPageSize(t *testing.T) {
+func TestCommentPageSize_Good(t *testing.T) {
 	assert.Equal(t, 50, commentPageSize, "comment page size should be 50")
 }

gitea/repos.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package gitea
 
 import (

gitea/testhelper_test.go

@@ -1,10 +1,10 @@
 package gitea
 
 import (
-	"encoding/json"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 	"net/http"
 	"net/http/httptest"
-	"strings"
 	"testing"
 )
 

go.mod

@@ -5,25 +5,27 @@ go 1.26.0
 require (
 	code.gitea.io/sdk/gitea v0.23.2
 	codeberg.org/mvdkleijn/forgejo-sdk/forgejo/v2 v2.2.0
-	dappco.re/go/core v0.4.7
-	dappco.re/go/core/api v0.1.5
-	dappco.re/go/core/i18n v0.1.7
-	dappco.re/go/core/io v0.1.7
-	dappco.re/go/core/log v0.0.4
-	dappco.re/go/core/ws v0.2.5
+	dappco.re/go/core v0.5.0
+	dappco.re/go/core/api v0.2.0
+	dappco.re/go/core/i18n v0.2.0
+	dappco.re/go/core/io v0.2.0
+	dappco.re/go/core/log v0.1.0
+	dappco.re/go/core/ws v0.3.0
 	forge.lthn.ai/core/cli v0.3.7
 	forge.lthn.ai/core/config v0.1.8
 	github.com/gin-gonic/gin v1.12.0
+	github.com/goccy/go-json v0.10.6
 	github.com/stretchr/testify v1.11.1
 	golang.org/x/net v0.52.0
+	golang.org/x/sys v0.42.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
-	forge.lthn.ai/core/go v0.3.2 // indirect
+	forge.lthn.ai/core/go v0.3.3 // indirect
 	forge.lthn.ai/core/go-i18n v0.1.7 // indirect
 	forge.lthn.ai/core/go-inference v0.1.7 // indirect
-	forge.lthn.ai/core/go-io v0.1.5 // indirect
+	forge.lthn.ai/core/go-io v0.1.7 // indirect
 	forge.lthn.ai/core/go-log v0.0.4 // indirect
 	github.com/42wim/httpsig v1.2.3 // indirect
 	github.com/99designs/gqlgen v0.17.88 // indirect
@@ -86,7 +88,6 @@ require (
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.30.1 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
-	github.com/goccy/go-json v0.10.6 // indirect
 	github.com/goccy/go-yaml v1.19.2 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/context v1.1.2 // indirect
@@ -145,7 +146,6 @@ require (
 	golang.org/x/mod v0.34.0 // indirect
 	golang.org/x/oauth2 v0.36.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/term v0.41.0 // indirect
 	golang.org/x/text v0.35.0 // indirect
 	golang.org/x/tools v0.43.0 // indirect
@@ -155,15 +155,3 @@ require (
 	modernc.org/memory v1.11.0 // indirect
 	modernc.org/sqlite v1.47.0 // indirect
 )
-
-replace (
-	dappco.re/go/core => ../go
-	dappco.re/go/core/api => ../api
-	dappco.re/go/core/i18n => ../go-i18n
-	dappco.re/go/core/io => ../go-io
-	dappco.re/go/core/log => ../go-log
-	dappco.re/go/core/ws => ../go-ws
-	forge.lthn.ai/core/cli => ../cli
-	forge.lthn.ai/core/config => ../config
-	forge.lthn.ai/core/go-inference => ../go-inference
-)

internal/ax/filepathx/filepathx.go

@@ -0,0 +1,55 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
+package filepathx
+
+import (
+	"path"
+	"syscall"
+)
+
+// Separator mirrors filepath.Separator for Unix-style Core paths.
+//
+const Separator = '/'
+
+// Abs mirrors filepath.Abs for the paths used in this repo.
+//
+func Abs(p string) (string, error) {
+	if path.IsAbs(p) {
+		return path.Clean(p), nil
+	}
+	cwd, err := syscall.Getwd()
+	if err != nil {
+		return "", err
+	}
+	return path.Clean(path.Join(cwd, p)), nil
+}
+
+// Base mirrors filepath.Base.
+//
+func Base(p string) string {
+	return path.Base(p)
+}
+
+// Clean mirrors filepath.Clean.
+//
+func Clean(p string) string {
+	return path.Clean(p)
+}
+
+// Dir mirrors filepath.Dir.
+//
+func Dir(p string) string {
+	return path.Dir(p)
+}
+
+// Ext mirrors filepath.Ext.
+//
+func Ext(p string) string {
+	return path.Ext(p)
+}
+
+// Join mirrors filepath.Join.
+//
+func Join(elem ...string) string {
+	return path.Join(elem...)
+}

internal/ax/fmtx/fmtx.go

@@ -0,0 +1,40 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
+package fmtx
+
+import (
+	"io"
+
+	core "dappco.re/go/core"
+	"dappco.re/go/core/scm/internal/ax/stdio"
+)
+
+// Sprint mirrors fmt.Sprint using Core primitives.
+//
+func Sprint(args ...any) string {
+	return core.Sprint(args...)
+}
+
+// Sprintf mirrors fmt.Sprintf using Core primitives.
+//
+func Sprintf(format string, args ...any) string {
+	return core.Sprintf(format, args...)
+}
+
+// Fprintf mirrors fmt.Fprintf using Core primitives.
+//
+func Fprintf(w io.Writer, format string, args ...any) (int, error) {
+	return io.WriteString(w, Sprintf(format, args...))
+}
+
+// Printf mirrors fmt.Printf.
+//
+func Printf(format string, args ...any) (int, error) {
+	return Fprintf(stdio.Stdout, format, args...)
+}
+
+// Println mirrors fmt.Println.
+//
+func Println(args ...any) (int, error) {
+	return io.WriteString(stdio.Stdout, Sprint(args...)+"\n")
+}

internal/ax/jsonx/jsonx.go

@@ -0,0 +1,39 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
+package jsonx
+
+import (
+	"io"
+
+	json "github.com/goccy/go-json"
+)
+
+// Marshal mirrors encoding/json.Marshal.
+//
+func Marshal(v any) ([]byte, error) {
+	return json.Marshal(v)
+}
+
+// MarshalIndent mirrors encoding/json.MarshalIndent.
+//
+func MarshalIndent(v any, prefix, indent string) ([]byte, error) {
+	return json.MarshalIndent(v, prefix, indent)
+}
+
+// NewDecoder mirrors encoding/json.NewDecoder.
+//
+func NewDecoder(r io.Reader) *json.Decoder {
+	return json.NewDecoder(r)
+}
+
+// NewEncoder mirrors encoding/json.NewEncoder.
+//
+func NewEncoder(w io.Writer) *json.Encoder {
+	return json.NewEncoder(w)
+}
+
+// Unmarshal mirrors encoding/json.Unmarshal.
+//
+func Unmarshal(data []byte, v any) error {
+	return json.Unmarshal(data, v)
+}

internal/ax/osx/osx.go

@@ -0,0 +1,113 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
+package osx
+
+import (
+	"io"
+	"io/fs"
+	"os/user"
+	"syscall"
+
+	core "dappco.re/go/core"
+	coreio "dappco.re/go/core/io"
+	"dappco.re/go/core/scm/internal/ax/stdio"
+)
+
+const (
+	//
+	O_APPEND = syscall.O_APPEND
+	//
+	O_CREATE = syscall.O_CREAT
+	//
+	O_WRONLY = syscall.O_WRONLY
+)
+
+// Stdin exposes process stdin without importing os.
+//
+var Stdin = stdio.Stdin
+
+// Stdout exposes process stdout without importing os.
+//
+var Stdout = stdio.Stdout
+
+// Stderr exposes process stderr without importing os.
+//
+var Stderr = stdio.Stderr
+
+// Getenv mirrors os.Getenv.
+//
+func Getenv(key string) string {
+	value, _ := syscall.Getenv(key)
+	return value
+}
+
+// Getwd mirrors os.Getwd.
+//
+func Getwd() (string, error) {
+	return syscall.Getwd()
+}
+
+// IsNotExist mirrors os.IsNotExist.
+//
+func IsNotExist(err error) bool {
+	return core.Is(err, fs.ErrNotExist)
+}
+
+// MkdirAll mirrors os.MkdirAll.
+//
+func MkdirAll(path string, _ fs.FileMode) error {
+	return coreio.Local.EnsureDir(path)
+}
+
+// Open mirrors os.Open.
+//
+func Open(path string) (fs.File, error) {
+	return coreio.Local.Open(path)
+}
+
+// OpenFile mirrors the append/create/write mode used in this repo.
+//
+func OpenFile(path string, flag int, _ fs.FileMode) (io.WriteCloser, error) {
+	if flag&O_APPEND != 0 {
+		return coreio.Local.Append(path)
+	}
+	return coreio.Local.Create(path)
+}
+
+// ReadDir mirrors os.ReadDir.
+//
+func ReadDir(path string) ([]fs.DirEntry, error) {
+	return coreio.Local.List(path)
+}
+
+// ReadFile mirrors os.ReadFile.
+//
+func ReadFile(path string) ([]byte, error) {
+	content, err := coreio.Local.Read(path)
+	return []byte(content), err
+}
+
+// Stat mirrors os.Stat.
+//
+func Stat(path string) (fs.FileInfo, error) {
+	return coreio.Local.Stat(path)
+}
+
+// UserHomeDir mirrors os.UserHomeDir.
+//
+func UserHomeDir() (string, error) {
+	if home := Getenv("HOME"); home != "" {
+		return home, nil
+	}
+	current, err := user.Current()
+	if err != nil {
+		return "", err
+	}
+	return current.HomeDir, nil
+}
+
+// WriteFile mirrors os.WriteFile.
+//
+func WriteFile(path string, data []byte, perm fs.FileMode) error {
+	return coreio.Local.WriteMode(path, string(data), perm)
+}

internal/ax/stdio/stdio.go

@@ -0,0 +1,40 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
+package stdio
+
+import (
+	"io"
+	"syscall"
+)
+
+type fdReader struct {
+	fd int
+}
+
+func (r fdReader) Read(p []byte) (int, error) {
+	n, err := syscall.Read(r.fd, p)
+	if n == 0 && err == nil {
+		return 0, io.EOF
+	}
+	return n, err
+}
+
+type fdWriter struct {
+	fd int
+}
+
+func (w fdWriter) Write(p []byte) (int, error) {
+	return syscall.Write(w.fd, p)
+}
+
+// Stdin exposes process stdin without importing os.
+//
+var Stdin io.Reader = fdReader{fd: 0}
+
+// Stdout exposes process stdout without importing os.
+//
+var Stdout io.Writer = fdWriter{fd: 1}
+
+// Stderr exposes process stderr without importing os.
+//
+var Stderr io.Writer = fdWriter{fd: 2}

internal/ax/stringsx/stringsx.go

@@ -0,0 +1,151 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
+package stringsx
+
+import (
+	"bufio"
+	"bytes"
+	"iter"
+
+	core "dappco.re/go/core"
+)
+
+// Builder provides a strings.Builder-like type without importing strings.
+//
+type Builder = bytes.Buffer
+
+// Contains mirrors strings.Contains.
+//
+func Contains(s, substr string) bool {
+	return core.Contains(s, substr)
+}
+
+// ContainsAny mirrors strings.ContainsAny.
+//
+func ContainsAny(s, chars string) bool {
+	return bytes.IndexAny([]byte(s), chars) >= 0
+}
+
+// EqualFold mirrors strings.EqualFold.
+//
+func EqualFold(s, t string) bool {
+	return bytes.EqualFold([]byte(s), []byte(t))
+}
+
+// Fields mirrors strings.Fields.
+//
+func Fields(s string) []string {
+	scanner := bufio.NewScanner(NewReader(s))
+	scanner.Split(bufio.ScanWords)
+	fields := make([]string, 0)
+	for scanner.Scan() {
+		fields = append(fields, scanner.Text())
+	}
+	return fields
+}
+
+// HasPrefix mirrors strings.HasPrefix.
+//
+func HasPrefix(s, prefix string) bool {
+	return core.HasPrefix(s, prefix)
+}
+
+// HasSuffix mirrors strings.HasSuffix.
+//
+func HasSuffix(s, suffix string) bool {
+	return core.HasSuffix(s, suffix)
+}
+
+// Join mirrors strings.Join.
+//
+func Join(elems []string, sep string) string {
+	return core.Join(sep, elems...)
+}
+
+// LastIndex mirrors strings.LastIndex.
+//
+func LastIndex(s, substr string) int {
+	return bytes.LastIndex([]byte(s), []byte(substr))
+}
+
+// NewReader mirrors strings.NewReader.
+//
+func NewReader(s string) *bytes.Reader {
+	return bytes.NewReader([]byte(s))
+}
+
+// Repeat mirrors strings.Repeat.
+//
+func Repeat(s string, count int) string {
+	if count <= 0 {
+		return ""
+	}
+	return string(bytes.Repeat([]byte(s), count))
+}
+
+// ReplaceAll mirrors strings.ReplaceAll.
+//
+func ReplaceAll(s, old, new string) string {
+	return core.Replace(s, old, new)
+}
+
+// Replace mirrors strings.Replace for replace-all call sites.
+//
+func Replace(s, old, new string, _ int) string {
+	return ReplaceAll(s, old, new)
+}
+
+// Split mirrors strings.Split.
+//
+func Split(s, sep string) []string {
+	return core.Split(s, sep)
+}
+
+// SplitN mirrors strings.SplitN.
+//
+func SplitN(s, sep string, n int) []string {
+	return core.SplitN(s, sep, n)
+}
+
+// SplitSeq mirrors strings.SplitSeq.
+//
+func SplitSeq(s, sep string) iter.Seq[string] {
+	parts := Split(s, sep)
+	return func(yield func(string) bool) {
+		for _, part := range parts {
+			if !yield(part) {
+				return
+			}
+		}
+	}
+}
+
+// ToLower mirrors strings.ToLower.
+//
+func ToLower(s string) string {
+	return core.Lower(s)
+}
+
+// ToUpper mirrors strings.ToUpper.
+//
+func ToUpper(s string) string {
+	return core.Upper(s)
+}
+
+// TrimPrefix mirrors strings.TrimPrefix.
+//
+func TrimPrefix(s, prefix string) string {
+	return core.TrimPrefix(s, prefix)
+}
+
+// TrimSpace mirrors strings.TrimSpace.
+//
+func TrimSpace(s string) string {
+	return core.Trim(s)
+}
+
+// TrimSuffix mirrors strings.TrimSuffix.
+//
+func TrimSuffix(s, suffix string) string {
+	return core.TrimSuffix(s, suffix)
+}

jobrunner/forgejo/signals.go

@@ -1,3 +1,5 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forgejo
 
 import (

jobrunner/forgejo/source.go

@@ -1,27 +1,32 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package forgejo
 
 import (
 	"context"
-	"fmt"
-	"strings"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 
+	"dappco.re/go/core/log"
 	"dappco.re/go/core/scm/forge"
 	"dappco.re/go/core/scm/jobrunner"
-	"dappco.re/go/core/log"
 )
 
 // Config configures a ForgejoSource.
+//
 type Config struct {
 	Repos []string // "owner/repo" format
 }
 
 // ForgejoSource polls a Forgejo instance for pipeline signals from epic issues.
+//
 type ForgejoSource struct {
 	repos []string
 	forge *forge.Client
 }
 
 // New creates a ForgejoSource using the given forge client.
+//
 func New(cfg Config, client *forge.Client) *ForgejoSource {
 	return &ForgejoSource{
 		repos: cfg.Repos,

jobrunner/forgejo/source_test.go

@@ -2,10 +2,10 @@ package forgejo
 
 import (
 	"context"
-	"encoding/json"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
 	"net/http"
 	"net/http/httptest"
-	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -35,7 +35,7 @@ func newTestClient(t *testing.T, url string) *forge.Client {
 	return client
 }
 
-func TestForgejoSource_Name(t *testing.T) {
+func TestForgejoSource_Good_Name(t *testing.T) {
 	s := New(Config{}, nil)
 	assert.Equal(t, "forgejo", s.Name())
 }
@@ -106,7 +106,7 @@ func TestForgejoSource_Poll_Good(t *testing.T) {
 	assert.Equal(t, "abc123", sig.LastCommitSHA)
 }
 
-func TestForgejoSource_Poll_NoEpics(t *testing.T) {
+func TestForgejoSource_Poll_Good_NoEpics(t *testing.T) {
 	srv := httptest.NewServer(withVersion(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		_ = json.NewEncoder(w).Encode([]any{})
@@ -152,18 +152,18 @@ func TestForgejoSource_Report_Good(t *testing.T) {
 	assert.Contains(t, capturedBody, "succeeded")
 }
 
-func TestParseEpicChildren(t *testing.T) {
+func TestParseEpicChildren_Good(t *testing.T) {
 	body := "## Tasks\n- [x] #1\n- [ ] #7\n- [ ] #8\n- [x] #3\n"
 	unchecked, checked := parseEpicChildren(body)
 	assert.Equal(t, []int{7, 8}, unchecked)
 	assert.Equal(t, []int{1, 3}, checked)
 }
 
-func TestFindLinkedPR(t *testing.T) {
+func TestFindLinkedPR_Good(t *testing.T) {
 	assert.Nil(t, findLinkedPR(nil, 7))
 }
 
-func TestSplitRepo(t *testing.T) {
+func TestSplitRepo_Good(t *testing.T) {
 	owner, repo, err := splitRepo("host-uk/core")
 	require.NoError(t, err)
 	assert.Equal(t, "host-uk", owner)

jobrunner/handlers/completion.go

@@ -1,8 +1,10 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package handlers
 
 import (
 	"context"
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 	"time"
 
 	coreerr "dappco.re/go/core/log"
@@ -11,15 +13,18 @@ import (
 )
 
 const (
+	//
 	ColorAgentComplete = "#0e8a16" // Green
 )
 
 // CompletionHandler manages issue state when an agent finishes work.
+//
 type CompletionHandler struct {
 	forge *forge.Client
 }
 
 // NewCompletionHandler creates a handler for agent completion events.
+//
 func NewCompletionHandler(client *forge.Client) *CompletionHandler {
 	return &CompletionHandler{
 		forge: client,

jobrunner/handlers/dispatch.go

@@ -1,11 +1,14 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package handlers
 
 import (
 	"bytes"
 	"context"
-	"encoding/json"
-	"fmt"
-	"path/filepath"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
+	strings "dappco.re/go/core/scm/internal/ax/stringsx"
+	"path"
 	"time"
 
 	coreerr "dappco.re/go/core/log"
@@ -15,17 +18,24 @@ import (
 )
 
 const (
+	//
 	LabelAgentReady = "agent-ready"
+	//
 	LabelInProgress = "in-progress"
+	//
 	LabelAgentFailed = "agent-failed"
+	//
 	LabelAgentComplete = "agent-completed"
 
+	//
 	ColorInProgress = "#1d76db" // Blue
+	//
 	ColorAgentFailed = "#c0392b" // Red
 )
 
 // DispatchTicket is the JSON payload written to the agent's queue.
 // The ForgeToken is transferred separately via a .env file with 0600 permissions.
+//
 type DispatchTicket struct {
 	ID           string `json:"id"`
 	RepoOwner    string `json:"repo_owner"`
@@ -45,6 +55,7 @@ type DispatchTicket struct {
 }
 
 // DispatchHandler dispatches coding work to remote agent machines via SSH.
+//
 type DispatchHandler struct {
 	forge    *forge.Client
 	forgeURL string
@@ -53,6 +64,7 @@ type DispatchHandler struct {
 }
 
 // NewDispatchHandler creates a handler that dispatches tickets to agent machines.
+//
 func NewDispatchHandler(client *forge.Client, forgeURL, token string, spinner *agentci.Spinner) *DispatchHandler {
 	return &DispatchHandler{
 		forge:    client,
@@ -85,6 +97,10 @@ func (h *DispatchHandler) Execute(ctx context.Context, signal *jobrunner.Pipelin
 	if !ok {
 		return nil, coreerr.E("dispatch.Execute", "unknown agent: "+signal.Assignee, nil)
 	}
+	queueDir, err := agentci.ValidateRemoteDir(agent.QueueDir)
+	if err != nil {
+		return nil, coreerr.E("dispatch.Execute", "invalid agent queue dir", err)
+	}
 
 	// Sanitize inputs to prevent path traversal.
 	safeOwner, err := agentci.SanitizePath(signal.RepoOwner)
@@ -184,7 +200,10 @@ func (h *DispatchHandler) Execute(ctx context.Context, signal *jobrunner.Pipelin
 	}
 
 	// Transfer ticket JSON.
-	remoteTicketPath := filepath.Join(agent.QueueDir, ticketName)
+	remoteTicketPath, err := agentci.JoinRemotePath(queueDir, ticketName)
+	if err != nil {
+		return nil, coreerr.E("dispatch.Execute", "ticket path", err)
+	}
 	if err := h.secureTransfer(ctx, agent, remoteTicketPath, ticketJSON, 0644); err != nil {
 		h.failDispatch(signal, fmt.Sprintf("Ticket transfer failed: %v", err))
 		return &jobrunner.ActionResult{
@@ -202,10 +221,13 @@ func (h *DispatchHandler) Execute(ctx context.Context, signal *jobrunner.Pipelin
 
 	// Transfer token via separate .env file with 0600 permissions.
 	envContent := fmt.Sprintf("FORGE_TOKEN=%s\n", h.token)
-	remoteEnvPath := filepath.Join(agent.QueueDir, fmt.Sprintf(".env.%s", ticketID))
+	remoteEnvPath, err := agentci.JoinRemotePath(queueDir, fmt.Sprintf(".env.%s", ticketID))
+	if err != nil {
+		return nil, coreerr.E("dispatch.Execute", "env path", err)
+	}
 	if err := h.secureTransfer(ctx, agent, remoteEnvPath, []byte(envContent), 0600); err != nil {
 		// Clean up the ticket if env transfer fails.
-		_ = h.runRemote(ctx, agent, fmt.Sprintf("rm -f %s", agentci.EscapeShellArg(remoteTicketPath)))
+		_ = h.runRemote(ctx, agent, "rm", "-f", remoteTicketPath)
 		h.failDispatch(signal, fmt.Sprintf("Token transfer failed: %v", err))
 		return &jobrunner.ActionResult{
 			Action:      "dispatch",
@@ -255,8 +277,8 @@ func (h *DispatchHandler) failDispatch(signal *jobrunner.PipelineSignal, reason
 
 // secureTransfer writes data to a remote path via SSH stdin, preventing command injection.
 func (h *DispatchHandler) secureTransfer(ctx context.Context, agent agentci.AgentConfig, remotePath string, data []byte, mode int) error {
-	safeRemotePath := agentci.EscapeShellArg(remotePath)
-	remoteCmd := fmt.Sprintf("cat > %s && chmod %o %s", safeRemotePath, mode, safeRemotePath)
+	safePath := agentci.EscapeShellArg(remotePath)
+	remoteCmd := fmt.Sprintf("cat > %s && chmod %o %s", safePath, mode, safePath)
 
 	cmd := agentci.SecureSSHCommand(agent.Host, remoteCmd)
 	cmd.Stdin = bytes.NewReader(data)
@@ -269,21 +291,55 @@ func (h *DispatchHandler) secureTransfer(ctx context.Context, agent agentci.Agen
 }
 
 // runRemote executes a command on the agent via SSH.
-func (h *DispatchHandler) runRemote(ctx context.Context, agent agentci.AgentConfig, cmdStr string) error {
-	cmd := agentci.SecureSSHCommand(agent.Host, cmdStr)
+func (h *DispatchHandler) runRemote(ctx context.Context, agent agentci.AgentConfig, command string, args ...string) error {
+	remoteCmd := command
+	if len(args) > 0 {
+		escaped := make([]string, 0, 1+len(args))
+		escaped = append(escaped, command)
+		for _, arg := range args {
+			escaped = append(escaped, agentci.EscapeShellArg(arg))
+		}
+		remoteCmd = strings.Join(escaped, " ")
+	}
+
+	cmd := agentci.SecureSSHCommand(agent.Host, remoteCmd)
 	return cmd.Run()
 }
 
 // ticketExists checks if a ticket file already exists in queue, active, or done.
 func (h *DispatchHandler) ticketExists(ctx context.Context, agent agentci.AgentConfig, ticketName string) bool {
-	safeTicket, err := agentci.SanitizePath(ticketName)
+	queueDir, err := agentci.ValidateRemoteDir(agent.QueueDir)
 	if err != nil {
 		return false
 	}
-	qDir := agent.QueueDir
+	safeTicket, err := agentci.ValidatePathElement(ticketName)
+	if err != nil {
+		return false
+	}
+
+	queuePath, err := agentci.JoinRemotePath(queueDir, safeTicket)
+	if err != nil {
+		return false
+	}
+	parentDir := queueDir
+	if queueDir != "/" && queueDir != "~" {
+		parentDir = path.Dir(queueDir)
+	}
+	activePath, err := agentci.JoinRemotePath(parentDir, "active", safeTicket)
+	if err != nil {
+		return false
+	}
+	donePath, err := agentci.JoinRemotePath(parentDir, "done", safeTicket)
+	if err != nil {
+		return false
+	}
+
+	queuePath = agentci.EscapeShellArg(queuePath)
+	activePath = agentci.EscapeShellArg(activePath)
+	donePath = agentci.EscapeShellArg(donePath)
 	checkCmd := fmt.Sprintf(
-		"test -f %s/%s || test -f %s/../active/%s || test -f %s/../done/%s",
-		qDir, safeTicket, qDir, safeTicket, qDir, safeTicket,
+		"test -f %s || test -f %s || test -f %s",
+		queuePath, activePath, donePath,
 	)
 	cmd := agentci.SecureSSHCommand(agent.Host, checkCmd)
 	return cmd.Run() == nil

jobrunner/handlers/dispatch_test.go

@@ -2,9 +2,12 @@ package handlers
 
 import (
 	"context"
-	"encoding/json"
+	filepath "dappco.re/go/core/scm/internal/ax/filepathx"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
+	os "dappco.re/go/core/scm/internal/ax/osx"
 	"net/http"
 	"net/http/httptest"
+	"strconv"
 	"testing"
 
 	"dappco.re/go/core/scm/agentci"
@@ -13,6 +16,18 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+func writeFakeSSHCommand(t *testing.T, outputPath string) string {
+	t.Helper()
+	dir := t.TempDir()
+	script := filepath.Join(dir, "ssh")
+	scriptContent := "#!/bin/sh\n" +
+		"OUT=" + strconv.Quote(outputPath) + "\n" +
+		"printf '%s\n' \"$@\" >> \"$OUT\"\n" +
+		"cat >> \"${OUT}.stdin\"\n"
+	require.NoError(t, os.WriteFile(script, []byte(scriptContent), 0o755))
+	return dir
+}
+
 // newTestSpinner creates a Spinner with the given agents for testing.
 func newTestSpinner(agents map[string]agentci.AgentConfig) *agentci.Spinner {
 	return agentci.NewSpinner(agentci.ClothoConfig{Strategy: "direct"}, agents)
@@ -127,6 +142,29 @@ func TestDispatch_Execute_Bad_UnknownAgent(t *testing.T) {
 	assert.Contains(t, err.Error(), "unknown agent")
 }
 
+func TestDispatch_Execute_Bad_InvalidQueueDir(t *testing.T) {
+	spinner := newTestSpinner(map[string]agentci.AgentConfig{
+		"darbs-claude": {
+			Host:     "localhost",
+			QueueDir: "/tmp/queue; touch /tmp/pwned",
+			Active:   true,
+		},
+	})
+	h := NewDispatchHandler(nil, "", "", spinner)
+
+	sig := &jobrunner.PipelineSignal{
+		NeedsCoding: true,
+		Assignee:    "darbs-claude",
+		RepoOwner:   "host-uk",
+		RepoName:    "core",
+		ChildNumber: 1,
+	}
+
+	_, err := h.Execute(context.Background(), sig)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid agent queue dir")
+}
+
 func TestDispatch_TicketJSON_Good(t *testing.T) {
 	ticket := DispatchTicket{
 		ID:           "host-uk-core-5-1234567890",
@@ -214,6 +252,53 @@ func TestDispatch_TicketJSON_Good_OmitsEmptyModelRunner(t *testing.T) {
 	assert.False(t, hasRunner, "runner should be omitted when empty")
 }
 
+func TestDispatch_runRemote_Good_EscapesPath(t *testing.T) {
+	outputPath := filepath.Join(t.TempDir(), "ssh-output.txt")
+	toolPath := writeFakeSSHCommand(t, outputPath)
+	t.Setenv("PATH", toolPath+":"+os.Getenv("PATH"))
+
+	h := NewDispatchHandler(nil, "", "", newTestSpinner(nil))
+	dangerousPath := "/tmp/queue with spaces; touch /tmp/pwned"
+	err := h.runRemote(
+		context.Background(),
+		agentci.AgentConfig{Host: "localhost"},
+		"rm",
+		"-f",
+		dangerousPath,
+	)
+	require.NoError(t, err)
+
+	output, err := os.ReadFile(outputPath)
+	require.NoError(t, err)
+	assert.Contains(t, string(output), "rm '-f' '"+dangerousPath+"'\n")
+}
+
+func TestDispatch_secureTransfer_Good_EscapesPath(t *testing.T) {
+	outputPath := filepath.Join(t.TempDir(), "ssh-output.txt")
+	toolPath := writeFakeSSHCommand(t, outputPath)
+	t.Setenv("PATH", toolPath+":"+os.Getenv("PATH"))
+
+	h := NewDispatchHandler(nil, "", "", newTestSpinner(nil))
+	dangerousPath := "/tmp/queue with spaces; touch /tmp/pwned"
+	err := h.secureTransfer(
+		context.Background(),
+		agentci.AgentConfig{Host: "localhost"},
+		dangerousPath,
+		[]byte("hello"),
+		0644,
+	)
+	require.NoError(t, err)
+
+	output, err := os.ReadFile(outputPath)
+	require.NoError(t, err)
+	assert.Contains(t, string(output), "cat > '"+dangerousPath+"' && chmod 644 '"+dangerousPath+"'")
+
+	inputPath := outputPath + ".stdin"
+	input, err := os.ReadFile(inputPath)
+	require.NoError(t, err)
+	assert.Equal(t, "hello", string(input))
+}
+
 func TestDispatch_TicketJSON_Good_ModelRunnerVariants(t *testing.T) {
 	tests := []struct {
 		name   string

jobrunner/handlers/enable_auto_merge.go

@@ -1,8 +1,10 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package handlers
 
 import (
 	"context"
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 	"time"
 
 	"dappco.re/go/core/scm/forge"
@@ -10,11 +12,13 @@ import (
 )
 
 // EnableAutoMergeHandler merges a PR that is ready using squash strategy.
+//
 type EnableAutoMergeHandler struct {
 	forge *forge.Client
 }
 
 // NewEnableAutoMergeHandler creates a handler that merges ready PRs.
+//
 func NewEnableAutoMergeHandler(f *forge.Client) *EnableAutoMergeHandler {
 	return &EnableAutoMergeHandler{forge: f}
 }

jobrunner/handlers/enable_auto_merge_test.go

@@ -2,7 +2,7 @@ package handlers
 
 import (
 	"context"
-	"encoding/json"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
 	"net/http"
 	"net/http/httptest"
 	"testing"

jobrunner/handlers/publish_draft.go

@@ -1,8 +1,10 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package handlers
 
 import (
 	"context"
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 	"time"
 
 	"dappco.re/go/core/scm/forge"
@@ -10,11 +12,13 @@ import (
 )
 
 // PublishDraftHandler marks a draft PR as ready for review once its checks pass.
+//
 type PublishDraftHandler struct {
 	forge *forge.Client
 }
 
 // NewPublishDraftHandler creates a handler that publishes draft PRs.
+//
 func NewPublishDraftHandler(f *forge.Client) *PublishDraftHandler {
 	return &PublishDraftHandler{forge: f}
 }

jobrunner/handlers/resolve_threads.go

@@ -1,8 +1,10 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package handlers
 
 import (
 	"context"
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 	"time"
 
 	forgejosdk "codeberg.org/mvdkleijn/forgejo-sdk/forgejo/v2"
@@ -15,11 +17,13 @@ import (
 // DismissReviewsHandler dismisses stale "request changes" reviews on a PR.
 // This replaces the GitHub-only ResolveThreadsHandler because Forgejo does
 // not have a thread resolution API.
+//
 type DismissReviewsHandler struct {
 	forge *forge.Client
 }
 
 // NewDismissReviewsHandler creates a handler that dismisses stale reviews.
+//
 func NewDismissReviewsHandler(f *forge.Client) *DismissReviewsHandler {
 	return &DismissReviewsHandler{forge: f}
 }

jobrunner/handlers/resolve_threads_test.go

@@ -2,7 +2,7 @@ package handlers
 
 import (
 	"context"
-	"encoding/json"
+	json "dappco.re/go/core/scm/internal/ax/jsonx"
 	"net/http"
 	"net/http/httptest"
 	"testing"

jobrunner/handlers/send_fix_command.go

@@ -1,8 +1,10 @@
+// SPDX-Licence-Identifier: EUPL-1.2
+
 package handlers
 
 import (
 	"context"
-	"fmt"
+	fmt "dappco.re/go/core/scm/internal/ax/fmtx"
 	"time"
 
 	"dappco.re/go/core/scm/forge"
@@ -11,11 +13,13 @@ import (
 
 // SendFixCommandHandler posts a comment on a PR asking for conflict or
 // review fixes.
+//
 type SendFixCommandHandler struct {
 	forge *forge.Client
 }
 
 // NewSendFixCommandHandler creates a handler that posts fix commands.
+//
 func NewSendFixCommandHandler(f *forge.Client) *SendFixCommandHandler {
 	return &SendFixCommandHandler{forge: f}
 }