fix: update all stale scripts/ references to bin/

Sweep remaining references to the old scripts/ directory that were
missed when scripts/ was renamed to bin/ in 1.3.6.

Fixes active config (ci.yml, .pre-commit-config.yaml, Justfile) and
documentation (CHECKLIST, INVENTORY, MARKETPLACE, SCRIPTS, REPO).

hooks/scripts/ and skills/unraid/scripts/ are intentional and unchanged.

.github/workflows/ci.yml

@@ -108,8 +108,8 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Check Dockerfile security
-        run: bash scripts/check-docker-security.sh Dockerfile
+        run: bash bin/check-docker-security.sh Dockerfile
       - name: Check no baked env vars
-        run: bash scripts/check-no-baked-env.sh .
+        run: bash bin/check-no-baked-env.sh .
       - name: Check ignore files
-        run: bash scripts/ensure-ignore-files.sh --check .
+        run: bash bin/ensure-ignore-files.sh --check .

.pre-commit-config.yaml

@@ -8,16 +8,16 @@ repos:
         pass_filenames: false
       - id: docker-security
         name: Docker security check
-        entry: bash scripts/check-docker-security.sh
+        entry: bash bin/check-docker-security.sh
         language: system
         pass_filenames: false
       - id: no-baked-env
         name: No baked env vars
-        entry: bash scripts/check-no-baked-env.sh
+        entry: bash bin/check-no-baked-env.sh
         language: system
         pass_filenames: false
       - id: ensure-ignore-files
         name: Ensure ignore files
-        entry: bash scripts/ensure-ignore-files.sh --check
+        entry: bash bin/ensure-ignore-files.sh --check
         language: system
         pass_filenames: false

CHANGELOG.md

@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.3.7] - 2026-04-05
+
+### Fixed
+- **`bin/bump-version.sh`**: Fixed gemini path — always resolved the wrong `.gemini-extension.json` default before the conditional override; now prefers `gemini-extension.json` with dot-prefix as fallback. Added empty-version guard. Merged two `sed -i` calls per file into one with `-e`.
+- **`bin/ensure-ignore-files.sh`**: Fixed `"scripts"` → `"bin"` in `REQUIRED_DOCKER` array (was appending wrong dockerignore entry); fixed stale `scripts/` and `hooks/scripts/` path references in comments.
+- **`bin/validate-marketplace.sh`**: Replaced `eval` with `bash -c`; replaced `python3` subprocess for version read with `jq`.
+- **`bin/check-docker-security.sh`**, **`bin/check-no-baked-env.sh`**, **`bin/check-outdated-deps.sh`**: Fixed stale `scripts/` path references in header comments.
+- **`tests/test_bump_version.bats`**: Renamed `TMPDIR` → `TEST_DIR` to avoid shadowing POSIX system variable; last test now uses an isolated symlinked copy instead of mutating real repo files.
+- **Stale `scripts/` references**: Updated all remaining references from `scripts/` to `bin/` in `.github/workflows/ci.yml`, `.pre-commit-config.yaml`, `Justfile`, `docs/CHECKLIST.md`, `docs/INVENTORY.md`, `docs/MARKETPLACE.md`, `docs/repo/SCRIPTS.md`, and `docs/repo/REPO.md`. The `hooks/scripts/` and `skills/unraid/scripts/` paths are intentional and unchanged.
+
 ## [1.3.6] - 2026-04-05
 
 ### Added

Justfile

@@ -104,9 +104,9 @@ gen-token:
 
 # Run docker security checks
 check-contract:
-    bash scripts/check-docker-security.sh
-    bash scripts/check-no-baked-env.sh
-    bash scripts/ensure-ignore-files.sh --check
+    bash bin/check-docker-security.sh
+    bash bin/check-no-baked-env.sh
+    bash bin/ensure-ignore-files.sh --check
 
 # ── CLI Generation ────────────────────────────────────────────────────────────
 

docs/CHECKLIST.md

@@ -26,9 +26,9 @@ Pre-release and quality checklist. Complete all items before tagging a release.
 - [ ] No credentials in code, docs, or commit history
 - [ ] `~/.unraid-mcp/.env` has `chmod 600` permissions
 - [ ] `~/.unraid-mcp/` directory has `chmod 700` permissions
-- [ ] `scripts/check-docker-security.sh` passes
-- [ ] `scripts/check-no-baked-env.sh` passes
-- [ ] `scripts/ensure-ignore-files.sh --check` passes
+- [ ] `bin/check-docker-security.sh` passes
+- [ ] `bin/check-no-baked-env.sh` passes
+- [ ] `bin/ensure-ignore-files.sh --check` passes
 - [ ] Bearer token uses constant-time comparison (`hmac.compare_digest`)
 - [ ] No sensitive values logged (even at DEBUG level)
 - [ ] `UNRAID_MCP_BEARER_TOKEN` removed from `os.environ` after startup

docs/INVENTORY.md

@@ -89,12 +89,12 @@ Complete listing of all plugin components.
 
 | Script | Purpose |
 | --- | --- |
-| `scripts/check-docker-security.sh` | Dockerfile security audit |
-| `scripts/check-no-baked-env.sh` | Verify no env vars baked into images |
-| `scripts/check-outdated-deps.sh` | Dependency freshness check |
-| `scripts/ensure-ignore-files.sh` | Gitignore/dockerignore alignment |
-| `scripts/generate_unraid_api_reference.py` | Generate canonical API docs and schema change report from GraphQL introspection |
-| `scripts/validate-marketplace.sh` | Marketplace JSON validation |
+| `bin/check-docker-security.sh` | Dockerfile security audit |
+| `bin/check-no-baked-env.sh` | Verify no env vars baked into images |
+| `bin/check-outdated-deps.sh` | Dependency freshness check |
+| `bin/ensure-ignore-files.sh` | Gitignore/dockerignore alignment |
+| `bin/generate_unraid_api_reference.py` | Generate canonical API docs and schema change report from GraphQL introspection |
+| `bin/validate-marketplace.sh` | Marketplace JSON validation |
 
 ## CI/CD workflows
 

docs/MARKETPLACE.md

@@ -25,7 +25,7 @@ The individual plugin configuration for the Unraid MCP server.
 - `mcpServers` block that configures the server to run via `uv run unraid-mcp-server` in stdio mode
 
 ### 3. Validation Script
-- `scripts/validate-marketplace.sh` — Automated validation of marketplace structure
+- `bin/validate-marketplace.sh` — Automated validation of marketplace structure
 
 ## MCP Tools Exposed
 
@@ -123,7 +123,7 @@ unraid-mcp/
 │   ├── config/              # Settings management
 │   ├── core/                # GraphQL client, exceptions, shared types
 │   └── subscriptions/       # Real-time WebSocket subscription manager
-└── scripts/
+└── bin/
     └── validate-marketplace.sh  # Validation tool
 ```
 
@@ -146,7 +146,7 @@ Before publishing to GitHub:
 
 1. **Validate Structure**
    ```bash
-   ./scripts/validate-marketplace.sh
+   ./bin/validate-marketplace.sh
    ```
 
 2. **Update Version Numbers** (must be in sync)
@@ -204,7 +204,7 @@ To release a new version:
 
 1. Make changes to the plugin code
 2. Update version in `pyproject.toml`, `.claude-plugin/plugin.json`, and `.claude-plugin/marketplace.json`
-3. Run validation: `./scripts/validate-marketplace.sh`
+3. Run validation: `./bin/validate-marketplace.sh`
 4. Commit and push
 
 Users with the plugin installed will see the update available and can upgrade:
@@ -223,7 +223,7 @@ Users with the plugin installed will see the update available and can upgrade:
 Run the validation script anytime to ensure marketplace integrity:
 
 ```bash
-./scripts/validate-marketplace.sh
+./bin/validate-marketplace.sh
 ```
 
 This checks:

docs/repo/REPO.md

@@ -87,7 +87,7 @@ unraid-mcp/
 |       +-- ensure-gitignore.sh        # Gitignore-specific checks
 |       +-- sync-env.sh               # Environment file synchronization
 |
-+-- scripts/
++-- bin/
 |   +-- check-docker-security.sh       # Dockerfile security audit
 |   +-- check-no-baked-env.sh          # No baked environment variables
 |   +-- check-outdated-deps.sh         # Dependency freshness

docs/repo/SCRIPTS.md

@@ -1,6 +1,6 @@
 # Scripts Reference -- unraid-mcp
 
-## Quality gate scripts (`scripts/`)
+## Quality gate scripts (`bin/`)
 
 ### check-docker-security.sh
 
@@ -11,7 +11,7 @@ Audits the Dockerfile for security best practices:
 - Minimal base image
 
 ```bash
-bash scripts/check-docker-security.sh Dockerfile
+bash bin/check-docker-security.sh Dockerfile
 ```
 
 ### check-no-baked-env.sh
@@ -21,7 +21,7 @@ Verifies no environment variables are baked into Docker images or committed to v
 - Checks for `.env` files in tracked directories
 
 ```bash
-bash scripts/check-no-baked-env.sh .
+bash bin/check-no-baked-env.sh .
 ```
 
 ### check-outdated-deps.sh
@@ -29,7 +29,7 @@ bash scripts/check-no-baked-env.sh .
 Checks for outdated Python dependencies:
 
 ```bash
-bash scripts/check-outdated-deps.sh
+bash bin/check-outdated-deps.sh
 ```
 
 ### ensure-ignore-files.sh
@@ -42,10 +42,10 @@ Validates `.gitignore` and `.dockerignore` contain required patterns:
 
 ```bash
 # Check mode (CI)
-bash scripts/ensure-ignore-files.sh --check .
+bash bin/ensure-ignore-files.sh --check .
 
 # Fix mode (development)
-bash scripts/ensure-ignore-files.sh .
+bash bin/ensure-ignore-files.sh .
 ```
 
 ### validate-marketplace.sh
@@ -53,7 +53,7 @@ bash scripts/ensure-ignore-files.sh .
 Validates marketplace JSON configuration:
 
 ```bash
-bash scripts/validate-marketplace.sh
+bash bin/validate-marketplace.sh
 ```
 
 ## Utility scripts
@@ -63,7 +63,7 @@ bash scripts/validate-marketplace.sh
 Generates the canonical Unraid API docs from GraphQL schema introspection:
 
 ```bash
-python scripts/generate_unraid_api_reference.py
+python bin/generate_unraid_api_reference.py
 ```
 
 Produces:
@@ -85,7 +85,7 @@ Produces:
 ## CI usage
 
 Scripts are called by CI workflows:
-- `ci.yml` runs `check-docker-security.sh`, `check-no-baked-env.sh`, `ensure-ignore-files.sh --check`
+- `ci.yml` runs `bin/check-docker-security.sh`, `bin/check-no-baked-env.sh`, `bin/ensure-ignore-files.sh --check`
 - `just check-contract` runs all three locally
 
 ## See Also