docs: fix broken file references found by path-existence crosscheck

Ran a doc-vs-filesystem crosscheck: extracted every backtick-quoted
path with a file extension or known directory prefix from docs/*.md
and verified each exists. After filtering false positives
(placeholder paths, config keys mistaken for paths, paths inside
docs that already have historical-status banners), found 4 real
broken references — 3 fixed in docs, 1 fixed by creating the missing
file:

docs/HOW_TO_RUN_TESTS.md:339
- Claimed ".github/workflows/tests.yml" exists and runs pytest on
  multiple Python versions in CI. There is no such workflow.
  The only GitHub Actions file is security-audit.yml (bandit + semgrep).
- Pytest runs locally but is NOT gated on PRs.
- Replaced the fictional CI section with the actual state and a
  note explaining how someone could contribute a real test workflow.

docs/MIGRATION_GUIDE.md:92
- Referenced scripts/fix_perms/README.md "(if exists)" — the
  hedge betrays that the writer wasn't sure. The README didn't
  exist. The 6 scripts in scripts/fix_perms/ were never documented.
- Created the missing scripts/fix_perms/README.md from scratch
  with one-line descriptions of all 6 scripts (fix_assets,
  fix_cache, fix_plugin, fix_web, fix_nhl_cache, safe_plugin_rm)
  + when-to-use-each guidance + usage examples.
- Updated MIGRATION_GUIDE link to drop the "(if exists)" hedge
  since the file now exists.

docs/FONT_MANAGER.md:376
- "See test/font_manager_example.py for a complete working example"
  — that file does not exist. Verified by listing test/ directory.
- Replaced with a pointer to src/font_manager.py itself and the
  existing scoreboard base classes in src/base_classes/ that
  actually use the font manager API in production.

Path-existence check methodology:
- Walked docs/ recursively, regex-extracted backtick-quoted paths
  matching either /\.(py|sh|json|yml|yaml|md|txt|service|html|js|css|ttf|bdf|png)/
  or paths starting with known directory prefixes (scripts/, src/,
  config/, web_interface/, systemd/, assets/, docs/, test/, etc.)
- Filtered out URLs, absolute paths (placeholders), and paths
  without slashes (likely not relative refs).
- Checked existence relative to project root.
- Out of 80 unique relative paths in docs/, 32 didn't exist on
  disk. Most were false positives (configkeys mistaken for paths,
  example placeholders like 'assets/myfont.ttf', historical
  references inside docs that already have status banners). The 4
  above were genuine broken refs.

This pattern is reusable for future iterations and worth wiring
into CI (link checker like lychee, scoped to fenced code paths
rather than just markdown links, would catch the same class).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/FONT_MANAGER.md

@@ -373,5 +373,8 @@ self.font = self.font_manager.resolve_font(
 
 ## Example: Complete Manager Implementation
 
-See `test/font_manager_example.py` for a complete working example.
+For a working example of the font manager API in use, see
+`src/font_manager.py` itself and the bundled scoreboard base classes
+in `src/base_classes/` (e.g., `hockey.py`, `football.py`) which
+register and resolve fonts via the patterns documented above.
 

docs/HOW_TO_RUN_TESTS.md

@@ -336,11 +336,15 @@ pytest --cov=src --cov-report=html
 
 ## Continuous Integration
 
-Tests are configured to run automatically in CI/CD. The GitHub Actions workflow (`.github/workflows/tests.yml`) runs:
+There is currently no CI test workflow in this repo — `pytest` runs
+locally but is not gated on PRs. The only GitHub Actions workflow is
+[`.github/workflows/security-audit.yml`](../.github/workflows/security-audit.yml),
+which runs bandit and semgrep on every push.
 
-- All tests on multiple Python versions (3.10, 3.11, 3.12)
-- Coverage reporting
-- Uploads coverage to Codecov (if configured)
+If you'd like to add a test workflow, the recommended setup is a
+`.github/workflows/tests.yml` that runs `pytest` against the
+supported Python versions (3.10, 3.11, 3.12, 3.13 per
+`requirements.txt`). Open an issue or PR if you want to contribute it.
 
 ## Best Practices
 

docs/MIGRATION_GUIDE.md

@@ -88,8 +88,8 @@ If you encounter issues during migration:
 
 1. Check the [README.md](README.md) for current installation and usage instructions
 2. Review script README files:
-   - `scripts/install/README.md` - Installation scripts documentation
-   - `scripts/fix_perms/README.md` (if exists) - Permission scripts documentation
+   - [`scripts/install/README.md`](../scripts/install/README.md) - Installation scripts documentation
+   - [`scripts/fix_perms/README.md`](../scripts/fix_perms/README.md) - Permission scripts documentation
 3. Check system logs: `journalctl -u ledmatrix -f` or `journalctl -u ledmatrix-web -f`
 4. Review the troubleshooting section in the main README
 

scripts/fix_perms/README.md

@@ -0,0 +1,70 @@
+# Permission Fix Scripts
+
+This directory contains shell scripts for repairing file/directory
+permissions on a LEDMatrix installation. They're typically only needed
+when something has gone wrong — for example, after running parts of the
+install as the wrong user, after a manual file copy that didn't preserve
+ownership, or after a permissions-related error from the display or
+web service.
+
+Most of these scripts require `sudo` since they touch directories
+owned by the `ledmatrix` service user or by `root`.
+
+## Scripts
+
+- **`fix_assets_permissions.sh`** — Fixes ownership and write
+  permissions on the `assets/` tree so plugins can download and cache
+  team logos, fonts, and other static content.
+
+- **`fix_cache_permissions.sh`** — Fixes permissions on every cache
+  directory the project may use (`/var/cache/ledmatrix/`,
+  `~/.cache/ledmatrix/`, `/opt/ledmatrix/cache/`, project-local
+  `cache/`). Also creates placeholder logo subdirectories used by the
+  sports plugins.
+
+- **`fix_plugin_permissions.sh`** — Fixes ownership on the plugins
+  directory so both the root display service and the web service user
+  can read and write plugin files (manifests, configs, requirements
+  installs).
+
+- **`fix_web_permissions.sh`** — Fixes permissions on log files,
+  systemd journal access, and the sudoers entries the web interface
+  needs to control the display service.
+
+- **`fix_nhl_cache.sh`** — Targeted fix for NHL plugin cache issues
+  (clears the NHL cache and restarts the display service).
+
+- **`safe_plugin_rm.sh`** — Validates that a plugin removal path is
+  inside an allowed base directory before deleting it. Used by the web
+  interface (via sudo) when a user clicks **Uninstall** on a plugin —
+  prevents path-traversal abuse from the web UI.
+
+## When to use these
+
+Most users never need to run these directly. The first-time installer
+(`first_time_install.sh`) sets up permissions correctly, and the web
+interface manages plugin install/uninstall through the sudoers entries
+the installer creates.
+
+Run these scripts only when:
+
+- You see "Permission denied" errors in `journalctl -u ledmatrix` or
+  the web UI Logs tab.
+- You manually copied files into the project directory as the wrong
+  user.
+- You restored from a backup that didn't preserve ownership.
+- You moved the LEDMatrix directory and need to re-anchor permissions.
+
+## Usage
+
+```bash
+# Run from the project root
+sudo ./scripts/fix_perms/fix_cache_permissions.sh
+sudo ./scripts/fix_perms/fix_assets_permissions.sh
+sudo ./scripts/fix_perms/fix_plugin_permissions.sh
+sudo ./scripts/fix_perms/fix_web_permissions.sh
+```
+
+If you're not sure which one you need, run `fix_cache_permissions.sh`
+first — it's the most commonly needed and creates several directories
+the other scripts assume exist.