moose-inventory 1.0.8 → 1.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: d4c867504f182214f4cb07980133ad5de8a68832
-  data.tar.gz: 99a656d44136b36bb7bd2c7187ec9ff66af51bb5
+SHA256:
+  metadata.gz: bba43a0d585b334c19629209ae0f323d88ac1c618de4a926769765a5146933b7
+  data.tar.gz: 701d64c584a0e0d10266466a94350aa69731a15f623ca37f9edac917c5dd2a38
 SHA512:
-  metadata.gz: 3d1fe423b62518e54affd30939593ce8c8d6b0145424651a35aa30186bedd9ba195025abd7ef04385f082a7fedfb496a0aa75b994f1f52b724438e5b998745b7
-  data.tar.gz: d257057b70e3c25f043d0ae43faac496fe2e5461cf0bcad821196da30c5d86883d1620468bbdef1e6b91ecbb8476459af0eab62c0f0d8cc0d8552dab664aa29b
+  metadata.gz: ef297abb3d7836f1c7f1a20d46a1f79eee14957a74651628fa2fa523ffd5ed26de9f374e551ae861cd8b68d6cc1a646fba52a85209929b2259a078b2409b1a9f
+  data.tar.gz: d9cfa2e8a85065415858a47aa4e2e1878483e8e982bda25a9d37f05f61c0373e7b7b6bd4ec0f1ba9f0ac3dcf9f796b458c96f794f29466e91aed179a0b6293af

data/.github/workflows/ci.yml

@@ -0,0 +1,35 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby-version: ['3.2', '3.3', '3.4']
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby-version }}
+          bundler-cache: true
+
+      - name: Install native build dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential default-libmysqlclient-dev libpq-dev libsqlite3-dev
+
+      - name: Run local check gate
+        run: ./scripts/check.sh

data/.gitignore

@@ -1,6 +1,5 @@
 /.bundle/
 /.yardoc
-/Gemfile.lock
 /_yardoc/
 /coverage/
 /doc/
@@ -18,3 +17,4 @@ mkmf.log
 *.gem
 /gems/
 moose-inventory.spec
+/.openclaw-security-audit/

data/BACKLOG.md

@@ -0,0 +1,184 @@
+# Moose Inventory Release Readiness Backlog
+
+Release readiness status counts: 5 done / 2 open.
+
+## Open
+
+1. Resolve GitHub Actions Node.js 20 deprecation warning.
+   - Current CI passes, but GitHub warns that `actions/checkout@v4` is running on Node.js 20 and Node.js 24 will become the default.
+   - Review available `actions/checkout` updates or GitHub-recommended configuration, then update the workflow so CI stays warning-free before Node.js 20 removal.
+
+1. Add GitHub Actions RubyGems trusted publishing.
+   - Manual publishing is documented in `docs/release/publishing.md`.
+   - Future improvement: configure RubyGems trusted publishing, publish from reviewed `v*` tags, and avoid long-lived RubyGems API keys on developer machines.
+
+## Done
+
+1. Decide and declare the supported Ruby version floor.
+   - Set `spec.required_ruby_version` to `>= 3.2` in the gemspec.
+   - Updated GitHub Actions CI to test Ruby `3.2`, `3.3`, and `3.4` so the declared floor remains exercised.
+   - Updated release-readiness documentation to describe matrix coverage.
+
+1. Document manual RubyGems publishing.
+   - Added `docs/release/publishing.md` with the current manual release path: verify version, run `./scripts/check.sh`, push and wait for CI, build the gem, `gem push`, verify RubyGems, then tag the release.
+   - Noted that the repo currently has CI but no publishing workflow.
+   - Added the trusted-publishing follow-up as an open release-readiness item.
+
+1. Create a release-readiness backlog.
+   - Added this release-readiness section to track post-modernization packaging/CI hardening separately from the completed modernization and fresh-pass backlogs.
+
+1. Add CI/security gates to prevent regressions.
+   - Added `.github/workflows/ci.yml` for GitHub Actions on `master` pushes and pull requests.
+   - Expanded `./scripts/check.sh` to run the RSpec suite, `git diff --check`, executable-permission checks, OSV dependency advisory checks, and package sanity checks.
+   - Added `scripts/ci/check_permissions.sh` to keep executable bits limited to intentional entrypoints and scripts.
+   - Added `scripts/ci/check_security.sh` to query OSV for locked RubyGems dependency advisories.
+
+1. Do a gem/package sanity pass.
+   - Added `scripts/ci/package_sanity.sh` to build the gem, inspect the packaged payload, verify required files, check executable metadata, and smoke-test the CLI version command.
+   - Documented the release-readiness gate in `docs/release/release-readiness.md`.
+
+---
+
+# Moose Inventory GitHub Issues Backlog
+
+GitHub issues status counts: 0 done / 4 open.
+
+## Open
+
+1. [#14 Passwords in config files](https://github.com/RusDavies/moose-inventory/issues/14)
+   - README examples currently show database passwords stored directly in configuration files.
+   - Determine whether Moose Inventory supports reading credentials from environment variables today.
+   - If not, decide whether to add environment-variable credential support or at least document safer credential-handling guidance.
+   - Update README/config examples so they do not accidentally encourage secret-in-repo bad practice.
+
+1. [#13 Need to refactor](https://github.com/RusDavies/moose-inventory/issues/13)
+   - CLI command modules contain similar methods across host/group operations, for example `GroupAdd` and `HostAdd`-style flows.
+   - Existing code has historically needed complexity metric disables such as `Metrics/AbcSize` and `Metrics/CyclomaticComplexity`.
+   - Evaluate cost/benefit before doing a broad refactor; identify specific low-risk extraction targets and regression coverage needed.
+
+1. [#12 Allow `group rm` to recursively delete orphaned child groups](https://github.com/RusDavies/moose-inventory/issues/12)
+   - Decide product semantics for recursive group deletion: default behavior, explicit switch, safety prompts/flags, and how to distinguish intentional tree deletion from accidental orphan cleanup.
+   - If implemented, add tests for `group rm` and `group rmchild` orphan-child behavior, root-group handling, and host `ungrouped` behavior.
+
+1. [#4 `--trace` doesn't do what it claims](https://github.com/RusDavies/moose-inventory/issues/4)
+   - Reproduce current `--trace` behavior and confirm whether exceptions/backtraces are still truncated.
+   - Fix trace handling so transaction errors emit useful full exception/backtrace information when `--trace` is enabled while preserving concise default errors.
+   - Add regression coverage for both trace and non-trace error output.
+
+## Done
+
+_No GitHub issue backlog items completed yet._
+
+---
+
+# Moose Inventory Fresh Pass Backlog
+
+Fresh pass status counts: 8 done / 0 open.
+
+## Open
+
+_No open fresh-pass items._
+
+## Done
+
+1. Refresh user-facing docs and setup scripts after DB support decisions.
+   - Fixed README typos/stale DB support notes and documented the tested support matrix: SQLite live file coverage plus MySQL/PostgreSQL adapter/error-path smoke coverage.
+   - Updated `scripts/install_dependencies.sh` for current Fedora package names, removing obsolete `mysql-utilities` and using client development headers for SQLite, MariaDB/MySQL, and PostgreSQL.
+   - Verified with full `./scripts/check.sh` and shell syntax check for the install script.
+
+1. Add adapter/error-path smoke tests to the stable QA gate.
+   - Expanded DB specs included by `./scripts/check.sh` to cover documented adapter dispatch for SQLite, MySQL, and PostgreSQL.
+   - Added missing-key error-path smoke coverage for SQLite, MySQL, and PostgreSQL, alongside existing unsupported-adapter and nested SQLite path coverage.
+   - Verified with full `./scripts/check.sh`.
+
+1. Harden YAML config loading.
+   - Replaced `YAML.load_file` with `YAML.safe_load_file` using no permitted classes, no permitted symbols, and aliases disabled.
+   - Added regression coverage ensuring config loading uses the safe YAML loader while preserving existing config fixture behavior.
+   - Verified with full `./scripts/check.sh`.
+
+1. Use recursive directory creation for SQLite database paths.
+   - Replaced single-level `Dir.mkdir` with `FileUtils.mkdir_p` in `init_sqlite3`.
+   - Added regression coverage for nested SQLite database file paths.
+   - Verified with full `./scripts/check.sh`.
+
+1. Fix existing-host group association logic in `host add --groups`.
+   - Fixed the association-existence condition so existing hosts can be associated with new groups and true duplicate associations are skipped with the existing warning.
+   - Added regression coverage for adding a new group to an existing host and idempotently skipping an existing association.
+   - Verified with full `./scripts/check.sh`.
+
+1. Fix or de-scope PostgreSQL support.
+   - Implemented `init_postgresql` using the existing `pg` dependency and `Sequel.postgres`.
+   - Added regression coverage for PostgreSQL connection option wiring without requiring a live PostgreSQL server.
+   - Verified with full `./scripts/check.sh`.
+
+1. Fix MySQL adapter support or remove it from advertised support.
+   - Fixed `DB.connect` to dispatch documented `adapter: mysql` instead of misspelled `msqsql`.
+   - Updated `init_mysql` to require `mysql2` and use `Sequel.mysql2`, matching the project dependency.
+   - Added regression coverage for MySQL adapter dispatch and connection option wiring without requiring a live MySQL server.
+   - Verified with full `./scripts/check.sh`.
+
+1. Initialize/use DB exception classes before connection failures.
+   - Added DB exception initialization before connection setup so unsupported adapters raise `Moose::Inventory::DB::MooseDBException` instead of masking the intended error with `NoMethodError` on nil `@exceptions`.
+   - Added regression coverage for unsupported adapter initialization.
+   - Verified with full `./scripts/check.sh`.
+
+---
+
+# Moose Inventory Modernization Backlog
+
+Status counts: 10 done / 0 open.
+
+## Open
+
+_No open modernization items._
+
+## Done
+
+1. Review old QA tooling (`rubocop ~> 0`, Guard, Coveralls/SimpleCov setup) and decide what still belongs in the project.
+   - Removed obsolete RuboCop/Guard/Coveralls tooling after confirming current `rubocop 0.93.1` fails under Ruby 3.4 with missing bundled/default gems and obsolete config entries.
+   - Kept SimpleCov as the local coverage gate because the RSpec suite still passes with 95.16% line coverage against a 90% minimum.
+   - Added `scripts/check.sh` as the stable local QA entry point for `bundle exec rspec --format progress` and documented it in the README.
+   - Updated `scripts/reports.sh` to open the remaining SimpleCov HTML report only.
+   - Verified with `bundle lock`, `scripts/check.sh`, and `git diff --check`.
+
+1. Modernize remaining stale runtime dependencies with care, especially `mysql2` and `sqlite3`.
+   - `pg` has been moved to a Ruby-3.4-compatible constraint.
+   - `json`, `sequel`, and `thor` have been moved to Ruby-3.4-compatible constraints.
+   - Tightened `mysql2` from `~> 0` to `>= 0.5.7, < 0.6`; Bundler keeps resolving `mysql2 0.5.7`.
+   - Relaxed/modernized `sqlite3` from `~> 1` to `>= 1.7, < 3`; Bundler now resolves `sqlite3 2.9.4`.
+   - Verified with `bundle update sqlite3 mysql2 --conservative` and `bundle exec rspec --format documentation`: 242 examples, 0 failures; line coverage 95.16%.
+
+1. Generate and commit a current `Gemfile.lock` after deciding whether to stop ignoring it.
+   - Removed `/Gemfile.lock` from `.gitignore`.
+   - Generated `Gemfile.lock` with Bundler 2.6.9 under Ruby 3.4.8.
+   - Verified the lockfile baseline with `bundle exec rspec --format documentation`.
+
+1. Update Ruby/Bundler dependency constraints so the project can resolve with current Bundler/Ruby.
+   - Changed the development dependency from `bundler ~> 1` to `bundler >= 1.17, < 3`.
+   - Verified dependency resolution with `bundle lock` under Ruby 3.4.8 / Bundler 2.6.9.
+2. Provide Ruby development headers for native gem compilation.
+   - Russ installed `ruby-devel`; verified `/usr/include/ruby.h` exists.
+   - Full `bundle install` now gets past the Ruby header blocker.
+3. Remove the stale direct `hitimes ~> 1` development dependency.
+   - Removed `spec.add_development_dependency 'hitimes', '~> 1'` from the gemspec.
+   - Removed `rubygem-hitimes` from `scripts/install_dependencies.sh`.
+   - `hitimes 1.3.1` failed to compile against Ruby 3.4 and was only referenced as legacy development tooling.
+   - Verified `bundle lock --print` no longer includes `hitimes`.
+4. Move past missing database client headers.
+   - `bundle install` now builds/installs both `mysql2` and `pg` dependencies in this environment.
+5. Update the stale `pg` dependency for Ruby 3.4 compatibility.
+   - Changed `pg` from `~> 0` to `>= 1.5, < 2`.
+   - Verified Bundler resolves `pg 1.6.3` instead of `pg 0.21.0`.
+   - Verified `bundle install` completes successfully under Ruby 3.4.8 / Bundler 2.6.9.
+6. Run the existing RSpec suite and establish a green modern-Ruby baseline.
+   - Initial baseline exposed startup/runtime incompatibilities in old `thor`, `json`, and `sequel` constraints.
+   - Updated `json` from `~> 1` to `>= 2.7, < 3`.
+   - Updated `thor` from `~> 0` to `>= 1.3, < 2`.
+   - Updated `sequel` from `~> 4` to `>= 5.80, < 6`.
+   - Verified Bundler resolves `json 2.19.5`, `thor 1.5.0`, and `sequel 5.104.0`.
+7. Fix RSpec harness compatibility with the current checkout/test flow.
+   - `spec_helper` now creates `tmp/` before deleting test database files, avoiding `Errno::ENOENT` on fresh clones.
+   - Config specs now pass an explicit fixture config when testing default option values.
+   - Ansible-mode CLI specs now pass the fixture config when invoking the top-level CLI.
+   - Updated the `--list` expectation for Ansible mode, which correctly includes empty `hosts` arrays.
+   - Verified `bundle exec rspec --format documentation`: 242 examples, 0 failures; line coverage 95.16%.

data/Gemfile.lock

@@ -0,0 +1,60 @@
+PATH
+  remote: .
+  specs:
+    moose-inventory (1.0.9)
+      indentation (~> 0)
+      json (>= 2.7, < 3)
+      mysql2 (>= 0.5.7, < 0.6)
+      pg (>= 1.5, < 2)
+      sequel (>= 5.80, < 6)
+      sqlite3 (>= 1.7, < 3)
+      thor (>= 1.3, < 2)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    bigdecimal (4.1.2)
+    diff-lcs (1.6.2)
+    docile (1.4.1)
+    indentation (0.1.1)
+    json (2.19.5)
+    mysql2 (0.5.7)
+      bigdecimal
+    pg (1.6.3-x86_64-linux)
+    rake (13.4.2)
+    rspec (3.13.2)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.6)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.8)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.7)
+    sequel (5.104.0)
+      bigdecimal
+    simplecov (0.22.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.13.2)
+    simplecov_json_formatter (0.1.4)
+    sqlite3 (2.9.4-x86_64-linux-gnu)
+    thor (1.5.0)
+
+PLATFORMS
+  x86_64-linux
+
+DEPENDENCIES
+  bundler (>= 2.2.33, < 3)
+  moose-inventory!
+  rake (>= 13.0, < 14)
+  rspec (~> 3)
+  simplecov (~> 0)
+
+BUNDLED WITH
+   2.6.9

data/README.md

@@ -9,14 +9,13 @@ Note 2: This software is intended for use on UNIX/Linux systems.  It will likely
 
 ## Installation
 
-Note: You may need to install certain development tools (e.g. gcc, postresql-devel, mysql-devel, sqlite-devel) on your system, in order for the gem installation to perform native builds. 
+Note: You may need to install Ruby development headers and database client development packages on your system so native gems can build. On current Fedora releases, the project helper script installs the expected SQLite, MariaDB/MySQL, and PostgreSQL client headers.
 
 The tool is a ruby gem. Assuming that you have ruby on your system, then it can be installed from the command line as follows.
 
     $ gem install moose-inventory
 
-Note: It may be necassary to first install certain development tools (e.g. gcc, postresql-devel, mysql-devel, sqlite-devel), in order for the gem installation to perform nati
-ve builds.
+Note: It may be necessary to first install native build tools and database client development headers before installing the gem or running Bundler.
 
 It can also be installed by adding the following line to a Gemfile and then executing `bundle`:
 
@@ -77,9 +76,9 @@ You may add as many environment sections as you desire. The intention is to enab
 
 At present,  each environment section contains only a **db** subsection, describing database connection parameters.  Additional subsections may be added in the future, as functionality increases. 
 
-Each **db** section must include an **adapter** parameter. Currently supported adapter types are *sqlite3*, *mysql*, and *postresql*.  Note, as a matter of portability, only *sqlite3* is exercised via the test suite. 
+Each **db** section must include an **adapter** parameter. Currently supported adapter types are *sqlite3*, *mysql*, and *postgresql*. The test suite exercises SQLite with a local database file and includes adapter dispatch/error-path smoke coverage for MySQL and PostgreSQL without requiring live database servers.
 
-Additional parameters are also required in the **db** subsection, depending on the adapter type.   For the *sqlite3* adapter only a **file** parameter is required.  For both *mysql* and *postgresql*, then **host**, **database**, **user**, and **password** are the required parameters. 
+Additional parameters are also required in the **db** subsection, depending on the adapter type. For the *sqlite3* adapter only a **file** parameter is required; parent directories are created automatically. For both *mysql* and *postgresql*, **host**, **database**, **user**, and **password** are required.
 
 
 ## Usage
@@ -364,6 +363,16 @@ A useful aspect of dynamic inventories is the possibility of writing data to the
 ```
 
  
+## Development checks
+
+Run the local verification gate before committing changes:
+
+```shell
+./scripts/check.sh
+```
+
+The check script runs the RSpec suite and enforces the SimpleCov coverage minimum.
+
 ## Contributing
 1. Fork it (https://github.com/RusDavies/moose-inventory/fork )
 2. Create your feature branch (git checkout -b my-new-feature`)

data/bin/moose-inventory

@@ -7,4 +7,4 @@ rescue
   require 'moose_inventory'
 end
 
-Moose::Inventory::Cli.start(ARGV) 
+Moose::Inventory::Cli.start(ARGV)

data/docs/release/publishing.md

@@ -0,0 +1,113 @@
+# Publishing to RubyGems
+
+This project has historically been published manually to RubyGems as [`moose-inventory`](https://rubygems.org/gems/moose-inventory).
+
+At the time this document was added:
+
+- The latest published RubyGems version was `1.0.8`.
+- The repository version was `1.0.9` in `lib/moose_inventory/version.rb`.
+- The repository had CI for checks, but no GitHub Actions publishing workflow.
+
+## Release checklist
+
+1. Start from a clean `master` branch.
+
+   ```bash
+   git checkout master
+   git pull --ff-only origin master
+   git status --short --branch
+   ```
+
+2. Confirm the version to publish.
+
+   ```bash
+   ruby -e "require './lib/moose_inventory/version'; puts Moose::Inventory::VERSION"
+   gem info moose-inventory --remote --all
+   ```
+
+   If the repository version is already higher than the latest RubyGems version, you can publish it as-is after checks pass. If not, bump `lib/moose_inventory/version.rb` first and commit that change before publishing.
+
+3. Run the local release gate.
+
+   ```bash
+   ./scripts/check.sh
+   ```
+
+   This runs the spec suite, whitespace checks, executable-permission checks, OSV dependency advisory checks, and gem package sanity checks.
+
+4. Push the release commit and wait for CI to pass.
+
+   ```bash
+   git push origin master
+   ```
+
+   Do not publish to RubyGems until the GitHub Actions CI run for the pushed commit is green.
+
+5. Build the gem from the exact commit you intend to release.
+
+   ```bash
+   rm -rf pkg tmp/pkg tmp/package-sanity
+   gem build moose-inventory.gemspec
+   ```
+
+   The output should be named like `moose-inventory-1.0.9.gem`.
+
+6. Inspect the built gem metadata if desired.
+
+   ```bash
+   gem specification moose-inventory-1.0.9.gem name version executables require_paths files --yaml
+   ```
+
+7. Publish to RubyGems.
+
+   ```bash
+   gem push moose-inventory-1.0.9.gem
+   ```
+
+   If RubyGems auth is not already configured, `gem push` will prompt for credentials or an API key.
+
+8. Verify the published version.
+
+   ```bash
+   gem info moose-inventory --remote --all
+   gem install moose-inventory -v 1.0.9
+   moose-inventory --help
+   ```
+
+9. Tag the release after RubyGems confirms it is live.
+
+   ```bash
+   git tag -a v1.0.9 -m "Release v1.0.9"
+   git push origin v1.0.9
+   ```
+
+## Authentication notes
+
+Prefer a scoped RubyGems API key over an old global key:
+
+- Scope it to pushing gems, ideally only `moose-inventory` if RubyGems permits that for the account.
+- Store it in `~/.gem/credentials` with file mode `0600` if publishing manually.
+- Do not commit RubyGems credentials, `.gem/credentials`, shell history containing tokens, or generated private keys.
+
+Check credential file permissions with:
+
+```bash
+ls -l ~/.gem/credentials
+chmod 0600 ~/.gem/credentials
+```
+
+## Current publishing model
+
+Publishing is manual. There is no automated release workflow in this repository yet.
+
+A future improvement would be to configure RubyGems trusted publishing through GitHub Actions so releases can be published from a tagged, reviewed workflow without long-lived RubyGems API keys on a developer machine.
+
+Suggested future workflow:
+
+1. Add RubyGems trusted publishing for this repository and gem.
+2. Add a GitHub Actions workflow triggered by `v*` tags.
+3. Have the workflow run `./scripts/check.sh`.
+4. Build the gem.
+5. Publish via trusted publishing only if the tag version matches `Moose::Inventory::VERSION`.
+
+Until that is implemented, use the manual process above.

data/docs/release/release-readiness.md

@@ -0,0 +1,41 @@
+# Release readiness notes
+
+This project now has a small release-readiness gate intended to catch the regressions found during the modernization and security-audit passes.
+
+## Local gate
+
+Run:
+
+```bash
+./scripts/check.sh
+```
+
+The gate currently runs:
+
+1. RSpec with coverage via the existing spec helper.
+2. `git diff --check` for whitespace/conflict-marker issues in the working tree.
+3. `scripts/ci/check_permissions.sh` to ensure only intentional tracked repository entrypoints are executable.
+4. `scripts/ci/check_security.sh` to query OSV for locked RubyGems dependency advisories.
+5. `scripts/ci/package_sanity.sh` to build the gem, inspect the packaged payload, and smoke-test the CLI version command.
+
+## CI gate
+
+GitHub Actions workflow: `.github/workflows/ci.yml`.
+
+It installs native headers needed by the DB gems, runs the same `./scripts/check.sh` gate used locally, and tests the maintained Ruby version range through the GitHub Actions matrix.
+
+## Package sanity expectations
+
+`package_sanity.sh` validates that the built gem includes at least:
+
+- `bin/moose-inventory`
+- `lib/moose_inventory.rb`
+- `lib/moose_inventory/version.rb`
+- `README.md`
+- `LICENSE.txt`
+
+It also verifies the gem metadata exposes the `moose-inventory` executable and that `bundle exec ruby -Ilib bin/moose-inventory --config spec/config/config.yml version` returns a version string.
+
+## Dependency advisory expectations
+
+`check_security.sh` reads `Gemfile.lock`, queries OSV's batch API for RubyGems packages, and fails on known vulnerabilities. This is intentionally simple and external-network-dependent; if OSV is unavailable, the gate fails closed so CI does not silently bless an unknown dependency state.

data/docs/security-audit-2026-05-21.md

@@ -0,0 +1,71 @@
+# Security audit — 2026-05-21
+
+Scope: local static/security review of the `moose-inventory` Ruby CLI/gem at commit `ff522502d5981314c451e855be10cbbc7ebeba48`, plus the hardening changes on branch `security-audit-2026-05-21`.
+
+## Executive summary
+
+The audit found one actionable dependency vulnerability and one low-risk repository hygiene issue. Both were remediated in this branch:
+
+1. Development dependency `rake 10.5.0` was affected by CVE-2020-8130 / GHSA-jppv-gw3r-w3q8, an OS command injection issue in `Rake::FileList` for filenames beginning with `|`. The gemspec now requires `rake >= 13.0, < 14`, and `Gemfile.lock` resolves `rake 13.4.2`.
+2. Most source, config, docs, and spec files were executable (`100755`) even though they are not entrypoints. The branch normalizes non-executable files to `100644`, keeping only `bin/moose-inventory` and actual scripts executable.
+
+After the dependency update, an OSV query for locked RubyGems dependencies returned zero known vulnerabilities. Semgrep Ruby rules returned zero findings.
+
+## Surfaces reviewed
+
+- CLI entrypoint: `bin/moose-inventory`
+- Global config parsing and file loading: `lib/moose_inventory/config/config.rb`
+- DB connection and schema creation: `lib/moose_inventory/db/db.rb`
+- Sequel models and associations: `lib/moose_inventory/db/models.rb`
+- CLI command handlers under `lib/moose_inventory/cli/`
+- Packaging metadata: `moose-inventory.gemspec`, `Gemfile`, `Gemfile.lock`
+- Helper scripts under `scripts/`
+- Test fixtures/config under `spec/`
+
+## Findings fixed
+
+### P2 — Vulnerable development dependency: `rake 10.5.0`
+
+- Evidence: `Gemfile.lock` resolved `rake (10.5.0)` and `moose-inventory.gemspec` constrained rake to `~> 10`.
+- Advisory: OSV/GitHub Advisory `GHSA-jppv-gw3r-w3q8`, CVE-2020-8130.
+- Impact: local OS command injection in vulnerable Rake versions when `Rake::FileList` receives a filename beginning with the pipe character (`|`). This is primarily a developer/build-time risk, not a runtime CLI inventory risk.
+- Fix: changed the development dependency to `rake >= 13.0, < 14` and refreshed `Gemfile.lock` to `rake 13.4.2`.
+- Validation: OSV query after the update returned `deps_with_vulns 0`.
+
+### P4 — Over-broad executable bits on repository files
+
+- Evidence: file inventory showed `100755` executable mode on `Gemfile`, `README.md`, library files, specs, config, and other non-entrypoint files.
+- Impact: low. This does not create a direct vulnerability by itself, but it expands accidental execution surface and makes packaging/review noisier than necessary. Tiny footgun, sharp enough to remove.
+- Fix: normalized non-entrypoint files to `100644`; retained executable mode for `bin/moose-inventory` and scripts with shebangs.
+
+## Notable negative findings
+
+- Config deserialization now uses `YAML.safe_load_file` with aliases disabled and no permitted classes/symbols.
+- No shell execution sinks were found in runtime code. The backtick use in `moose-inventory.gemspec` is the normal `git ls-files` packaging pattern.
+- Database access uses Sequel model/hash APIs for user-provided names and variables; no raw SQL interpolation was identified in the reviewed CLI/database paths.
+- No committed secrets were identified outside expected example/test placeholder passwords.
+- No external network-facing service, HTTP route, RPC handler, webhook, queue consumer, or upload parser exists in this repo; the meaningful attack surface is local CLI usage and build/development tooling.
+
+## Tooling evidence
+
+- Inventory: 79 files; Ruby manifests: `Gemfile`, `Gemfile.lock`.
+- Semgrep: `semgrep --config p/ruby --json --quiet .` returned 0 findings.
+- OSV dependency query before fix: 1 vulnerable dependency (`rake 10.5.0`, `GHSA-jppv-gw3r-w3q8`).
+- OSV dependency query after fix: 41 RubyGems dependency records queried, 0 dependencies with known vulnerabilities.
+- `bundle-audit`, `osv-scanner`, `gitleaks`, `trufflehog`, and `brakeman` were not installed in this environment. Brakeman is also Rails-specific and not expected to apply here.
+
+## Residual risks / future hardening
+
+- Consider adding a CI security job for OSV or bundler-audit so dependency advisories are caught before they fossilize in the lockfile like a tiny Jurassic Park exhibit.
+- Consider keeping generated coverage artifacts out of normal grep/scanner paths; they are ignored from this audit because they contain large bundled HTML/CSS assets.
+
+## GitHub Dependabot follow-up after first push
+
+After pushing the audit remediation, GitHub emitted a default-branch warning for 7 Dependabot vulnerabilities. Querying the repository Dependabot alerts through `gh api repos/RusDavies/moose-inventory/dependabot/alerts` showed that all 7 were already in `fixed` state after the modernization/security-audit commits reached GitHub:
+
+- `rake`: GHSA-jppv-gw3r-w3q8 / CVE-2020-8130, fixed by `rake >= 13.0, < 14` and lockfile `rake 13.4.2`.
+- `json`: GHSA-jphg-qwrw-7w9g / CVE-2020-10663, fixed by the existing current constraint `json >= 2.7, < 3` and lockfile `json 2.19.5`.
+- `rubocop`: GHSA-wmjf-jpjj-9f3j / CVE-2017-8418, fixed by removing RuboCop as a development dependency.
+- `bundler`: GHSA-jvgm-pfqv-887x / CVE-2016-7954, GHSA-g98m-96g9-wfjq / CVE-2019-3881, GHSA-fp4w-jxhp-m23p / CVE-2020-36327, and GHSA-fj7f-vq84-fh43 / CVE-2021-43809. GitHub marked these fixed because the lockfile uses Bundler 2.6.9; this follow-up also tightens the gemspec development dependency to `bundler >= 2.2.33, < 3` so fresh development installs cannot select known-vulnerable Bundler 1.x/early 2.x releases.
+
+Follow-up validation: `gh api 'repos/RusDavies/moose-inventory/dependabot/alerts?state=open'` returned no open alerts.