moose-inventory 1.0.8 → 2.0

data/BACKLOG.md

@@ -0,0 +1,290 @@
+# Moose Inventory Release Readiness Backlog
+
+Release readiness status counts: 12 done / 1 open.
+
+## Open
+
+1. Verify RubyGems trusted publishing with the next real release tag.
+   - RubyGems trusted publisher is configured for repository `RusDavies/moose-inventory`, workflow `release.yml`, and environment `release`.
+   - Verify the full trusted-publishing path when publishing the next real version tag.
+   - Do not retag already-published `v1.0.9`.
+
+## Done
+
+1. Align release workflow with required CI security tooling.
+   - Security audit rerun found that `.github/workflows/release.yml` ran `./scripts/check.sh` without installing or requiring the dedicated security tools, meaning tag-based releases could skip `gitleaks`/`osv-scanner` enforcement if those tools were absent.
+   - Added Go setup with cache disabled, installed pinned security tools through `scripts/ci/install_security_tools.sh`, required `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1` during the release check gate, and added the same native-dependency timeout used by CI.
+   - Documented the rerun in `docs/security-audit-2026-05-26-rerun.md`; final trusted-publishing proof remains gated on the next real release tag.
+
+1. Add manual GitHub Actions CI trigger and harden CI runner setup.
+   - Added `workflow_dispatch` to `.github/workflows/ci.yml` so CI can be manually triggered when push events fail to enqueue during a GitHub Actions incident.
+   - Verified both push-triggered CI and manual `workflow_dispatch` CI runs succeeded on `master`.
+   - Disabled unused `actions/setup-go` caching for the Go-based security tools so the workflow no longer emits a missing-`go.mod` cache warning.
+   - Added a timeout to the native dependency installation step so runner package-manager stalls fail fast instead of hanging the matrix indefinitely.
+
+1. Diagnose missing GitHub Actions runs after security-tooling merge.
+   - Confirmed the affected commits were pushed and visible on GitHub, with GitHub PushEvents recorded but no check runs created.
+   - Confirmed the workflow was active and visible, and GitHub Actions was degraded during the missing-run window due to platform-side authentication/startup issues.
+   - Conclusion: the missing runs were caused by a GitHub Actions incident, not by the repository workflow configuration.
+
+1. Install optional local/CI security audit tools.
+   - Added `bundler-audit` as a development dependency and wired it into `scripts/ci/check_security.sh`.
+   - Added `scripts/ci/install_security_tools.sh` to install pinned `gitleaks` and `osv-scanner` CLI tools into `tmp/security-tools/bin` when they are not already on `PATH`.
+   - Added `scripts/ci/check_secrets.sh` and `.gitleaks.toml` so generated audit, coverage, and package-sanity artifacts stay out of dedicated secret scans.
+   - Updated GitHub Actions CI to install the Go-based audit tools and require them during `./scripts/check.sh`; local runs skip missing optional tools unless `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1` is set.
+
+1. Configure RubyGems trusted publisher for the existing gem.
+   - Repository-side trusted publishing workflow is present in `.github/workflows/release.yml`.
+   - RubyGems trusted publisher is configured for the `moose-inventory` gem with repository `RusDavies/moose-inventory`, workflow `release.yml`, and environment `release`.
+   - Evidence: RubyGems trusted publisher page shows GitHub Actions for `RusDavies/moose-inventory`, workflow `release.yml`, environment `release`.
+
+1. Add GitHub Actions RubyGems trusted publishing.
+   - Added `.github/workflows/release.yml` triggered by `v*` tags.
+   - The workflow verifies the tag matches `Moose::Inventory::VERSION`, runs `./scripts/check.sh`, and publishes with `rubygems/release-gem@v1` using OIDC/trusted publishing.
+   - Updated `docs/release/publishing.md` and `docs/release/release-readiness.md` with trusted publishing release instructions and RubyGems setup requirements.
+
+1. Resolve GitHub Actions Node.js 20 deprecation warning.
+   - Updated the CI workflow to use `actions/checkout@v5`, which runs on the Node.js 24 runtime.
+   - Verified with full `./scripts/check.sh` and a post-merge GitHub Actions run with no Node.js 20 deprecation annotations.
+
+1. Decide and declare the supported Ruby version floor.
+   - Set `spec.required_ruby_version` to `>= 3.2` in the gemspec.
+   - Updated GitHub Actions CI to test Ruby `3.2`, `3.3`, and `3.4` so the declared floor remains exercised.
+   - Updated release-readiness documentation to describe matrix coverage.
+
+1. Document manual RubyGems publishing.
+   - Added `docs/release/publishing.md` with the current manual release path: verify version, run `./scripts/check.sh`, push and wait for CI, build the gem, `gem push`, verify RubyGems, then tag the release.
+   - Noted that the repo currently has CI but no publishing workflow.
+   - Added the trusted-publishing follow-up as an open release-readiness item.
+
+1. Create a release-readiness backlog.
+   - Added this release-readiness section to track post-modernization packaging/CI hardening separately from the completed modernization and fresh-pass backlogs.
+
+1. Add CI/security gates to prevent regressions.
+   - Added `.github/workflows/ci.yml` for GitHub Actions on `master` pushes and pull requests.
+   - Expanded `./scripts/check.sh` to run the RSpec suite, `git diff --check`, executable-permission checks, OSV dependency advisory checks, and package sanity checks.
+   - Added `scripts/ci/check_permissions.sh` to keep executable bits limited to intentional entrypoints and scripts.
+   - Added `scripts/ci/check_security.sh` to query OSV for locked RubyGems dependency advisories.
+
+1. Do a gem/package sanity pass.
+   - Added `scripts/ci/package_sanity.sh` to build the gem, inspect the packaged payload, verify required files, check executable metadata, and smoke-test the CLI version command.
+   - Documented the release-readiness gate in `docs/release/release-readiness.md`.
+
+---
+
+# Moose Inventory GitHub Issues Backlog
+
+GitHub issues status counts: 4 done / 0 open.
+
+## Open
+
+_No open GitHub issue items._
+
+## Done
+
+1. [#13 Need to refactor](https://github.com/RusDavies/moose-inventory/issues/13)
+   - Added shared `Moose::Inventory::Cli::Helpers` for command argument validation, name normalization, CSV option parsing, automatic `ungrouped` validation, association checks, and automatic group membership maintenance.
+   - Refactored representative host/group association commands to use the helper layer while preserving existing CLI output and behavior.
+   - Verified with focused CLI specs and full `./scripts/check.sh`.
+
+1. [#12 Allow `group rm` to recursively delete orphaned child groups](https://github.com/RusDavies/moose-inventory/issues/12)
+   - Kept default deletion conservative: `group rm NAME` removes only the named group and preserves child groups as root groups.
+   - Added explicit `group rm --recursive NAME` to delete descendant groups only when they become orphaned by the removal.
+   - Added explicit `group rmchild --delete-orphans PARENT CHILD...` to remove parent-child associations and delete orphaned child subtrees.
+   - Preserved groups that still have another parent outside the removed edge/subtree.
+   - Preserved host safety by moving hosts whose last group is deleted to `ungrouped`.
+   - Added regression coverage for recursive deletion, shared-parent preservation, and host fallback to `ungrouped`.
+
+1. [#4 `--trace` doesn't do what it claims](https://github.com/RusDavies/moose-inventory/issues/4)
+   - Reproduced the broken trace path: `--trace` attempted to print `$ERROR_INFO.backtrace` without requiring `English`, causing a secondary `NoMethodError` instead of a clean trace dump.
+   - Fixed Moose DB transaction trace handling to emit the actual exception full message/backtrace while preserving concise default errors.
+   - Added regression coverage for both trace and non-trace Moose DB transaction errors.
+   - Verified with full `./scripts/check.sh`.
+
+1. [#14 Passwords in config files](https://github.com/RusDavies/moose-inventory/issues/14)
+   - Added `password_env` support for MySQL and PostgreSQL database configuration while preserving the existing `password` key for compatibility.
+   - Added regression coverage for missing password configuration, unset password environment variables, and environment-backed MySQL/PostgreSQL connection passwords.
+   - Updated README examples to use `password_env` instead of plaintext sample passwords and added credential-handling guidance.
+   - Verified with full `./scripts/check.sh`.
+
+---
+
+# Moose Inventory Fresh Pass Backlog
+
+Fresh pass status counts: 8 done / 0 open.
+
+## Open
+
+_No open fresh-pass items._
+
+## Done
+
+1. Refresh user-facing docs and setup scripts after DB support decisions.
+   - Fixed README typos/stale DB support notes and documented the tested support matrix: SQLite live file coverage plus MySQL/PostgreSQL adapter/error-path smoke coverage.
+   - Updated `scripts/install_dependencies.sh` for current Fedora package names, removing obsolete `mysql-utilities` and using client development headers for SQLite, MariaDB/MySQL, and PostgreSQL.
+   - Verified with full `./scripts/check.sh` and shell syntax check for the install script.
+
+1. Add adapter/error-path smoke tests to the stable QA gate.
+   - Expanded DB specs included by `./scripts/check.sh` to cover documented adapter dispatch for SQLite, MySQL, and PostgreSQL.
+   - Added missing-key error-path smoke coverage for SQLite, MySQL, and PostgreSQL, alongside existing unsupported-adapter and nested SQLite path coverage.
+   - Verified with full `./scripts/check.sh`.
+
+1. Harden YAML config loading.
+   - Replaced `YAML.load_file` with `YAML.safe_load_file` using no permitted classes, no permitted symbols, and aliases disabled.
+   - Added regression coverage ensuring config loading uses the safe YAML loader while preserving existing config fixture behavior.
+   - Verified with full `./scripts/check.sh`.
+
+1. Use recursive directory creation for SQLite database paths.
+   - Replaced single-level `Dir.mkdir` with `FileUtils.mkdir_p` in `init_sqlite3`.
+   - Added regression coverage for nested SQLite database file paths.
+   - Verified with full `./scripts/check.sh`.
+
+1. Fix existing-host group association logic in `host add --groups`.
+   - Fixed the association-existence condition so existing hosts can be associated with new groups and true duplicate associations are skipped with the existing warning.
+   - Added regression coverage for adding a new group to an existing host and idempotently skipping an existing association.
+   - Verified with full `./scripts/check.sh`.
+
+1. Fix or de-scope PostgreSQL support.
+   - Implemented `init_postgresql` using the existing `pg` dependency and `Sequel.postgres`.
+   - Added regression coverage for PostgreSQL connection option wiring without requiring a live PostgreSQL server.
+   - Verified with full `./scripts/check.sh`.
+
+1. Fix MySQL adapter support or remove it from advertised support.
+   - Fixed `DB.connect` to dispatch documented `adapter: mysql` instead of misspelled `msqsql`.
+   - Updated `init_mysql` to require `mysql2` and use `Sequel.mysql2`, matching the project dependency.
+   - Added regression coverage for MySQL adapter dispatch and connection option wiring without requiring a live MySQL server.
+   - Verified with full `./scripts/check.sh`.
+
+1. Initialize/use DB exception classes before connection failures.
+   - Added DB exception initialization before connection setup so unsupported adapters raise `Moose::Inventory::DB::MooseDBException` instead of masking the intended error with `NoMethodError` on nil `@exceptions`.
+   - Added regression coverage for unsupported adapter initialization.
+   - Verified with full `./scripts/check.sh`.
+
+---
+
+# Moose Inventory Modernization Backlog
+
+Status counts: 10 done / 0 open.
+
+## Open
+
+_No open modernization items._
+
+## Done
+
+1. Review old QA tooling (`rubocop ~> 0`, Guard, Coveralls/SimpleCov setup) and decide what still belongs in the project.
+   - Removed obsolete RuboCop/Guard/Coveralls tooling after confirming current `rubocop 0.93.1` fails under Ruby 3.4 with missing bundled/default gems and obsolete config entries.
+   - Kept SimpleCov as the local coverage gate because the RSpec suite still passes with 95.16% line coverage against a 90% minimum.
+   - Added `scripts/check.sh` as the stable local QA entry point for `bundle exec rspec --format progress` and documented it in the README.
+   - Updated `scripts/reports.sh` to open the remaining SimpleCov HTML report only.
+   - Verified with `bundle lock`, `scripts/check.sh`, and `git diff --check`.
+
+1. Modernize remaining stale runtime dependencies with care, especially `mysql2` and `sqlite3`.
+   - `pg` has been moved to a Ruby-3.4-compatible constraint.
+   - `json`, `sequel`, and `thor` have been moved to Ruby-3.4-compatible constraints.
+   - Tightened `mysql2` from `~> 0` to `>= 0.5.7, < 0.6`; Bundler keeps resolving `mysql2 0.5.7`.
+   - Relaxed/modernized `sqlite3` from `~> 1` to `>= 1.7, < 3`; Bundler now resolves `sqlite3 2.9.4`.
+   - Verified with `bundle update sqlite3 mysql2 --conservative` and `bundle exec rspec --format documentation`: 242 examples, 0 failures; line coverage 95.16%.
+
+1. Generate and commit a current `Gemfile.lock` after deciding whether to stop ignoring it.
+   - Removed `/Gemfile.lock` from `.gitignore`.
+   - Generated `Gemfile.lock` with Bundler 2.6.9 under Ruby 3.4.8.
+   - Verified the lockfile baseline with `bundle exec rspec --format documentation`.
+
+1. Update Ruby/Bundler dependency constraints so the project can resolve with current Bundler/Ruby.
+   - Changed the development dependency from `bundler ~> 1` to `bundler >= 1.17, < 3`.
+   - Verified dependency resolution with `bundle lock` under Ruby 3.4.8 / Bundler 2.6.9.
+2. Provide Ruby development headers for native gem compilation.
+   - Russ installed `ruby-devel`; verified `/usr/include/ruby.h` exists.
+   - Full `bundle install` now gets past the Ruby header blocker.
+3. Remove the stale direct `hitimes ~> 1` development dependency.
+   - Removed `spec.add_development_dependency 'hitimes', '~> 1'` from the gemspec.
+   - Removed `rubygem-hitimes` from `scripts/install_dependencies.sh`.
+   - `hitimes 1.3.1` failed to compile against Ruby 3.4 and was only referenced as legacy development tooling.
+   - Verified `bundle lock --print` no longer includes `hitimes`.
+4. Move past missing database client headers.
+   - `bundle install` now builds/installs both `mysql2` and `pg` dependencies in this environment.
+5. Update the stale `pg` dependency for Ruby 3.4 compatibility.
+   - Changed `pg` from `~> 0` to `>= 1.5, < 2`.
+   - Verified Bundler resolves `pg 1.6.3` instead of `pg 0.21.0`.
+   - Verified `bundle install` completes successfully under Ruby 3.4.8 / Bundler 2.6.9.
+6. Run the existing RSpec suite and establish a green modern-Ruby baseline.
+   - Initial baseline exposed startup/runtime incompatibilities in old `thor`, `json`, and `sequel` constraints.
+   - Updated `json` from `~> 1` to `>= 2.7, < 3`.
+   - Updated `thor` from `~> 0` to `>= 1.3, < 2`.
+   - Updated `sequel` from `~> 4` to `>= 5.80, < 6`.
+   - Verified Bundler resolves `json 2.19.5`, `thor 1.5.0`, and `sequel 5.104.0`.
+7. Fix RSpec harness compatibility with the current checkout/test flow.
+   - `spec_helper` now creates `tmp/` before deleting test database files, avoiding `Errno::ENOENT` on fresh clones.
+   - Config specs now pass an explicit fixture config when testing default option values.
+   - Ansible-mode CLI specs now pass the fixture config when invoking the top-level CLI.
+   - Updated the `--list` expectation for Ansible mode, which correctly includes empty `hosts` arrays.
+   - Verified `bundle exec rspec --format documentation`: 242 examples, 0 failures; line coverage 95.16%.
+
+---
+
+# Moose Inventory Code Quality Backlog
+
+Code quality status counts: 10 done / 0 open.
+
+## Open
+
+_No open code quality items._
+
+
+## Done
+
+1. Extract `group rm` to reuse the new group-cleanup / relation-operation seam.
+   - Added `Moose::Inventory::Operations::RemoveGroups` and reused `GroupCleanup` so top-level group deletion, recursive orphan cleanup, and host `ungrouped` reattachment now run through structured operation events instead of bespoke Thor logic.
+   - Converted `group rm` into a thinner adapter over `InventoryContext`, preserving `--recursive` behavior and existing CLI output.
+   - Added direct operation specs and expanded the targeted RuboCop gate to cover the new removal operation and adapter.
+   - Verified with focused specs and full `./scripts/check.sh`.
+
+1. Extract the shared group-parent/child association flow behind `group addchild` and `group rmchild`.
+   - Added `Moose::Inventory::Operations::GroupChildRelations` and `GroupCleanup` to own parent/child link creation, dissociation, and recursive orphan-group cleanup with structured events.
+   - Converted `group addchild` and `group rmchild` into thinner adapters over `InventoryContext`, including `--delete-orphans` behavior without leaving the recursion logic buried in the CLI layer.
+   - Added direct operation specs and expanded the targeted RuboCop gate to cover the new parent/child relation seam.
+   - Verified with focused specs and full `./scripts/check.sh`.
+
+1. Extract the shared host/group dissociation flow behind `host rmgroup` and `group rmhost`.
+   - Added `Moose::Inventory::Operations::RemoveAssociations` to own shared dissociation, missing-association handling, and automatic `ungrouped` reattachment behavior for existing primary entities.
+   - Converted `host rmgroup` and `group rmhost` into thinner adapters that retrieve the primary entity, delegate through `InventoryContext`, and render structured operation events.
+   - Added direct operation specs and expanded the targeted RuboCop gate to cover the new removal operation plus both adapter commands.
+   - Verified with focused specs and full `./scripts/check.sh`.
+
+1. Extract the shared host/group association flow behind `host addgroup` and `group addhost`.
+   - Added `Moose::Inventory::Operations::AddAssociations` to own the shared association, auto-create, duplicate-check, and `ungrouped` removal behavior for existing primary entities.
+   - Converted `host addgroup` and `group addhost` into thinner adapters that retrieve the primary entity, delegate through `InventoryContext`, and render structured operation events.
+   - Added direct operation specs and expanded the targeted RuboCop gate to cover the new operation plus both adapter commands.
+   - Verified with focused specs and full `./scripts/check.sh`.
+
+1. Extract `group add` into the operation/context/event pattern.
+   - Added `Moose::Inventory::Operations::AddGroups` with structured result/events and warning counts, mirroring the `host add` refactor pattern.
+   - Converted `group add` into a thin Thor adapter that validates input, delegates through `InventoryContext`, and renders operation events without changing CLI behavior.
+   - Added direct operation specs and extended the targeted RuboCop scope to cover the new operation/adapter/spec files.
+   - Verified with focused specs and full `./scripts/check.sh`.
+
+1. Reintroduce a small modern lint/complexity gate.
+   - Added RuboCop as a development dependency and a targeted `.rubocop.yml` for the newly refactored seam instead of the whole legacy tree.
+   - Added `scripts/ci/check_rubocop.sh` and wired it into `./scripts/check.sh` so lint/complexity checks run in the standard local and CI gate.
+   - Kept the initial lint scope focused on the context/operation/helper/adapter files and direct operation spec, with thresholds strict enough to catch drift without forcing a repo-wide cleanup right now.
+
+1. Separate first structured operation result from CLI rendering.
+   - Changed `Moose::Inventory::Operations::AddHosts` to return structured `Result`/`Event` objects instead of writing directly to stdout/stderr.
+   - Moved `host add` progress/warning rendering into the Thor adapter while preserving existing user-visible CLI output.
+   - Added direct operation specs proving inventory mutation and event emission without renderer output.
+   - Verified with focused specs and full `./scripts/check.sh`.
+
+1. Introduce an inventory context facade around DB access.
+   - Added `Moose::Inventory::InventoryContext` as a thin wrapper over the existing DB singleton for transaction/model operations.
+   - Wired the `AddHosts` operation through the context, reducing direct DB coupling in the first extracted operation while leaving legacy CLI commands stable.
+   - Verified with focused `host add` specs and full `./scripts/check.sh`.
+
+1. Extract first domain operation behind a Thor command.
+   - Added `Moose::Inventory::Operations::AddHosts` as the first operation/service object behind the CLI.
+   - Converted `host add` into a thin adapter that validates/normalizes CLI input and delegates inventory mutation to the operation.
+   - Preserved existing `host add` output and behavior under focused specs and full `./scripts/check.sh`.
+
+1. Extract shared CLI helpers for low-risk issue #13 refactor.
+   - Added helper methods for common validation, normalization, association checks, and automatic `ungrouped` membership handling.
+   - Refactored selected host/group CLI commands without changing user-visible output.

data/Gemfile.lock

@@ -0,0 +1,95 @@
+PATH
+  remote: .
+  specs:
+    moose-inventory (2.0)
+      indentation (~> 0)
+      json (>= 2.7, < 3)
+      mysql2 (>= 0.5.7, < 0.6)
+      pg (>= 1.5, < 2)
+      sequel (>= 5.80, < 6)
+      sqlite3 (>= 1.7, < 3)
+      thor (>= 1.3, < 2)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.3)
+    bigdecimal (4.1.2)
+    bundler-audit (0.9.3)
+      bundler (>= 1.2.0)
+      thor (~> 1.0)
+    diff-lcs (1.6.2)
+    docile (1.4.1)
+    indentation (0.1.1)
+    json (2.19.5)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    mysql2 (0.5.7)
+      bigdecimal
+    parallel (1.28.0)
+    parser (3.3.11.1)
+      ast (~> 2.4.1)
+      racc
+    pg (1.6.3-x86_64-linux)
+    prism (1.9.0)
+    racc (1.8.1)
+    rainbow (3.1.1)
+    rake (13.4.2)
+    regexp_parser (2.12.0)
+    rspec (3.13.2)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.6)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.8)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.7)
+    rubocop (1.86.2)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      parallel (>= 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.49.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.7)
+    ruby-progressbar (1.13.0)
+    sequel (5.104.0)
+      bigdecimal
+    simplecov (0.22.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.13.2)
+    simplecov_json_formatter (0.1.4)
+    sqlite3 (2.9.4-x86_64-linux-gnu)
+    thor (1.5.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
+
+PLATFORMS
+  x86_64-linux
+
+DEPENDENCIES
+  bundler (>= 2.2.33, < 3)
+  bundler-audit (>= 0.9, < 1)
+  moose-inventory!
+  parallel (>= 1.10, < 2.0)
+  rake (>= 13.0, < 14)
+  rspec (~> 3)
+  rubocop (>= 1.72, < 2)
+  simplecov (~> 0)
+
+BUNDLED WITH
+   2.6.9

data/README.md

@@ -9,14 +9,13 @@ Note 2: This software is intended for use on UNIX/Linux systems.  It will likely
 
 ## Installation
 
-Note: You may need to install certain development tools (e.g. gcc, postresql-devel, mysql-devel, sqlite-devel) on your system, in order for the gem installation to perform native builds. 
+Note: You may need to install Ruby development headers and database client development packages on your system so native gems can build. On current Fedora releases, the project helper script installs the expected SQLite, MariaDB/MySQL, and PostgreSQL client headers.
 
 The tool is a ruby gem. Assuming that you have ruby on your system, then it can be installed from the command line as follows.
 
     $ gem install moose-inventory
 
-Note: It may be necassary to first install certain development tools (e.g. gcc, postresql-devel, mysql-devel, sqlite-devel), in order for the gem installation to perform nati
-ve builds.
+Note: It may be necessary to first install native build tools and database client development headers before installing the gem or running Bundler.
 
 It can also be installed by adding the following line to a Gemfile and then executing `bundle`:
 
@@ -57,7 +56,7 @@ moose_ops:
     host:     "localhost"
     database: "water"
     user:     "duck"
-    password: "quack"
+    password_env: "MOOSE_INVENTORY_MYSQL_PASSWORD"
 
 another_example_section:
   db:
@@ -65,7 +64,7 @@ another_example_section:
     host:     "localhost"
     database: "grass"
     user:     "cow"
-    password: "moo"
+    password_env: "MOOSE_INVENTORY_POSTGRES_PASSWORD"
 
 ```
 
@@ -77,9 +76,18 @@ You may add as many environment sections as you desire. The intention is to enab
 
 At present,  each environment section contains only a **db** subsection, describing database connection parameters.  Additional subsections may be added in the future, as functionality increases. 
 
-Each **db** section must include an **adapter** parameter. Currently supported adapter types are *sqlite3*, *mysql*, and *postresql*.  Note, as a matter of portability, only *sqlite3* is exercised via the test suite. 
+Each **db** section must include an **adapter** parameter. Currently supported adapter types are *sqlite3*, *mysql*, and *postgresql*. The test suite exercises SQLite with a local database file and includes adapter dispatch/error-path smoke coverage for MySQL and PostgreSQL without requiring live database servers.
 
-Additional parameters are also required in the **db** subsection, depending on the adapter type.   For the *sqlite3* adapter only a **file** parameter is required.  For both *mysql* and *postgresql*, then **host**, **database**, **user**, and **password** are the required parameters. 
+Additional parameters are also required in the **db** subsection, depending on the adapter type. For the *sqlite3* adapter only a **file** parameter is required; parent directories are created automatically. For both *mysql* and *postgresql*, **host**, **database**, **user**, and either **password_env** or **password** are required.
+
+Prefer **password_env** for MySQL and PostgreSQL configuration. Its value is the name of an environment variable that contains the database password, which keeps reusable configuration files from carrying plaintext credentials:
+
+```sh
+export MOOSE_INVENTORY_MYSQL_PASSWORD='use-a-real-secret-here'
+moose-inventory --env moose_ops host list
+```
+
+The older **password** key is still supported for compatibility, but avoid committing configuration files that contain database passwords. If you must use **password**, keep that configuration file outside version control and restrict its file permissions.
 
 
 ## Usage
@@ -304,10 +312,14 @@ We can also list hosts, to get the host-centric view.
       - group2
       - group3
 
-Removing variables, groups, and hosts is just as easy.  In the following examples, the output is again omitted for compactness; the reader is encouraged to work along to experience the tool.  Note, that although we show how to remove the variables, it is not strictly necessary to do so in this example, since deleting hosts and groups would delete all associated variables anyway. 
+Removing variables, groups, and hosts is just as easy.  In the following examples, the output is again omitted for compactness; the reader is encouraged to work along to experience the tool.  Note, that although we show how to remove the variables, it is not strictly necessary to do so in this example, since deleting hosts and groups would delete all associated variables anyway.
+
+By default, deleting a group preserves its child groups as root groups. Use `group rm --recursive` when child groups that become orphaned should also be deleted. Similarly, `group rmchild --delete-orphans` removes a parent-child association and deletes the child subtree only when it becomes orphaned by that removal. Hosts whose last group is deleted are automatically moved to `ungrouped`.
 
     $ moose-inventory group rmvar group1 location
     $ moose-inventory group rm group1 group2 group3
+    $ moose-inventory group rm --recursive old_parent_group
+    $ moose-inventory group rmchild --delete-orphans parent_group child_group
     $ moose-inventory host rmvar
     $ moose-inventory host rmvar host1 owner id
     $ moose-inventory host rm host1 host2 host3
@@ -364,6 +376,24 @@ A useful aspect of dynamic inventories is the possibility of writing data to the
 ```
 
  
+## Development checks
+
+Run the local verification gate before committing changes:
+
+```shell
+./scripts/check.sh
+```
+
+The check script runs the RSpec suite, enforces the SimpleCov coverage minimum, checks file permissions, queries OSV for locked RubyGems advisories, runs `bundler-audit`, runs `gitleaks` when available, and builds/smoke-tests the packaged gem.
+
+Optional Go-based security tools used by CI can be installed locally with:
+
+```shell
+./scripts/ci/install_security_tools.sh
+```
+
+That installs `gitleaks` and `osv-scanner` into `tmp/security-tools/bin` unless they are already on `PATH`. Fedora users can also run `./scripts/install_dependencies.sh` to install the native build dependencies and packaged `gitleaks`; `bundler-audit` is installed through Bundler.
+
 ## Contributing
 1. Fork it (https://github.com/RusDavies/moose-inventory/fork )
 2. Create your feature branch (git checkout -b my-new-feature`)
@@ -380,4 +410,3 @@ A useful aspect of dynamic inventories is the possibility of writing data to the
 
 
 
-

data/Rakefile

@@ -1 +1 @@
-
+require 'bundler/gem_tasks'

data/bin/moose-inventory

@@ -7,4 +7,4 @@ rescue
   require 'moose_inventory'
 end
 
-Moose::Inventory::Cli.start(ARGV) 
+Moose::Inventory::Cli.start(ARGV)

data/docs/release/publishing.md

@@ -0,0 +1,109 @@
+# Publishing to RubyGems
+
+This project is published to RubyGems as [`moose-inventory`](https://rubygems.org/gems/moose-inventory).
+
+The preferred publishing path is GitHub Actions trusted publishing from reviewed `v*` tags. Manual publishing remains documented as a fallback only.
+
+## Trusted publishing setup
+
+The repository side is `.github/workflows/release.yml`.
+
+RubyGems has a trusted publisher configured for the existing `moose-inventory` gem on RubyGems.org with these values:
+
+- Repository owner: `RusDavies`
+- Repository name: `moose-inventory`
+- Workflow filename: `release.yml`
+- Environment: `release`
+- Workflow repository owner/name: blank, because the workflow lives in this repository
+
+The release workflow requires the GitHub environment name `release`. If that environment has protection rules, approve the deployment when releasing.
+
+## Trusted publishing release checklist
+
+1. Start from a clean `master` branch.
+
+   ```bash
+   git checkout master
+   git pull --ff-only origin master
+   git status --short --branch
+   ```
+
+2. Confirm the version to publish.
+
+   ```bash
+   ruby -e "require './lib/moose_inventory/version'; puts Moose::Inventory::VERSION"
+   gem info moose-inventory --remote --all
+   ```
+
+   If the repository version is not higher than the latest RubyGems version, bump `lib/moose_inventory/version.rb` first and commit that change before releasing.
+
+3. Run the local release gate.
+
+   ```bash
+   ./scripts/check.sh
+   ```
+
+4. Push the release commit and wait for CI to pass.
+
+   ```bash
+   git push origin master
+   ```
+
+5. Create and push the release tag from the exact commit to publish.
+
+   ```bash
+   git tag -a v1.0.10 -m "Release moose-inventory 1.0.10"
+   git push origin v1.0.10
+   ```
+
+6. Watch the `Release gem` workflow.
+
+   ```bash
+   gh run list --workflow release.yml --limit 5
+   gh run watch <run-id> --exit-status
+   ```
+
+The workflow verifies that the pushed tag version matches `Moose::Inventory::VERSION`, runs `./scripts/check.sh`, builds the gem through `rubygems/release-gem@v1`, and publishes using RubyGems trusted publishing/OIDC. No RubyGems API key should be stored in GitHub secrets for this workflow.
+
+## Verify the published version
+
+After the workflow succeeds:
+
+```bash
+gem info moose-inventory --remote --all
+gem install moose-inventory -v 1.0.10
+moose-inventory --help
+```
+
+Use the actual released version in place of `1.0.10`.
+
+## Manual fallback
+
+Manual publishing should only be used if trusted publishing is unavailable and a RubyGems owner explicitly chooses to publish from a local machine.
+
+1. Run `./scripts/check.sh`.
+2. Build the gem from the exact commit intended for release.
+
+   ```bash
+   rm -rf pkg tmp/pkg tmp/package-sanity
+   gem build moose-inventory.gemspec
+   ```
+
+3. Push the built gem.
+
+   ```bash
+   gem push moose-inventory-1.0.10.gem
+   ```
+
+Prefer a scoped RubyGems API key over an old global key:
+
+- Scope it to pushing gems, ideally only `moose-inventory` if RubyGems permits that for the account.
+- Store it in `~/.gem/credentials` with file mode `0600` if publishing manually.
+- Do not commit RubyGems credentials, `.gem/credentials`, shell history containing tokens, or generated private keys.
+
+Check credential file permissions with:
+
+```bash
+ls -l ~/.gem/credentials
+chmod 0600 ~/.gem/credentials
+```

data/docs/release/release-readiness.md

@@ -0,0 +1,55 @@
+# Release readiness notes
+
+This project now has a small release-readiness gate intended to catch the regressions found during the modernization and security-audit passes.
+
+## Local gate
+
+Run:
+
+```bash
+./scripts/check.sh
+```
+
+The gate currently runs:
+
+1. RSpec with coverage via the existing spec helper.
+2. `git diff --check` for whitespace/conflict-marker issues in the working tree.
+3. `scripts/ci/check_permissions.sh` to ensure only intentional tracked repository entrypoints are executable.
+4. `scripts/ci/check_security.sh` to query OSV for locked RubyGems dependency advisories.
+5. `scripts/ci/package_sanity.sh` to build the gem, inspect the packaged payload, and smoke-test the CLI version command.
+
+## CI gate
+
+GitHub Actions workflow: `.github/workflows/ci.yml`.
+
+It installs native headers needed by the DB gems, runs the same `./scripts/check.sh` gate used locally, and tests the maintained Ruby version range through the GitHub Actions matrix.
+
+## Trusted publishing gate
+
+GitHub Actions workflow: `.github/workflows/release.yml`.
+
+The release workflow runs when a `v*` tag is pushed. It:
+
+1. Checks out the repository using `actions/checkout@v5`.
+2. Installs Ruby and native database build dependencies.
+3. Fails if the tag version does not match `Moose::Inventory::VERSION`.
+4. Runs the full local `./scripts/check.sh` gate.
+5. Publishes the gem with `rubygems/release-gem@v1` using RubyGems trusted publishing/OIDC.
+
+RubyGems has a trusted publisher configured for repository `RusDavies/moose-inventory`, workflow `release.yml`, and environment `release`, so the workflow can request a short-lived publish token when a real release tag is pushed.
+
+## Package sanity expectations
+
+`package_sanity.sh` validates that the built gem includes at least:
+
+- `bin/moose-inventory`
+- `lib/moose_inventory.rb`
+- `lib/moose_inventory/version.rb`
+- `README.md`
+- `LICENSE.txt`
+
+It also verifies the gem metadata exposes the `moose-inventory` executable and that `bundle exec ruby -Ilib bin/moose-inventory --config spec/config/config.yml version` returns a version string.
+
+## Dependency advisory expectations
+
+`check_security.sh` reads `Gemfile.lock`, queries OSV's batch API for RubyGems packages, and fails on known vulnerabilities. This is intentionally simple and external-network-dependent; if OSV is unavailable, the gate fails closed so CI does not silently bless an unknown dependency state.