moose-inventory 1.0.8 → 2.0

data/docs/security-audit-2026-05-21.md

@@ -0,0 +1,71 @@
+# Security audit — 2026-05-21
+
+Scope: local static/security review of the `moose-inventory` Ruby CLI/gem at commit `ff522502d5981314c451e855be10cbbc7ebeba48`, plus the hardening changes on branch `security-audit-2026-05-21`.
+
+## Executive summary
+
+The audit found one actionable dependency vulnerability and one low-risk repository hygiene issue. Both were remediated in this branch:
+
+1. Development dependency `rake 10.5.0` was affected by CVE-2020-8130 / GHSA-jppv-gw3r-w3q8, an OS command injection issue in `Rake::FileList` for filenames beginning with `|`. The gemspec now requires `rake >= 13.0, < 14`, and `Gemfile.lock` resolves `rake 13.4.2`.
+2. Most source, config, docs, and spec files were executable (`100755`) even though they are not entrypoints. The branch normalizes non-executable files to `100644`, keeping only `bin/moose-inventory` and actual scripts executable.
+
+After the dependency update, an OSV query for locked RubyGems dependencies returned zero known vulnerabilities. Semgrep Ruby rules returned zero findings.
+
+## Surfaces reviewed
+
+- CLI entrypoint: `bin/moose-inventory`
+- Global config parsing and file loading: `lib/moose_inventory/config/config.rb`
+- DB connection and schema creation: `lib/moose_inventory/db/db.rb`
+- Sequel models and associations: `lib/moose_inventory/db/models.rb`
+- CLI command handlers under `lib/moose_inventory/cli/`
+- Packaging metadata: `moose-inventory.gemspec`, `Gemfile`, `Gemfile.lock`
+- Helper scripts under `scripts/`
+- Test fixtures/config under `spec/`
+
+## Findings fixed
+
+### P2 — Vulnerable development dependency: `rake 10.5.0`
+
+- Evidence: `Gemfile.lock` resolved `rake (10.5.0)` and `moose-inventory.gemspec` constrained rake to `~> 10`.
+- Advisory: OSV/GitHub Advisory `GHSA-jppv-gw3r-w3q8`, CVE-2020-8130.
+- Impact: local OS command injection in vulnerable Rake versions when `Rake::FileList` receives a filename beginning with the pipe character (`|`). This is primarily a developer/build-time risk, not a runtime CLI inventory risk.
+- Fix: changed the development dependency to `rake >= 13.0, < 14` and refreshed `Gemfile.lock` to `rake 13.4.2`.
+- Validation: OSV query after the update returned `deps_with_vulns 0`.
+
+### P4 — Over-broad executable bits on repository files
+
+- Evidence: file inventory showed `100755` executable mode on `Gemfile`, `README.md`, library files, specs, config, and other non-entrypoint files.
+- Impact: low. This does not create a direct vulnerability by itself, but it expands accidental execution surface and makes packaging/review noisier than necessary. Tiny footgun, sharp enough to remove.
+- Fix: normalized non-entrypoint files to `100644`; retained executable mode for `bin/moose-inventory` and scripts with shebangs.
+
+## Notable negative findings
+
+- Config deserialization now uses `YAML.safe_load_file` with aliases disabled and no permitted classes/symbols.
+- No shell execution sinks were found in runtime code. The backtick use in `moose-inventory.gemspec` is the normal `git ls-files` packaging pattern.
+- Database access uses Sequel model/hash APIs for user-provided names and variables; no raw SQL interpolation was identified in the reviewed CLI/database paths.
+- No committed secrets were identified outside expected example/test placeholder passwords.
+- No external network-facing service, HTTP route, RPC handler, webhook, queue consumer, or upload parser exists in this repo; the meaningful attack surface is local CLI usage and build/development tooling.
+
+## Tooling evidence
+
+- Inventory: 79 files; Ruby manifests: `Gemfile`, `Gemfile.lock`.
+- Semgrep: `semgrep --config p/ruby --json --quiet .` returned 0 findings.
+- OSV dependency query before fix: 1 vulnerable dependency (`rake 10.5.0`, `GHSA-jppv-gw3r-w3q8`).
+- OSV dependency query after fix: 41 RubyGems dependency records queried, 0 dependencies with known vulnerabilities.
+- `bundle-audit`, `osv-scanner`, `gitleaks`, `trufflehog`, and `brakeman` were not installed in this environment. Brakeman is also Rails-specific and not expected to apply here.
+
+## Residual risks / future hardening
+
+- Consider adding a CI security job for OSV or bundler-audit so dependency advisories are caught before they fossilize in the lockfile like a tiny Jurassic Park exhibit.
+- Consider keeping generated coverage artifacts out of normal grep/scanner paths; they are ignored from this audit because they contain large bundled HTML/CSS assets.
+
+## GitHub Dependabot follow-up after first push
+
+After pushing the audit remediation, GitHub emitted a default-branch warning for 7 Dependabot vulnerabilities. Querying the repository Dependabot alerts through `gh api repos/RusDavies/moose-inventory/dependabot/alerts` showed that all 7 were already in `fixed` state after the modernization/security-audit commits reached GitHub:
+
+- `rake`: GHSA-jppv-gw3r-w3q8 / CVE-2020-8130, fixed by `rake >= 13.0, < 14` and lockfile `rake 13.4.2`.
+- `json`: GHSA-jphg-qwrw-7w9g / CVE-2020-10663, fixed by the existing current constraint `json >= 2.7, < 3` and lockfile `json 2.19.5`.
+- `rubocop`: GHSA-wmjf-jpjj-9f3j / CVE-2017-8418, fixed by removing RuboCop as a development dependency.
+- `bundler`: GHSA-jvgm-pfqv-887x / CVE-2016-7954, GHSA-g98m-96g9-wfjq / CVE-2019-3881, GHSA-fp4w-jxhp-m23p / CVE-2020-36327, and GHSA-fj7f-vq84-fh43 / CVE-2021-43809. GitHub marked these fixed because the lockfile uses Bundler 2.6.9; this follow-up also tightens the gemspec development dependency to `bundler >= 2.2.33, < 3` so fresh development installs cannot select known-vulnerable Bundler 1.x/early 2.x releases.
+
+Follow-up validation: `gh api 'repos/RusDavies/moose-inventory/dependabot/alerts?state=open'` returned no open alerts.

data/docs/security-audit-2026-05-26-rerun.md

@@ -0,0 +1,75 @@
+# Security Audit Rerun — 2026-05-26
+
+Repository: `RusDavies/moose-inventory`  
+Local path: `/home/skippy/.openclaw/workspace/projects/moose-inventory`  
+Audited commit at start: `a07b5c89214a3cee66170217c5b38e9ad2ae093a`  
+Audit branch: `security-audit-2026-05-26-rerun`  
+Evidence store: `.openclaw-security-audit/audit.sqlite`, audit run `2`
+
+## Executive summary
+
+The rerun found no exploitable application vulnerabilities in the Ruby CLI/config/database code reviewed, and all deterministic dependency, advisory, package, and secret-scanning gates passed.
+
+One release-supply-chain hardening gap was identified and fixed during the audit: the release workflow ran `./scripts/check.sh` without installing or requiring the dedicated security tools, so a tag-based release could publish even if `gitleaks`, `osv-scanner`, or `bundler-audit` coverage was absent from that release job. CI already enforced those tools; release now does too.
+
+## Scope
+
+Reviewed security-relevant surfaces and changes since the prior audit:
+
+- GitHub Actions CI and release workflows.
+- Security-tool installation and enforcement scripts.
+- Ruby CLI entrypoints and Thor command surfaces.
+- YAML configuration loading.
+- SQLite/MySQL/PostgreSQL connection setup and password handling.
+- Recursive group deletion behavior touched by recent issue work.
+- Gem packaging/release path.
+
+## Deterministic results
+
+- Full local required-tool gate: passed.
+  - RSpec: 268 examples, 0 failures.
+  - Coverage: 96.52% line coverage.
+  - Custom OSV dependency check: 45 dependencies queried, 0 vulnerable.
+  - `bundler-audit`: no vulnerabilities found.
+  - `osv-scanner`: no issues found in `Gemfile.lock`.
+  - `gitleaks`: dedicated secret scan passed.
+  - Package sanity: built and inspected `tmp/pkg/moose-inventory.gem` successfully.
+- Semgrep Ruby registry scan: 62 tracked Ruby files scanned with 44 Ruby rules, 0 findings.
+- GitHub Dependabot open alerts: 0.
+- GitHub code scanning alerts: unavailable / no analysis found (`404`).
+- GitHub secret scanning alerts: unavailable because secret scanning is disabled for this repository.
+- Workflow YAML parse check: `ci.yml` and `release.yml` parsed successfully with Ruby Psych.
+- Current GitHub CI before audit branch: latest `master` CI run succeeded for Ruby 3.2, 3.3, and 3.4.
+
+## Finding fixed during audit
+
+### SEC-RERUN-2026-05-26-01 — Release workflow did not require dedicated security tools
+
+- Priority before fix: P2 medium, release supply-chain hardening.
+- Exposure: tag-triggered release workflow.
+- Affected file: `.github/workflows/release.yml`.
+- Evidence: CI installed `gitleaks`/`osv-scanner` and set `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1`, but the release workflow only ran `./scripts/check.sh`. In local mode, `scripts/ci/check_security.sh` and `scripts/ci/check_secrets.sh` intentionally skip missing optional security tools unless `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1` is set.
+- Impact: a release tag created from an unexpected commit or during a tooling/path issue could publish without the same dedicated SCA/secret-scan enforcement as CI.
+- Fix applied: release workflow now sets up Go with cache disabled, installs the pinned security CLIs via `scripts/ci/install_security_tools.sh`, runs native dependency installation with a 5-minute timeout, and runs `./scripts/check.sh` with `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1`.
+- Verification: full local required-tool gate passed after the workflow change.
+- Residual risk: release workflow can only be fully proven on the next real release tag because already-published `v1.0.9` must not be retagged.
+
+## Reviewed areas with no actionable finding
+
+- YAML config loading uses `YAML.safe_load_file` with aliases disabled and no permitted classes/symbols.
+- SQLite database path handling creates parent directories with `FileUtils.mkdir_p`; this is local config-driven CLI behavior, not a remotely reachable path traversal surface.
+- MySQL/PostgreSQL password handling supports `password_env`; plaintext `password` remains for compatibility but README guidance discourages committing it.
+- CLI input reaches Sequel model operations rather than shell execution; no shell/eval sink was identified in application code.
+- Recent recursive group deletion is explicit opt-in and keeps host fallback behavior covered by regression tests.
+- GitHub Actions release job uses OIDC/trusted publishing and does not store a RubyGems API key in the workflow.
+
+## Limitations
+
+- This was a local/source and CI/release workflow audit, not an active test against live external databases or RubyGems publishing.
+- GitHub code scanning is not configured, so there were no CodeQL/code-scanning results to review.
+- GitHub secret scanning is disabled for the repository; local `gitleaks` coverage was used instead.
+- The release trusted-publishing path still needs verification on the next real version tag.
+
+## Conclusion
+
+No open exploitable vulnerabilities remain from this rerun. The only identified security gap was release-pipeline parity with CI security tooling, and it was fixed in this audit branch.

data/docs/security-audit-2026-05-26.md

@@ -0,0 +1,63 @@
+# Security audit — 2026-05-26
+
+Scope: local static/security review of the `moose-inventory` Ruby CLI/gem at commit `8c3eaada5d70ef599961b8ca8b78e12ea4ce83c9` on branch `security-audit-2026-05-26`.
+
+## Executive summary
+
+No actionable security vulnerabilities were identified in this pass.
+
+The meaningful attack surface remains local CLI execution, configuration-file loading, database access through Sequel, package/release automation, and developer tooling. There is no HTTP server, RPC endpoint, webhook handler, queue consumer, file upload parser, shell-command execution path, or plugin system in this repository.
+
+The areas remediated in the prior 2026-05-21 audit remain in good shape: YAML config loading uses `YAML.safe_load_file`, DB credentials can be supplied through environment variables, OSV reports no known vulnerable locked RubyGems dependencies, CI/package sanity gates are present, and GitHub Dependabot has no open alerts.
+
+## Surfaces reviewed
+
+- CLI entrypoint: `bin/moose-inventory`
+- Global option parsing and config loading: `lib/moose_inventory/config/config.rb`
+- DB connection/schema/transaction code: `lib/moose_inventory/db/db.rb`
+- Sequel models and associations: `lib/moose_inventory/db/models.rb`
+- CLI command handlers under `lib/moose_inventory/cli/`
+- Formatter/output serialization: `lib/moose_inventory/cli/formatter.rb`
+- Packaging and release metadata: `moose-inventory.gemspec`, `Gemfile`, `Gemfile.lock`, `.github/workflows/ci.yml`, `.github/workflows/release.yml`
+- Helper scripts under `scripts/`
+- Test config/spec fixtures under `spec/`
+
+## Findings
+
+No P0/P1/P2/P3 actionable findings were identified.
+
+## Notable negative findings
+
+- Config deserialization uses `YAML.safe_load_file` with aliases disabled and no permitted classes/symbols.
+- No runtime shell execution sinks were identified.
+- Database access uses Sequel model/dataset/hash APIs for user-controlled names, groups, hosts, and variables; no raw SQL interpolation was identified in reviewed runtime paths.
+- MySQL/PostgreSQL passwords can be supplied via `password_env`, and README guidance prefers environment-backed passwords over plaintext config values.
+- No committed secrets were identified outside expected example/test placeholders.
+- GitHub Actions release publishing uses RubyGems trusted publishing/OIDC rather than a stored RubyGems API key.
+- Dependency advisory gate queried OSV for 41 locked RubyGems dependency records and reported zero known vulnerabilities.
+- GitHub Dependabot open-alert query returned zero open alerts.
+
+## Tooling evidence
+
+- Audit evidence store initialized at `.openclaw-security-audit/audit.sqlite` with `audit_run_id=1`.
+- Inventory: 187 files; Ruby manifests detected: `Gemfile`, `Gemfile.lock`, plus generated package-sanity manifests under `tmp/package-sanity`.
+- Symbol extractor scanned 156 files but did not extract Ruby symbols/surfaces with the current lightweight extractor.
+- Semgrep auto-config failed because metrics are disabled; reran explicit Ruby registry rules instead.
+- Semgrep: `semgrep --config p/ruby --json --metrics=off --exclude .openclaw-security-audit --exclude spec/reports --exclude tmp .` scanned 62 tracked Ruby files with 44 rules and returned 0 findings.
+- Dependency advisory gate: `./scripts/ci/check_security.sh` queried 41 RubyGems dependencies and returned 0 vulnerable dependencies.
+- Full local gate: `./scripts/check.sh` passed with 268 examples, 0 failures, 96.52% line coverage, OSV 0 vulnerabilities, and package sanity passed.
+- GitHub Dependabot: `gh api 'repos/RusDavies/moose-inventory/dependabot/alerts?state=open' --jq 'length'` returned `0`.
+- GitHub code-scanning alerts could not be queried because no code-scanning analysis exists for this repository; GitHub returned `404 no analysis found`.
+
+## Tooling limitations
+
+- `osv-scanner`, `bundler-audit`/`bundle-audit`, `gitleaks`, `trufflehog`, `brakeman`, `flog`, and `reek` were not installed in this environment.
+- `bundle exec rubocop` could not run because RuboCop is not part of the bundle. This is not a security gate failure, but it limits style/static-quality coverage.
+- Secret scanning was limited to tracked-file grep patterns because dedicated secret scanners were unavailable.
+- The audit did not perform active exploitation against external systems or live database servers.
+
+## Residual risks / recommendations
+
+- Consider adding a dedicated secret scanner such as `gitleaks` or `trufflehog` to local/CI security tooling if this project will accept outside contributions.
+- Consider adding `bundler-audit` or `osv-scanner` as an optional developer tool if broader advisory coverage is desired beyond the existing custom OSV gate.
+- Keep generated coverage and package-sanity artifacts excluded from security scans; they are noisy and not part of the runtime gem surface.

data/lib/moose_inventory/cli/formatter.rb

@@ -15,37 +15,37 @@ module Moose
         def self.dump(arg, format = nil)
           out(arg, format)
         end
-        
+
         def self.out(arg, format = nil)
           return if arg.nil?
 
           if format.nil?
             format = Moose::Inventory::Config._confopts[:format].downcase
           end
-          
+
           case format
-          when 'yaml','y'
+          when 'yaml', 'y'
             $stdout.puts arg.to_yaml
 
-          when 'prettyjson','pjson','p'
+          when 'prettyjson', 'pjson', 'p'
             $stdout.puts JSON.pretty_generate(arg)
 
-          when 'json','j'
+          when 'json', 'j'
             $stdout.puts arg.to_json
 
           else
             abort("Output format '#{format}' is not yet supported.")
           end
         end
-        
+
         #---------------
         attr_accessor :indent
 
         def reset_indent
           @indent = 2
         end
-        
-        def puts(indent, msg, stream='STDOUT')
+
+        def puts(indent, msg, stream = 'STDOUT')
           case stream
           when 'STDOUT'
             $stdout.puts msg.indent(indent)
@@ -55,8 +55,8 @@ module Moose
             abort("Output stream '#{stream}' is not known.")
           end
         end
-        
-        def print(indent, msg, stream='STDOUT')
+
+        def print(indent, msg, stream = 'STDOUT')
           case stream
           when 'STDOUT'
             $stdout.print msg.indent(indent)
@@ -67,25 +67,24 @@ module Moose
           end
         end
 
-        def info(indent, msg, stream='STDOUT')
+        def info(_indent, _msg, stream = 'STDOUT')
           case stream
           when 'STDOUT'
-            $stdout.print "INFO: {msg}"
+            $stdout.print 'INFO: {msg}'
           when 'STDERR'
-            $stderr.print "INFO: {msg}"
+            $stderr.print 'INFO: {msg}'
           else
             abort("Output stream '#{stream}' is not known.")
           end
         end
-        
+
         def warn(msg)
-            $stderr.print "WARNING: #{msg}"
+          $stderr.print "WARNING: #{msg}"
         end
 
         def error(msg)
-            $stderr.print "ERROR: #{msg}"
+          $stderr.print "ERROR: #{msg}"
         end
-                        
       end
     end
   end

data/lib/moose_inventory/cli/group.rb

@@ -1,12 +1,15 @@
 require 'thor'
 require_relative './formatter.rb'
+require_relative './helpers.rb'
 
 module Moose
   module Inventory
     module Cli
       ##
       # Class implementing the "group" methods of the CLI
-      class Group < Thor 
+      class Group < Thor
+        include Moose::Inventory::Cli::Helpers
+
         require_relative 'group_add'
         require_relative 'group_get'
         require_relative 'group_list'

data/lib/moose_inventory/cli/group_add.rb

@@ -1,5 +1,9 @@
+# frozen_string_literal: true
+
 require 'thor'
-require_relative './formatter.rb'
+require_relative 'formatter'
+require_relative '../inventory_context'
+require_relative '../operations/add_groups'
 
 module Moose
   module Inventory
@@ -10,89 +14,99 @@ module Moose
         #==========================
         desc 'add NAME', 'Add a group NAME to the inventory'
         option :hosts
-        # rubocop:disable Metrics/LineLength
-        def add(*argv) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity
-          # rubocop:enable Metrics/LineLength
-          if argv.length < 1
-            abort("ERROR: Wrong number of arguments, #{argv.length} for 1 or more.")
-          end
+        def add(*argv)
+          abort_if_missing_args(argv, 1, '1 or more')
 
-          # Arguments
-          names = argv.uniq.map(&:downcase)
-          options[:hosts] = '' if options[:hosts].nil?
-          hosts = options[:hosts].downcase.split(',').uniq
+          names = normalize_names(argv)
+          hosts = csv_option_names(options[:hosts])
 
-          # sanity
-          if names.include?('ungrouped')
-            abort("ERROR: Cannot manually manipulate the automatic group 'ungrouped'\n")
-          end
+          abort_if_automatic_group(
+            names,
+            "ERROR: Cannot manually manipulate the automatic group 'ungrouped'\n"
+          )
+
+          result = Moose::Inventory::Operations::AddGroups
+                   .new(context: Moose::Inventory::InventoryContext.new(db: db))
+                   .call(names: names, hosts: hosts)
+          render_add_groups_events(result.events)
 
-            # Convenience
-            db    = Moose::Inventory::DB
-            fmt = Moose::Inventory::Cli::Formatter
-          
-          # Transaction
-          warn_count = 0
-          db.transaction do # Transaction start
-            names.each do |name|
-              # Add the group
-              puts "Add group '#{name}':"
-              group = db.models[:group].find(name: name)
-              hosts_ds = nil
-              fmt.puts 2, "- create group..."
-              if group.nil?
-                group = db.models[:group].create(name: name)
-                fmt.puts 4, '- OK'
-              else
-                warn_count += 1
-                fmt.warn "Group '#{name}' already exists, skipping creation.\n"
-                fmt.puts 4, "- already exists, skipping."
-                hosts_ds = group.hosts_dataset
-                fmt.puts 4, '- OK'
-              end
-              
-              # Associate with hosts
-              hosts.each do |h|
-                next if h.nil? || h.empty?
-                fmt.puts 2, "- add association {group:#{name} <-> host:#{ h }}..."
-                host = db.models[:host].find(name: h)
-                if host.nil?
-                  warn_count += 1
-                  fmt.warn "Host '#{h}' doesn't exist, but will be created.\n"
-                  fmt.puts 4, "- host doesn't exist, creating now..."
-                  host = db.models[:host].create(name: h)
-                  fmt.puts 6, "- OK"
-                end
-                if !hosts_ds.nil? && !hosts_ds[name: h].nil?
-                  warn_count += 1
-                  fmt.warn "Association {group:#{name} <-> host:#{ h }}"\
-                    " already exists, skipping creation.\n"
-                    fmt.puts 4, "- already exists, skipping."
-                else  
-                  group.add_host(host)
-                end
-                fmt.puts 4, '- OK'
-  
-                # Handle the host's automatic 'ungrouped' group
-                ungrouped = host.groups_dataset[name: 'ungrouped']
-                unless ungrouped.nil?
-                  fmt.puts 2, "- remove automatic association {group:ungrouped"\
-                    " <-> host:#{ h }}..."
-                  host.remove_group( ungrouped ) unless ungrouped.nil?
-                  fmt.puts 4, '- OK'
-                end
-              end
-              fmt.puts 2, '- all OK'
-            end
-          end # Transaction end
-          if warn_count == 0
+          if result.warning_count.zero?
             puts 'Succeeded'
           else
             puts 'Succeeded, with warnings.'
           end
         end
+
+        private
+
+        def render_add_groups_events(events)
+          events.each { |event| render_add_groups_event(event) }
+        end
+
+        def render_add_groups_event(event)
+          payload = event.payload
+
+          return render_add_groups_event_puts(event.type, payload) if puts_event?(event.type)
+          return render_add_groups_event_warn(event.type, payload) if warn_event?(event.type)
+
+          render_add_groups_event_fmt(event.type, payload)
+        end
+
+        def puts_event?(type)
+          type == :group_started
+        end
+
+        def warn_event?(type)
+          %i[group_exists host_missing_created association_exists].include?(type)
+        end
+
+        def render_add_groups_event_puts(type, payload)
+          puts "Add group '#{payload[:name]}':" if type == :group_started
+        end
+
+        def render_add_groups_event_warn(type, payload)
+          case type
+          when :group_exists
+            fmt.warn "Group '#{payload[:name]}' already exists, skipping creation.\n"
+          when :host_missing_created
+            fmt.warn "Host '#{payload[:name]}' doesn't exist, but will be created.\n"
+          when :association_exists
+            fmt.warn(
+              "Association {group:#{payload[:group]} <-> host:#{payload[:host]}} " \
+              "already exists, skipping creation.\n"
+            )
+          end
+        end
+
+        def render_add_groups_event_fmt(type, payload)
+          return render_add_groups_event_status(type, payload) if status_event?(type)
+
+          case type
+          when :creating_group
+            fmt.puts 2, '- create group...'
+          when :adding_association
+            fmt.puts 2, "- add association {group:#{payload[:group]} <-> host:#{payload[:host]}}..."
+          when :host_creating_now
+            fmt.puts 4, '- host doesn\'t exist, creating now...'
+          when :removing_automatic_group
+            fmt.puts 2, "- remove automatic association {group:ungrouped <-> host:#{payload[:host]}}..."
+          when :group_complete
+            fmt.puts 2, '- all OK'
+          end
+        end
+
+        def status_event?(type)
+          %i[already_exists_skipping ok].include?(type)
+        end
+
+        def render_add_groups_event_status(type, payload)
+          if type == :already_exists_skipping
+            fmt.puts payload[:indent], '- already exists, skipping.'
+          else
+            fmt.puts payload[:indent], '- OK'
+          end
+        end
       end
     end
   end
 end
-