moose-inventory 1.0.9 → 2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bba43a0d585b334c19629209ae0f323d88ac1c618de4a926769765a5146933b7
-  data.tar.gz: 701d64c584a0e0d10266466a94350aa69731a15f623ca37f9edac917c5dd2a38
+  metadata.gz: 9740a165b6ef321e367391e80f09876ad3028230b30d27fa62357adeb9cf35ed
+  data.tar.gz: d02659ba937e0bf50f8357803d0f04028da75c7a6e190db3b03119d01b9a461a
 SHA512:
-  metadata.gz: ef297abb3d7836f1c7f1a20d46a1f79eee14957a74651628fa2fa523ffd5ed26de9f374e551ae861cd8b68d6cc1a646fba52a85209929b2259a078b2409b1a9f
-  data.tar.gz: d9cfa2e8a85065415858a47aa4e2e1878483e8e982bda25a9d37f05f61c0373e7b7b6bd4ec0f1ba9f0ac3dcf9f796b458c96f794f29466e91aed179a0b6293af
+  metadata.gz: 8e6c10ad4baa0694035f230787cf564ba95be6eacf17a70c156cdf327cf0cd134b8924d2f5c5427c5f4ed725b46f116e1bcf89f389f8d9f3ce5a2222b6c6d461
+  data.tar.gz: dd88578501502714954c6c4674120e6eeb0b7b05116c9dd78edc97c7abb51a306290bdfc8b7c30caba75464a81315fd294e55c9e16d3b9c696817674a4b68f35

data/.github/workflows/ci.yml

@@ -1,6 +1,7 @@
 name: CI
 
 on:
+  workflow_dispatch:
   push:
     branches: [master]
   pull_request:
@@ -9,6 +10,7 @@ on:
 permissions:
   contents: read
 
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -18,7 +20,7 @@ jobs:
         ruby-version: ['3.2', '3.3', '3.4']
     steps:
       - name: Check out repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
@@ -26,10 +28,22 @@ jobs:
           ruby-version: ${{ matrix.ruby-version }}
           bundler-cache: true
 
+      - name: Set up Go for security tools
+        uses: actions/setup-go@v6
+        with:
+          go-version: '1.25.x'
+          cache: false
+
       - name: Install native build dependencies
+        timeout-minutes: 5
         run: |
           sudo apt-get update
           sudo apt-get install -y build-essential default-libmysqlclient-dev libpq-dev libsqlite3-dev
 
+      - name: Install security audit tools
+        run: ./scripts/ci/install_security_tools.sh
+
       - name: Run local check gate
+        env:
+          MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS: '1'
         run: ./scripts/check.sh

data/.github/workflows/release.yml

@@ -0,0 +1,58 @@
+name: Release gem
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  push:
+    runs-on: ubuntu-latest
+    environment: release
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.4'
+          bundler-cache: true
+
+      - name: Set up Go for security tools
+        uses: actions/setup-go@v6
+        with:
+          go-version: '1.25.x'
+          cache: false
+
+      - name: Install native build dependencies
+        timeout-minutes: 5
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential default-libmysqlclient-dev libpq-dev libsqlite3-dev
+
+      - name: Install security audit tools
+        run: ./scripts/ci/install_security_tools.sh
+
+      - name: Verify tag matches gem version
+        run: |
+          version="$(ruby -e "require './lib/moose_inventory/version'; puts Moose::Inventory::VERSION")"
+          tag="${GITHUB_REF_NAME#v}"
+          if [ "$tag" != "$version" ]; then
+            echo "Tag v$tag does not match gem version $version" >&2
+            exit 1
+          fi
+
+      - name: Run local check gate
+        env:
+          MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS: '1'
+        run: ./scripts/check.sh
+
+      - name: Publish gem to RubyGems
+        uses: rubygems/release-gem@v1

data/.gitleaks.toml

@@ -0,0 +1,9 @@
+title = "moose-inventory gitleaks config"
+
+[allowlist]
+description = "Ignore generated/local audit artifacts that are not part of the packaged source surface."
+paths = [
+  '''^\.openclaw-security-audit/''',
+  '''^spec/reports/''',
+  '''^tmp/''',
+]

data/.rubocop.yml

@@ -0,0 +1,28 @@
+AllCops:
+  NewCops: enable
+  SuggestExtensions: false
+  TargetRubyVersion: 3.2
+
+Metrics/AbcSize:
+  Max: 32
+
+Metrics/MethodLength:
+  Max: 25
+
+Metrics/CyclomaticComplexity:
+  Max: 7
+
+Metrics/PerceivedComplexity:
+  Max: 8
+
+Metrics/BlockLength:
+  Exclude:
+    - spec/lib/moose_inventory/operations/add_hosts_spec.rb
+    - spec/lib/moose_inventory/operations/add_groups_spec.rb
+    - spec/lib/moose_inventory/operations/add_associations_spec.rb
+    - spec/lib/moose_inventory/operations/remove_associations_spec.rb
+    - spec/lib/moose_inventory/operations/group_child_relations_spec.rb
+    - spec/lib/moose_inventory/operations/remove_groups_spec.rb
+
+Style/Documentation:
+  Enabled: false

data/BACKLOG.md

@@ -1,18 +1,51 @@
 # Moose Inventory Release Readiness Backlog
 
-Release readiness status counts: 5 done / 2 open.
+Release readiness status counts: 12 done / 1 open.
 
 ## Open
 
-1. Resolve GitHub Actions Node.js 20 deprecation warning.
-   - Current CI passes, but GitHub warns that `actions/checkout@v4` is running on Node.js 20 and Node.js 24 will become the default.
-   - Review available `actions/checkout` updates or GitHub-recommended configuration, then update the workflow so CI stays warning-free before Node.js 20 removal.
+1. Verify RubyGems trusted publishing with the next real release tag.
+   - RubyGems trusted publisher is configured for repository `RusDavies/moose-inventory`, workflow `release.yml`, and environment `release`.
+   - Verify the full trusted-publishing path when publishing the next real version tag.
+   - Do not retag already-published `v1.0.9`.
+
+## Done
+
+1. Align release workflow with required CI security tooling.
+   - Security audit rerun found that `.github/workflows/release.yml` ran `./scripts/check.sh` without installing or requiring the dedicated security tools, meaning tag-based releases could skip `gitleaks`/`osv-scanner` enforcement if those tools were absent.
+   - Added Go setup with cache disabled, installed pinned security tools through `scripts/ci/install_security_tools.sh`, required `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1` during the release check gate, and added the same native-dependency timeout used by CI.
+   - Documented the rerun in `docs/security-audit-2026-05-26-rerun.md`; final trusted-publishing proof remains gated on the next real release tag.
+
+1. Add manual GitHub Actions CI trigger and harden CI runner setup.
+   - Added `workflow_dispatch` to `.github/workflows/ci.yml` so CI can be manually triggered when push events fail to enqueue during a GitHub Actions incident.
+   - Verified both push-triggered CI and manual `workflow_dispatch` CI runs succeeded on `master`.
+   - Disabled unused `actions/setup-go` caching for the Go-based security tools so the workflow no longer emits a missing-`go.mod` cache warning.
+   - Added a timeout to the native dependency installation step so runner package-manager stalls fail fast instead of hanging the matrix indefinitely.
+
+1. Diagnose missing GitHub Actions runs after security-tooling merge.
+   - Confirmed the affected commits were pushed and visible on GitHub, with GitHub PushEvents recorded but no check runs created.
+   - Confirmed the workflow was active and visible, and GitHub Actions was degraded during the missing-run window due to platform-side authentication/startup issues.
+   - Conclusion: the missing runs were caused by a GitHub Actions incident, not by the repository workflow configuration.
+
+1. Install optional local/CI security audit tools.
+   - Added `bundler-audit` as a development dependency and wired it into `scripts/ci/check_security.sh`.
+   - Added `scripts/ci/install_security_tools.sh` to install pinned `gitleaks` and `osv-scanner` CLI tools into `tmp/security-tools/bin` when they are not already on `PATH`.
+   - Added `scripts/ci/check_secrets.sh` and `.gitleaks.toml` so generated audit, coverage, and package-sanity artifacts stay out of dedicated secret scans.
+   - Updated GitHub Actions CI to install the Go-based audit tools and require them during `./scripts/check.sh`; local runs skip missing optional tools unless `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1` is set.
+
+1. Configure RubyGems trusted publisher for the existing gem.
+   - Repository-side trusted publishing workflow is present in `.github/workflows/release.yml`.
+   - RubyGems trusted publisher is configured for the `moose-inventory` gem with repository `RusDavies/moose-inventory`, workflow `release.yml`, and environment `release`.
+   - Evidence: RubyGems trusted publisher page shows GitHub Actions for `RusDavies/moose-inventory`, workflow `release.yml`, environment `release`.
 
 1. Add GitHub Actions RubyGems trusted publishing.
-   - Manual publishing is documented in `docs/release/publishing.md`.
-   - Future improvement: configure RubyGems trusted publishing, publish from reviewed `v*` tags, and avoid long-lived RubyGems API keys on developer machines.
+   - Added `.github/workflows/release.yml` triggered by `v*` tags.
+   - The workflow verifies the tag matches `Moose::Inventory::VERSION`, runs `./scripts/check.sh`, and publishes with `rubygems/release-gem@v1` using OIDC/trusted publishing.
+   - Updated `docs/release/publishing.md` and `docs/release/release-readiness.md` with trusted publishing release instructions and RubyGems setup requirements.
 
-## Done
+1. Resolve GitHub Actions Node.js 20 deprecation warning.
+   - Updated the CI workflow to use `actions/checkout@v5`, which runs on the Node.js 24 runtime.
+   - Verified with full `./scripts/check.sh` and a post-merge GitHub Actions run with no Node.js 20 deprecation annotations.
 
 1. Decide and declare the supported Ruby version floor.
    - Set `spec.required_ruby_version` to `>= 3.2` in the gemspec.
@@ -41,33 +74,38 @@ Release readiness status counts: 5 done / 2 open.
 
 # Moose Inventory GitHub Issues Backlog
 
-GitHub issues status counts: 0 done / 4 open.
+GitHub issues status counts: 4 done / 0 open.
 
 ## Open
 
-1. [#14 Passwords in config files](https://github.com/RusDavies/moose-inventory/issues/14)
-   - README examples currently show database passwords stored directly in configuration files.
-   - Determine whether Moose Inventory supports reading credentials from environment variables today.
-   - If not, decide whether to add environment-variable credential support or at least document safer credential-handling guidance.
-   - Update README/config examples so they do not accidentally encourage secret-in-repo bad practice.
+_No open GitHub issue items._
+
+## Done
 
 1. [#13 Need to refactor](https://github.com/RusDavies/moose-inventory/issues/13)
-   - CLI command modules contain similar methods across host/group operations, for example `GroupAdd` and `HostAdd`-style flows.
-   - Existing code has historically needed complexity metric disables such as `Metrics/AbcSize` and `Metrics/CyclomaticComplexity`.
-   - Evaluate cost/benefit before doing a broad refactor; identify specific low-risk extraction targets and regression coverage needed.
+   - Added shared `Moose::Inventory::Cli::Helpers` for command argument validation, name normalization, CSV option parsing, automatic `ungrouped` validation, association checks, and automatic group membership maintenance.
+   - Refactored representative host/group association commands to use the helper layer while preserving existing CLI output and behavior.
+   - Verified with focused CLI specs and full `./scripts/check.sh`.
 
 1. [#12 Allow `group rm` to recursively delete orphaned child groups](https://github.com/RusDavies/moose-inventory/issues/12)
-   - Decide product semantics for recursive group deletion: default behavior, explicit switch, safety prompts/flags, and how to distinguish intentional tree deletion from accidental orphan cleanup.
-   - If implemented, add tests for `group rm` and `group rmchild` orphan-child behavior, root-group handling, and host `ungrouped` behavior.
+   - Kept default deletion conservative: `group rm NAME` removes only the named group and preserves child groups as root groups.
+   - Added explicit `group rm --recursive NAME` to delete descendant groups only when they become orphaned by the removal.
+   - Added explicit `group rmchild --delete-orphans PARENT CHILD...` to remove parent-child associations and delete orphaned child subtrees.
+   - Preserved groups that still have another parent outside the removed edge/subtree.
+   - Preserved host safety by moving hosts whose last group is deleted to `ungrouped`.
+   - Added regression coverage for recursive deletion, shared-parent preservation, and host fallback to `ungrouped`.
 
 1. [#4 `--trace` doesn't do what it claims](https://github.com/RusDavies/moose-inventory/issues/4)
-   - Reproduce current `--trace` behavior and confirm whether exceptions/backtraces are still truncated.
-   - Fix trace handling so transaction errors emit useful full exception/backtrace information when `--trace` is enabled while preserving concise default errors.
-   - Add regression coverage for both trace and non-trace error output.
-
-## Done
+   - Reproduced the broken trace path: `--trace` attempted to print `$ERROR_INFO.backtrace` without requiring `English`, causing a secondary `NoMethodError` instead of a clean trace dump.
+   - Fixed Moose DB transaction trace handling to emit the actual exception full message/backtrace while preserving concise default errors.
+   - Added regression coverage for both trace and non-trace Moose DB transaction errors.
+   - Verified with full `./scripts/check.sh`.
 
-_No GitHub issue backlog items completed yet._
+1. [#14 Passwords in config files](https://github.com/RusDavies/moose-inventory/issues/14)
+   - Added `password_env` support for MySQL and PostgreSQL database configuration while preserving the existing `password` key for compatibility.
+   - Added regression coverage for missing password configuration, unset password environment variables, and environment-backed MySQL/PostgreSQL connection passwords.
+   - Updated README examples to use `password_env` instead of plaintext sample passwords and added credential-handling guidance.
+   - Verified with full `./scripts/check.sh`.
 
 ---
 
@@ -182,3 +220,71 @@ _No open modernization items._
    - Ansible-mode CLI specs now pass the fixture config when invoking the top-level CLI.
    - Updated the `--list` expectation for Ansible mode, which correctly includes empty `hosts` arrays.
    - Verified `bundle exec rspec --format documentation`: 242 examples, 0 failures; line coverage 95.16%.
+
+---
+
+# Moose Inventory Code Quality Backlog
+
+Code quality status counts: 10 done / 0 open.
+
+## Open
+
+_No open code quality items._
+
+
+## Done
+
+1. Extract `group rm` to reuse the new group-cleanup / relation-operation seam.
+   - Added `Moose::Inventory::Operations::RemoveGroups` and reused `GroupCleanup` so top-level group deletion, recursive orphan cleanup, and host `ungrouped` reattachment now run through structured operation events instead of bespoke Thor logic.
+   - Converted `group rm` into a thinner adapter over `InventoryContext`, preserving `--recursive` behavior and existing CLI output.
+   - Added direct operation specs and expanded the targeted RuboCop gate to cover the new removal operation and adapter.
+   - Verified with focused specs and full `./scripts/check.sh`.
+
+1. Extract the shared group-parent/child association flow behind `group addchild` and `group rmchild`.
+   - Added `Moose::Inventory::Operations::GroupChildRelations` and `GroupCleanup` to own parent/child link creation, dissociation, and recursive orphan-group cleanup with structured events.
+   - Converted `group addchild` and `group rmchild` into thinner adapters over `InventoryContext`, including `--delete-orphans` behavior without leaving the recursion logic buried in the CLI layer.
+   - Added direct operation specs and expanded the targeted RuboCop gate to cover the new parent/child relation seam.
+   - Verified with focused specs and full `./scripts/check.sh`.
+
+1. Extract the shared host/group dissociation flow behind `host rmgroup` and `group rmhost`.
+   - Added `Moose::Inventory::Operations::RemoveAssociations` to own shared dissociation, missing-association handling, and automatic `ungrouped` reattachment behavior for existing primary entities.
+   - Converted `host rmgroup` and `group rmhost` into thinner adapters that retrieve the primary entity, delegate through `InventoryContext`, and render structured operation events.
+   - Added direct operation specs and expanded the targeted RuboCop gate to cover the new removal operation plus both adapter commands.
+   - Verified with focused specs and full `./scripts/check.sh`.
+
+1. Extract the shared host/group association flow behind `host addgroup` and `group addhost`.
+   - Added `Moose::Inventory::Operations::AddAssociations` to own the shared association, auto-create, duplicate-check, and `ungrouped` removal behavior for existing primary entities.
+   - Converted `host addgroup` and `group addhost` into thinner adapters that retrieve the primary entity, delegate through `InventoryContext`, and render structured operation events.
+   - Added direct operation specs and expanded the targeted RuboCop gate to cover the new operation plus both adapter commands.
+   - Verified with focused specs and full `./scripts/check.sh`.
+
+1. Extract `group add` into the operation/context/event pattern.
+   - Added `Moose::Inventory::Operations::AddGroups` with structured result/events and warning counts, mirroring the `host add` refactor pattern.
+   - Converted `group add` into a thin Thor adapter that validates input, delegates through `InventoryContext`, and renders operation events without changing CLI behavior.
+   - Added direct operation specs and extended the targeted RuboCop scope to cover the new operation/adapter/spec files.
+   - Verified with focused specs and full `./scripts/check.sh`.
+
+1. Reintroduce a small modern lint/complexity gate.
+   - Added RuboCop as a development dependency and a targeted `.rubocop.yml` for the newly refactored seam instead of the whole legacy tree.
+   - Added `scripts/ci/check_rubocop.sh` and wired it into `./scripts/check.sh` so lint/complexity checks run in the standard local and CI gate.
+   - Kept the initial lint scope focused on the context/operation/helper/adapter files and direct operation spec, with thresholds strict enough to catch drift without forcing a repo-wide cleanup right now.
+
+1. Separate first structured operation result from CLI rendering.
+   - Changed `Moose::Inventory::Operations::AddHosts` to return structured `Result`/`Event` objects instead of writing directly to stdout/stderr.
+   - Moved `host add` progress/warning rendering into the Thor adapter while preserving existing user-visible CLI output.
+   - Added direct operation specs proving inventory mutation and event emission without renderer output.
+   - Verified with focused specs and full `./scripts/check.sh`.
+
+1. Introduce an inventory context facade around DB access.
+   - Added `Moose::Inventory::InventoryContext` as a thin wrapper over the existing DB singleton for transaction/model operations.
+   - Wired the `AddHosts` operation through the context, reducing direct DB coupling in the first extracted operation while leaving legacy CLI commands stable.
+   - Verified with focused `host add` specs and full `./scripts/check.sh`.
+
+1. Extract first domain operation behind a Thor command.
+   - Added `Moose::Inventory::Operations::AddHosts` as the first operation/service object behind the CLI.
+   - Converted `host add` into a thin adapter that validates/normalizes CLI input and delegates inventory mutation to the operation.
+   - Preserved existing `host add` output and behavior under focused specs and full `./scripts/check.sh`.
+
+1. Extract shared CLI helpers for low-risk issue #13 refactor.
+   - Added helper methods for common validation, normalization, association checks, and automatic `ungrouped` membership handling.
+   - Refactored selected host/group CLI commands without changing user-visible output.

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    moose-inventory (1.0.9)
+    moose-inventory (2.0)
       indentation (~> 0)
       json (>= 2.7, < 3)
       mysql2 (>= 0.5.7, < 0.6)
@@ -13,15 +13,29 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
+    ast (2.4.3)
     bigdecimal (4.1.2)
+    bundler-audit (0.9.3)
+      bundler (>= 1.2.0)
+      thor (~> 1.0)
     diff-lcs (1.6.2)
     docile (1.4.1)
     indentation (0.1.1)
     json (2.19.5)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
     mysql2 (0.5.7)
       bigdecimal
+    parallel (1.28.0)
+    parser (3.3.11.1)
+      ast (~> 2.4.1)
+      racc
     pg (1.6.3-x86_64-linux)
+    prism (1.9.0)
+    racc (1.8.1)
+    rainbow (3.1.1)
     rake (13.4.2)
+    regexp_parser (2.12.0)
     rspec (3.13.2)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
@@ -35,6 +49,21 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-support (3.13.7)
+    rubocop (1.86.2)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      parallel (>= 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.49.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.7)
+    ruby-progressbar (1.13.0)
     sequel (5.104.0)
       bigdecimal
     simplecov (0.22.0)
@@ -45,15 +74,21 @@ GEM
     simplecov_json_formatter (0.1.4)
     sqlite3 (2.9.4-x86_64-linux-gnu)
     thor (1.5.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
 
 PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
   bundler (>= 2.2.33, < 3)
+  bundler-audit (>= 0.9, < 1)
   moose-inventory!
+  parallel (>= 1.10, < 2.0)
   rake (>= 13.0, < 14)
   rspec (~> 3)
+  rubocop (>= 1.72, < 2)
   simplecov (~> 0)
 
 BUNDLED WITH

data/README.md

@@ -56,7 +56,7 @@ moose_ops:
     host:     "localhost"
     database: "water"
     user:     "duck"
-    password: "quack"
+    password_env: "MOOSE_INVENTORY_MYSQL_PASSWORD"
 
 another_example_section:
   db:
@@ -64,7 +64,7 @@ another_example_section:
     host:     "localhost"
     database: "grass"
     user:     "cow"
-    password: "moo"
+    password_env: "MOOSE_INVENTORY_POSTGRES_PASSWORD"
 
 ```
 
@@ -78,7 +78,16 @@ At present,  each environment section contains only a **db** subsection, describ
 
 Each **db** section must include an **adapter** parameter. Currently supported adapter types are *sqlite3*, *mysql*, and *postgresql*. The test suite exercises SQLite with a local database file and includes adapter dispatch/error-path smoke coverage for MySQL and PostgreSQL without requiring live database servers.
 
-Additional parameters are also required in the **db** subsection, depending on the adapter type. For the *sqlite3* adapter only a **file** parameter is required; parent directories are created automatically. For both *mysql* and *postgresql*, **host**, **database**, **user**, and **password** are required.
+Additional parameters are also required in the **db** subsection, depending on the adapter type. For the *sqlite3* adapter only a **file** parameter is required; parent directories are created automatically. For both *mysql* and *postgresql*, **host**, **database**, **user**, and either **password_env** or **password** are required.
+
+Prefer **password_env** for MySQL and PostgreSQL configuration. Its value is the name of an environment variable that contains the database password, which keeps reusable configuration files from carrying plaintext credentials:
+
+```sh
+export MOOSE_INVENTORY_MYSQL_PASSWORD='use-a-real-secret-here'
+moose-inventory --env moose_ops host list
+```
+
+The older **password** key is still supported for compatibility, but avoid committing configuration files that contain database passwords. If you must use **password**, keep that configuration file outside version control and restrict its file permissions.
 
 
 ## Usage
@@ -303,10 +312,14 @@ We can also list hosts, to get the host-centric view.
       - group2
       - group3
 
-Removing variables, groups, and hosts is just as easy.  In the following examples, the output is again omitted for compactness; the reader is encouraged to work along to experience the tool.  Note, that although we show how to remove the variables, it is not strictly necessary to do so in this example, since deleting hosts and groups would delete all associated variables anyway. 
+Removing variables, groups, and hosts is just as easy.  In the following examples, the output is again omitted for compactness; the reader is encouraged to work along to experience the tool.  Note, that although we show how to remove the variables, it is not strictly necessary to do so in this example, since deleting hosts and groups would delete all associated variables anyway.
+
+By default, deleting a group preserves its child groups as root groups. Use `group rm --recursive` when child groups that become orphaned should also be deleted. Similarly, `group rmchild --delete-orphans` removes a parent-child association and deletes the child subtree only when it becomes orphaned by that removal. Hosts whose last group is deleted are automatically moved to `ungrouped`.
 
     $ moose-inventory group rmvar group1 location
     $ moose-inventory group rm group1 group2 group3
+    $ moose-inventory group rm --recursive old_parent_group
+    $ moose-inventory group rmchild --delete-orphans parent_group child_group
     $ moose-inventory host rmvar
     $ moose-inventory host rmvar host1 owner id
     $ moose-inventory host rm host1 host2 host3
@@ -371,7 +384,15 @@ Run the local verification gate before committing changes:
 ./scripts/check.sh
 ```
 
-The check script runs the RSpec suite and enforces the SimpleCov coverage minimum.
+The check script runs the RSpec suite, enforces the SimpleCov coverage minimum, checks file permissions, queries OSV for locked RubyGems advisories, runs `bundler-audit`, runs `gitleaks` when available, and builds/smoke-tests the packaged gem.
+
+Optional Go-based security tools used by CI can be installed locally with:
+
+```shell
+./scripts/ci/install_security_tools.sh
+```
+
+That installs `gitleaks` and `osv-scanner` into `tmp/security-tools/bin` unless they are already on `PATH`. Fedora users can also run `./scripts/install_dependencies.sh` to install the native build dependencies and packaged `gitleaks`; `bundler-audit` is installed through Bundler.
 
 ## Contributing
 1. Fork it (https://github.com/RusDavies/moose-inventory/fork )
@@ -389,4 +410,3 @@ The check script runs the RSpec suite and enforces the SimpleCov coverage minimu
 
 
 
-

data/Rakefile

@@ -1 +1 @@
-
+require 'bundler/gem_tasks'

data/docs/release/publishing.md

@@ -1,14 +1,24 @@
 # Publishing to RubyGems
 
-This project has historically been published manually to RubyGems as [`moose-inventory`](https://rubygems.org/gems/moose-inventory).
+This project is published to RubyGems as [`moose-inventory`](https://rubygems.org/gems/moose-inventory).
 
-At the time this document was added:
+The preferred publishing path is GitHub Actions trusted publishing from reviewed `v*` tags. Manual publishing remains documented as a fallback only.
 
-- The latest published RubyGems version was `1.0.8`.
-- The repository version was `1.0.9` in `lib/moose_inventory/version.rb`.
-- The repository had CI for checks, but no GitHub Actions publishing workflow.
+## Trusted publishing setup
 
-## Release checklist
+The repository side is `.github/workflows/release.yml`.
+
+RubyGems has a trusted publisher configured for the existing `moose-inventory` gem on RubyGems.org with these values:
+
+- Repository owner: `RusDavies`
+- Repository name: `moose-inventory`
+- Workflow filename: `release.yml`
+- Environment: `release`
+- Workflow repository owner/name: blank, because the workflow lives in this repository
+
+The release workflow requires the GitHub environment name `release`. If that environment has protection rules, approve the deployment when releasing.
+
+## Trusted publishing release checklist
 
 1. Start from a clean `master` branch.
 
@@ -25,7 +35,7 @@ At the time this document was added:
    gem info moose-inventory --remote --all
    ```
 
-   If the repository version is already higher than the latest RubyGems version, you can publish it as-is after checks pass. If not, bump `lib/moose_inventory/version.rb` first and commit that change before publishing.
+   If the repository version is not higher than the latest RubyGems version, bump `lib/moose_inventory/version.rb` first and commit that change before releasing.
 
 3. Run the local release gate.
 
@@ -33,56 +43,58 @@ At the time this document was added:
    ./scripts/check.sh
    ```
 
-   This runs the spec suite, whitespace checks, executable-permission checks, OSV dependency advisory checks, and gem package sanity checks.
-
 4. Push the release commit and wait for CI to pass.
 
    ```bash
    git push origin master
    ```
 
-   Do not publish to RubyGems until the GitHub Actions CI run for the pushed commit is green.
-
-5. Build the gem from the exact commit you intend to release.
+5. Create and push the release tag from the exact commit to publish.
 
    ```bash
-   rm -rf pkg tmp/pkg tmp/package-sanity
-   gem build moose-inventory.gemspec
+   git tag -a v1.0.10 -m "Release moose-inventory 1.0.10"
+   git push origin v1.0.10
    ```
 
-   The output should be named like `moose-inventory-1.0.9.gem`.
-
-6. Inspect the built gem metadata if desired.
+6. Watch the `Release gem` workflow.
 
    ```bash
-   gem specification moose-inventory-1.0.9.gem name version executables require_paths files --yaml
+   gh run list --workflow release.yml --limit 5
+   gh run watch <run-id> --exit-status
    ```
 
-7. Publish to RubyGems.
+The workflow verifies that the pushed tag version matches `Moose::Inventory::VERSION`, runs `./scripts/check.sh`, builds the gem through `rubygems/release-gem@v1`, and publishes using RubyGems trusted publishing/OIDC. No RubyGems API key should be stored in GitHub secrets for this workflow.
 
-   ```bash
-   gem push moose-inventory-1.0.9.gem
-   ```
+## Verify the published version
 
-   If RubyGems auth is not already configured, `gem push` will prompt for credentials or an API key.
+After the workflow succeeds:
+
+```bash
+gem info moose-inventory --remote --all
+gem install moose-inventory -v 1.0.10
+moose-inventory --help
+```
 
-8. Verify the published version.
+Use the actual released version in place of `1.0.10`.
+
+## Manual fallback
+
+Manual publishing should only be used if trusted publishing is unavailable and a RubyGems owner explicitly chooses to publish from a local machine.
+
+1. Run `./scripts/check.sh`.
+2. Build the gem from the exact commit intended for release.
 
    ```bash
-   gem info moose-inventory --remote --all
-   gem install moose-inventory -v 1.0.9
-   moose-inventory --help
+   rm -rf pkg tmp/pkg tmp/package-sanity
+   gem build moose-inventory.gemspec
    ```
 
-9. Tag the release after RubyGems confirms it is live.
+3. Push the built gem.
 
    ```bash
-   git tag -a v1.0.9 -m "Release v1.0.9"
-   git push origin v1.0.9
+   gem push moose-inventory-1.0.10.gem
    ```
 
-## Authentication notes
-
 Prefer a scoped RubyGems API key over an old global key:
 
 - Scope it to pushing gems, ideally only `moose-inventory` if RubyGems permits that for the account.
@@ -95,19 +107,3 @@ Check credential file permissions with:
 ls -l ~/.gem/credentials
 chmod 0600 ~/.gem/credentials
 ```
-
-## Current publishing model
-
-Publishing is manual. There is no automated release workflow in this repository yet.
-
-A future improvement would be to configure RubyGems trusted publishing through GitHub Actions so releases can be published from a tagged, reviewed workflow without long-lived RubyGems API keys on a developer machine.
-
-Suggested future workflow:
-
-1. Add RubyGems trusted publishing for this repository and gem.
-2. Add a GitHub Actions workflow triggered by `v*` tags.
-3. Have the workflow run `./scripts/check.sh`.
-4. Build the gem.
-5. Publish via trusted publishing only if the tag version matches `Moose::Inventory::VERSION`.
-
-Until that is implemented, use the manual process above.