moose-inventory 1.0.9 → 2.0

data/docs/release/release-readiness.md

@@ -24,6 +24,20 @@ GitHub Actions workflow: `.github/workflows/ci.yml`.
 
 It installs native headers needed by the DB gems, runs the same `./scripts/check.sh` gate used locally, and tests the maintained Ruby version range through the GitHub Actions matrix.
 
+## Trusted publishing gate
+
+GitHub Actions workflow: `.github/workflows/release.yml`.
+
+The release workflow runs when a `v*` tag is pushed. It:
+
+1. Checks out the repository using `actions/checkout@v5`.
+2. Installs Ruby and native database build dependencies.
+3. Fails if the tag version does not match `Moose::Inventory::VERSION`.
+4. Runs the full local `./scripts/check.sh` gate.
+5. Publishes the gem with `rubygems/release-gem@v1` using RubyGems trusted publishing/OIDC.
+
+RubyGems has a trusted publisher configured for repository `RusDavies/moose-inventory`, workflow `release.yml`, and environment `release`, so the workflow can request a short-lived publish token when a real release tag is pushed.
+
 ## Package sanity expectations
 
 `package_sanity.sh` validates that the built gem includes at least:

data/docs/security-audit-2026-05-26-rerun.md

@@ -0,0 +1,75 @@
+# Security Audit Rerun — 2026-05-26
+
+Repository: `RusDavies/moose-inventory`  
+Local path: `/home/skippy/.openclaw/workspace/projects/moose-inventory`  
+Audited commit at start: `a07b5c89214a3cee66170217c5b38e9ad2ae093a`  
+Audit branch: `security-audit-2026-05-26-rerun`  
+Evidence store: `.openclaw-security-audit/audit.sqlite`, audit run `2`
+
+## Executive summary
+
+The rerun found no exploitable application vulnerabilities in the Ruby CLI/config/database code reviewed, and all deterministic dependency, advisory, package, and secret-scanning gates passed.
+
+One release-supply-chain hardening gap was identified and fixed during the audit: the release workflow ran `./scripts/check.sh` without installing or requiring the dedicated security tools, so a tag-based release could publish even if `gitleaks`, `osv-scanner`, or `bundler-audit` coverage was absent from that release job. CI already enforced those tools; release now does too.
+
+## Scope
+
+Reviewed security-relevant surfaces and changes since the prior audit:
+
+- GitHub Actions CI and release workflows.
+- Security-tool installation and enforcement scripts.
+- Ruby CLI entrypoints and Thor command surfaces.
+- YAML configuration loading.
+- SQLite/MySQL/PostgreSQL connection setup and password handling.
+- Recursive group deletion behavior touched by recent issue work.
+- Gem packaging/release path.
+
+## Deterministic results
+
+- Full local required-tool gate: passed.
+  - RSpec: 268 examples, 0 failures.
+  - Coverage: 96.52% line coverage.
+  - Custom OSV dependency check: 45 dependencies queried, 0 vulnerable.
+  - `bundler-audit`: no vulnerabilities found.
+  - `osv-scanner`: no issues found in `Gemfile.lock`.
+  - `gitleaks`: dedicated secret scan passed.
+  - Package sanity: built and inspected `tmp/pkg/moose-inventory.gem` successfully.
+- Semgrep Ruby registry scan: 62 tracked Ruby files scanned with 44 Ruby rules, 0 findings.
+- GitHub Dependabot open alerts: 0.
+- GitHub code scanning alerts: unavailable / no analysis found (`404`).
+- GitHub secret scanning alerts: unavailable because secret scanning is disabled for this repository.
+- Workflow YAML parse check: `ci.yml` and `release.yml` parsed successfully with Ruby Psych.
+- Current GitHub CI before audit branch: latest `master` CI run succeeded for Ruby 3.2, 3.3, and 3.4.
+
+## Finding fixed during audit
+
+### SEC-RERUN-2026-05-26-01 — Release workflow did not require dedicated security tools
+
+- Priority before fix: P2 medium, release supply-chain hardening.
+- Exposure: tag-triggered release workflow.
+- Affected file: `.github/workflows/release.yml`.
+- Evidence: CI installed `gitleaks`/`osv-scanner` and set `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1`, but the release workflow only ran `./scripts/check.sh`. In local mode, `scripts/ci/check_security.sh` and `scripts/ci/check_secrets.sh` intentionally skip missing optional security tools unless `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1` is set.
+- Impact: a release tag created from an unexpected commit or during a tooling/path issue could publish without the same dedicated SCA/secret-scan enforcement as CI.
+- Fix applied: release workflow now sets up Go with cache disabled, installs the pinned security CLIs via `scripts/ci/install_security_tools.sh`, runs native dependency installation with a 5-minute timeout, and runs `./scripts/check.sh` with `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1`.
+- Verification: full local required-tool gate passed after the workflow change.
+- Residual risk: release workflow can only be fully proven on the next real release tag because already-published `v1.0.9` must not be retagged.
+
+## Reviewed areas with no actionable finding
+
+- YAML config loading uses `YAML.safe_load_file` with aliases disabled and no permitted classes/symbols.
+- SQLite database path handling creates parent directories with `FileUtils.mkdir_p`; this is local config-driven CLI behavior, not a remotely reachable path traversal surface.
+- MySQL/PostgreSQL password handling supports `password_env`; plaintext `password` remains for compatibility but README guidance discourages committing it.
+- CLI input reaches Sequel model operations rather than shell execution; no shell/eval sink was identified in application code.
+- Recent recursive group deletion is explicit opt-in and keeps host fallback behavior covered by regression tests.
+- GitHub Actions release job uses OIDC/trusted publishing and does not store a RubyGems API key in the workflow.
+
+## Limitations
+
+- This was a local/source and CI/release workflow audit, not an active test against live external databases or RubyGems publishing.
+- GitHub code scanning is not configured, so there were no CodeQL/code-scanning results to review.
+- GitHub secret scanning is disabled for the repository; local `gitleaks` coverage was used instead.
+- The release trusted-publishing path still needs verification on the next real version tag.
+
+## Conclusion
+
+No open exploitable vulnerabilities remain from this rerun. The only identified security gap was release-pipeline parity with CI security tooling, and it was fixed in this audit branch.

data/docs/security-audit-2026-05-26.md

@@ -0,0 +1,63 @@
+# Security audit — 2026-05-26
+
+Scope: local static/security review of the `moose-inventory` Ruby CLI/gem at commit `8c3eaada5d70ef599961b8ca8b78e12ea4ce83c9` on branch `security-audit-2026-05-26`.
+
+## Executive summary
+
+No actionable security vulnerabilities were identified in this pass.
+
+The meaningful attack surface remains local CLI execution, configuration-file loading, database access through Sequel, package/release automation, and developer tooling. There is no HTTP server, RPC endpoint, webhook handler, queue consumer, file upload parser, shell-command execution path, or plugin system in this repository.
+
+The areas remediated in the prior 2026-05-21 audit remain in good shape: YAML config loading uses `YAML.safe_load_file`, DB credentials can be supplied through environment variables, OSV reports no known vulnerable locked RubyGems dependencies, CI/package sanity gates are present, and GitHub Dependabot has no open alerts.
+
+## Surfaces reviewed
+
+- CLI entrypoint: `bin/moose-inventory`
+- Global option parsing and config loading: `lib/moose_inventory/config/config.rb`
+- DB connection/schema/transaction code: `lib/moose_inventory/db/db.rb`
+- Sequel models and associations: `lib/moose_inventory/db/models.rb`
+- CLI command handlers under `lib/moose_inventory/cli/`
+- Formatter/output serialization: `lib/moose_inventory/cli/formatter.rb`
+- Packaging and release metadata: `moose-inventory.gemspec`, `Gemfile`, `Gemfile.lock`, `.github/workflows/ci.yml`, `.github/workflows/release.yml`
+- Helper scripts under `scripts/`
+- Test config/spec fixtures under `spec/`
+
+## Findings
+
+No P0/P1/P2/P3 actionable findings were identified.
+
+## Notable negative findings
+
+- Config deserialization uses `YAML.safe_load_file` with aliases disabled and no permitted classes/symbols.
+- No runtime shell execution sinks were identified.
+- Database access uses Sequel model/dataset/hash APIs for user-controlled names, groups, hosts, and variables; no raw SQL interpolation was identified in reviewed runtime paths.
+- MySQL/PostgreSQL passwords can be supplied via `password_env`, and README guidance prefers environment-backed passwords over plaintext config values.
+- No committed secrets were identified outside expected example/test placeholders.
+- GitHub Actions release publishing uses RubyGems trusted publishing/OIDC rather than a stored RubyGems API key.
+- Dependency advisory gate queried OSV for 41 locked RubyGems dependency records and reported zero known vulnerabilities.
+- GitHub Dependabot open-alert query returned zero open alerts.
+
+## Tooling evidence
+
+- Audit evidence store initialized at `.openclaw-security-audit/audit.sqlite` with `audit_run_id=1`.
+- Inventory: 187 files; Ruby manifests detected: `Gemfile`, `Gemfile.lock`, plus generated package-sanity manifests under `tmp/package-sanity`.
+- Symbol extractor scanned 156 files but did not extract Ruby symbols/surfaces with the current lightweight extractor.
+- Semgrep auto-config failed because metrics are disabled; reran explicit Ruby registry rules instead.
+- Semgrep: `semgrep --config p/ruby --json --metrics=off --exclude .openclaw-security-audit --exclude spec/reports --exclude tmp .` scanned 62 tracked Ruby files with 44 rules and returned 0 findings.
+- Dependency advisory gate: `./scripts/ci/check_security.sh` queried 41 RubyGems dependencies and returned 0 vulnerable dependencies.
+- Full local gate: `./scripts/check.sh` passed with 268 examples, 0 failures, 96.52% line coverage, OSV 0 vulnerabilities, and package sanity passed.
+- GitHub Dependabot: `gh api 'repos/RusDavies/moose-inventory/dependabot/alerts?state=open' --jq 'length'` returned `0`.
+- GitHub code-scanning alerts could not be queried because no code-scanning analysis exists for this repository; GitHub returned `404 no analysis found`.
+
+## Tooling limitations
+
+- `osv-scanner`, `bundler-audit`/`bundle-audit`, `gitleaks`, `trufflehog`, `brakeman`, `flog`, and `reek` were not installed in this environment.
+- `bundle exec rubocop` could not run because RuboCop is not part of the bundle. This is not a security gate failure, but it limits style/static-quality coverage.
+- Secret scanning was limited to tracked-file grep patterns because dedicated secret scanners were unavailable.
+- The audit did not perform active exploitation against external systems or live database servers.
+
+## Residual risks / recommendations
+
+- Consider adding a dedicated secret scanner such as `gitleaks` or `trufflehog` to local/CI security tooling if this project will accept outside contributions.
+- Consider adding `bundler-audit` or `osv-scanner` as an optional developer tool if broader advisory coverage is desired beyond the existing custom OSV gate.
+- Keep generated coverage and package-sanity artifacts excluded from security scans; they are noisy and not part of the runtime gem surface.

data/lib/moose_inventory/cli/group.rb

@@ -1,5 +1,6 @@
 require 'thor'
 require_relative './formatter.rb'
+require_relative './helpers.rb'
 
 module Moose
   module Inventory
@@ -7,6 +8,8 @@ module Moose
       ##
       # Class implementing the "group" methods of the CLI
       class Group < Thor
+        include Moose::Inventory::Cli::Helpers
+
         require_relative 'group_add'
         require_relative 'group_get'
         require_relative 'group_list'

data/lib/moose_inventory/cli/group_add.rb

@@ -1,5 +1,9 @@
+# frozen_string_literal: true
+
 require 'thor'
-require_relative './formatter.rb'
+require_relative 'formatter'
+require_relative '../inventory_context'
+require_relative '../operations/add_groups'
 
 module Moose
   module Inventory
@@ -10,86 +14,98 @@ module Moose
         #==========================
         desc 'add NAME', 'Add a group NAME to the inventory'
         option :hosts
-        # rubocop:disable Metrics/LineLength
-        def add(*argv) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity
-          # rubocop:enable Metrics/LineLength
-          if argv.empty?
-            abort("ERROR: Wrong number of arguments, #{argv.length} for 1 or more.")
-          end
+        def add(*argv)
+          abort_if_missing_args(argv, 1, '1 or more')
 
-          # Arguments
-          names = argv.uniq.map(&:downcase)
-          options[:hosts] = '' if options[:hosts].nil?
-          hosts = options[:hosts].downcase.split(',').uniq
+          names = normalize_names(argv)
+          hosts = csv_option_names(options[:hosts])
 
-          # sanity
-          if names.include?('ungrouped')
-            abort("ERROR: Cannot manually manipulate the automatic group 'ungrouped'\n")
-          end
+          abort_if_automatic_group(
+            names,
+            "ERROR: Cannot manually manipulate the automatic group 'ungrouped'\n"
+          )
+
+          result = Moose::Inventory::Operations::AddGroups
+                   .new(context: Moose::Inventory::InventoryContext.new(db: db))
+                   .call(names: names, hosts: hosts)
+          render_add_groups_events(result.events)
 
-          # Convenience
-          db = Moose::Inventory::DB
-          fmt = Moose::Inventory::Cli::Formatter
-
-          # Transaction
-          warn_count = 0
-          db.transaction do # Transaction start
-            names.each do |name|
-              # Add the group
-              puts "Add group '#{name}':"
-              group = db.models[:group].find(name: name)
-              hosts_ds = nil
-              fmt.puts 2, '- create group...'
-              if group.nil?
-                group = db.models[:group].create(name: name)
-                fmt.puts 4, '- OK'
-              else
-                warn_count += 1
-                fmt.warn "Group '#{name}' already exists, skipping creation.\n"
-                fmt.puts 4, '- already exists, skipping.'
-                hosts_ds = group.hosts_dataset
-                fmt.puts 4, '- OK'
-              end
-
-              # Associate with hosts
-              hosts.each do |h|
-                next if h.nil? || h.empty?
-                fmt.puts 2, "- add association {group:#{name} <-> host:#{h}}..."
-                host = db.models[:host].find(name: h)
-                if host.nil?
-                  warn_count += 1
-                  fmt.warn "Host '#{h}' doesn't exist, but will be created.\n"
-                  fmt.puts 4, "- host doesn't exist, creating now..."
-                  host = db.models[:host].create(name: h)
-                  fmt.puts 6, '- OK'
-                end
-                if !hosts_ds.nil? && !hosts_ds[name: h].nil?
-                  warn_count += 1
-                  fmt.warn "Association {group:#{name} <-> host:#{h}}"\
-                    " already exists, skipping creation.\n"
-                  fmt.puts 4, '- already exists, skipping.'
-                else
-                  group.add_host(host)
-                end
-                fmt.puts 4, '- OK'
-
-                # Handle the host's automatic 'ungrouped' group
-                ungrouped = host.groups_dataset[name: 'ungrouped']
-                next if ungrouped.nil?
-                fmt.puts 2, '- remove automatic association {group:ungrouped'\
-                  " <-> host:#{h}}..."
-                host.remove_group(ungrouped) unless ungrouped.nil?
-                fmt.puts 4, '- OK'
-              end
-              fmt.puts 2, '- all OK'
-            end
-          end # Transaction end
-          if warn_count == 0
+          if result.warning_count.zero?
             puts 'Succeeded'
           else
             puts 'Succeeded, with warnings.'
           end
         end
+
+        private
+
+        def render_add_groups_events(events)
+          events.each { |event| render_add_groups_event(event) }
+        end
+
+        def render_add_groups_event(event)
+          payload = event.payload
+
+          return render_add_groups_event_puts(event.type, payload) if puts_event?(event.type)
+          return render_add_groups_event_warn(event.type, payload) if warn_event?(event.type)
+
+          render_add_groups_event_fmt(event.type, payload)
+        end
+
+        def puts_event?(type)
+          type == :group_started
+        end
+
+        def warn_event?(type)
+          %i[group_exists host_missing_created association_exists].include?(type)
+        end
+
+        def render_add_groups_event_puts(type, payload)
+          puts "Add group '#{payload[:name]}':" if type == :group_started
+        end
+
+        def render_add_groups_event_warn(type, payload)
+          case type
+          when :group_exists
+            fmt.warn "Group '#{payload[:name]}' already exists, skipping creation.\n"
+          when :host_missing_created
+            fmt.warn "Host '#{payload[:name]}' doesn't exist, but will be created.\n"
+          when :association_exists
+            fmt.warn(
+              "Association {group:#{payload[:group]} <-> host:#{payload[:host]}} " \
+              "already exists, skipping creation.\n"
+            )
+          end
+        end
+
+        def render_add_groups_event_fmt(type, payload)
+          return render_add_groups_event_status(type, payload) if status_event?(type)
+
+          case type
+          when :creating_group
+            fmt.puts 2, '- create group...'
+          when :adding_association
+            fmt.puts 2, "- add association {group:#{payload[:group]} <-> host:#{payload[:host]}}..."
+          when :host_creating_now
+            fmt.puts 4, '- host doesn\'t exist, creating now...'
+          when :removing_automatic_group
+            fmt.puts 2, "- remove automatic association {group:ungrouped <-> host:#{payload[:host]}}..."
+          when :group_complete
+            fmt.puts 2, '- all OK'
+          end
+        end
+
+        def status_event?(type)
+          %i[already_exists_skipping ok].include?(type)
+        end
+
+        def render_add_groups_event_status(type, payload)
+          if type == :already_exists_skipping
+            fmt.puts payload[:indent], '- already exists, skipping.'
+          else
+            fmt.puts payload[:indent], '- OK'
+          end
+        end
       end
     end
   end

data/lib/moose_inventory/cli/group_addchild.rb

@@ -1,5 +1,9 @@
+# frozen_string_literal: true
+
 require 'thor'
-require_relative './formatter.rb'
+require_relative 'formatter'
+require_relative '../inventory_context'
+require_relative '../operations/group_child_relations'
 
 module Moose
   module Inventory
@@ -10,78 +14,91 @@ module Moose
         #==========================
         desc 'addchild PARENTGROUP CHILDGROUP_1 [CHILDGROUP_2 ... ]',
              'Associate one or more child-groups CHILDGROUP_n with PARENTGROUP'
-        def addchild(*_argv)
-          # Sanity check
-          if args.length < 2
-            abort("ERROR: Wrong number of arguments, #{args.length} "\
-              'for 2 or more.')
-          end
+        def addchild(*argv)
+          abort_if_missing_args(argv, 2, '2 or more')
+
+          pname = argv[0].downcase
+          cnames = normalize_names(argv.slice(1, argv.length - 1))
+
+          abort_if_automatic_group([pname] + cnames)
 
-          # Arguments
-          pname = args[0].downcase
-          cnames = args.slice(1, args.length - 1).uniq.map(&:downcase)
+          result = add_children_to_group(pname, cnames)
 
-          # Sanity
-          if pname == 'ungrouped' || cnames.include?('ungrouped')
-            abort("ERROR: Cannot manually manipulate the automatic group 'ungrouped'.")
+          if result.warning_count.zero?
+            puts 'Succeeded.'
+          else
+            puts 'Succeeded, with warnings.'
           end
+        end
+
+        private
 
-          # Convenience
-          db = Moose::Inventory::DB
-          fmt = Moose::Inventory::Cli::Formatter
+        def add_children_to_group(parent_name, child_names)
+          context = Moose::Inventory::InventoryContext.new(db: db)
+          operation = Moose::Inventory::Operations::GroupChildRelations.new(context: context)
 
-          # Transaction
-          warn_count = 0
           begin
-            db.transaction do # Transaction start
-              puts "Associate parent group '#{pname}' with child group(s) '#{cnames.join(',')}':"
-              # Get the target group
-              fmt.puts 2, "- retrieve group '#{pname}'..."
-              pgroup = db.models[:group].find(name: pname)
-              if pgroup.nil?
-                abort("ERROR: The group '#{pname}' does not exist.")
-              end
-              fmt.puts 4, '- OK'
-
-              # Associate parent group with the child groups
-
-              groups_ds = pgroup.children_dataset
-              cnames.each do |cname|
-                fmt.puts 2, "- add association {group:#{pname} <-> group:#{cname}}..."
-
-                # Check against existing associations
-                unless groups_ds[name: cname].nil?
-                  warn_count += 1
-                  fmt.warn "Association {group:#{pname} <-> group:#{cname}}}"\
-                    " already exists, skipping.\n"
-                  fmt.puts 4, '- already exists, skipping.'
-                  fmt.puts 4, '- OK'
-                  next
-                 end
-
-                # Add new association
-                cgroup = db.models[:group].find(name: cname)
-                if cgroup.nil?
-                  warn_count += 1
-                  fmt.warn "Group '#{cname}' does not exist and will be created.\n"
-                  fmt.puts 4, '- child group does not exist, creating now...'
-                  cgroup = db.models[:group].create(name: cname)
-                  fmt.puts 6, '- OK'
-                end
-                pgroup.add_child(cgroup)
-                fmt.puts 4, '- OK'
-              end
+            db.transaction do
+              puts "Associate parent group '#{parent_name}' with child group(s) '#{child_names.join(',')}':"
+              parent_group = fetch_existing_group_for_child_relation(context, parent_name)
+              result = operation.add_children(
+                parent_group: parent_group,
+                parent_name: parent_name,
+                child_names: child_names
+              )
+              render_addchild_events(result.events)
               fmt.puts 2, '- all OK'
-            end # Transaction end
+              return result
+            end
           rescue db.exceptions[:moose] => e
             abort("ERROR: #{e}")
           end
-          if warn_count == 0
-            puts 'Succeeded.'
+        end
+
+        def fetch_existing_group_for_child_relation(context, name)
+          fmt.puts 2, "- retrieve group '#{name}'..."
+          group = context.find_group(name)
+          abort("ERROR: The group '#{name}' does not exist.") if group.nil?
+
+          fmt.puts 4, '- OK'
+          group
+        end
+
+        def render_addchild_events(events)
+          events.each { |event| render_addchild_event(event) }
+        end
+
+        def render_addchild_event(event)
+          payload = event.payload
+
+          return render_addchild_warning(event.type, payload) if addchild_warning?(event.type)
+          return render_addchild_existing(payload) if event.type == :already_exists_skipping
+
+          case event.type
+          when :adding_child_association
+            fmt.puts 2, "- add association {group:#{payload[:parent]} <-> group:#{payload[:child]}}..."
+          when :child_group_creating_now
+            fmt.puts 4, '- child group does not exist, creating now...'
+          when :ok
+            fmt.puts payload[:indent], '- OK'
+          end
+        end
+
+        def addchild_warning?(type)
+          %i[child_association_exists child_group_missing].include?(type)
+        end
+
+        def render_addchild_warning(type, payload)
+          if type == :child_association_exists
+            fmt.warn "Association {group:#{payload[:parent]} <-> group:#{payload[:child]}}} already exists, skipping.\n"
           else
-            puts 'Succeeded, with warnings.'
+            fmt.warn "Group '#{payload[:name]}' does not exist and will be created.\n"
           end
         end
+
+        def render_addchild_existing(payload)
+          fmt.puts payload[:indent], '- already exists, skipping.'
+        end
       end
     end
   end