moose-inventory 1.0.9 → 2.1

data/scripts/ci/check_generated_artifacts.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+set -euo pipefail
+
+# Generated/local artifacts are useful during development but must not become
+# source inputs, package contents, or review noise. Keep this list aligned with
+# .gitignore and scanner excludes.
+generated_paths=(
+  ".openclaw-security-audit"
+  "coverage"
+  "pkg"
+  "spec/reports"
+  "tmp"
+)
+
+tracked=()
+for path in "${generated_paths[@]}"; do
+  while IFS= read -r file; do
+    tracked+=("$file")
+  done < <(git ls-files "$path" "$path/**")
+done
+
+if (( ${#tracked[@]} > 0 )); then
+  echo "Generated artifact paths are tracked and must be removed from source commits:" >&2
+  printf '  %s\n' "${tracked[@]}" >&2
+  exit 1
+fi
+
+ignored_failures=()
+for path in "${generated_paths[@]}"; do
+  if ! git check-ignore -q "$path/placeholder"; then
+    ignored_failures+=("$path/")
+  fi
+done
+
+if (( ${#ignored_failures[@]} > 0 )); then
+  echo "Generated artifact paths are not ignored:" >&2
+  printf '  %s\n' "${ignored_failures[@]}" >&2
+  exit 1
+fi
+
+echo "Generated artifact guard passed."

data/scripts/ci/check_permissions.sh

@@ -3,9 +3,14 @@ set -euo pipefail
 
 allowed_executables=(
   "bin/moose-inventory"
+  "examples/ci/scripts/validate-inventory-snapshot.sh"
   "scripts/check.sh"
   "scripts/ci/check_permissions.sh"
+  "scripts/ci/check_rubocop.sh"
+  "scripts/ci/check_secrets.sh"
+  "scripts/ci/check_generated_artifacts.sh"
   "scripts/ci/check_security.sh"
+  "scripts/ci/install_security_tools.sh"
   "scripts/ci/package_sanity.sh"
   "scripts/files.rb"
   "scripts/install_dependencies.sh"

data/scripts/ci/check_rubocop.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+set -euo pipefail
+
+repo_root="$(git rev-parse --show-toplevel)"
+cd "$repo_root"
+
+rubocop_files=(
+  Gemfile
+  Rakefile
+)
+
+while IFS= read -r -d '' file; do
+  rubocop_files+=("$file")
+done < <(find bin -maxdepth 1 -type f -print0 | sort -z)
+
+while IFS= read -r -d '' file; do
+  rubocop_files+=("$file")
+done < <(
+  find \
+    lib \
+    scripts \
+    spec \
+    -path 'spec/reports' -prune -o \
+    -path 'spec/reports/*' -prune -o \
+    -type f \( -name '*.rb' -o -name '*.gemspec' \) \
+    -print0 | sort -z
+)
+
+while IFS= read -r -d '' file; do
+  rubocop_files+=("$file")
+done < <(find . -maxdepth 1 -type f -name '*.gemspec' -print0 | sort -z)
+
+bundle exec rubocop "${rubocop_files[@]}"

data/scripts/ci/check_secrets.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+set -euo pipefail
+
+BIN_DIR="${MOOSE_INVENTORY_SECURITY_TOOLS_BIN:-$PWD/tmp/security-tools/bin}"
+if command -v gitleaks >/dev/null 2>&1; then
+  GITLEAKS=(gitleaks)
+elif [ -x "$BIN_DIR/gitleaks" ]; then
+  GITLEAKS=("$BIN_DIR/gitleaks")
+else
+  if [ "${MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS:-0}" = "1" ]; then
+    echo "gitleaks is required but was not found. Run scripts/ci/install_security_tools.sh first." >&2
+    exit 2
+  fi
+  echo "gitleaks not found; skipping dedicated secret scan."
+  exit 0
+fi
+
+"${GITLEAKS[@]}" detect \
+  --no-git \
+  --source . \
+  --config .gitleaks.toml \
+  --redact \
+  --no-banner \
+  --log-level warn
+
+echo "Gitleaks secret scan passed."

data/scripts/ci/check_security.sh

@@ -48,3 +48,21 @@ if findings:
         print(f'- {name} {version}: {vuln_id} {summary}', file=sys.stderr)
     sys.exit(1)
 PY
+
+bundle exec bundle-audit check --update
+
+BIN_DIR="${MOOSE_INVENTORY_SECURITY_TOOLS_BIN:-$PWD/tmp/security-tools/bin}"
+if command -v osv-scanner >/dev/null 2>&1; then
+  OSV_SCANNER=(osv-scanner)
+elif [ -x "$BIN_DIR/osv-scanner" ]; then
+  OSV_SCANNER=("$BIN_DIR/osv-scanner")
+else
+  if [ "${MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS:-0}" = "1" ]; then
+    echo "osv-scanner is required but was not found. Run scripts/ci/install_security_tools.sh first." >&2
+    exit 2
+  fi
+  echo "osv-scanner not found; skipping osv-scanner lockfile scan."
+  exit 0
+fi
+
+"${OSV_SCANNER[@]}" scan source --lockfile Gemfile.lock .

data/scripts/ci/install_security_tools.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+set -euo pipefail
+
+# Installs optional security audit CLIs used by CI. They are kept out of the
+# gem runtime/development bundle because they are Go command-line tools, not
+# Ruby dependencies.
+
+BIN_DIR="${MOOSE_INVENTORY_SECURITY_TOOLS_BIN:-$PWD/tmp/security-tools/bin}"
+GITLEAKS_VERSION="${GITLEAKS_VERSION:-v8.30.0}"
+OSV_SCANNER_VERSION="${OSV_SCANNER_VERSION:-v2.2.3}"
+
+mkdir -p "$BIN_DIR"
+
+if ! command -v go >/dev/null 2>&1; then
+  echo "Go is required to install gitleaks/osv-scanner. Install Go or use a prebuilt package." >&2
+  exit 2
+fi
+
+install_go_tool() {
+  local name="$1"
+  local module="$2"
+  local version="$3"
+
+  if command -v "$name" >/dev/null 2>&1; then
+    echo "$name already available at $(command -v "$name")"
+    return
+  fi
+
+  if [ -x "$BIN_DIR/$name" ]; then
+    echo "$name already installed at $BIN_DIR/$name"
+    return
+  fi
+
+  echo "Installing $name $version into $BIN_DIR"
+  GOBIN="$BIN_DIR" go install "$module@$version"
+}
+
+install_go_tool gitleaks github.com/zricethezav/gitleaks/v8 "$GITLEAKS_VERSION"
+install_go_tool osv-scanner github.com/google/osv-scanner/v2/cmd/osv-scanner "$OSV_SCANNER_VERSION"
+
+if [ -n "${GITHUB_PATH:-}" ]; then
+  echo "$BIN_DIR" >> "$GITHUB_PATH"
+fi
+
+export PATH="$BIN_DIR:$PATH"
+gitleaks version || true
+osv-scanner --version

data/scripts/files.rb

@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'yaml'
 
@@ -8,8 +9,8 @@ test_files    = files.grep(%r{^(test|spec|features)/})
 require_paths = ['lib']
 
 out = {}
-out['Executables'.to_sym] = executables
-out['Test_Files'.to_sym] = test_files
-out['Require_Paths'.to_sym] = require_paths
+out[:Executables] = executables
+out[:Test_Files] = test_files
+out[:Require_Paths] = require_paths
 
-puts out.to_yaml.to_s
+puts out.to_yaml

data/scripts/install_dependencies.sh

@@ -4,6 +4,8 @@ set -euo pipefail
 sudo dnf groupinstall -y "C Development Tools and Libraries" "Development Tools"
 sudo dnf install -y \
             ansible \
+            gitleaks \
+            golang \
             ruby \
             ruby-devel \
             rubygem-bundler \

data/spec/examples/ci_examples_spec.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'spec_helper'
+require 'tmpdir'
+require 'yaml'
+
+RSpec.describe 'CI/CD examples' do
+  it 'ships parseable inventory and GitHub Actions examples' do
+    expect(YAML.safe_load_file('examples/ci/inventory/example-snapshot.yml')).to include('version' => 1)
+    workflow = YAML.safe_load_file('examples/ci/github-actions/inventory-review.yml')
+
+    expect(workflow).to include('name' => 'Inventory review example')
+  end
+
+  it 'keeps the snapshot validation script syntax-valid' do
+    expect(system('bash', '-n', 'examples/ci/scripts/validate-inventory-snapshot.sh')).to eq(true)
+  end
+
+  it 'validates a snapshot and writes review artifacts without production credentials' do
+    Dir.mktmpdir do |dir|
+      command = 'bundle exec ruby -Ilib bin/moose-inventory'
+      result = system(
+        { 'MOOSE_INVENTORY_CMD' => command },
+        'examples/ci/scripts/validate-inventory-snapshot.sh',
+        'examples/ci/inventory/example-snapshot.yml',
+        dir
+      )
+
+      expect(result).to eq(true)
+      expect(File).to exist(File.join(dir, 'doctor.txt'))
+      expect(YAML.safe_load_file(File.join(dir, 'inventory.yml'))).to include('hosts')
+      expect(JSON.parse(File.read(File.join(dir, 'hosts.json')))).to include('web01')
+      expect(JSON.parse(File.read(File.join(dir, 'ansible-inventory.json')))).to include('web')
+    end
+  end
+end

data/spec/lib/moose_inventory/ansible_plugin_examples_spec.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'yaml'
+
+RSpec.describe 'Ansible inventory plugin examples' do
+  it 'ships a plugin, inventory source, and ansible.cfg example' do
+    expect(File).to exist('examples/ansible/inventory_plugins/moose_inventory.py')
+    expect(File).to exist('examples/ansible/inventory/moose_inventory.yml')
+    expect(File).to exist('examples/ansible/ansible.cfg')
+  end
+
+  it 'uses the moose_inventory plugin in the example inventory source' do
+    config = YAML.safe_load_file('examples/ansible/inventory/moose_inventory.yml')
+
+    expect(config).to include(
+      'plugin' => 'moose_inventory',
+      'executable' => 'moose-inventory',
+      'config' => './example.conf',
+      'env' => 'dev'
+    )
+  end
+
+  it 'keeps the plugin source syntax-valid' do
+    result = system('python3', '-m', 'py_compile', 'examples/ansible/inventory_plugins/moose_inventory.py')
+
+    expect(result).to eq(true)
+  end
+end

data/spec/lib/moose_inventory/cli/application_doctor_spec.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+# rubocop:disable Metrics/BlockLength
+require 'spec_helper'
+
+RSpec.describe Moose::Inventory::Cli::Application do
+  before(:all) do
+    setup_cli_harness(command_class: described_class)
+  end
+
+  before(:each) do
+    reset_cli_harness
+  end
+
+  it 'prints a human success report when no issues are found' do
+    web = @db.models[:group].create(name: 'web')
+    host = @db.models[:host].create(name: 'web01')
+    host.add_group(web)
+
+    actual = runner { @app.start(%w[doctor]) }
+
+    expected(actual, aborted: false, STDOUT: "Inventory doctor found no issues.\n", STDERR: '')
+  end
+
+  it 'prints a human report and exits nonzero when issues are found' do
+    @db.models[:group].create(name: 'ungrouped')
+    host = @db.models[:host].create(name: 'lonely')
+    host.add_group(@db.models[:group].find(name: 'ungrouped'))
+
+    actual = runner { @app.start(%w[doctor]) }
+
+    expect(actual[:aborted]).to eq(true)
+    expect(actual[:STDOUT]).to include('Inventory doctor found')
+    expect(actual[:STDOUT]).to include('host_only_in_ungrouped')
+  end
+
+  it 'prints a machine-readable report when requested' do
+    @db.models[:group].create(name: 'ungrouped')
+    host = @db.models[:host].create(name: 'lonely')
+    host.add_group(@db.models[:group].find(name: 'ungrouped'))
+
+    actual = runner { @app.start(%w[doctor --format json]) }
+
+    expect(actual[:aborted]).to eq(true)
+    report = JSON.parse(actual[:STDOUT])
+    expect(report['ok']).to eq(false)
+    expect(report['issues'].map { |issue| issue['id'] }).to include('host_only_in_ungrouped')
+  end
+end
+# rubocop:enable Metrics/BlockLength

data/spec/lib/moose_inventory/cli/application_import_export_spec.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+# rubocop:disable Metrics/BlockLength
+require 'spec_helper'
+require 'tmpdir'
+
+RSpec.describe Moose::Inventory::Cli::Application do
+  before(:all) do
+    setup_cli_harness(command_class: described_class)
+  end
+
+  before(:each) do
+    reset_cli_harness
+  end
+
+  it 'exports the current inventory snapshot as yaml' do
+    runner { @app.start(%w[host add web01]) }
+    runner { @app.start(%w[group add web]) }
+    runner { @app.start(%w[host addgroup web01 web]) }
+
+    actual = runner { @app.start(%w[export]) }
+
+    expect(actual[:unexpected]).to eq(false)
+    expect(actual[:aborted]).to eq(false)
+    expect(actual[:STDERR]).to eq('')
+    snapshot = YAML.safe_load(actual[:STDOUT])
+    expect(snapshot['version']).to eq(1)
+    expect(snapshot.dig('hosts', 'web01', 'groups')).to include('web')
+    expect(snapshot['groups']).to have_key('web')
+  end
+
+  it 'imports a validated inventory snapshot file' do
+    Dir.mktmpdir do |dir|
+      path = File.join(dir, 'inventory.yml')
+      File.write(
+        path,
+        {
+          'version' => 1,
+          'hosts' => { 'web01' => { 'groups' => ['web'], 'tags' => [], 'vars' => { 'env' => 'prod' } } },
+          'groups' => { 'web' => { 'children' => [], 'tags' => [], 'vars' => { 'role' => 'frontend' } } }
+        }.to_yaml
+      )
+
+      actual = runner { @app.start(['import', path]) }
+
+      expect(actual[:unexpected]).to eq(false)
+      expect(actual[:aborted]).to eq(false)
+      expect(actual[:STDERR]).to eq('')
+      expect(actual[:STDOUT]).to include("Imported inventory snapshot from #{path}.")
+      host = @db.models[:host].find(name: 'web01')
+      expect(host.groups_dataset[name: 'web']).not_to be_nil
+      expect(host.hostvars_dataset[name: 'env'][:value]).to eq('prod')
+    end
+  end
+
+  it 'previews an inventory snapshot import without writing' do
+    runner { @app.start(%w[group add web]) }
+
+    Dir.mktmpdir do |dir|
+      path = File.join(dir, 'inventory.yml')
+      File.write(
+        path,
+        {
+          'version' => 1,
+          'hosts' => { 'web01' => { 'groups' => ['web'], 'tags' => [], 'vars' => { 'env' => 'prod' } } },
+          'groups' => { 'web' => { 'children' => [], 'tags' => [], 'vars' => {} } }
+        }.to_yaml
+      )
+
+      actual = runner { @app.start(['import', path, '--preview', '--preview-format', 'json']) }
+
+      expect(actual[:unexpected]).to eq(false)
+      expect(actual[:aborted]).to eq(false)
+      expect(actual[:STDERR]).to eq('')
+      preview = JSON.parse(actual[:STDOUT])
+      expect(preview['schema_version']).to eq('snapshot-import-preview-v1')
+      expect(preview['changes_applied']).to eq(false)
+      expect(preview.dig('summary', 'hosts_created')).to eq(1)
+      expect(preview.dig('creates', 'hosts')).to eq(['web01'])
+      expect(@db.models[:host].find(name: 'web01')).to be_nil
+    end
+  end
+
+  it 'aborts on invalid snapshot input without writing' do
+    Dir.mktmpdir do |dir|
+      path = File.join(dir, 'inventory.yml')
+      File.write(
+        path,
+        { 'version' => 1, 'hosts' => { 'web01' => { 'groups' => ['missing'], 'vars' => {} } }, 'groups' => {} }.to_yaml
+      )
+
+      actual = runner { @app.start(['import', path]) }
+
+      expect(actual[:aborted]).to eq(true)
+      expect(actual[:STDERR]).to include("Invalid inventory snapshot: host 'web01' references unknown group 'missing'.")
+      expect(@db.models[:host].count).to eq(0)
+    end
+  end
+end
+# rubocop:enable Metrics/BlockLength

data/spec/lib/moose_inventory/cli/application_spec.rb

@@ -1,15 +1,25 @@
-# require 'spec_helper'
-#
-# RSpec.describe Moose::Inventory::Cli::Group do
-#  before do
-#    # Set up the configuration object
-#    mockargs = "--format yaml --env testing --config ./test.config"
-#    Moose::Inventory::Config
-#  end
-#
-#  describe ".add" do
-#    it '"add test" should add a group called test' do
-#      expect(["group","add","test").to_eq(2)
-#    end
-#  end
-# end
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Moose::Inventory::Cli::Application do
+  describe 'version' do
+    it 'prints the current Moose Inventory version' do
+      output = capture(:STDOUT) do
+        described_class.start(%w[version])
+      end
+
+      expect(output).to eq("Version #{Moose::Inventory::VERSION}\n")
+    end
+  end
+
+  describe 'subcommands' do
+    it 'registers the group subcommand' do
+      expect(described_class.subcommands).to include('group')
+    end
+
+    it 'registers the host subcommand' do
+      expect(described_class.subcommands).to include('host')
+    end
+  end
+end

data/spec/lib/moose_inventory/cli/audit_spec.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'spec_helper'
+
+# rubocop:disable Metrics/BlockLength
+RSpec.describe Moose::Inventory::Cli::Audit do
+  before(:all) do
+    setup_cli_harness(command_class: Moose::Inventory::Cli::Audit)
+  end
+
+  before(:each) do
+    reset_cli_harness
+  end
+
+  it 'starts with an empty audit log' do
+    actual = runner { @app.start(%w[audit list]) }
+
+    expected(actual, aborted: false, STDOUT: "No audit events recorded.\n", STDERR: '')
+  end
+
+  it 'records successful mutating host commands' do
+    add = runner { @app.start(%w[host add app01]) }
+    expect(add[:unexpected]).to eq(false)
+
+    event = @db.models[:audit_event].last
+    expect(event.command).to eq('host add')
+    expect(event.action).to eq('add')
+    expect(event.entity_type).to eq('host')
+    expect(event.entity_name).to eq('app01')
+    expect(JSON.parse(event.details)).to include('events')
+  end
+
+  it 'does not record dry-run commands' do
+    actual = runner { @app.start(%w[host add --dry-run app01]) }
+    expect(actual[:unexpected]).to eq(false)
+
+    expect(@db.models[:audit_event].count).to eq(0)
+  end
+
+  it 'lists audit events as machine-readable JSON' do
+    runner { @app.start(%w[group add web]) }
+
+    actual = runner { @app.start(%w[audit list --format json]) }
+    parsed = JSON.parse(actual[:STDOUT])
+
+    expect(actual[:unexpected]).to eq(false)
+    expect(parsed.first).to include(
+      'command' => 'group add',
+      'action' => 'add',
+      'entity_type' => 'group',
+      'entity_name' => 'web'
+    )
+  end
+end
+# rubocop:enable Metrics/BlockLength

data/spec/lib/moose_inventory/cli/cli_spec.rb

@@ -1,25 +1,21 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
-RSpec.describe Moose::Inventory::Cli::Application do
-  before do
-    @app = Moose::Inventory::Cli::Application
-  end
+RSpec.describe Moose::Inventory::Cli do
+  describe '.start' do
+    it 'wires config, db, and application explicitly' do
+      args = ['--format', 'yaml']
+      config = instance_double('Config')
+      db = instance_double('DB')
+      application = class_double('Application')
 
-  describe '.version' do
-    # --------------------
-    it 'method should be responsive' do
-      result = @app.instance_methods(false).include?(:version)
-      expect(result).to eq(true)
-    end
+      expect(config).to receive(:init).with(args).ordered
+      expect(db).to receive(:init).ordered
+      expect(config).to receive(:application_args).ordered.and_return(['version'])
+      expect(application).to receive(:start).with(['version']).ordered
 
-    # --------------------
-    #    it 'should output version information' do
-    #      actual = runner { @app.version }
-    #
-    #      desired = {}
-    #      desired[:STDERR] = "Version #{Moose::Inventory::VERSION}"
-    #
-    #      expected(actual, desired)
-    #    end
+      described_class.start(args, config: config, db: db, application: application)
+    end
   end
 end

data/spec/lib/moose_inventory/cli/console_spec.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'stringio'
+
+# rubocop:disable Metrics/BlockLength
+RSpec.describe Moose::Inventory::Cli::Console do
+  before(:all) do
+    setup_cli_harness(command_class: Moose::Inventory::Cli::Application)
+  end
+
+  before(:each) do
+    reset_cli_harness
+  end
+
+  def run_console(input)
+    original_stdin = $stdin
+    $stdin = StringIO.new(input)
+    runner { @app.start(%w[console]) }
+  ensure
+    $stdin = original_stdin
+  end
+
+  it 'prints help and exits' do
+    actual = run_console("help\nquit\n")
+
+    expect(actual[:unexpected]).to eq(false)
+    expect(actual[:STDOUT]).to include('Moose Inventory console (read-only). Type help or quit.')
+    expect(actual[:STDOUT]).to include('- hosts')
+    expect(actual[:STDOUT]).to include('- group NAME')
+    expect(actual[:STDOUT]).to include('Goodbye.')
+  end
+
+  it 'browses hosts, groups, tags, and entity detail without mutating' do
+    runner { @app.start(%w[group add web]) }
+    runner { @app.start(%w[host add web01 --groups web]) }
+    runner { @app.start(%w[host addtag web01 prod]) }
+    before_audit_count = @db.models[:audit_event].count
+
+    actual = run_console("hosts\ngroups\nhost web01\ntags host web01\nquit\n")
+
+    expect(actual[:unexpected]).to eq(false)
+    expect(actual[:STDOUT]).to include('Hosts: web01')
+    expect(actual[:STDOUT]).to include('Groups: web')
+    expect(actual[:STDOUT]).to include('Host: web01')
+    expect(actual[:STDOUT]).to include('Tags: prod')
+    expect(@db.models[:audit_event].count).to eq(before_audit_count)
+  end
+
+  it 'reports unknown and missing entities safely' do
+    actual = run_console("nonsense\nhost missing\nquit\n")
+
+    expect(actual[:unexpected]).to eq(false)
+    expect(actual[:STDOUT]).to include('Unknown command: nonsense')
+    expect(actual[:STDOUT]).to include("Host 'missing' not found.")
+  end
+
+  it 'supports quoted read-only entity names' do
+    group = @db.models[:group].create(name: 'prod group')
+    host = @db.models[:host].create(name: 'web 01')
+    tag = @db.models[:tag].create(name: 'critical host')
+    host.add_group(group)
+    host.add_tag(tag)
+    before_audit_count = @db.models[:audit_event].count
+
+    actual = run_console("host \"web 01\"\ntags host \"web 01\"\ngroup 'prod group'\nquit\n")
+
+    expect(actual[:unexpected]).to eq(false)
+    expect(actual[:STDOUT]).to include('Host: web 01')
+    expect(actual[:STDOUT]).to include('Groups: prod group')
+    expect(actual[:STDOUT]).to include('critical host')
+    expect(actual[:STDOUT]).to include('Group: prod group')
+    expect(actual[:STDOUT]).to include('Hosts: web 01')
+    expect(@db.models[:audit_event].count).to eq(before_audit_count)
+  end
+
+  it 'reports command-specific usage for extra or invalid arguments' do
+    actual = run_console("host one two\ntags host\naudit nope\naudit 0\nhelp extra\nquit\n")
+
+    expect(actual[:unexpected]).to eq(false)
+    expect(actual[:STDOUT]).to include('Usage: host NAME')
+    expect(actual[:STDOUT]).to include('Usage: tags host|group NAME')
+    expect(actual[:STDOUT].scan('Usage: audit [LIMIT]').length).to eq(2)
+    expect(actual[:STDOUT]).to include('Usage: help')
+  end
+
+  it 'reports unclosed quoted input without leaving read-only mode' do
+    before_audit_count = @db.models[:audit_event].count
+
+    actual = run_console("host \"unterminated\nquit\n")
+
+    expect(actual[:unexpected]).to eq(false)
+    expect(actual[:STDOUT]).to include('Invalid command syntax:')
+    expect(actual[:STDOUT]).to include('Goodbye.')
+    expect(@db.models[:audit_event].count).to eq(before_audit_count)
+  end
+end
+# rubocop:enable Metrics/BlockLength