moose-inventory 2.0 → 2.1

data/BACKLOG.md

@@ -1,21 +1,391 @@
+# Moose Inventory Process Conformance Backlog
+
+Process conformance status counts: 16 done / 0 open.
+
+## Open
+
+_No open process conformance items._
+
+## Done
+
+1. Approve the package maintenance and AI-agent operation-boundary baseline.
+   - Russ approved `docs/maintenance/package-maintenance-and-agent-boundaries.md` as the package maintenance and AI-agent operation-boundary baseline on 2026-05-29.
+   - Recorded approval as `GOV-MAINT-001` in `docs/governance/approval-register.md`.
+   - Approval covers routine package-maintenance process, release-readiness stewardship, and AI-agent boundaries only.
+   - Approval does not approve publishing, yanking/deprecating RubyGems versions, changing GitHub/RubyGems settings, accepting risk, public/compliance claims, external disclosures, or future RubyGems publishing.
+
+1. Add package maintenance runbook and AI-agent operation boundaries.
+   - Added `docs/maintenance/package-maintenance-and-agent-boundaries.md` with routine maintenance cadence, standard maintenance workflow, dependency/Ruby/CI action update runbooks, vulnerability triage, GitHub/RubyGems release-infrastructure stewardship, release recovery, AI-agent permitted actions, approval-required actions, no-go zones, report template, and current operational follow-ups.
+   - Linked the maintenance runbook from release-readiness and publishing docs.
+   - Process conformance backlog is now fully burned down; follow-up implementation work remains in the architecture, UX, and code-improvement backlog sections.
+
+1. Add QA, documentation QA, and release gate templates.
+   - Added `docs/qa/qa-documentation-and-release-gates.md` with reusable QA, documentation-QA, release-readiness, release-security, accepted-risk disposition, yank/deprecation/rollback, and post-release review templates.
+   - Mapped `scripts/check.sh` gate steps to requirement/release criteria and release interpretation.
+   - Updated `docs/release/release-readiness.md` to include the full current gate including RuboCop, secret scan, and required-security-tools release invocation.
+   - Updated `docs/release/publishing.md` to require the security-tools gate and QA/release templates during trusted-publishing releases.
+
+1. Approve the accepted-risk register baseline.
+   - Russ approved `docs/security/accepted-risk-register.md` as the maintained accepted-risk register baseline on 2026-05-29.
+   - Recorded approval as `GOV-RISK-REG-001` in `docs/governance/approval-register.md`.
+   - Approval covers the risk-register document, structure, rules, review cadence, and current proposed/monitored-risk evidence.
+   - Approval does not accept any proposed/monitored risk; current accepted-risk register still records no approved accepted risks.
+
+1. Review and approve, revise, or reject the draft security and privacy process baseline.
+   - Russ approved `docs/security/security-privacy-process.md` as the security and privacy process baseline on 2026-05-29.
+   - Recorded approval as `GOV-SEC-001` in `docs/governance/approval-register.md`.
+   - Approval includes the accepted-risk register structure/evidence location, but does not approve any proposed/monitored accepted risk.
+   - Current accepted-risk register still records no approved accepted risks.
+   - Approval does not approve release, public/compliance claims, future RubyGems publishing, or hosted-service operation.
+
+1. Add maintained security/privacy process docs.
+   - Added `docs/security/security-privacy-process.md` as a draft security and privacy process baseline.
+   - Covered data classification and flows for local DB/config/audit logs/snapshots/artifacts, threat and abuse cases, authentication/access boundaries, secrets handling, logging/audit expectations, privacy posture, vulnerability intake/security patch policy, security acceptance criteria, current limitations, and review cadence.
+   - Added `docs/security/accepted-risk-register.md` with no currently approved accepted risks, monitored/proposed risks for GitHub secret-scanning limitation, signed provenance hardening, vulnerability intake formality, and destructive-command confirmation.
+   - Recorded pending approval as `GOV-SEC-001`; the security/privacy baseline and accepted risks remain draft/unapproved until explicitly approved.
+
+1. Review and approve, revise, or reject the draft architecture and trust-boundary baseline.
+   - Russ approved `docs/architecture/architecture-and-trust-boundaries.md` as the architecture and trust-boundary baseline on 2026-05-28.
+   - Recorded approval as `GOV-ARCH-001` in `docs/governance/approval-register.md`.
+   - Approval covers architecture and trust boundaries only; security/privacy design, release, accepted risk, public/compliance claims, future RubyGems publishing, architecture follow-up implementation, and repository/package account-management design remain separate/non-approved scopes.
+
+1. Add architecture and trust-boundary documentation.
+   - Added `docs/architecture/architecture-and-trust-boundaries.md` as a draft architecture and trust-boundary baseline.
+   - Covered high-level architecture, CLI/config/operation/DB/release layers, runtime data model, trust boundaries, data flows, maintainer ownership boundaries, architecture decisions, and open architecture questions.
+   - Recorded pending approval as `GOV-ARCH-001`; the baseline remains draft until explicitly approved, revised, or rejected.
+
+1. Review and approve, revise, or reject the draft CLI UX/workflow baseline.
+   - Russ approved `docs/ux/cli-workflow-notes.md` as the CLI UX/workflow baseline on 2026-05-28.
+   - Recorded approval as `GOV-UX-001` in `docs/governance/approval-register.md`.
+   - Approval covers command-line workflows and interaction conventions only; architecture, security/privacy design, release, accepted risk, public/compliance claims, future RubyGems publishing, and implementation of UX follow-up backlog items still require separate work/approval where applicable.
+
+1. Add lightweight CLI UX/workflow notes.
+   - Added `docs/ux/cli-workflow-notes.md` as a draft CLI UX/workflow baseline.
+   - Covered user personas, core workflows, destructive/high-risk operations, dry-run/trust behavior, doctor/import/export/audit flows, machine-readable output conventions, error states, accessibility/readability expectations, compatibility conventions, UX acceptance checklist, and open UX questions.
+   - Recorded pending approval as `GOV-UX-001`; the baseline remains draft until explicitly approved, revised, or rejected.
+
+1. Review and approve, revise, or reject the draft requirements and acceptance criteria baseline.
+   - Russ approved `docs/product/requirements-baseline.md` as the requirements and acceptance criteria baseline on 2026-05-28.
+   - Recorded approval as `GOV-REQ-001` in `docs/governance/approval-register.md`.
+   - Approval covers the requirements baseline only; CLI UX, architecture, security/privacy design, release, accepted risk, public/compliance claims, future RubyGems publishing, and open requirements questions still require separate decisions where applicable.
+
+1. Create requirements and acceptance criteria baseline.
+   - Added `docs/product/requirements-baseline.md` as a draft requirements and acceptance criteria baseline.
+   - Covered CLI behavior, configuration/environment selection, DB adapters/lifecycle/schema migrations, inventory mutations, dry-run/plan output, snapshots, doctor, audit log, tags, Ansible integration, CI examples, release/package integrity, security/privacy expectations, compatibility, documentation, and release acceptance.
+   - Recorded pending approval as `GOV-REQ-001`; the baseline remains draft until explicitly approved, revised, or rejected.
+
+1. Review and approve, revise, or reject the draft product brief.
+   - Russ approved `docs/product/product-brief.md` as the product-framing baseline on 2026-05-28.
+   - Recorded approval as `GOV-PRODUCT-001` in `docs/governance/approval-register.md`.
+   - Approval covers product framing only; detailed requirements, CLI UX, architecture, security/privacy design, release, accepted risk, public/compliance claims, and future RubyGems publishing still require separate approval.
+
+1. Create a product brief / framing baseline.
+   - Added `docs/product/product-brief.md` as a draft product-framing baseline.
+   - Covered target users, user problems, use cases, product goals, non-goals, security-sensitive inventory/Ansible implications, compatibility expectations, assumptions, success criteria, and open product questions.
+   - Recorded pending approval as `GOV-PRODUCT-001`; the brief remains draft until explicitly approved, revised, or rejected.
+
+1. Record and approve or revise the process tailoring decision.
+   - Russ approved the target class/profile as Class 4 with target profile Software Library / Package on 2026-05-28.
+   - Recorded approval in `docs/governance/approval-register.md` as `GOV-TAILOR-001` with explicit scope limits.
+   - Approval covers project class and target profile only; it does not approve product brief, requirements, CLI UX, architecture, security/privacy design, release, accepted risk, public/compliance claims, or future RubyGems publishing.
+
+1. Re-read updated `SOFTWARE_PRODUCT_DEVELOPMENT_PROCESS.md`, perform a repository gap analysis, and propose a conformance plan.
+   - Compared Moose Inventory against updated process/tailoring/governance plus requirements, architecture, security, QA, release, operations, and documentation guidance.
+   - Added `docs/process/conformance-gap-analysis-2026-05-28.md` with current evidence, approval-vs-document distinctions, recommended Class 4 + Software Library / Package tailoring, gaps, and remediation phases.
+   - Added `docs/governance/approval-register.md` seeded with pending tailoring approval and explicit approval rules.
+   - Added follow-up backlog items for tailoring approval, product/requirements/UX/architecture/security/QA/release/maintenance/agent-boundary remediation.
+
+---
+
+# Moose Inventory Architecture Follow-up Backlog
+
+Architecture follow-up status counts: 4 done / 1 open.
+
+## Open
+
+1. Verify GitHub `release` environment custom `v*` policy behavior on the next real release.
+   - GitHub accepted a custom deployment policy named `v*`, but the API reports the policy object as `type: branch`.
+   - On the next intentional `v*` tag release, verify that the release job can deploy to the `release` environment after required approval.
+   - If GitHub treats the policy as branch-only and blocks tag deployments, adjust the environment policy or document the limitation and rely on the workflow trigger plus tag/version check for tag control.
+
+## Done
+
+1. Expand user database backup/restore guidance beyond SQLite.
+   - Added `docs/maintenance/database-backup-restore-guidance.md` documenting SQLite, MySQL/MariaDB, and PostgreSQL backup/restore boundaries.
+   - Clarified that Moose Inventory can inspect status, run migrations, run doctor checks, back up SQLite files, and export snapshots, but does not run server-backed dump/restore commands, manage grants/users, or implement destructive restore/sync semantics.
+   - Documented native-tool guidance for `mysqldump`/`mariadb-dump`, `pg_dump`/`pg_restore`, managed-service snapshots, disposable restore verification, and explicit approval boundaries for destructive or credentialed restore work.
+   - Updated README, requirements, architecture, and security/privacy process evidence.
+
+1. Evaluate signed package provenance as future hardening.
+   - Added `docs/release/package-provenance-hardening.md` evaluating checksums, GitHub artifact attestations, Sigstore/cosign-style signatures, RubyGems certificate signing, and SBOM publication.
+   - Kept RubyGems trusted publishing/OIDC as the current architectural baseline and release requirement.
+   - Documented that additional provenance is not a current release blocker and should be revisited only if consumers, release policy, or supply-chain requirements justify it.
+   - Preferred future first step, if needed: GitHub artifact attestation plus a published SHA-256 checksum for the exact built `.gem`.
+
+1. Configure GitHub `release` environment protection rules.
+   - Configured required deployment reviewer `RusDavies` for the `release` environment.
+   - Disabled self-review prevention because OpenClaw/automation pushes use Russ's GitHub account, and `RusDavies` is currently the only required reviewer.
+   - Disabled admin bypass for the `release` environment.
+   - Enabled custom deployment policies and added policy name `v*`.
+   - Updated release, architecture, accepted-risk, and backlog evidence to reflect configured protections and residual next-release verification.
+
+1. Document confirmed GitHub release environment protection rules.
+   - Confirmed via `gh api repos/RusDavies/moose-inventory/environments/release --jq '.'` on 2026-05-29.
+   - Added `docs/release/release-environment-protection.md` documenting current `release` environment settings.
+   - Current GitHub `release` environment has no required deployment reviewers, no wait timer, and no deployment branch/tag policy; admin bypass is enabled.
+   - Updated publishing, release-readiness, architecture, and accepted-risk evidence to reflect the confirmed state.
+   - Added follow-up backlog item to decide whether to add release environment protection rules before relying on environment protection as a release control.
+
+---
+
+# Moose Inventory UX Implementation Backlog
+
+UX implementation status counts: 4 done / 0 open.
+
+## Open
+
+_No open UX implementation items._
+
+## Done
+
+1. Add snapshot import preview/diff mode.
+   - Added `import FILE --preview` for non-mutating validated snapshot import previews.
+   - Added `--preview-format yaml|json|pjson` machine-readable output using `snapshot-import-preview-v1`.
+   - Preview reports creates, variable updates, association additions, unchanged items, ignored existing records absent from the snapshot, and destructive-change count while preserving additive import semantics.
+   - Added operation and CLI coverage, plus README, requirements, and UX notes.
+
+
+1. Define and document output compatibility versioning.
+   - Added `docs/compatibility/cli-output-compatibility.md` defining the `CLI-OUTPUT-v1` baseline for Moose Inventory 2.x.
+   - Documented that compatibility version identifiers live in the policy document, release notes/release evidence, and backlog/approval evidence for breaking changes rather than retrofitting existing JSON/YAML shapes.
+   - Updated requirements, UX notes, and README so machine-readable and protected human-readable output changes require compatibility review, tests, docs, and release notes when breaking.
+
+1. Add explicit confirmation for destructive commands.
+   - Added `--yes` acknowledgement gates for destructive removal commands while preserving `--dry-run` preview without confirmation.
+   - Covered host/group deletion, variable removal, host/group association removal, child-group dissociation, and host/group tag removal paths.
+   - Kept validation/error paths ahead of writes and documented confirmation behavior in README and UX workflow notes.
+
+1. Prioritize read-only console quoted-name parsing and richer validation.
+   - Replaced whitespace splitting with `Shellwords.split` so quoted host/group names work in the read-only console.
+   - Added command-specific usage validation for extra arguments, invalid tag commands, invalid audit limits, and malformed quotes.
+   - Added regression coverage for quoted names and validation behavior while preserving the console's read-only boundary.
+
+
+---
+
+# Moose Inventory Code Improvement Analysis Backlog
+
+Code improvement analysis status counts: 10 done / 0 open.
+
+## Open
+
+_No open code-improvement-analysis items._
+
+## Done
+
+1. Keep generated coverage reports out of source-oriented scans and commits.
+   - Added `scripts/ci/check_generated_artifacts.sh` to fail if generated/local paths are tracked or no longer ignored.
+   - Wired the guard into `./scripts/check.sh` after tests create coverage output and before source/security/package checks.
+   - Kept `spec/reports`, `coverage`, `tmp`, `pkg`, and `.openclaw-security-audit` out of source/package review by ignore and tracking checks.
+   - Documented the new gate in README, release-readiness, QA, and requirements docs.
+
+1. Normalize tag casing consistently across snapshot import and CLI tag commands.
+   - Confirmed tags are case-insensitive operational metadata.
+   - Centralized tag normalization through `InventoryContext`: lowercase, strip surrounding whitespace, reject empty values, and deduplicate.
+   - Applied the same rule to CLI tag commands and snapshot import validation/application.
+   - Documented the normalization rule in README and product requirements.
+   - Added regression coverage for mixed-case CLI tags and mixed-case snapshot-import tags.
+
+1. Improve read-only console parsing and validation.
+   - Replaced blunt whitespace splitting with `Shellwords.split` for shell-style quoted names.
+   - Added command-specific usage validation for `help`, `hosts`, `groups`, `host`, `group`, `tags`, and `audit` commands.
+   - Invalid audit limits now report usage instead of silently defaulting to 10.
+   - Malformed quoted input is reported safely and the console remains read-only.
+   - Added regression coverage for quoted host/group names, invalid arguments, invalid audit limits, malformed quotes, and no audit mutation.
+
+1. Push host list filters into database-backed queries when inventory size justifies it.
+   - Reworked `HostQueries#list_hosts` to build a filtered Sequel dataset instead of loading every host and checking group/tag/variable filters in Ruby.
+   - Added `InventoryContext#hosts_dataset`, `#db_dataset`, and `#find_tag` as narrow DB-backed query seams.
+   - Preserved AND-style filter behavior for multiple groups/tags/variables, missing-filter empty results, insertion-order output, and existing CLI output shape.
+   - Added regression coverage proving filtered host listing does not call `all_hosts`, handles missing group/tag filters, and treats multiple group filters as AND predicates.
+
+1. Refactor inventory snapshot import into validation and application components.
+   - Extracted `InventorySnapshotValidator` for normalization, shape checks, reference validation, duplicate normalized-key detection, whitespace-only entity/variable name rejection, and group-cycle detection.
+   - Extracted `InventorySnapshotApplier` for additive entity creation, variable create/update behavior, tag joins, group-child joins, and host-group joins.
+   - Reduced `ImportInventorySnapshot` to orchestration: validate first, then apply inside the existing transaction.
+   - Added regression coverage for whitespace-only names and duplicate normalized keys before any DB writes.
+
+1. Split DB connection, schema, migration, lifecycle, and retry responsibilities out of `Moose::Inventory::DB`.
+   - Extracted schema definitions, ordered migration metadata, index definitions, migration execution, schema version recording, future-schema refusal, duplicate cleanup, index creation, and table creation helpers into `Moose::Inventory::DB::SchemaMigrations`.
+   - Kept public DB constants and methods available through `Moose::Inventory::DB` for existing callers and specs.
+   - Left connection setup, retry handling, model binding, reset/purge, backup, and adapter lifecycle in `db.rb` for later smaller splits.
+   - Added regression coverage proving DB-level schema constants expose the extracted module definitions.
+
+1. Add database uniqueness constraints and indexes for relationship and variable tables.
+   - Bumped schema to version 4 and added an ordered v4 migration for uniqueness and lookup indexes.
+   - Added DB-level unique indexes for per-owner host/group variables, host-group joins, group-child joins, host-tag joins, and group-tag joins.
+   - Added reverse lookup indexes for association/tag query paths.
+   - Added migration cleanup for exact duplicate join/variable rows and a clear refusal path for conflicting duplicate variable values.
+   - Added specs for v4 indexes, uniqueness enforcement, duplicate cleanup, and conflicting duplicate refusal.
+
+1. Replace version bumping with explicit ordered migrations.
+   - Added `SCHEMA_MIGRATIONS` with ordered migration versions 1, 2, and 3.
+   - Version 1 creates core inventory tables plus `schema_info`, version 2 creates `audit_events`, and version 3 creates tag metadata tables.
+   - Replaced startup/reset/`db migrate` schema bootstrapping with `migrate_schema!`, which applies migration steps in version order and records each completed schema version.
+   - Preserved additive compatibility by creating missing tables for an already-recorded migration version while retaining future-schema refusal.
+   - Added specs proving migration version order and documented the migration chain in README.md.
+
+1. Add regression coverage for existing-database upgrade behavior.
+   - Added SQLite fixture coverage for pre-`schema_info`, schema version 1, schema version 2, current schema, future schema, and dirty/partial schema states.
+   - Proved old additive schemas are brought to the current schema version while known tables are created.
+   - Added future-schema guards so startup and `db migrate` refuse databases newer than the supported schema version instead of downgrading `schema_info` by accident.
+   - Added `db doctor` coverage for dirty partial schemas with missing known tables and documented future-schema refusal / dirty-schema diagnosis in README.md.
+
+1. Replace the hand-maintained RuboCop file list with dynamic Ruby file discovery.
+   - Replaced the explicit RuboCop file list with repository-rooted discovery for `bin/*`, `lib/**/*.rb`, `scripts/**/*.rb`, `spec/**/*.rb`, root gemspecs, `Gemfile`, and `Rakefile`.
+   - Pruned generated coverage reports under `spec/reports` from source-oriented lint discovery.
+   - Verified the dynamic gate still inspects 129 files and reports no offenses.
+
+---
+
+# Moose Inventory Feature Value Backlog
+
+Feature value status counts: 12 done / 0 open.
+
+## Open
+
+_No open feature-value items._
+
+## Done
+
+1. Add CI/CD integration examples.
+   - Added `examples/ci/inventory/example-snapshot.yml`, `examples/ci/scripts/validate-inventory-snapshot.sh`, and `examples/ci/github-actions/inventory-review.yml`.
+   - The validation script imports a proposed snapshot into a temporary SQLite database, runs `doctor`, exports a canonical snapshot, lists hosts, and emits an Ansible-compatible inventory artifact.
+   - Added `examples/ci/README.md` and README.md documentation for adapting the pattern safely before enabling it in CI.
+   - Added specs that parse the examples, syntax-check the script, and run it against the sample snapshot without production credentials.
+
+1. Add a human-friendly interactive shell or TUI.
+   - Added `console`, a small read-only interactive browsing shell.
+   - Console commands include `help`, `hosts`, `groups`, `host NAME`, `group NAME`, `tags host NAME`, `tags group NAME`, `audit [LIMIT]`, and `quit`/`exit`.
+   - The console intentionally avoids mutation in this slice; future guided edits should preserve confirmation, dry-run, and audit semantics.
+   - Documented console behavior in README.md.
+
+1. Add query/filter support for inventory listing.
+   - Added `host list --group`, `host list --tag`, and `host list --var key=value` filters.
+   - Filters are AND-style and support comma-separated group, tag, and variable filters.
+   - Host list output now includes `tags` only when present, preserving compact output for untagged hosts.
+   - Group-side relationship/parent-child filters remain future expansion if needed.
+   - Documented host-list query filters in README.md.
+
+1. Add tagging / metadata support for hosts and groups.
+   - Added portable `tags`, `hosts_tags`, and `groups_tags` tables and schema version bump to 3.
+   - Added `host addtag`, `host rmtag`, `host listtags`, `group addtag`, `group rmtag`, and `group listtags`.
+   - Tag names are normalized to lowercase and deduplicated per host/group.
+   - Snapshot import/export now includes host/group tags.
+   - Tag add/remove changes are audited.
+   - Filtering by tag remains in the query/filter backlog item.
+
+1. Add audit log / change history.
+   - Added append-only `audit_events` table and schema version bump to 2.
+   - Recorded successful mutating host/group/import commands with actor, command, action, entity type/name, and structured operation details.
+   - Added `audit list` with human-readable and yaml/json/pjson output.
+   - Dry-run commands are intentionally not recorded because they do not mutate inventory state.
+   - Documented audit behavior in README.md.
+
+1. Add schema/versioned migrations and database lifecycle commands.
+   - Added schema metadata table with current schema version tracking.
+   - Added `db status`, `db doctor`, `db migrate`, and SQLite-only `db backup FILE`.
+   - Documented current migration/recovery expectations and explicit SQLite-vs-MySQL/PostgreSQL backup behavior in README.md.
+   - Left destructive restore semantics out of this slice pending a safer design.
+
+1. Add first-class Ansible inventory plugin mode.
+   - Added `examples/ansible/inventory_plugins/moose_inventory.py` as a modern Ansible inventory plugin that shells out to `moose-inventory` for group and host data.
+   - Added example `examples/ansible/ansible.cfg` and `examples/ansible/inventory/moose_inventory.yml`.
+   - Preserved existing CLI/shim inventory behavior and documented both the plugin path and legacy shim path in README.md.
+
+1. [HIGH] Add inventory doctor/lint checks.
+   - Added top-level `doctor` command with human-readable default output and non-zero exit status when findings are present.
+   - Added `doctor --format yaml|json|pjson` for CI-friendly machine-readable reports.
+   - Checks cover missing DB config, plaintext DB passwords, hosts only in `ungrouped`, orphaned groups, empty groups, duplicate-ish names, invalid variable records, and circular child-group relationships.
+   - Documented the new command in README.md per the project documentation rule.
+
+1. [HIGH] Add bulk import/export with validation.
+   - Added top-level `export [FILE]` for canonical YAML/JSON/pjson snapshots containing version, hosts, host variables, memberships, groups, group variables, and child relationships.
+   - Added top-level `import FILE` for additive/update-oriented YAML or JSON snapshot import.
+   - Import validates structure, references, variable maps, unsupported fields, and circular child-group relationships before writing.
+   - Documented the new commands in README.md per the project documentation rule.
+
+1. [HIGH] Document new dry-run and machine-readable plan features in README.md.
+   - Added README coverage for `--dry-run` across mutating command families, including host/group lifecycle commands, variables, host-group associations, and child-group relationships.
+   - Documented `--plan-format yaml|json|pjson`, the `--dry-run` requirement, and the structured event output shape.
+   - Kept examples in the existing README style with copy/paste-friendly command blocks.
+
+1. [HIGH] Add machine-readable plan output and/or a dedicated `plan` command.
+   - Added `--plan-format yaml|json|pjson` support to all dry-run mutating command families so operators can emit structured dry-run event plans for CI/review automation.
+   - Machine-readable plan output is pure serialized output with command name, `dry_run`, `changes_applied: false`, and ordered event records.
+   - Guarded `--plan-format` so it aborts before writes unless `--dry-run` is present.
+   - Chose the lower-friction `--plan-format` path instead of adding a separate top-level `plan` command for now.
+
+1. [HIGH] Add inventory dry-run / plan mode.
+   - Added `--dry-run` support for all mutating command families: host/group add/remove, host-group association add/remove, child-group relation add/remove, and host/group variable add/remove.
+   - Dry-run output preserves existing command progress rendering and adds `Dry run complete. No changes applied.`
+   - Focused operation and CLI specs prove dry-run does not create, update, delete, or reassociate records, including automatic `ungrouped` maintenance and recursive orphan cleanup paths.
+   - Remaining follow-up was split into a separate high-priority machine-readable plan output / dedicated `plan` command item.
+
+---
+
 # Moose Inventory Release Readiness Backlog
 
-Release readiness status counts: 12 done / 1 open.
+Release readiness status counts: 14 done / 0 open.
 
 ## Open
 
-1. Verify RubyGems trusted publishing with the next real release tag.
-   - RubyGems trusted publisher is configured for repository `RusDavies/moose-inventory`, workflow `release.yml`, and environment `release`.
-   - Verify the full trusted-publishing path when publishing the next real version tag.
-   - Do not retag already-published `v1.0.9`.
+_No open release-readiness items._
 
 ## Done
 
+1. Clean `group_add_spec.rb` RuboCop hygiene.
+   - Normalized the large group add CLI spec for frozen string literals, literal style, Thor member checks, legacy line continuations, interpolation style, redundant assignments, and scoped block-length handling.
+   - Preserved spec-sensitive command output exactly, including the known `Succeeded` punctuation split and trace fixture behavior.
+   - Added the cleaned spec to `scripts/ci/check_rubocop.sh`.
+
+1. Clean `host_add_spec.rb` RuboCop hygiene.
+   - Normalized the large host add CLI spec for frozen string literals, literal style, Thor member checks, legacy line continuations, interpolation style, spacing, and scoped block-length handling.
+   - Preserved spec-sensitive command output exactly, especially warning/success summary formatting.
+   - Added the cleaned spec to `scripts/ci/check_rubocop.sh`.
+
+1. Clean `group_rm_spec.rb` RuboCop hygiene.
+   - Normalized the group remove CLI spec for frozen string literals, literal style, Thor member checks, legacy line continuations, interpolation style, and scoped block-length handling.
+   - Preserved spec-sensitive command output exactly, including warning/success punctuation.
+   - Added the cleaned spec to `scripts/ci/check_rubocop.sh`.
+
+1. Clean `host_rmgroup_spec.rb` RuboCop hygiene.
+   - Normalized the host remove-group CLI spec for frozen string literals, literal style, Thor member checks, stale line-length directives, escaped strings, redundant assignments, and continuation formatting.
+   - Preserved spec-sensitive command output exactly while adding scoped block-length disables around the legacy command-spec structure.
+   - Added the cleaned spec to `scripts/ci/check_rubocop.sh`.
+
+1. Clean `host_addgroup_spec.rb` RuboCop hygiene.
+   - Normalized the host add-group CLI spec for frozen string literals, literal style, Thor member checks, stale line-length directives, escaped strings, and continuation formatting.
+   - Preserved spec-sensitive command output exactly while adding scoped block-length disables around the legacy command-spec structure.
+   - Added the cleaned spec to `scripts/ci/check_rubocop.sh`.
+
+1. Stop `release.yml` from reporting failure when RubyGems full-index propagation lags after a successful publish.
+   - Release tag `v2.0` verified RubyGems trusted publishing end-to-end: RubyGems registered `moose-inventory` `2.0`, remote install worked, and the workflow used OIDC/trusted publishing.
+   - `rubygems/release-gem@v1` defaulted `await-release: true`, and its `rubygems-await` post-publish wait timed out on the RubyGems full index even though the gem was already published and installable.
+   - Set `await-release: false` in `.github/workflows/release.yml` so future successful publishes do not surface as failed releases because of RubyGems full-index propagation lag.
+   - Direct RubyGems verification remains documented in `docs/release/publishing.md`.
+
 1. Align release workflow with required CI security tooling.
    - Security audit rerun found that `.github/workflows/release.yml` ran `./scripts/check.sh` without installing or requiring the dedicated security tools, meaning tag-based releases could skip `gitleaks`/`osv-scanner` enforcement if those tools were absent.
    - Added Go setup with cache disabled, installed pinned security tools through `scripts/ci/install_security_tools.sh`, required `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1` during the release check gate, and added the same native-dependency timeout used by CI.
    - Documented the rerun in `docs/security-audit-2026-05-26-rerun.md`; final trusted-publishing proof remains gated on the next real release tag.
 
+1. Verify RubyGems trusted publishing with the next real release tag.
+   - Published `moose-inventory` `2.0` from tag `v2.0` through GitHub Actions trusted publishing/OIDC.
+   - Release workflow initially failed because the repo lacked a `rake release` task; fixed by adding `require 'bundler/gem_tasks'` to `Rakefile`, then re-pointed `v2.0` to the corrected commit because the first tag attempt had not published a gem.
+   - Verified the published gem directly with `gem info moose-inventory --remote --all`, `gem install moose-inventory -v 2.0 --install-dir tmp/release-smoke --no-document`, and `moose-inventory --config spec/config/config.yml version` returning `Version 2.0`.
+   - Remaining workflow false-negative is tracked as a separate open release-readiness item.
+
 1. Add manual GitHub Actions CI trigger and harden CI runner setup.
    - Added `workflow_dispatch` to `.github/workflows/ci.yml` so CI can be manually triggered when push events fail to enqueue during a GitHub Actions incident.
    - Verified both push-triggered CI and manual `workflow_dispatch` CI runs succeeded on `master`.
@@ -225,15 +595,267 @@ _No open modernization items._
 
 # Moose Inventory Code Quality Backlog
 
-Code quality status counts: 10 done / 0 open.
+Code quality status counts: 66 done / 0 open.
 
 ## Open
 
-_No open code quality items._
-
+_No open code-quality items._
 
 ## Done
 
+1. Add focused specs for `OperationEventSupport` result defaults and event construction.
+   - Added direct unit coverage for default empty event payloads, explicit payload preservation, event emission, default `warning_count: 0`, and explicit warning counts.
+   - Added the new helper spec to the targeted RuboCop gate.
+
+1. Split `Host#render_add_hosts_event` into smaller rendering helpers.
+   - Replaced the single complex case statement with an event-to-renderer dispatch table and small private rendering methods.
+   - Removed the scoped `Metrics/CyclomaticComplexity` disable while preserving existing add-host output strings.
+
+1. Extract shared Ansible single-target `listvars` argument handling.
+   - Added `ListvarsSupport` for shared listvars argument validation and Ansible missing-entity warnings.
+   - Refactored `host listvars` and `group listvars` to use the shared helper while preserving the existing host/group warning text and newline contracts.
+
+1. Align `host addgroup` and `host rmgroup` with shared relation transaction helpers.
+   - Added `RelationTransactionSupport` for shared host/group relation transaction wrappers and existing-entity fetch helpers.
+   - Refactored `host addgroup` and `host rmgroup` toward the same operation/result flow as `group addhost` / `group rmhost`, while preserving existing output strings and warning summaries.
+
+1. Extract a small shared operation event emitter/result helper.
+   - Added `OperationEventSupport` for shared structured event/result construction and array event emission.
+   - Refactored operation classes and variable-operation support to use the shared helper without changing CLI rendering or event payload contracts.
+
+1. Clarify the empty-hosts shape for `group get` output.
+   - Kept the existing default output contract: `group get` omits empty relationship collections such as `hosts: []` for compact human/data output.
+   - Documented the distinction from Ansible group listing, where `hosts: []` remains explicit for inventory consumers, and added focused query coverage for the omitted-empty-collections shape.
+
+1. Resolve the missing-parent behavior question for `group addchild`.
+   - Kept the existing contract: `group addchild PARENT CHILD` requires the parent group to already exist, while missing child groups may be auto-created.
+   - Replaced the stale TODO with a contract note and asserted that missing-parent aborts do not create either parent or child groups.
+
+1. Audit the `host rm` Moose-exception rescue branch.
+   - Confirmed the branch was stale defensive code; `RemoveHosts` does not raise Moose DB exceptions directly and DB transaction handling owns Moose-exception rollback/abort behavior centrally.
+   - Removed the unreachable command-level rescue so `host_rm.rb` no longer carries an untestable abort path.
+
+1. Clean the duplicated `## Open` heading drift in `BACKLOG.md`.
+   - Reconciled the code-quality backlog open section now that it has no remaining active items.
+   - Preserved the backlog section structure and moved the cleanup item to done.
+
+1. Add focused helper-branch coverage in `lib/moose_inventory/db/db.rb`.
+   - Covered busy vs non-busy transaction retry branches, the busy-error helper, and the non-sqlite purge/drop-table path.
+   - Kept behavior unchanged and re-ran the focused DB slice plus the full gate.
+
+1. Add direct Ansible missing-entity coverage for `host listvars` and `group listvars`.
+   - Covered the warning branches for nonexistent host/group lookups in Ansible mode.
+   - Kept the slice test-only and re-ran the full gate.
+
+1. Cover `group addchild` duplicate-association warning/rendering path.
+   - Added direct CLI coverage for the duplicate child-association branch in `ChildRelationRendering`.
+   - The new spec exposed and fixed a real rendering typo: an extra `}` in the duplicate-association warning.
+   - Re-ran the focused spec slice and the full gate.
+
+1. Extract a tiny shared operations event helper/base for repeated event plumbing.
+   - Added `EntityVariableOperationSupport` as a bounded shared helper for the variable-operation family, consolidating shared entity lookup, missing-entity errors, and event emission plumbing.
+   - Refactored `AddVariables` and `RemoveVariables` to use the shared support without changing their emitted event contract.
+   - Added focused operation coverage for shared missing-entity and unsupported-entity-type behavior, then re-ran the targeted/full gates.
+
+1. Remove stale CLI spec TODO noise around Thor responder comments.
+   - Deleted the repeated obsolete comments about `respond_to?` on Thor objects now that the spec pattern is established.
+   - Kept the remaining behavior-question TODO comments intact.
+   - Re-ran the targeted/full gates.
+
+1. Narrow production `rescue Exception` handling in `lib/moose_inventory/db/db.rb`.
+   - Replaced the broad catch-all with `StandardError` handling so fatal control-flow exceptions are not swallowed.
+   - Added focused DB transaction specs covering generic StandardError re-raise behavior and non-StandardError passthrough.
+   - Re-ran the focused DB slice and the full gate.
+
+1. Add direct `Cli::Helpers` coverage for helper-only branches.
+   - Covered `run_group_relation_transaction` rescue handling, automatic-group helper methods, `association_exists?`, and small wrapper helpers, raising `lib/moose_inventory/cli/helpers.rb` to 100% coverage.
+   - Kept the slice test-only and added a dedicated `helpers_spec` to the targeted RuboCop gate.
+   - Re-ran the focused helper spec slice and the full gate.
+
+1. Harden config flag parsing for missing option values.
+   - Made `--config`, `--env`, and `--format` fail explicitly when a value is missing or when the next token is another flag.
+   - Preserved valid-argument behavior while preventing silent command-token consumption.
+   - Added focused config specs and re-ran the full gate.
+
+1. Add formatter branch coverage for STDERR and invalid stream paths.
+   - Covered `Formatter#print`, `Formatter#puts`, `Formatter#info`, `Formatter#warn`, and `Formatter#error` branches for STDERR and invalid-stream behavior.
+   - Kept output formatting and abort text exact while raising `lib/moose_inventory/cli/formatter.rb` coverage to 100%.
+   - Re-ran the focused formatter spec slice and the full gate.
+
+1. Close the remaining full-RuboCop gap in spec support helpers.
+   - Cleaned `spec/spec_helper.rb` and `spec/shared/shared_config_setup.rb` so full `bundle exec rubocop` is green, including extracting helper modules and moving DB cleanup to a `before(:suite)` hook.
+   - Added those two support files to `scripts/ci/check_rubocop.sh`, bringing the targeted gate into line with the current full RuboCop surface.
+   - Preserved existing spec harness behavior while reducing setup noise in the shared helpers.
+
+1. Clean group host-association CLI spec RuboCop hygiene.
+   - Normalized `group addhost` and `group rmhost` specs for frozen string literals, literal style, Thor member checks, stale line-length directives, escaped strings, and continuation formatting.
+   - Kept command behavior unchanged while adding scoped block-length disables around the legacy command-spec structures.
+   - Added the cleaned group host-association specs to the targeted RuboCop gate.
+
+1. Clean host variable CLI spec RuboCop hygiene.
+   - Normalized `host addvar` and `host rmvar` specs for frozen string literals, literal style, Thor member checks, map-style construction, and continuation formatting.
+   - Kept command behavior unchanged while adding scoped block-length disables around the legacy command-spec structures.
+   - Added the cleaned host variable specs to the targeted RuboCop gate.
+
+1. Clean group variable CLI spec RuboCop hygiene.
+   - Normalized `group addvar` and `group rmvar` specs for frozen string literals, literal style, Thor member checks, map-style construction, and continuation formatting.
+   - Kept command behavior unchanged while adding scoped block-length disables around the legacy command-spec structures.
+   - Added the cleaned group variable specs to the targeted RuboCop gate.
+
+1. Clean group child CLI spec RuboCop hygiene.
+   - Normalized `group addchild` and `group rmchild` specs for frozen string literals, literal style, Thor member checks, hash alignment, and continuation formatting.
+   - Kept command behavior unchanged while adding scoped block-length disables around the legacy command-spec structures.
+   - Added the cleaned group child specs to the targeted RuboCop gate.
+
+1. Clean get/list CLI spec RuboCop hygiene.
+   - Normalized host/group get, list, and listvars specs for frozen string literals, literal style, member checks, and minor legacy lint issues.
+   - Kept focused get/list behavior unchanged while adding scoped block-length disables around the legacy command-spec structures.
+   - Added the cleaned get/list specs to the targeted RuboCop gate.
+
+1. Clean spec entrypoint RuboCop hygiene.
+   - Replaced the stale fully commented `application_spec` scaffold with direct specs for the application version command and registered Thor subcommands.
+   - Added frozen string literal coverage to the host/group aggregate spec entrypoints.
+   - Brought `models_spec` into the targeted RuboCop gate with scoped block-length disables for the legacy integration-style model coverage.
+   - Added these spec entrypoints to the targeted RuboCop gate.
+
+1. Clean build/support RuboCop hygiene.
+   - Added frozen string literal comments to `Gemfile`, `Rakefile`, and `scripts/files.rb`.
+   - Simplified `scripts/files.rb` symbol/hash output and removed redundant string coercion.
+   - Added the build/support files to the targeted RuboCop gate.
+
+1. Clean CLI loader and gemspec hygiene.
+   - Normalized small CLI loader files for frozen string literals and idiomatic `require_relative` paths.
+   - Updated gemspec metadata to require RubyGems MFA, removed deprecated `test_files`, and corrected dependency/API/style issues while preserving the project's Gemfile-through-gemspec setup.
+   - Added the cleaned CLI loader files and gemspec to the targeted RuboCop gate.
+
+1. Replace randomized SQLite busy retry sleeps with deterministic capped backoff.
+   - Added named retry constants and a testable `busy_retry_delay` helper for database lock retries.
+   - Replaced `sleep rand` with deterministic capped exponential backoff while preserving the existing retry limit and trace warning behavior.
+   - Added DB specs for retry delays, sleeper injection, and retry-limit exhaustion.
+
+1. Clean tiny production entrypoints and Moose DB exception behavior.
+   - Updated `MooseDBException` to initialize through `RuntimeError#initialize` instead of overriding `message`, preserving default-message behavior while avoiding non-idiomatic exception state.
+   - Cleaned the CLI executable, top-level require file, DB model file, and version file so they pass the targeted RuboCop gate.
+   - Added direct exception specs and expanded the targeted RuboCop gate to cover the cleaned entrypoint/exception files.
+
+1. Expand shared CLI spec harness adoption across host/group add/remove command specs.
+   - Extended the shared CLI harness to support extra CLI args for specs that intentionally alter bootstrap flags.
+   - Migrated `host add`, `host rm`, `group add`, and `group rm` specs to use the shared harness while preserving the `group add` trace fixture.
+   - Verified focused add/remove CLI specs and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Expand shared CLI spec harness adoption across host/group association command specs.
+   - Extended the shared CLI harness to support optional secondary command-class fixtures for specs that need both host and group command objects.
+   - Migrated `host addgroup`, `host rmgroup`, `group addhost`, and `group rmhost` specs to use the shared harness.
+   - Verified focused association CLI specs and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Expand shared CLI spec harness adoption across variable mutating command specs.
+   - Migrated `host addvar`, `host rmvar`, `group addvar`, and `group rmvar` specs to use the shared CLI harness for config/DB/application setup and per-example DB reset.
+   - Verified focused variable CLI specs and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Extract shared CLI spec harness for repeated command specs.
+   - Added `spec/support/cli_harness.rb` for shared CLI fixture argument construction, config/DB/application setup, optional top-level CLI wiring, and per-example reset behavior.
+   - Included the helper from `spec/spec_helper.rb` and migrated representative host/group `get`, `list`, and `listvars` specs to use it.
+   - Added the new support helper to the targeted RuboCop gate.
+   - Verified focused migrated specs, targeted RuboCop for the helper, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Reduce repeated fixed-success tail boilerplate across the variable CLI adapters.
+   - Added `print_success_summary` as the no-warning fixed-success helper and routed `print_warning_summary` through it for the success path.
+   - Refactored `host addvar`, `host rmvar`, `group addvar`, and `group rmvar` to use the helper while preserving the exact legacy `Succeeded.` output.
+   - The host association adapters had already been handled by the previous warning-summary slice, so no additional association changes were needed here.
+
+1. Reduce repeated final success-summary boilerplate across the remaining host mutating CLI adapters.
+   - Extended `print_warning_summary` into `host add`, `host addgroup`, and `host rmgroup`, preserving the legacy behavior that these commands always end with plain `Succeeded` even when warnings are emitted.
+   - Adjusted the helper to tolerate result objects without a `warning_count` field so `Moose::Inventory::Operations::AddHosts::Result` stayed API-compatible.
+   - Verified with focused host CLI specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Reduce repeated final success-summary boilerplate across the remaining mutating CLI adapters.
+   - Extended `print_warning_summary` into `group add`, `group rm`, and `host rm`, preserving the exact wording quirks including `group add` using `Succeeded` without a period on the no-warning path.
+   - Verified with focused `group add`/`group rm`/`host rm` specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Reduce repeated final success-summary boilerplate across the group relation adapters.
+   - Added `print_warning_summary` to `Moose::Inventory::Cli::Helpers` to centralize the shared `Succeeded.` vs `Succeeded, with warnings.` tail output.
+   - Refactored `group addhost`, `group rmhost`, `group addchild`, and `group rmchild` to use the shared helper while preserving exact wording and punctuation.
+   - Verified with focused group-relation CLI specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Reduce repeated transaction/result wrapper boilerplate across the group relation adapters.
+   - Added `run_group_relation_transaction` to `Moose::Inventory::Cli::Helpers` to centralize the shared transaction/rescue/result wrapper, including the common `- all OK` line and Moose-exception abort path.
+   - Refactored `group addhost`, `group rmhost`, `group addchild`, and `group rmchild` to use the shared helper while preserving exact command headings, error ordering, and the child-relation `ERROR: #{e}` behavior via an explicit formatter hook.
+   - Verified with focused group-relation CLI specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Reduce repeated parent-group lookup/bootstrap boilerplate across the group relation adapters.
+   - Added `fetch_existing_group_or_abort` to `Moose::Inventory::Cli::Helpers` to centralize the shared retrieve/look-up/missing-group/OK bootstrap flow.
+   - Refactored `group addhost`, `group rmhost`, `group addchild`, and `group rmchild` to use the shared helper while preserving the exact existing output strings and error ordering.
+   - Verified with focused group-relation CLI specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Reduce repeated event-rendering boilerplate across child-group relation CLI adapters.
+   - Added `Moose::Inventory::Cli::ChildRelationRendering` to centralize the shared event-emitter and render-path logic for `group addchild` and `group rmchild`.
+   - Refactored both child-relation adapters to delegate through the shared helper while preserving the exact existing CLI output strings, warning wording, recursive orphan-cleanup progress lines, status text, and even the legacy extra-`}` duplicate-association warning quirk.
+   - Extended the targeted RuboCop gate to cover the new rendering helper and verified with focused child-relation CLI specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Reduce repeated event-rendering boilerplate across host/group association CLI adapters.
+   - Added `Moose::Inventory::Cli::AssociationRendering` plus `AssociationRenderingSupport` to centralize the shared event-emitter and string-building logic for `host addgroup`, `host rmgroup`, `group addhost`, and `group rmhost`.
+   - Refactored the four association adapters to delegate through the shared helper while preserving the exact existing CLI output strings, capitalization, warning newlines, automatic `ungrouped` association wording, and success markers.
+   - Extended the targeted RuboCop gate to cover the new rendering helpers and verified with focused association CLI specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Reduce repeated event-rendering boilerplate across the variable CLI adapters.
+   - Added `Moose::Inventory::Cli::VariableRendering` to centralize the shared event-emitter and render-path logic for `host/group addvar` and `host/group rmvar`.
+   - Refactored the four variable adapters to delegate through the shared helper while preserving the exact existing CLI output strings for add/remove headings, retrieval lines, variable mutation lines, update notices, and success markers.
+   - Extended the targeted RuboCop gate to cover the new rendering helper and verified with focused variable CLI/operation specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Introduce a small CLI operation/query factory to reduce adapter boilerplate.
+   - Added `Moose::Inventory::Cli::Factory` as a tiny shared seam for building context-backed operations and the memoized inventory query wrapper.
+   - Updated `Moose::Inventory::Cli::Helpers` to expose `build_operation` and `inventory_query`, so refactored Thor adapters stop repeating near-identical operation/query construction glue.
+   - Simplified host/group get/list/listvars plus the refactored association/variable/removal adapters to use the shared factory seam while preserving existing CLI behavior.
+   - Added direct regression coverage in `spec/lib/moose_inventory/cli/factory_spec.rb`, extended the targeted RuboCop gate to lint the new factory and spec, and verified with focused specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Reduce remaining DB singleton leakage behind `InventoryContext` and CLI bootstrap.
+   - Removed the hidden default DB dependency from `Moose::Inventory::InventoryContext`; callers must now supply the DB explicitly.
+   - Centralized CLI context construction in `Moose::Inventory::Cli::Helpers#inventory_context`, so refactored commands stop repeatedly open-coding `InventoryContext.new(db: db)` and automatic-group helpers also route through the same context seam.
+   - Updated `Moose::Inventory::Cli.start` to accept injected `config`, `db`, and `application` dependencies, making bootstrap wiring explicit and directly specable instead of hard-binding startup to module globals.
+   - Added regression coverage in `spec/lib/moose_inventory/cli/cli_spec.rb` and `spec/lib/moose_inventory/inventory_context_spec.rb`, extended the targeted RuboCop gate to include those specs, and verified with focused specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Split `QueryInventory` before it grew into a new monolith.
+   - Broke `lib/moose_inventory/operations/query_inventory.rb` into a thin delegator plus focused host/group query helpers under `lib/moose_inventory/operations/query_inventory/`.
+   - Kept the public operation API unchanged for `host get/list/listvars` and `group get/list/listvars`, preserving existing YAML/JSON/Ansible output behavior.
+   - Removed the temporary targeted RuboCop `Metrics/ClassLength` exclusion for `QueryInventory` and extended the lint gate to cover the new helper files.
+   - Verified with focused query specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Fix formatter output bug and make output format explicit at command call sites.
+   - Fixed `Moose::Inventory::Cli::Formatter.info` so it prints the provided message instead of the literal placeholder string `INFO: {msg}`.
+   - Removed the formatter's implicit reach-in to global config for output format; query-style CLI commands now pass the resolved output format explicitly when calling `fmt.dump`.
+   - Added regression coverage in `spec/lib/moose_inventory/cli/formatter_spec.rb` and extended the targeted RuboCop gate to cover the formatter and its spec.
+   - Verified with focused formatter/query CLI specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Extract `host rm` into the operation/context/event seam.
+   - Added `Moose::Inventory::Operations::RemoveHosts` to own host lookup, warning accounting, removal, and structured event emission.
+   - Converted `host rm` into a thinner Thor adapter that validates input, delegates through `InventoryContext`, renders structured events, and preserves existing CLI output.
+   - Added direct operation coverage in `spec/lib/moose_inventory/operations/remove_hosts_spec.rb` and expanded the targeted RuboCop scope accordingly.
+   - Verified with focused `host rm`/operation specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Introduce a small runtime-options object for resolved CLI state.
+   - Added `Moose::Inventory::RuntimeOptions` so resolved argv/format/ansible/trace state is represented as a value object instead of the last few command/query paths reaching directly into `Config._confopts`.
+   - Updated `Moose::Inventory::Config` to expose `runtime_options`, `application_args`, `output_format`, `ansible?`, `trace_enabled?`, and `db_settings`, and rewired CLI/DB call sites to use those methods.
+   - Updated the top-level CLI entrypoint to launch Thor using `Config.application_args` instead of directly reading `Config._argv`.
+   - Verified with focused config/query/CLI specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Tame remaining global DB/config singleton complexity.
+   - Refactored `Moose::Inventory::Config` to reset runtime state explicitly on `init`, factor default options / flag parsing / config-path resolution / environment selection into smaller helper methods, and expose more explicit configuration-loading behavior without changing CLI semantics.
+   - Refactored `Moose::Inventory::DB` to centralize table definitions, model binding, adapter normalization, required-key validation, and busy-transaction retry handling, while adding `reset_runtime_state` so tests no longer have to manually juggle as much module instance state.
+   - Expanded regression coverage in `spec/lib/moose_inventory/config/config_spec.rb` and `spec/lib/moose_inventory/db/db_spec.rb`, and extended the targeted RuboCop gate to cover these files with narrow legacy-file exclusions for module/spec length and existing help-formatting patterns.
+   - Verified with focused config/DB specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Extract read-only host/group query commands behind a thin query seam.
+   - Added `Moose::Inventory::Operations::QueryInventory` as a context-backed read layer for `host get`, `group get`, `host list`, `group list`, `host listvars`, and `group listvars`.
+   - Converted those CLI commands into thinner adapters that normalize input, delegate query shaping, preserve the existing YAML/JSON/Ansible output, and keep warnings/argument errors spec-compatible.
+   - Added direct query operation coverage in `spec/lib/moose_inventory/operations/query_inventory_spec.rb` and expanded the targeted RuboCop scope for the new seam.
+   - Verified with focused query/CLI specs, targeted RuboCop, and full `MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS=1 ./scripts/check.sh`.
+
+1. Extract host/group variable mutation commands into operations.
+   - Added `Moose::Inventory::Operations::AddVariables` and `RemoveVariables` to own shared host/group variable validation, lookup, create/update/delete behavior, and structured event emission.
+   - Converted `host addvar`, `host rmvar`, `group addvar`, and `group rmvar` into thinner Thor adapters over `InventoryContext` that render operation events while preserving existing CLI output and transaction rollback behavior.
+   - Added direct operation specs and expanded the targeted RuboCop gate to cover the new operation/adapter/spec seam.
+   - Verified with focused CLI/operation specs and full `./scripts/check.sh`.
+
 1. Extract `group rm` to reuse the new group-cleanup / relation-operation seam.
    - Added `Moose::Inventory::Operations::RemoveGroups` and reused `GroupCleanup` so top-level group deletion, recursive orphan cleanup, and host `ungrouped` reattachment now run through structured operation events instead of bespoke Thor logic.
    - Converted `group rm` into a thinner adapter over `InventoryContext`, preserving `--recursive` behavior and existing CLI output.