style: tidy mysqltuner.pl

Author: jmrenouard

.agent/README.md

@@ -55,4 +55,4 @@ This directory contains the project's technical constitution, specialized skills
 
 
 ---
-*Generated automatically by `/doc-sync` on Sat Feb 14 11:35:52 CET 2026*
+*Generated automatically by `/doc-sync` on Sat Feb 14 23:44:09 CET 2026*

.agent/skills/cli-execution-mastery/SKILL.md

@@ -49,6 +49,35 @@ If connection fails, use these flags to diagnose:
 - `--dbgpattern='.*'`: Filters debug information with regex.
 - Verify `mysqlcmd` path if custom binaries are used: `--mysqlcmd=/usr/local/bin/mysql`.
 
+### 5. MariaDB InnoDB Variable Compatibility
+
+As MariaDB evolves, several InnoDB system variables have been removed or deprecated. `mysqltuner.pl` detects these to avoid legacy configuration overhead.
+
+| Parameter | Removed/Deprecated In | Note/Replacement |
+| :--- | :--- | :--- |
+| `have_innodb` | Removed 10.0 | Use `SHOW ENGINES` or `I_S.PLUGINS`. |
+| `innodb_adaptive_flushing_method` | Removed 10.0 | Replaced by MySQL 5.6 flushing logic. |
+| `innodb_checksums` | Removed 10.0 | Use `innodb_checksum_algorithm`. |
+| `innodb_stats_sample_pages` | Removed 10.5.0 | Use `innodb_stats_transient_sample_pages`. |
+| `innodb_file_format` / `_check` / `_max` | Removed 10.6.0 | Antelope and Barracuda are legacy concepts. |
+| `innodb_large_prefix` | Removed 10.6.0 | Always enabled in newer versions. |
+| `innodb_locks_unsafe_for_binlog` | Removed 10.6.0 | No longer supported. |
+| `innodb_prefix_index_cluster_optimization` | Deprecated 10.10 | Always enabled now. |
+
+### 6. MySQL InnoDB Variable Compatibility
+
+| Parameter | Removed/Deprecated In | Note/Replacement |
+| :--- | :--- | :--- |
+| `innodb_locks_unsafe_for_binlog` | Removed 8.0 | Use `READ COMMITTED` isolation level instead. |
+| `innodb_support_xa` | Removed 8.0 | XA support is now always enabled. |
+| `innodb_file_format` family | Removed 8.0 | `Barracuda` is the only supported format. |
+| `innodb_large_prefix` | Removed 8.0 | Always enabled for `Barracuda`. |
+| `tx_isolation` / `tx_read_only` | Removed 8.0 | Use `transaction_isolation` / `transaction_read_only`. |
+| `innodb_undo_logs` | Removed 8.0 | Replaced by `innodb_rollback_segments`. |
+| `innodb_undo_tablespaces` | Removed 9.0 | Managed automatically now. |
+| `innodb_log_file_size` | Removed 9.0 | Replaced by `innodb_redo_log_capacity`. |
+| `innodb_api_...` variables | Removed 8.4 | Memcached-related variables removed. |
+
 ## ✅ Verification
 
 - Run `perl mysqltuner.pl --help` to confirm availability of these options.

.agent/workflows/doc-sync.md

@@ -6,11 +6,24 @@ category: tool
 
 # Documentation Synchronization Workflow
 
-1. Execute the documentation synchronization script:
+1. Execute the documentation synchronization script to update `.agent/README.md`:
 // turbo
 
 ```bash
 python3 build/doc_sync.py
 ```
 
-1. Review the updated summary in [.agent/README.md](file://.agent/README.md).
+1. **Full Documentation Review Checklist**:
+    - [ ] **READMEs**: Verify `README.md` and translations are up-to-date with new features.
+    - [ ] **Usage**: Ensure `mysqltuner.pl --help` output matches `CLI_METADATA` in script.
+    - [ ] **ROADMAP.md**: Move completed items from Phase 2/3 to COMPLETED.
+    - [ ] **POTENTIAL_ISSUES**: Audit and resolve found anomalies.
+    - [ ] **Script Comments**: Verify internal documentation matches logic changes.
+
+2. **Version Consistency Audit**:
+    - [ ] `CURRENT_VERSION.txt` matches `$tunerversion` in `mysqltuner.pl`.
+    - [ ] Script header and POD documentation reflect the current version.
+    - [ ] `Changelog` contains a section for the current version with correct date.
+    - [ ] `releases/v[VERSION].md` exists and is synchronized with `Changelog`.
+
+3. Review the updated summary in [.agent/README.md](file://.agent/README.md).

Changelog

@@ -1,15 +1,26 @@
 2.8.38 2026-02-14
 
+- feat: implement authentication plugin security checks to detect insecure or deprecated plugins like mysql_native_password and sha256_password.
+- feat: add MySQL 9.x readiness diagnostics for eliminated authentication methods.
+- feat: update MariaDB recommendations to suggest ed25519 and unix_socket for enhanced security.
+- test: add integrated test suite for authentication plugin auditing (tests/auth_plugin_checks.t).
+- feat: detect removed InnoDB variables in MariaDB and MySQL and provide actionable recommendations.
+- test: add regression test for MariaDB and MySQL removed InnoDB variables (tests/removed_innodb_vars.t).
 - fix: prevent creation of unauthorized directory "0" when --dumpdir is not explicitly set or set to 0 (Issue #20).
 - fix: robust, version-agnostic detection of password column in mysql.user via schema inspection (Issue #22).
+- fix: refactor mysql_setup to correctly handle --defaults-file and --defaults-extra-file with credentials (Issue #605).
+- fix: resolve MariaDB socket authentication regression and restore automatic credential discovery (Issue #875).
+- fix: remediate Prototype Pollution vulnerability in lodash (CVE-2021-23341) by forcing update to 4.17.23.
 - refactor: replace massive system calls (awk, grep, uname, getconf, sysctl) with native Core Perl functions for Linux.
 - feat: implement native parsing for /proc/cpuinfo, /proc/meminfo, /proc/sys/vm/swappiness and /etc/resolv.conf.
+- feat: add support for --login-path in CLI metadata and mysql_setup for enhanced authentication flexibility.
 - refactor: optimize CPU core count, logical CPU detection, and OS memory setup for local environments.
 - refactor: use POSIX::uname and POSIX::sysconf for standardized system and architecture reporting.
-- fix: resolve MariaDB socket authentication regression and restore automatic credential discovery (Issue #875).
-- fix: remediate Prototype Pollution vulnerability in lodash (CVE-2021-23341) by forcing update to 4.17.23.
 - test: add reproduction test for authentication discovery chain (tests/issue_875_regression.t).
 - test: add comprehensive test suite for password column detection (tests/repro_issue_22.t).
+- test: add reproduction test for credentials and defaults files handling (tests/repro_issue_605.t).
+- feat: add automatic detection of systemd journal and syslog fallbacks for MariaDB/MySQL logs (Issue #440).
+- test: add verification suite for syslog and systemd journal detection (tests/syslog_journal_detection.t).
 - chore: bump version to 2.8.38.
 
 2.8.36 2026-02-13

POTENTIAL_ISSUES

@@ -83,3 +83,14 @@ The following external commands are currently used via `execute_system_command`
   - **Replacement**: Native Perl parsing of `/proc/cpuinfo`.
 - [x] **Command**: `sysctl -n vm.swappiness` (line 3052)
   - **Replacement**: Native Perl parsing of `/proc/sys/vm/swappiness`.
+
+## [2026-02-14 Audit] Release v2.8.38
+
+### Environment/Lab Issues
+
+- [ ] **SQL Execution Failure (return code 256)**: Persistent across MySQL 8.x and 9.x in laboratory reports.
+  - Found in: `examples/20260214_224108_mysql96/`, `examples/20260214_224539_mysql84/`.
+  - Symptom: `✘ FAIL Execute SQL / return code: 256`.
+  - Investigation: Containers startup as expected but some SQL queries (potentially PFS related) fail on newer versions.
+- [ ] **Container Startup Failure**: `mysql96` failed to start during `make test-all`.
+  - Found in: `examples/20260214_234142_mysql96/`.

ROADMAP.md

@@ -28,18 +28,22 @@ To ensure consistency and high-density development, the following roles are defi
 * [x] **Structured Error Log Ingestion**: Supported `performance_schema.error_log` for diagnostic ingestion (MySQL 8.0+).
 * [x] **Refined Reporting**: Improved data richness in the "Modeling Analysis" tab.
 
-### Phase 2: Advanced Diagnostics [IN PROGRESS]
+### Phase 2: Advanced Diagnostics (v2.8.34 - v2.8.38) [COMPLETED]
 
-* **Plugin & Hook Stability**: Formalize the custom hook mechanism (verified for MySQL and SSL) to enable scalable third-party integrations.
-* **Compliance Awareness Framework**: Specialized audit profiles (`--audit-pci`, `--audit-hipaa`, `--audit-gdpr`) to verify regulatory configuration requirements.
-* **Index Audit 2.0**: Integrate `performance_schema` to detect redundant and unused indexes.
-* **Transactional Contention Analysis**: Detect patterns leading to deadlocks and high lock wait times.
-* **Buffer Pool Advisory**: More granular analysis of InnoDB Buffer Pool usage and resizing recommendations.
-* **Kernel & Architecture Health**: Implement `io_uring` support detection and kernel setting verification.
+| Item | Status |
+| :--- | :--- |
+| **System Call Optimization** | [x] Replaced `awk`, `grep`, `hostname`, `uname`, `sysctl` with native Perl. |
+| **Native /proc Parsing** | [x] Implemented native parsing for `cpuinfo`, `meminfo`, `swappiness`. |
+| **Index Audit 2.0** | [x] Integrated `performance_schema` for redundant/unused index detection. |
+| **Observability Log Ingestion** | [x] Support for `syslog`, `journald`, and `performance_schema.error_log`. |
+| **Transactional Contention** | [x] Detect isolation levels and long-running transactions. |
+| **Buffer Pool Advisory** | [ ] More granular analysis of InnoDB Buffer Pool usage. |
 
-### Phase 3: Automation & Ecosystem
+### Phase 3: Automation & Ecosystem [IN PROGRESS]
 
 * **Infrastructure-Aware Tuning**: Detect storage types (NVMe/SSD) and hardware architectures (ARM64/Graviton).
+* **MySQL 9.x Full Compatibility**: Support for removed variables and `mysql_native_password` elimination.
+* **Authentication Plugin Auditing**: Detect insecure plugins (SHA-1 based `mysql_native_password`) and recommend migration paths (`caching_sha2_password`, `ed25519`).
 * **Sysbench Metrics Integration**: Automated baseline capture and performance comparison within the report.
 * **Multi-Cloud Autodiscovery**: Automated detection of RDS, GCP, and Azure specific performance flags and optimizations.
 * **Query Anti-Pattern Detection**: Use `performance_schema` to identify non-SARGable queries and `SELECT *` abuse.

documentation/specifications/auth_plugin_security_checks.md

@@ -0,0 +1,46 @@
+# Specification: Authentication Plugin Security Checks
+
+## Feature Name: Authentication Plugin Auditing
+
+**Status**: Draft
+**Created Date**: 2026-02-14
+
+## Goal
+
+Implement diagnostic checks in `mysqltuner.pl` to identify insecure or deprecated authentication plugins used by database users.
+
+## Insecure/Deprecated Plugins by Version
+
+### MySQL
+
+| Plugin | Status in 8.0 | Status in 8.4 LTS | Status in 9.0 | Risk | Recommendation |
+| :--- | :--- | :--- | :--- | :--- | :--- |
+| `mysql_native_password` | Deprecated | Disabled by default | **REMOVED** | SHA-1, no salt | Migrate to `caching_sha2_password` |
+| `sha256_password` | Deprecated (8.0.16) | Deprecated | Deprecated | Lower perf than caching | Migrate to `caching_sha2_password` |
+| `mysql_old_password` | Removed | Removed | Removed | Pre-4.1, very weak | Already handled by `secure_auth` |
+
+### MariaDB
+
+| Plugin | Recommended | Risk | Recommendation |
+| :--- | :--- | :--- | :--- |
+| `mysql_native_password` | No | SHA-1 | Use `ed25519` or `unix_socket` |
+| `unix_socket` | **Yes** (Local) | N/A | Best for local OS-level auth |
+| `ed25519` | **Yes** | N/A | Standard for high security |
+
+## User Scenarios
+
+1. **Scenario 1**: User has legacy accounts still using `mysql_native_password` on MySQL 8.0. MySQLTuner should warn that these will break in MySQL 9.0 and are less secure.
+2. **Scenario 2**: User is on MariaDB and using default `mysql_native_password`. MySQLTuner should suggest `ed25519` for better security.
+
+## User Stories
+
+| Title | Priority | Description | Rationale | Test Case |
+| :--- | :--- | :--- | :--- | :--- |
+| Detect Insecure Plugins | P1 | As a DBA, I want to see a list of users using insecure plugins. | To prevent security breaches and future breakage. | GIVEN users with `mysql_native_password`, WHEN I run MySQLTuner, THEN it shows a warning. |
+| MySQL 9.0 Readiness | P1 | As a DBA, I want to know if my users are ready for MySQL 9.0. | `mysql_native_password` is removed in 9.0. | GIVEN MySQL 8.x, WHEN I run MySQLTuner, THEN it flags accounts needing migration for 9.0. |
+
+## Implementation Plan
+
+1. Query `mysql.user` (or `information_schema.USER_PRIVILEGES` / `information_schema.applicable_roles` depending on version).
+2. For each account, check `plugin` column.
+3. Aggregate findings and display in "Security Recommendations".

documentation/specifications/doc_sync_enhancement.md

@@ -0,0 +1,38 @@
+---
+title: Documentation Synchronization Enhancement
+status: draft
+project: MySQLTuner-perl
+---
+
+# Documentation Synchronization Enhancement
+
+## 🧠 Rationale
+
+To maintain high-quality, professional standards, all project documentation (READMEs, Roadmaps, Potential Issues, and internal script comments) must be synchronized with the latest functional changes and versioning. This prevents "documentation rot" and ensures users and contributors always have the most accurate information.
+
+## 🛠️ Implementation
+
+### 1. Workflow Update
+
+The `/doc-sync` workflow in `.agent/workflows/doc-sync.md` will be expanded to include explicit steps for:
+
+- Updating English and international `README.md` files.
+- Synchronizing usage information with `CLI_METADATA`.
+- Updating `ROADMAP.md` based on completed features in `Changelog`.
+- Auditing `POTENTIAL_ISSUES` to ensure resolved items are marked or removed.
+- Ensuring script comments (internal documentation) accurately reflect logic changes.
+
+### 2. Synchronization Checklist
+
+A new "Synchronization Checklist" will be added to the workflow to ensure:
+
+- `CURRENT_VERSION.txt` matches `mysqltuner.pl` `$tunerversion`.
+- `Changelog` header matches the current version and date.
+- `releases/v[VERSION].md` exists and summarizes the release correctly.
+- All versioned POD documentation in `mysqltuner.pl` is updated.
+
+## ✅ Verification
+
+- Manual verification of documentation consistency.
+- Successful execution of `doc_sync.py`.
+- Validation of version strings across all 5 mandatory locations (CURRENT_VERSION.txt, script header, $VERSION variable, POD, Changelog).

documentation/specifications/mysql_9_x_support.md

@@ -0,0 +1,35 @@
+# Specification: MySQL 9.x Support
+
+## Feature Name: MySQL 9.x Ecosystem Support
+
+**Status**: Draft
+**Created Date**: 2026-02-14
+
+## Goal
+
+Ensure `mysqltuner.pl` is fully compatible with MySQL 9.x, handling removed variables and new defaults.
+
+## Key Changes in MySQL 9.x
+
+### Removed Components
+
+- `mysql_native_password` authentication plugin.
+- Many deprecated system variables from 8.x.
+
+### New Features to Support
+
+- New performance_schema tables for monitoring.
+- Updates to InnoDB defaults and internal structures.
+
+## User Stories
+
+| Title | Priority | Description | Rationale | Test Case |
+| :--- | :--- | :--- | :--- | :--- |
+| Version Detection | P1 | As a user, I want MySQLTuner to correctly recognize MySQL 9.x. | To ensure version-specific advice is correct. | GIVEN MySQL 9.0, WHEN I run MySQLTuner, THEN it identifies the version correctly. |
+| Handle Removals | P1 | As a user, I want MySQLTuner to NOT try and use removed features. | To avoid SQL errors or crashes. | GIVEN MySQL 9.0, WHEN I run MySQLTuner, THEN it skips checks for `mysql_native_password`. |
+
+## Implementation Plan
+
+1. Update version detection logic in `mysqltuner.pl`.
+2. Audit all existing checks for features removed in 9.x.
+3. Add specific advice for 9.x performance optimizations.

documentation/specifications/syslog_systemd_support.md

@@ -0,0 +1,35 @@
+# Specification - Syslog and Systemd Journal Support for MariaDB/MySQL
+
+## 🧠 Rationale
+
+On modern Linux distributions (like Ubuntu 18.04+), MariaDB and MySQL often default to logging via the systemd journal or syslog instead of a traditional error log file. When `log_error` is not set or points to an unreadable file, MySQLTuner currently fails to analyze logs. This feature adds automatic detection of systemd journal and syslog as fallback sources for error logs.
+
+## User Scenarios
+
+- **Scenario 1**: A user installs MariaDB 10.3 on Ubuntu 18.04. The default configuration logs to systemd. MySQLTuner detects that the traditional log file is missing or empty and automatically switches to `journalctl` to fetch logs.
+- **Scenario 2**: A user has a legacy system where logs are directed to `/var/log/syslog`. MySQLTuner checks this file as a last resort if other methods fail.
+
+## User Stories
+
+| Title | Priority | Description | Rationale | Test Case |
+| :--- | :--- | :--- | :--- | :--- |
+| Systemd Detection | P1 | As a script, I want to automatically detect if MariaDB/MySQL logs are in the systemd journal. | Simplify log analysis on modern systems. | GIVEN a system with `journalctl` and `mariadb.service`, WHEN `log_error` is missing, THEN use `journalctl`. |
+| Syslog Fallback | P2 | As a script, I want to check `/var/log/syslog` if no other log source is found. | Provide a fallback for systems using traditional syslog. | GIVEN `/var/log/syslog` exists and contains `mysqld` entries, WHEN other logs fail, THEN use syslog. |
+| Automatic Prefixing | P1 | As a script, I want to automatically use `systemd:<service>` prefix for log analysis. | Leverage existing systemd journal reading logic. | GIVEN `mariadb` service is active, WHEN log analysis starts, THEN `log_error` is set to `systemd:mariadb`. |
+
+## Technical Implementation Details
+
+- **Service Detection**: Check for `mariadb.service` or `mysql.service` using `systemctl` if available.
+- **Fallback Logic in `log_file_recommendations`**:
+    1. Check `log_error` variable.
+    2. Check Performance Schema `error_log` table.
+    3. Check traditional file paths (existing logic).
+    4. **NEW**: Check `journalctl` for `mariadb` or `mysql` units.
+    5. **NEW**: Check `/var/log/syslog` if it contains `mysqld` or `mariadb` entries.
+- **Command Abstraction**: Use `execute_system_command` for all external calls.
+
+## Verification
+
+- Simulate systemd logs in a test environment.
+- Verify that `systemd:` prefix correctly triggers `journalctl` calls.
+- Verify that syslog fallback works when files are readable.