diff --git a/.claude/settings.json b/.claude/settings.json index b39e710..513546b 100644 --- a/.claude/settings.json +++ b/.claude/settings.json @@ -21,7 +21,7 @@ "vergil-marketplace": { "source": { "source": "github", - "repo": "vergil-project/vergil-plugin" + "repo": "vergil-project/vergil-claude-plugin" } } }, diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 1efe496..4726dea 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -30,6 +30,4 @@ jobs: language: java container-tag: "17" registry-publish: true - secrets: - APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }} - APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + secrets: inherit diff --git a/.gitignore b/.gitignore index 900d3d6..0b0522c 100644 --- a/.gitignore +++ b/.gitignore @@ -89,3 +89,6 @@ __pycache__/ .mq-rest-admin-common docs/site/site/ .worktrees/ + +# Vergil tooling scratch (PR/session working dir) +.vergil/ diff --git a/CLAUDE.md b/CLAUDE.md index 5d887ab..8ad7e64 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -36,19 +36,19 @@ on-ramp. ### Structure ```text -~/dev/github/mq-rest-admin-java/ ← sessions ALWAYS start here +/ ← sessions ALWAYS start here .git/ - CLAUDE.md, src/, … ← main worktree (usually `develop`) - .worktrees/ ← container for parallel worktrees - issue-261-adopt-worktree-convention/ ← worktree on feature/261-... + CLAUDE.md, … ← main worktree (usually `develop`) + .worktrees/ ← container for parallel worktrees + issue--/ ← worktree on feature/- … ``` ### Rules 1. **Sessions always start at the project root.** - `cd ~/dev/github/mq-rest-admin-java && claude` — never from inside - `.worktrees//`. This keeps the memory-path slug stable and shared. + Never start Claude from inside `.worktrees//`. This keeps the + memory-path slug stable and shared. 2. **Each parallel agent is assigned exactly one worktree.** The session prompt names the worktree (see Agent prompt contract below). - For Read / Edit / Write tools: use the worktree's absolute path. 
@@ -56,7 +56,7 @@ on-ramp. or use absolute paths. 3. **The main worktree is read-only.** All edits flow through a worktree on a feature branch — the logical endpoint of the standing - "no direct commits to `develop`" policy. + "no direct commits to develop" policy. 4. **One worktree per issue.** Don't stack in-flight issues. When a branch lands, remove the worktree before starting the next. 5. **Naming: `issue--`.** `` is the GitHub issue 
@@ -70,22 +70,44 @@ placeholders): ```text You are working on issue #: . -Your worktree is: /Users/pmoore/dev/github/mq-rest-admin-java/.worktrees/issue--/ +Your worktree is: /.worktrees/issue--/ Your branch is: feature/- Rules for this session: - Do all git operations from inside your worktree: - cd && git + cd && vrg-git - For Read / Edit / Write tools, use the absolute worktree path. - For Bash commands that touch files, cd into the worktree first or use absolute paths. - Do not edit files at the project root. The main worktree is read-only — all changes flow through your worktree on your feature branch. +- When you need to run validation, run it from inside your worktree + (vrg-container-run mounts the current directory). ``` All fields are required. +## Shell command policy + +Use `vrg-git` instead of `git` for all git operations. Use `vrg-gh` +instead of `gh` for all GitHub CLI operations. These wrappers enforce +subcommand allowlists, flag deny lists, and credential selection. + +Raw `git` and `gh` are denied by the permission model. If a command +is not available through the wrappers, explain the situation to the +human who can run it directly via `! ` in the prompt. + +## Validation + +```bash +vrg-container-run -- vrg-validate +``` + +This is the **only** validation command. Do not run individual linters, +formatters, or other tools outside of `vrg-validate`. If a tool is not +invoked by `vrg-validate`, it is not part of the validation pipeline. + ## Project Overview Java wrapper for the IBM MQ administrative REST API, ported from `pymqrest` (Python). Provides method-per-command API (`displayQueue()`, `defineQlocal()`, etc.) with attribute mapping between snake_case and MQSC parameter names. @@ -118,7 +140,7 @@ Workflow: `.github/workflows/ci.yml`. ### Validation ```bash -vrg-docker-run -- vrg-validate # Full validation (runs in dev container) +vrg-container-run -- vrg-validate # Full validation (runs in dev container) ``` ### Build and Validate 
diff --git a/src/test/java/io/github/mqrestadminproject/mq/rest/admin/MqRestSessionIT.java b/src/test/java/io/github/mqrestadminproject/mq/rest/admin/MqRestSessionIT.java index de56292..baeda43 100644 --- a/src/test/java/io/github/mqrestadminproject/mq/rest/admin/MqRestSessionIT.java +++ b/src/test/java/io/github/mqrestadminproject/mq/rest/admin/MqRestSessionIT.java @@ -673,7 +673,8 @@ REST_BASE_URL, QM1_NAME, new LtpaAuth(ADMIN_USER, ADMIN_PASSWORD)) // ------------------------------------------------------------------------- private static void runScript(Path script) throws IOException, InterruptedException { - ProcessBuilder pb = new ProcessBuilder("bash", script.toString()); + // Absolute path avoids PATH-hijack (CodeQL java/relative-path-command). + ProcessBuilder pb = new ProcessBuilder("/bin/bash", script.toString()); pb.inheritIO(); pb.directory(REPO_ROOT.toFile()); int exitCode = pb.start().waitFor();
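
Review bot: In `.claude/settings.json`, the `vergil-marketplace` source now points at `vergil-project/vergil-claude-plugin`, and the visible lines identify it by repository name only. This entry decides which plugin code sessions load, so state in the PR description that the new name is the renamed original repository under the same organisation. Also say what happens to the old `vergil-project/vergil-plugin` name, so it cannot later be reused for different content.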
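
Review bot: In `.github/workflows/cd.yml`, `secrets: inherit` gives the called workflow every secret the calling workflow can access, where the removed lines passed only `APP_CLIENT_ID` and `APP_PRIVATE_KEY`. This job sets `registry-publish: true`, so it is a publishing path. Unless the called workflow needs secrets that cannot be listed by name, keep the explicit mapping and add any new names to it, so a later change in the called workflow cannot start reading secrets this caller never meant to share.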
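
Review bot: In the new "Shell command policy" section of `CLAUDE.md`, the sentence "Raw `git` and `gh` are denied by the permission model" describes enforcement that this diff does not show; the only `.claude/settings.json` change here is the marketplace repository name. Point to where the deny rules are defined, or include them in this change, and link to the wrappers' subcommand allowlists and flag deny lists, so the policy can be checked against configuration and does not rest on this document alone.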
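
Review bot: In `CLAUDE.md`, the `### Validation` block updated to `vrg-container-run -- vrg-validate` now repeats the command from the new top-level `## Validation` section added earlier in this patch, so the next rename has to be made in two places. Keep one copy and refer to it from the other. Also check the `### Build and Validate` section that follows against the new rule "Do not run individual linters, formatters, or other tools outside of `vrg-validate`", since its content lies outside this hunk.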
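
Review bot: In `runScript` of `MqRestSessionIT.java`, `new ProcessBuilder("/bin/bash", script.toString())` fixes the interpreter lookup, but the visible lines leave the child's environment untouched, so commands the script itself runs are still resolved through the inherited `PATH`. If the intent is to close the CodeQL finding and not just silence it, set a fixed `PATH` via `pb.environment()` before `pb.start()`. The comment should also mention that hosts without bash at `/bin/bash` will now fail when the process starts.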