From 4677be940ced7f3ea8750e175bfc4fe8cb35a190 Mon Sep 17 00:00:00 2001 From: Phillip Moore Date: Tue, 2 Jun 2026 08:17:04 -0400 Subject: [PATCH 1/3] chore(tooling): refresh managed config to current Vergil tooling/actions Items 1/3/6/7 of the fleet refresh (epic mq-rest-admin-project/.github#14): marketplace -> vergil-claude-plugin; embed canonical CLAUDE.md template (+ vrg-docker-run -> vrg-container-run); ignore .vergil/; cd.yml release uses secrets: inherit (fixes CD startup_failure). Hook guard (item 2) already landed via #312. audit COMPLIANT; vrg-validate passes. Refs #313. --- .claude/settings.json | 2 +- .github/workflows/cd.yml | 4 +--- .gitignore | 3 +++ CLAUDE.md | 42 ++++++++++++++++++++++++++++++---------- 4 files changed, 37 insertions(+), 14 deletions(-) diff --git a/.claude/settings.json b/.claude/settings.json index b39e710..513546b 100644 --- a/.claude/settings.json +++ b/.claude/settings.json @@ -21,7 +21,7 @@ "vergil-marketplace": { "source": { "source": "github", - "repo": "vergil-project/vergil-plugin" + "repo": "vergil-project/vergil-claude-plugin" } } }, diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 1efe496..4726dea 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -30,6 +30,4 @@ jobs: language: java container-tag: "17" registry-publish: true - secrets: - APP_CLIENT_ID: ${{ secrets.APP_CLIENT_ID }} - APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} + secrets: inherit diff --git a/.gitignore b/.gitignore index 900d3d6..0b0522c 100644 --- a/.gitignore +++ b/.gitignore @@ -89,3 +89,6 @@ __pycache__/ .mq-rest-admin-common docs/site/site/ .worktrees/ + +# Vergil tooling scratch (PR/session working dir) +.vergil/ diff --git a/CLAUDE.md b/CLAUDE.md index 5d887ab..8ad7e64 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -36,19 +36,19 @@ on-ramp. ### Structure ```text -~/dev/github/mq-rest-admin-java/ ← sessions ALWAYS start here +/ ← sessions ALWAYS start here .git/ - CLAUDE.md, src/, … ← main worktree (usually `develop`) - .worktrees/ ← container for parallel worktrees - issue-261-adopt-worktree-convention/ ← worktree on feature/261-... + CLAUDE.md, … ← main worktree (usually `develop`) + .worktrees/ ← container for parallel worktrees + issue--/ ← worktree on feature/- … ``` ### Rules 1. **Sessions always start at the project root.** - `cd ~/dev/github/mq-rest-admin-java && claude` — never from inside - `.worktrees//`. This keeps the memory-path slug stable and shared. + Never start Claude from inside `.worktrees//`. This keeps the + memory-path slug stable and shared. 2. **Each parallel agent is assigned exactly one worktree.** The session prompt names the worktree (see Agent prompt contract below). - For Read / Edit / Write tools: use the worktree's absolute path. @@ -56,7 +56,7 @@ on-ramp. or use absolute paths. 3. **The main worktree is read-only.** All edits flow through a worktree on a feature branch — the logical endpoint of the standing - "no direct commits to `develop`" policy. + "no direct commits to develop" policy. 4. **One worktree per issue.** Don't stack in-flight issues. When a branch lands, remove the worktree before starting the next. 5. **Naming: `issue--`.** `` is the GitHub issue 
@@ -70,22 +70,44 @@ placeholders): ```text You are working on issue #: . -Your worktree is: /Users/pmoore/dev/github/mq-rest-admin-java/.worktrees/issue--/ +Your worktree is: /.worktrees/issue--/ Your branch is: feature/- Rules for this session: - Do all git operations from inside your worktree: - cd && git + cd && vrg-git - For Read / Edit / Write tools, use the absolute worktree path. - For Bash commands that touch files, cd into the worktree first or use absolute paths. - Do not edit files at the project root. The main worktree is read-only — all changes flow through your worktree on your feature branch. +- When you need to run validation, run it from inside your worktree + (vrg-container-run mounts the current directory). ``` All fields are required. +## Shell command policy + +Use `vrg-git` instead of `git` for all git operations. Use `vrg-gh` +instead of `gh` for all GitHub CLI operations. These wrappers enforce +subcommand allowlists, flag deny lists, and credential selection. + +Raw `git` and `gh` are denied by the permission model. If a command +is not available through the wrappers, explain the situation to the +human who can run it directly via `! ` in the prompt. + +## Validation + +```bash +vrg-container-run -- vrg-validate +``` + +This is the **only** validation command. Do not run individual linters, +formatters, or other tools outside of `vrg-validate`. If a tool is not +invoked by `vrg-validate`, it is not part of the validation pipeline. + ## Project Overview Java wrapper for the IBM MQ administrative REST API, ported from `pymqrest` (Python). Provides method-per-command API (`displayQueue()`, `defineQlocal()`, etc.) with attribute mapping between snake_case and MQSC parameter names. @@ -118,7 +140,7 @@ Workflow: `.github/workflows/ci.yml`. ### Validation ```bash -vrg-docker-run -- vrg-validate # Full validation (runs in dev container) +vrg-container-run -- vrg-validate # Full validation (runs in dev container) ``` ### Build and Validate 
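Review bot: the `vergil-marketplace` entry in `.claude/settings.json` identifies its source only by `"source": "github"` and a bare `"repo"` name, so the rename to `vergil-project/vergil-claude-plugin` still tracks whatever that repository serves by default rather than a fixed revision. If the plugin source format accepts a ref or commit field, pinning it there would make the fleet refresh reproducible and keep a force-pushed or compromised default branch from flowing into every session; if it does not, recording that limitation in the commit message would at least document the trust decision.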
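Review bot: replacing the explicit `APP_CLIENT_ID` / `APP_PRIVATE_KEY` mapping in `.github/workflows/cd.yml` with `secrets: inherit` grants the called release workflow every secret available to the caller, not only the two the job previously received. That is a wider grant than the release step appears to need, and the commit message only says it "fixes CD startup_failure"; a startup_failure on a reusable-workflow call is commonly a mismatch between the secrets the caller passes and the ones the called workflow declares, so if that is the cause here, correcting the secret names would keep the narrower explicit mapping. If `inherit` is genuinely required by the shared workflow, a comment beside it saying why would stop the next refresh from tightening it back.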
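Review bot: rule 3 in the `@@ -36,19 +36,19 @@` hunk of `CLAUDE.md` drops the backticks around `develop` (`"no direct commits to develop"`), which looks unintentional since the same hunk still formats the branch name as code in `usually \`develop\``; restore them, or if the canonical template deliberately plain-texts branch names, apply that consistently. The bare `/` that now heads the `### Structure` tree ("sessions ALWAYS start here") also reads as the filesystem root in rendered text; if it stands for a project-root placeholder, make sure the placeholder marker survives rendering.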
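Review bot: the new `## Validation` section added in the `@@ -70,22 +70,44 @@` hunk and the existing `### Validation` section updated in the `@@ -118,7 +140,7 @@` hunk now document the same command, `vrg-container-run -- vrg-validate`, in two places, with a third phrasing in the agent prompt contract ("run it from inside your worktree"). Consolidating to one canonical section and referencing it from the others means the next tool rename (such as `vrg-docker-run` -> `vrg-container-run` in this very patch) only has to land once. Separately, `## Shell command policy` states that raw `git` and `gh` are denied by the permission model, but the enforcement lives outside this file (the commit message says the hook guard landed via #312); a pointer to where that deny rule is configured would let a reader verify the policy rather than take the prose on trust.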
From 38f2826a227b4ddb8538c77b1e8c9bdf8ac14bb3 Mon Sep 17 00:00:00 2001 From: Phillip Moore Date: Tue, 2 Jun 2026 08:21:31 -0400 Subject: [PATCH 2/3] fix(security): invoke bash by absolute path in integration test CodeQL java/relative-path-command flagged ProcessBuilder("bash", ...) in MqRestSessionIT (relative command name is PATH-hijackable). Use the absolute /bin/bash. Refs #313. --- .../mqrestadminproject/mq/rest/admin/MqRestSessionIT.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/test/java/io/github/mqrestadminproject/mq/rest/admin/MqRestSessionIT.java b/src/test/java/io/github/mqrestadminproject/mq/rest/admin/MqRestSessionIT.java index de56292..baeda43 100644 --- a/src/test/java/io/github/mqrestadminproject/mq/rest/admin/MqRestSessionIT.java +++ b/src/test/java/io/github/mqrestadminproject/mq/rest/admin/MqRestSessionIT.java @@ -673,7 +673,8 @@ REST_BASE_URL, QM1_NAME, new LtpaAuth(ADMIN_USER, ADMIN_PASSWORD)) // ------------------------------------------------------------------------- private static void runScript(Path script) throws IOException, InterruptedException { - ProcessBuilder pb = new ProcessBuilder("bash", script.toString()); + // Absolute path avoids PATH-hijack (CodeQL java/relative-path-command). + ProcessBuilder pb = new ProcessBuilder("/bin/bash", script.toString()); pb.inheritIO(); pb.directory(REPO_ROOT.toFile()); int exitCode = pb.start().waitFor(); From 6d75a039a81a9096a870b528744190e8686c4529 Mon Sep 17 00:00:00 2001 From: Phillip Moore Date: Tue, 2 Jun 2026 08:24:29 -0400 Subject: [PATCH 3/3] chore(ci): re-trigger CI after transient maven-central resolution flake Empty commit to re-run CI. A prior run failed in checkstyle:check with a transient 'Failed to read artifact descriptor for maven-reporting-api:jar:4.0.0' (Maven Central fetch hiccup), unrelated to the changes here. Refs #313.
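Review bot: in `runScript` the switch to `/bin/bash` removes the PATH lookup for the interpreter itself, but the script it launches still resolves every command it invokes through the inherited environment, and `pb.inheritIO()` / `pb.directory(REPO_ROOT.toFile())` leave that environment untouched, so the CodeQL finding is satisfied while the same class of exposure remains one level down. Consider narrowing `pb.environment()` for the integration test (for example, setting PATH to a fixed system path) and extending the added comment to state the assumption: `/bin/bash` does not exist on every host, so if this test is only meant to run inside the dev container (`vrg-container-run`), saying so makes the hard-coded path an explicit decision rather than an accident.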