Goal
Refresh checked-in managed config to current Vergil tooling (v2.0.76) /
actions (v2.0.26) and get the repo green-and-clean, per the fleet refresh epic
mq-rest-admin-project/.github#14. Mirrors the completed go and rust repos.
Live non-conformance (verified on re-synced develop)
- Item 1 — marketplace rename.
.claude/settings.json marketplace repo is
vergil-project/vergil-plugin; must be vergil-project/vergil-claude-plugin.
- Item 3 — CLAUDE.md canonical template.
CLAUDE.md does not contain the
current canonical consumer template verbatim. Embed it and refresh stale prose
(vrg-docker-run → vrg-container-run if present).
- Item 6 —
.gitignore. .vergil/ is not ignored.
- Item 7 — CD
startup_failure. cd.yml release job passes the removed
APP_CLIENT_ID/APP_PRIVATE_KEY secrets to cd-release.yml@v2.0; replace
with secrets: inherit.
Item 2 (hook guard) already landed via mq-rest-admin-python#509.
Scanner findings (CodeQL/Semgrep ruleset drift — to be driven to green)
Updated scanner rulesets now flag hard-coded test/example credentials. Resolve
all of them (the goal is fully green, including these):
- Unit tests:
TEST_PASSWORD = "secret" (tests/pymqrest/test_auth.py) and
TEST_PASSWORD = "pass" (tests/pymqrest/test_session.py) → source from env.
- Examples:
getenv("MQ_ADMIN_PASSWORD", "mqadmin") defaults in the
__main__ blocks → require from env (no shipped default credential).
- Integration tests /
test_examples.py: same mqadmin default pattern — to be
resolved as CI surfaces them (needs a coordinated CI env so the integration
job keeps its credentials).
Acceptance
audit_local_config → COMPLIANT.vrg-container-run -- vrg-validate → all checks pass.- CI green and PR
mergeStateStatus: CLEAN (verified directly, not via the
exit code of vrg-wait-until-green — see vergil-tooling#1345).
- Post-merge develop
cd.yml run reaches docs with no startup_failure.
References
Goal
Refresh checked-in managed config to current Vergil tooling (v2.0.76) /
actions (v2.0.26) and get the repo green-and-clean, per the fleet refresh epic
mq-rest-admin-project/.github#14. Mirrors the completed go and rust repos.Live non-conformance (verified on re-synced develop)
.claude/settings.jsonmarketplace repo isvergil-project/vergil-plugin; must bevergil-project/vergil-claude-plugin.CLAUDE.mddoes not contain thecurrent canonical consumer template verbatim. Embed it and refresh stale prose
(
vrg-docker-run→vrg-container-runif present)..gitignore..vergil/is not ignored.startup_failure.cd.ymlrelease job passes the removedAPP_CLIENT_ID/APP_PRIVATE_KEYsecrets tocd-release.yml@v2.0; replacewith
secrets: inherit.Item 2 (hook guard) already landed via
mq-rest-admin-python#509.Scanner findings (CodeQL/Semgrep ruleset drift — to be driven to green)
Updated scanner rulesets now flag hard-coded test/example credentials. Resolve
all of them (the goal is fully green, including these):
TEST_PASSWORD = "secret"(tests/pymqrest/test_auth.py) andTEST_PASSWORD = "pass"(tests/pymqrest/test_session.py) → source from env.getenv("MQ_ADMIN_PASSWORD", "mqadmin")defaults in the__main__blocks → require from env (no shipped default credential).test_examples.py: samemqadmindefault pattern — to beresolved as CI surfaces them (needs a coordinated CI env so the integration
job keeps its credentials).
Acceptance
audit_local_config→ COMPLIANT.vrg-container-run -- vrg-validate→ all checks pass.mergeStateStatus: CLEAN(verified directly, not via theexit code of
vrg-wait-until-green— seevergil-tooling#1345).cd.ymlrun reachesdocswith nostartup_failure.References
mq-rest-admin-project/.github#14mq-rest-admin-go#307/release: 1.1.7 #308,#309/release: 1.1.7 #310;mq-rest-admin-rust#111/review: audit qualifier-specific attribute mappings for correctness #112