Merge pull request 'Poetry update' (#7 ) from poetry-update-2.3.3 into main

Reviewed-on: #7
Version bump
2026-04-03 07:24:44 +00:00 · 2026-04-03 08:21:12 +01:00 · 2026-04-03 08:19:40 +01:00 · 2026-04-03 08:16:56 +01:00 · 2026-04-03 08:14:37 +01:00 · 2026-03-25 16:31:27 +00:00
8 changed files with 447 additions and 75 deletions
@@ -0,0 +1,188 @@
+name: Security Scan
+
+on:
+  schedule:
+    - cron: 27 8 * * *
+  workflow_dispatch:
+
+jobs:
+  security-scan:
+    runs-on: running-man
+
+    env:
+      TARGET_DIR: .
+      COSIGN_VERSION: v3.0.5
+      SYFT_VERSION: v1.42.3
+      GRYPE_VERSION: v0.110.0
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Cosign (bootstrap)
+        run: |
+          set -euo pipefail
+
+          FILE="cosign-linux-amd64"
+
+          curl -fLO https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${FILE}
+
+          chmod +x ${FILE}
+          mv ${FILE} /usr/local/bin/cosign
+
+          cosign version
+
+      - name: Install Syft (verified)
+        run: |
+          set -euo pipefail
+
+          VERSION_NO_V="${SYFT_VERSION#v}"
+          FILE="syft_${VERSION_NO_V}_linux_amd64.tar.gz"
+          BASE_URL="https://github.com/anchore/syft/releases/download/${SYFT_VERSION}"
+
+          curl -fLO ${BASE_URL}/${FILE}
+          curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt
+          curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt.sig
+          curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt.pem
+
+          cosign verify-blob \
+            --signature syft_${VERSION_NO_V}_checksums.txt.sig \
+            --certificate syft_${VERSION_NO_V}_checksums.txt.pem \
+            --certificate-identity-regexp "https://github.com/anchore/syft" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            syft_${VERSION_NO_V}_checksums.txt
+
+          CHECKSUM_LINE=$(grep " ${FILE}$" syft_${VERSION_NO_V}_checksums.txt)
+          if [ -z "$CHECKSUM_LINE" ]; then
+            echo "Missing checksum entry for ${FILE}"
+            exit 1
+          fi
+
+          echo "$CHECKSUM_LINE" | sha256sum -c -
+
+          tar -xzf ${FILE}
+          mv syft /usr/local/bin/
+
+          syft version
+
+      - name: Install Grype (verified)
+        run: |
+          set -euo pipefail
+
+          VERSION_NO_V="${GRYPE_VERSION#v}"
+          FILE="grype_${VERSION_NO_V}_linux_amd64.tar.gz"
+          BASE_URL="https://github.com/anchore/grype/releases/download/${GRYPE_VERSION}"
+
+          curl -fLO ${BASE_URL}/${FILE}
+          curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt
+          curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt.sig
+          curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt.pem
+
+          cosign verify-blob \
+            --signature grype_${VERSION_NO_V}_checksums.txt.sig \
+            --certificate grype_${VERSION_NO_V}_checksums.txt.pem \
+            --certificate-identity-regexp "https://github.com/anchore/grype" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            grype_${VERSION_NO_V}_checksums.txt
+
+          CHECKSUM_LINE=$(grep " ${FILE}$" grype_${VERSION_NO_V}_checksums.txt)
+          if [ -z "$CHECKSUM_LINE" ]; then
+            echo "Missing checksum entry for ${FILE}"
+            exit 1
+          fi
+
+          echo "$CHECKSUM_LINE" | sha256sum -c -
+
+          tar -xzf ${FILE}
+          mv grype /usr/local/bin/
+
+          grype version
+
+      - name: Generate SBOM
+        working-directory: ${{ env.TARGET_DIR }}
+        run: |
+          syft dir:. -o json > sbom.json
+
+      - name: Show SBOM contents
+        working-directory: ${{ env.TARGET_DIR }}
+        run: |
+          echo "Packages discovered by Syft:"
+          jq -r '.artifacts[] | "\(.name)@\(.version) [\(.type)]"' sbom.json | sort
+
+      - name: Run Grype scan (JSON)
+        id: audit
+        continue-on-error: true
+        working-directory: ${{ env.TARGET_DIR }}
+        run: |
+          grype sbom:sbom.json -o json > grype.json
+
+          echo "Vulnerabilities (fixable only):"
+          jq -r '
+            .matches[]
+            | select((.vulnerability.fix.versions | length) > 0)
+            | "\(.artifact.name)@\(.artifact.version) -> \(.vulnerability.id) [\(.vulnerability.severity)] | fixed: \(.vulnerability.fix.versions[0])"
+          ' grype.json
+
+          # Fail only on fixable MEDIUM/HIGH/CRITICAL
+          jq -e '
+            [
+              .matches[]?
+              | select(
+                  (
+                    .vulnerability.severity == "Medium" or
+                    .vulnerability.severity == "High" or
+                    .vulnerability.severity == "Critical"
+                  )
+                  and
+                  (
+                    (.vulnerability.fix.versions | length) > 0
+                  )
+                )
+            ]
+            | length == 0
+          ' grype.json
+
+      - name: Show full Grype table
+        working-directory: ${{ env.TARGET_DIR }}
+        run: |
+          echo "Full Grype report:"
+          grype sbom:sbom.json -o table
+
+      - name: Notify Node-RED on vulnerabilities
+        if: steps.audit.outcome == 'failure'
+        working-directory: ${{ env.TARGET_DIR }}
+        run: |
+          jq '
+          {
+            repo: "guardutils/chguard",
+            summary: (
+              "Total: " +
+              (
+                [
+                  .matches[]
+                  | select((.vulnerability.fix.versions | length) > 0)
+                ] | length | tostring
+              )
+            ),
+            vulnerabilities: [
+              .matches[]
+              | select((.vulnerability.fix.versions | length) > 0)
+              | {
+                library: .artifact.name,
+                cve: .vulnerability.id,
+                severity: .vulnerability.severity,
+                installed: .artifact.version,
+                fixed: (.vulnerability.fix.versions[0]),
+                title: .vulnerability.description,
+                url: .vulnerability.dataSource
+              }
+            ]
+          }
+          ' grype.json \
+          | curl -s -X POST https://nodered.sysmd.uk/vulns-alert \
+              -H "Content-Type: application/json" \
+              --data-binary @-
+
+      - name: Fail workflow if vulnerabilities found
+        if: steps.audit.outcome == 'failure'
+        run: exit 1
@@ -85,7 +85,7 @@ ipython_config.py
 # pyenv
 #   For a library or package, you might want to ignore these files since the code is
 #   intended to run in multiple environments; otherwise, check them in:
-# .python-version
+.python-version

 # pipenv
 #   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
@@ -1,19 +1,19 @@
 repos:
  - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.9
+    rev: 1.9.4
    hooks:
      - id: bandit
        files: ^src/mirro/
        args: ["-lll", "-iii", "-s", "B110,B112"]

  - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 25.11.0
+    rev: 26.3.1
    hooks:
      - id: black
        language_version: python3.13

  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v6.0.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
@@ -5,7 +5,7 @@
 # chguard

 <div align="center">
-  <img src="chguard.png" alt="chguard logo" width="256" />
+  <img src="https://git.sysmd.uk/guardutils/chguard/raw/branch/main/chguard.png" alt="chguard logo" width="256" />
 </div>


@@ -30,6 +30,31 @@ A single confirmation prompt at the end of a restore (default: **No**).
 ### Dry-run mode
 Preview restore operations without prompting or applying changes.

+### Wrapper mode (automatic snapshots)
+
+`chguard` can also run as a wrapper around ownership and permission commands.
+In this mode, `chguard` automatically saves a snapshot before the command runs, so the user can easily restore the previous state if needed.
+
+#### Supported commands
+
+Wrapper mode is intentionally limited to commands that modify filesystem metadata only:
+
+* `chown`
+* `chmod`
+* `chgrp`
+
+Other commands are rejected to avoid giving a _false sense of protection_.
+
+#### Automatic snapshot names
+
+Snapshots created in wrapper mode are named automatically, for example:
+
+```
+auto-20251230-161301
+```
+
+Auto-generated snapshots are visually distinguished in the output so they are easy to identify.
+
 ### Scope control
 Restore:
 * both ownership and permissions (default)
@@ -55,7 +80,6 @@ Restore:

 It only concerns itself with **ownership** and **permissions**.

-
 ## Installation

 ### From GuardUtils package repo
@@ -179,6 +203,16 @@ chguard --restore app-baseline --permissions
 chguard --restore app-baseline --owner
 ```

+### Wrapper mode
+
+Use `--` to separate `chguard` arguments from the wrapped command:
+
+```
+chguard -- chown user:group file
+chguard -- chmod 755 file
+chguard -- chgrp staff file
+```
+
 ## Privilege model

 `chguard` never escalates privileges automatically
@@ -8,6 +8,7 @@ import sys
 import stat
 import pwd
 import grp
+import subprocess
 from collections import Counter, defaultdict
 from pathlib import Path
 from datetime import datetime
@@ -37,7 +38,6 @@ def get_version():


 def _uid_to_name(uid: int) -> str:
-    """Return username for uid, or uid as string if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
@@ -45,7 +45,6 @@ def _uid_to_name(uid: int) -> str:


 def _gid_to_name(gid: int) -> str:
-    """Return group name for gid, or gid as string if unknown."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
@@ -53,12 +52,10 @@ def _gid_to_name(gid: int) -> str:


 def _format_owner(uid: int, gid: int) -> str:
-    """Format uid/gid as username:group."""
    return f"{_uid_to_name(uid)}:{_gid_to_name(gid)}"


 def _mode_to_rwx(mode: int) -> str:
-    """Convert numeric mode to rwx-style permissions."""
    bits = (
        stat.S_IRUSR,
        stat.S_IWUSR,
@@ -88,7 +85,6 @@ def _mode_to_rwx(mode: int) -> str:


 def _is_root() -> bool:
-    """Return True if running as root."""
    return os.geteuid() == 0


@@ -105,6 +101,17 @@ def complete_state_names(prefix, parsed_args, **kwargs):
        return []


+def _extract_paths_from_command(cmd: list[str]) -> list[Path]:
+    paths = []
+    for arg in cmd:
+        if arg.startswith("-"):
+            continue
+        p = Path(arg)
+        if p.exists():
+            paths.append(p.resolve())
+    return paths
+
+
 def main() -> None:
    """
    Entry point for the CLI.
@@ -116,12 +123,33 @@ def main() -> None:
    - Symlinks are skipped during scanning
    """

+    wrapper_cmd = None
+    if "--" in sys.argv:
+        idx = sys.argv.index("--")
+        wrapper_cmd = sys.argv[idx + 1 :]
+        sys.argv = sys.argv[:idx]
+
    parser = argparse.ArgumentParser(
        prog="chguard",
        description="Snapshot and restore filesystem ownership and permissions.",
    )

-    actions = parser.add_mutually_exclusive_group(required=True)
+    parser = argparse.ArgumentParser(
+        prog="chguard",
+        description="Snapshot and restore filesystem ownership and permissions.",
+        epilog=(
+            "Wrapper mode:\n"
+            "  chguard -- chown [OPTIONS] PATH...\n"
+            "  chguard -- chmod [OPTIONS] PATH...\n"
+            "  chguard -- chgrp [OPTIONS] PATH...\n\n"
+            "In wrapper mode, chguard automatically saves a snapshot of ownership\n"
+            "and permissions for the affected paths before running the command.\n"
+            "Only chown, chmod, and chgrp are supported."
+        ),
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+    )
+
+    actions = parser.add_mutually_exclusive_group(required=wrapper_cmd is None)

    parser.add_argument(
        "--version",
@@ -216,11 +244,84 @@ def main() -> None:

    argcomplete.autocomplete(parser)
    args = parser.parse_args()
+
+    if wrapper_cmd is not None:
+        if not wrapper_cmd:
+            raise SystemExit("No command provided after '--'")
+
+        cmd = Path(wrapper_cmd[0]).name
+
+        if cmd not in ("chown", "chmod", "chgrp"):
+            raise SystemExit(
+                "Wrapper mode only supports chown, chmod, and chgrp"
+            )
+
    console = Console()

    conn = connect(Path(args.db).expanduser().resolve() if args.db else None)
    init_db(conn)

+    if wrapper_cmd:
+        paths = _extract_paths_from_command(wrapper_cmd)
+        if paths:
+            auto_name = f"auto-{datetime.now().strftime('%Y%m%d-%H%M%S')}"
+            with conn:
+                root_path = str(Path(paths[0]).resolve())
+                state_id = create_state(
+                    conn, auto_name, root_path, os.getuid(), commit=False
+                )
+
+                for path in paths:
+                    if path.is_dir():
+                        for entry in scan_tree(path):
+                            if entry.uid == 0 and not _is_root():
+                                raise SystemExit(
+                                    "This command affects root-owned files.\n"
+                                    "Please re-run with sudo."
+                                )
+                            conn.execute(
+                                """
+                                INSERT INTO entries (state_id, path, type, mode, uid, gid)
+                                VALUES (?, ?, ?, ?, ?, ?)
+                                """,
+                                (
+                                    state_id,
+                                    entry.path,
+                                    entry.type,
+                                    entry.mode,
+                                    entry.uid,
+                                    entry.gid,
+                                ),
+                            )
+                    else:
+                        st = path.lstat()
+                        if st.st_uid == 0 and not _is_root():
+                            raise SystemExit(
+                                "This command affects root-owned files.\n"
+                                "Please re-run with sudo."
+                            )
+                        conn.execute(
+                            """
+                            INSERT INTO entries (state_id, path, type, mode, uid, gid)
+                            VALUES (?, ?, ?, ?, ?, ?)
+                            """,
+                            (
+                                state_id,
+                                str(path),
+                                "file",
+                                stat.S_IMODE(st.st_mode),
+                                st.st_uid,
+                                st.st_gid,
+                            ),
+                        )
+
+            console.print(
+                f"Saved pre-command snapshot: [cyan]{auto_name}[/cyan]"
+            )
+
+        proc = subprocess.run(wrapper_cmd)
+        sys.exit(proc.returncode)
+
    if args.list:
        rows = conn.execute(
            "SELECT name, root_path, created_at FROM states ORDER BY created_at DESC"
@@ -230,11 +331,31 @@ def main() -> None:
            console.print("No saved states.")
            return

+        table = Table(box=box.SIMPLE, header_style="bold")
+
+        table.add_column("State")
+        table.add_column("Root path")
+        table.add_column("Created")
+
        for name, root, created in rows:
            dt = datetime.fromisoformat(created)
            ts = dt.strftime("%Y-%m-%d %H:%M:%S %z")
-            console.print(f"{name}\t{root}\t[dim]{ts}[/dim]")
-        return
+
+            state_name = (
+                f"[bright_cyan]{name}[/bright_cyan]"
+                if name.startswith("auto-")
+                else name
+            )
+            root = f"[bright_magenta]{root}[/bright_magenta]"
+            ts = f"[bright_cyan]{created}[/bright_cyan]"
+
+            table.add_row(
+                state_name,
+                root,
+                ts,
+            )
+
+        console.print(table)

    if args.delete:
        if delete_state(conn, args.delete) == 0:
@@ -248,42 +369,49 @@ def main() -> None:

        root = normalize_root(args.save)

-        if state_exists(conn, args.name):
-            if not args.overwrite:
-                raise SystemExit(
-                    f"State '{args.name}' already exists (use --overwrite)"
-                )
-            delete_state(conn, args.name)
+        try:
+            with conn:  # start transaction
+                if state_exists(conn, args.name):
+                    if not args.overwrite:
+                        raise SystemExit(
+                            f"State '{args.name}' already exists (use --overwrite)"
+                        )
+                    # if the new save fails, this delete_state step will also roll back
+                    delete_state(conn, args.name, commit=False)

-        state_id = create_state(conn, args.name, str(root), os.getuid())
-
-        # Abort early if root-owned files exist and user is not root.
-        # This prevents creating snapshots that cannot be meaningfully restored.
-        for entry in scan_tree(root, excludes=args.exclude):
-            if entry.uid == 0 and not _is_root():
-                raise SystemExit(
-                    "This path contains root-owned files.\n"
-                    "Saving this state requires sudo."
+                state_id = create_state(
+                    conn, args.name, str(root), os.getuid(), commit=False
                )

-            conn.execute(
-                """
-                INSERT INTO entries (state_id, path, type, mode, uid, gid)
-                VALUES (?, ?, ?, ?, ?, ?)
-                """,
-                (
-                    state_id,
-                    entry.path,
-                    entry.type,
-                    entry.mode,
-                    entry.uid,
-                    entry.gid,
-                ),
-            )
+                # Abort early if root-owned files exist and user is not root.
+                # This prevents creating snapshots that cannot be meaningfully restored.
+                for entry in scan_tree(root, excludes=args.exclude):
+                    if entry.uid == 0 and not _is_root():
+                        raise SystemExit(
+                            "This path contains root-owned files.\n"
+                            "Saving this state requires sudo."
+                        )

-        conn.commit()
-        console.print(f"Saved state '{args.name}' for {root}")
-        return
+                    conn.execute(
+                        """
+                        INSERT INTO entries (state_id, path, type, mode, uid, gid)
+                        VALUES (?, ?, ?, ?, ?, ?)
+                        """,
+                        (
+                            state_id,
+                            entry.path,
+                            entry.type,
+                            entry.mode,
+                            entry.uid,
+                            entry.gid,
+                        ),
+                    )
+
+            console.print(f"Saved state '{args.name}' for {root}")
+            return
+
+        except SystemExit:
+            raise

    if args.restore:
        if not args.state:
@@ -339,7 +467,7 @@ def main() -> None:
                ] = f"{_format_owner(bu, bg)} → {_format_owner(au, ag)}"
                counts["owner"] += 1

-                if au != current_uid:
+                if ch.path.stat().st_uid != current_uid:
                    needs_root = True

            elif ch.kind == "mode" and restore_permissions:
@@ -6,7 +6,6 @@ from datetime import datetime, timezone
 from pathlib import Path
 from platformdirs import user_data_dir

-
 APP_NAME = "chguard"


@@ -24,8 +23,7 @@ def connect(db_path: Path | None = None) -> sqlite3.Connection:


 def init_db(conn: sqlite3.Connection) -> None:
-    conn.executescript(
-        """
+    conn.executescript("""
        CREATE TABLE IF NOT EXISTS states (
            id INTEGER PRIMARY KEY,
            name TEXT UNIQUE NOT NULL,
@@ -46,8 +44,7 @@ def init_db(conn: sqlite3.Connection) -> None:
        );

        CREATE INDEX IF NOT EXISTS idx_entries_state_id ON entries(state_id);
-        """
-    )
+        """)
    conn.commit()


@@ -61,19 +58,28 @@ def state_exists(conn: sqlite3.Connection, name: str) -> bool:


 def create_state(
-    conn: sqlite3.Connection, name: str, root_path: str, created_by_uid: int
+    conn: sqlite3.Connection,
+    name: str,
+    root_path: str,
+    created_by_uid: int,
+    *,
+    commit: bool = True,
 ) -> int:
    cur = conn.execute(
        "INSERT INTO states (name, root_path, created_at, created_by_uid) VALUES (?, ?, ?, ?)",
        (name, root_path, utc_now_iso(), created_by_uid),
    )
-    conn.commit()
+    if commit:
+        conn.commit()
    return int(cur.lastrowid)


-def delete_state(conn: sqlite3.Connection, name: str) -> int:
+def delete_state(
+    conn: sqlite3.Connection, name: str, commit: bool = True
+) -> int:
    cur = conn.execute("DELETE FROM states WHERE name = ?", (name,))
-    conn.commit()
+    if commit:
+        conn.commit()
    return cur.rowcount


@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.4 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.3.3 and should not be changed by hand.

 [[package]]
 name = "argcomplete"
@@ -6,6 +6,7 @@ version = "3.6.3"
 description = "Bash tab completion for argparse"
 optional = false
 python-versions = ">=3.8"
+groups = ["main"]
 files = [
    {file = "argcomplete-3.6.3-py3-none-any.whl", hash = "sha256:f5007b3a600ccac5d25bbce33089211dfd49eab4a7718da3f10e3082525a92ce"},
    {file = "argcomplete-3.6.3.tar.gz", hash = "sha256:62e8ed4fd6a45864acc8235409461b72c9a28ee785a2011cc5eb78318786c89c"},
@@ -20,6 +21,7 @@ version = "3.5.0"
 description = "Validate configuration and produce human readable error messages."
 optional = false
 python-versions = ">=3.10"
+groups = ["dev"]
 files = [
    {file = "cfgv-3.5.0-py2.py3-none-any.whl", hash = "sha256:a8dc6b26ad22ff227d2634a65cb388215ce6cc96bbcc5cfde7641ae87e8dacc0"},
    {file = "cfgv-3.5.0.tar.gz", hash = "sha256:d5b1034354820651caa73ede66a6294d6e95c1b00acc5e9b098e917404669132"},
@@ -31,6 +33,7 @@ version = "0.4.0"
 description = "Distribution utilities"
 optional = false
 python-versions = "*"
+groups = ["dev"]
 files = [
    {file = "distlib-0.4.0-py2.py3-none-any.whl", hash = "sha256:9659f7d87e46584a30b5780e43ac7a2143098441670ff0a49d5f9034c54a6c16"},
    {file = "distlib-0.4.0.tar.gz", hash = "sha256:feec40075be03a04501a973d81f633735b4b69f98b05450592310c0f401a4e0d"},
@@ -38,13 +41,14 @@ files = [

 [[package]]
 name = "filelock"
-version = "3.20.1"
+version = "3.20.3"
 description = "A platform independent file lock."
 optional = false
 python-versions = ">=3.10"
+groups = ["main", "dev"]
 files = [
-    {file = "filelock-3.20.1-py3-none-any.whl", hash = "sha256:15d9e9a67306188a44baa72f569d2bfd803076269365fdea0934385da4dc361a"},
-    {file = "filelock-3.20.1.tar.gz", hash = "sha256:b8360948b351b80f420878d8516519a2204b07aefcdcfd24912a5d33127f188c"},
+    {file = "filelock-3.20.3-py3-none-any.whl", hash = "sha256:4b0dda527ee31078689fc205ec4f1c1bf7d56cf88b6dc9426c4f230e46c2dce1"},
+    {file = "filelock-3.20.3.tar.gz", hash = "sha256:18c57ee915c7ec61cff0ecf7f0f869936c7c30191bb0cf406f1341778d0834e1"},
 ]

 [[package]]
@@ -53,6 +57,7 @@ version = "2.6.15"
 description = "File identification library for Python"
 optional = false
 python-versions = ">=3.9"
+groups = ["dev"]
 files = [
    {file = "identify-2.6.15-py2.py3-none-any.whl", hash = "sha256:1181ef7608e00704db228516541eb83a88a9f94433a8c80bb9b5bd54b1d81757"},
    {file = "identify-2.6.15.tar.gz", hash = "sha256:e4f4864b96c6557ef2a1e1c951771838f4edc9df3a72ec7118b338801b11c7bf"},
@@ -67,6 +72,7 @@ version = "4.0.0"
 description = "Python port of markdown-it. Markdown parsing, done right!"
 optional = false
 python-versions = ">=3.10"
+groups = ["main"]
 files = [
    {file = "markdown_it_py-4.0.0-py3-none-any.whl", hash = "sha256:87327c59b172c5011896038353a81343b6754500a08cd7a4973bb48c6d578147"},
    {file = "markdown_it_py-4.0.0.tar.gz", hash = "sha256:cb0a2b4aa34f932c007117b194e945bd74e0ec24133ceb5bac59009cda1cb9f3"},
@@ -90,6 +96,7 @@ version = "0.1.2"
 description = "Markdown URL utilities"
 optional = false
 python-versions = ">=3.7"
+groups = ["main"]
 files = [
    {file = "mdurl-0.1.2-py3-none-any.whl", hash = "sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8"},
    {file = "mdurl-0.1.2.tar.gz", hash = "sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba"},
@@ -101,6 +108,7 @@ version = "1.10.0"
 description = "Node.js virtual environment builder"
 optional = false
 python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7"
+groups = ["dev"]
 files = [
    {file = "nodeenv-1.10.0-py2.py3-none-any.whl", hash = "sha256:5bb13e3eed2923615535339b3c620e76779af4cb4c6a90deccc9e36b274d3827"},
    {file = "nodeenv-1.10.0.tar.gz", hash = "sha256:996c191ad80897d076bdfba80a41994c2b47c68e224c542b48feba42ba00f8bb"},
@@ -112,6 +120,7 @@ version = "4.5.1"
 description = "A small Python package for determining appropriate platform-specific dirs, e.g. a `user data dir`."
 optional = false
 python-versions = ">=3.10"
+groups = ["main", "dev"]
 files = [
    {file = "platformdirs-4.5.1-py3-none-any.whl", hash = "sha256:d03afa3963c806a9bed9d5125c8f4cb2fdaf74a55ab60e5d59b3fde758104d31"},
    {file = "platformdirs-4.5.1.tar.gz", hash = "sha256:61d5cdcc6065745cdd94f0f878977f8de9437be93de97c1c12f853c9c0cdcbda"},
@@ -128,6 +137,7 @@ version = "3.8.0"
 description = "A framework for managing and maintaining multi-language pre-commit hooks."
 optional = false
 python-versions = ">=3.9"
+groups = ["dev"]
 files = [
    {file = "pre_commit-3.8.0-py2.py3-none-any.whl", hash = "sha256:9a90a53bf82fdd8778d58085faf8d83df56e40dfe18f45b19446e26bf1b3a63f"},
    {file = "pre_commit-3.8.0.tar.gz", hash = "sha256:8bb6494d4a20423842e198980c9ecf9f96607a07ea29549e180eef9ae80fe7af"},
@@ -142,13 +152,14 @@ virtualenv = ">=20.10.0"

 [[package]]
 name = "pygments"
-version = "2.19.2"
+version = "2.20.0"
 description = "Pygments is a syntax highlighting package written in Python."
 optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.9"
+groups = ["main"]
 files = [
-    {file = "pygments-2.19.2-py3-none-any.whl", hash = "sha256:86540386c03d588bb81d44bc3928634ff26449851e99741617ecb9037ee5ec0b"},
-    {file = "pygments-2.19.2.tar.gz", hash = "sha256:636cb2477cec7f8952536970bc533bc43743542f70392ae026374600add5b887"},
+    {file = "pygments-2.20.0-py3-none-any.whl", hash = "sha256:81a9e26dd42fd28a23a2d169d86d7ac03b46e2f8b59ed4698fb4785f946d0176"},
+    {file = "pygments-2.20.0.tar.gz", hash = "sha256:6757cd03768053ff99f3039c1a36d6c0aa0b263438fcab17520b30a303a82b5f"},
 ]

 [package.extras]
@@ -160,6 +171,7 @@ version = "6.0.3"
 description = "YAML parser and emitter for Python"
 optional = false
 python-versions = ">=3.8"
+groups = ["dev"]
 files = [
    {file = "PyYAML-6.0.3-cp38-cp38-macosx_10_13_x86_64.whl", hash = "sha256:c2514fceb77bc5e7a2f7adfaa1feb2fb311607c9cb518dbc378688ec73d8292f"},
    {file = "PyYAML-6.0.3-cp38-cp38-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:9c57bb8c96f6d1808c030b1687b9b5fb476abaa47f0db9c0101f5e9f394e97f4"},
@@ -242,6 +254,7 @@ version = "14.2.0"
 description = "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal"
 optional = false
 python-versions = ">=3.8.0"
+groups = ["main"]
 files = [
    {file = "rich-14.2.0-py3-none-any.whl", hash = "sha256:76bc51fe2e57d2b1be1f96c524b890b816e334ab4c1e45888799bfaab0021edd"},
    {file = "rich-14.2.0.tar.gz", hash = "sha256:73ff50c7c0c1c77c8243079283f4edb376f0f6442433aecb8ce7e6d0b92d1fe4"},
@@ -260,6 +273,8 @@ version = "4.15.0"
 description = "Backported and Experimental Type Hints for Python 3.9+"
 optional = false
 python-versions = ">=3.9"
+groups = ["dev"]
+markers = "python_version == \"3.10\""
 files = [
    {file = "typing_extensions-4.15.0-py3-none-any.whl", hash = "sha256:f0fa19c6845758ab08074a0cfa8b7aecb71c999ca73d62883bc25cc018c4e548"},
    {file = "typing_extensions-4.15.0.tar.gz", hash = "sha256:0cea48d173cc12fa28ecabc3b837ea3cf6f38c6d1136f85cbaaf598984861466"},
@@ -267,26 +282,27 @@ files = [

 [[package]]
 name = "virtualenv"
-version = "20.35.4"
+version = "20.36.1"
 description = "Virtual Python Environment builder"
 optional = false
 python-versions = ">=3.8"
+groups = ["dev"]
 files = [
-    {file = "virtualenv-20.35.4-py3-none-any.whl", hash = "sha256:c21c9cede36c9753eeade68ba7d523529f228a403463376cf821eaae2b650f1b"},
-    {file = "virtualenv-20.35.4.tar.gz", hash = "sha256:643d3914d73d3eeb0c552cbb12d7e82adf0e504dbf86a3182f8771a153a1971c"},
+    {file = "virtualenv-20.36.1-py3-none-any.whl", hash = "sha256:575a8d6b124ef88f6f51d56d656132389f961062a9177016a50e4f507bbcc19f"},
+    {file = "virtualenv-20.36.1.tar.gz", hash = "sha256:8befb5c81842c641f8ee658481e42641c68b5eab3521d8e092d18320902466ba"},
 ]

 [package.dependencies]
 distlib = ">=0.3.7,<1"
-filelock = ">=3.12.2,<4"
+filelock = {version = ">=3.20.1,<4", markers = "python_version >= \"3.10\""}
 platformdirs = ">=3.9.1,<5"
 typing-extensions = {version = ">=4.13.2", markers = "python_version < \"3.11\""}

 [package.extras]
 docs = ["furo (>=2023.7.26)", "proselint (>=0.13)", "sphinx (>=7.1.2,!=7.3)", "sphinx-argparse (>=0.4)", "sphinxcontrib-towncrier (>=0.2.1a0)", "towncrier (>=23.6)"]
-test = ["covdefaults (>=2.3)", "coverage (>=7.2.7)", "coverage-enable-subprocess (>=1)", "flaky (>=3.7)", "packaging (>=23.1)", "pytest (>=7.4)", "pytest-env (>=0.8.2)", "pytest-freezer (>=0.4.8)", "pytest-mock (>=3.11.1)", "pytest-randomly (>=3.12)", "pytest-timeout (>=2.1)", "setuptools (>=68)", "time-machine (>=2.10)"]
+test = ["covdefaults (>=2.3)", "coverage (>=7.2.7)", "coverage-enable-subprocess (>=1)", "flaky (>=3.7)", "packaging (>=23.1)", "pytest (>=7.4)", "pytest-env (>=0.8.2)", "pytest-freezer (>=0.4.8) ; platform_python_implementation == \"PyPy\" or platform_python_implementation == \"GraalVM\" or platform_python_implementation == \"CPython\" and sys_platform == \"win32\" and python_version >= \"3.13\"", "pytest-mock (>=3.11.1)", "pytest-randomly (>=3.12)", "pytest-timeout (>=2.1)", "setuptools (>=68)", "time-machine (>=2.10) ; platform_python_implementation == \"CPython\""]

 [metadata]
-lock-version = "2.0"
+lock-version = "2.1"
 python-versions = ">=3.10,<4.0"
-content-hash = "4a5c993fcc16fe3739c43eb00bed750ce0803d45e37c7a786aa0b83bb4930267"
+content-hash = "c1c99dd4ff6557dd08b58f3a8c50b893e68acabcb8b08a48ca78f7319a361635"
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "chguard"
-version = "0.2.1"
+version = "0.3.4"
 description = "Safety-first tool to snapshot and restore filesystem ownership and permissions."
 authors = ["Marco D'Aleo <marco@marcodaleo.com>"]
 license = "GPL-3.0-or-later"
@@ -12,13 +12,13 @@ repository = "https://git.sysmd.uk/guardutils/chguard"
 python = ">=3.10,<4.0"
 rich = ">=12"
 argcomplete = ">=2"
-platformdirs = ">=4.5.1"
-filelock = ">=3.20.1"
+platformdirs = ">=4.2.2"
+filelock = ">=3.15.4"

 [tool.poetry.scripts]
 chguard = "chguard.cli:main"

-[tool.poetry.dev-dependencies]
+[tool.poetry.group.dev.dependencies]
 pre-commit = "^3.8"

 [tool.black]
Author	SHA1	Message	Date
mdaleo404	88b2dfd1a5	Merge pull request 'Poetry update' (#7 ) from poetry-update-2.3.3 into main Security Scan / security-scan (push) Successful in 1m20s Details Reviewed-on: #7	2026-04-03 07:24:44 +00:00
mdaleo404	ee80306d9a	Version bump Lint & Security / precommit-and-security (pull_request) Successful in 1m2s Details	2026-04-03 08:21:12 +01:00
mdaleo404	cc97d3d7f1	Update Pygments Lint & Security / precommit-and-security (pull_request) Successful in 1m1s Details	2026-04-03 08:19:40 +01:00
mdaleo404	9bf5ef1d7d	Black formatting Lint & Security / precommit-and-security (pull_request) Failing after 1m1s Details	2026-04-03 08:16:56 +01:00
mdaleo404	24696af083	Poetry update Lint & Security / precommit-and-security (pull_request) Failing after 44s Details	2026-04-03 08:14:37 +01:00
mdaleo404	fcef549eba	Exclude unfixed vulnerabilities from security workflow results Security Scan / security-scan (push) Successful in 1m17s Details	2026-03-25 16:31:27 +00:00
mdaleo404	049273a13c	Switch Trivy scan to Syft and Grype	2026-03-25 16:10:01 +00:00
mdaleo404	d00407bb33	Disable trivy scan workflow	2026-03-23 08:02:12 +00:00
mdaleo404	a8dbe675f5	Update pre-commit hooks version Trivy Scan / security-scan (push) Successful in 27s Details	2026-03-21 07:25:11 +00:00
mdaleo404	cc2b1fe791	Ping Trivy docker image to 0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c	2026-03-21 07:05:33 +00:00
mdaleo404	db60b4e42b	Merge pull request 'Fix list view to be a rich table' (#6 ) from fix_list_view into main Trivy Scan / security-scan (push) Successful in 27s Details Reviewed-on: #6	2026-01-24 09:24:39 +00:00
mdaleo404	afc964a076	Fix list view to be a rich table Lint & Security / precommit-and-security (pull_request) Successful in 1m50s Details	2026-01-24 09:21:51 +00:00
mdaleo404	d42f6d5fe1	Merge pull request 'Relax dependencies to match Fedora 42 packages' (#5 ) from fix_filelock_platformdird_deps into main Trivy Scan / security-scan (push) Successful in 28s Details Reviewed-on: #5	2026-01-17 16:44:06 +00:00
mdaleo404	103d6159d1	Relax dependencies to match Fedora 42 packages Lint & Security / precommit-and-security (pull_request) Successful in 1m56s Details	2026-01-17 16:41:08 +00:00
mdaleo404	2ee9588fb9	Update filelock and virtualenv Trivy Scan / security-scan (push) Successful in 26s Details	2026-01-15 17:06:08 +00:00
mdaleo404	a2720e245f	Change trivy.json output path	2026-01-15 16:47:54 +00:00
mdaleo404	8e3404bd51	Rework the trivy scan job	2026-01-15 16:45:21 +00:00
mdaleo404	5ff1e935a3	Fix trivy scan volume path to be explicit	2026-01-15 16:39:40 +00:00
mdaleo404	7fafb1fa8e	Fix trivy scan volume path	2026-01-15 16:36:23 +00:00
mdaleo404	f87eb5f438	Fix trivy scan volume path	2026-01-15 16:22:47 +00:00
mdaleo404	1c3025b2d6	Fix docker command to trivy scan	2026-01-15 16:19:08 +00:00
mdaleo404	4980903572	Fix trivy.json output path	2026-01-15 16:13:48 +00:00
mdaleo404	a7183b3286	Fix trivy.json output path	2026-01-15 16:09:17 +00:00
mdaleo404	984aeccfdd	Fix trivy fs path	2026-01-15 16:05:51 +00:00
mdaleo404	dc6e7840c7	Modify severity level on trivy-scan workflow	2026-01-15 15:48:41 +00:00
mdaleo404	0464982b94	Add trivy-scan workflow	2026-01-15 15:41:29 +00:00
mdaleo404	4a4cb8183f	Merge pull request 'Add wrapper mode' (#4 ) from ch_wrapper into main Reviewed-on: #4	2025-12-30 17:31:45 +00:00
mdaleo404	20a0dca080	Add wrapper mode, update README, version bump 0.3.0 Lint & Security / precommit-and-security (pull_request) Successful in 2m7s Details	2025-12-30 17:27:15 +00:00
mdaleo404	7c391b8dbc	Fix logo path in README	2025-12-23 16:18:18 +00:00
mdaleo404	aafad81bb6	Merge pull request 'Make save operation transactional' (#3 ) from transaction_patch into main Reviewed-on: #3	2025-12-23 16:15:46 +00:00
mdaleo404	9658f534ea	Run save inside a single transaction to avoid partial writes when permission checks fail or state creation errors occur Lint & Security / precommit-and-security (pull_request) Successful in 59s Details	2025-12-23 16:07:46 +00:00
mdaleo404	5af28d21ca	Add .python-version to .gitignore	2025-12-21 14:03:52 +00:00