Exclude unfixed vulnerabilities from security workflow results

Reviewed-on: #25

.gitea/workflows/lint-and-security.yml

@@ -0,0 +1,36 @@
+name: Lint & Security
+
+on:
+  pull_request:
+
+jobs:
+  precommit-and-security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Install pre-commit
+        run: pip install pre-commit
+
+      - name: Run pre-commit hooks
+        run: pre-commit run --all-files --color always
+
+      - name: Install Poetry
+        run: |
+          pip install poetry
+          poetry self add poetry-plugin-export
+
+      - name: Install pip-audit
+        run: pip install pip-audit
+
+      - name: Audit dependencies (Poetry lockfile)
+        run: |
+          poetry export -f requirements.txt --without-hashes \
+            | pip-audit -r /dev/stdin

.gitea/workflows/security-scan.yml

@@ -0,0 +1,188 @@
+name: Security Scan
+
+on:
+  schedule:
+    - cron: 27 8 * * *
+  workflow_dispatch:
+
+jobs:
+  security-scan:
+    runs-on: running-man
+
+    env:
+      TARGET_DIR: .
+      COSIGN_VERSION: v3.0.5
+      SYFT_VERSION: v1.42.3
+      GRYPE_VERSION: v0.110.0
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Cosign (bootstrap)
+        run: |
+          set -euo pipefail
+
+          FILE="cosign-linux-amd64"
+
+          curl -fLO https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${FILE}
+
+          chmod +x ${FILE}
+          mv ${FILE} /usr/local/bin/cosign
+
+          cosign version
+
+      - name: Install Syft (verified)
+        run: |
+          set -euo pipefail
+
+          VERSION_NO_V="${SYFT_VERSION#v}"
+          FILE="syft_${VERSION_NO_V}_linux_amd64.tar.gz"
+          BASE_URL="https://github.com/anchore/syft/releases/download/${SYFT_VERSION}"
+
+          curl -fLO ${BASE_URL}/${FILE}
+          curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt
+          curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt.sig
+          curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt.pem
+
+          cosign verify-blob \
+            --signature syft_${VERSION_NO_V}_checksums.txt.sig \
+            --certificate syft_${VERSION_NO_V}_checksums.txt.pem \
+            --certificate-identity-regexp "https://github.com/anchore/syft" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            syft_${VERSION_NO_V}_checksums.txt
+
+          CHECKSUM_LINE=$(grep " ${FILE}$" syft_${VERSION_NO_V}_checksums.txt)
+          if [ -z "$CHECKSUM_LINE" ]; then
+            echo "Missing checksum entry for ${FILE}"
+            exit 1
+          fi
+
+          echo "$CHECKSUM_LINE" | sha256sum -c -
+
+          tar -xzf ${FILE}
+          mv syft /usr/local/bin/
+
+          syft version
+
+      - name: Install Grype (verified)
+        run: |
+          set -euo pipefail
+
+          VERSION_NO_V="${GRYPE_VERSION#v}"
+          FILE="grype_${VERSION_NO_V}_linux_amd64.tar.gz"
+          BASE_URL="https://github.com/anchore/grype/releases/download/${GRYPE_VERSION}"
+
+          curl -fLO ${BASE_URL}/${FILE}
+          curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt
+          curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt.sig
+          curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt.pem
+
+          cosign verify-blob \
+            --signature grype_${VERSION_NO_V}_checksums.txt.sig \
+            --certificate grype_${VERSION_NO_V}_checksums.txt.pem \
+            --certificate-identity-regexp "https://github.com/anchore/grype" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            grype_${VERSION_NO_V}_checksums.txt
+
+          CHECKSUM_LINE=$(grep " ${FILE}$" grype_${VERSION_NO_V}_checksums.txt)
+          if [ -z "$CHECKSUM_LINE" ]; then
+            echo "Missing checksum entry for ${FILE}"
+            exit 1
+          fi
+
+          echo "$CHECKSUM_LINE" | sha256sum -c -
+
+          tar -xzf ${FILE}
+          mv grype /usr/local/bin/
+
+          grype version
+
+      - name: Generate SBOM
+        working-directory: ${{ env.TARGET_DIR }}
+        run: |
+          syft dir:. -o json > sbom.json
+
+      - name: Show SBOM contents
+        working-directory: ${{ env.TARGET_DIR }}
+        run: |
+          echo "Packages discovered by Syft:"
+          jq -r '.artifacts[] | "\(.name)@\(.version) [\(.type)]"' sbom.json | sort
+
+      - name: Run Grype scan (JSON)
+        id: audit
+        continue-on-error: true
+        working-directory: ${{ env.TARGET_DIR }}
+        run: |
+          grype sbom:sbom.json -o json > grype.json
+
+          echo "Vulnerabilities (fixable only):"
+          jq -r '
+            .matches[]
+            | select((.vulnerability.fix.versions | length) > 0)
+            | "\(.artifact.name)@\(.artifact.version) -> \(.vulnerability.id) [\(.vulnerability.severity)] | fixed: \(.vulnerability.fix.versions[0])"
+          ' grype.json
+
+          # Fail only on fixable MEDIUM/HIGH/CRITICAL
+          jq -e '
+            [
+              .matches[]?
+              | select(
+                  (
+                    .vulnerability.severity == "Medium" or
+                    .vulnerability.severity == "High" or
+                    .vulnerability.severity == "Critical"
+                  )
+                  and
+                  (
+                    (.vulnerability.fix.versions | length) > 0
+                  )
+                )
+            ]
+            | length == 0
+          ' grype.json
+
+      - name: Show full Grype table
+        working-directory: ${{ env.TARGET_DIR }}
+        run: |
+          echo "Full Grype report:"
+          grype sbom:sbom.json -o table
+
+      - name: Notify Node-RED on vulnerabilities
+        if: steps.audit.outcome == 'failure'
+        working-directory: ${{ env.TARGET_DIR }}
+        run: |
+          jq '
+          {
+            repo: "guardutils/resrm",
+            summary: (
+              "Total: " +
+              (
+                [
+                  .matches[]
+                  | select((.vulnerability.fix.versions | length) > 0)
+                ] | length | tostring
+              )
+            ),
+            vulnerabilities: [
+              .matches[]
+              | select((.vulnerability.fix.versions | length) > 0)
+              | {
+                library: .artifact.name,
+                cve: .vulnerability.id,
+                severity: .vulnerability.severity,
+                installed: .artifact.version,
+                fixed: (.vulnerability.fix.versions[0]),
+                title: .vulnerability.description,
+                url: .vulnerability.dataSource
+              }
+            ]
+          }
+          ' grype.json \
+          | curl -s -X POST https://nodered.sysmd.uk/vulns-alert \
+              -H "Content-Type: application/json" \
+              --data-binary @-
+
+      - name: Fail workflow if vulnerabilities found
+        if: steps.audit.outcome == 'failure'
+        run: exit 1

.gitignore

@@ -1,3 +1,4 @@
 __pycache__
 .pytest_cache
 dist
+.coverage

.pre-commit-config.yaml

@@ -1,19 +1,21 @@
 repos:
   - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.9
+    rev: 1.9.4
     hooks:
       - id: bandit
         files: ^src/resrm/
         args: ["-lll", "-iii", "-s", "B110,B112"]
 
   - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 25.11.0
+    rev: 26.3.1
     hooks:
       - id: black
         language_version: python3.13
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v6.0.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-toml

README.md

@@ -1,5 +1,13 @@
+[![Licence](https://img.shields.io/badge/GPL--3.0-orange?label=Licence)](https://git.sysmd.uk/guardutils/resrm/src/branch/main/LICENCE)
+[![Gitea Release](https://img.shields.io/gitea/v/release/guardutils/resrm?gitea_url=https%3A%2F%2Fgit.sysmd.uk%2F&style=flat&color=orange&logo=gitea)](https://git.sysmd.uk/guardutils/resrm/releases)
+[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-blue?logo=pre-commit&style=flat)](https://git.sysmd.uk/guardutils/resrm/src/branch/main/.pre-commit-config.yaml)
+
 # resrm
 
+<div align="center">
+  <img src="resrm.png" alt="resrm logo" width="256" />
+</div>
+
 **resrm** is a safe, drop-in replacement for the Linux `rm` command with **undo/restore support**.
 It moves files to a per-user _trash_ instead of permanently deleting them, while still allowing full `sudo` support for root-owned files.
 
@@ -13,42 +21,91 @@ It moves files to a per-user _trash_ instead of permanently deleting them, while
 - Supports `-r`, `-f`, `-i`, `--skip-trash` options
 - Works with `sudo` for root-owned files
 - Automatically prunes Trash entries older than `$RESRM_TRASH_LIFE` days (default **7**, minimum **1**)
-  > Note: if you need immediate deletion, use the regular `rm` command instead.
 
----
+  > Note: if you need immediate deletion, use the `--skip-trash` flag.
 
-## Configuration
-
-To control how long trashed files are kept, add this line to your shell configuration (e.g. `~/.bashrc`):
-
-```bash
-export RESRM_TRASH_LIFE=10
-```
-
----
 
 ## Installation
 
+### From GuardUtils package repo
+
+This is the preferred method of installation.
+
+### Debian/Ubuntu
+
+#### 1) Import the GPG key
+
+```bash
+sudo mkdir -p /usr/share/keyrings
+curl -fsSL https://repo.sysmd.uk/guardutils/guardutils.gpg | sudo gpg --dearmor -o /usr/share/keyrings/guardutils.gpg
+```
+
+The GPG fingerprint is `0032C71FA6A11EF9567D4434C5C06BD4603C28B1`.
+
+#### 2) Add the APT source
+
+```bash
+echo "deb [arch=amd64 signed-by=/usr/share/keyrings/guardutils.gpg] https://repo.sysmd.uk/guardutils/debian stable main" | sudo tee /etc/apt/sources.list.d/guardutils.list
+```
+
+#### 3) Update and install
+
+```
+sudo apt update
+sudo apt install resrm
+```
+
+### Fedora/RHEL
+
+#### 1) Import the GPG key
+
+```
+sudo rpm --import https://repo.sysmd.uk/guardutils/guardutils.gpg
+```
+
+#### 2) Add the repository configuration
+
+```
+sudo tee /etc/yum.repos.d/guardutils.repo > /dev/null << 'EOF'
+[guardutils]
+name=GuardUtils Repository
+baseurl=https://repo.sysmd.uk/guardutils/rpm/$basearch
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=https://repo.sysmd.uk/guardutils/guardutils.gpg
+EOF
+```
+
+#### 4) Update and install
+
+```
+sudo dnf upgrade --refresh
+sudo dnf install resrm
+```
+
+### From PyPI
+
 **NOTE:** To use `resrm` with `sudo`, the path to `resrm` must be in the `$PATH` seen by `root`.\
 Either:
 
- * install `resrm` as `root` (_preferred_), or
+ * install `resrm` as `root`, or
  * add the path to `resrm` to the `secure_path` parameter in `/etc/sudoers`. For example, where `/home/user/.local/bin` is where `resrm` is:
 
 ``` bash
 Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/user/.local/bin"
 ```
 
-Install via PyPI (_preferred_):
+Install with:
 
 ```bash
 pip install resrm
 ```
 
-Or clone the repo and install locally:
+### From this repository
 
 ```bash
-git clone https://github.com/mdaleo404/resrm.git
+git clone https://git.sysmd.uk/guardutils/resrm.git
 cd resrm/
 poetry install
 ```
@@ -77,16 +134,38 @@ resrm -l
 # Restore a file by ID or basename
 resrm --restore <id|name>
 
+# Show full details of trashed item
+resrm --inspect <id|name>
+
 # Empty the trash permanently
 resrm --empty
 ```
 
+
 ## Trash Location
 
 Normal users: `~/.local/share/resrm/files`
 
 Root user: `/root/.local/share/resrm/files`
 
+## Configuration
+
+To control how long trashed files are kept, add this line to your shell configuration (e.g. `~/.bashrc`):
+
+```bash
+export RESRM_TRASH_LIFE=10
+```
+
+### TAB completion
+Add this to your `.bashrc`
+```
+eval "$(register-python-argcomplete resrm)"
+```
+And then
+```
+source ~/.bashrc
+```
+
 ## pre-commit
 This project uses [**pre-commit**](https://pre-commit.com/) to run automatic formatting and security checks before each commit (Black, Bandit, and various safety checks).
 

poetry.lock

@@ -1,5 +1,19 @@
 # This file is automatically @generated by Poetry 1.8.4 and should not be changed by hand.
 
+[[package]]
+name = "argcomplete"
+version = "3.6.3"
+description = "Bash tab completion for argparse"
+optional = false
+python-versions = ">=3.8"
+files = [
+    {file = "argcomplete-3.6.3-py3-none-any.whl", hash = "sha256:f5007b3a600ccac5d25bbce33089211dfd49eab4a7718da3f10e3082525a92ce"},
+    {file = "argcomplete-3.6.3.tar.gz", hash = "sha256:62e8ed4fd6a45864acc8235409461b72c9a28ee785a2011cc5eb78318786c89c"},
+]
+
+[package.extras]
+test = ["coverage", "mypy", "pexpect", "ruff", "wheel"]
+
 [[package]]
 name = "cfgv"
 version = "3.4.0"
@@ -24,13 +38,13 @@ files = [
 
 [[package]]
 name = "filelock"
-version = "3.20.0"
+version = "3.20.3"
 description = "A platform independent file lock."
 optional = false
 python-versions = ">=3.10"
 files = [
-    {file = "filelock-3.20.0-py3-none-any.whl", hash = "sha256:339b4732ffda5cd79b13f4e2711a31b0365ce445d95d243bb996273d072546a2"},
-    {file = "filelock-3.20.0.tar.gz", hash = "sha256:711e943b4ec6be42e1d4e6690b48dc175c822967466bb31c0c293f34334c13f4"},
+    {file = "filelock-3.20.3-py3-none-any.whl", hash = "sha256:4b0dda527ee31078689fc205ec4f1c1bf7d56cf88b6dc9426c4f230e46c2dce1"},
+    {file = "filelock-3.20.3.tar.gz", hash = "sha256:18c57ee915c7ec61cff0ecf7f0f869936c7c30191bb0cf406f1341778d0834e1"},
 ]
 
 [[package]]
@@ -174,21 +188,33 @@ files = [
     {file = "pyyaml-6.0.3.tar.gz", hash = "sha256:d76623373421df22fb4cf8817020cbb7ef15c725b9d5e45f17e189bfc384190f"},
 ]
 
+[[package]]
+name = "typing-extensions"
+version = "4.15.0"
+description = "Backported and Experimental Type Hints for Python 3.9+"
+optional = false
+python-versions = ">=3.9"
+files = [
+    {file = "typing_extensions-4.15.0-py3-none-any.whl", hash = "sha256:f0fa19c6845758ab08074a0cfa8b7aecb71c999ca73d62883bc25cc018c4e548"},
+    {file = "typing_extensions-4.15.0.tar.gz", hash = "sha256:0cea48d173cc12fa28ecabc3b837ea3cf6f38c6d1136f85cbaaf598984861466"},
+]
+
 [[package]]
 name = "virtualenv"
-version = "20.35.4"
+version = "20.36.1"
 description = "Virtual Python Environment builder"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "virtualenv-20.35.4-py3-none-any.whl", hash = "sha256:c21c9cede36c9753eeade68ba7d523529f228a403463376cf821eaae2b650f1b"},
-    {file = "virtualenv-20.35.4.tar.gz", hash = "sha256:643d3914d73d3eeb0c552cbb12d7e82adf0e504dbf86a3182f8771a153a1971c"},
+    {file = "virtualenv-20.36.1-py3-none-any.whl", hash = "sha256:575a8d6b124ef88f6f51d56d656132389f961062a9177016a50e4f507bbcc19f"},
+    {file = "virtualenv-20.36.1.tar.gz", hash = "sha256:8befb5c81842c641f8ee658481e42641c68b5eab3521d8e092d18320902466ba"},
 ]
 
 [package.dependencies]
 distlib = ">=0.3.7,<1"
-filelock = ">=3.12.2,<4"
+filelock = {version = ">=3.20.1,<4", markers = "python_version >= \"3.10\""}
 platformdirs = ">=3.9.1,<5"
+typing-extensions = {version = ">=4.13.2", markers = "python_version < \"3.11\""}
 
 [package.extras]
 docs = ["furo (>=2023.7.26)", "proselint (>=0.13)", "sphinx (>=7.1.2,!=7.3)", "sphinx-argparse (>=0.4)", "sphinxcontrib-towncrier (>=0.2.1a0)", "towncrier (>=23.6)"]
@@ -196,5 +222,5 @@ test = ["covdefaults (>=2.3)", "coverage (>=7.2.7)", "coverage-enable-subprocess
 
 [metadata]
 lock-version = "2.0"
-python-versions = "^3.13"
-content-hash = "0863809e99ebce15ac434c3d43856decb487945ff712f83073c120ee4dc7b850"
+python-versions = ">=3.10,<4.0"
+content-hash = "7f8ea4efe2d270a676fdd9c882c02f43b4b118bfe7a5fd6da1098ff4ec84ce3d"

pyproject.toml

@@ -1,16 +1,17 @@
 [tool.poetry]
 name = "resrm"
-version = "0.3.1"
+version = "0.4.1"
 description = "drop-in replacement for rm with undo/restore built-in."
 authors = ["Marco D'Aleo <marco@marcodaleo.com>"]
 license = "GPL-3.0-or-later"
 readme = "README.md"
-homepage = "https://github.com/mdaleo404/resrm"
-repository = "https://github.com/mdaleo404/resrm"
+homepage = "https://git.sysmd.uk/guardutils/resrm"
+repository = "https://git.sysmd.uk/guardutils/resrm"
 packages = [{include = "resrm", from = "src"}]
 
 [tool.poetry.dependencies]
-python = "^3.13"
+python = ">=3.10,<4.0"
+argcomplete = ">=2"
 
 [tool.poetry.dev-dependencies]
 pre-commit = "^3.8"
@@ -20,7 +21,6 @@ resrm = "resrm.cli:main"
 
 [tool.black]
 line-length = 79
-target-version = ["py313"]
 
 [build-system]
 requires = ["poetry-core"]

src/resrm/core.py

@@ -8,13 +8,15 @@ Basic usage:
   resrm -f file               # ignore nonexistent, no prompt
   resrm -i file               # interactive prompt before removal
   resrm --skip-trash file     # permanent delete (bypass trash)
-  resrm -l                    # list trash entries (neat table)
+  resrm -l|--list             # list trash entries (neat table)
   resrm --restore <id|name>   # restore by short-id (8 chars) or exact basename
+  resrm --inspect <id|name>   # output full detail list of trashed item
   resrm --empty               # empty trash entries (permanent)
 """
 
 from __future__ import annotations
 import argparse
+import argcomplete
 import json
 import os
 import shutil
@@ -267,20 +269,23 @@ def restore(identifier: str):
 
 def empty_trash():
     """Permanently remove all trashed files and clear metadata."""
+
+    # Remove everything inside the trash directory
     count = 0
-    for entry in list(meta):
-        f = TRASH_DIR / entry["id"]
+    for item in TRASH_DIR.iterdir():
         try:
-            if f.exists():
-                if f.is_dir():
-                    shutil.rmtree(f, ignore_errors=True)
+            if item.is_dir():
+                shutil.rmtree(item, ignore_errors=True)
             else:
-                    f.unlink(missing_ok=True)
-            meta.remove(entry)
+                item.unlink(missing_ok=True)
             count += 1
         except Exception as e:
-            print(f"Failed to remove {f}: {e}")
+            print(f"Failed to remove {item}: {e}")
+
+    # Clear metadata
+    meta.clear()
     save_meta(meta)
+
     print(f"Trash emptied ({count} entries removed).")
 
 
@@ -373,6 +378,79 @@ def move_to_trash(
     print(f"Removed '{path}' -> trash id {short_id(uid)}")
 
 
+def inspect_entry(identifier: str):
+    """Show full information about trash entries matching the identifier."""
+    candidates = find_candidates(identifier)
+
+    if not candidates:
+        print(f"No match found for '{identifier}'")
+        return
+
+    for entry in candidates:
+
+        # Validate entry structure
+        if not isinstance(entry, dict):
+            print(f"Invalid metadata entry (not a dict): {entry!r}")
+            print()
+            continue
+
+        entry_id = entry.get("id")
+        orig_path = entry.get("orig_path", "?")
+        timestamp = entry.get("timestamp", "?")
+
+        if not entry_id:
+            print(f"Invalid metadata entry (missing id): {entry}")
+            continue
+
+        trash_path = TRASH_DIR / entry_id
+
+        print(f"ID:            {short_id(entry_id)}")
+        print(f"Original:      {orig_path}")
+        print(f"Deleted at:    {human_time(timestamp)}")
+        print(f"Stored at:     {trash_path}")
+
+        try:
+            st = trash_path.lstat()  # preserves symlink info
+            import stat, pwd, grp
+
+            # Type detection
+            if stat.S_ISDIR(st.st_mode):
+                ftype = "directory"
+            elif stat.S_ISLNK(st.st_mode):
+                try:
+                    target = os.readlink(trash_path)
+                    ftype = f"symlink → {target}"
+                except Exception:
+                    ftype = "symlink"
+            else:
+                ftype = "file"
+
+            # Permissions
+            perms = stat.filemode(st.st_mode)
+
+            # Ownership
+            try:
+                user = pwd.getpwuid(st.st_uid).pw_name
+            except Exception:
+                user = st.st_uid
+            try:
+                group = grp.getgrgid(st.st_gid).gr_name
+            except Exception:
+                group = st.st_gid
+            owner = f"{user}:{group}"
+
+            # Size (bytes for file, recursive for directories)
+            size = st.st_size
+
+            print(f"Type:          {ftype}")
+            print(f"Size:          {size} bytes")
+            print(f"Permissions:   {perms}")
+            print(f"Ownership:     {owner}")
+
+        except Exception as e:
+            print(f"Unknown stats for {e}")
+
+
 def main(argv: Optional[List[str]] = None):
     if argv is None:
         argv = sys.argv[1:]
@@ -385,13 +463,37 @@ def main(argv: Optional[List[str]] = None):
     parser.add_argument(
         "--skip-trash", action="store_true", help="permanent delete"
     )
-    parser.add_argument(
+
+    inspect_arg = parser.add_argument(
+        "--inspect",
+        "-I",
+        nargs="+",
+        metavar="item",
+        help="show full metadata and original path for this trash entry",
+    )
+
+    restore_arg = parser.add_argument(
         "--restore",
         nargs="+",
         metavar="item",
         help="restore by id or basename",
     )
-    parser.add_argument("-l", action="store_true", help="list trash")
+
+    # completer
+    def id_name_completer(prefix, parsed_args, **kwargs):
+        return [
+            short_id(m["id"])
+            for m in meta
+            if short_id(m["id"]).startswith(prefix)
+        ] + [
+            Path(m["orig_path"]).name
+            for m in meta
+            if Path(m["orig_path"]).name.startswith(prefix)
+        ]
+
+    restore_arg.completer = id_name_completer
+    inspect_arg.completer = id_name_completer
+    parser.add_argument("-l", "--list", action="store_true", help="list trash")
     parser.add_argument(
         "--empty", action="store_true", help="empty the trash permanently"
     )
@@ -399,6 +501,9 @@ def main(argv: Optional[List[str]] = None):
     parser.add_argument(
         "-V", "--version", action="version", version=f"resrm {get_version()}"
     )
+
+    argcomplete.autocomplete(parser)
+
     args = parser.parse_args(argv)
 
     # Always print docstring if -h or --help
@@ -406,15 +511,22 @@ def main(argv: Optional[List[str]] = None):
         print(__doc__)
         return
 
-    if not args.paths and not (args.l or args.empty or args.restore):
+    if not args.paths and not (
+        args.list or args.empty or args.restore or args.inspect
+    ):
         print("resrm: missing operand")
         print("Try 'resrm --help' for more information.")
         return
 
-    if args.l:
+    if args.list:
         list_trash()
         return
 
+    if args.inspect:
+        for item in args.inspect:
+            inspect_entry(item)
+        return
+
     if args.empty:
         empty_trash()
         return
@@ -432,7 +544,7 @@ def main(argv: Optional[List[str]] = None):
         pth = Path(p)
         # simplistic recursive handling: if -r not given and it's a directory, mimic rm behavior: error unless -r
         if pth.is_dir() and not args.r:
-            if args.f:
+            if args.force:
                 continue
             print(f"resrm: cannot remove '{pth}': Is a directory")
             continue