Merge pull request #14 from TwilightCoders/release/v0.4.0

🚀 Modern Security & Configuration Overhaul (v0.4.0)

Complete modernization (2025) with security fixes, flexible configuration system, Ruby 3.2+ compatibility, and automated CI/CD publishing to both RubyGems.org and GitHub Packages.

Key improvements: command injection prevention, global/per-wrapper configuration, graphical sudo prompts, comprehensive test coverage (78%), and GitHub Actions with branch-specific version publishing.

Ready for production use with significant security and usability improvements while maintaining backward compatibility for core functionality.

Author: voltechs

.github/workflows/ci.yml

@@ -0,0 +1,115 @@
+name: CI
+
+on:
+  push:
+    branches: [main, develop, 'release/**']
+  pull_request:
+    branches: [main, develop]
+
+permissions:
+  actions: write
+  contents: read
+  id-token: write
+  packages: write
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby-version: ["2.7", "3.0", "3.1", "3.2", "3.3"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Ruby ${{ matrix.ruby-version }}
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby-version }}
+          bundler-cache: true
+
+      - name: Run tests with coverage
+        run: bundle exec rspec
+
+      - name: Upload coverage to Qlty
+        if: matrix.ruby-version == '3.3'
+        uses: qltysh/qlty-action/coverage@v1
+        continue-on-error: true
+        env:
+          QLTY_COVERAGE_TOKEN: ${{ secrets.QLTY_COVERAGE_TOKEN }}
+        with:
+          oidc: true
+          files: coverage/coverage.json
+
+      - name: Run Qlty code quality checks
+        if: matrix.ruby-version == '3.3'
+        run: |
+          curl -sSfL https://qlty.sh | sh
+          echo "$HOME/.qlty/bin" >> $GITHUB_PATH
+          ~/.qlty/bin/qlty check || true
+        continue-on-error: true
+
+      - name: Run RuboCop (Ruby 3.3 only)
+        if: matrix.ruby-version == '3.3'
+        run: bundle exec rubocop || true
+        continue-on-error: true
+
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.3"
+          bundler-cache: true
+
+      - name: Run bundle audit
+        run: |
+          gem install bundler-audit
+          bundle audit --update || true
+        continue-on-error: true
+
+  publish:
+    runs-on: ubuntu-latest
+    needs: [test, security]
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/release/'))
+    
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.3"
+          bundler-cache: true
+
+      - name: Modify version for develop branch
+        if: github.ref == 'refs/heads/develop'
+        run: |
+          sed -i "s/VERSION = '\([^']*\)'/VERSION = '\1.dev'/" lib/sudo/constants.rb
+
+      - name: Modify version for release branch
+        if: startsWith(github.ref, 'refs/heads/release/')
+        run: |
+          sed -i "s/VERSION = '\([^']*\)'/VERSION = '\1.rc'/" lib/sudo/constants.rb
+
+      - name: Build gem
+        run: gem build sudo.gemspec
+
+      - name: Publish to GitHub Packages
+        run: |
+          mkdir -p ~/.gem
+          cat << EOF > ~/.gem/credentials
+          ---
+          :github: Bearer ${{ secrets.GITHUB_TOKEN }}
+          EOF
+          chmod 600 ~/.gem/credentials
+          # Temporarily remove allowed_push_host restriction for GitHub Packages
+          sed -i "s/spec.metadata\['allowed_push_host'\].*$//" sudo.gemspec
+          gem build sudo.gemspec
+          gem push --key github --host https://rubygems.pkg.github.com/TwilightCoders *.gem

.gitignore

@@ -33,6 +33,8 @@
 .rvmrc
 .env
 .ruby-version
+.claude
+spec/results.txt
 
 # Compiled source #
 ###################
@@ -56,6 +58,7 @@
 *.rar
 *.tar
 *.zip
+*.gem
 
 # Logs and databases #
 ######################

.qlty/.gitignore

@@ -0,0 +1,7 @@
+*
+!configs
+!configs/**
+!hooks
+!hooks/**
+!qlty.toml
+!.gitignore

.qlty/configs/.yamllint.yaml

@@ -0,0 +1,8 @@
+rules:
+  document-start: disable
+  quoted-strings:
+    required: only-when-needed
+    extra-allowed: ["{|}"]
+  key-duplicates: {}
+  octal-values:
+    forbid-implicit-octal: true

.qlty/qlty.toml

@@ -0,0 +1,94 @@
+# This file was automatically generated by `qlty init`.
+# You can modify it to suit your needs.
+# We recommend you to commit this file to your repository.
+#
+# This configuration is used by both Qlty CLI and Qlty Cloud.
+#
+#     Qlty CLI -- Code quality toolkit for developers
+#     Qlty Cloud -- Fully automated Code Health Platform
+#
+# Try Qlty Cloud: https://qlty.sh
+#
+# For a guide to configuration, visit https://qlty.sh/d/config
+# Or for a full reference, visit https://qlty.sh/d/qlty-toml
+config_version = "0"
+
+exclude_patterns = [
+  "*_min.*",
+  "*-min.*",
+  "*.min.*",
+  "**/.yarn/**",
+  "**/*.d.ts",
+  "**/assets/**",
+  "**/bower_components/**",
+  "**/build/**",
+  "**/cache/**",
+  "**/config/**",
+  "**/db/**",
+  "**/deps/**",
+  "**/dist/**",
+  "**/extern/**",
+  "**/external/**",
+  "**/generated/**",
+  "**/Godeps/**",
+  "**/gradlew/**",
+  "**/mvnw/**",
+  "**/node_modules/**",
+  "**/protos/**",
+  "**/seed/**",
+  "**/target/**",
+  "**/templates/**",
+  "**/testdata/**",
+  "**/vendor/**",
+]
+
+test_patterns = [
+  "**/test/**",
+  "**/spec/**",
+  "**/*.test.*",
+  "**/*.spec.*",
+  "**/*_test.*",
+  "**/*_spec.*",
+  "**/test_*.*",
+  "**/spec_*.*",
+]
+
+[smells]
+mode = "comment"
+
+[[source]]
+name = "default"
+default = true
+
+
+[[plugin]]
+name = "actionlint"
+
+[[plugin]]
+name = "checkov"
+
+[[plugin]]
+name = "markdownlint"
+mode = "comment"
+
+[[plugin]]
+name = "prettier"
+
+[[plugin]]
+name = "ripgrep"
+mode = "comment"
+
+[[plugin]]
+name = "rubocop"
+
+[[plugin]]
+name = "trivy"
+drivers = [
+  "config",
+]
+
+[[plugin]]
+name = "trufflehog"
+
+[[plugin]]
+name = "yamllint"

.travis.yml

@@ -1,19 +1,64 @@
 # Sudo
 
-## 0.3.0 _(July 04, 2023)_
-- Works on ruby 3.2
+<!--
+Emoji Legend:
+🎉 Initial Release   ✨ Feature         🐛 Bug Fix        🔒 Security
+🚀 Compatibility    💥 Breaking        🔧 Internal       ✅ Testing
+📚 Documentation    📄 License         🗑️ Removed
+-->
 
-## 0.2.0 _(November 05, 2018)_
-- Modernized
-- Tests
-- Works on ruby 2.3 - 2.5
-- More robust dependency loading
+## `v0.4.0` _(July 23, 2025)_
 
-## 0.0.3 _(October 25, 2010)_
--
+- 🔒 **Security**: Fix command injection vulnerabilities in system calls
+- 🔒 **Security**: Use SecureRandom for socket paths instead of predictable object_id
+- ✨ **Feature**: Add configuration system with global defaults
+- ✨ **Feature**: Implement sudo -A flag support for graphical password prompts
+- ✨ **Feature**: Add Sudo.as_root convenience method for better DSL
+- ✨ **Feature**: Add configurable timeouts
+- ✨ **Feature**: Add respond_to_missing? for proper method reflection
+- 💥 **Breaking**: Minimum Ruby version bumped to 2.7+ (EOL compliance)
+- 🔧 **Internal**: Modernize Ruby code with keyword arguments and array-form system calls
+- 🔧 **Internal**: Improve test coverage and add configuration tests
 
-## 0.0.2 _(October 22, 2010)_
--
+<details>
+<summary>📜 Historical Releases</summary>
 
-## 0.0.1 _(October 22, 2010)_
--
+## `v0.3.0` _(July 04, 2023)_
+
+- 🚀 **Compatibility**: Add Ruby 3.2 support
+- 🐛 **Fix**: Resolve Bundler::StubSpecification marshaling issues
+
+## `v0.2.0` _(November 05, 2018)_
+
+- 🔧 **Internal**: Complete code modernization and cleanup
+- ✅ **Testing**: Add comprehensive RSpec test suite (98%+ coverage)
+- 🚀 **Compatibility**: Support Ruby 2.3, 2.4, and 2.5
+- 🐛 **Fix**: Improve gem and dependency loading robustness
+- 🐛 **Fix**: Ensure sudo process properly stops when run block ends
+- 🐛 **Fix**: Fix Wrapper.run to properly return values
+- 🐛 **Fix**: Resolve infinite recursion under Bundler
+- 🔒 **Security**: Restrict DRb access to localhost only
+- 📚 **Documentation**: Extensive README and code documentation improvements
+
+## `v0.1.0` _(October 25, 2010)_
+
+- 📄 **License**: Switch to MIT license
+- ✨ **Feature**: Add auto-require and autoload support
+- 🔧 **Internal**: Modularize codebase architecture
+- 📚 **Documentation**: Extensive documentation improvements
+- 🗑️ **Removed**: Remove confusing DSL features (temporarily)
+
+## `v0.0.2` _(October 22, 2010)_
+
+- 📚 **Documentation**: Correct RDoc options in gemspec
+- 🔧 **Internal**: Minor packaging improvements
+
+## `v0.0.1` _(October 22, 2010)_
+
+- 🎉 **Initial**: First public release
+- ✨ **Feature**: Core sudo wrapper functionality with DRb
+- ✨ **Feature**: Unix domain socket communication
+- ✨ **Feature**: Process spawning and management
+- ✨ **Feature**: Basic object proxying through sudo
+
+</details>

CHANGELOG.md

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 gemspec

Gemfile

@@ -1,6 +1,7 @@
 (The MIT License)
 
-Copyright (c) 2010-2023 Guido De Rosa
+Copyright (c) 2010-2018 Guido De Rosa
+Copyright (c) 2018-2025 Twilight Coders
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the