TL;DR

Three audit-batch PRs that landed in main recently — #7747 (CWE-78 allowExecuteCommand), #7748 (CWE-470 allowCustomChange), #7750 (CWE-22 allowParentDirectoryReferences) — each added a new GlobalConfiguration.builder.define() entry that picocli auto-renders into --help output. None of those PRs updated the byte-exact expectedHelpOutput snapshot in LiquibaseCommandLineTest.groovy. This PR adds the three missing stanzas at the alphabetical positions picocli actually emits.

Captured the stanzas verbatim from a local mvn test -Dtest='LiquibaseCommandLineTest#help output' run; not hand-written, so the wrap points exactly match what picocli renders.

Why this regression wasn't caught at PR-author time

picocli reflects over LiquibaseConfiguration.getRegisteredDefinitions() at CLI startup (see LiquibaseCommandLine.addGlobalArguments line 1203) and adds an OptionSpec per registered definition automatically. Authors of new flags get the --help rendering "for free" without touching CLI code, which is exactly when it's easy to forget there's a downstream snapshot test pinning every byte of that output.

The snapshot is a single ~691-line inline string literal in LiquibaseCommandLineTest, which doesn't show up in IDE call-graphs of GlobalConfiguration.ALLOW_CUSTOM_CHANGE (it's literally just a string). Each of the three authors (same author, three different PRs) missed the linkage three times in a row.

Why it surfaced in CI now, not before

Maven's reactor stops at the first module-level test failure. On the liquibase-pro subtree-sync runs, liquibase-standard's MSSQLDatabaseTest.getTargetUniquenessAttributes_allAuthMethods_produceSameUrl was failing first (the regression fixed in #7756). The reactor never advanced to liquibase-cli, so this fixture gap stayed invisible. After #7756 merged and the subtree-sync was retried, the reactor advanced past liquibase-standard, and LiquibaseCommandLineTest.'help output':854 immediately tripped.

The fix

Three new stanzas inserted at the alphabetical positions picocli emits:

Alphabetical ordering rationale:

• Within allow-*: c < d < e < i < p — so custom-change comes first, parent-directory-references comes last.
• allow-* (a-l-l-o-w) < always-* (a-l-w-a-y-s) because l < w at position 2 of the suffix.

Each stanza is the verbatim output of picocli's .usage() renderer for that flag, including picocli's specific line-wrap points. The stanzas are NOT hand-written. Hand-editing risks drifting from picocli's rendering on the next build — capturing them as picocli emits them is the only way to keep this snapshot stable.

Captured-output methodology (for future fixture updates)

For anyone adding a new GlobalConfiguration flag and needing to update this fixture:

1. Temporarily add new File("target/help-output-actual.txt").text = bytes.toString() to the 'help output' test's when: block.
2. Run mvn test -Dtest='LiquibaseCommandLineTest#help output' — it'll fail, but target/help-output-actual.txt will contain the full picocli output.
3. Extract the new flag's stanza from that file verbatim (option header + description + DEFAULT + defaults-file/env-var trailer).
4. Insert at the alphabetical position in expectedHelpOutput.
5. Revert the diagnostic line.
6. Re-run the test to confirm green.

This is the procedure I used to generate this PR.

Test plan

[INFO] Tests run: 115, Failures: 0, Errors: 0, Skipped: 0
[INFO] BUILD SUCCESS  (liquibase-cli reactor)

Full liquibase-cli reactor passes (115/115 specs across ParameterUtilTest, CommandLineArgumentValueProviderTest, LiquibaseCommandLineProCommandTest, LiquibaseCommandLineTest 40 incl. 'help output', LiquibaseCommandLineThreadingTest, LiquibaseLauncherTest, ProCommandErrorMessageTest).

Things to be aware of

• Fixture-only change. No production behaviour change. The three flags themselves (their actual gating logic) were merged via CWE-78: opt-in restricted mode for executeCommand changelog change #7747/CWE-470: opt-in restricted mode for customChange changelog change #7748/CWE-22 deprecation flag: opt-in path containment via liquibase.allowParentDirectoryReferences #7750.

• No new tests. This PR adds 71 lines to the existing snapshot literal; it doesn't add new specs. The existing 'help output' spec is the only consumer of expectedHelpOutput.

• Forward-looking risk: the same fixture-drift gap will reappear when the remaining audit-batch PRs land in main, because each introduces a new GlobalConfiguration entry:

  • CWE-470: opt-in restricted mode for customPrecondition changelog element #7749 (B3 customPrecondition) — updates description of existing ALLOW_CUSTOM_CHANGE, will drift the stanza I added in this PR
  • CWE-89: opt-in restricted mode for sqlCheck changelog precondition #7753 (B4 sqlCheck → ALLOW_SQL_PRECONDITION)
  • CWE-470: opt-in restricted mode for includeAll resourceFilter and resourceComparator classes #7754 (B5 includeAll filter/comparator → ALLOW_INCLUDE_ALL_CLASSES)
  • CWE-22: opt-in restricted mode for absolute and classpath: paths in changelog includes #7755 (B6 absolute/classpath: paths → ALLOW_EXTERNAL_CHANGELOG_PATHS)

  Each should ideally include its own fixture update before merging. If any merge without one, a follow-up of this PR's shape will be needed for it. Adding a release-process note / PR-template checkbox to enforce this is filed as a separate TECHOPS follow-up.

Coordination

• liquibase-pro#3860 (the subtree-sync PR currently red on this test) will go green on LiquibaseCommandLineTest.'help output' after this PR merges and a follow-up subtree-sync pulls it in.
• The remaining red check on Upgrade installer JVM to 17.0.6+10  #3860 (PostgreSQLIntegrationTest.testStatusRunDuringUpdate NPE in AlternateConnectionExecutor.<init>) is a pre-existing test-fixture wiring issue, unrelated to this PR.

Related

• PR CWE-78: opt-in restricted mode for executeCommand changelog change #7747 — allowExecuteCommand (the original PR that should have updated the fixture)
• PR CWE-470: opt-in restricted mode for customChange changelog change #7748 — allowCustomChange (same)
• PR CWE-22 deprecation flag: opt-in path containment via liquibase.allowParentDirectoryReferences #7750 — allowParentDirectoryReferences (same)
• PR liquibase/liquibase-pro#3860 — subtree-sync currently red on this fixture gap
• CWE-693 follow-up: scope generic JDBC userinfo matcher to authority-position only #7756 — the upstream-most MSSQL regression that was hiding this issue until reactor advanced
• Sibling regression-fix tickets: DAT-23090 (PR AbstractPathResourceAccessor: confine path resolution to configured root (CWE-22) #7729 over-restriction), DAT-23093 (PR CWE-693: add generic JDBC userinfo fallback to sanitizeUrl coverage #7740 MSSQL Azure-AD over-strip). Pattern across the three: each May-2026 audit fix that touched externally-observable behaviour introduced a downstream test/fixture gap. Worth a retro on the audit-batch process before the remaining tickets in DAT-23006 land.

Part of the May-2026 OSS credential-handling-and-changelog-injection audit slice (sdou label).