…w allowExternalChangelogPaths flag

This PR introduces ALLOW_EXTERNAL_CHANGELOG_PATHS in GlobalConfiguration
(allowExternalChangelogPaths=true by default). The help-output snapshot
reflects over all registered config definitions, so the new flag appears in
--help and the fixture needs the matching block.

Block captured byte-exact from picocli's actual --help output. Mirrors the
#7760 pattern for the three already-merged ALLOW_* audit flags (this branch's
merge from origin/main brought those in; this commit adds the fourth).

Note on the UNC double-backslash: the description references the leading
'\\' UNC path prefix. In Groovy triple-quoted source the inserted text is
escaped as '\\\\' (four source backslashes → two runtime backslashes) so
the runtime fixture matches picocli's literal output. The other 35 block
lines apply verbatim.

LiquibaseCommandLineTest 40/40 green locally.

…put for the new allowIncludeAllClasses flag

This PR introduces ALLOW_INCLUDE_ALL_CLASSES in GlobalConfiguration
(allowIncludeAllClasses=true by default), governing the includeAll
resourceFilter/resourceComparator class-name attributes. The help-output
snapshot reflects over all registered config definitions, so the new flag
appears in --help and the fixture needs the matching block.

Block captured byte-exact from picocli's actual --help output, inserted
alphabetically between --allow-execute-command and --allow-inherit-logical-
file-path. Mirrors the #7760 pattern for the three already-merged ALLOW_*
audit flags (the merge from origin/main brought those in; this commit adds
the fourth).

LiquibaseCommandLineTest 40/40 green locally.

…w allowSqlPrecondition flag

This PR introduces ALLOW_SQL_PRECONDITION in GlobalConfiguration
(allowSqlPrecondition=true by default), governing the <sqlCheck> changelog
precondition. The help-output snapshot reflects over all registered config
definitions, so the new flag appears in --help and the fixture needs the
matching block.

Block captured byte-exact from picocli's actual --help output, inserted
alphabetically after --allow-parent-directory-references and before
--always-drop-instead-of-replace. Mirrors the #7760 pattern for the three
already-merged ALLOW_* audit flags (merge from origin/main brought those in;
this commit adds the fourth).

LiquibaseCommandLineTest 40/40 green locally.

…7761) (#7764)

* CWE-316: make CommandScope.clearCredentialArguments() opt-in — fixes #7761

The original CWE-316 fix (PR #7741, commit 4850342) added a
`finally { clearCredentialArguments(); }` block at the end of
CommandScope.execute() to overwrite credential-bearing argument values
with "*****" so the original Strings would become GC-eligible after the
command ran.

That broke every caller that calls execute() more than once on the same
CommandScope: the second call reads "*****" from argumentValues, passes
it to the JDBC driver, and the driver rejects the connection with
"FATAL: password authentication failed for user '<lbuser>'".

Surfaced by liquibase.dbtest.pgsql.PostgreSQLIntegrationTest
.testStatusRunDuringUpdate, which executes the same CommandScope three
times (before / during / after a concurrent liquibase.update()). The
first execution succeeded, the second failed with the password auth
error.  Upstream main has been red on this test since PR #7741 landed
(2026-05-21 12:15 UTC); the regression became visible after the May-22+
subtree-sync attempts into liquibase-pro PR #3860 and again on upstream
main after PR #7760 landed and freed the reactor to advance past
liquibase-standard.

Why the regression sat in main for four days
============================================

PR #7741 was authored from a fork. Upstream's run-tests.yml workflow
gates its `authorize` job on `environment: external` whenever the PR's
head repo differs from github.repository. That gate requires a
maintainer to click "Review deployments → Approve and run" before the
workflow can proceed. The gate was never approved on #7741's pre-merge
build; the workflow sat in `status: waiting`; no Run Test for (Java N
<OS>) or Integration Test (<db>) job ever materialised; the PR's 9
green checks were all from non-gated workflows (CodeQL / label /
claude-review). The merge button did not block on a workflow that
never produced any check at all.

After merge, the post-merge `push` to main triggered the workflow with
the `internal` environment (no manual approval needed). By that point
the merge was already in. Same shape for PR #7760 (the DAT-23096
fixture fix that finally let the reactor advance past liquibase-cli to
liquibase-integration-tests on the subtree-sync).

Option A — opt-in clearing
==========================

Three options were discussed in the upstream issue:

  A. Make the clearing opt-in: add clearCredentialArguments() as a
     public method on CommandScope; remove the finally block; call it
     explicitly at single-use call sites (e.g. Main's CLI runners).
     Preserves CWE-316 intent for CLI sessions without breaking long-
     lived / re-used scopes elsewhere. Recommended.

  B. Gate the clearing on a markSingleUse() flag (backwards-compatible
     default). Possible, but adds API surface and a state machine
     that's easy to forget.

  C. Clear on scope close rather than per-execute. Requires
     CommandScope to be AutoCloseable; bigger refactor; same forget-
     to-close risk as B.

This PR implements Option A. The other two are not pursued.

Changes
=======

1) CommandScope.java

   - Removed the outer `finally { clearCredentialArguments(); }` block
     from execute() (between the second-to-last catch and the closing
     brace at the method's bottom).

   - Changed clearCredentialArguments() from package-private to public
     so external callers can invoke it explicitly.

   - Updated both the CREDENTIAL_KEY_TOKENS doc comment and the
     clearCredentialArguments() method doc to document the new
     caller-invoked contract, including the specific re-use scenario
     that the auto-finally broke and the recommended try-finally
     pattern for single-use callers.

2) Main.java

   - Added a private static helper executeAndClearCredentials(CommandScope)
     that wraps execute() in try-finally + clearCredentialArguments()
     and returns CommandResults. Used in place of bare execute() at
     every CLI command-runner site (15 sites: snapshotCommand,
     dropAllCommand, calculateChecksumCommand, historyCommand,
     diffCommand, diffChangelogCommand, updateCommand,
     rollbackOneChangeSet (x2), rollbackOneUpdate (x2),
     executeSql, three bare commandScope.execute() sites).

   - Net effect: CLI users get the same CWE-316 protection they had
     before #7741's regression-causing fix landed, but the protection
     now lives at the call site (where the single-use assumption is
     true) rather than inside execute() (where the assumption was
     false for the integration tests and any library / programmatic
     caller that re-uses a scope).

3) CommandScopeTest.groovy

   - Updated the two existing specs that asserted auto-clearing in
     execute()'s finally to assert the new opt-in semantics (execute()
     alone does NOT touch credential values; explicit
     clearCredentialArguments() does).

   - Added a new regression spec
     "execute called twice on the same scope reads original credentials
     both times — regression for PostgreSQLIntegrationTest
     .testStatusRunDuringUpdate" that calls execute() three times on
     the same scope and uses a MockCommandStep that captures
     argumentValues["password"] each time the pipeline runs. All three
     captured values must equal the original credential. This is the
     unit-level regression coverage for the integration-test scenario
     that surfaced the bug — running it at unit speed means future
     re-introductions are caught at PR-author time without needing a
     live postgres in the loop.

   - Added a new spec
     "caller-invoked try-finally pattern around execute clears
     credentials post-execution (CWE-316 wiring documented for CLI
     integrators)" that demonstrates and pins the recommended usage
     pattern: the pipeline sees the original credential during
     execute(), and the credential is wiped immediately after the call
     returns. This is what Main.executeAndClearCredentials() does
     internally; the spec documents the contract so external callers
     have a reference.

Tests
=====

All passing locally on this branch:

  CommandScopeTest                      22 / 22  (3 new specs)
  LiquibaseCommandLineTest              40 / 40  (incl. 'help output')
  liquibase-cli full reactor           115 / 115
  liquibase-standard Command*-related  204 / 204
  MainTest                              32 / 32

(Total 413 specs across the directly-impacted set. Did not run the live-
postgres integration tests locally — Docker not available; see the
"Validation" section in the PR description.)

Validation
==========

Per the validation checklist filed alongside this fix (Pro internal
DAT-23097 last comment, mirrored into the upstream issue), this PR
needs explicit confirmation that the run-tests.yml workflow actually
ran pre-merge. If reviewers see the workflow stuck in `status: waiting`
on the `authorize` job, please click "Review deployments → Approve and
run" before merging — that's the gate that previously hid both PR #7741
and PR #7760 regressions for days.

Closes #7761.

* CWE-316: empty commit to re-trigger gated CI workflows after maintainer review approval (#7763)

* CWE-316: fix pre-existing no-op in runGenerateChangelogCommandStep

`Main.runGenerateChangelogCommandStep()` built the CommandScope for the
legacy CLI `generateChangelog` command but never called .execute() on it,
making the command a silent no-op via the Main.java entry point. The bug
predates this PR (also present on upstream main at 8ed8669) but CodeRabbit
flagged it while reviewing the executeAndClearCredentials helper this PR
introduces, so applying the fix here with that helper is the natural
landing place.

…put for the new allowIncludeAllClasses flag

This PR introduces ALLOW_INCLUDE_ALL_CLASSES in GlobalConfiguration
(allowIncludeAllClasses=true by default), governing the includeAll
resourceFilter/resourceComparator class-name attributes. The help-output
snapshot reflects over all registered config definitions, so the new flag
appears in --help and the fixture needs the matching block.

Block captured byte-exact from picocli's actual --help output, inserted
alphabetically between --allow-execute-command and --allow-inherit-logical-
file-path. Mirrors the #7760 pattern for the three already-merged ALLOW_*
audit flags (the merge from origin/main brought those in; this commit adds
the fourth).

LiquibaseCommandLineTest 40/40 green locally.

…w allowSqlPrecondition flag

This PR introduces ALLOW_SQL_PRECONDITION in GlobalConfiguration
(allowSqlPrecondition=true by default), governing the <sqlCheck> changelog
precondition. The help-output snapshot reflects over all registered config
definitions, so the new flag appears in --help and the fixture needs the
matching block.

Block captured byte-exact from picocli's actual --help output, inserted
alphabetically after --allow-parent-directory-references and before
--always-drop-instead-of-replace. Mirrors the #7760 pattern for the three
already-merged ALLOW_* audit flags (merge from origin/main brought those in;
this commit adds the fourth).

LiquibaseCommandLineTest 40/40 green locally.