@build-astron-co/nimbus 0.4.2 → 0.4.3

package/dist/src/auth/store.js

@@ -1,13 +1,15 @@
 /**
  * AuthStore - Credential Persistence Manager
  * Manages storage and retrieval of authentication credentials at ~/.nimbus/auth.json
- * API keys and access tokens are encrypted at rest using AES-256-GCM.
+ * Credentials are stored as plain JSON with 0600 file permissions (industry standard).
  */
 import * as fs from 'fs';
 import * as path from 'path';
 import * as os from 'os';
 import * as crypto from 'crypto';
 const AUTH_FILE_VERSION = 1;
+/** Legacy encryption prefix — used only for one-time migration of old files. */
+const ENC_PREFIX = 'enc:';
 /**
  * Default empty auth file structure
  */
@@ -22,125 +24,78 @@ function createEmptyAuthFile() {
     };
 }
 // ---------------------------------------------------------------------------
-// Encryption constants and helpers (AES-256-GCM)
+// Legacy decryption — used ONLY during one-time migration of enc:-prefixed values.
+// This function is intentionally kept minimal; it is removed from the hot path.
 // ---------------------------------------------------------------------------
-const ENCRYPTION_ALGORITHM = 'aes-256-gcm';
-const KEY_LENGTH = 32;
-const IV_LENGTH = 16;
-const AUTH_TAG_LENGTH = 16;
-const SALT = 'nimbus-auth-v1';
-const ENC_PREFIX = 'enc:';
-/**
- * Build a machine-specific fingerprint from hostname, homedir, and username.
- * This is not cryptographically perfect, but it prevents casual copy-paste of
- * the auth file between machines.
- */
-function getMachineFingerprint() {
-    const hostname = os.hostname();
-    const homedir = os.homedir();
-    const username = os.userInfo().username;
-    return `${hostname}${homedir}${username}`;
-}
-/**
- * Derive a 256-bit encryption key from the machine fingerprint using PBKDF2.
- */
-function deriveKey() {
-    return crypto.pbkdf2Sync(getMachineFingerprint(), SALT, 100000, KEY_LENGTH, 'sha256');
-}
-/**
- * Encrypt a plaintext string with AES-256-GCM.
- * Returns a base64-encoded blob containing iv + authTag + ciphertext.
- */
-function encryptValue(plaintext) {
-    try {
-        const key = deriveKey();
-        const iv = crypto.randomBytes(IV_LENGTH);
-        const cipher = crypto.createCipheriv(ENCRYPTION_ALGORITHM, key, iv, {
-            authTagLength: AUTH_TAG_LENGTH,
-        });
-        const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
-        const authTag = cipher.getAuthTag();
-        // Layout: iv (16) + authTag (16) + ciphertext (variable)
-        const combined = Buffer.concat([iv, authTag, encrypted]);
-        return ENC_PREFIX + combined.toString('base64');
-    }
-    catch {
-        // On any encryption error, return the original value so the system
-        // can continue to operate.
-        return plaintext;
-    }
+const _LEGACY_ALGORITHM = 'aes-256-gcm';
+const _LEGACY_KEY_LENGTH = 32;
+const _LEGACY_IV_LENGTH = 16;
+const _LEGACY_AUTH_TAG_LENGTH = 16;
+const _LEGACY_SALT = 'nimbus-auth-v1';
+function _legacyDeriveKey() {
+    const fingerprint = `${os.hostname()}${os.homedir()}${os.userInfo().username}`;
+    return crypto.pbkdf2Sync(fingerprint, _LEGACY_SALT, 100000, _LEGACY_KEY_LENGTH, 'sha256');
 }
 /**
- * Decrypt an encrypted value produced by encryptValue().
- * If decryption fails (e.g. wrong machine, corrupted data, or the value was
- * never encrypted), the original string is returned for backward compatibility.
+ * Attempt to decrypt a value that was encrypted with the old AES-256-GCM scheme.
+ * Returns null if decryption fails (wrong machine, corrupted, etc.).
  */
-function decryptValue(encrypted) {
+function _legacyDecrypt(encrypted) {
     try {
-        // Strip the enc: prefix
         const payload = encrypted.slice(ENC_PREFIX.length);
         const combined = Buffer.from(payload, 'base64');
-        if (combined.length < IV_LENGTH + AUTH_TAG_LENGTH) {
-            // Too short to be a valid encrypted payload -- return as-is
-            return encrypted;
+        if (combined.length < _LEGACY_IV_LENGTH + _LEGACY_AUTH_TAG_LENGTH) {
+            return null;
         }
-        const iv = combined.subarray(0, IV_LENGTH);
-        const authTag = combined.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);
-        const ciphertext = combined.subarray(IV_LENGTH + AUTH_TAG_LENGTH);
-        const key = deriveKey();
-        const decipher = crypto.createDecipheriv(ENCRYPTION_ALGORITHM, key, iv, {
-            authTagLength: AUTH_TAG_LENGTH,
+        const iv = combined.subarray(0, _LEGACY_IV_LENGTH);
+        const authTag = combined.subarray(_LEGACY_IV_LENGTH, _LEGACY_IV_LENGTH + _LEGACY_AUTH_TAG_LENGTH);
+        const ciphertext = combined.subarray(_LEGACY_IV_LENGTH + _LEGACY_AUTH_TAG_LENGTH);
+        const key = _legacyDeriveKey();
+        const decipher = crypto.createDecipheriv(_LEGACY_ALGORITHM, key, iv, {
+            authTagLength: _LEGACY_AUTH_TAG_LENGTH,
         });
         decipher.setAuthTag(authTag);
-        const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-        return decrypted.toString('utf8');
+        return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
     }
     catch {
-        // Decryption failed -- could be a plain-text value from before encryption
-        // was introduced, or the file was moved between machines.
-        return encrypted;
+        return null;
     }
 }
-// ---------------------------------------------------------------------------
-// Encryption helpers for the AuthFile structure
-// ---------------------------------------------------------------------------
-/**
- * Deep-clone the auth file and encrypt sensitive fields before persistence.
- */
-function encryptAuthFile(authFile) {
-    const clone = JSON.parse(JSON.stringify(authFile));
-    // Encrypt provider API keys
-    for (const providerName of Object.keys(clone.providers)) {
-        const cred = clone.providers[providerName];
-        if (cred?.apiKey && cred.apiKey.length > 0 && !cred.apiKey.startsWith(ENC_PREFIX)) {
-            cred.apiKey = encryptValue(cred.apiKey);
-        }
-    }
-    // Encrypt GitHub access token
-    if (clone.identity.github?.accessToken &&
-        clone.identity.github.accessToken.length > 0 &&
-        !clone.identity.github.accessToken.startsWith(ENC_PREFIX)) {
-        clone.identity.github.accessToken = encryptValue(clone.identity.github.accessToken);
-    }
-    return clone;
-}
 /**
- * Decrypt sensitive fields in an auth file that was loaded from disk.
- * Plain-text values (from before encryption was added) pass through unchanged.
+ * One-time migration: if any sensitive fields in the loaded auth file still carry
+ * the old `enc:` prefix, attempt to decrypt them.  On success the plain-text value
+ * is kept in memory and will be written back as plain JSON on the next save().
+ * On failure the field is cleared and a warning is printed.
  */
-function decryptAuthFile(authFile) {
-    // Decrypt provider API keys
+function migrateEncryptedFields(authFile) {
+    // Provider API keys
     for (const providerName of Object.keys(authFile.providers)) {
         const cred = authFile.providers[providerName];
-        if (cred?.apiKey && cred.apiKey.startsWith(ENC_PREFIX)) {
-            cred.apiKey = decryptValue(cred.apiKey);
+        if (cred?.apiKey?.startsWith(ENC_PREFIX)) {
+            const decrypted = _legacyDecrypt(cred.apiKey);
+            if (decrypted !== null) {
+                cred.apiKey = decrypted;
+            }
+            else {
+                process.stderr.write(`[nimbus] Warning: could not decrypt stored API key for provider "${providerName}". ` +
+                    'The key has been cleared — please run `nimbus login` to re-enter it.\n');
+                delete cred.apiKey;
+            }
         }
     }
-    // Decrypt GitHub access token
+    // GitHub access token
     if (authFile.identity.github?.accessToken?.startsWith(ENC_PREFIX)) {
-        authFile.identity.github.accessToken = decryptValue(authFile.identity.github.accessToken);
+        const decrypted = _legacyDecrypt(authFile.identity.github.accessToken);
+        if (decrypted !== null) {
+            authFile.identity.github.accessToken = decrypted;
+        }
+        else {
+            process.stderr.write('[nimbus] Warning: could not decrypt stored GitHub access token. ' +
+                'The token has been cleared — please run `nimbus connect github` to re-authenticate.\n');
+            // Clear the github identity since accessToken is required (not optional in the type)
+            delete authFile.identity.github;
+        }
     }
-    return authFile;
 }
 /**
  * AuthStore class for credential persistence
@@ -169,8 +124,8 @@ export class AuthStore {
     }
     /**
      * Load auth file from disk, creating if necessary.
-     * Encrypted values are transparently decrypted so all public accessors
-     * return plain-text credentials.
+     * Stored as plain JSON (industry standard: gh, terraform, AWS CLI all do this).
+     * Performs a one-time migration for legacy enc:-prefixed values from older versions.
      */
     load() {
         if (this.authFile) {
@@ -192,8 +147,19 @@ export class AuthStore {
             // Ensure required fields exist
             parsed.identity = parsed.identity || {};
             parsed.providers = parsed.providers || {};
-            // Decrypt sensitive fields (backward-compatible with plain-text files)
-            this.authFile = decryptAuthFile(parsed);
+            // One-time migration: decrypt any legacy enc:-prefixed fields and save back as plain text
+            const hasLegacyEncryption = Object.values(parsed.providers).some(c => c?.apiKey?.startsWith(ENC_PREFIX))
+                || parsed.identity.github?.accessToken?.startsWith(ENC_PREFIX);
+            if (hasLegacyEncryption) {
+                migrateEncryptedFields(parsed);
+                // Persist the decrypted values immediately so migration only runs once
+                this.authFile = parsed;
+                try {
+                    this.save(parsed);
+                }
+                catch { /* non-critical — in-memory values are still correct */ }
+            }
+            this.authFile = parsed;
             return this.authFile;
         }
         catch {
@@ -204,8 +170,7 @@ export class AuthStore {
     }
     /**
      * Save auth file to disk with secure permissions (0600).
-     * Sensitive fields are encrypted before writing so they are never stored
-     * in plain text.
+     * Credentials are stored as plain JSON — file permissions provide the security boundary.
      */
     save(authFile) {
         this.ensureDirectory();
@@ -215,9 +180,7 @@ export class AuthStore {
         }
         fileToSave.updatedAt = new Date().toISOString();
         this.authFile = fileToSave;
-        // Encrypt sensitive fields in a deep clone before writing to disk
-        const encrypted = encryptAuthFile(fileToSave);
-        const content = JSON.stringify(encrypted, null, 2);
+        const content = JSON.stringify(fileToSave, null, 2);
         fs.writeFileSync(this.authPath, content, { mode: 0o600 });
         // Ensure permissions are set correctly even if file already existed
         fs.chmodSync(this.authPath, 0o600);

package/dist/src/cli/init.js

@@ -299,8 +299,9 @@ export async function discoverInfraContext(dir) {
             let match;
             while ((match = profileRegex.exec(awsConfig)) !== null) {
                 const profileName = match[1];
-                if (profileName === 'default')
-                    continue; // handled separately
+                if (profileName === 'default') {
+                    continue;
+                } // handled separately
                 // Extract region from the profile block
                 const blockStart = match.index + match[0].length;
                 const nextBlock = awsConfig.indexOf('\n[', blockStart);
@@ -308,8 +309,9 @@ export async function discoverInfraContext(dir) {
                 const regionMatch = block.match(/^\s*region\s*=\s*(.+)$/m);
                 profiles.push({ profile: profileName, region: regionMatch?.[1]?.trim() });
             }
-            if (profiles.length > 0)
-                ctx.awsProfiles = profiles.slice(0, 10); // max 10 profiles
+            if (profiles.length > 0) {
+                ctx.awsProfiles = profiles.slice(0, 10);
+            } // max 10 profiles
         }
     }
     catch { /* ignore */ }
@@ -318,8 +320,9 @@ export async function discoverInfraContext(dir) {
         const proj = execFileSync('gcloud', ['config', 'get-value', 'project'], {
             encoding: 'utf-8', timeout: 3000, stdio: ['pipe', 'pipe', 'pipe'],
         }).trim();
-        if (proj && proj !== '(unset)')
+        if (proj && proj !== '(unset)') {
             ctx.gcpProject = proj;
+        }
     }
     catch { /* ignore */ }
     // G16: Count K8s namespaces and deployments
@@ -364,21 +367,27 @@ export async function discoverInfraContext(dir) {
  */
 export function formatInfraContext(ctx) {
     const parts = [];
-    if (ctx.terraformWorkspace)
+    if (ctx.terraformWorkspace) {
         parts.push(`tf-workspace: ${ctx.terraformWorkspace}`);
-    if (ctx.kubectlContext)
+    }
+    if (ctx.kubectlContext) {
         parts.push(`k8s-context: ${ctx.kubectlContext}`);
+    }
     if (ctx.helmReleases && ctx.helmReleases.length > 0) {
         parts.push(`helm-releases: ${ctx.helmReleases.slice(0, 3).join(', ')}${ctx.helmReleases.length > 3 ? ` +${ctx.helmReleases.length - 3} more` : ''}`);
     }
-    if (ctx.awsAccount)
+    if (ctx.awsAccount) {
         parts.push(`aws-account: ${ctx.awsAccount}`);
-    if (ctx.awsRegion)
+    }
+    if (ctx.awsRegion) {
         parts.push(`aws-region: ${ctx.awsRegion}`);
-    if (ctx.gcpProject)
+    }
+    if (ctx.gcpProject) {
         parts.push(`gcp-project: ${ctx.gcpProject}`);
-    if (ctx.cicdPipeline)
+    }
+    if (ctx.cicdPipeline) {
         parts.push(`cicd: ${ctx.cicdPipeline}`);
+    }
     return parts.length > 0 ? parts.join(' | ') : 'no infra context detected';
 }
 /**
@@ -730,7 +739,7 @@ export function generateNimbusMd(detection, _dir, infraCtx) {
         }
     }
     const runbookSection = foundRunbooks.length > 0
-        ? foundRunbooks.join('\n') + '\n\nRefer to these runbooks for incident response and operational procedures.'
+        ? `${foundRunbooks.join('\n')}\n\nRefer to these runbooks for incident response and operational procedures.`
         : '<!-- Add runbook references, e.g.:\n- docs/runbooks/cert-rotation.md -->';
     lines.push('## Runbooks');
     lines.push('');
@@ -884,10 +893,12 @@ export async function runInit(options) {
         for (let idx = 0; idx < maxLen; idx++) {
             const o = oldLines[idx];
             const n = newLines[idx];
-            if (o === undefined)
+            if (o === undefined) {
                 diffLines.push(`+ ${n}`);
-            else if (n === undefined)
+            }
+            else if (n === undefined) {
                 diffLines.push(`- ${o}`);
+            }
             else if (o !== n) {
                 diffLines.push(`- ${o}`);
                 diffLines.push(`+ ${n}`);
@@ -896,15 +907,19 @@ export async function runInit(options) {
         if (diffLines.length > 0) {
             log('\nNIMBUS.md changes:');
             for (const dl of diffLines.slice(0, 50)) {
-                if (dl.startsWith('+'))
+                if (dl.startsWith('+')) {
                     log(`  \x1b[32m${dl}\x1b[0m`);
-                else if (dl.startsWith('-'))
+                }
+                else if (dl.startsWith('-')) {
                     log(`  \x1b[31m${dl}\x1b[0m`);
-                else
+                }
+                else {
                     log(`  ${dl}`);
+                }
             }
-            if (diffLines.length > 50)
+            if (diffLines.length > 50) {
                 log(`  ... and ${diffLines.length - 50} more changes`);
+            }
             log('');
             log('Apply these changes? [y/N]');
             // Synchronous readline for non-quiet mode
@@ -1006,8 +1021,9 @@ export async function runInit(options) {
         for (const sub of subdirs.slice(0, 20)) {
             const subPath = path.join(dir, sub);
             const hasTf = fs.readdirSync(subPath).some(f => f.endsWith('.tf'));
-            if (hasTf)
+            if (hasTf) {
                 tfRoots.push(sub);
+            }
         }
         if (tfRoots.length > 1) {
             monorepoSection = `\n## Terraform Modules (Monorepo)\n\nThis is a monorepo with multiple Terraform roots:\n${tfRoots.map(r => `- \`./${r}/\``).join('\n')}\n\nTo target a specific root, \`cd\` into the directory or specify the path.\n`;

package/dist/src/cli/run.js

@@ -153,7 +153,7 @@ export async function executeRun(router, options) {
             },
             required: ['success', 'output', 'cost', 'turns', 'toolCalls', 'errors'],
         };
-        process.stdout.write(JSON.stringify(schema, null, 2) + '\n');
+        process.stdout.write(`${JSON.stringify(schema, null, 2)}\n`);
         return {
             success: true,
             output: '',
@@ -164,12 +164,15 @@ export async function executeRun(router, options) {
         };
     }
     // H3: Inject context/workspace/namespace into environment before agent loop
-    if (options.context)
+    if (options.context) {
         process.env.KUBECTL_CONTEXT = options.context;
-    if (options.workspace)
+    }
+    if (options.workspace) {
         process.env.TF_WORKSPACE = options.workspace;
-    if (options.namespace)
+    }
+    if (options.namespace) {
         process.env.K8S_NAMESPACE = options.namespace;
+    }
     // Get prompt from stdin if requested
     let prompt = options.prompt;
     if (options.stdin && !prompt) {
@@ -178,17 +181,21 @@ export async function executeRun(router, options) {
         if (options.stdinJson && stdinContent) {
             try {
                 const config = JSON.parse(stdinContent);
-                if (typeof config.prompt === 'string')
+                if (typeof config.prompt === 'string') {
                     prompt = config.prompt;
+                }
                 if (config.mode === 'plan' || config.mode === 'build' || config.mode === 'deploy') {
                     options = { ...options, mode: config.mode };
                 }
-                if (typeof config.model === 'string')
+                if (typeof config.model === 'string') {
                     options = { ...options, model: config.model };
-                if (typeof config.autoApprove === 'boolean')
+                }
+                if (typeof config.autoApprove === 'boolean') {
                     options = { ...options, autoApprove: config.autoApprove };
-                if (typeof config.maxTurns === 'number')
+                }
+                if (typeof config.maxTurns === 'number') {
                     options = { ...options, maxTurns: config.maxTurns };
+                }
             }
             catch {
                 // If JSON parse fails, treat stdin as raw prompt text
@@ -406,8 +413,9 @@ export async function executeRun(router, options) {
         console.log(divider);
         console.log('');
         // Also print final text output
-        if (output)
-            process.stdout.write(output + '\n');
+        if (output) {
+            process.stdout.write(`${output}\n`);
+        }
     }
     const runResult = {
         success: !result.interrupted,

package/dist/src/cli/serve.js

@@ -191,10 +191,12 @@ export async function serveCommand(options) {
         const nimbusDir = join(homedir(), '.nimbus');
         mkdirSync(nimbusDir, { recursive: true });
         const childArgs = [process.argv[1], 'serve', '--port', String(port)];
-        if (options.host)
+        if (options.host) {
             childArgs.push('--host', options.host);
-        if (options.auth)
+        }
+        if (options.auth) {
             childArgs.push('--auth', options.auth);
+        }
         const child = spawn(process.execPath, childArgs, {
             detached: true,
             stdio: 'ignore',

package/dist/src/cli.js

@@ -94,7 +94,7 @@ async function showSubcommandHelp(command, _args) {
     };
     const help = COMMAND_HELP[command];
     if (help) {
-        process.stdout.write(help + '\n');
+        process.stdout.write(`${help}\n`);
     }
     else {
         await helpCommand({});
@@ -250,6 +250,16 @@ export async function runCommand(args) {
         await onboardingCommand({});
         return;
     }
+    // nimbus connect <provider>
+    if (command === 'connect') {
+        if (subcommand === 'github') {
+            const { connectGitHubCommand } = await import('./commands/connect-github');
+            await connectGitHubCommand();
+            return;
+        }
+        process.stderr.write(`Unknown connect target: ${subcommand || '(none)'}. Supported: nimbus connect github\n`);
+        process.exit(1);
+    }
     // nimbus version
     if (command === 'version' || command === '-v' || command === '--version') {
         const options = {};
@@ -499,6 +509,27 @@ export async function runCommand(args) {
             else if (arg === '--mock') {
                 options.mock = true;
             }
+            else if (arg === '--yes' || arg === '-y') {
+                options.yes = true;
+            }
+            else if (arg === '--provider' && args[i + 1]) {
+                options.provider = args[++i];
+            }
+            else if (arg === '--gcp-project' && args[i + 1]) {
+                options.gcpProject = args[++i];
+            }
+            else if (arg === '--azure-subscription' && args[i + 1]) {
+                options.azureSubscription = args[++i];
+            }
+            else if (arg === '--json') {
+                options.jsonOutput = true;
+            }
+            else if (arg === '--questionnaire') {
+                options.questionnaire = true;
+            }
+            else if (arg === '--conversational') {
+                options.conversational = true;
+            }
         }
         await generateTerraformCommand(options);
         return;
@@ -1393,8 +1424,9 @@ export async function runCommand(args) {
     if (command === 'status') {
         const statusOptions = {};
         for (let i = 1; i < args.length; i++) {
-            if (args[i] === '--json')
+            if (args[i] === '--json') {
                 statusOptions.json = true;
+            }
         }
         await statusCommand(statusOptions);
         return;
@@ -1403,8 +1435,9 @@ export async function runCommand(args) {
     if (command === 'context') {
         const contextOptions = { verbose: true };
         for (let i = 1; i < args.length; i++) {
-            if (args[i] === '--json')
+            if (args[i] === '--json') {
                 contextOptions.json = true;
+            }
         }
         await statusCommand(contextOptions);
         return;
@@ -1419,10 +1452,12 @@ export async function runCommand(args) {
         const rolloutOptions = { deployment };
         for (let i = 1; i < args.length; i++) {
             const arg = args[i];
-            if ((arg === '--namespace' || arg === '-n') && args[i + 1])
+            if ((arg === '--namespace' || arg === '-n') && args[i + 1]) {
                 rolloutOptions.namespace = args[++i];
-            else if (arg === '--timeout' && args[i + 1])
+            }
+            else if (arg === '--timeout' && args[i + 1]) {
                 rolloutOptions.timeout = args[++i];
+            }
         }
         await rolloutCommand(rolloutOptions);
         return;
@@ -1432,18 +1467,24 @@ export async function runCommand(args) {
         const rollbackOptions = {};
         for (let i = 1; i < args.length; i++) {
             const arg = args[i];
-            if (arg === '--helm' && args[i + 1])
+            if (arg === '--helm' && args[i + 1]) {
                 rollbackOptions.helm = args[++i];
-            else if (arg === '--k8s' && args[i + 1])
+            }
+            else if (arg === '--k8s' && args[i + 1]) {
                 rollbackOptions.k8s = args[++i];
-            else if (arg === '--namespace' && args[i + 1])
+            }
+            else if (arg === '--namespace' && args[i + 1]) {
                 rollbackOptions.namespace = args[++i];
-            else if (arg === '--tf')
+            }
+            else if (arg === '--tf') {
                 rollbackOptions.tf = true;
-            else if (arg === '--terraform')
+            }
+            else if (arg === '--terraform') {
                 rollbackOptions.terraform = true;
-            else if (arg === '--tf-dir' && args[i + 1])
+            }
+            else if (arg === '--tf-dir' && args[i + 1]) {
                 rollbackOptions.tfDir = args[++i];
+            }
         }
         await rollbackCommand(rollbackOptions);
         return;

package/dist/src/commands/alias.js

@@ -31,12 +31,14 @@ function saveAliases(aliases) {
  * Returns the original args unchanged if no alias matches.
  */
 export function resolveAlias(args) {
-    if (!args.length)
+    if (!args.length) {
         return args;
+    }
     const aliases = loadAliases();
     const expanded = aliases[args[0]];
-    if (!expanded)
+    if (!expanded) {
         return args;
+    }
     // Split the alias value on spaces and prepend to remaining args
     return [...expanded.split(' '), ...args.slice(1)];
 }
@@ -73,7 +75,7 @@ export async function aliasCommand(subcommand, args) {
         return;
     }
     // Create alias: subcommand is "<name>=<rest>" or subcommand is the name and args hold the expansion
-    const raw = subcommand + (args.length ? ' ' + args.join(' ') : '');
+    const raw = subcommand + (args.length ? ` ${args.join(' ')}` : '');
     const eqIdx = raw.indexOf('=');
     if (eqIdx === -1) {
         ui.error('Usage: nimbus alias <name>=<command>  or  nimbus alias list  or  nimbus alias remove <name>');

package/dist/src/commands/audit/index.js

@@ -252,8 +252,9 @@ export async function auditScanCommand(options) {
                     ? 'yellow'
                     : 'white';
             ui.print(`[${ui.color(finding.severity, severityColor)}] ${finding.id}: ${finding.title}`);
-            if (finding.file)
+            if (finding.file) {
                 ui.dim(`  File: ${finding.file}${finding.line ? `:${finding.line}` : ''}`);
+            }
             ui.dim(`  ${finding.recommendation}`);
             ui.newLine();
         }