@pagopa/dx-cli 0.20.2 → 0.21.1

package/README.md

@@ -184,9 +184,10 @@ dx savemoney [options]
 | `--format`   | `-f`  | Report format: `table`, `json`, `detailed-json`, or `lint`.                                                                                  | `table`      |
 | `--days`     | `-d`  | Metric analysis period in days (overrides config file).                                                                                      | `30`         |
 | `--location` | `-l`  | Preferred Azure location for resources (overrides config file).                                                                              | `italynorth` |
-| `--verbose`  | `-v`  | Enable verbose mode with detailed logging for each resource analyzed.                                                                        | `false`      |
 | `--tags`     | `-t`  | Filter resources by tags (`key=value key2=value2`). Only resources matching **all** specified tags are analyzed (variadic: space-separated). | N/A          |
 
+> `--verbose` / `-v` is inherited from the root command. See [Global Options](#global-options).
+
 **Example usage:**
 
 ```bash
@@ -245,9 +246,19 @@ azure:
 
 ### Global Options
 
+These options are available on every subcommand:
+
+- `--verbose, -v`: Enable verbose output. Lowers the log level to `debug` so that detailed progress information is emitted, and — when a command fails — prints the full error details, including the underlying `cause` chain and stack trace, instead of only the top-level message. Defaults to `false`.
 - `--version, -V`: Display version number
 - `--help, -h`: Display help information
 
+**Example:**
+
+```bash
+# Re-run a failing command with full diagnostics
+dx --verbose init project
+```
+
 ---
 
 <div align="center">

package/bin/index.js

@@ -1,26 +1,6 @@
 #!/usr/bin/env node
 
-import { configure, getConsoleSink } from "@logtape/logtape";
 import { runCli } from "../dist/index.js";
 import packageJson from "../package.json" with { type: "json" };
 
-await configure({
-  loggers: [
-    { category: ["dx-cli"], lowestLevel: "info", sinks: ["console"] },
-    { category: ["savemoney"], lowestLevel: "debug", sinks: ["console"] },
-    { category: ["json"], lowestLevel: "info", sinks: ["rawJson"] },
-    {
-      category: ["logtape", "meta"],
-      lowestLevel: "warning",
-      sinks: ["console"],
-    },
-  ],
-  sinks: {
-    console: getConsoleSink(),
-    rawJson(record) {
-      console.log(record.rawMessage);
-    },
-  },
-});
-
 runCli(packageJson.version).catch((error) => console.error(error.message));

package/dist/adapters/azure/__tests__/cloud-account-service.test.js

@@ -241,7 +241,10 @@ describe("isInitialized", () => {
     });
 });
 describe("initialize", () => {
-    test("assigns bootstrap roles to the bootstrap identity", async ({ cloudAccountService, }) => {
+    test("assigns bootstrap roles and creates bootstrap environment secrets", async ({ cloudAccountService, }) => {
+        const createOrUpdateEnvironmentSecret = vi
+            .fn()
+            .mockResolvedValue(undefined);
         await cloudAccountService.initialize({
             csp: "azure",
             defaultLocation: "italynorth",
@@ -259,7 +262,7 @@ describe("initialize", () => {
             repo: "dx",
         }, {
             createBranch: vi.fn(),
-            createOrUpdateEnvironmentSecret: vi.fn().mockResolvedValue(undefined),
+            createOrUpdateEnvironmentSecret,
             createPullRequest: vi.fn(),
             getFileContent: vi.fn(),
             getRepository: vi.fn(),
@@ -286,5 +289,48 @@ describe("initialize", () => {
             issuer: "https://token.actions.githubusercontent.com",
             subject: "repo:pagopa/dx:environment:bootstrapper-dev-cd",
         });
+        expect(createOrUpdateEnvironmentSecret).toHaveBeenCalledTimes(6);
+        expect(createOrUpdateEnvironmentSecret).toHaveBeenCalledWith({
+            environmentName: "bootstrapper-dev-cd",
+            owner: "pagopa",
+            repo: "dx",
+            secretName: "ARM_CLIENT_ID",
+            secretValue: "client-1",
+        });
+        expect(createOrUpdateEnvironmentSecret).toHaveBeenCalledWith({
+            environmentName: "bootstrapper-dev-cd",
+            owner: "pagopa",
+            repo: "dx",
+            secretName: "ARM_TENANT_ID",
+            secretValue: "tenant-1",
+        });
+        expect(createOrUpdateEnvironmentSecret).toHaveBeenCalledWith({
+            environmentName: "bootstrapper-dev-cd",
+            owner: "pagopa",
+            repo: "dx",
+            secretName: "ARM_SUBSCRIPTION_ID",
+            secretValue: "sub-1",
+        });
+        expect(createOrUpdateEnvironmentSecret).toHaveBeenCalledWith({
+            environmentName: "bootstrapper-dev-cd",
+            owner: "pagopa",
+            repo: "dx",
+            secretName: "GH_APP_ID",
+            secretValue: "app-id",
+        });
+        expect(createOrUpdateEnvironmentSecret).toHaveBeenCalledWith({
+            environmentName: "bootstrapper-dev-cd",
+            owner: "pagopa",
+            repo: "dx",
+            secretName: "GH_APP_INSTALLATION_ID",
+            secretValue: "installation-id",
+        });
+        expect(createOrUpdateEnvironmentSecret).toHaveBeenCalledWith({
+            environmentName: "bootstrapper-dev-cd",
+            owner: "pagopa",
+            repo: "dx",
+            secretName: "GH_APP_KEY",
+            secretValue: "private-key",
+        });
     });
 });

package/dist/adapters/azure/cloud-account-service.js

@@ -169,6 +169,7 @@ export class AzureCloudAccountService {
         const parameters = {
             location: cloudAccount.defaultLocation,
             tags: {
+                CreatedBy: "DX CLI",
                 Environment: name,
                 ...tags,
             },
@@ -185,6 +186,10 @@ export class AzureCloudAccountService {
             const identityClientId = identity.clientId;
             logger.debug("Created identity {identityName} in subscription {subscriptionId}", { identityName, subscriptionId: cloudAccount.id });
             const authorizationManagementClient = new AuthorizationManagementClient(this.#credential, cloudAccount.id);
+            const subscriptionClient = new SubscriptionClient(this.#credential);
+            const subscription = await subscriptionClient.subscriptions.get(cloudAccount.id);
+            assert.ok(subscription.tenantId, "Subscription tenant ID is undefined");
+            const tenantId = subscription.tenantId;
             const subscriptionScope = `/subscriptions/${cloudAccount.id}`;
             // Grant the bootstrap identity the Azure permissions it needs to operate autonomously in the bootstrap workflow.
             await Promise.all(bootstrapIdentityRoleDefinitionIds.map((roleDefinitionId) => authorizationManagementClient.roleAssignments.create(subscriptionScope, this.#createRoleAssignmentName(subscriptionScope, identityPrincipalId, roleDefinitionId), {
@@ -205,25 +210,14 @@ export class AzureCloudAccountService {
                 identityName,
                 subscriptionId: cloudAccount.id,
             });
-            // These secrets let the GitHub workflow target the bootstrap identity and subscription without extra setup.
-            await Promise.all([
-                gitHubService.createOrUpdateEnvironmentSecret({
-                    environmentName: githubEnvironmentName,
-                    owner: github.owner,
-                    repo: github.repo,
-                    secretName: "ARM_CLIENT_ID",
-                    secretValue: identityClientId,
-                }),
-                gitHubService.createOrUpdateEnvironmentSecret({
-                    environmentName: githubEnvironmentName,
-                    owner: github.owner,
-                    repo: github.repo,
-                    secretName: "ARM_SUBSCRIPTION_ID",
-                    secretValue: cloudAccount.id,
-                }),
-            ]);
-            logger.debug("Set GitHub environment secrets for {environmentName}", {
-                environmentName: githubEnvironmentName,
+            await this.#storeBootstrapperEnvironmentSecrets({
+                cloudAccountId: cloudAccount.id,
+                github,
+                githubEnvironmentName,
+                gitHubService,
+                identityClientId,
+                runnerAppCredentials,
+                tenantId,
             });
             const keyVaultName = await this.#createCommonKeyVault({
                 cloudAccount,
@@ -233,6 +227,7 @@ export class AzureCloudAccountService {
                 shortEnv: short.env,
                 shortLocation: short.location,
                 tags,
+                tenantId,
             });
             await this.#storeRunnerAppSecrets({
                 cloudAccountId: cloudAccount.id,
@@ -348,11 +343,8 @@ export class AzureCloudAccountService {
         }));
         return results.every(Boolean);
     }
-    async #createCommonKeyVault({ cloudAccount, name, prefix, resourceGroupName, shortEnv, shortLocation, tags, }) {
+    async #createCommonKeyVault({ cloudAccount, name, prefix, resourceGroupName, shortEnv, shortLocation, tags, tenantId, }) {
         const logger = getLogger(["gen", "env"]);
-        const subscriptionClient = new SubscriptionClient(this.#credential);
-        const subscription = await subscriptionClient.subscriptions.get(cloudAccount.id);
-        assert.ok(subscription.tenantId, "Subscription tenant ID is undefined");
         const kvClient = new KeyVaultManagementClient(this.#credential, cloudAccount.id);
         const keyVaultName = `${prefix}-${shortEnv}-${shortLocation}-common-kv-01`;
         const secretsProtectionEnabled = shortEnv === "p";
@@ -372,7 +364,7 @@ export class AzureCloudAccountService {
                     name: "standard",
                 },
                 softDeleteRetentionInDays: secretsProtectionEnabled ? 14 : 7,
-                tenantId: subscription.tenantId,
+                tenantId,
             },
             tags: {
                 Environment: name,
@@ -437,6 +429,57 @@ export class AzureCloudAccountService {
         }));
         logger.info("All resource providers registered on subscription {subscriptionId}", { subscriptionId });
     }
+    async #storeBootstrapperEnvironmentSecrets({ cloudAccountId, github, githubEnvironmentName, gitHubService, identityClientId, runnerAppCredentials, tenantId, }) {
+        const logger = getLogger(["gen", "env"]);
+        await Promise.all([
+            gitHubService.createOrUpdateEnvironmentSecret({
+                environmentName: githubEnvironmentName,
+                owner: github.owner,
+                repo: github.repo,
+                secretName: "ARM_CLIENT_ID",
+                secretValue: identityClientId,
+            }),
+            gitHubService.createOrUpdateEnvironmentSecret({
+                environmentName: githubEnvironmentName,
+                owner: github.owner,
+                repo: github.repo,
+                secretName: "ARM_TENANT_ID",
+                secretValue: tenantId,
+            }),
+            gitHubService.createOrUpdateEnvironmentSecret({
+                environmentName: githubEnvironmentName,
+                owner: github.owner,
+                repo: github.repo,
+                secretName: "ARM_SUBSCRIPTION_ID",
+                secretValue: cloudAccountId,
+            }),
+            gitHubService.createOrUpdateEnvironmentSecret({
+                environmentName: githubEnvironmentName,
+                owner: github.owner,
+                repo: github.repo,
+                secretName: "GH_APP_ID",
+                secretValue: runnerAppCredentials.id,
+            }),
+            gitHubService.createOrUpdateEnvironmentSecret({
+                environmentName: githubEnvironmentName,
+                owner: github.owner,
+                repo: github.repo,
+                secretName: "GH_APP_INSTALLATION_ID",
+                secretValue: runnerAppCredentials.installationId,
+            }),
+            gitHubService.createOrUpdateEnvironmentSecret({
+                environmentName: githubEnvironmentName,
+                owner: github.owner,
+                repo: github.repo,
+                secretName: "GH_APP_KEY",
+                secretValue: runnerAppCredentials.key.trimEnd(),
+            }),
+        ]);
+        logger.debug("Set GitHub environment secrets for {environmentName}", {
+            environmentName: githubEnvironmentName,
+            subscriptionId: cloudAccountId,
+        });
+    }
     async #storeRunnerAppSecrets({ cloudAccountId, keyVaultName, runnerAppCredentials, }) {
         const logger = getLogger(["gen", "env"]);
         const secretClient = new SecretClient(`https://${keyVaultName}.vault.azure.net/`, this.#credential);

package/dist/adapters/commander/__tests__/error-reporting.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/adapters/commander/__tests__/error-reporting.test.js

@@ -0,0 +1,63 @@
+import { ExecaError } from "execa";
+import { describe, expect, it } from "vitest";
+import { formatErrorDetailed, toErrorMessage } from "../error-reporting.js";
+describe("toErrorMessage", () => {
+    it("returns the string as-is when given a string", () => {
+        expect(toErrorMessage("oops")).toBe("oops");
+    });
+    it("returns 'Unknown error' for null/undefined", () => {
+        expect(toErrorMessage(null)).toBe("Unknown error");
+        expect(toErrorMessage(undefined)).toBe("Unknown error");
+    });
+    it("returns Error.message when given a plain Error", () => {
+        expect(toErrorMessage(new Error("boom"))).toBe("boom");
+    });
+    it("prefers ExecaError.shortMessage over message", () => {
+        const execaError = Object.assign(Object.create(ExecaError.prototype), {
+            message: "long noisy message with stderr",
+            shortMessage: "Command failed: terraform init",
+        });
+        expect(toErrorMessage(execaError)).toBe("Command failed: terraform init");
+    });
+    it("flattens AggregateError into a bulleted message", () => {
+        const aggregate = new AggregateError([new Error("first"), new Error("second")], "parent");
+        expect(toErrorMessage(aggregate)).toBe("parent\n  - first\n  - second");
+    });
+    it("extracts `message` property from plain objects when present", () => {
+        expect(toErrorMessage({ message: "from object" })).toBe("from object");
+    });
+    it("falls back to JSON.stringify for objects without message", () => {
+        expect(toErrorMessage({ code: 42 })).toBe('{"code":42}');
+    });
+});
+describe("formatErrorDetailed", () => {
+    it("renders name, message and stack for a single error", () => {
+        const err = new Error("top");
+        const formatted = formatErrorDetailed(err);
+        expect(formatted).toContain("Error: top");
+        expect(formatted).toContain("at ");
+    });
+    it("walks the cause chain", () => {
+        const root = new Error("root failure");
+        const middle = new Error("middle", { cause: root });
+        const top = new Error("top", { cause: middle });
+        const formatted = formatErrorDetailed(top);
+        expect(formatted).toContain("Error: top");
+        expect(formatted).toContain("Caused by: Error: middle");
+        expect(formatted).toContain("Caused by: Error: root failure");
+    });
+    it("terminates when encountering a cycle in the cause chain", () => {
+        const a = new Error("a");
+        const b = new Error("b", { cause: a });
+        a.cause = b;
+        const formatted = formatErrorDetailed(a);
+        expect(formatted).toContain("Error: a");
+        expect(formatted).toContain("Caused by: Error: b");
+    });
+    it("handles non-Error causes gracefully", () => {
+        const err = new Error("wrapped", { cause: "raw string cause" });
+        const formatted = formatErrorDetailed(err);
+        expect(formatted).toContain("Error: wrapped");
+        expect(formatted).toContain("Caused by: raw string cause");
+    });
+});

package/dist/adapters/commander/__tests__/exit-with-error.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/adapters/commander/__tests__/exit-with-error.test.js

@@ -0,0 +1,92 @@
+import { Command } from "commander";
+import { describe, expect, it } from "vitest";
+import { exitWithError, isVerbose } from "../index.js";
+/**
+ * Builds a parent command that exposes the global `--verbose` flag so that
+ * `optsWithGlobals()` behaves the same way it does on the real CLI.
+ */
+const makeProgramWith = (child, argv) => {
+    const program = new Command()
+        .name("dx")
+        .option("-v, --verbose", "verbose output", false)
+        .exitOverride()
+        .configureOutput({
+        writeErr: () => {
+            /* silence stderr in tests */
+        },
+        writeOut: () => {
+            /* silence stdout in tests */
+        },
+    });
+    child.exitOverride().configureOutput({
+        writeErr: () => {
+            /* silence */
+        },
+        writeOut: () => {
+            /* silence */
+        },
+    });
+    program.addCommand(child);
+    program.parse(argv, { from: "user" });
+    return program;
+};
+/**
+ * `exitWithError` always throws (Commander's `exitOverride()` converts the
+ * process.exit call into a CommanderError throw). This helper captures that
+ * throw so tests can assert on the thrown payload without putting `expect`
+ * inside a `catch` block (which vitest/no-conditional-expect disallows).
+ */
+const captureThrown = (fn) => {
+    try {
+        fn();
+    }
+    catch (error) {
+        return error;
+    }
+    throw new Error("expected the callback to throw");
+};
+describe("isVerbose", () => {
+    it("is false when --verbose is not provided", () => {
+        const cmd = new Command("run").action(() => undefined);
+        makeProgramWith(cmd, ["run"]);
+        expect(isVerbose(cmd)).toBe(false);
+    });
+    it("is true when -v is provided at the root", () => {
+        const cmd = new Command("run").action(() => undefined);
+        makeProgramWith(cmd, ["-v", "run"]);
+        expect(isVerbose(cmd)).toBe(true);
+    });
+    it("is true when --verbose is provided at the root", () => {
+        const cmd = new Command("run").action(() => undefined);
+        makeProgramWith(cmd, ["--verbose", "run"]);
+        expect(isVerbose(cmd)).toBe(true);
+    });
+});
+describe("exitWithError", () => {
+    it("reports only the message in normal mode", () => {
+        const cmd = new Command("run").action(() => undefined);
+        makeProgramWith(cmd, ["run"]);
+        const err = new Error("outer", { cause: new Error("inner secret") });
+        expect(() => exitWithError(cmd)(err)).toThrow(/outer/);
+        const thrown = captureThrown(() => exitWithError(cmd)(err));
+        const message = String(thrown?.message ?? thrown);
+        expect(message).not.toContain("Caused by");
+        expect(message).not.toContain("inner secret");
+    });
+    it("includes the cause chain and stack trace in verbose mode", () => {
+        const cmd = new Command("run").action(() => undefined);
+        makeProgramWith(cmd, ["--verbose", "run"]);
+        const root = new Error("root cause");
+        const err = new Error("surface", { cause: root });
+        const thrown = captureThrown(() => exitWithError(cmd)(err));
+        const message = String(thrown?.message ?? thrown);
+        expect(message).toContain("Error: surface");
+        expect(message).toContain("Caused by: Error: root cause");
+        expect(message).toContain("at ");
+    });
+    it("works with non-Error values", () => {
+        const cmd = new Command("run").action(() => undefined);
+        makeProgramWith(cmd, ["run"]);
+        expect(() => exitWithError(cmd)("plain string failure")).toThrow(/plain string failure/);
+    });
+});

package/dist/adapters/commander/commands/__tests__/preconditions.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/adapters/commander/commands/__tests__/preconditions.test.js

@@ -0,0 +1,32 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+const mocks = vi.hoisted(() => ({
+    oraPromise: vi.fn((promise) => promise),
+    tf$: vi.fn(async (...args) => {
+        void args;
+        return { stdout: '{"user":{"name":"test@example.com"}}' };
+    }),
+}));
+vi.mock("ora", () => ({ oraPromise: mocks.oraPromise }));
+vi.mock("../../../execa/terraform.js", () => ({ tf$: mocks.tf$ }));
+import { checkAddEnvironmentPreconditions, checkInitPreconditions, } from "../init.js";
+const calledCommands = () => mocks.tf$.mock.calls.map(([strings, ...values]) => strings.reduce((command, part, index) => command + part + String(values[index] ?? ""), ""));
+describe("init preconditions", () => {
+    beforeEach(() => {
+        vi.clearAllMocks();
+    });
+    it("checkInitPreconditions does not require Azure login", async () => {
+        const result = await checkInitPreconditions();
+        expect(result.isOk()).toBe(true);
+        expect(calledCommands()).toEqual(["terraform -version", "corepack -v"]);
+    });
+    it("checkAddEnvironmentPreconditions requires Azure login", async () => {
+        const result = await checkAddEnvironmentPreconditions();
+        expect(result.isOk()).toBe(true);
+        expect(calledCommands()).toEqual([
+            "terraform -version",
+            "az account show",
+            "az group list",
+            "corepack -v",
+        ]);
+    });
+});

package/dist/adapters/commander/commands/add.js

@@ -15,7 +15,8 @@ import { requestAuthorizationInputSchema, } from "../../../domain/authorization.
 import { environmentShort } from "../../../domain/environment.js";
 import { isAzureLocation, locationShort } from "../../azure/locations.js";
 import { getPlopInstance, runDeploymentEnvironmentGenerator, } from "../../plop/index.js";
-import { checkPreconditions } from "./init.js";
+import { exitWithError } from "../index.js";
+import { checkAddEnvironmentPreconditions } from "./init.js";
 /**
  * Authorize a Cloud Account (Azure Subscription, AWS Account, ...), creating a Pull Request for each account that requires authorization.
  */
@@ -69,9 +70,11 @@ const displaySummary = (result) => {
     }
     console.log(`${step}. Visit ${chalk.underline("https://dx.pagopa.it/getting-started")} to deploy your first project\n`);
 };
-const addEnvironmentAction = (authorizationService, gitHubService) => checkPreconditions()
-    .andThen(() => ResultAsync.fromPromise(getPlopInstance(), () => new Error("Failed to initialize plop")))
-    .andThen((plop) => ResultAsync.fromPromise(runDeploymentEnvironmentGenerator(plop, gitHubService), () => new Error("Failed to run the deployment environment generator")))
+const addEnvironmentAction = (authorizationService, gitHubService) => checkAddEnvironmentPreconditions()
+    .andThen(() => ResultAsync.fromPromise(getPlopInstance(), (cause) => new Error("Failed to initialize plop", { cause })))
+    .andThen((plop) => ResultAsync.fromPromise(runDeploymentEnvironmentGenerator(plop, gitHubService), (cause) => new Error("Failed to run the deployment environment generator", {
+    cause,
+})))
     .andThen((payload) => authorizeCloudAccounts(authorizationService)(payload).map((authorizationPrs) => ({
     authorizationPrs,
 })));
@@ -83,7 +86,7 @@ export const makeAddCommand = (deps) => new Command()
     .action(async function () {
     const result = await addEnvironmentAction(deps.authorizationService, deps.gitHubService);
     if (result.isErr()) {
-        this.error(result.error.message);
+        exitWithError(this)(result.error);
     }
     else {
         displaySummary(result.value);

package/dist/adapters/commander/commands/codemod.js

@@ -1,5 +1,6 @@
 import { getLogger } from "@logtape/logtape";
 import { Command } from "commander";
+import { exitWithError } from "../index.js";
 export const makeCodemodCommand = ({ applyCodemodById, listCodemods, }) => new Command("codemod")
     .description("Manage and apply migration scripts to the repository")
     .addCommand(new Command("list")
@@ -7,7 +8,7 @@ export const makeCodemodCommand = ({ applyCodemodById, listCodemods, }) => new C
     .action(async function () {
     await listCodemods()
         .andTee((codemods) => console.table(codemods, ["id", "description"]))
-        .orTee((error) => this.error(error.message));
+        .orTee(exitWithError(this));
 }))
     .addCommand(new Command("apply")
     .argument("<id>", "The id of the codemod to apply")
@@ -18,5 +19,5 @@ export const makeCodemodCommand = ({ applyCodemodById, listCodemods, }) => new C
         .andTee(() => {
         logger.info("Codemod applied ✅");
     })
-        .orTee((error) => this.error(error.message));
+        .orTee(exitWithError(this));
 }));

package/dist/adapters/commander/commands/init.d.ts

@@ -1,7 +1,15 @@
 import { Command } from "commander";
 import { ResultAsync } from "neverthrow";
 import { GitHubService } from "../../../domain/github.js";
-export declare const checkPreconditions: () => ResultAsync<import("execa").Result<{
+export declare const checkInitPreconditions: () => ResultAsync<import("execa").Result<{
+    environment: {
+        NO_COLOR: string;
+        TF_IN_AUTOMATION: string;
+        TF_INPUT: string;
+    };
+    shell: true;
+}>, Error>;
+export declare const checkAddEnvironmentPreconditions: () => ResultAsync<import("execa").Result<{
     environment: {
         NO_COLOR: string;
         TF_IN_AUTOMATION: string;

package/dist/adapters/commander/commands/init.js

@@ -54,7 +54,8 @@ const ensureAzLogin = async () => {
 };
 const checkAzLogin = () => withSpinner("Check Azure login status...", (userName) => `You are logged in to Azure (${userName})`, "Please log in to Azure CLI using `az login` before running this command.", ensureAzLogin());
 // TODO(CES-1810): Make these checks concurrent to speed up the preconditions check phase
-export const checkPreconditions = () => checkTerraformCliIsInstalled()
+export const checkInitPreconditions = () => checkTerraformCliIsInstalled().andThen(() => checkCorepackIsInstalled());
+export const checkAddEnvironmentPreconditions = () => checkTerraformCliIsInstalled()
     .andThen(() => checkAzLogin())
     .andThen(() => checkCorepackIsInstalled());
 const createRemoteRepository = ({ repoName, repoOwner, }) => {
@@ -115,14 +116,14 @@ const handleGeneratorError = (err) => {
     if (err instanceof Error) {
         logger.error(err.message);
     }
-    return new Error("Failed to run the generator");
+    return new Error("Failed to run the generator", { cause: err });
 };
 export const makeInitCommand = ({ gitHubService, }) => new Command()
     .name("init")
     .description("Initialize a new DX workspace")
     .action(async function () {
-    await checkPreconditions()
-        .andThen(() => ResultAsync.fromPromise(getPlopInstance(), () => new Error("Failed to initialize plop")))
+    await checkInitPreconditions()
+        .andThen(() => ResultAsync.fromPromise(getPlopInstance(), (cause) => new Error("Failed to initialize plop", { cause })))
         .andThen((plop) => ResultAsync.fromPromise(runMonorepoGenerator(plop, gitHubService), handleGeneratorError))
         .andTee((payload) => {
         process.chdir(payload.repoName);

package/dist/adapters/commander/commands/savemoney.js

@@ -1,14 +1,15 @@
 import { azure, loadConfig } from "@pagopa/dx-savemoney";
 import { Command } from "commander";
+import { exitWithError } from "../index.js";
 export const makeSavemoneyCommand = () => new Command("savemoney")
     .description("Analyze Azure subscriptions and report unused or inefficient resources")
     .option("-c, --config <path>", "Path to YAML configuration file")
     .option("-f, --format <format>", "Report format: json, table, detailed-json, or lint (default: table)", "table")
     .option("-l, --location <string>", "Preferred Azure location for resources (overrides config file)", "italynorth")
     .option("-d, --days <number>", "Number of days for metrics analysis (overrides config file)", "30")
-    .option("-v, --verbose", "Enable verbose logging")
     .option("-t, --tags <tags...>", "Filter resources by tags (key=value key2=value2). Only resources matching ALL specified tags are analyzed.")
     .action(async function (options) {
+    const { verbose } = this.optsWithGlobals();
     try {
         // Load configuration from YAML (includes subscriptionIds, location, timespanDays, thresholds)
         const config = await loadConfig(options.config);
@@ -19,13 +20,15 @@ export const makeSavemoneyCommand = () => new Command("savemoney")
             filterTags,
             preferredLocation: options.location || config.preferredLocation,
             timespanDays: Number.parseInt(options.days, 10) || config.timespanDays,
-            verbose: options.verbose || false,
+            verbose: verbose ?? false,
         };
         // Run analysis
         await azure.analyzeAzureResources(finalConfig, options.format);
     }
     catch (error) {
-        this.error(`Analysis failed: ${error instanceof Error ? error.message : error}`);
+        exitWithError(this)(error instanceof Error
+            ? new Error(`Analysis failed: ${error.message}`, { cause: error })
+            : new Error(`Analysis failed: ${String(error)}`));
     }
 });
 /**

package/dist/adapters/commander/error-reporting.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Safely converts an unknown value to a human-readable error message.
+ * Preserves ExecaError.shortMessage when available and flattens AggregateError.
+ */
+export declare const toErrorMessage: (value: unknown) => string;
+/**
+ * Builds a detailed, multi-line representation of an error suitable for
+ * `--verbose` output: includes the full `cause` chain and stack traces.
+ */
+export declare const formatErrorDetailed: (value: unknown) => string;

package/dist/adapters/commander/error-reporting.js

@@ -0,0 +1,68 @@
+import { ExecaError } from "execa";
+/**
+ * Safely converts an unknown value to a human-readable error message.
+ * Preserves ExecaError.shortMessage when available and flattens AggregateError.
+ */
+export const toErrorMessage = (value) => {
+    if (value === null || value === undefined) {
+        return "Unknown error";
+    }
+    if (typeof value === "string") {
+        return value;
+    }
+    if (value instanceof ExecaError) {
+        return value.shortMessage || value.message || String(value);
+    }
+    if (value instanceof AggregateError) {
+        const parts = value.errors.map((inner) => toErrorMessage(inner));
+        return [value.message, ...parts].filter(Boolean).join("\n  - ");
+    }
+    if (value instanceof Error) {
+        return value.message || value.name || "Error";
+    }
+    if (typeof value === "object") {
+        const maybeMessage = value.message;
+        if (typeof maybeMessage === "string" && maybeMessage.length > 0) {
+            return maybeMessage;
+        }
+        try {
+            return JSON.stringify(value);
+        }
+        catch {
+            return String(value);
+        }
+    }
+    return String(value);
+};
+/**
+ * Builds a detailed, multi-line representation of an error suitable for
+ * `--verbose` output: includes the full `cause` chain and stack traces.
+ */
+export const formatErrorDetailed = (value) => {
+    const lines = [];
+    const seen = new Set();
+    let current = value;
+    let depth = 0;
+    while (current !== undefined && current !== null && !seen.has(current)) {
+        seen.add(current);
+        const prefix = depth === 0 ? "" : "Caused by: ";
+        if (current instanceof Error) {
+            lines.push(`${prefix}${current.name}: ${toErrorMessage(current)}`);
+            if (current.stack) {
+                // `stack` usually starts with "Name: message"; drop the first line to
+                // avoid duplication with the header we just printed.
+                const stackBody = current.stack.split("\n").slice(1).join("\n");
+                if (stackBody.trim().length > 0) {
+                    lines.push(stackBody);
+                }
+            }
+            current = current.cause;
+        }
+        else {
+            lines.push(`${prefix}${toErrorMessage(current)}`);
+            current = undefined;
+        }
+        depth += 1;
+    }
+    return lines.join("\n");
+};

package/dist/adapters/commander/index.d.ts

@@ -3,5 +3,21 @@ import { Config } from "../../config.js";
 import { Dependencies } from "../../domain/dependencies.js";
 import { CodemodCommandDependencies } from "./commands/codemod.js";
 export type CliDependencies = CodemodCommandDependencies;
+export type GlobalOptions = {
+    verbose?: boolean;
+};
+/**
+ * Returns true when the global `--verbose` flag is active on the closest
+ * ancestor command that defines it (the root `dx` program in our CLI).
+ */
+export declare const isVerbose: (command: Command) => boolean;
 export declare const makeCli: (deps: Dependencies, config: Config, cliDeps: CliDependencies, version: string) => Command;
-export declare const exitWithError: (command: Command) => (error: Error) => never;
+/**
+ * Builds a failure handler that ends the command via Commander's
+ * `Command#error`, with an output tailored to the active verbosity.
+ *
+ * - In normal mode, a single meaningful line is printed.
+ * - When `--verbose` is active, the full cause chain and stack trace are
+ *   included so users can diagnose the underlying failure.
+ */
+export declare const exitWithError: (command: Command) => (error: unknown) => never;

package/dist/adapters/commander/index.js

@@ -5,9 +5,19 @@ import { makeDoctorCommand } from "./commands/doctor.js";
 import { makeInfoCommand } from "./commands/info.js";
 import { makeInitCommand } from "./commands/init.js";
 import { makeSavemoneyCommand } from "./commands/savemoney.js";
+import { formatErrorDetailed, toErrorMessage } from "./error-reporting.js";
+/**
+ * Returns true when the global `--verbose` flag is active on the closest
+ * ancestor command that defines it (the root `dx` program in our CLI).
+ */
+export const isVerbose = (command) => command.optsWithGlobals().verbose === true;
 export const makeCli = (deps, config, cliDeps, version) => {
     const program = new Command();
-    program.name("dx").description("The CLI for DX-Platform").version(version);
+    program
+        .name("dx")
+        .description("The CLI for DX-Platform")
+        .version(version)
+        .option("-v, --verbose", "Enable verbose output: debug-level logs and full error chain (with stack traces) when a command fails", false);
     program.addCommand(makeDoctorCommand(deps, config));
     program.addCommand(makeCodemodCommand(cliDeps));
     program.addCommand(makeInitCommand(deps));
@@ -16,6 +26,17 @@ export const makeCli = (deps, config, cliDeps, version) => {
     program.addCommand(makeAddCommand(deps));
     return program;
 };
+/**
+ * Builds a failure handler that ends the command via Commander's
+ * `Command#error`, with an output tailored to the active verbosity.
+ *
+ * - In normal mode, a single meaningful line is printed.
+ * - When `--verbose` is active, the full cause chain and stack trace are
+ *   included so users can diagnose the underlying failure.
+ */
 export const exitWithError = (command) => (error) => {
-    command.error(error.message);
+    const message = isVerbose(command)
+        ? formatErrorDetailed(error)
+        : toErrorMessage(error);
+    command.error(message);
 };

package/dist/adapters/plop/__tests__/run-actions.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/adapters/plop/__tests__/run-actions.test.js

@@ -0,0 +1,68 @@
+/**
+ * Tests for the internal `runActions` helper that coordinates plop's
+ * generator execution and surfaces meaningful error messages (CES-1923).
+ */
+import { describe, expect, it } from "vitest";
+import { mock } from "vitest-mock-extended";
+import { runActions } from "../index.js";
+const makeGenerator = (result) => {
+    const generator = mock();
+    generator.runActions.mockResolvedValue(result);
+    return generator;
+};
+describe("runActions", () => {
+    it("resolves silently when there are no failures", async () => {
+        const generator = makeGenerator({ changes: [], failures: [] });
+        await expect(runActions(generator, {})).resolves.toBeUndefined();
+    });
+    it("ignores 'Aborted due to previous action failure' entries", async () => {
+        const generator = makeGenerator({
+            changes: [],
+            failures: [
+                {
+                    error: "Aborted due to previous action failure",
+                    path: "",
+                    type: "add",
+                },
+            ],
+        });
+        await expect(runActions(generator, {})).resolves.toBeUndefined();
+    });
+    it("surfaces the original failure message (no more 'undefined')", async () => {
+        const generator = makeGenerator({
+            changes: [],
+            failures: [
+                {
+                    error: "Failed to create the key vault: quota exceeded",
+                    path: "",
+                    type: "initCloudAccounts",
+                },
+            ],
+        });
+        await expect(runActions(generator, {})).rejects.toThrow(/initCloudAccounts.*Failed to create the key vault: quota exceeded/);
+    });
+    it("aggregates multiple failures into the thrown message", async () => {
+        const generator = makeGenerator({
+            changes: [],
+            failures: [
+                { error: "Missing template", path: "", type: "add" },
+                {
+                    error: "Aborted due to previous action failure",
+                    path: "",
+                    type: "modify",
+                },
+                { error: "Permission denied", path: "", type: "initCloudAccounts" },
+            ],
+        });
+        await expect(runActions(generator, {})).rejects.toThrow(/add: Missing template.*initCloudAccounts: Permission denied/s);
+    });
+    it("falls back to 'unknown error' when plop provides no error string", async () => {
+        const generator = makeGenerator({
+            changes: [],
+            failures: [
+                { error: undefined, path: "", type: "add" },
+            ],
+        });
+        await expect(runActions(generator, {})).rejects.toThrow(/unknown error/);
+    });
+});

package/dist/adapters/plop/index.d.ts

@@ -1,10 +1,12 @@
-import type { NodePlopAPI } from "plop";
+import type { NodePlopAPI, PlopGenerator } from "plop";
+import { Answers } from "inquirer";
 import { GitHubRepo } from "../../domain/github-repo.js";
 import { GitHubService } from "../../domain/github.js";
 import { Payload as EnvironmentPayload } from "../plop/generators/environment/index.js";
 import { Payload as MonorepoPayload } from "../plop/generators/monorepo/index.js";
 export declare const setMonorepoGenerator: (plop: NodePlopAPI) => void;
 export declare const getPlopInstance: () => Promise<NodePlopAPI>;
+export declare const runActions: (generator: PlopGenerator, payload: Answers) => Promise<void>;
 export declare const runMonorepoGenerator: (plop: NodePlopAPI, githubService: GitHubService) => Promise<MonorepoPayload>;
 /**
  * Run the deployment environment generator

package/dist/adapters/plop/index.js

@@ -26,19 +26,27 @@ const validatePayload = async (payload, github) => {
     }
 };
 export const getPlopInstance = async () => nodePlop();
-const runActions = async (generator, payload) => {
+export const runActions = async (generator, payload) => {
     const logger = getLogger(["dx-cli", "init"]);
     const result = await generator.runActions(payload);
     if (result.failures.length > 0) {
-        for (const failure of result.failures) {
-            if (failure.error === "Aborted due to previous action failure") {
-                continue;
-            }
-            logger.error(`Error on {type} step. ${failure.message}`, {
-                type: failure.type,
+        // Collect every failure to report rich context. node-plop's failure
+        // objects have shape `{ type, path, error }` (the `error` property holds
+        // the original error's message — see node-plop's generator-runner.js).
+        const relevant = result.failures.filter((failure) => failure.error !== "Aborted due to previous action failure");
+        if (relevant.length === 0) {
+            return;
+        }
+        const summary = relevant
+            .map((failure) => `${failure.type || "action"}: ${failure.error ?? "unknown error"}`)
+            .join("; ");
+        for (const failure of relevant) {
+            logger.error("Error on {type} step: {error}", {
+                error: failure.error ?? "unknown error",
+                type: failure.type || "action",
             });
-            throw new Error("One or more actions failed during generation.");
         }
+        throw new Error(`One or more actions failed during generation (${summary}).`);
     }
 };
 export const runMonorepoGenerator = async (plop, githubService) => {

package/dist/index.js

@@ -1,4 +1,5 @@
 import "core-js/actual/set/index.js";
+import { configure, getConsoleSink } from "@logtape/logtape";
 import * as assert from "node:assert/strict";
 import { Octokit } from "octokit";
 import codemodRegistry from "./adapters/codemods/index.js";
@@ -13,7 +14,42 @@ import { getInfo } from "./domain/info.js";
 import { applyCodemodById } from "./use-cases/apply-codemod.js";
 import { listCodemods } from "./use-cases/list-codemods.js";
 import { requestAuthorization } from "./use-cases/request-authorization.js";
+/**
+ * Returns `true` when `-v` or `--verbose` is present in argv.
+ *
+ * We inspect argv directly — instead of relying on Commander — because the
+ * logtape configuration must be in place before any command handler runs
+ * (including the ones that emit debug logs while parsing prompts).
+ */
+const detectVerboseFromArgv = (argv) => argv.includes("-v") || argv.includes("--verbose");
+const configureLogging = async (verbose) => {
+    const level = verbose ? "debug" : "info";
+    await configure({
+        loggers: [
+            { category: ["dx-cli"], lowestLevel: level, sinks: ["console"] },
+            // The environment generator (`gen.env`) emits debug messages about
+            // provisioned Azure resources; surfacing them is the main value of
+            // `--verbose` when running `dx init` / `dx add environment`.
+            { category: ["gen"], lowestLevel: level, sinks: ["console"] },
+            // `savemoney` already emits structured debug output by default.
+            { category: ["savemoney"], lowestLevel: "debug", sinks: ["console"] },
+            { category: ["json"], lowestLevel: "info", sinks: ["rawJson"] },
+            {
+                category: ["logtape", "meta"],
+                lowestLevel: "warning",
+                sinks: ["console"],
+            },
+        ],
+        sinks: {
+            console: getConsoleSink(),
+            rawJson(record) {
+                console.log(record.rawMessage);
+            },
+        },
+    });
+};
 export const runCli = async (version) => {
+    await configureLogging(detectVerboseFromArgv(process.argv));
     // Creating the adapters
     const repositoryReader = makeRepositoryReader();
     const packageJsonReader = makePackageJsonReader();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/dx-cli",
-  "version": "0.20.2",
+  "version": "0.21.1",
   "type": "module",
   "description": "A CLI useful to manage DX tools.",
   "repository": {
@@ -31,7 +31,7 @@
     "@azure/identity": "^4.13.1",
     "@azure/keyvault-secrets": "^4.11.1",
     "@azure/storage-blob": "^12.31.0",
-    "@logtape/logtape": "^1.3.7",
+    "@logtape/logtape": "^1.3.8",
     "@microsoft/microsoft-graph-client": "^3.0.7",
     "chalk": "^5.6.2",
     "commander": "^14.0.3",
@@ -39,16 +39,16 @@
     "execa": "^9.6.1",
     "glob": "^11.1.0",
     "inquirer": "^9.3.8",
-    "libsodium-wrappers": "^0.8.2",
+    "libsodium-wrappers": "^0.8.4",
     "neverthrow": "^8.2.0",
     "node-plop": "^0.32.3",
     "octokit": "^5.0.5",
-    "ora": "^9.3.0",
+    "ora": "^9.4.0",
     "replace-in-file": "^8.4.0",
     "semver": "^7.7.4",
-    "yaml": "^2.8.3",
-    "zod": "^4.3.6",
-    "@pagopa/dx-savemoney": "^0.2.4"
+    "yaml": "^2.8.4",
+    "zod": "^4.4.2",
+    "@pagopa/dx-savemoney": "^0.2.5"
   },
   "devDependencies": {
     "@tsconfig/node24": "24.0.4",
@@ -57,14 +57,14 @@
     "@types/node": "^22.19.17",
     "@types/semver": "^7.7.1",
     "@vitest/coverage-v8": "^3.2.4",
-    "eslint": "^10.2.0",
-    "memfs": "^4.57.1",
+    "eslint": "^10.3.0",
+    "memfs": "^4.57.2",
     "plop": "^4.0.5",
     "prettier": "3.8.3",
     "typescript": "~5.9.3",
     "vitest": "^3.2.4",
     "vitest-mock-extended": "^3.1.1",
-    "@pagopa/eslint-config": "^6.0.3"
+    "@pagopa/eslint-config": "^6.0.4"
   },
   "engines": {
     "node": ">=22.0.0"

package/templates/environment/workflow/_release-terraform-apply-bootstrapper-{{env.name}}.yaml.hbs

@@ -9,6 +9,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   release:

package/templates/monorepo/.prettierignore

@@ -2,4 +2,5 @@
 **/*.hbs
 
 # Ignore built files
-dist
+dist
+CHANGELOG.md