devvami 1.1.2 → 1.2.0

package/oclif.manifest.json

@@ -273,6 +273,29 @@
         "upgrade.js"
       ]
     },
+    "welcome": {
+      "aliases": [],
+      "args": {},
+      "description": "Show the dvmi mission dashboard with animated intro",
+      "examples": [
+        "<%= config.bin %> welcome"
+      ],
+      "flags": {},
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "welcome",
+      "pluginAlias": "devvami",
+      "pluginName": "devvami",
+      "pluginType": "core",
+      "strict": true,
+      "enableJsonFlag": false,
+      "isESM": true,
+      "relativePath": [
+        "src",
+        "commands",
+        "welcome.js"
+      ]
+    },
     "whoami": {
       "aliases": [],
       "args": {},
@@ -1346,6 +1369,46 @@
         "list.js"
       ]
     },
+    "security:setup": {
+      "aliases": [],
+      "args": {},
+      "description": "Interactive wizard to install and configure credential protection tools (aws-vault, pass, GPG, Git Credential Manager, macOS Keychain)",
+      "examples": [
+        "<%= config.bin %> security setup",
+        "<%= config.bin %> security setup --json"
+      ],
+      "flags": {
+        "json": {
+          "description": "Format output as json.",
+          "helpGroup": "GLOBAL",
+          "name": "json",
+          "allowNo": false,
+          "type": "boolean"
+        },
+        "help": {
+          "char": "h",
+          "description": "Show CLI help.",
+          "name": "help",
+          "allowNo": false,
+          "type": "boolean"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "security:setup",
+      "pluginAlias": "devvami",
+      "pluginName": "devvami",
+      "pluginType": "core",
+      "strict": true,
+      "enableJsonFlag": true,
+      "isESM": true,
+      "relativePath": [
+        "src",
+        "commands",
+        "security",
+        "setup.js"
+      ]
+    },
     "tasks:assigned": {
       "aliases": [],
       "args": {},
@@ -1498,5 +1561,5 @@
       ]
     }
   },
-  "version": "1.1.2"
+  "version": "1.2.0"
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "devvami",
   "description": "DevEx CLI for developers and teams — manage repos, PRs, pipelines, tasks, and costs from the terminal",
-  "version": "1.1.2",
+  "version": "1.2.0",
   "author": "",
   "type": "module",
   "bin": {

package/src/commands/init.js

@@ -2,7 +2,7 @@ import { Command, Flags } from '@oclif/core'
 import chalk from 'chalk'
 import ora from 'ora'
 import { confirm, input, select } from '@inquirer/prompts'
-import { printBanner } from '../utils/banner.js'
+import { printWelcomeScreen } from '../utils/welcome.js'
 import { typewriterLine } from '../utils/typewriter.js'
 import { detectPlatform } from '../services/platform.js'
 import { exec, which } from '../services/shell.js'
@@ -32,7 +32,7 @@ export default class Init extends Command {
     const isDryRun = flags['dry-run']
     const isJson = flags.json
 
-    if (!isJson) await printBanner()
+    if (!isJson) await printWelcomeScreen(this.config.version)
 
     const platform = await detectPlatform()
     const steps = []

package/src/commands/prompts/run.js

@@ -1,7 +1,7 @@
 import { Command, Args, Flags } from '@oclif/core'
 import ora from 'ora'
 import chalk from 'chalk'
-import { select } from '@inquirer/prompts'
+import { select, confirm } from '@inquirer/prompts'
 import { join } from 'node:path'
 import { readdir } from 'node:fs/promises'
 import { resolveLocalPrompt, invokeTool, SUPPORTED_TOOLS } from '../../services/prompts.js'
@@ -176,6 +176,24 @@ export default class PromptsRun extends Command {
     this.log(chalk.bold(`\nRunning: ${chalk.hex('#FF9A5C')(prompt.title)}`))
     this.log(chalk.dim(`  Tool: ${toolName}`) + '\n')
 
+    // Security: show a preview of the prompt content and ask for confirmation.
+    // This protects against prompt injection from tampered local files (originally
+    // downloaded from remote repositories). Skipped in CI/non-interactive environments.
+    if (!process.env.CI && process.stdin.isTTY) {
+      const preview = prompt.body.length > 500
+        ? prompt.body.slice(0, 500) + chalk.dim('\n…[truncated]')
+        : prompt.body
+      this.log(chalk.yellow('Prompt preview:'))
+      this.log(chalk.dim('─'.repeat(50)))
+      this.log(chalk.dim(preview))
+      this.log(chalk.dim('─'.repeat(50)) + '\n')
+      const ok = await confirm({ message: `Run this prompt with ${toolName}?`, default: true })
+      if (!ok) {
+        this.log(chalk.dim('Aborted.'))
+        return
+      }
+    }
+
     // Invoke tool
     try {
       await invokeTool(toolName, prompt.body)

package/src/commands/security/setup.js

@@ -0,0 +1,249 @@
+import { Command, Flags } from '@oclif/core'
+import { confirm, select } from '@inquirer/prompts'
+import ora from 'ora'
+import chalk from 'chalk'
+import { execa } from 'execa'
+import { detectPlatform } from '../../services/platform.js'
+import { exec } from '../../services/shell.js'
+import { buildSteps, checkToolStatus, listGpgKeys, deriveOverallStatus } from '../../services/security.js'
+import { formatEducationalIntro, formatStepHeader, formatSecuritySummary } from '../../formatters/security.js'
+/** @import { SetupSession, SetupStep, StepResult, PlatformInfo } from '../../types.js' */
+
+export default class SecuritySetup extends Command {
+  static description = 'Interactive wizard to install and configure credential protection tools (aws-vault, pass, GPG, Git Credential Manager, macOS Keychain)'
+
+  static examples = [
+    '<%= config.bin %> security setup',
+    '<%= config.bin %> security setup --json',
+  ]
+
+  static enableJsonFlag = true
+
+  static flags = {
+    help: Flags.help({ char: 'h' }),
+  }
+
+  async run() {
+    const { flags } = await this.parse(SecuritySetup)
+    const isJson = flags.json
+
+    // FR-018: Detect non-interactive environments
+    const isCI = process.env.CI === 'true'
+    const isNonInteractive = !process.stdout.isTTY
+
+    if ((isCI || isNonInteractive) && !isJson) {
+      this.error(
+        'This command requires an interactive terminal (TTY). Run with --json for a non-interactive health check.',
+        { exit: 1 },
+      )
+    }
+
+    // Detect platform
+    const platformInfo = await detectPlatform()
+    const { platform } = platformInfo
+
+    // FR-019: Sudo pre-flight on Linux/WSL2
+    if (platform !== 'macos' && !isJson) {
+      const sudoCheck = await exec('sudo', ['-n', 'true'])
+      if (sudoCheck.exitCode !== 0) {
+        this.error(
+          'sudo access is required to install packages. Run `sudo -v` to authenticate and retry.',
+          { exit: 1 },
+        )
+      }
+    }
+
+    // --json branch: health check only (no interaction)
+    if (isJson) {
+      const tools = await checkToolStatus(platform)
+      const overallStatus = deriveOverallStatus(tools)
+      return {
+        platform,
+        selection: null,
+        tools,
+        overallStatus,
+      }
+    }
+
+    // ---------------------------------------------------------------------------
+    // Pre-check: show current tool status
+    // ---------------------------------------------------------------------------
+    const spinner = ora({ spinner: 'arc', color: false, text: chalk.hex('#FF6B2B')('Checking current tool status...') }).start()
+    const currentStatus = await checkToolStatus(platform)
+    spinner.stop()
+
+    const anyInstalled = currentStatus.some((t) => t.status === 'installed' && t.status !== 'n/a')
+    if (anyInstalled) {
+      this.log(chalk.bold('\nCurrent security tool status:'))
+      for (const tool of currentStatus) {
+        if (tool.status === 'n/a') continue
+        let badge
+        if (tool.status === 'installed') badge = chalk.green('✔')
+        else if (tool.status === 'misconfigured') badge = chalk.yellow('⚠')
+        else badge = chalk.red('✗')
+        const versionStr = tool.version ? chalk.gray(` ${tool.version}`) : ''
+        this.log(`  ${badge}  ${tool.displayName}${versionStr}`)
+        if (tool.hint) this.log(chalk.dim(`       → ${tool.hint}`))
+      }
+      this.log('')
+    }
+
+    // ---------------------------------------------------------------------------
+    // FR-002 / FR-003: Educational intro + confirmation
+    // ---------------------------------------------------------------------------
+    this.log(formatEducationalIntro())
+    this.log('')
+
+    const understood = await confirm({
+      message: 'I understand and want to protect my credentials',
+      default: true,
+    })
+    if (!understood) {
+      this.log('Setup cancelled.')
+      return { platform, selection: null, tools: currentStatus, overallStatus: deriveOverallStatus(currentStatus) }
+    }
+
+    // ---------------------------------------------------------------------------
+    // FR-004: Selection menu
+    // ---------------------------------------------------------------------------
+    const selectionValue = await select({
+      message: 'What would you like to set up?',
+      choices: [
+        { name: 'Both AWS and Git credentials (recommended)', value: 'both' },
+        { name: 'AWS credentials only (aws-vault)', value: 'aws' },
+        { name: 'Git credentials only (macOS Keychain / GCM)', value: 'git' },
+      ],
+    })
+
+    /** @type {'aws'|'git'|'both'} */
+    const selection = /** @type {any} */ (selectionValue)
+
+    // ---------------------------------------------------------------------------
+    // GPG key prompt (Linux/WSL2 + AWS selected)
+    // ---------------------------------------------------------------------------
+    let gpgId = ''
+    if (platform !== 'macos' && (selection === 'aws' || selection === 'both')) {
+      const existingKeys = await listGpgKeys()
+
+      if (existingKeys.length > 0) {
+        const choices = [
+          ...existingKeys.map((k) => ({
+            name: `${k.name} <${k.email}> (${k.id})`,
+            value: k.id,
+          })),
+          { name: 'Create a new GPG key', value: '__new__' },
+        ]
+        const chosen = await select({
+          message: 'Select a GPG key for pass and Git Credential Manager:',
+          choices,
+        })
+        if (chosen !== '__new__') gpgId = /** @type {string} */ (chosen)
+      }
+      // If no keys or user chose __new__, gpgId stays '' and the create-gpg-key step will run interactively
+    }
+
+    // ---------------------------------------------------------------------------
+    // Build steps
+    // ---------------------------------------------------------------------------
+    const steps = buildSteps(platformInfo, selection, { gpgId })
+
+    /** @type {SetupSession} */
+    const session = {
+      platform,
+      selection,
+      steps,
+      results: new Map(),
+      overallStatus: 'in-progress',
+    }
+
+    this.log('')
+
+    // ---------------------------------------------------------------------------
+    // Step execution loop
+    // ---------------------------------------------------------------------------
+    for (const step of steps) {
+      this.log(formatStepHeader(step))
+
+      // FR-014: confirmation prompt before system-level changes
+      if (step.requiresConfirmation) {
+        const proceed = await confirm({ message: `Proceed with: ${step.label}?`, default: true })
+        if (!proceed) {
+          session.results.set(step.id, { status: 'skipped', message: 'Skipped by user' })
+          this.log(chalk.dim('  Skipped.'))
+          continue
+        }
+      }
+
+      // Special handling for GPG interactive steps (FR-010)
+      if (step.gpgInteractive && !gpgId) {
+        this.log(chalk.cyan('\n  GPG will now prompt you for a passphrase in your terminal.'))
+        this.log(chalk.dim('  Follow the interactive prompts to complete key generation.\n'))
+        try {
+          await execa('gpg', ['--full-generate-key'], { stdio: 'inherit', reject: true })
+          // Refresh the gpgId from newly created key
+          const newKeys = await listGpgKeys()
+          if (newKeys.length > 0) {
+            gpgId = newKeys[0].id
+            // gpgId is now set — subsequent step closures capture it via the shared context object
+          }
+          session.results.set(step.id, { status: 'success', message: `GPG key created (${gpgId || 'new key'})` })
+          this.log(chalk.green('  ✔ GPG key created'))
+        } catch {
+          const result = { status: /** @type {'failed'} */ ('failed'), hint: 'Run manually: gpg --full-generate-key' }
+          session.results.set(step.id, result)
+          this.log(chalk.red('  ✗ GPG key creation failed'))
+          this.log(chalk.dim(`  → ${result.hint}`))
+          session.overallStatus = 'failed'
+          break
+        }
+        continue
+      }
+
+      // Regular step with spinner
+      const stepSpinner = ora({ spinner: 'arc', color: false, text: chalk.dim(step.label) }).start()
+
+      let result
+      try {
+        result = await step.run()
+      } catch (err) {
+        result = {
+          status: /** @type {'failed'} */ ('failed'),
+          hint: err instanceof Error ? err.message : String(err),
+        }
+      }
+
+      session.results.set(step.id, result)
+
+      if (result.status === 'success') {
+        stepSpinner.succeed(chalk.green(result.message ?? step.label))
+      } else if (result.status === 'skipped') {
+        stepSpinner.info(chalk.dim(result.message ?? 'Skipped'))
+      } else {
+        // Failed — FR-015: abort immediately
+        stepSpinner.fail(chalk.red(`${step.label} — failed`))
+        if (result.hint) this.log(chalk.dim(`  → ${result.hint}`))
+        if (result.hintUrl) this.log(chalk.dim(`     ${result.hintUrl}`))
+        session.overallStatus = 'failed'
+        break
+      }
+    }
+
+    // Determine final overall status
+    if (session.overallStatus !== 'failed') {
+      const anyFailed = [...session.results.values()].some((r) => r.status === 'failed')
+      session.overallStatus = anyFailed ? 'failed' : 'completed'
+    }
+
+    // ---------------------------------------------------------------------------
+    // FR-016: Completion summary
+    // ---------------------------------------------------------------------------
+    this.log(formatSecuritySummary(session, platformInfo))
+
+    return {
+      platform,
+      selection,
+      tools: currentStatus,
+      overallStatus: session.overallStatus === 'completed' ? 'success' : session.overallStatus === 'failed' ? 'partial' : 'not-configured',
+    }
+  }
+}

package/src/commands/welcome.js

@@ -0,0 +1,17 @@
+import { Command } from '@oclif/core'
+import { printWelcomeScreen } from '../utils/welcome.js'
+
+/**
+ * Display the dvmi cyberpunk mission dashboard.
+ * Renders the animated DVMI logo followed by a full-color
+ * overview of CLI capabilities, focus areas, and quick-start commands.
+ */
+export default class Welcome extends Command {
+  static description = 'Show the dvmi mission dashboard with animated intro'
+
+  static examples = ['<%= config.bin %> welcome']
+
+  async run() {
+    await printWelcomeScreen(this.config.version)
+  }
+}

package/src/formatters/security.js

@@ -0,0 +1,119 @@
+import chalk from 'chalk'
+import { deriveOverallStatus } from '../services/security.js'
+
+/** @import { SetupSession, SecurityToolStatus, PlatformInfo } from '../types.js' */
+
+/**
+ * Format the educational introduction about credential security.
+ * @returns {string}
+ */
+export function formatEducationalIntro() {
+  const border = chalk.dim('─'.repeat(60))
+  const lines = [
+    border,
+    chalk.bold.yellow('  Why credential security matters'),
+    border,
+    '',
+    chalk.white('  Storing secrets in plaintext (shell history, .env files,'),
+    chalk.white('  ~/.aws/credentials) is the leading cause of supply chain'),
+    chalk.white('  attacks. One leaked key can compromise your entire org.'),
+    '',
+    chalk.bold('  What this setup installs:'),
+    '',
+    chalk.cyan('  aws-vault') + chalk.white('   — stores AWS credentials in an encrypted vault'),
+    chalk.cyan('             ') + chalk.white('  (macOS Keychain, pass on Linux).'),
+    chalk.cyan('  pass     ') + chalk.white('   — GPG-encrypted password store (Linux/WSL2).'),
+    chalk.cyan('  GCM      ') + chalk.white('   — Git Credential Manager: no more PATs in files.'),
+    chalk.cyan('  Keychain ') + chalk.white('   — macOS Keychain as Git credential helper.'),
+    '',
+    chalk.dim('  References: https://aws.github.io/aws-vault  |  https://www.passwordstore.org'),
+    border,
+  ]
+  return lines.join('\n')
+}
+
+/**
+ * Format a step header line for the setup flow.
+ * @param {{ id: string, label: string, type: string }} step
+ * @returns {string}
+ */
+export function formatStepHeader(step) {
+  const typeColor = {
+    check: chalk.blue,
+    install: chalk.yellow,
+    configure: chalk.cyan,
+    verify: chalk.green,
+  }
+  const colorFn = typeColor[step.type] ?? chalk.white
+  return `  ${colorFn(`[${step.type}]`)}  ${step.label}`
+}
+
+/**
+ * Format the completion summary table for a setup session.
+ * @param {SetupSession} session
+ * @param {PlatformInfo} platformInfo
+ * @returns {string}
+ */
+export function formatSecuritySummary(session, platformInfo) {
+  const border = chalk.dim('─'.repeat(60))
+  const lines = [
+    '',
+    border,
+    chalk.bold('  Security Setup — Summary'),
+    border,
+    '',
+    chalk.bold(`  Platform: ${chalk.cyan(platformInfo.platform)}`),
+    chalk.bold(`  Selection: ${chalk.cyan(session.selection)}`),
+    '',
+  ]
+
+  // Build a per-step result table
+  for (const step of session.steps) {
+    const result = session.results.get(step.id)
+    const status = result?.status ?? 'pending'
+    let badge
+    if (status === 'success') badge = chalk.green('✔')
+    else if (status === 'skipped') badge = chalk.dim('─')
+    else if (status === 'failed') badge = chalk.red('✗')
+    else badge = chalk.gray('○')
+
+    const label = chalk.white(step.label.padEnd(45))
+    const msg = result?.message ? chalk.gray(`  ${result.message}`) : ''
+    lines.push(`  ${badge}  ${label}${msg}`)
+
+    if (status === 'failed' && result?.hint) {
+      lines.push(chalk.dim(`       → ${result.hint}`))
+      if (result.hintUrl) lines.push(chalk.dim(`         ${result.hintUrl}`))
+    }
+  }
+
+  lines.push('')
+
+  // Overall status
+  const successful = [...session.results.values()].filter((r) => r.status === 'success').length
+  const failed = [...session.results.values()].filter((r) => r.status === 'failed').length
+  const skipped = [...session.results.values()].filter((r) => r.status === 'skipped').length
+
+  lines.push(
+    `  ${chalk.green(`${successful} succeeded`)}  ${chalk.dim(`${skipped} skipped`)}  ${failed > 0 ? chalk.red(`${failed} failed`) : chalk.dim('0 failed')}`,
+  )
+
+  if (failed === 0) {
+    lines.push('')
+    lines.push(chalk.bold.green('  All done! Restart your terminal to apply shell profile changes.'))
+    lines.push(chalk.dim('  Then run: dvmi auth login'))
+  } else {
+    lines.push('')
+    lines.push(chalk.bold.red('  Setup incomplete — see failure hints above.'))
+  }
+
+  lines.push(border)
+  return lines.join('\n')
+}
+
+/**
+ * Derive an overall status label from tool statuses (re-exported for convenience).
+ * @param {SecurityToolStatus[]} tools
+ * @returns {'success'|'partial'|'not-configured'}
+ */
+export { deriveOverallStatus }

package/src/help.js

@@ -78,6 +78,12 @@ const CATEGORIES = [
       { id: 'prompts:run',            hint: '[PATH] [--tool]' },
     ],
   },
+  {
+    title: 'Sicurezza & Credenziali',
+    cmds: [
+      { id: 'security:setup', hint: '[--json]' },
+    ],
+  },
   {
     title: 'Setup & Ambiente',
     cmds: [
@@ -105,6 +111,8 @@ const EXAMPLES = [
    { cmd: 'dvmi pipeline status',                                 note: 'Ultimi workflow CI/CD' },
    { cmd: 'dvmi tasks list --search "bug"',                       note: 'Cerca task ClickUp' },
    { cmd: 'dvmi costs get --json',                                note: 'Costi AWS in formato JSON' },
+   { cmd: 'dvmi security setup --json',                          note: 'Controlla lo stato degli strumenti di sicurezza' },
+   { cmd: 'dvmi security setup',                                 note: 'Wizard interattivo: installa aws-vault e GCM' },
  ]
 
 // ─── Help class ─────────────────────────────────────────────────────────────

package/src/services/clickup.js

@@ -1,7 +1,7 @@
 import http from 'node:http'
 import { randomBytes } from 'node:crypto'
 import { openBrowser } from '../utils/open-browser.js'
-import { loadConfig } from './config.js'
+import { loadConfig, saveConfig } from './config.js'
 
 /** @import { ClickUpTask } from '../types.js' */
 
@@ -103,19 +103,25 @@ export async function oauthFlow(clientId, clientSecret) {
 
 /**
  * Make an authenticated request to the ClickUp API.
+ * Retries automatically on HTTP 429 (rate limit) up to MAX_RETRIES times.
  * @param {string} path
+ * @param {number} [retries]
  * @returns {Promise<unknown>}
  */
- async function clickupFetch(path) {
+ async function clickupFetch(path, retries = 0) {
+   const MAX_RETRIES = 5
    const token = await getToken()
    if (!token) throw new Error('ClickUp not authenticated. Run `dvmi init` to authorize.')
   const resp = await fetch(`${API_BASE}${path}`, {
     headers: { Authorization: token },
   })
   if (resp.status === 429) {
+    if (retries >= MAX_RETRIES) {
+      throw new Error(`ClickUp API rate limit exceeded after ${MAX_RETRIES} retries. Try again later.`)
+    }
     const reset = Number(resp.headers.get('X-RateLimit-Reset') ?? Date.now() + 1000)
     await new Promise((r) => setTimeout(r, Math.max(reset - Date.now(), 1000)))
-    return clickupFetch(path)
+    return clickupFetch(path, retries + 1)
   }
   if (!resp.ok) {
     const body = /** @type {any} */ (await resp.json().catch(() => ({})))

package/src/services/docs.js

@@ -205,6 +205,10 @@ export function detectApiSpecType(path, content) {
       if (isOpenApi(/** @type {Record<string, unknown>} */ (doc))) return 'swagger'
       if (isAsyncApi(/** @type {Record<string, unknown>} */ (doc))) return 'asyncapi'
     }
-  } catch { /* ignore */ }
+  } catch (err) {
+    // File content is not valid YAML/JSON — not an API spec, return null.
+    // Log at debug level for troubleshooting without exposing parse errors to users.
+    if (process.env.DVMI_DEBUG) process.stderr.write(`[detectApiSpecType] parse failed: ${/** @type {Error} */ (err).message}\n`)
+  }
   return null
 }

package/src/services/prompts.js

@@ -237,8 +237,8 @@ export async function downloadPrompt(relativePath, localDir, opts = {}) {
 
   const content = serializeFrontmatter(fm, prompt.body)
 
-  await mkdir(dirname(destPath), { recursive: true })
-  await writeFile(destPath, content, 'utf8')
+  await mkdir(dirname(destPath), { recursive: true, mode: 0o700 })
+  await writeFile(destPath, content, { encoding: 'utf8', mode: 0o600 })
 
   return { path: destPath, skipped: false }
 }