devvami 1.1.2 → 1.3.0

package/README.md

@@ -114,8 +114,19 @@ dvmi tasks assigned   # Show tasks assigned to you
 
 ```bash
 dvmi costs get     # Analyze AWS costs
+dvmi costs trend   # Show 2-month daily AWS cost trend
 ```
 
+If `awsProfile` is configured (`dvmi init`), AWS cost commands automatically re-run via
+`aws-vault exec <profile> -- ...` when credentials are missing, so developers can run:
+
+```bash
+dvmi costs get
+dvmi costs trend
+```
+
+without manually prefixing `aws-vault exec`.
+
 ### Documentation
 
 ```bash
@@ -164,12 +175,36 @@ Devvami uses your system's **secure credential storage**:
 
 - **macOS**: Keychain
 - **Linux**: Secret Service / pass
-- **Windows**: Credential Manager
+- **WSL2**: Windows bridge for browser/GCM + Linux tooling for security setup
+- **Windows (native / non-WSL)**: limited support (see Platform Support)
 
 Tokens are **never stored in plain text**. They're stored securely via `@keytar/keytar`.
 
 ---
 
+## 🖥️ Platform Support
+
+### Fully supported
+
+- **macOS**
+- **Linux (Debian/Ubuntu family)**
+- **Windows via WSL2**
+
+### Linux/WSL notes
+
+- `dvmi security setup` currently uses `apt-get` for package install (Debian/Ubuntu oriented).
+- `dvmi security setup` requires authenticated `sudo` (`sudo -n true` must pass).
+- On WSL2, browser opening tries `wslview` first, then falls back to `xdg-open`.
+
+### Windows native (non-WSL)
+
+- Not fully supported today.
+- Platform detection does not handle `win32` explicitly yet.
+- Some shell assumptions are Unix-centric (for example `which` usage and security setup steps).
+- Recommended path on Windows is to use **WSL2**.
+
+---
+
 ## 📚 Documentation
 
 - **Setup**: See [Quick Start](#-quick-start) above

package/oclif.manifest.json

@@ -273,6 +273,29 @@
         "upgrade.js"
       ]
     },
+    "welcome": {
+      "aliases": [],
+      "args": {},
+      "description": "Show the dvmi mission dashboard with animated intro",
+      "examples": [
+        "<%= config.bin %> welcome"
+      ],
+      "flags": {},
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "welcome",
+      "pluginAlias": "devvami",
+      "pluginName": "devvami",
+      "pluginType": "core",
+      "strict": true,
+      "enableJsonFlag": false,
+      "isESM": true,
+      "relativePath": [
+        "src",
+        "commands",
+        "welcome.js"
+      ]
+    },
     "whoami": {
       "aliases": [],
       "args": {},
@@ -361,16 +384,20 @@
       "aliases": [],
       "args": {
         "service": {
-          "description": "Nome del servizio",
+          "description": "Service name (used to derive tag filter from config)",
           "name": "service",
-          "required": true
+          "required": false
         }
       },
-      "description": "Stima costi AWS per un servizio (via Cost Explorer API)",
+      "description": "Get AWS costs for a service, grouped by service, tag, or both",
       "examples": [
+        "<%= config.bin %> costs get",
         "<%= config.bin %> costs get my-service",
-        "<%= config.bin %> costs get my-api --period mtd",
-        "<%= config.bin %> costs get my-service --json"
+        "<%= config.bin %> costs get --period mtd",
+        "<%= config.bin %> costs get --period last-week",
+        "<%= config.bin %> costs get --group-by tag --tag-key env",
+        "<%= config.bin %> costs get my-service --group-by both --tag-key env",
+        "<%= config.bin %> costs get --group-by tag --tag-key env --json"
       ],
       "flags": {
         "json": {
@@ -381,7 +408,7 @@
           "type": "boolean"
         },
         "period": {
-          "description": "Periodo: last-month, last-week, mtd",
+          "description": "Time period: last-month, last-week, mtd",
           "name": "period",
           "default": "last-month",
           "hasDynamicHelp": false,
@@ -392,6 +419,26 @@
             "mtd"
           ],
           "type": "option"
+        },
+        "group-by": {
+          "description": "Grouping dimension: service, tag, or both",
+          "name": "group-by",
+          "default": "service",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "options": [
+            "service",
+            "tag",
+            "both"
+          ],
+          "type": "option"
+        },
+        "tag-key": {
+          "description": "Tag key for grouping when --group-by tag or both",
+          "name": "tag-key",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
         }
       },
       "hasDynamicHelp": false,
@@ -410,6 +457,69 @@
         "get.js"
       ]
     },
+    "costs:trend": {
+      "aliases": [],
+      "args": {},
+      "description": "Show a rolling 2-month daily cost trend chart",
+      "examples": [
+        "<%= config.bin %> costs trend",
+        "<%= config.bin %> costs trend --line",
+        "<%= config.bin %> costs trend --group-by tag --tag-key env",
+        "<%= config.bin %> costs trend --group-by both --tag-key env",
+        "<%= config.bin %> costs trend --group-by tag --tag-key env --line",
+        "<%= config.bin %> costs trend --json"
+      ],
+      "flags": {
+        "json": {
+          "description": "Format output as json.",
+          "helpGroup": "GLOBAL",
+          "name": "json",
+          "allowNo": false,
+          "type": "boolean"
+        },
+        "group-by": {
+          "description": "Grouping dimension: service, tag, or both",
+          "name": "group-by",
+          "default": "service",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "options": [
+            "service",
+            "tag",
+            "both"
+          ],
+          "type": "option"
+        },
+        "tag-key": {
+          "description": "Tag key for grouping when --group-by tag or both",
+          "name": "tag-key",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "line": {
+          "description": "Render as line chart instead of default bar chart",
+          "name": "line",
+          "allowNo": false,
+          "type": "boolean"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "costs:trend",
+      "pluginAlias": "devvami",
+      "pluginName": "devvami",
+      "pluginType": "core",
+      "strict": true,
+      "enableJsonFlag": true,
+      "isESM": true,
+      "relativePath": [
+        "src",
+        "commands",
+        "costs",
+        "trend.js"
+      ]
+    },
     "create:repo": {
       "aliases": [],
       "args": {
@@ -703,6 +813,82 @@
         "search.js"
       ]
     },
+    "logs": {
+      "aliases": [],
+      "args": {},
+      "description": "Browse and query CloudWatch log groups interactively",
+      "examples": [
+        "<%= config.bin %> logs",
+        "<%= config.bin %> logs --group /aws/lambda/my-fn",
+        "<%= config.bin %> logs --group /aws/lambda/my-fn --filter \"ERROR\" --since 24h",
+        "<%= config.bin %> logs --group /aws/lambda/my-fn --limit 50 --json"
+      ],
+      "flags": {
+        "json": {
+          "description": "Format output as json.",
+          "helpGroup": "GLOBAL",
+          "name": "json",
+          "allowNo": false,
+          "type": "boolean"
+        },
+        "group": {
+          "char": "g",
+          "description": "Log group name — bypasses interactive picker",
+          "name": "group",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "filter": {
+          "char": "f",
+          "description": "CloudWatch filter pattern (empty = all events)",
+          "name": "filter",
+          "default": "",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "since": {
+          "description": "Time window: 1h, 24h, 7d",
+          "name": "since",
+          "default": "1h",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "limit": {
+          "description": "Max log events to return (1–10000)",
+          "name": "limit",
+          "default": 100,
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "region": {
+          "char": "r",
+          "description": "AWS region (defaults to project config awsRegion)",
+          "name": "region",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "logs",
+      "pluginAlias": "devvami",
+      "pluginName": "devvami",
+      "pluginType": "core",
+      "strict": true,
+      "enableJsonFlag": true,
+      "isESM": true,
+      "relativePath": [
+        "src",
+        "commands",
+        "logs",
+        "index.js"
+      ]
+    },
     "pipeline:logs": {
       "aliases": [],
       "args": {
@@ -1346,6 +1532,46 @@
         "list.js"
       ]
     },
+    "security:setup": {
+      "aliases": [],
+      "args": {},
+      "description": "Interactive wizard to install and configure credential protection tools (aws-vault, pass, GPG, Git Credential Manager, macOS Keychain)",
+      "examples": [
+        "<%= config.bin %> security setup",
+        "<%= config.bin %> security setup --json"
+      ],
+      "flags": {
+        "json": {
+          "description": "Format output as json.",
+          "helpGroup": "GLOBAL",
+          "name": "json",
+          "allowNo": false,
+          "type": "boolean"
+        },
+        "help": {
+          "char": "h",
+          "description": "Show CLI help.",
+          "name": "help",
+          "allowNo": false,
+          "type": "boolean"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "security:setup",
+      "pluginAlias": "devvami",
+      "pluginName": "devvami",
+      "pluginType": "core",
+      "strict": true,
+      "enableJsonFlag": true,
+      "isESM": true,
+      "relativePath": [
+        "src",
+        "commands",
+        "security",
+        "setup.js"
+      ]
+    },
     "tasks:assigned": {
       "aliases": [],
       "args": {},
@@ -1498,5 +1724,5 @@
       ]
     }
   },
-  "version": "1.1.2"
+  "version": "1.3.0"
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "devvami",
   "description": "DevEx CLI for developers and teams — manage repos, PRs, pipelines, tasks, and costs from the terminal",
-  "version": "1.1.2",
+  "version": "1.3.0",
   "author": "",
   "type": "module",
   "bin": {
@@ -83,6 +83,7 @@
     }
   },
   "dependencies": {
+    "@aws-sdk/client-cloudwatch-logs": "^3.1018.0",
     "@aws-sdk/client-cost-explorer": "^3",
     "@inquirer/prompts": "^7",
     "@oclif/core": "^4",

package/src/commands/costs/get.js

@@ -1,49 +1,122 @@
 import { Command, Args, Flags } from '@oclif/core'
+import { input } from '@inquirer/prompts'
 import ora from 'ora'
 import { getServiceCosts } from '../../services/aws-costs.js'
 import { loadConfig } from '../../services/config.js'
 import { formatCostTable, calculateTotal } from '../../formatters/cost.js'
+import { DvmiError } from '../../utils/errors.js'
+import {
+  awsVaultPrefix,
+  isAwsVaultSession,
+  reexecCurrentCommandWithAwsVault,
+  reexecCurrentCommandWithAwsVaultProfile,
+} from '../../utils/aws-vault.js'
 
 export default class CostsGet extends Command {
-  static description = 'Stima costi AWS per un servizio (via Cost Explorer API)'
+  static description = 'Get AWS costs for a service, grouped by service, tag, or both'
 
   static examples = [
+    '<%= config.bin %> costs get',
     '<%= config.bin %> costs get my-service',
-    '<%= config.bin %> costs get my-api --period mtd',
-    '<%= config.bin %> costs get my-service --json',
+    '<%= config.bin %> costs get --period mtd',
+    '<%= config.bin %> costs get --period last-week',
+    '<%= config.bin %> costs get --group-by tag --tag-key env',
+    '<%= config.bin %> costs get my-service --group-by both --tag-key env',
+    '<%= config.bin %> costs get --group-by tag --tag-key env --json',
   ]
 
   static enableJsonFlag = true
 
   static args = {
-    service: Args.string({ description: 'Nome del servizio', required: true }),
+    service: Args.string({ description: 'Service name (used to derive tag filter from config)', required: false }),
   }
 
   static flags = {
     period: Flags.string({
-      description: 'Periodo: last-month, last-week, mtd',
+      description: 'Time period: last-month, last-week, mtd',
       default: 'last-month',
       options: ['last-month', 'last-week', 'mtd'],
     }),
+    'group-by': Flags.string({
+      description: 'Grouping dimension: service, tag, or both',
+      default: 'service',
+      options: ['service', 'tag', 'both'],
+    }),
+    'tag-key': Flags.string({
+      description: 'Tag key for grouping when --group-by tag or both',
+    }),
   }
 
   async run() {
     const { args, flags } = await this.parse(CostsGet)
     const isJson = flags.json
+    const isInteractive = !isJson && process.stdout.isTTY && process.env.CI !== 'true'
+    const groupBy = /** @type {'service'|'tag'|'both'} */ (flags['group-by'])
 
-    const spinner = isJson ? null : ora(`Fetching costs for ${args.service}...`).start()
-
-    // Get project tags from config
     const config = await loadConfig()
-    const tags = config.projectTags ?? { project: args.service }
+
+    if (
+      isInteractive &&
+      !isAwsVaultSession() &&
+      process.env.DVMI_AWS_VAULT_REEXEC !== '1'
+    ) {
+      const profile = await input({
+        message: 'AWS profile (aws-vault):',
+        default: config.awsProfile || process.env.AWS_VAULT || 'default',
+      })
+
+      const selected = profile.trim()
+      if (!selected) {
+        this.error('AWS profile is required to run this command.')
+      }
+
+      const promptedReexecExitCode = await reexecCurrentCommandWithAwsVaultProfile(selected)
+      if (promptedReexecExitCode !== null) {
+        this.exit(promptedReexecExitCode)
+        return
+      }
+    }
+
+    // Transparent aws-vault usage: if a profile is configured and no AWS creds are present,
+    // re-run this exact command via `aws-vault exec <profile> -- ...`.
+    const reexecExitCode = await reexecCurrentCommandWithAwsVault(config)
+    if (reexecExitCode !== null) {
+      this.exit(reexecExitCode)
+      return
+    }
+
+    // Resolve tag key: explicit flag → first key in config projectTags
+    const configTagKey = config.projectTags ? Object.keys(config.projectTags)[0] : undefined
+    const tagKey = flags['tag-key'] ?? configTagKey
+
+    // Validate: tag key required when grouping by tag or both
+    if ((groupBy === 'tag' || groupBy === 'both') && !tagKey) {
+      throw new DvmiError(
+        'No tag key available.',
+        'Pass --tag-key or configure projectTags in dvmi config.',
+      )
+    }
+
+    const serviceArg = args.service ?? 'all'
+    const tags = config.projectTags ?? (args.service ? { project: args.service } : {})
+
+    const spinner = isJson ? null : ora(`Fetching costs...`).start()
 
     try {
-      const { entries, period } = await getServiceCosts(args.service, tags, /** @type {any} */ (flags.period))
+      const { entries, period } = await getServiceCosts(
+        serviceArg,
+        tags,
+        /** @type {any} */ (flags.period),
+        groupBy,
+        tagKey,
+      )
       spinner?.stop()
 
       const total = calculateTotal(entries)
       const result = {
-        service: args.service,
+        service: args.service ?? null,
+        groupBy,
+        tagKey: tagKey ?? null,
         period,
         items: entries,
         total: { amount: total, unit: 'USD' },
@@ -52,21 +125,42 @@ export default class CostsGet extends Command {
       if (isJson) return result
 
       if (entries.length === 0) {
-        this.log(`No costs found for service "${args.service}".`)
-        this.log('Check service name and tagging convention.')
+        this.log(`No costs found.`)
         return result
       }
 
-      this.log(formatCostTable(entries, args.service))
+      const label = tagKey && groupBy !== 'service' ? `${serviceArg} (by ${tagKey})` : serviceArg
+      this.log(formatCostTable(entries, label, groupBy))
       return result
     } catch (err) {
       spinner?.stop()
       if (String(err).includes('AccessDenied') || String(err).includes('UnauthorizedAccess')) {
-        this.error('Missing IAM permission: ce:GetCostAndUsage\nContact your AWS admin to grant Cost Explorer access.')
+        this.error('Missing IAM permission: ce:GetCostAndUsage. Contact your AWS admin.')
+      }
+      if (String(err).includes('CredentialsProviderError') || String(err).includes('No credentials')) {
+        if (isInteractive) {
+          const suggestedProfile = config.awsProfile || process.env.AWS_VAULT || 'default'
+          const profile = await input({
+            message: 'No AWS credentials. Enter aws-vault profile to retry (empty to cancel):',
+            default: suggestedProfile,
+          })
+
+          const selected = profile.trim()
+          if (selected) {
+            const retryExitCode = await reexecCurrentCommandWithAwsVaultProfile(selected)
+            if (retryExitCode !== null) {
+              this.exit(retryExitCode)
+              return
+            }
+          }
+        }
+
+        const prefix = awsVaultPrefix(config)
+        this.error(
+          `No AWS credentials. Use: ${prefix}dvmi costs get` +
+            (args.service ? ` ${args.service}` : ''),
+        )
       }
-       if (String(err).includes('CredentialsProviderError') || String(err).includes('No credentials')) {
-         this.error('No AWS credentials. Use: aws-vault exec <profile> -- dvmi costs get ' + args.service)
-       }
       throw err
     }
   }