devvami 1.1.2 → 1.3.0

package/src/commands/costs/trend.js

@@ -0,0 +1,165 @@
+import { Command, Flags } from '@oclif/core'
+import { input } from '@inquirer/prompts'
+import ora from 'ora'
+import { getTrendCosts, getTwoMonthPeriod } from '../../services/aws-costs.js'
+import { loadConfig } from '../../services/config.js'
+import { barChart, lineChart } from '../../formatters/charts.js'
+import { DvmiError } from '../../utils/errors.js'
+import {
+  awsVaultPrefix,
+  isAwsVaultSession,
+  reexecCurrentCommandWithAwsVault,
+  reexecCurrentCommandWithAwsVaultProfile,
+} from '../../utils/aws-vault.js'
+
+export default class CostsTrend extends Command {
+  static description = 'Show a rolling 2-month daily cost trend chart'
+
+  static examples = [
+    '<%= config.bin %> costs trend',
+    '<%= config.bin %> costs trend --line',
+    '<%= config.bin %> costs trend --group-by tag --tag-key env',
+    '<%= config.bin %> costs trend --group-by both --tag-key env',
+    '<%= config.bin %> costs trend --group-by tag --tag-key env --line',
+    '<%= config.bin %> costs trend --json',
+  ]
+
+  static enableJsonFlag = true
+
+  static flags = {
+    'group-by': Flags.string({
+      description: 'Grouping dimension: service, tag, or both',
+      default: 'service',
+      options: ['service', 'tag', 'both'],
+    }),
+    'tag-key': Flags.string({
+      description: 'Tag key for grouping when --group-by tag or both',
+    }),
+    line: Flags.boolean({
+      description: 'Render as line chart instead of default bar chart',
+      default: false,
+    }),
+  }
+
+  async run() {
+    const { flags } = await this.parse(CostsTrend)
+    const isJson = flags.json
+    const isInteractive = !isJson && process.stdout.isTTY && process.env.CI !== 'true'
+    const groupBy = /** @type {'service'|'tag'|'both'} */ (flags['group-by'])
+
+    const config = await loadConfig()
+
+    if (
+      isInteractive &&
+      !isAwsVaultSession() &&
+      process.env.DVMI_AWS_VAULT_REEXEC !== '1'
+    ) {
+      const profile = await input({
+        message: 'AWS profile (aws-vault):',
+        default: config.awsProfile || process.env.AWS_VAULT || 'default',
+      })
+
+      const selected = profile.trim()
+      if (!selected) {
+        this.error('AWS profile is required to run this command.')
+      }
+
+      const promptedReexecExitCode = await reexecCurrentCommandWithAwsVaultProfile(selected)
+      if (promptedReexecExitCode !== null) {
+        this.exit(promptedReexecExitCode)
+        return
+      }
+    }
+
+    // Transparent aws-vault usage: if a profile is configured and no AWS creds are present,
+    // re-run this exact command via `aws-vault exec <profile> -- ...`.
+    const reexecExitCode = await reexecCurrentCommandWithAwsVault(config)
+    if (reexecExitCode !== null) {
+      this.exit(reexecExitCode)
+      return
+    }
+
+    const configTagKey = config.projectTags ? Object.keys(config.projectTags)[0] : undefined
+    const tagKey = flags['tag-key'] ?? configTagKey
+
+    if ((groupBy === 'tag' || groupBy === 'both') && !tagKey) {
+      throw new DvmiError(
+        'No tag key available.',
+        'Pass --tag-key or configure projectTags in dvmi config.',
+      )
+    }
+
+    const spinner = isJson ? null : ora('Fetching cost trend data...').start()
+
+    try {
+      const trendSeries = await getTrendCosts(groupBy, tagKey)
+      spinner?.stop()
+
+      const { start, end } = getTwoMonthPeriod()
+
+      if (isJson) {
+        return {
+          groupBy,
+          tagKey: tagKey ?? null,
+          period: { start, end },
+          series: trendSeries,
+        }
+      }
+
+      if (trendSeries.length === 0) {
+        this.log('No cost data found for the last 2 months.')
+        return
+      }
+
+      // Convert CostTrendSeries[] → ChartSeries[]
+      // All series must share the same label (date) axis — use the union of all dates
+      const allDates = Array.from(
+        new Set(trendSeries.flatMap((s) => s.points.map((p) => p.date))),
+      ).sort()
+
+      /** @type {import('../../formatters/charts.js').ChartSeries[]} */
+      const chartSeries = trendSeries.map((s) => {
+        const dateToAmount = new Map(s.points.map((p) => [p.date, p.amount]))
+        return {
+          name: s.name,
+          values: allDates.map((d) => dateToAmount.get(d) ?? 0),
+          labels: allDates,
+        }
+      })
+
+      const title = `AWS Cost Trend — last 2 months  (${start} → ${end})`
+      const rendered = flags.line
+        ? lineChart(chartSeries, { title })
+        : barChart(chartSeries, { title })
+
+      this.log(rendered)
+    } catch (err) {
+      spinner?.stop()
+      if (String(err).includes('AccessDenied') || String(err).includes('UnauthorizedAccess')) {
+        this.error('Missing IAM permission: ce:GetCostAndUsage. Contact your AWS admin.')
+      }
+      if (String(err).includes('CredentialsProviderError') || String(err).includes('No credentials')) {
+        if (isInteractive) {
+          const suggestedProfile = config.awsProfile || process.env.AWS_VAULT || 'default'
+          const profile = await input({
+            message: 'No AWS credentials. Enter aws-vault profile to retry (empty to cancel):',
+            default: suggestedProfile,
+          })
+
+          const selected = profile.trim()
+          if (selected) {
+            const retryExitCode = await reexecCurrentCommandWithAwsVaultProfile(selected)
+            if (retryExitCode !== null) {
+              this.exit(retryExitCode)
+              return
+            }
+          }
+        }
+
+        const prefix = awsVaultPrefix(config)
+        this.error(`No AWS credentials. Use: ${prefix}dvmi costs trend`)
+      }
+      throw err
+    }
+  }
+}

package/src/commands/init.js

@@ -2,7 +2,7 @@ import { Command, Flags } from '@oclif/core'
 import chalk from 'chalk'
 import ora from 'ora'
 import { confirm, input, select } from '@inquirer/prompts'
-import { printBanner } from '../utils/banner.js'
+import { printWelcomeScreen } from '../utils/welcome.js'
 import { typewriterLine } from '../utils/typewriter.js'
 import { detectPlatform } from '../services/platform.js'
 import { exec, which } from '../services/shell.js'
@@ -32,7 +32,7 @@ export default class Init extends Command {
     const isDryRun = flags['dry-run']
     const isJson = flags.json
 
-    if (!isJson) await printBanner()
+    if (!isJson) await printWelcomeScreen(this.config.version)
 
     const platform = await detectPlatform()
     const steps = []
@@ -72,7 +72,12 @@ export default class Init extends Command {
       steps.push({ name: 'aws-vault', status: 'ok', action: 'found' })
     } else {
       steps.push({ name: 'aws-vault', status: 'warn', action: 'not installed' })
-      if (!isJson) this.log(chalk.yellow('  aws-vault not found. Install: brew install aws-vault'))
+      if (!isJson) {
+        const installHint = platform.platform === 'macos'
+          ? 'brew install aws-vault'
+          : 'run `dvmi security setup` (Debian/Ubuntu/WSL2) or install aws-vault manually'
+        this.log(chalk.yellow(`  aws-vault not found. Install: ${installHint}`))
+      }
     }
 
     // 4. Create/update config

package/src/commands/logs/index.js

@@ -0,0 +1,190 @@
+import { Command, Flags } from '@oclif/core'
+import ora from 'ora'
+import { search, input } from '@inquirer/prompts'
+import { listLogGroups, filterLogEvents, sinceToEpochMs } from '../../services/cloudwatch-logs.js'
+import { loadConfig } from '../../services/config.js'
+import { DvmiError } from '../../utils/errors.js'
+
+const SINCE_OPTIONS = ['1h', '24h', '7d']
+
+export default class Logs extends Command {
+  static description = 'Browse and query CloudWatch log groups interactively'
+
+  static examples = [
+    '<%= config.bin %> logs',
+    '<%= config.bin %> logs --group /aws/lambda/my-fn',
+    '<%= config.bin %> logs --group /aws/lambda/my-fn --filter "ERROR" --since 24h',
+    '<%= config.bin %> logs --group /aws/lambda/my-fn --limit 50 --json',
+  ]
+
+  static enableJsonFlag = true
+
+  static flags = {
+    group: Flags.string({
+      description: 'Log group name — bypasses interactive picker',
+      char: 'g',
+    }),
+    filter: Flags.string({
+      description: 'CloudWatch filter pattern (empty = all events)',
+      char: 'f',
+      default: '',
+    }),
+    since: Flags.string({
+      description: 'Time window: 1h, 24h, 7d',
+      default: '1h',
+    }),
+    limit: Flags.integer({
+      description: 'Max log events to return (1–10000)',
+      default: 100,
+    }),
+    region: Flags.string({
+      description: 'AWS region (defaults to project config awsRegion)',
+      char: 'r',
+    }),
+  }
+
+  async run() {
+    const { flags } = await this.parse(Logs)
+    const isJson = flags.json
+
+    // Validate --limit
+    if (flags.limit < 1 || flags.limit > 10_000) {
+      throw new DvmiError('--limit must be between 1 and 10000.', '')
+    }
+
+    // Validate --since
+    if (!SINCE_OPTIONS.includes(flags.since)) {
+      throw new DvmiError('--since must be one of: 1h, 24h, 7d.', '')
+    }
+
+    const config = await loadConfig()
+    const region = flags.region ?? config.awsRegion ?? 'eu-west-1'
+
+    let logGroupName = flags.group
+    let filterPattern = flags.filter
+
+    // Interactive mode: pick log group + filter pattern
+    if (!logGroupName) {
+      const spinner = ora('Loading log groups...').start()
+      let groups
+      try {
+        groups = await listLogGroups(region)
+      } catch (err) {
+        spinner.stop()
+        this._handleAwsError(err, region)
+        throw err
+      }
+      spinner.stop()
+
+      if (groups.length === 0) {
+        this.log(`No log groups found in region ${region}. Check your AWS credentials and region.`)
+        return
+      }
+
+      try {
+        logGroupName = await search({
+          message: 'Select a log group',
+          source: async (input) => {
+            const term = (input ?? '').toLowerCase()
+            return groups
+              .filter((g) => g.name.toLowerCase().includes(term))
+              .map((g) => ({ name: g.name, value: g.name }))
+          },
+        })
+
+        filterPattern = await input({
+          message: 'Filter pattern (leave empty for all events)',
+          default: '',
+        })
+      } catch {
+        // Ctrl+C — clean exit with code 130
+        process.exit(130)
+      }
+    }
+
+    const { startTime, endTime } = sinceToEpochMs(/** @type {'1h'|'24h'|'7d'} */ (flags.since))
+
+    const fetchSpinner = isJson ? null : ora('Fetching log events...').start()
+
+    let result
+    try {
+      result = await filterLogEvents(logGroupName, filterPattern, startTime, endTime, flags.limit, region)
+    } catch (err) {
+      fetchSpinner?.stop()
+      this._handleAwsError(err, region, logGroupName)
+      throw err
+    }
+    fetchSpinner?.stop()
+
+    if (isJson) {
+      // NDJSON to stdout, summary to stderr
+      for (const event of result.events) {
+        this.log(
+          JSON.stringify({
+            eventId: event.eventId,
+            logStreamName: event.logStreamName,
+            timestamp: event.timestamp,
+            message: event.message,
+          }),
+        )
+      }
+      process.stderr.write(
+        JSON.stringify({
+          logGroupName: result.logGroupName,
+          filterPattern: result.filterPattern,
+          startTime: result.startTime,
+          endTime: result.endTime,
+          truncated: result.truncated,
+          count: result.events.length,
+        }) + '\n',
+      )
+      return
+    }
+
+    // Table output
+    const startIso = new Date(startTime).toISOString()
+    const endIso = new Date(endTime).toISOString()
+    const divider = '─'.repeat(74)
+
+    this.log(`Log Group: ${logGroupName}`)
+    this.log(`Period: last ${flags.since}  (${startIso} → ${endIso})`)
+    this.log(`Filter: ${filterPattern ? `"${filterPattern}"` : '(none)'}`)
+    this.log(divider)
+
+    for (const event of result.events) {
+      const ts = new Date(event.timestamp).toISOString()
+      const msg = event.message.length > 200 ? event.message.slice(0, 200) + '…' : event.message
+      this.log(`  ${ts}  ${event.logStreamName.slice(-20).padEnd(20)}  ${msg}`)
+    }
+
+    this.log(divider)
+    const truncationNotice = result.truncated ? '  [Truncated — use --limit or a narrower --since to see more]' : ''
+    this.log(`  ${result.events.length} events shown${truncationNotice}`)
+  }
+
+  /**
+   * Handle common AWS errors and throw DvmiError with spec-defined messages.
+   * @param {unknown} err
+   * @param {string} _region
+   * @param {string} [_logGroupName]
+   */
+  _handleAwsError(err, _region, _logGroupName) {
+    const msg = String(err)
+    if (msg.includes('AccessDenied') || msg.includes('UnauthorizedAccess')) {
+      this.error(
+        'Access denied. Ensure your role has logs:DescribeLogGroups and logs:FilterLogEvents permissions.',
+      )
+    }
+    if (msg.includes('ResourceNotFoundException')) {
+      this.error(
+        `Log group not found. Check the name and confirm you are using the correct region (--region).`,
+      )
+    }
+    if (msg.includes('InvalidParameterException')) {
+      this.error('Invalid filter pattern or parameter. Check the pattern syntax and time range.')
+    }
+    if (msg.includes('CredentialsProviderError') || msg.includes('No credentials')) {
+      this.error('No AWS credentials. Configure aws-vault and run `dvmi init` to set up your profile.')
+    }
+  }
+}

package/src/commands/prompts/run.js

@@ -1,7 +1,7 @@
 import { Command, Args, Flags } from '@oclif/core'
 import ora from 'ora'
 import chalk from 'chalk'
-import { select } from '@inquirer/prompts'
+import { select, confirm } from '@inquirer/prompts'
 import { join } from 'node:path'
 import { readdir } from 'node:fs/promises'
 import { resolveLocalPrompt, invokeTool, SUPPORTED_TOOLS } from '../../services/prompts.js'
@@ -176,6 +176,24 @@ export default class PromptsRun extends Command {
     this.log(chalk.bold(`\nRunning: ${chalk.hex('#FF9A5C')(prompt.title)}`))
     this.log(chalk.dim(`  Tool: ${toolName}`) + '\n')
 
+    // Security: show a preview of the prompt content and ask for confirmation.
+    // This protects against prompt injection from tampered local files (originally
+    // downloaded from remote repositories). Skipped in CI/non-interactive environments.
+    if (!process.env.CI && process.stdin.isTTY) {
+      const preview = prompt.body.length > 500
+        ? prompt.body.slice(0, 500) + chalk.dim('\n…[truncated]')
+        : prompt.body
+      this.log(chalk.yellow('Prompt preview:'))
+      this.log(chalk.dim('─'.repeat(50)))
+      this.log(chalk.dim(preview))
+      this.log(chalk.dim('─'.repeat(50)) + '\n')
+      const ok = await confirm({ message: `Run this prompt with ${toolName}?`, default: true })
+      if (!ok) {
+        this.log(chalk.dim('Aborted.'))
+        return
+      }
+    }
+
     // Invoke tool
     try {
       await invokeTool(toolName, prompt.body)

package/src/commands/security/setup.js

@@ -0,0 +1,249 @@
+import { Command, Flags } from '@oclif/core'
+import { confirm, select } from '@inquirer/prompts'
+import ora from 'ora'
+import chalk from 'chalk'
+import { execa } from 'execa'
+import { detectPlatform } from '../../services/platform.js'
+import { exec } from '../../services/shell.js'
+import { buildSteps, checkToolStatus, listGpgKeys, deriveOverallStatus } from '../../services/security.js'
+import { formatEducationalIntro, formatStepHeader, formatSecuritySummary } from '../../formatters/security.js'
+/** @import { SetupSession, SetupStep, StepResult, PlatformInfo } from '../../types.js' */
+
+export default class SecuritySetup extends Command {
+  static description = 'Interactive wizard to install and configure credential protection tools (aws-vault, pass, GPG, Git Credential Manager, macOS Keychain)'
+
+  static examples = [
+    '<%= config.bin %> security setup',
+    '<%= config.bin %> security setup --json',
+  ]
+
+  static enableJsonFlag = true
+
+  static flags = {
+    help: Flags.help({ char: 'h' }),
+  }
+
+  async run() {
+    const { flags } = await this.parse(SecuritySetup)
+    const isJson = flags.json
+
+    // FR-018: Detect non-interactive environments
+    const isCI = process.env.CI === 'true'
+    const isNonInteractive = !process.stdout.isTTY
+
+    if ((isCI || isNonInteractive) && !isJson) {
+      this.error(
+        'This command requires an interactive terminal (TTY). Run with --json for a non-interactive health check.',
+        { exit: 1 },
+      )
+    }
+
+    // Detect platform
+    const platformInfo = await detectPlatform()
+    const { platform } = platformInfo
+
+    // FR-019: Sudo pre-flight on Linux/WSL2
+    if (platform !== 'macos' && !isJson) {
+      const sudoCheck = await exec('sudo', ['-n', 'true'])
+      if (sudoCheck.exitCode !== 0) {
+        this.error(
+          'sudo access is required to install packages. Run `sudo -v` to authenticate and retry.',
+          { exit: 1 },
+        )
+      }
+    }
+
+    // --json branch: health check only (no interaction)
+    if (isJson) {
+      const tools = await checkToolStatus(platform)
+      const overallStatus = deriveOverallStatus(tools)
+      return {
+        platform,
+        selection: null,
+        tools,
+        overallStatus,
+      }
+    }
+
+    // ---------------------------------------------------------------------------
+    // Pre-check: show current tool status
+    // ---------------------------------------------------------------------------
+    const spinner = ora({ spinner: 'arc', color: false, text: chalk.hex('#FF6B2B')('Checking current tool status...') }).start()
+    const currentStatus = await checkToolStatus(platform)
+    spinner.stop()
+
+    const anyInstalled = currentStatus.some((t) => t.status === 'installed' && t.status !== 'n/a')
+    if (anyInstalled) {
+      this.log(chalk.bold('\nCurrent security tool status:'))
+      for (const tool of currentStatus) {
+        if (tool.status === 'n/a') continue
+        let badge
+        if (tool.status === 'installed') badge = chalk.green('✔')
+        else if (tool.status === 'misconfigured') badge = chalk.yellow('⚠')
+        else badge = chalk.red('✗')
+        const versionStr = tool.version ? chalk.gray(` ${tool.version}`) : ''
+        this.log(`  ${badge}  ${tool.displayName}${versionStr}`)
+        if (tool.hint) this.log(chalk.dim(`       → ${tool.hint}`))
+      }
+      this.log('')
+    }
+
+    // ---------------------------------------------------------------------------
+    // FR-002 / FR-003: Educational intro + confirmation
+    // ---------------------------------------------------------------------------
+    this.log(formatEducationalIntro())
+    this.log('')
+
+    const understood = await confirm({
+      message: 'I understand and want to protect my credentials',
+      default: true,
+    })
+    if (!understood) {
+      this.log('Setup cancelled.')
+      return { platform, selection: null, tools: currentStatus, overallStatus: deriveOverallStatus(currentStatus) }
+    }
+
+    // ---------------------------------------------------------------------------
+    // FR-004: Selection menu
+    // ---------------------------------------------------------------------------
+    const selectionValue = await select({
+      message: 'What would you like to set up?',
+      choices: [
+        { name: 'Both AWS and Git credentials (recommended)', value: 'both' },
+        { name: 'AWS credentials only (aws-vault)', value: 'aws' },
+        { name: 'Git credentials only (macOS Keychain / GCM)', value: 'git' },
+      ],
+    })
+
+    /** @type {'aws'|'git'|'both'} */
+    const selection = /** @type {any} */ (selectionValue)
+
+    // ---------------------------------------------------------------------------
+    // GPG key prompt (Linux/WSL2 + AWS selected)
+    // ---------------------------------------------------------------------------
+    let gpgId = ''
+    if (platform !== 'macos' && (selection === 'aws' || selection === 'both')) {
+      const existingKeys = await listGpgKeys()
+
+      if (existingKeys.length > 0) {
+        const choices = [
+          ...existingKeys.map((k) => ({
+            name: `${k.name} <${k.email}> (${k.id})`,
+            value: k.id,
+          })),
+          { name: 'Create a new GPG key', value: '__new__' },
+        ]
+        const chosen = await select({
+          message: 'Select a GPG key for pass and Git Credential Manager:',
+          choices,
+        })
+        if (chosen !== '__new__') gpgId = /** @type {string} */ (chosen)
+      }
+      // If no keys or user chose __new__, gpgId stays '' and the create-gpg-key step will run interactively
+    }
+
+    // ---------------------------------------------------------------------------
+    // Build steps
+    // ---------------------------------------------------------------------------
+    const steps = buildSteps(platformInfo, selection, { gpgId })
+
+    /** @type {SetupSession} */
+    const session = {
+      platform,
+      selection,
+      steps,
+      results: new Map(),
+      overallStatus: 'in-progress',
+    }
+
+    this.log('')
+
+    // ---------------------------------------------------------------------------
+    // Step execution loop
+    // ---------------------------------------------------------------------------
+    for (const step of steps) {
+      this.log(formatStepHeader(step))
+
+      // FR-014: confirmation prompt before system-level changes
+      if (step.requiresConfirmation) {
+        const proceed = await confirm({ message: `Proceed with: ${step.label}?`, default: true })
+        if (!proceed) {
+          session.results.set(step.id, { status: 'skipped', message: 'Skipped by user' })
+          this.log(chalk.dim('  Skipped.'))
+          continue
+        }
+      }
+
+      // Special handling for GPG interactive steps (FR-010)
+      if (step.gpgInteractive && !gpgId) {
+        this.log(chalk.cyan('\n  GPG will now prompt you for a passphrase in your terminal.'))
+        this.log(chalk.dim('  Follow the interactive prompts to complete key generation.\n'))
+        try {
+          await execa('gpg', ['--full-generate-key'], { stdio: 'inherit', reject: true })
+          // Refresh the gpgId from newly created key
+          const newKeys = await listGpgKeys()
+          if (newKeys.length > 0) {
+            gpgId = newKeys[0].id
+            // gpgId is now set — subsequent step closures capture it via the shared context object
+          }
+          session.results.set(step.id, { status: 'success', message: `GPG key created (${gpgId || 'new key'})` })
+          this.log(chalk.green('  ✔ GPG key created'))
+        } catch {
+          const result = { status: /** @type {'failed'} */ ('failed'), hint: 'Run manually: gpg --full-generate-key' }
+          session.results.set(step.id, result)
+          this.log(chalk.red('  ✗ GPG key creation failed'))
+          this.log(chalk.dim(`  → ${result.hint}`))
+          session.overallStatus = 'failed'
+          break
+        }
+        continue
+      }
+
+      // Regular step with spinner
+      const stepSpinner = ora({ spinner: 'arc', color: false, text: chalk.dim(step.label) }).start()
+
+      let result
+      try {
+        result = await step.run()
+      } catch (err) {
+        result = {
+          status: /** @type {'failed'} */ ('failed'),
+          hint: err instanceof Error ? err.message : String(err),
+        }
+      }
+
+      session.results.set(step.id, result)
+
+      if (result.status === 'success') {
+        stepSpinner.succeed(chalk.green(result.message ?? step.label))
+      } else if (result.status === 'skipped') {
+        stepSpinner.info(chalk.dim(result.message ?? 'Skipped'))
+      } else {
+        // Failed — FR-015: abort immediately
+        stepSpinner.fail(chalk.red(`${step.label} — failed`))
+        if (result.hint) this.log(chalk.dim(`  → ${result.hint}`))
+        if (result.hintUrl) this.log(chalk.dim(`     ${result.hintUrl}`))
+        session.overallStatus = 'failed'
+        break
+      }
+    }
+
+    // Determine final overall status
+    if (session.overallStatus !== 'failed') {
+      const anyFailed = [...session.results.values()].some((r) => r.status === 'failed')
+      session.overallStatus = anyFailed ? 'failed' : 'completed'
+    }
+
+    // ---------------------------------------------------------------------------
+    // FR-016: Completion summary
+    // ---------------------------------------------------------------------------
+    this.log(formatSecuritySummary(session, platformInfo))
+
+    return {
+      platform,
+      selection,
+      tools: currentStatus,
+      overallStatus: session.overallStatus === 'completed' ? 'success' : session.overallStatus === 'failed' ? 'partial' : 'not-configured',
+    }
+  }
+}

package/src/commands/welcome.js

@@ -0,0 +1,17 @@
+import { Command } from '@oclif/core'
+import { printWelcomeScreen } from '../utils/welcome.js'
+
+/**
+ * Display the dvmi cyberpunk mission dashboard.
+ * Renders the animated DVMI logo followed by a full-color
+ * overview of CLI capabilities, focus areas, and quick-start commands.
+ */
+export default class Welcome extends Command {
+  static description = 'Show the dvmi mission dashboard with animated intro'
+
+  static examples = ['<%= config.bin %> welcome']
+
+  async run() {
+    await printWelcomeScreen(this.config.version)
+  }
+}