devvami 1.2.0 → 1.4.0

package/src/commands/costs/trend.js

@@ -0,0 +1,165 @@
+import { Command, Flags } from '@oclif/core'
+import { input } from '@inquirer/prompts'
+import ora from 'ora'
+import { getTrendCosts, getTwoMonthPeriod } from '../../services/aws-costs.js'
+import { loadConfig } from '../../services/config.js'
+import { barChart, lineChart } from '../../formatters/charts.js'
+import { DvmiError } from '../../utils/errors.js'
+import {
+  awsVaultPrefix,
+  isAwsVaultSession,
+  reexecCurrentCommandWithAwsVault,
+  reexecCurrentCommandWithAwsVaultProfile,
+} from '../../utils/aws-vault.js'
+
+export default class CostsTrend extends Command {
+  static description = 'Show a rolling 2-month daily cost trend chart'
+
+  static examples = [
+    '<%= config.bin %> costs trend',
+    '<%= config.bin %> costs trend --line',
+    '<%= config.bin %> costs trend --group-by tag --tag-key env',
+    '<%= config.bin %> costs trend --group-by both --tag-key env',
+    '<%= config.bin %> costs trend --group-by tag --tag-key env --line',
+    '<%= config.bin %> costs trend --json',
+  ]
+
+  static enableJsonFlag = true
+
+  static flags = {
+    'group-by': Flags.string({
+      description: 'Grouping dimension: service, tag, or both',
+      default: 'service',
+      options: ['service', 'tag', 'both'],
+    }),
+    'tag-key': Flags.string({
+      description: 'Tag key for grouping when --group-by tag or both',
+    }),
+    line: Flags.boolean({
+      description: 'Render as line chart instead of default bar chart',
+      default: false,
+    }),
+  }
+
+  async run() {
+    const { flags } = await this.parse(CostsTrend)
+    const isJson = flags.json
+    const isInteractive = !isJson && process.stdout.isTTY && process.env.CI !== 'true'
+    const groupBy = /** @type {'service'|'tag'|'both'} */ (flags['group-by'])
+
+    const config = await loadConfig()
+
+    if (
+      isInteractive &&
+      !isAwsVaultSession() &&
+      process.env.DVMI_AWS_VAULT_REEXEC !== '1'
+    ) {
+      const profile = await input({
+        message: 'AWS profile (aws-vault):',
+        default: config.awsProfile || process.env.AWS_VAULT || 'default',
+      })
+
+      const selected = profile.trim()
+      if (!selected) {
+        this.error('AWS profile is required to run this command.')
+      }
+
+      const promptedReexecExitCode = await reexecCurrentCommandWithAwsVaultProfile(selected)
+      if (promptedReexecExitCode !== null) {
+        this.exit(promptedReexecExitCode)
+        return
+      }
+    }
+
+    // Transparent aws-vault usage: if a profile is configured and no AWS creds are present,
+    // re-run this exact command via `aws-vault exec <profile> -- ...`.
+    const reexecExitCode = await reexecCurrentCommandWithAwsVault(config)
+    if (reexecExitCode !== null) {
+      this.exit(reexecExitCode)
+      return
+    }
+
+    const configTagKey = config.projectTags ? Object.keys(config.projectTags)[0] : undefined
+    const tagKey = flags['tag-key'] ?? configTagKey
+
+    if ((groupBy === 'tag' || groupBy === 'both') && !tagKey) {
+      throw new DvmiError(
+        'No tag key available.',
+        'Pass --tag-key or configure projectTags in dvmi config.',
+      )
+    }
+
+    const spinner = isJson ? null : ora('Fetching cost trend data...').start()
+
+    try {
+      const trendSeries = await getTrendCosts(groupBy, tagKey)
+      spinner?.stop()
+
+      const { start, end } = getTwoMonthPeriod()
+
+      if (isJson) {
+        return {
+          groupBy,
+          tagKey: tagKey ?? null,
+          period: { start, end },
+          series: trendSeries,
+        }
+      }
+
+      if (trendSeries.length === 0) {
+        this.log('No cost data found for the last 2 months.')
+        return
+      }
+
+      // Convert CostTrendSeries[] → ChartSeries[]
+      // All series must share the same label (date) axis — use the union of all dates
+      const allDates = Array.from(
+        new Set(trendSeries.flatMap((s) => s.points.map((p) => p.date))),
+      ).sort()
+
+      /** @type {import('../../formatters/charts.js').ChartSeries[]} */
+      const chartSeries = trendSeries.map((s) => {
+        const dateToAmount = new Map(s.points.map((p) => [p.date, p.amount]))
+        return {
+          name: s.name,
+          values: allDates.map((d) => dateToAmount.get(d) ?? 0),
+          labels: allDates,
+        }
+      })
+
+      const title = `AWS Cost Trend — last 2 months  (${start} → ${end})`
+      const rendered = flags.line
+        ? lineChart(chartSeries, { title })
+        : barChart(chartSeries, { title })
+
+      this.log(rendered)
+    } catch (err) {
+      spinner?.stop()
+      if (String(err).includes('AccessDenied') || String(err).includes('UnauthorizedAccess')) {
+        this.error('Missing IAM permission: ce:GetCostAndUsage. Contact your AWS admin.')
+      }
+      if (String(err).includes('CredentialsProviderError') || String(err).includes('No credentials')) {
+        if (isInteractive) {
+          const suggestedProfile = config.awsProfile || process.env.AWS_VAULT || 'default'
+          const profile = await input({
+            message: 'No AWS credentials. Enter aws-vault profile to retry (empty to cancel):',
+            default: suggestedProfile,
+          })
+
+          const selected = profile.trim()
+          if (selected) {
+            const retryExitCode = await reexecCurrentCommandWithAwsVaultProfile(selected)
+            if (retryExitCode !== null) {
+              this.exit(retryExitCode)
+              return
+            }
+          }
+        }
+
+        const prefix = awsVaultPrefix(config)
+        this.error(`No AWS credentials. Use: ${prefix}dvmi costs trend`)
+      }
+      throw err
+    }
+  }
+}

package/src/commands/dotfiles/add.js

@@ -0,0 +1,249 @@
+import { Command, Flags, Args } from '@oclif/core'
+import ora from 'ora'
+import chalk from 'chalk'
+import { checkbox, confirm, input } from '@inquirer/prompts'
+import { detectPlatform } from '../../services/platform.js'
+import {
+  isChezmoiInstalled,
+  getManagedFiles,
+  getDefaultFileList,
+  getSensitivePatterns,
+  isPathSensitive,
+  isWSLWindowsPath,
+} from '../../services/dotfiles.js'
+import { loadConfig } from '../../services/config.js'
+import { execOrThrow } from '../../services/shell.js'
+import { formatDotfilesAdd } from '../../formatters/dotfiles.js'
+import { DvmiError } from '../../utils/errors.js'
+import { homedir } from 'node:os'
+import { join } from 'node:path'
+import { existsSync } from 'node:fs'
+
+/** @import { DotfilesAddResult } from '../../types.js' */
+
+/**
+ * Expand tilde to home directory.
+ * @param {string} p
+ * @returns {string}
+ */
+function expandTilde(p) {
+  if (p.startsWith('~/') || p === '~') {
+    return join(homedir(), p.slice(2))
+  }
+  return p
+}
+
+export default class DotfilesAdd extends Command {
+  static description = 'Add dotfiles to chezmoi management with automatic encryption for sensitive files'
+
+  static examples = [
+    '<%= config.bin %> dotfiles add',
+    '<%= config.bin %> dotfiles add ~/.zshrc',
+    '<%= config.bin %> dotfiles add ~/.zshrc ~/.gitconfig',
+    '<%= config.bin %> dotfiles add ~/.ssh/id_ed25519 --encrypt',
+    '<%= config.bin %> dotfiles add --json ~/.zshrc',
+  ]
+
+  static enableJsonFlag = true
+
+  static flags = {
+    help: Flags.help({ char: 'h' }),
+    encrypt: Flags.boolean({ char: 'e', description: 'Force encryption for all files being added', default: false }),
+    'no-encrypt': Flags.boolean({ description: 'Disable auto-encryption (add all as plaintext)', default: false }),
+  }
+
+  static args = {
+    files: Args.string({ description: 'File paths to add', required: false }),
+  }
+
+  // oclif does not support variadic args natively via Args.string for multiple values;
+  // we'll parse extra args from this.argv
+  static strict = false
+
+  async run() {
+    const { flags } = await this.parse(DotfilesAdd)
+    const isJson = flags.json
+    const forceEncrypt = flags.encrypt
+    const forceNoEncrypt = flags['no-encrypt']
+
+    // Collect file args from argv (strict=false allows extra positional args)
+    const rawArgs = this.argv.filter((a) => !a.startsWith('-'))
+    const fileArgs = rawArgs
+
+    // Pre-checks
+    const config = await loadConfig()
+    if (!config.dotfiles?.enabled) {
+      throw new DvmiError(
+        'Chezmoi dotfiles management is not configured',
+        'Run `dvmi dotfiles setup` first',
+      )
+    }
+
+    const chezmoiInstalled = await isChezmoiInstalled()
+    if (!chezmoiInstalled) {
+      const platformInfo = await detectPlatform()
+      const hint = platformInfo.platform === 'macos'
+        ? 'Run `brew install chezmoi` or visit https://chezmoi.io/install'
+        : 'Run `sh -c "$(curl -fsLS get.chezmoi.io)"` or visit https://chezmoi.io/install'
+      throw new DvmiError('chezmoi is not installed', hint)
+    }
+
+    const platformInfo = await detectPlatform()
+    const { platform } = platformInfo
+    const sensitivePatterns = getSensitivePatterns(config)
+
+    // Get already-managed files for V-007 check
+    const managedFiles = await getManagedFiles()
+    const managedPaths = new Set(managedFiles.map((f) => f.path))
+
+    /** @type {DotfilesAddResult} */
+    const result = { added: [], skipped: [], rejected: [] }
+
+    if (fileArgs.length > 0) {
+      // Direct mode — files provided as arguments
+      for (const rawPath of fileArgs) {
+        const absPath = expandTilde(rawPath)
+        const displayPath = rawPath
+
+        // V-002: WSL2 Windows path rejection
+        if (platform === 'wsl2' && isWSLWindowsPath(absPath)) {
+          result.rejected.push({ path: displayPath, reason: 'Windows filesystem paths not supported on WSL2. Use Linux-native paths (~/) instead.' })
+          continue
+        }
+
+        // V-001: file must exist
+        if (!existsSync(absPath)) {
+          result.skipped.push({ path: displayPath, reason: 'File not found' })
+          continue
+        }
+
+        // V-007: not already managed
+        if (managedPaths.has(absPath)) {
+          result.skipped.push({ path: displayPath, reason: 'Already managed by chezmoi' })
+          continue
+        }
+
+        // Determine encryption
+        let encrypt = false
+        if (forceEncrypt) {
+          encrypt = true
+        } else if (forceNoEncrypt) {
+          encrypt = false
+        } else {
+          encrypt = isPathSensitive(rawPath, sensitivePatterns)
+        }
+
+        try {
+          const args = ['add']
+          if (encrypt) args.push('--encrypt')
+          args.push(absPath)
+          await execOrThrow('chezmoi', args)
+          result.added.push({ path: displayPath, encrypted: encrypt })
+        } catch {
+          result.skipped.push({ path: displayPath, reason: `Failed to add to chezmoi. Run \`chezmoi doctor\` to verify your setup.` })
+        }
+      }
+
+      if (isJson) return result
+      this.log(formatDotfilesAdd(result))
+      return result
+    }
+
+    // Interactive mode — no file args
+    if (isJson) {
+      // In --json with no files: return empty result
+      return result
+    }
+
+    // Non-interactive guard for interactive mode
+    const isCI = process.env.CI === 'true'
+    const isNonInteractive = !process.stdout.isTTY
+    if (isCI || isNonInteractive) {
+      this.error(
+        'This command requires an interactive terminal (TTY) when no files are specified. Provide file paths as arguments or run with --json.',
+        { exit: 1 },
+      )
+    }
+
+    const spinner = ora({ spinner: 'arc', color: false, text: chalk.hex('#FF6B2B')('Loading recommended files...') }).start()
+    const recommended = getDefaultFileList(platform)
+    spinner.stop()
+
+    // Filter and build choices
+    const choices = recommended.map((rec) => {
+      const absPath = expandTilde(rec.path)
+      const exists = existsSync(absPath)
+      const alreadyManaged = managedPaths.has(absPath)
+      const sensitive = rec.autoEncrypt || isPathSensitive(rec.path, sensitivePatterns)
+      const encTag = sensitive ? chalk.dim(' (auto-encrypted)') : ''
+      const statusTag = !exists ? chalk.dim(' (not found)') : alreadyManaged ? chalk.dim(' (already tracked)') : ''
+      return {
+        name: `${rec.path}${encTag}${statusTag} — ${rec.description}`,
+        value: rec.path,
+        checked: exists && !alreadyManaged,
+        disabled: alreadyManaged ? 'already tracked' : false,
+      }
+    })
+
+    const selected = await checkbox({
+      message: 'Select files to add to chezmoi:',
+      choices,
+    })
+
+    // Offer custom file
+    const addCustom = await confirm({ message: 'Add a custom file path?', default: false })
+    if (addCustom) {
+      const customPath = await input({ message: 'Enter file path:' })
+      if (customPath.trim()) selected.push(customPath.trim())
+    }
+
+    if (selected.length === 0) {
+      this.log(chalk.dim('  No files selected.'))
+      return result
+    }
+
+    const addSpinner = ora({ spinner: 'arc', color: false, text: chalk.hex('#FF6B2B')('Adding files to chezmoi...') }).start()
+    addSpinner.stop()
+
+    for (const rawPath of selected) {
+      const absPath = expandTilde(rawPath)
+
+      if (platform === 'wsl2' && isWSLWindowsPath(absPath)) {
+        result.rejected.push({ path: rawPath, reason: 'Windows filesystem paths not supported on WSL2' })
+        continue
+      }
+
+      if (!existsSync(absPath)) {
+        result.skipped.push({ path: rawPath, reason: 'File not found' })
+        continue
+      }
+
+      if (managedPaths.has(absPath)) {
+        result.skipped.push({ path: rawPath, reason: 'Already managed by chezmoi' })
+        continue
+      }
+
+      let encrypt = false
+      if (forceEncrypt) {
+        encrypt = true
+      } else if (forceNoEncrypt) {
+        encrypt = false
+      } else {
+        encrypt = isPathSensitive(rawPath, sensitivePatterns)
+      }
+
+      try {
+        const args = ['add']
+        if (encrypt) args.push('--encrypt')
+        args.push(absPath)
+        await execOrThrow('chezmoi', args)
+        result.added.push({ path: rawPath, encrypted: encrypt })
+      } catch {
+        result.skipped.push({ path: rawPath, reason: `Failed to add. Run \`chezmoi doctor\` to verify your setup.` })
+      }
+    }
+
+    this.log(formatDotfilesAdd(result))
+    return result
+  }
+}

package/src/commands/dotfiles/setup.js

@@ -0,0 +1,190 @@
+import { Command, Flags } from '@oclif/core'
+import ora from 'ora'
+import chalk from 'chalk'
+import { confirm } from '@inquirer/prompts'
+import { detectPlatform } from '../../services/platform.js'
+import { isChezmoiInstalled, getChezmoiConfig, buildSetupSteps } from '../../services/dotfiles.js'
+import { formatDotfilesSetup } from '../../formatters/dotfiles.js'
+import { DvmiError } from '../../utils/errors.js'
+
+/** @import { DotfilesSetupResult, SetupStep, StepResult } from '../../types.js' */
+
+export default class DotfilesSetup extends Command {
+  static description = 'Interactive wizard to configure chezmoi with age encryption for dotfile management'
+
+  static examples = [
+    '<%= config.bin %> dotfiles setup',
+    '<%= config.bin %> dotfiles setup --json',
+  ]
+
+  static enableJsonFlag = true
+
+  static flags = {
+    help: Flags.help({ char: 'h' }),
+  }
+
+  async run() {
+    const { flags } = await this.parse(DotfilesSetup)
+    const isJson = flags.json
+
+    // Non-interactive guard
+    const isCI = process.env.CI === 'true'
+    const isNonInteractive = !process.stdout.isTTY
+    if ((isCI || isNonInteractive) && !isJson) {
+      this.error(
+        'This command requires an interactive terminal (TTY). Run with --json for a non-interactive status check.',
+        { exit: 1 },
+      )
+    }
+
+    const platformInfo = await detectPlatform()
+    const { platform } = platformInfo
+
+    // --json branch: non-interactive setup attempt
+    if (isJson) {
+      const chezmoiInstalled = await isChezmoiInstalled()
+      if (!chezmoiInstalled) {
+        /** @type {DotfilesSetupResult} */
+        return {
+          platform,
+          chezmoiInstalled: false,
+          encryptionConfigured: false,
+          sourceDir: null,
+          publicKey: null,
+          status: 'failed',
+          message: platform === 'macos'
+            ? 'chezmoi is not installed. Run `brew install chezmoi` or visit https://chezmoi.io/install'
+            : 'chezmoi is not installed. Run `sh -c "$(curl -fsLS get.chezmoi.io)"` or visit https://chezmoi.io/install',
+        }
+      }
+
+      const existingConfig = await getChezmoiConfig()
+      const encryptionConfigured = existingConfig?.encryption?.tool === 'age' || !!existingConfig?.age?.identity
+
+      /** @type {DotfilesSetupResult} */
+      return {
+        platform,
+        chezmoiInstalled: true,
+        encryptionConfigured,
+        sourceDir: existingConfig?.sourceDir ?? existingConfig?.sourcePath ?? null,
+        publicKey: null,
+        status: 'success',
+        message: encryptionConfigured ? 'Chezmoi configured with age encryption' : 'Chezmoi configured (no encryption)',
+      }
+    }
+
+    // ---------------------------------------------------------------------------
+    // Interactive mode
+    // ---------------------------------------------------------------------------
+    const preSpinner = ora({ spinner: 'arc', color: false, text: chalk.hex('#FF6B2B')('Checking chezmoi status...') }).start()
+    const chezmoiInstalled = await isChezmoiInstalled()
+    const existingConfig = await getChezmoiConfig()
+    preSpinner.stop()
+
+    if (!chezmoiInstalled) {
+      const hint = platform === 'macos'
+        ? 'Run `brew install chezmoi` or visit https://chezmoi.io/install'
+        : 'Run `sh -c "$(curl -fsLS get.chezmoi.io)"` or visit https://chezmoi.io/install'
+      throw new DvmiError('chezmoi is not installed', hint)
+    }
+
+    // Check existing config state
+    const hasEncryption = existingConfig?.encryption?.tool === 'age' || !!existingConfig?.age?.identity
+    if (existingConfig && hasEncryption) {
+      this.log(chalk.green('  ✔ chezmoi is already configured with age encryption'))
+      const reconfigure = await confirm({ message: 'Reconfigure encryption (regenerate age key)?', default: false })
+      if (!reconfigure) {
+        const sourceDir = existingConfig?.sourceDir ?? existingConfig?.sourcePath ?? null
+        this.log(chalk.dim('  Skipped. Existing encryption configuration kept.'))
+        return { platform, chezmoiInstalled: true, encryptionConfigured: true, sourceDir, publicKey: null, status: 'skipped', message: 'Existing encryption configuration kept' }
+      }
+    } else if (existingConfig) {
+      this.log(chalk.yellow('  chezmoi is initialised but encryption is not configured — adding age encryption'))
+    }
+
+    // Build and run steps
+    const steps = buildSetupSteps(platform, { existingConfig })
+
+    this.log('')
+
+    let publicKey = null
+    let sourceDir = null
+
+    for (const step of steps) {
+      const typeColor = { check: chalk.blue, install: chalk.yellow, configure: chalk.cyan, verify: chalk.green }
+      const colorFn = typeColor[step.type] ?? chalk.white
+      this.log(`  ${colorFn(`[${step.type}]`)}  ${step.label}`)
+
+      if (step.requiresConfirmation) {
+        const proceed = await confirm({ message: `Proceed with: ${step.label}?`, default: true })
+        if (!proceed) {
+          this.log(chalk.dim('  Skipped.'))
+          continue
+        }
+      }
+
+      const stepSpinner = ora({ spinner: 'arc', color: false, text: chalk.dim(step.label) }).start()
+      let result
+      try {
+        result = await step.run()
+      } catch (err) {
+        result = { status: /** @type {'failed'} */ ('failed'), hint: err instanceof Error ? err.message : String(err) }
+      }
+
+      if (result.status === 'success') {
+        stepSpinner.succeed(chalk.green(result.message ?? step.label))
+        // Extract public key and source dir from relevant steps
+        if (step.id === 'configure-encryption' && result.message) {
+          const match = result.message.match(/\(public key: (age1[a-z0-9]+)/)
+          if (match) publicKey = match[1]
+        }
+        if (step.id === 'init-chezmoi' && result.message) {
+          const match = result.message.match(/Source dir: (.+)/)
+          if (match) sourceDir = match[1]
+        }
+      } else if (result.status === 'skipped') {
+        stepSpinner.info(chalk.dim(result.message ?? 'Skipped'))
+      } else {
+        stepSpinner.fail(chalk.red(`${step.label} — failed`))
+        if (result.hint) this.log(chalk.dim(`  → ${result.hint}`))
+        this.log(formatDotfilesSetup({ platform, chezmoiInstalled: true, encryptionConfigured: false, sourceDir: null, publicKey: null, status: 'failed', message: result.hint }))
+        return { platform, chezmoiInstalled: true, encryptionConfigured: false, sourceDir: null, publicKey: null, status: 'failed', message: result.hint }
+      }
+    }
+
+    // Get final config
+    const finalConfig = await getChezmoiConfig()
+    if (!sourceDir) {
+      sourceDir = finalConfig?.sourceDir ?? finalConfig?.sourcePath ?? null
+    }
+
+    // Try to get public key from key file
+    if (!publicKey) {
+      try {
+        const { homedir } = await import('node:os')
+        const { join } = await import('node:path')
+        const { readFile } = await import('node:fs/promises')
+        const keyPath = join(homedir(), '.config', 'chezmoi', 'key.txt')
+        const keyContent = await readFile(keyPath, 'utf8').catch(() => '')
+        const match = keyContent.match(/# public key: (age1[a-z0-9]+)/i)
+        if (match) publicKey = match[1]
+      } catch {
+        // ignore
+      }
+    }
+
+    /** @type {DotfilesSetupResult} */
+    const finalResult = {
+      platform,
+      chezmoiInstalled: true,
+      encryptionConfigured: true,
+      sourceDir,
+      publicKey,
+      status: 'success',
+      message: 'Chezmoi configured with age encryption',
+    }
+
+    this.log(formatDotfilesSetup(finalResult))
+    return finalResult
+  }
+}