devvami 1.3.0 → 1.4.1

package/src/commands/init.js

@@ -8,8 +8,8 @@ import { detectPlatform } from '../services/platform.js'
 import { exec, which } from '../services/shell.js'
 import { configExists, loadConfig, saveConfig, CONFIG_PATH } from '../services/config.js'
 import { oauthFlow, storeToken, validateToken, getTeams } from '../services/clickup.js'
-
 import { SUPPORTED_TOOLS } from '../services/prompts.js'
+import { isChezmoiInstalled, setupChezmoiInline } from '../services/dotfiles.js'
 
 export default class Init extends Command {
   static description = 'Setup completo ambiente di sviluppo locale'
@@ -243,7 +243,40 @@ export default class Init extends Command {
        }
      }
 
-     // 7. Shell completions
+     // 7. Chezmoi dotfiles setup
+     if (isDryRun) {
+       steps.push({ name: 'dotfiles', status: 'would configure' })
+     } else if (isJson) {
+       config = await loadConfig()
+       steps.push({
+         name: 'dotfiles',
+         status: config.dotfiles?.enabled ? 'configured' : 'not_configured',
+         enabled: config.dotfiles?.enabled ?? false,
+       })
+     } else {
+       const chezmoiInstalled = await isChezmoiInstalled()
+       if (!chezmoiInstalled) {
+         steps.push({ name: 'dotfiles', status: 'skipped', reason: 'chezmoi not installed' })
+       } else {
+         const setupDotfiles = await confirm({
+           message: 'Set up chezmoi dotfiles management with age encryption?',
+           default: false,
+         })
+         if (setupDotfiles) {
+           try {
+              const dotfilesResult = await setupChezmoiInline(platform.platform)
+             config = await loadConfig()
+             steps.push({ name: 'dotfiles', status: dotfilesResult.status, sourceDir: dotfilesResult.sourceDir })
+           } catch (err) {
+             steps.push({ name: 'dotfiles', status: 'failed', reason: err instanceof Error ? err.message : String(err) })
+           }
+         } else {
+           steps.push({ name: 'dotfiles', status: 'skipped', hint: 'Run `dvmi dotfiles setup` anytime to enable' })
+         }
+       }
+     }
+
+     // 8. Shell completions
      steps.push({ name: 'shell-completions', status: 'ok', action: 'install via: dvmi autocomplete' })
 
     const result = { steps, configPath: CONFIG_PATH }

package/src/commands/vuln/detail.js

@@ -0,0 +1,65 @@
+import { Command, Args, Flags } from '@oclif/core'
+import ora from 'ora'
+import { getCveDetail } from '../../services/nvd.js'
+import { formatCveDetail } from '../../formatters/vuln.js'
+import { openBrowser } from '../../utils/open-browser.js'
+import { ValidationError } from '../../utils/errors.js'
+
+export default class VulnDetail extends Command {
+  static description = 'View full details for a specific CVE'
+
+  static examples = [
+    '<%= config.bin %> vuln detail CVE-2021-44228',
+    '<%= config.bin %> vuln detail CVE-2021-44228 --open',
+    '<%= config.bin %> vuln detail CVE-2021-44228 --json',
+  ]
+
+  static enableJsonFlag = true
+
+  static args = {
+    cveId: Args.string({ description: 'CVE identifier (e.g. CVE-2021-44228)', required: true }),
+  }
+
+  static flags = {
+    open: Flags.boolean({
+      char: 'o',
+      description: 'Open the first reference URL in the default browser',
+      default: false,
+    }),
+  }
+
+  async run() {
+    const { args, flags } = await this.parse(VulnDetail)
+    const isJson = flags.json
+    const { cveId } = args
+
+    if (!cveId || !/^CVE-\d{4}-\d{4,}$/i.test(cveId)) {
+      throw new ValidationError(
+        `Invalid CVE ID: ${cveId}`,
+        'CVE IDs must match the format CVE-YYYY-NNNNN (e.g. CVE-2021-44228)',
+      )
+    }
+
+    const spinner = isJson ? null : ora(`Fetching ${cveId.toUpperCase()}...`).start()
+
+    try {
+      const detail = await getCveDetail(cveId)
+      spinner?.stop()
+
+      if (isJson) return detail
+
+      this.log(formatCveDetail(detail))
+
+      if (flags.open && detail.references.length > 0) {
+        const firstUrl = detail.references[0].url
+        this.log(`\nOpening ${firstUrl} ...`)
+        await openBrowser(firstUrl)
+      }
+
+      return detail
+    } catch (err) {
+      spinner?.stop()
+      throw err
+    }
+  }
+}

package/src/commands/vuln/scan.js

@@ -0,0 +1,155 @@
+import { Command, Flags } from '@oclif/core'
+import { writeFile } from 'node:fs/promises'
+import ora from 'ora'
+import chalk from 'chalk'
+import { detectEcosystems, supportedEcosystemsMessage } from '../../services/audit-detector.js'
+import { runAudit, summarizeFindings, filterBySeverity } from '../../services/audit-runner.js'
+import { formatFindingsTable, formatScanSummary, formatMarkdownReport } from '../../formatters/vuln.js'
+
+export default class VulnScan extends Command {
+  static description = 'Scan the current directory for known vulnerabilities in dependencies'
+
+  static examples = [
+    '<%= config.bin %> vuln scan',
+    '<%= config.bin %> vuln scan --severity high',
+    '<%= config.bin %> vuln scan --no-fail',
+    '<%= config.bin %> vuln scan --report vuln-report.md',
+    '<%= config.bin %> vuln scan --json',
+  ]
+
+  static enableJsonFlag = true
+
+  static flags = {
+    severity: Flags.string({
+      char: 's',
+      description: 'Minimum severity filter',
+      options: ['low', 'medium', 'high', 'critical'],
+    }),
+    'no-fail': Flags.boolean({
+      description: 'Exit with code 0 even when vulnerabilities are found',
+      default: false,
+    }),
+    report: Flags.string({
+      char: 'r',
+      description: 'Export vulnerability report to file path (Markdown format)',
+    }),
+  }
+
+  async run() {
+    const { flags } = await this.parse(VulnScan)
+    const isJson = flags.json
+    const { severity, 'no-fail': noFail, report } = flags
+
+    const projectPath = process.env.DVMI_SCAN_DIR ?? process.cwd()
+    const scanDate = new Date().toISOString()
+
+    // Detect ecosystems
+    const ecosystems = detectEcosystems(projectPath)
+
+    if (ecosystems.length === 0) {
+      if (isJson) {
+        return {
+          projectPath,
+          scanDate,
+          ecosystems: [],
+          findings: [],
+          summary: { critical: 0, high: 0, medium: 0, low: 0, unknown: 0, total: 0 },
+          errors: [{ ecosystem: 'none', message: 'No supported package manager detected.' }],
+        }
+      }
+
+      this.log(chalk.red('  ✘ No supported package manager detected.'))
+      this.log('')
+      this.log('  Supported ecosystems:')
+      this.log(supportedEcosystemsMessage())
+      this.log('')
+      this.log('  Tip: Make sure you have a lock file in the current directory.')
+      this.exit(2)
+      return
+    }
+
+    // Display detected ecosystems
+    if (!isJson) {
+      this.log(chalk.bold('Vulnerability Scan'))
+      this.log('')
+      this.log('  Detected ecosystems:')
+      for (const eco of ecosystems) {
+        this.log(`  ${chalk.green('●')} ${eco.name} (${eco.lockFile})`)
+      }
+      this.log('')
+    }
+
+    // Run audits
+    const allFindings = []
+    const errors = []
+
+    for (const eco of ecosystems) {
+      const spinner = isJson ? null : ora(`  Scanning ${eco.name} dependencies...`).start()
+
+      const { findings, error } = await runAudit(eco)
+
+      if (error) {
+        spinner?.fail(`  Scanning ${eco.name} dependencies... failed`)
+        errors.push({ ecosystem: eco.name, message: error })
+      } else {
+        spinner?.succeed(`  Scanning ${eco.name} dependencies... done`)
+        allFindings.push(...findings)
+      }
+    }
+
+    // Apply severity filter
+    const filteredFindings = filterBySeverity(allFindings, severity)
+
+    // Build summary
+    const summary = summarizeFindings(filteredFindings)
+
+    const result = {
+      projectPath,
+      scanDate,
+      ecosystems,
+      findings: filteredFindings,
+      summary,
+      errors,
+    }
+
+    // Write report if requested
+    if (report) {
+      const markdown = formatMarkdownReport(result)
+      await writeFile(report, markdown, 'utf8')
+      if (!isJson) this.log(`\n  Report saved to: ${report}`)
+    }
+
+    if (isJson) return result
+
+    this.log('')
+
+    if (filteredFindings.length === 0 && errors.length === 0) {
+      this.log(chalk.green('  ✔ No known vulnerabilities found.'))
+      return result
+    }
+
+    if (filteredFindings.length > 0) {
+      this.log(chalk.bold(`  Findings (${filteredFindings.length} ${filteredFindings.length === 1 ? 'vulnerability' : 'vulnerabilities'})`))
+      this.log('')
+      this.log(formatFindingsTable(filteredFindings))
+      this.log('')
+      this.log(chalk.bold('  Summary'))
+      this.log(formatScanSummary(summary))
+      this.log('')
+      this.log(chalk.yellow(`  ⚠ ${filteredFindings.length} ${filteredFindings.length === 1 ? 'vulnerability' : 'vulnerabilities'} found. Run \`dvmi vuln detail <CVE-ID>\` for details.`))
+    }
+
+    if (errors.length > 0) {
+      this.log('')
+      for (const err of errors) {
+        this.log(chalk.red(`  ✘ ${err.ecosystem}: ${err.message}`))
+      }
+    }
+
+    if (filteredFindings.length > 0 && !noFail) {
+      this.exit(1)
+    }
+
+    return result
+  }
+}

package/src/commands/vuln/search.js

@@ -0,0 +1,128 @@
+import { Command, Args, Flags } from '@oclif/core'
+import ora from 'ora'
+import chalk from 'chalk'
+import { searchCves, getCveDetail } from '../../services/nvd.js'
+import { formatCveSearchTable, colorSeverity, formatScore, formatDate, truncate } from '../../formatters/vuln.js'
+import { startInteractiveTable } from '../../utils/tui/navigable-table.js'
+import { ValidationError } from '../../utils/errors.js'
+
+// Minimum terminal rows required to show the interactive TUI
+const MIN_TTY_ROWS = 6
+
+// Column widths for the navigable table
+const COL_WIDTHS = {
+  id: 20,
+  severity: 10,
+  score: 5,
+  published: 10,
+  reference: 30,
+}
+
+export default class VulnSearch extends Command {
+  static description = 'Search for recent CVEs by keyword (omit keyword to see all recent CVEs)'
+
+  static examples = [
+    '<%= config.bin %> vuln search openssl',
+    '<%= config.bin %> vuln search openssl --days 30',
+    '<%= config.bin %> vuln search log4j --severity critical',
+    '<%= config.bin %> vuln search nginx --limit 10 --json',
+    '<%= config.bin %> vuln search',
+    '<%= config.bin %> vuln search --days 7 --severity high',
+  ]
+
+  static enableJsonFlag = true
+
+  static args = {
+    keyword: Args.string({ description: 'Product, library, or keyword to search for (optional — omit to see all recent CVEs)', required: false }),
+  }
+
+  static flags = {
+    days: Flags.integer({
+      char: 'd',
+      description: 'Time window in days (search CVEs published within last N days)',
+      default: 14,
+    }),
+    severity: Flags.string({
+      char: 's',
+      description: 'Minimum severity filter',
+      options: ['low', 'medium', 'high', 'critical'],
+    }),
+    limit: Flags.integer({
+      char: 'l',
+      description: 'Maximum number of results to display',
+      default: 20,
+    }),
+  }
+
+  async run() {
+    const { args, flags } = await this.parse(VulnSearch)
+    const isJson = flags.json
+
+    const { keyword } = args
+    const { days, severity, limit } = flags
+
+    if (days < 1 || days > 120) {
+      throw new ValidationError(
+        `--days must be between 1 and 120, got ${days}`,
+        'The NVD API supports a maximum 120-day date range per request.',
+      )
+    }
+
+    if (limit < 1 || limit > 2000) {
+      throw new ValidationError(
+        `--limit must be between 1 and 2000, got ${limit}`,
+        'The NVD API returns at most 2000 results per page.',
+      )
+    }
+
+    const spinner = isJson ? null : ora(keyword ? `Searching NVD for "${keyword}"...` : `Fetching recent CVEs (last ${days} days)...`).start()
+
+    try {
+      const { results, totalResults } = await searchCves({ keyword, days, severity, limit })
+      spinner?.stop()
+
+      const result = { keyword: keyword ?? null, days, severity: severity ?? null, totalResults, results }
+
+      if (isJson) return result
+
+      this.log(formatCveSearchTable(results, keyword, days, totalResults))
+
+      // Interactive navigable table — only in a real TTY with enough rows, skipped in CI / --json / piped output
+      const ttyRows = process.stdout.rows ?? 0
+      if (process.stdout.isTTY && results.length > 0 && ttyRows >= MIN_TTY_ROWS) {
+        const heading = keyword
+          ? `CVE Search: "${keyword}" (last ${days} days)`
+          : `CVE Search: all recent (last ${days} days)`
+
+        const termCols = process.stdout.columns || 80
+        const descWidth = Math.max(20, Math.min(60, termCols - 84))
+
+        const rows = results.map((r) => ({
+          id: r.id,
+          severity: r.severity,
+          score: formatScore(r.score),
+          published: formatDate(r.publishedDate),
+          description: truncate(r.description, descWidth),
+          reference: r.firstReference ? truncate(r.firstReference, COL_WIDTHS.reference) : '—',
+        }))
+
+        /** @type {import('../../utils/tui/navigable-table.js').TableColumnDef[]} */
+        const columns = [
+          { header: 'CVE ID',      key: 'id',          width: COL_WIDTHS.id,        colorize: (v) => chalk.cyan(v) },
+          { header: 'Severity',    key: 'severity',     width: COL_WIDTHS.severity,  colorize: (v) => colorSeverity(v) },
+          { header: 'Score',       key: 'score',        width: COL_WIDTHS.score },
+          { header: 'Published',   key: 'published',    width: COL_WIDTHS.published },
+          { header: 'Description', key: 'description',  width: descWidth },
+          { header: 'Reference',   key: 'reference',    width: COL_WIDTHS.reference },
+        ]
+
+        await startInteractiveTable(rows, columns, heading, totalResults, getCveDetail)
+      }
+
+      return result
+    } catch (err) {
+      spinner?.stop()
+      throw err
+    }
+  }
+}

package/src/formatters/dotfiles.js

@@ -0,0 +1,259 @@
+import chalk from 'chalk'
+
+/** @import { DotfilesSetupResult, DotfilesStatusResult, DotfilesAddResult, DotfilesSyncResult, DotfileEntry } from '../types.js' */
+
+const BORDER = chalk.dim('─'.repeat(60))
+
+// ---------------------------------------------------------------------------
+// formatDotfilesSetup (T020)
+// ---------------------------------------------------------------------------
+
+/**
+ * Format the output of `dvmi dotfiles setup` completion.
+ * @param {DotfilesSetupResult} result
+ * @returns {string}
+ */
+export function formatDotfilesSetup(result) {
+  const lines = [
+    '',
+    BORDER,
+    chalk.bold('  Dotfiles Setup — Summary'),
+    BORDER,
+    '',
+    chalk.bold(`  Platform:    ${chalk.cyan(result.platform)}`),
+    chalk.bold(`  Status:      ${result.status === 'success' ? chalk.green('success') : result.status === 'skipped' ? chalk.dim('skipped') : chalk.red('failed')}`),
+  ]
+
+  if (result.sourceDir) {
+    lines.push(chalk.white(`  Source dir:  ${chalk.cyan(result.sourceDir)}`))
+  }
+
+  if (result.publicKey) {
+    lines.push('')
+    lines.push(chalk.white(`  Age public key:`))
+    lines.push(chalk.cyan(`    ${result.publicKey}`))
+    lines.push('')
+    lines.push(chalk.yellow('  IMPORTANT: Back up your age key!'))
+    lines.push(chalk.dim(`    Key file: ~/.config/chezmoi/key.txt`))
+    lines.push(chalk.dim('    Without this key you cannot decrypt your dotfiles on a new machine.'))
+  }
+
+  if (result.status === 'success') {
+    lines.push('')
+    lines.push(chalk.bold.green('  Chezmoi configured with age encryption!'))
+    lines.push(chalk.dim('  Run `dvmi dotfiles add` to start tracking files'))
+  } else if (result.status === 'failed') {
+    lines.push('')
+    lines.push(chalk.bold.red('  Setup failed.'))
+    if (result.message) lines.push(chalk.dim(`  → ${result.message}`))
+  } else if (result.status === 'skipped') {
+    lines.push('')
+    if (result.message) lines.push(chalk.dim(`  ${result.message}`))
+  }
+
+  lines.push(BORDER)
+  return lines.join('\n')
+}
+
+// ---------------------------------------------------------------------------
+// formatDotfilesSummary (T012)
+// ---------------------------------------------------------------------------
+
+/**
+ * Format the file count summary line.
+ * @param {{ total: number, encrypted: number, plaintext: number }} summary
+ * @returns {string}
+ */
+export function formatDotfilesSummary(summary) {
+  return `${summary.total} total: ${summary.plaintext} plaintext, ${summary.encrypted} encrypted`
+}
+
+// ---------------------------------------------------------------------------
+// formatDotfilesStatus (T012 / T032)
+// ---------------------------------------------------------------------------
+
+/**
+ * Infer a display category from a file path.
+ * @param {string} filePath
+ * @returns {string}
+ */
+function inferCategory(filePath) {
+  const lower = filePath.toLowerCase()
+  if (lower.includes('.ssh') || lower.includes('.gnupg') || lower.includes('gpg') || lower.includes('secret') || lower.includes('credential') || lower.includes('token') || lower.includes('password')) return 'Security'
+  if (lower.includes('.gitconfig') || lower.includes('.gitignore') || lower.includes('.git')) return 'Git'
+  if (lower.includes('zshrc') || lower.includes('bashrc') || lower.includes('bash_profile') || lower.includes('zprofile') || lower.includes('fish')) return 'Shell'
+  if (lower.includes('vim') || lower.includes('nvim') || lower.includes('emacs') || lower.includes('vscode') || lower.includes('cursor')) return 'Editor'
+  if (lower.includes('brew') || lower.includes('npm') || lower.includes('yarn') || lower.includes('pip') || lower.includes('gem')) return 'Package'
+  return 'Other'
+}
+
+/**
+ * Format the full `dvmi dotfiles status` interactive output.
+ * @param {DotfilesStatusResult} result
+ * @returns {string}
+ */
+export function formatDotfilesStatus(result) {
+  const lines = [
+    '',
+    BORDER,
+    chalk.bold('  Dotfiles Status'),
+    BORDER,
+    '',
+    chalk.white(`  Platform:    ${chalk.cyan(result.platform)}`),
+  ]
+
+  if (result.sourceDir) {
+    lines.push(chalk.white(`  Source dir:  ${chalk.cyan(result.sourceDir)}`))
+  }
+
+  const encLabel = result.encryptionConfigured ? chalk.green('age (configured)') : chalk.dim('not configured')
+  lines.push(chalk.white(`  Encryption:  ${encLabel}`))
+
+  if (result.repo) {
+    lines.push(chalk.white(`  Remote:      ${chalk.cyan(result.repo)}`))
+  } else {
+    lines.push(chalk.white(`  Remote:      ${chalk.dim('not configured')}`))
+  }
+
+  if (!result.enabled) {
+    lines.push('')
+    lines.push(chalk.dim('  Dotfiles management not configured.'))
+    lines.push(chalk.dim('  Run `dvmi dotfiles setup` to get started.'))
+    lines.push(BORDER)
+    return lines.join('\n')
+  }
+
+  // Group files by category
+  /** @type {Record<string, DotfileEntry[]>} */
+  const grouped = {}
+  for (const file of result.files) {
+    const category = inferCategory(file.path)
+    if (!grouped[category]) grouped[category] = []
+    grouped[category].push(file)
+  }
+
+  const summaryLine = formatDotfilesSummary(result.summary)
+  lines.push('')
+  lines.push(chalk.bold(`  Managed Files (${summaryLine})`))
+  lines.push(BORDER)
+
+  for (const [category, files] of Object.entries(grouped)) {
+    const catLabel = category === 'Security' ? `  ${category} 🔒` : `  ${category}`
+    lines.push('')
+    lines.push(chalk.bold(catLabel))
+    for (const file of files) {
+      const encTag = file.encrypted ? chalk.dim('  encrypted') : ''
+      lines.push(`    ${file.path}${encTag}`)
+    }
+  }
+
+  if (result.files.length === 0) {
+    lines.push('')
+    lines.push(chalk.dim('  No files managed yet. Run `dvmi dotfiles add` to start tracking files.'))
+  }
+
+  lines.push('')
+  lines.push(BORDER)
+  return lines.join('\n')
+}
+
+// ---------------------------------------------------------------------------
+// formatDotfilesAdd (T027)
+// ---------------------------------------------------------------------------
+
+/**
+ * Format the output of `dvmi dotfiles add` completion.
+ * @param {DotfilesAddResult} result
+ * @returns {string}
+ */
+export function formatDotfilesAdd(result) {
+  const lines = [
+    '',
+    BORDER,
+    chalk.bold('  Dotfiles Add — Summary'),
+    BORDER,
+    '',
+  ]
+
+  if (result.added.length > 0) {
+    lines.push(chalk.bold(`  Added (${result.added.length}):`))
+    for (const item of result.added) {
+      const encTag = item.encrypted ? chalk.dim(' [encrypted]') : ''
+      lines.push(chalk.green(`    ✔ ${item.path}${encTag}`))
+    }
+    lines.push('')
+  }
+
+  if (result.skipped.length > 0) {
+    lines.push(chalk.bold(`  Skipped (${result.skipped.length}):`))
+    for (const item of result.skipped) {
+      lines.push(chalk.dim(`    ─ ${item.path}  ${item.reason}`))
+    }
+    lines.push('')
+  }
+
+  if (result.rejected.length > 0) {
+    lines.push(chalk.bold(`  Rejected (${result.rejected.length}):`))
+    for (const item of result.rejected) {
+      lines.push(chalk.red(`    ✗ ${item.path}  ${item.reason}`))
+    }
+    lines.push('')
+  }
+
+  if (result.added.length === 0 && result.skipped.length === 0 && result.rejected.length === 0) {
+    lines.push(chalk.dim('  No files processed.'))
+    lines.push('')
+  }
+
+  lines.push(BORDER)
+  return lines.join('\n')
+}
+
+// ---------------------------------------------------------------------------
+// formatDotfilesSync (T039 / T044)
+// ---------------------------------------------------------------------------
+
+/**
+ * Format the output of `dvmi dotfiles sync` completion.
+ * @param {DotfilesSyncResult} result
+ * @returns {string}
+ */
+export function formatDotfilesSync(result) {
+  const actionLabel = {
+    push: 'Push',
+    pull: 'Pull',
+    'init-remote': 'Remote Setup',
+    skipped: 'Skipped',
+  }[result.action] ?? result.action
+
+  const lines = [
+    '',
+    BORDER,
+    chalk.bold(`  Dotfiles Sync — ${actionLabel}`),
+    BORDER,
+    '',
+    chalk.white(`  Action:  ${chalk.cyan(actionLabel)}`),
+    chalk.white(`  Status:  ${result.status === 'success' ? chalk.green('success') : result.status === 'skipped' ? chalk.dim('skipped') : chalk.red('failed')}`),
+  ]
+
+  if (result.repo) {
+    lines.push(chalk.white(`  Remote:  ${chalk.cyan(result.repo)}`))
+  }
+
+  if (result.message) {
+    lines.push('')
+    lines.push(chalk.white(`  ${result.message}`))
+  }
+
+  if (result.conflicts && result.conflicts.length > 0) {
+    lines.push('')
+    lines.push(chalk.bold.red(`  Conflicts (${result.conflicts.length}):`))
+    for (const conflict of result.conflicts) {
+      lines.push(chalk.red(`    ✗ ${conflict}`))
+    }
+    lines.push(chalk.dim('  Resolve conflicts manually and run `chezmoi apply` to continue.'))
+  }
+
+  lines.push(BORDER)
+  return lines.join('\n')
+}