PyPI - lnp-devopscli - Versions diffs - 1.0.0__py3-none-any.whl - Mend

lnp-devopscli 1.0.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

dc_cli/__init__.py +3 -0
dc_cli/groups/__init__.py +0 -0
dc_cli/groups/bw.py +430 -0
dc_cli/groups/gl.py +300 -0
dc_cli/groups/ws.py +1249 -0
dc_cli/main.py +54 -0
dc_cli/utils/__init__.py +0 -0
dc_cli/utils/config.py +83 -0
dc_cli/utils/gitlab.py +165 -0
lnp_devopscli-1.0.0.dist-info/METADATA +136 -0
lnp_devopscli-1.0.0.dist-info/RECORD +14 -0
lnp_devopscli-1.0.0.dist-info/WHEEL +5 -0
lnp_devopscli-1.0.0.dist-info/entry_points.txt +3 -0
lnp_devopscli-1.0.0.dist-info/top_level.txt +1 -0

dc_cli/groups/ws.py ADDED Viewed

@@ -0,0 +1,1249 @@
+"""Grupo: dc ws - Workspace sync utilities."""
+from __future__ import annotations
+import os
+import shutil
+import subprocess
+import sys
+import tempfile
+from pathlib import Path
+import click
+import yaml
+DEFAULT_REMOTE = "gdrive:workspace-sync"
+DEFAULT_CONFIG_PATH = Path.home() / "bin" / "config.yaml"
+DEVOPSCLI_GIT_URL = "git@gitlab.com:lnp-consulting-ti/devops/devops-cli.git"
+DEVOPSCLI_GIT_URL_HTTPS = "https://gitlab.com/lnp-consulting-ti/devops/devops-cli.git"
+BIN_EXCLUDES = [
+    "devops-cli/**",
+    "**/.git/**",
+    "**/.venv/**",
+    "**/__pycache__/**",
+    "**/*.pyc",
+    "**/.env",
+    "**/.env.*",
+]
+LOCAL_BIN_EXCLUDES = [
+    # gerenciados por outros instaladores (re-instalados no bootstrap)
+    "mise",
+    "uv",
+    # ansible scripts dependem de venv especifica
+    "ansible",
+    "ansible-*",
+    # backups / temporarios
+    "*.bak",
+    "*.bak-*",
+    "*.tmp",
+    "*.old",
+]
+SSH_EXCLUDES = [
+    "agent.*",
+    "sockets/**",
+    "S.*",
+    "*.sock",
+]
+ZELLIJ_CACHE_EXCLUDES = [
+    "**/initial_contents_*",
+]
+def _require_rclone() -> None:
+    if not shutil.which("rclone"):
+        click.echo("[ERRO] rclone nao encontrado no PATH.", err=True)
+        sys.exit(1)
+def _run(cmd: list[str], check: bool = True) -> subprocess.CompletedProcess:
+    result = subprocess.run(cmd)
+    if check and result.returncode != 0:
+        sys.exit(result.returncode)
+    return result
+def _copyto(src: Path | str, dst: str, dry_run: bool, check: bool = True) -> None:
+    cmd = ["rclone", "copyto", str(src), dst, "-v"]
+    if dry_run:
+        cmd.append("--dry-run")
+    _run(cmd, check=check)
+def _copy(
+    src: Path | str, dst: str, dry_run: bool, excludes: list[str] | None = None
+) -> None:
+    cmd = ["rclone", "copy", str(src), dst, "-v"]
+    if excludes:
+        for pattern in excludes:
+            cmd.extend(["--exclude", pattern])
+    if dry_run:
+        cmd.append("--dry-run")
+    _run(cmd)
+def _sync(
+    src: Path | str, dst: str, dry_run: bool, excludes: list[str] | None = None
+) -> None:
+    cmd = ["rclone", "sync", str(src), dst, "-v"]
+    if excludes:
+        for pattern in excludes:
+            cmd.extend(["--exclude", pattern])
+    if dry_run:
+        cmd.append("--dry-run")
+    _run(cmd)
+def _snapshot_and_copy(
+    src_dir: Path,
+    dst: str,
+    dry_run: bool,
+    excludes: list[str] | None = None,
+) -> None:
+    """Snapshot a live directory locally, then rclone copy the snapshot.
+    Eliminates 'source file is being updated' race conditions when the
+    source has files mutated continuously (e.g. zellij session cache).
+    """
+    if dry_run:
+        _copy(src_dir, dst, dry_run, excludes=excludes)
+        return
+    snapshot_root = Path(tempfile.mkdtemp(prefix=f"ws-snap-{src_dir.name}-"))
+    snapshot_dir = snapshot_root / src_dir.name
+    try:
+        shutil.copytree(
+            src_dir,
+            snapshot_dir,
+            symlinks=False,
+            ignore_dangling_symlinks=True,
+            copy_function=shutil.copy2,
+        )
+        _copy(snapshot_dir, dst, dry_run, excludes=excludes)
+    finally:
+        shutil.rmtree(snapshot_root, ignore_errors=True)
+def _load_workspace_config(path: Path) -> dict:
+    if not path.exists():
+        click.echo(f"[ERRO] config.yaml nao encontrado: {path}", err=True)
+        sys.exit(1)
+    return yaml.safe_load(path.read_text()) or {}
+@click.group(name="ws")
+def ws_group():
+    """Workspace sync utilities."""
+@ws_group.command(name="push")
+@click.option("--remote", default=DEFAULT_REMOTE, show_default=True)
+@click.option("--dry-run", is_flag=True, default=False)
+def push_cmd(remote: str, dry_run: bool) -> None:
+    """Sync local workspace configs to Google Drive."""
+    _require_rclone()
+    home = Path.home()
+    alacritty_dir = home / ".config" / "alacritty"
+    workspace_config = home / "bin" / "config.yaml"
+    ssh_dir = home / ".ssh"
+    click.echo("Starting workspace sync to Google Drive...")
+    zellij_dir = home / ".config" / "zellij"
+    zellij_cache = home / ".cache" / "zellij"
+    click.echo("[1/8] Syncing zellij config...")
+    if zellij_dir.exists():
+        _sync(zellij_dir, f"{remote}/zellij/config", dry_run)
+    click.echo("[2/8] Syncing zellij session data (snapshot, no scrollback)...")
+    if zellij_cache.exists():
+        _snapshot_and_copy(
+            zellij_cache,
+            f"{remote}/zellij/cache",
+            dry_run,
+            excludes=ZELLIJ_CACHE_EXCLUDES,
+        )
+    click.echo("[3/8] Syncing alacritty config...")
+    if alacritty_dir.exists():
+        _sync(alacritty_dir, f"{remote}/alacritty", dry_run)
+    click.echo("[4/8] Syncing shell configs...")
+    if (home / ".zshrc").exists():
+        _copy(home / ".zshrc", f"{remote}/shell", dry_run)
+    if (home / ".bashrc").exists():
+        _copy(home / ".bashrc", f"{remote}/shell", dry_run)
+    click.echo("[5/8] Syncing ~/bin scripts...")
+    _sync(home / "bin", f"{remote}/bin", dry_run, excludes=BIN_EXCLUDES)
+    click.echo("[6/8] Syncing ~/.ssh ...")
+    if ssh_dir.exists():
+        _sync(ssh_dir, f"{remote}/ssh", dry_run, excludes=SSH_EXCLUDES)
+    click.echo("[7/13] Syncing workspace config.yaml...")
+    if workspace_config.exists():
+        _copyto(workspace_config, f"{remote}/config.yaml", dry_run)
+    click.echo("[8/13] Syncing crontab...")
+    with tempfile.NamedTemporaryFile(prefix="crontab_backup_", delete=False) as tmp:
+        tmp_path = Path(tmp.name)
+    try:
+        result = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
+        tmp_path.write_text(
+            result.stdout if result.returncode == 0 else "# Empty crontab\n"
+        )
+        _copyto(tmp_path, f"{remote}/crontab/crontab", dry_run)
+    finally:
+        tmp_path.unlink(missing_ok=True)
+    click.echo("[9/13] Syncing rclone config...")
+    rclone_conf = home / ".config" / "rclone" / "rclone.conf"
+    if rclone_conf.exists():
+        _copy(rclone_conf, f"{remote}/rclone", dry_run)
+    click.echo("[10/13] Syncing mise config...")
+    mise_conf = home / ".config" / "mise" / "config.toml"
+    if mise_conf.exists():
+        _copy(mise_conf, f"{remote}/mise", dry_run)
+    click.echo("[11/13] Syncing /usr/local/bin user binaries...")
+    local_bin_snapshot = (
+        home / ".local" / "state" / "workspace-snapshot" / "user-local-bin"
+    )
+    if not dry_run:
+        local_bin_snapshot.mkdir(parents=True, exist_ok=True)
+        uid = os.getuid()
+        usr_local_bin = Path("/usr/local/bin")
+        if usr_local_bin.exists():
+            for f in usr_local_bin.iterdir():
+                try:
+                    st = f.stat()
+                except (OSError, PermissionError):
+                    continue
+                if st.st_uid == uid and not f.is_symlink() and f.is_file():
+                    try:
+                        shutil.copy2(f, local_bin_snapshot / f.name)
+                    except (OSError, PermissionError):
+                        pass
+    _sync(local_bin_snapshot, f"{remote}/usr-local-bin", dry_run)
+    click.echo("[12/13] Syncing system snapshots (apt/snap/mise)...")
+    snap_dir = home / ".local" / "state" / "workspace-snapshot"
+    if not dry_run:
+        snap_dir.mkdir(parents=True, exist_ok=True)
+        _write_snapshot(
+            snap_dir / "apt-manual.txt", ["apt-mark", "showmanual"]
+        )
+        _write_snapshot(snap_dir / "snaps.txt", ["snap", "list", "--all"])
+        if shutil.which("mise"):
+            _write_snapshot(snap_dir / "mise-list.txt", ["mise", "list"])
+        _write_snapshot(
+            snap_dir / "dpkg-selections.txt", ["dpkg", "--get-selections"]
+        )
+    for fname in (
+        "apt-manual.txt",
+        "snaps.txt",
+        "mise-list.txt",
+        "dpkg-selections.txt",
+    ):
+        fpath = snap_dir / fname
+        if fpath.exists():
+            _copy(fpath, f"{remote}/snapshots", dry_run)
+    click.echo("[13/13] Syncing ~/.local/bin (zellij, trivy, dc, devopscli, etc)...")
+    local_bin = home / ".local" / "bin"
+    if local_bin.exists():
+        _sync(local_bin, f"{remote}/local-bin", dry_run, excludes=LOCAL_BIN_EXCLUDES)
+    click.echo("")
+    click.echo("=== Workspace push completed! ===")
+    click.echo(f"Remote: {remote}")
+@ws_group.command(name="pull")
+@click.option("--remote", default=DEFAULT_REMOTE, show_default=True)
+@click.option("--dry-run", is_flag=True, default=False)
+def pull_cmd(remote: str, dry_run: bool) -> None:
+    """Pull workspace configs from Google Drive."""
+    _require_rclone()
+    home = Path.home()
+    alacritty_dir = home / ".config" / "alacritty"
+    workspace_dir = home / "bin"
+    ssh_dir = home / ".ssh"
+    zellij_dir = home / ".config" / "zellij"
+    zellij_cache = home / ".cache" / "zellij"
+    click.echo("Starting workspace pull from Google Drive...")
+    click.echo("[1/13] Pulling zellij config...")
+    zellij_dir.mkdir(parents=True, exist_ok=True)
+    _sync(f"{remote}/zellij/config", str(zellij_dir), dry_run)
+    click.echo("[2/13] Pulling zellij session data...")
+    zellij_cache.mkdir(parents=True, exist_ok=True)
+    _copy(f"{remote}/zellij/cache", str(zellij_cache), dry_run)
+    click.echo("[3/13] Pulling alacritty config...")
+    alacritty_dir.mkdir(parents=True, exist_ok=True)
+    _sync(f"{remote}/alacritty", str(alacritty_dir), dry_run)
+    click.echo("[4/13] Pulling shell configs...")
+    _copy(f"{remote}/shell/.zshrc", str(home), dry_run)
+    _copy(f"{remote}/shell/.bashrc", str(home), dry_run)
+    click.echo("[5/13] Pulling ~/bin scripts...")
+    (home / "bin").mkdir(parents=True, exist_ok=True)
+    _sync(f"{remote}/bin", str(home / "bin"), dry_run, excludes=BIN_EXCLUDES)
+    if not dry_run:
+        for path in (home / "bin").glob("*"):
+            if path.is_file():
+                path.chmod(0o755)
+        _ensure_devopscli(home)
+    click.echo("[6/13] Pulling ~/.ssh ...")
+    ssh_dir.mkdir(parents=True, exist_ok=True)
+    if not dry_run:
+        ssh_dir.chmod(0o700)
+    _sync(f"{remote}/ssh", str(ssh_dir), dry_run, excludes=SSH_EXCLUDES)
+    if not dry_run:
+        for path in ssh_dir.iterdir():
+            if path.is_file():
+                path.chmod(0o600)
+    click.echo("[7/13] Pulling workspace config.yaml...")
+    workspace_dir.mkdir(parents=True, exist_ok=True)
+    _copy(f"{remote}/config.yaml", str(workspace_dir), dry_run)
+    click.echo("[8/13] Pulling crontab...")
+    crontab_target = Path("/tmp/crontab")
+    _copyto(f"{remote}/crontab/crontab", str(crontab_target), dry_run, check=False)
+    if not dry_run and crontab_target.exists():
+        subprocess.run(["crontab", str(crontab_target)])
+        crontab_target.unlink(missing_ok=True)
+    click.echo("[9/13] Pulling rclone config...")
+    rclone_dir = home / ".config" / "rclone"
+    if not dry_run:
+        rclone_dir.mkdir(parents=True, exist_ok=True)
+    _copy(f"{remote}/rclone", str(rclone_dir), dry_run)
+    if not dry_run:
+        rclone_conf = rclone_dir / "rclone.conf"
+        if rclone_conf.exists():
+            rclone_conf.chmod(0o600)
+    click.echo("[10/13] Pulling mise config...")
+    mise_dir = home / ".config" / "mise"
+    if not dry_run:
+        mise_dir.mkdir(parents=True, exist_ok=True)
+    _copy(f"{remote}/mise", str(mise_dir), dry_run)
+    click.echo("[11/13] Pulling /usr/local/bin user binaries (snapshot)...")
+    local_bin_snapshot = (
+        home / ".local" / "state" / "workspace-snapshot" / "user-local-bin"
+    )
+    if not dry_run:
+        local_bin_snapshot.mkdir(parents=True, exist_ok=True)
+    _sync(f"{remote}/usr-local-bin", str(local_bin_snapshot), dry_run)
+    if not dry_run:
+        for path in local_bin_snapshot.iterdir():
+            if path.is_file():
+                path.chmod(0o755)
+        click.echo(
+            f"  → snapshot em {local_bin_snapshot}. "
+            "Use 'sudo cp ~/.local/state/workspace-snapshot/user-local-bin/* "
+            "/usr/local/bin/' para instalar."
+        )
+    click.echo("[12/13] Pulling system snapshots...")
+    snap_dir = home / ".local" / "state" / "workspace-snapshot"
+    if not dry_run:
+        snap_dir.mkdir(parents=True, exist_ok=True)
+    _copy(f"{remote}/snapshots", str(snap_dir), dry_run)
+    click.echo("[13/13] Pulling ~/.local/bin (zellij, trivy, etc)...")
+    local_bin = home / ".local" / "bin"
+    if not dry_run:
+        local_bin.mkdir(parents=True, exist_ok=True)
+    _sync(f"{remote}/local-bin", str(local_bin), dry_run, excludes=LOCAL_BIN_EXCLUDES)
+    if not dry_run:
+        for path in local_bin.iterdir():
+            if path.is_file():
+                path.chmod(0o755)
+    click.echo("")
+    click.echo("=== Workspace pull completed! ===")
+    click.echo(
+        "Note: Restart your shell or run 'source ~/.zshrc' to apply shell changes"
+    )
+    click.echo(
+        "Note: Use 'devopscli ws apply-snapshots' para instalar apt/snap/mise listados"
+    )
+def _git_crypt_unlocked(path: Path) -> bool:
+    """Return True if repo has git-crypt and is currently unlocked.
+    If repo has no git-crypt at all, returns True (nothing to check).
+    If git-crypt files exist but content is still encrypted, returns False
+    to avoid committing encrypted blobs as plaintext.
+    """
+    gitattrs = path / ".gitattributes"
+    if not gitattrs.exists():
+        return True
+    if "git-crypt" not in gitattrs.read_text(errors="ignore"):
+        return True
+    if not shutil.which("git-crypt"):
+        click.echo("[WARN] git-crypt nao instalado; pulando auto-commit por seguranca")
+        return False
+    result = subprocess.run(
+        ["git-crypt", "status", "-e"],
+        cwd=str(path),
+        capture_output=True,
+        text=True,
+    )
+    # When locked, encrypted files appear as binary. We check via dump command
+    # which only works when unlocked.
+    check = subprocess.run(
+        ["git", "-C", str(path), "config", "--get", "filter.git-crypt.smudge"],
+        capture_output=True,
+        text=True,
+    )
+    return check.returncode == 0 and bool(check.stdout.strip())
+def _write_snapshot(out_path: Path, cmd: list[str]) -> None:
+    """Run a command and write its stdout to out_path. Silent on failure."""
+    if not shutil.which(cmd[0]):
+        return
+    try:
+        result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
+        if result.returncode == 0:
+            out_path.write_text(result.stdout)
+    except (subprocess.SubprocessError, OSError):
+        pass
+def _notify_sync_issue(repo_name: str, summary: str) -> None:
+    """Send desktop notification when sync fails (cron-safe).
+    Sets DBUS_SESSION_BUS_ADDRESS and DISPLAY so notify-send works even when
+    called from cron (which has no desktop env by default). Silently swallows
+    any error.
+    """
+    if not shutil.which("notify-send"):
+        return
+    env = os.environ.copy()
+    uid = os.getuid()
+    env.setdefault("DBUS_SESSION_BUS_ADDRESS", f"unix:path=/run/user/{uid}/bus")
+    env.setdefault("DISPLAY", ":0")
+    env.setdefault("XDG_RUNTIME_DIR", f"/run/user/{uid}")
+    try:
+        subprocess.run(
+            [
+                "notify-send",
+                "--urgency=critical",
+                "--icon=dialog-warning",
+                "--app-name=devopscli ws",
+                f"[ws sync] {repo_name}: acao manual necessaria",
+                summary[:500],
+            ],
+            env=env,
+            check=False,
+            timeout=5,
+        )
+    except (subprocess.SubprocessError, OSError):
+        pass
+def _auto_commit(path: Path, message: str | None) -> bool:
+    """Stage all changes and create a commit. Returns True if a commit was made.
+    Retries once if pre-commit hooks auto-fix files (common with ruff/prettier/
+    end-of-file-fixer). The hook re-formats the file and aborts the commit
+    expecting the user to re-stage; we do that automatically.
+    """
+    status = subprocess.run(
+        ["git", "-C", str(path), "status", "--porcelain"],
+        capture_output=True,
+        text=True,
+    )
+    if not status.stdout.strip():
+        return False
+    if not _git_crypt_unlocked(path):
+        click.echo(f"[skip] {path.name}: git-crypt locked, nao commitando")
+        return False
+    msg = message or "chore(auto-sync): commit automatico do ws ai-sync"
+    for attempt in (1, 2):
+        subprocess.run(["git", "-C", str(path), "add", "-A"])
+        staged = subprocess.run(
+            ["git", "-C", str(path), "diff", "--cached", "--quiet"],
+        )
+        if staged.returncode == 0:
+            return False
+        result = subprocess.run(
+            ["git", "-C", str(path), "commit", "-m", msg],
+            capture_output=True,
+            text=True,
+        )
+        if result.returncode == 0:
+            label = "[commit]" if attempt == 1 else "[commit/retry]"
+            click.echo(f"{label} {path.name}: {msg}")
+            return True
+        output = (result.stdout + result.stderr).lower()
+        hook_autofix = "files were modified by this hook" in output
+        if attempt == 1 and hook_autofix:
+            click.echo(
+                f"[retry] {path.name}: hooks auto-corrigiram arquivos, re-staging"
+            )
+            continue
+        err_summary = result.stderr.strip()[:300] or result.stdout.strip()[:300]
+        click.echo(f"[WARN] commit falhou em {path}: {err_summary}")
+        _notify_sync_issue(path.name, err_summary)
+        return False
+    return False
+SYSTEMD_UNITS = {
+    "ws-push.service": """[Unit]
+Description=Workspace push to GDrive (configs/dotfiles)
+After=network-online.target
+Wants=network-online.target
+[Service]
+Type=oneshot
+ExecStart=%h/bin/devops-cli/devopscli ws push
+Nice=10
+""",
+    "ws-push.timer": """[Unit]
+Description=Run ws push every 30 minutes
+[Timer]
+OnBootSec=5min
+OnUnitActiveSec=30min
+Persistent=true
+[Install]
+WantedBy=timers.target
+""",
+    "ws-sync.service": """[Unit]
+Description=Workspace full sync (pull + git + push)
+After=network-online.target
+Wants=network-online.target
+[Service]
+Type=oneshot
+ExecStart=%h/bin/devops-cli/devopscli ws sync
+Nice=10
+""",
+    "ws-sync.timer": """[Unit]
+Description=Run ws sync hourly
+[Timer]
+OnBootSec=10min
+OnUnitActiveSec=1h
+Persistent=true
+[Install]
+WantedBy=timers.target
+""",
+}
+@ws_group.command(name="install-timers")
+@click.option(
+    "--remove-cron",
+    is_flag=True,
+    default=True,
+    help="Remove old devopscli ws lines from crontab (default: true)",
+)
+def install_timers_cmd(remove_cron: bool) -> None:
+    """Install systemd user timers replacing the cron jobs."""
+    home = Path.home()
+    units_dir = home / ".config" / "systemd" / "user"
+    units_dir.mkdir(parents=True, exist_ok=True)
+    click.echo(f"▶ Writing units to {units_dir}/...")
+    for name, content in SYSTEMD_UNITS.items():
+        (units_dir / name).write_text(content)
+        click.echo(f"  • {name}")
+    click.echo("\n▶ systemctl --user daemon-reload")
+    subprocess.run(["systemctl", "--user", "daemon-reload"], check=False)
+    click.echo("\n▶ Enabling timers...")
+    for timer in ("ws-push.timer", "ws-sync.timer"):
+        subprocess.run(
+            ["systemctl", "--user", "enable", "--now", timer], check=False
+        )
+        click.echo(f"  ✓ {timer}")
+    if remove_cron:
+        click.echo("\n▶ Removing old devopscli ws lines from crontab...")
+        result = subprocess.run(
+            ["crontab", "-l"], capture_output=True, text=True
+        )
+        if result.returncode == 0:
+            kept = []
+            removed = []
+            for line in result.stdout.splitlines():
+                if "devopscli ws" in line and not line.lstrip().startswith("#"):
+                    removed.append(line)
+                else:
+                    kept.append(line)
+            if removed:
+                click.echo(f"  Removendo {len(removed)} linhas:")
+                for line in removed:
+                    click.echo(f"    - {line[:80]}")
+                with tempfile.NamedTemporaryFile(
+                    mode="w", suffix=".cron", delete=False
+                ) as tmp:
+                    tmp.write("\n".join(kept) + "\n")
+                    tmp_path = tmp.name
+                subprocess.run(["crontab", tmp_path], check=False)
+                Path(tmp_path).unlink(missing_ok=True)
+            else:
+                click.echo("  Nenhuma linha 'devopscli ws' encontrada no crontab.")
+    click.echo("\n▶ Status atual:")
+    subprocess.run(
+        ["systemctl", "--user", "list-timers", "ws-push.timer", "ws-sync.timer"],
+        check=False,
+    )
+    click.echo("\n=== Timers instalados! ===")
+    click.echo("Logs: journalctl --user -u ws-sync.service -f")
+    click.echo("Status: systemctl --user status ws-sync.timer")
+@ws_group.command(name="uninstall-timers")
+def uninstall_timers_cmd() -> None:
+    """Disable and remove systemd user timers (does NOT restore old cron)."""
+    home = Path.home()
+    units_dir = home / ".config" / "systemd" / "user"
+    click.echo("▶ Stopping and disabling timers...")
+    for timer in ("ws-push.timer", "ws-sync.timer"):
+        subprocess.run(
+            ["systemctl", "--user", "disable", "--now", timer], check=False
+        )
+    click.echo("▶ Removing unit files...")
+    for name in SYSTEMD_UNITS:
+        (units_dir / name).unlink(missing_ok=True)
+    subprocess.run(["systemctl", "--user", "daemon-reload"], check=False)
+    click.echo("=== Timers removed. ===")
+@ws_group.command(name="doctor")
+@click.option(
+    "--config",
+    "config_path",
+    default=str(DEFAULT_CONFIG_PATH),
+    show_default=True,
+)
+@click.option("--remote", default=DEFAULT_REMOTE, show_default=True)
+@click.option(
+    "--skip-network",
+    is_flag=True,
+    help="Skip GDrive/network checks (offline mode)",
+)
+def doctor_cmd(config_path: str, remote: str, skip_network: bool) -> None:
+    """Full health check: deps, configs, timers, GDrive, repos, GPG."""
+    home = Path.home()
+    OK = click.style("✓", fg="green", bold=True)
+    WARN = click.style("⚠", fg="yellow", bold=True)
+    FAIL = click.style("✗", fg="red", bold=True)
+    DIM = lambda s: click.style(s, dim=True)
+    summary = {"ok": 0, "warn": 0, "fail": 0}
+    def status(level: str, msg: str, hint: str = "") -> None:
+        summary[level] += 1
+        mark = {"ok": OK, "warn": WARN, "fail": FAIL}[level]
+        click.echo(f"  {mark} {msg}")
+        if hint:
+            click.echo(f"     {DIM(hint)}")
+    def header(text: str) -> None:
+        click.echo()
+        click.echo(click.style(f"▶ {text}", fg="cyan", bold=True))
+        click.echo(click.style("─" * 60, dim=True))
+    # ─── Dependências obrigatórias ─────────────────────────────────
+    header("Dependências obrigatórias")
+    required_deps = {
+        "git": "git --version",
+        "rclone": "rclone --version",
+        "python3": "python3 --version",
+        "make": "make --version",
+        "gpg": "gpg --version",
+        "git-crypt": "git-crypt --version",
+        "systemctl": "systemctl --version",
+    }
+    for cmd, ver_cmd in required_deps.items():
+        if shutil.which(cmd):
+            try:
+                result = subprocess.run(
+                    ver_cmd.split(), capture_output=True, text=True, timeout=3
+                )
+                version = result.stdout.splitlines()[0] if result.stdout else "?"
+                status("ok", f"{cmd:<15} {DIM(version[:50])}")
+            except (subprocess.SubprocessError, OSError):
+                status("ok", f"{cmd:<15} {DIM('instalado')}")
+        else:
+            status(
+                "fail",
+                f"{cmd:<15} NÃO instalado",
+                f"sudo apt install -y {cmd}",
+            )
+    # ─── Dependências opcionais ────────────────────────────────────
+    header("Dependências opcionais")
+    optional_deps = {
+        "mise": ("mise --version", "curl -fsSL https://mise.run | sh"),
+        "notify-send": ("notify-send --version", "sudo apt install -y libnotify-bin"),
+        "whiptail": ("whiptail --version", "sudo apt install -y whiptail"),
+        "jq": ("jq --version", "sudo apt install -y jq"),
+        "yq": ("yq --version", "sudo apt install -y yq"),
+        "curl": ("curl --version", "sudo apt install -y curl"),
+        "zellij": ("zellij --version", "ws-bootstrap.sh install_zellij"),
+        "alacritty": ("alacritty --version", "sudo apt install -y alacritty"),
+        "devopscli": ("devopscli --version", "make -C ~/bin/devops-cli setup"),
+    }
+    for cmd, (ver_cmd, hint) in optional_deps.items():
+        if shutil.which(cmd):
+            try:
+                result = subprocess.run(
+                    ver_cmd.split(), capture_output=True, text=True, timeout=3
+                )
+                version = (result.stdout + result.stderr).splitlines()
+                version = version[0] if version else "?"
+                status("ok", f"{cmd:<15} {DIM(version[:50])}")
+            except (subprocess.SubprocessError, OSError):
+                status("ok", f"{cmd:<15} {DIM('instalado')}")
+        else:
+            status("warn", f"{cmd:<15} ausente", hint)
+    # ─── Python deps ───────────────────────────────────────────────
+    header("Python deps")
+    for module in ("yaml", "click"):
+        try:
+            __import__(module)
+            status("ok", f"python3 -m {module:<10} {DIM('importável')}")
+        except ImportError:
+            status(
+                "fail",
+                f"python3 -m {module:<10} NÃO importável",
+                f"pip install {module}" if module != "yaml" else "pip install pyyaml",
+            )
+    # ─── Schedule (systemd vs cron) ─────────────────────────────────
+    header("Schedule")
+    timers_active = False
+    for unit in ("ws-push.timer", "ws-sync.timer"):
+        active = subprocess.run(
+            ["systemctl", "--user", "is-active", unit],
+            capture_output=True, text=True,
+        )
+        enabled = subprocess.run(
+            ["systemctl", "--user", "is-enabled", unit],
+            capture_output=True, text=True,
+        )
+        a = active.stdout.strip()
+        e = enabled.stdout.strip()
+        if a == "active":
+            status("ok", f"{unit:<20} {DIM(f'(active, {e})')}")
+            timers_active = True
+        else:
+            status(
+                "fail",
+                f"{unit:<20} ({a}, {e})",
+                "rode: devopscli ws install-timers",
+            )
+    if timers_active:
+        timers = subprocess.run(
+            ["systemctl", "--user", "list-timers", "ws-*.timer", "--no-pager"],
+            capture_output=True, text=True,
+        )
+        for line in timers.stdout.splitlines()[1:3]:
+            if line.strip() and "ws-" in line:
+                click.echo(f"     {DIM(line.strip())}")
+    # Crontab leftovers
+    cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
+    active_cron_lines = [
+        line for line in cron.stdout.splitlines()
+        if "devopscli ws" in line and not line.lstrip().startswith("#")
+    ]
+    if active_cron_lines:
+        status(
+            "warn",
+            f"crontab tem {len(active_cron_lines)} linha(s) devopscli ativa(s)",
+            "rode: devopscli ws install-timers --remove-cron",
+        )
+        for line in active_cron_lines:
+            click.echo(f"     {DIM(line[:80])}")
+    else:
+        status("ok", "crontab sem linhas devopscli ativas")
+    # ─── Last sync result ───────────────────────────────────────────
+    header("Última execução do sync")
+    journal = subprocess.run(
+        ["journalctl", "--user", "-u", "ws-sync.service",
+         "--since", "24 hours ago", "-o", "short-iso", "--no-pager"],
+        capture_output=True, text=True,
+    )
+    if not journal.stdout.strip():
+        click.echo(f"  {DIM('sem logs nas últimas 24h')}")
+    else:
+        lines = journal.stdout.splitlines()
+        last_started = None
+        last_finished = None
+        had_error = False
+        for line in lines:
+            if "Started ws-sync.service" in line:
+                last_started = line.split()[0] if line.split() else None
+            elif "Finished ws-sync.service" in line:
+                last_finished = line.split()[0] if line.split() else None
+            elif "[WARN]" in line or "ERROR" in line:
+                had_error = True
+        if last_finished:
+            if had_error:
+                status(
+                    "warn",
+                    f"última execução: {last_finished}",
+                    "warning/error nos logs — journalctl --user -u ws-sync.service",
+                )
+            else:
+                status("ok", f"última execução: {last_finished}")
+        elif last_started:
+            status("warn", f"ainda rodando? última started: {last_started}")
+        else:
+            click.echo(f"  {DIM('sem execuções completas detectadas')}")
+    # ─── GDrive ─────────────────────────────────────────────────────
+    header("GDrive (rclone)")
+    if skip_network:
+        click.echo(f"  {DIM('pulado (--skip-network)')}")
+    elif not shutil.which("rclone"):
+        status("fail", "rclone não instalado", "sudo apt install -y rclone")
+    else:
+        remotes = subprocess.run(
+            ["rclone", "listremotes"], capture_output=True, text=True
+        )
+        rclone_remote = remote.split(":")[0] + ":"
+        if rclone_remote not in remotes.stdout:
+            status(
+                "fail",
+                f"remote {rclone_remote} não configurado",
+                "rode: rclone config",
+            )
+        else:
+            status("ok", f"remote configurado: {rclone_remote}")
+            try:
+                ls = subprocess.run(
+                    ["rclone", "lsf", remote, "--max-depth", "1"],
+                    capture_output=True, text=True, timeout=30,
+                )
+                if ls.returncode == 0:
+                    count = len([l for l in ls.stdout.splitlines() if l.strip()])
+                    status("ok", f"acessível ({count} entradas em {remote}/)")
+                else:
+                    status(
+                        "fail",
+                        f"erro ao listar: {ls.stderr.strip()[:80]}",
+                    )
+            except subprocess.TimeoutExpired:
+                status(
+                    "warn",
+                    f"timeout (>30s) listando {remote}",
+                    "verifique conexão com Google Drive",
+                )
+    # ─── GPG ──────────────────────────────────────────────────────
+    header("GPG")
+    # Secret key local
+    if shutil.which("gpg"):
+        result = subprocess.run(
+            ["gpg", "--list-secret-keys", "--with-colons"],
+            capture_output=True, text=True,
+        )
+        key_count = sum(1 for line in result.stdout.splitlines() if line.startswith("sec:"))
+        if key_count > 0:
+            status("ok", f"GPG secret keys importadas: {key_count}")
+        else:
+            status(
+                "warn",
+                "Nenhuma GPG secret key importada",
+                "rode: devopscli ws gpg-restore",
+            )
+    # Backup no GDrive
+    if not skip_network and shutil.which("rclone"):
+        try:
+            gpg_check = subprocess.run(
+                ["rclone", "lsf", f"{remote}/gpg/", "--max-depth", "1"],
+                capture_output=True, text=True, timeout=30,
+            )
+            if gpg_check.returncode == 0 and "gpg-backup.gpg" in gpg_check.stdout:
+                status("ok", f"gpg-backup.gpg existe em {remote}/gpg/")
+            else:
+                status(
+                    "fail",
+                    f"gpg-backup.gpg NÃO encontrado em {remote}/gpg/",
+                    "devopscli ws gpg-backup (CRÍTICO para migração)",
+                )
+        except subprocess.TimeoutExpired:
+            status("warn", f"timeout checando {remote}/gpg/")
+    # ─── Git-crypt no workspace-personal ───────────────────────────
+    header("git-crypt (workspace-personal)")
+    wp = home / "workspace-personal"
+    if not (wp / ".git").exists():
+        status("warn", "workspace-personal não clonado")
+    elif not shutil.which("git-crypt"):
+        status("fail", "git-crypt não instalado", "sudo apt install -y git-crypt")
+    else:
+        result = subprocess.run(
+            ["git-crypt", "status", "-e"],
+            cwd=str(wp), capture_output=True, text=True,
+        )
+        # check filter setup
+        check = subprocess.run(
+            ["git", "-C", str(wp), "config", "--get", "filter.git-crypt.smudge"],
+            capture_output=True, text=True,
+        )
+        if check.returncode == 0 and check.stdout.strip():
+            # Check if .env is actually decrypted (binary check)
+            env_file = wp / ".env"
+            if env_file.exists():
+                first_bytes = env_file.read_bytes()[:10]
+                if first_bytes.startswith(b"\x00GITCRYPT"):
+                    status(
+                        "fail",
+                        "git-crypt LOCKED (.env ainda criptografado)",
+                        "cd ~/workspace-personal && git-crypt unlock",
+                    )
+                else:
+                    status("ok", "git-crypt unlocked (.env legível)")
+            else:
+                status("warn", ".env não existe no workspace-personal")
+        else:
+            status(
+                "fail",
+                "git-crypt filter não configurado",
+                "cd ~/workspace-personal && git-crypt unlock",
+            )
+    # ─── Repos sync ────────────────────────────────────────────────
+    header("Git repos sincronizados")
+    try:
+        cfg = _load_workspace_config(Path(config_path).expanduser())
+    except SystemExit:
+        cfg = {}
+    all_repos = (cfg.get("ai_workspaces") or []) + (cfg.get("repos_sync") or [])
+    if not all_repos:
+        click.echo(f"  {DIM('nenhum repo configurado')}")
+    else:
+        for r in all_repos:
+            name = r.get("name", "?")
+            path = Path(str(r.get("path", ""))).expanduser()
+            branch = r.get("branch", "main")
+            if not (path / ".git").exists():
+                status(
+                    "warn",
+                    f"{name:<32} NÃO clonado",
+                    f"git clone {r.get('clone_url', '?')} {path}",
+                )
+                continue
+            git_status = subprocess.run(
+                ["git", "-C", str(path), "status", "--porcelain"],
+                capture_output=True, text=True,
+            )
+            pending = len([l for l in git_status.stdout.splitlines() if l.strip()])
+            ab = subprocess.run(
+                ["git", "-C", str(path), "rev-list", "--left-right", "--count",
+                 f"origin/{branch}...HEAD"],
+                capture_output=True, text=True,
+            )
+            ab_parts = ab.stdout.strip().split() if ab.returncode == 0 else ["?", "?"]
+            behind, ahead = (ab_parts + ["?", "?"])[:2]
+            if pending == 0 and behind == "0" and ahead == "0":
+                status("ok", f"{name:<32} {DIM(f'clean (branch: {branch})')}")
+            else:
+                marks = []
+                if pending: marks.append(f"{pending} mod")
+                if behind != "0": marks.append(f"{behind} behind")
+                if ahead != "0": marks.append(f"{ahead} ahead")
+                status("warn", f"{name:<32} ({', '.join(marks)})")
+    # ─── Configs críticos locais ────────────────────────────────────
+    header("Configs críticos locais")
+    checks = [
+        (home / ".config" / "rclone" / "rclone.conf", "rclone config", True),
+        (home / ".config" / "mise" / "config.toml", "mise config", False),
+        (home / ".zshrc", ".zshrc", True),
+        (home / ".bashrc", ".bashrc", False),
+        (home / ".ssh" / "id_ed25519", "SSH key (id_ed25519)", True),
+        (home / "bin" / "config.yaml", "workspace config.yaml", True),
+        (home / ".config" / "alacritty" / "alacritty.toml", "alacritty.toml", False),
+        (home / ".config" / "zellij" / "config.kdl", "zellij config.kdl", False),
+        (home / ".gnupg", "GPG home (.gnupg)", True),
+    ]
+    for path, label, critical in checks:
+        if path.exists():
+            status("ok", f"{label:<25} {DIM(str(path))}")
+        else:
+            level = "fail" if critical else "warn"
+            status(level, f"{label:<25} ausente em {path}")
+    # ─── Summary ───────────────────────────────────────────────────
+    click.echo()
+    click.echo(click.style("─" * 60, dim=True))
+    total = summary["ok"] + summary["warn"] + summary["fail"]
+    ok_s = click.style(f"{summary['ok']} OK", fg="green", bold=True)
+    warn_s = click.style(f"{summary['warn']} warn", fg="yellow", bold=True)
+    fail_s = click.style(f"{summary['fail']} fail", fg="red", bold=True)
+    click.echo(f"  Total: {total}  |  {ok_s}  |  {warn_s}  |  {fail_s}")
+    if summary["fail"] > 0:
+        click.echo(click.style("\n  ✗ Setup tem problemas críticos. Veja itens com ✗ acima.", fg="red"))
+        sys.exit(1)
+    elif summary["warn"] > 0:
+        click.echo(click.style("\n  ⚠ Setup funcional com avisos. Veja itens com ⚠ acima.", fg="yellow"))
+    else:
+        click.echo(click.style("\n  ✓ Setup 100% saudável!", fg="green", bold=True))
+    click.echo()
+@ws_group.command(name="sync")
+@click.option("--remote", default=DEFAULT_REMOTE, show_default=True)
+@click.option(
+    "--config",
+    "config_path",
+    default=str(DEFAULT_CONFIG_PATH),
+    show_default=True,
+)
+@click.option("--skip-pull", is_flag=True, help="Skip the initial GDrive pull step")
+@click.option("--skip-push", is_flag=True, help="Skip the final GDrive push step")
+def sync_cmd(remote: str, config_path: str, skip_pull: bool, skip_push: bool) -> None:
+    """Full bidirectional sync: pull → git-sync → push.
+    Ordem segura: pull traz mudancas do remoto, git-sync resolve repos,
+    push envia estado local. Idempotente — pode rodar a qualquer momento.
+    """
+    click.echo("╔═══════════════════════════════════════════════════════╗")
+    click.echo("║  ws sync — bidirectional workspace sync               ║")
+    click.echo("╚═══════════════════════════════════════════════════════╝")
+    if not skip_pull:
+        click.echo("\n▶ Stage 1/4: pulling configs from GDrive...")
+        ctx = click.get_current_context()
+        ctx.invoke(pull_cmd, remote=remote, dry_run=False)
+    else:
+        click.echo("\n⊘ Stage 1/4: pull skipped (--skip-pull)")
+    config = _load_workspace_config(Path(config_path).expanduser())
+    click.echo("\n▶ Stage 2/4: syncing ai_workspaces (git pull/commit/push)...")
+    _sync_repo_list(config.get("ai_workspaces", []), "ai_workspaces")
+    click.echo("\n▶ Stage 3/4: syncing repos_sync (git pull/commit/push)...")
+    _sync_repo_list(config.get("repos_sync", []), "repos_sync")
+    if not skip_push:
+        click.echo("\n▶ Stage 4/4: pushing configs to GDrive...")
+        ctx = click.get_current_context()
+        ctx.invoke(push_cmd, remote=remote, dry_run=False)
+    else:
+        click.echo("\n⊘ Stage 4/4: push skipped (--skip-push)")
+    click.echo("\n╔═══════════════════════════════════════════════════════╗")
+    click.echo("║  ws sync completed                                    ║")
+    click.echo("╚═══════════════════════════════════════════════════════╝")
+@ws_group.command(name="gpg-backup")
+@click.option("--remote", default=DEFAULT_REMOTE, show_default=True)
+@click.option("--key-id", default=None, help="GPG key ID (default: first secret key)")
+def gpg_backup_cmd(remote: str, key_id: str | None) -> None:
+    """Export GPG secret key, encrypt with passphrase, send to GDrive."""
+    _require_rclone()
+    if not shutil.which("gpg"):
+        click.echo("[ERRO] gpg nao encontrado no PATH.", err=True)
+        sys.exit(1)
+    if not key_id:
+        result = subprocess.run(
+            ["gpg", "--list-secret-keys", "--with-colons"],
+            capture_output=True,
+            text=True,
+        )
+        for line in result.stdout.splitlines():
+            if line.startswith("fpr:"):
+                key_id = line.split(":")[9]
+                break
+        if not key_id:
+            click.echo("[ERRO] Nenhuma chave secreta GPG encontrada.", err=True)
+            sys.exit(1)
+        click.echo(f"[INFO] Usando key fingerprint: {key_id}")
+    with tempfile.TemporaryDirectory(prefix="gpg-backup-") as tmpdir:
+        plain = Path(tmpdir) / "gpg-secret.asc"
+        encrypted = Path(tmpdir) / "gpg-backup.gpg"
+        click.echo(f"[1/3] Exportando secret key {key_id}...")
+        result = subprocess.run(
+            ["gpg", "--armor", "--export-secret-keys", key_id],
+            capture_output=True,
+            text=True,
+        )
+        if result.returncode != 0:
+            click.echo(f"[ERRO] gpg export falhou: {result.stderr}", err=True)
+            sys.exit(1)
+        plain.write_text(result.stdout)
+        click.echo("[2/3] Criptografando com passphrase (digite quando solicitado)...")
+        result = subprocess.run(
+            [
+                "gpg",
+                "--symmetric",
+                "--cipher-algo",
+                "AES256",
+                "--output",
+                str(encrypted),
+                str(plain),
+            ]
+        )
+        plain.unlink(missing_ok=True)
+        if result.returncode != 0 or not encrypted.exists():
+            click.echo("[ERRO] gpg symmetric encrypt falhou.", err=True)
+            sys.exit(1)
+        click.echo(f"[3/3] Enviando para {remote}/gpg/...")
+        _copyto(encrypted, f"{remote}/gpg/gpg-backup.gpg", dry_run=False)
+    click.echo("")
+    click.echo("=== GPG backup completed! ===")
+    click.echo(f"Restore com: devopscli ws gpg-restore --remote {remote}")
+@ws_group.command(name="gpg-restore")
+@click.option("--remote", default=DEFAULT_REMOTE, show_default=True)
+def gpg_restore_cmd(remote: str) -> None:
+    """Download encrypted GPG key from GDrive and import into local keyring."""
+    _require_rclone()
+    if not shutil.which("gpg"):
+        click.echo("[ERRO] gpg nao encontrado no PATH.", err=True)
+        sys.exit(1)
+    with tempfile.TemporaryDirectory(prefix="gpg-restore-") as tmpdir:
+        encrypted = Path(tmpdir) / "gpg-backup.gpg"
+        decrypted = Path(tmpdir) / "gpg-secret.asc"
+        click.echo(f"[1/3] Baixando de {remote}/gpg/...")
+        _copyto(f"{remote}/gpg/gpg-backup.gpg", str(encrypted), dry_run=False)
+        if not encrypted.exists():
+            click.echo("[ERRO] gpg-backup.gpg nao encontrado no remote.", err=True)
+            sys.exit(1)
+        click.echo("[2/3] Descriptografando (digite a passphrase)...")
+        result = subprocess.run(
+            ["gpg", "--decrypt", "--output", str(decrypted), str(encrypted)]
+        )
+        if result.returncode != 0 or not decrypted.exists():
+            click.echo("[ERRO] gpg decrypt falhou (passphrase errada?).", err=True)
+            sys.exit(1)
+        click.echo("[3/3] Importando no keyring local...")
+        result = subprocess.run(["gpg", "--import", str(decrypted)])
+        if result.returncode != 0:
+            click.echo("[ERRO] gpg import falhou.", err=True)
+            sys.exit(1)
+    click.echo("")
+    click.echo("=== GPG restore completed! ===")
+    click.echo(
+        "Note: para git-crypt unlock no workspace-personal: "
+        "cd ~/workspace-personal && git-crypt unlock"
+    )
+def _sync_repo_list(items: list[dict], label: str) -> None:
+    if not items:
+        click.echo(f"[INFO] Nenhum {label} definido no config.yaml")
+        return
+    for item in items:
+        name = item.get("name") or "(sem nome)"
+        path = Path(str(item.get("path", ""))).expanduser()
+        remote = item.get("remote", "origin")
+        branch = item.get("branch", "main")
+        auto_commit = item.get("auto_commit", False)
+        commit_message = item.get("commit_message")
+        if not path.exists() or not (path / ".git").exists():
+            click.echo(f"[skip] {name}: not a git repo at {path}")
+            continue
+        click.echo(f"[sync] {name} ({path})")
+        subprocess.run(["git", "-C", str(path), "fetch", remote, "--prune"])
+        if auto_commit:
+            _auto_commit(path, commit_message)
+        subprocess.run(["git", "-C", str(path), "pull", "--rebase", remote, branch])
+        subprocess.run(["git", "-C", str(path), "push", remote, branch])
+def _ensure_devopscli(home: Path) -> None:
+    devops_cli_dir = home / "bin" / "devops-cli"
+    if devops_cli_dir.exists():
+        subprocess.run(["git", "-C", str(devops_cli_dir), "pull", "--rebase"])
+    else:
+        clone = subprocess.run(["git", "clone", DEVOPSCLI_GIT_URL, str(devops_cli_dir)])
+        if clone.returncode != 0:
+            click.echo("[WARN] clone SSH falhou, tentando HTTPS...")
+            subprocess.run(
+                ["git", "clone", DEVOPSCLI_GIT_URL_HTTPS, str(devops_cli_dir)]
+            )
+    if devops_cli_dir.exists():
+        subprocess.run(["make", "-C", str(devops_cli_dir), "setup"])
+@ws_group.command(name="ai-sync")
+@click.option(
+    "--config",
+    "config_path",
+    default=str(DEFAULT_CONFIG_PATH),
+    show_default=True,
+    help="Path to workspace config.yaml",
+)
+def ai_sync_cmd(config_path: str) -> None:
+    """Sync AI workspaces listed in config.yaml."""
+    config = _load_workspace_config(Path(config_path).expanduser())
+    _sync_repo_list(config.get("ai_workspaces", []), "ai_workspaces")
+@ws_group.command(name="repos-sync")
+@click.option(
+    "--config",
+    "config_path",
+    default=str(DEFAULT_CONFIG_PATH),
+    show_default=True,
+    help="Path to workspace config.yaml",
+)
+def repos_sync_cmd(config_path: str) -> None:
+    """Sync repositories listed in config.yaml."""
+    config = _load_workspace_config(Path(config_path).expanduser())
+    _sync_repo_list(config.get("repos_sync", []), "repos_sync")