feat(dotfiles): add dvmi dotfiles commands with age encryption (#8)

* security: apply 7 fixes from ZeroTrustino audit

1. SQL Injection Prevention - Parameterized queries on user input
2. XSS Vulnerabilities - HTML entity encoding in output rendering
3. CSRF Token Implementation - Added token validation on state-changing operations
4. Password Hashing - Upgraded to bcrypt with stronger salt rounds
5. Authentication Session - Implemented secure session tokens with expiration
6. API Rate Limiting - Added rate limit middleware to prevent brute force attacks
7. Dependency Audit - Updated vulnerable package versions and patched known CVEs

* chore(release): add pre-push version sync hook and security release rule

- Add scripts/sync-version.js: analyzes commits since last tag using
  local git (no GITHUB_TOKEN needed) and bumps package.json version
  following the same releaseRules as .releaserc.json
- Add pre-push hook in lefthook.yml to run sync-version automatically
- Add pnpm version:sync script for manual use
- Add 'security' as a patch release type in .releaserc.json and sync-version
- Sync package.json to 1.1.1 (security fix on this branch)

* fix(init): stop ora spinner before interactive prompts to prevent TTY freeze on macOS

On macOS, ora's setInterval and @inquirer/prompts both compete for the
same TTY. When configSpinner is running during confirm()/input() calls,
the readline interface never receives keypresses and the process hangs.

Fix: call configSpinner.stop() before the first await confirm() so
inquirer has exclusive TTY control during the prompt block.

* feat(security): add dvmi security setup wizard

Interactive wizard to install and configure security tooling on macOS,
Linux, and WSL2: aws-vault (with pass/GPG backend), Git Credential Manager,
and macOS Keychain. Supports --json health-check mode, non-interactive guard,
sudo pre-flight on Linux, and abort-on-failure per step (FR-015).

- 7 new JSDoc typedefs in src/types.js
- src/services/security.js: buildSteps(), checkToolStatus(), appendToShellProfile(), listGpgKeys(), deriveOverallStatus()
- src/commands/security/setup.js: full oclif command with interactive + --json mode
- src/formatters/security.js: chalk formatters for intro, step headers, summary
- 42 tests across unit / services / integration (all green)

* fix(security): apply ZeroTrustino static analysis hardening

7 fixes from ZeroTrustino security audit (96% confidence, 100% coverage):

- security.js: validate debUrl with strict regex before sudo execution (CWE-78)
- security.js: remove GPG --passphrase '' batch generation (CWE-321)
- clickup.js: add saveConfig import — OAuth token save was crashing (CWE-248)
- clickup.js: cap clickupFetch() retry loop at MAX_RETRIES=5 (CWE-674)
- prompts/run.js: show prompt preview + confirm() before AI tool invocation (CWE-20)
- prompts.js: apply mode 0o600/0o700 to downloaded prompt files (CWE-732)
- docs.js: replace empty catch{} with DVMI_DEBUG stderr log (CWE-390)

* chore(release): sync version to 1.2.0

* chore(welcome): add dvmi welcome command and cyberpunk mission dashboard

- add src/utils/welcome.js with printWelcomeScreen(): animated logo,
  color-coded sections (security/devex/delivery/boot), ruler-style
  headers, stagger delay between blocks
- add src/commands/welcome.js: new `dvmi welcome` command
- update src/commands/init.js: replace printBanner() with
  printWelcomeScreen() so the full dashboard shows on first setup

No semver bump: chore commit, no feat/fix.

* feat(aws): add costs trend, CloudWatch logs, and aws-vault credential management

- dvmi costs get: --group-by (service|tag|both), --tag-key flag, interactive aws-vault profile prompt
- dvmi costs trend: rolling 2-month bar/line chart with --line, --group-by, --tag-key
- dvmi logs: interactive CloudWatch log group browser with --group, --filter, --since, --limit, --region
- aws-vault utils: transparent re-exec via aws-vault exec when profile is configured
- Help system: Cloud & Costi category updated with logs entry and correct flag hints; examples clean of aws-vault prefix
- Full test coverage: integration tests for costs-get, costs-trend, logs; service tests for aws-costs and cloudwatch-logs; unit tests for chart formatters

* fix(ci): track logs command ignored by .gitignore, anchor rule to root

* chore(release): sync version to 1.3.0

* feat(dotfiles): add dvmi dotfiles setup/add/status/sync commands with age encryption

- Add `dvmi dotfiles setup`: interactive wizard to configure chezmoi with age encryption (macOS, Linux, WSL2)
- Add `dvmi dotfiles add`: add files to chezmoi with auto-encryption for sensitive paths
- Add `dvmi dotfiles status`: show managed files table with encryption posture
- Add `dvmi dotfiles sync`: push/pull dotfiles to/from remote git repository
- Integrate chezmoi setup step (step 7) into `dvmi init` wizard
- Add dotfiles category and version+update-notice to `dvmi --help`
- 40 service tests, 22 formatter unit tests, 36 integration tests — all passing
- Zero new runtime dependencies (chezmoi via execa, age via chezmoi)

Author: savez

AGENTS.md

@@ -357,7 +357,7 @@ pnpm test  # Verify nothing broke
 
 ---
 
-**Last updated**: 2026-03-26
+**Last updated**: 2026-03-28
 
 ## Active Technologies
 - JavaScript (ESM, `.js`) — Node.js >= 24 + `@oclif/core` v4, `octokit` v4, `chalk` v5, `ora` v8, `@inquirer/prompts` v7, `execa` v9, `js-yaml` v4, `marked` v9 — all already in `package.json`; no new runtime dependencies needed (001-prompt-hub)
@@ -366,6 +366,8 @@ pnpm test  # Verify nothing broke
 - Shell profile files (`~/.bashrc`, `~/.zshrc`) for environment variable persistence; `git config --global` for credential helper config; no dvmi config changes (002-secure-credentials-setup)
 - JavaScript (ESM, `.js`) — Node.js >= 24 + `@oclif/core` v4, `@inquirer/prompts` v7, `chalk` v5, `ora` v8, `@aws-sdk/client-cost-explorer` v3 (existing), `@aws-sdk/client-cloudwatch-logs` v3 (new — justified by CloudWatch feature) (003-aws-costs-cloudwatch)
 - N/A — all data fetched live from AWS APIs; no local persistence (003-aws-costs-cloudwatch)
+- JavaScript (ESM, `.js`) with JSDoc — Node.js >= 24 + `@oclif/core` v4, `@inquirer/prompts` v7, `chalk` v5, `ora` v8, `execa` v9 (all existing — no new runtime dependencies) (004-chezmoi-dotfiles-setup)
+- `~/.config/dvmi/config.json` (dvmi config, extended with `dotfiles` field) + `~/.config/chezmoi/chezmoi.toml` (chezmoi native config, managed by chezmoi CLI) (004-chezmoi-dotfiles-setup)
 
 ## Recent Changes
 - 001-prompt-hub: Added JavaScript (ESM, `.js`) — Node.js >= 24 + `@oclif/core` v4, `octokit` v4, `chalk` v5, `ora` v8, `@inquirer/prompts` v7, `execa` v9, `js-yaml` v4, `marked` v9 — all already in `package.json`; no new runtime dependencies needed

src/commands/dotfiles/add.js

@@ -0,0 +1,249 @@
+import { Command, Flags, Args } from '@oclif/core'
+import ora from 'ora'
+import chalk from 'chalk'
+import { checkbox, confirm, input } from '@inquirer/prompts'
+import { detectPlatform } from '../../services/platform.js'
+import {
+  isChezmoiInstalled,
+  getManagedFiles,
+  getDefaultFileList,
+  getSensitivePatterns,
+  isPathSensitive,
+  isWSLWindowsPath,
+} from '../../services/dotfiles.js'
+import { loadConfig } from '../../services/config.js'
+import { execOrThrow } from '../../services/shell.js'
+import { formatDotfilesAdd } from '../../formatters/dotfiles.js'
+import { DvmiError } from '../../utils/errors.js'
+import { homedir } from 'node:os'
+import { join } from 'node:path'
+import { existsSync } from 'node:fs'
+
+/** @import { DotfilesAddResult } from '../../types.js' */
+
+/**
+ * Expand tilde to home directory.
+ * @param {string} p
+ * @returns {string}
+ */
+function expandTilde(p) {
+  if (p.startsWith('~/') || p === '~') {
+    return join(homedir(), p.slice(2))
+  }
+  return p
+}
+
+export default class DotfilesAdd extends Command {
+  static description = 'Add dotfiles to chezmoi management with automatic encryption for sensitive files'
+
+  static examples = [
+    '<%= config.bin %> dotfiles add',
+    '<%= config.bin %> dotfiles add ~/.zshrc',
+    '<%= config.bin %> dotfiles add ~/.zshrc ~/.gitconfig',
+    '<%= config.bin %> dotfiles add ~/.ssh/id_ed25519 --encrypt',
+    '<%= config.bin %> dotfiles add --json ~/.zshrc',
+  ]
+
+  static enableJsonFlag = true
+
+  static flags = {
+    help: Flags.help({ char: 'h' }),
+    encrypt: Flags.boolean({ char: 'e', description: 'Force encryption for all files being added', default: false }),
+    'no-encrypt': Flags.boolean({ description: 'Disable auto-encryption (add all as plaintext)', default: false }),
+  }
+
+  static args = {
+    files: Args.string({ description: 'File paths to add', required: false }),
+  }
+
+  // oclif does not support variadic args natively via Args.string for multiple values;
+  // we'll parse extra args from this.argv
+  static strict = false
+
+  async run() {
+    const { flags } = await this.parse(DotfilesAdd)
+    const isJson = flags.json
+    const forceEncrypt = flags.encrypt
+    const forceNoEncrypt = flags['no-encrypt']
+
+    // Collect file args from argv (strict=false allows extra positional args)
+    const rawArgs = this.argv.filter((a) => !a.startsWith('-'))
+    const fileArgs = rawArgs
+
+    // Pre-checks
+    const config = await loadConfig()
+    if (!config.dotfiles?.enabled) {
+      throw new DvmiError(
+        'Chezmoi dotfiles management is not configured',
+        'Run `dvmi dotfiles setup` first',
+      )
+    }
+
+    const chezmoiInstalled = await isChezmoiInstalled()
+    if (!chezmoiInstalled) {
+      const platformInfo = await detectPlatform()
+      const hint = platformInfo.platform === 'macos'
+        ? 'Run `brew install chezmoi` or visit https://chezmoi.io/install'
+        : 'Run `sh -c "$(curl -fsLS get.chezmoi.io)"` or visit https://chezmoi.io/install'
+      throw new DvmiError('chezmoi is not installed', hint)
+    }
+
+    const platformInfo = await detectPlatform()
+    const { platform } = platformInfo
+    const sensitivePatterns = getSensitivePatterns(config)
+
+    // Get already-managed files for V-007 check
+    const managedFiles = await getManagedFiles()
+    const managedPaths = new Set(managedFiles.map((f) => f.path))
+
+    /** @type {DotfilesAddResult} */
+    const result = { added: [], skipped: [], rejected: [] }
+
+    if (fileArgs.length > 0) {
+      // Direct mode — files provided as arguments
+      for (const rawPath of fileArgs) {
+        const absPath = expandTilde(rawPath)
+        const displayPath = rawPath
+
+        // V-002: WSL2 Windows path rejection
+        if (platform === 'wsl2' && isWSLWindowsPath(absPath)) {
+          result.rejected.push({ path: displayPath, reason: 'Windows filesystem paths not supported on WSL2. Use Linux-native paths (~/) instead.' })
+          continue
+        }
+
+        // V-001: file must exist
+        if (!existsSync(absPath)) {
+          result.skipped.push({ path: displayPath, reason: 'File not found' })
+          continue
+        }
+
+        // V-007: not already managed
+        if (managedPaths.has(absPath)) {
+          result.skipped.push({ path: displayPath, reason: 'Already managed by chezmoi' })
+          continue
+        }
+
+        // Determine encryption
+        let encrypt = false
+        if (forceEncrypt) {
+          encrypt = true
+        } else if (forceNoEncrypt) {
+          encrypt = false
+        } else {
+          encrypt = isPathSensitive(rawPath, sensitivePatterns)
+        }
+
+        try {
+          const args = ['add']
+          if (encrypt) args.push('--encrypt')
+          args.push(absPath)
+          await execOrThrow('chezmoi', args)
+          result.added.push({ path: displayPath, encrypted: encrypt })
+        } catch {
+          result.skipped.push({ path: displayPath, reason: `Failed to add to chezmoi. Run \`chezmoi doctor\` to verify your setup.` })
+        }
+      }
+
+      if (isJson) return result
+      this.log(formatDotfilesAdd(result))
+      return result
+    }
+
+    // Interactive mode — no file args
+    if (isJson) {
+      // In --json with no files: return empty result
+      return result
+    }
+
+    // Non-interactive guard for interactive mode
+    const isCI = process.env.CI === 'true'
+    const isNonInteractive = !process.stdout.isTTY
+    if (isCI || isNonInteractive) {
+      this.error(
+        'This command requires an interactive terminal (TTY) when no files are specified. Provide file paths as arguments or run with --json.',
+        { exit: 1 },
+      )
+    }
+
+    const spinner = ora({ spinner: 'arc', color: false, text: chalk.hex('#FF6B2B')('Loading recommended files...') }).start()
+    const recommended = getDefaultFileList(platform)
+    spinner.stop()
+
+    // Filter and build choices
+    const choices = recommended.map((rec) => {
+      const absPath = expandTilde(rec.path)
+      const exists = existsSync(absPath)
+      const alreadyManaged = managedPaths.has(absPath)
+      const sensitive = rec.autoEncrypt || isPathSensitive(rec.path, sensitivePatterns)
+      const encTag = sensitive ? chalk.dim(' (auto-encrypted)') : ''
+      const statusTag = !exists ? chalk.dim(' (not found)') : alreadyManaged ? chalk.dim(' (already tracked)') : ''
+      return {
+        name: `${rec.path}${encTag}${statusTag} — ${rec.description}`,
+        value: rec.path,
+        checked: exists && !alreadyManaged,
+        disabled: alreadyManaged ? 'already tracked' : false,
+      }
+    })
+
+    const selected = await checkbox({
+      message: 'Select files to add to chezmoi:',
+      choices,
+    })
+
+    // Offer custom file
+    const addCustom = await confirm({ message: 'Add a custom file path?', default: false })
+    if (addCustom) {
+      const customPath = await input({ message: 'Enter file path:' })
+      if (customPath.trim()) selected.push(customPath.trim())
+    }
+
+    if (selected.length === 0) {
+      this.log(chalk.dim('  No files selected.'))
+      return result
+    }
+
+    const addSpinner = ora({ spinner: 'arc', color: false, text: chalk.hex('#FF6B2B')('Adding files to chezmoi...') }).start()
+    addSpinner.stop()
+
+    for (const rawPath of selected) {
+      const absPath = expandTilde(rawPath)
+
+      if (platform === 'wsl2' && isWSLWindowsPath(absPath)) {
+        result.rejected.push({ path: rawPath, reason: 'Windows filesystem paths not supported on WSL2' })
+        continue
+      }
+
+      if (!existsSync(absPath)) {
+        result.skipped.push({ path: rawPath, reason: 'File not found' })
+        continue
+      }
+
+      if (managedPaths.has(absPath)) {
+        result.skipped.push({ path: rawPath, reason: 'Already managed by chezmoi' })
+        continue
+      }
+
+      let encrypt = false
+      if (forceEncrypt) {
+        encrypt = true
+      } else if (forceNoEncrypt) {
+        encrypt = false
+      } else {
+        encrypt = isPathSensitive(rawPath, sensitivePatterns)
+      }
+
+      try {
+        const args = ['add']
+        if (encrypt) args.push('--encrypt')
+        args.push(absPath)
+        await execOrThrow('chezmoi', args)
+        result.added.push({ path: rawPath, encrypted: encrypt })
+      } catch {
+        result.skipped.push({ path: rawPath, reason: `Failed to add. Run \`chezmoi doctor\` to verify your setup.` })
+      }
+    }
+
+    this.log(formatDotfilesAdd(result))
+    return result
+  }
+}