
Commit 527062f

feat(aws): add costs trend, CloudWatch logs, and aws-vault integration (#7)

* security: apply 7 fixes from ZeroTrustino audit
  1. SQL Injection Prevention - Parameterized queries on user input
  2. XSS Vulnerabilities - HTML entity encoding in output rendering
  3. CSRF Token Implementation - Added token validation on state-changing operations
  4. Password Hashing - Upgraded to bcrypt with stronger salt rounds
  5. Authentication Session - Implemented secure session tokens with expiration
  6. API Rate Limiting - Added rate limit middleware to prevent brute force attacks
  7. Dependency Audit - Updated vulnerable package versions and patched known CVEs

* chore(release): add pre-push version sync hook and security release rule
  - Add scripts/sync-version.js: analyzes commits since last tag using local git (no GITHUB_TOKEN needed) and bumps package.json version following the same releaseRules as .releaserc.json
  - Add pre-push hook in lefthook.yml to run sync-version automatically
  - Add pnpm version:sync script for manual use
  - Add 'security' as a patch release type in .releaserc.json and sync-version
  - Sync package.json to 1.1.1 (security fix on this branch)

* fix(init): stop ora spinner before interactive prompts to prevent TTY freeze on macOS
  On macOS, ora's setInterval and @inquirer/prompts both compete for the same TTY. When configSpinner is running during confirm()/input() calls, the readline interface never receives keypresses and the process hangs.
  Fix: call configSpinner.stop() before the first await confirm() so inquirer has exclusive TTY control during the prompt block.

* feat(security): add dvmi security setup wizard
  Interactive wizard to install and configure security tooling on macOS, Linux, and WSL2: aws-vault (with pass/GPG backend), Git Credential Manager, and macOS Keychain. Supports --json health-check mode, non-interactive guard, sudo pre-flight on Linux, and abort-on-failure per step (FR-015).
  - 7 new JSDoc typedefs in src/types.js
  - src/services/security.js: buildSteps(), checkToolStatus(), appendToShellProfile(), listGpgKeys(), deriveOverallStatus()
  - src/commands/security/setup.js: full oclif command with interactive + --json mode
  - src/formatters/security.js: chalk formatters for intro, step headers, summary
  - 42 tests across unit / services / integration (all green)

* fix(security): apply ZeroTrustino static analysis hardening
  7 fixes from ZeroTrustino security audit (96% confidence, 100% coverage):
  - security.js: validate debUrl with strict regex before sudo execution (CWE-78)
  - security.js: remove GPG --passphrase '' batch generation (CWE-321)
  - clickup.js: add saveConfig import — OAuth token save was crashing (CWE-248)
  - clickup.js: cap clickupFetch() retry loop at MAX_RETRIES=5 (CWE-674)
  - prompts/run.js: show prompt preview + confirm() before AI tool invocation (CWE-20)
  - prompts.js: apply mode 0o600/0o700 to downloaded prompt files (CWE-732)
  - docs.js: replace empty catch{} with DVMI_DEBUG stderr log (CWE-390)

* chore(release): sync version to 1.2.0

* chore(welcome): add dvmi welcome command and cyberpunk mission dashboard
  - add src/utils/welcome.js with printWelcomeScreen(): animated logo, color-coded sections (security/devex/delivery/boot), ruler-style headers, stagger delay between blocks
  - add src/commands/welcome.js: new `dvmi welcome` command
  - update src/commands/init.js: replace printBanner() with printWelcomeScreen() so the full dashboard shows on first setup
  No semver bump: chore commit, no feat/fix.

* feat(aws): add costs trend, CloudWatch logs, and aws-vault credential management
  - dvmi costs get: --group-by (service|tag|both), --tag-key flag, interactive aws-vault profile prompt
  - dvmi costs trend: rolling 2-month bar/line chart with --line, --group-by, --tag-key
  - dvmi logs: interactive CloudWatch log group browser with --group, --filter, --since, --limit, --region
  - aws-vault utils: transparent re-exec via aws-vault exec when profile is configured
  - Help system: Cloud & Costi category updated with logs entry and correct flag hints; examples clean of aws-vault prefix
  - Full test coverage: integration tests for costs-get, costs-trend, logs; service tests for aws-costs and cloudwatch-logs; unit tests for chart formatters

* fix(ci): track logs command ignored by .gitignore, anchor rule to root

* chore(release): sync version to 1.3.0
1 parent 6d399f5 commit 527062f

23 files changed

Lines changed: 2175 additions & 65 deletions

.gitignore

Lines changed: 1 addition & 1 deletion
@@ -21,7 +21,7 @@ temp/
2121
*.orig
2222

2323
# ─── Logs ─────────────────────────────────────────────────────────────────────
24-
logs/
24+
/logs/
2525
*.log
2626
npm-debug.log*
2727
yarn-debug.log*
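Review bot: the change from `logs/` to `/logs/` carries no explanation in the file itself; add a comment beside the rule (for example `# anchored to repo root so src/commands/logs/ stays tracked`) so the next contributor does not widen it back to `logs/`. Since relaxing an ignore rule does not stage files that earlier commits left out, confirm the previously ignored logs command files are actually added in this commit, and note that `*.log` on the following line still catches log files anywhere in the tree, which is the behaviour you want to keep.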

AGENTS.md

Lines changed: 3 additions & 1 deletion
@@ -357,13 +357,15 @@ pnpm test # Verify nothing broke
357357

358358
---
359359

360-
**Last updated**: 2026-03-25
360+
**Last updated**: 2026-03-26
361361

362362
## Active Technologies
363363
- JavaScript (ESM, `.js`) — Node.js >= 24 + `@oclif/core` v4, `octokit` v4, `chalk` v5, `ora` v8, `@inquirer/prompts` v7, `execa` v9, `js-yaml` v4, `marked` v9 — all already in `package.json`; no new runtime dependencies needed (001-prompt-hub)
364364
- Local filesystem — `.prompts/` directory at project root for downloaded prompts; `~/.config/dvmi/config.json` for AI tool preference (001-prompt-hub)
365365
- JavaScript (ESM, `.js`) — Node.js >= 24 + `@oclif/core` v4, `@inquirer/prompts` v7, `ora` v8, `chalk` v5, `execa` v9 — all already in `package.json`; no new runtime dependencies needed (002-secure-credentials-setup)
366366
- Shell profile files (`~/.bashrc`, `~/.zshrc`) for environment variable persistence; `git config --global` for credential helper config; no dvmi config changes (002-secure-credentials-setup)
367+
- JavaScript (ESM, `.js`) — Node.js >= 24 + `@oclif/core` v4, `@inquirer/prompts` v7, `chalk` v5, `ora` v8, `@aws-sdk/client-cost-explorer` v3 (existing), `@aws-sdk/client-cloudwatch-logs` v3 (new — justified by CloudWatch feature) (003-aws-costs-cloudwatch)
368+
- N/A — all data fetched live from AWS APIs; no local persistence (003-aws-costs-cloudwatch)
367369

368370
## Recent Changes
369371
- 001-prompt-hub: Added JavaScript (ESM, `.js`) — Node.js >= 24 + `@oclif/core` v4, `octokit` v4, `chalk` v5, `ora` v8, `@inquirer/prompts` v7, `execa` v9, `js-yaml` v4, `marked` v9 — all already in `package.json`; no new runtime dependencies needed
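Review bot: the new storage entry `N/A — all data fetched live from AWS APIs; no local persistence` does not match the README change in this same commit, which says the AWS commands read `awsProfile` from the config written by `dvmi init`; state that the feature reads (without writing) `~/.config/dvmi/config.json`, the same file the earlier 001-prompt-hub entry names, so an agent reading this file knows the profile name is a local input. Only `## Active Technologies` gains 003-aws-costs-cloudwatch lines in this hunk; if `## Recent Changes` below is kept in step, add the corresponding entry there.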

README.md

Lines changed: 36 additions & 1 deletion
@@ -114,8 +114,19 @@ dvmi tasks assigned # Show tasks assigned to you
114114

115115
```bash
116116
dvmi costs get # Analyze AWS costs
117+
dvmi costs trend # Show 2-month daily AWS cost trend
117118
```
118119

120+
If `awsProfile` is configured (`dvmi init`), AWS cost commands automatically re-run via
121+
`aws-vault exec <profile> -- ...` when credentials are missing, so developers can run:
122+
123+
```bash
124+
dvmi costs get
125+
dvmi costs trend
126+
```
127+
128+
without manually prefixing `aws-vault exec`.
129+
119130
### Documentation
120131

121132
```bash
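Review bot: `when credentials are missing` leaves the trigger unspecified; say what is checked (which environment variables or credential sources) and have the re-exec print the profile it is about to use, so a developer can tell whether a command ran under an aws-vault session or under ambient credentials. The paragraph also assumes `aws-vault` is present: note that the re-exec needs `aws-vault` on `PATH` (the commit message says `dvmi security setup` installs it) and what the command does when `awsProfile` is set but the binary is absent.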
@@ -164,12 +175,36 @@ Devvami uses your system's **secure credential storage**:
164175

165176
- **macOS**: Keychain
166177
- **Linux**: Secret Service / pass
167-
- **Windows**: Credential Manager
178+
- **WSL2**: Windows bridge for browser/GCM + Linux tooling for security setup
179+
- **Windows (native / non-WSL)**: limited support (see Platform Support)
168180

169181
Tokens are **never stored in plain text**. They're stored securely via `@keytar/keytar`.
170182

171183
---
172184

185+
## 🖥️ Platform Support
186+
187+
### Fully supported
188+
189+
- **macOS**
190+
- **Linux (Debian/Ubuntu family)**
191+
- **Windows via WSL2**
192+
193+
### Linux/WSL notes
194+
195+
- `dvmi security setup` currently uses `apt-get` for package install (Debian/Ubuntu oriented).
196+
- `dvmi security setup` requires authenticated `sudo` (`sudo -n true` must pass).
197+
- On WSL2, browser opening tries `wslview` first, then falls back to `xdg-open`.
198+
199+
### Windows native (non-WSL)
200+
201+
- Not fully supported today.
202+
- Platform detection does not handle `win32` explicitly yet.
203+
- Some shell assumptions are Unix-centric (for example `which` usage and security setup steps).
204+
- Recommended path on Windows is to use **WSL2**.
205+
206+
---
207+
173208
## 📚 Documentation
174209

175210
- **Setup**: See [Quick Start](#-quick-start) above
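Review bot: the credential-storage list now says WSL2 uses `Windows bridge for browser/GCM + Linux tooling for security setup`, yet the sentence that follows still states tokens are stored via `@keytar/keytar`; spell out which backend keytar uses inside WSL2 (the Linux Secret Service / pass entry or the Windows side through GCM), because a WSL2 distro without a Secret Service daemon is the case most likely to fail or fall back to something weaker than the page promises. In the Linux/WSL notes, `sudo -n true must pass` should say it is a pre-flight check and which steps actually need root (the `apt-get` install), so users understand why a cached sudo credential is required before the wizard runs.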

package.json

Lines changed: 2 additions & 1 deletion
@@ -1,7 +1,7 @@
11
{
22
"name": "devvami",
33
"description": "DevEx CLI for developers and teams — manage repos, PRs, pipelines, tasks, and costs from the terminal",
4-
"version": "1.2.0",
4+
"version": "1.3.0",
55
"author": "",
66
"type": "module",
77
"bin": {
@@ -83,6 +83,7 @@
8383
}
8484
},
8585
"dependencies": {
86+
"@aws-sdk/client-cloudwatch-logs": "^3.1018.0",
8687
"@aws-sdk/client-cost-explorer": "^3",
8788
"@inquirer/prompts": "^7",
8889
"@oclif/core": "^4",
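Review bot: `"@aws-sdk/client-cloudwatch-logs": "^3.1018.0"` sits directly above `"@aws-sdk/client-cost-explorer": "^3"`, so the two AWS SDK v3 clients use different range styles; align them, preferably on the concrete-minimum form `^3.x.y`, since a bare `^3` accepts any 3.x release and makes the resolved version depend entirely on the lockfile being present at install time.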
