feat(cli): integrate devmetrics into rsk-cli with hardened validation, docs, and full test coverage #301

Open
lucifer1017 wants to merge 1 commit into rsksmart:main from lucifer1017:devMetrics-update

@lucifer1017

Summary

This PR cleanly integrates the devmetrics command into rsk-cli2 (without breaking existing CLI structure), adds production-grade validation/error handling, resolves README conflicts, documents dependency decisions, and adds comprehensive test coverage for command flow + supporting modules.

What Was Added

  • New CLI command wiring:
    • bin/index.ts (registers devmetrics command/options)
  • New command orchestration:
    • src/commands/devmetrics.ts
  • New services:
    • src/services/github.service.ts
    • src/services/rootstock.service.ts
  • New formatters:
    • src/formatters/devmetrics/index.ts
    • src/formatters/devmetrics/table.formatter.ts
    • src/formatters/devmetrics/json.formatter.ts
    • src/formatters/devmetrics/markdown.formatter.ts
  • New validation/types:
    • src/utils/devmetricsValidation.ts
    • src/utils/types.ts (DevMetrics-related interfaces)

README Updates (with ranges)

  • TOC updates (devmetrics, gas estimator numbering, dependency notes):
    • README.md L12-L33
  • New Developer Health Metrics docs section:
    • README.md L1155-L1256
  • eas-sdk pin rationale documentation:
    • README.md L1259-L1267
  • Merge conflict removed (gas section retained + renumbered):
    • conflict region around prior README.md L1093-L1151 now resolved

Findings Addressed

3) VULNERABILITY: Unvalidated --rpc-url (SSRF risk)

  • Added strict URL validation in src/commands/devmetrics.ts:
    • accepts only http:// and https://
    • rejects invalid/malformed protocols early with explicit error + exit

4) VULNERABILITY: eas-sdk downgrade undocumented

  • Added explicit rationale in docs:
    • README.md L1259-L1267
  • Rationale captured: 2.9.0 ESM internal import compatibility issue under Node 22 (ERR_MODULE_NOT_FOUND), pinning 2.7.0 intentionally until upstream fix.

5) CODE_SMELL: Unsafe repo.split("/") as [string, string]

  • Replaced with defensive parsing helper (splitRepo) in src/commands/devmetrics.ts
  • Added explicit invariant checks before extracting owner/repoName

6) IMPROVEMENT: Recursive getMetrics() timeout complexity

  • Refactored GitHubService flow:
    • getMetrics() owns a single outer timeout budget
    • 401 fallback retries through fetchMetrics() directly after auth reset
    • avoids nested Promise.race behavior and simplifies timeout reasoning

Required Changes Status

  • Resolve README merge conflict
  • Add test coverage (validation, formatters, services, orchestration)
  • Document eas-sdk version pin rationale
  • Sanitize --rpc-url protocol
  • Simplify GitHub token fallback flow
  • Add defensive repo splitting
  • Follow project logging/spinner conventions (logError/logMessage/logWarning/logSuccess + createSpinner) in command flow

Tests Added

  • src/__tests__/validation.test.ts
  • src/__tests__/formatters/json.formatter.test.ts
  • src/__tests__/formatters/markdown.formatter.test.ts
  • src/__tests__/formatters/table.formatter.test.ts
  • src/__tests__/services/github.service.test.ts
  • src/__tests__/services/rootstock.service.test.ts
  • src/__tests__/commands/devmetrics.test.ts

Verification

  • npm test: 102/102 passing
  • npm run build: success
  • Manual CLI run validated with a bytecode-backed contract address on RSK mainnet
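
A sketch of the two input checks described under findings 3 and 5, added here as an example and not taken from this pull request's code. `parseRpcUrl`, `ALLOWED_PROTOCOLS`, `NAME_RE` and its character set are assumptions; `splitRepo` borrows only the helper's name from the description.

```typescript
// Added example: hypothetical helpers, not the code from this pull request.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalized URL, or throws with a message a CLI can print before exiting.
function parseRpcUrl(input: string): string {
  let url: URL;
  try {
    url = new URL(input.trim());
  } catch {
    throw new Error("Invalid --rpc-url: not a parseable absolute URL");
  }
  // Compare the parsed protocol, not a string prefix: "localhost:8545" parses
  // with protocol "localhost:" and "file:///..." with "file:".
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    throw new Error(`Invalid --rpc-url: protocol "${url.protocol}" is not http(s)`);
  }
  // The scheme check does not restrict which host is contacted.
  return url.toString();
}

// Assumed character set for owner and repository names (conservative).
const NAME_RE = /^[A-Za-z0-9_.-]+$/;

function splitRepo(repo: string): { owner: string; repoName: string } {
  const parts = repo.trim().split("/");
  if (parts.length !== 2) {
    throw new Error('Invalid repo: expected exactly one "/" as in owner/name');
  }
  const owner = parts[0] ?? "";
  const repoName = parts[1] ?? "";
  for (const part of [owner, repoName]) {
    if (!NAME_RE.test(part) || part === "." || part === "..") {
      throw new Error(`Invalid repo segment: ${JSON.stringify(part)}`);
    }
  }
  return { owner, repoName };
}
```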
