npm - @ait-co/console-cli - Versions diffs - 0.1.23 → 0.1.24 - Mend

@ait-co/console-cli 0.1.23 → 0.1.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.mjs CHANGED Viewed

@@ -164,6 +164,48 @@ async function executeAndUnwrap(url, init, fetchImpl) {
 	throw new TossApiError(res.status, parsed.error.errorCode, parsed.error.reason, parsed.error.errorType);
 }
 //#endregion
+//#region src/api/certs.ts
+const BASE$5 = "https://apps-in-toss.toss.im/console/api-public/v3/appsintossconsole";
+async function fetchCerts(workspaceId, miniAppId, cookies, opts = {}) {
+	const raw = await requestConsoleApi({
+		url: `${BASE$5}/workspaces/${workspaceId}/mini-app/${miniAppId}/certs`,
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+	if (!Array.isArray(raw)) throw new Error(`Unexpected certs shape for app=${miniAppId}: not an array`);
+	return raw.map((c) => {
+		if (c === null || typeof c !== "object") return {};
+		return c;
+	});
+}
+async function issueCert(workspaceId, miniAppId, name, cookies, opts = {}) {
+	const raw = await requestConsoleApi({
+		url: `${BASE$5}/workspaces/${workspaceId}/mini-app/${miniAppId}/cert/issue`,
+		method: "POST",
+		body: { name },
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+	if (raw === null || typeof raw !== "object") throw new Error(`Unexpected issue-cert shape for app=${miniAppId}: not an object`);
+	const rec = raw;
+	const privateKey = typeof rec.privateKey === "string" ? rec.privateKey : null;
+	const publicKey = typeof rec.publicKey === "string" ? rec.publicKey : null;
+	if (privateKey === null || publicKey === null) throw new Error(`Unexpected issue-cert shape for app=${miniAppId}: missing privateKey/publicKey`);
+	return {
+		privateKey,
+		publicKey
+	};
+}
+async function revokeCert(workspaceId, miniAppId, certId, cookies, opts = {}) {
+	await requestConsoleApi({
+		url: `${BASE$5}/workspaces/${workspaceId}/mini-app/${miniAppId}/certs/${encodeURIComponent(certId)}/disable`,
+		method: "POST",
+		body: {},
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+}
+//#endregion
 //#region src/api/mini-apps.ts
 const BASE$4 = "https://apps-in-toss.toss.im/console/api-public/v3/appsintossconsole";
 async function fetchMiniApps(workspaceId, cookies, opts = {}) {
@@ -329,45 +371,6 @@ async function fetchConversionMetrics(params, cookies, opts = {}) {
 		cacheTime: typeof rec.cacheTime === "string" ? rec.cacheTime : void 0
 	};
 }
-async function fetchCerts(workspaceId, miniAppId, cookies, opts = {}) {
-	const raw = await requestConsoleApi({
-		url: `${BASE$4}/workspaces/${workspaceId}/mini-app/${miniAppId}/certs`,
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-	if (!Array.isArray(raw)) throw new Error(`Unexpected certs shape for app=${miniAppId}: not an array`);
-	return raw.map((c) => {
-		if (c === null || typeof c !== "object") return {};
-		return c;
-	});
-}
-async function issueCert(workspaceId, miniAppId, name, cookies, opts = {}) {
-	const raw = await requestConsoleApi({
-		url: `${BASE$4}/workspaces/${workspaceId}/mini-app/${miniAppId}/cert/issue`,
-		method: "POST",
-		body: { name },
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-	if (raw === null || typeof raw !== "object") throw new Error(`Unexpected issue-cert shape for app=${miniAppId}: not an object`);
-	const rec = raw;
-	const privateKey = typeof rec.privateKey === "string" ? rec.privateKey : null;
-	const publicKey = typeof rec.publicKey === "string" ? rec.publicKey : null;
-	if (privateKey === null || publicKey === null) throw new Error(`Unexpected issue-cert shape for app=${miniAppId}: missing privateKey/publicKey`);
-	return {
-		privateKey,
-		publicKey
-	};
-}
-async function revokeCert(workspaceId, miniAppId, certId, cookies, opts = {}) {
-	await requestConsoleApi({
-		url: `${BASE$4}/workspaces/${workspaceId}/mini-app/${miniAppId}/certs/${encodeURIComponent(certId)}/disable`,
-		method: "POST",
-		body: {},
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-}
 async function fetchShareRewards(params, cookies, opts = {}) {
 	const qs = new URLSearchParams();
 	qs.set("search", params.search ?? "");
@@ -1587,6 +1590,153 @@ function printContextHeader(ctx, opts) {
 	process.stderr.write(line);
 }
 //#endregion
+//#region src/api/me.ts
+const BASE$3 = "https://apps-in-toss.toss.im/console/api-public/v3/appsintossconsole";
+const MEMBER_USER_INFO_URL = `${BASE$3}/members/me/user-info`;
+async function fetchConsoleMemberUserInfo(cookies, opts = {}) {
+	return requestConsoleApi({
+		url: MEMBER_USER_INFO_URL,
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+}
+async function fetchUserTerms(cookies, opts = {}) {
+	const raw = await requestConsoleApi({
+		url: `${BASE$3}/console-user-terms/me`,
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+	if (!Array.isArray(raw)) throw new Error("Unexpected user-terms shape: not an array");
+	return raw.map((entry, i) => {
+		if (!entry || typeof entry !== "object") throw new Error(`Unexpected user-terms entry at index ${i}`);
+		const e = entry;
+		return {
+			required: Boolean(e.required),
+			termsId: typeof e.termsId === "number" ? e.termsId : 0,
+			revisionId: typeof e.revisionId === "number" ? e.revisionId : 0,
+			title: typeof e.title === "string" ? e.title : "",
+			contentsUrl: typeof e.contentsUrl === "string" ? e.contentsUrl : "",
+			actionType: typeof e.actionType === "string" ? e.actionType : "",
+			isAgreed: Boolean(e.isAgreed),
+			isOneTimeConsent: Boolean(e.isOneTimeConsent)
+		};
+	});
+}
+//#endregion
+//#region src/api/workspaces.ts
+const WORKSPACES_BASE = "https://apps-in-toss.toss.im/console/api-public/v3/appsintossconsole";
+async function fetchWorkspaceDetail(workspaceId, cookies, opts = {}) {
+	const raw = await requestConsoleApi({
+		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}`,
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+	const id = raw.id;
+	const name = raw.name;
+	if (typeof id !== "number" || !Number.isInteger(id) || id <= 0 || typeof name !== "string") throw new Error(`Unexpected workspace detail shape for id=${workspaceId}`);
+	const { id: _id, name: _name, ...extra } = raw;
+	return {
+		workspaceId: id,
+		workspaceName: name,
+		extra
+	};
+}
+async function fetchWorkspacePartner(workspaceId, cookies, opts = {}) {
+	const raw = await requestConsoleApi({
+		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}/partner`,
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+	const registered = raw.registered;
+	if (typeof registered !== "boolean") throw new Error(`Unexpected workspace partner shape for id=${workspaceId}`);
+	return {
+		registered,
+		approvalType: typeof raw.approvalType === "string" ? raw.approvalType : null,
+		rejectMessage: typeof raw.rejectMessage === "string" ? raw.rejectMessage : null,
+		partner: raw.partner && typeof raw.partner === "object" ? raw.partner : null
+	};
+}
+const WORKSPACE_TERM_TYPES = [
+	"TOSS_LOGIN",
+	"BIZ_WORKSPACE",
+	"TOSS_PROMOTION_MONEY",
+	"IAA",
+	"IAP"
+];
+const DEFAULT_SEGMENT_CATEGORY = "생성된 세그먼트";
+async function fetchWorkspaceSegments(params, cookies, opts = {}) {
+	const page = params.page ?? 0;
+	const qs = new URLSearchParams();
+	qs.set("category", params.category ?? DEFAULT_SEGMENT_CATEGORY);
+	qs.set("search", params.search ?? "");
+	qs.set("page", String(page));
+	const raw = await requestConsoleApi({
+		url: `${WORKSPACES_BASE}/workspaces/${params.workspaceId}/segments/list?${qs.toString()}`,
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+	if (raw === null || typeof raw !== "object" || Array.isArray(raw)) throw new Error(`Unexpected segments shape for workspace=${params.workspaceId}`);
+	const data = raw;
+	return {
+		contents: (Array.isArray(data.contents) ? data.contents : []).map((c) => c && typeof c === "object" ? c : {}),
+		totalPage: typeof data.totalPage === "number" ? data.totalPage : 0,
+		currentPage: typeof data.currentPage === "number" ? data.currentPage : page
+	};
+}
+async function fetchWorkspaceTerms(workspaceId, type, cookies, opts = {}) {
+	const raw = await requestConsoleApi({
+		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}/console-workspace-terms/${type}/skip-permission`,
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+	if (!Array.isArray(raw)) throw new Error(`Unexpected workspace terms shape for type=${type}`);
+	return raw.map((entry, i) => {
+		if (!entry || typeof entry !== "object") throw new Error(`Unexpected workspace terms entry at index ${i} for type=${type}`);
+		const e = entry;
+		return {
+			required: Boolean(e.required),
+			termsId: typeof e.termsId === "number" ? e.termsId : 0,
+			revisionId: typeof e.revisionId === "number" ? e.revisionId : 0,
+			title: typeof e.title === "string" ? e.title : "",
+			contentsUrl: typeof e.contentsUrl === "string" ? e.contentsUrl : "",
+			actionType: typeof e.actionType === "string" ? e.actionType : "",
+			isAgreed: Boolean(e.isAgreed),
+			isOneTimeConsent: Boolean(e.isOneTimeConsent)
+		};
+	});
+}
+/**
+* Persist agreement for one-or-more workspace terms. The endpoint takes a
+* single `agreedList` regardless of which bucket the terms came from — the
+* type tag is implicit in the (termsId, revisionId) pairs.
+*
+* Captured behaviour (2026-05-08, ws=36577):
+*   - `POST /workspaces/<wid>/console-workspace-terms` with body
+*     `{"agreedList":[{"termsId": <int>, "revisionId": <int>}, ...]}`
+*   - Response on success: `{"resultType":"SUCCESS","success":{}}` — no
+*     useful payload. We resolve `void`.
+*   - Re-submitting an already-agreed term returns `errorCode: 500`
+*     (Internal Server Error). The server is NOT idempotent, so callers
+*     must filter to `isAgreed === false` before invoking.
+*   - Empty `agreedList` returns SUCCESS (no-op), but we throw client-side
+*     before sending — round-tripping a no-op request is wasted.
+*
+* Failure surfaces through `TossApiError` like every other write helper.
+*/
+async function agreeWorkspaceTerms(workspaceId, terms, cookies, opts = {}) {
+	if (terms.length === 0) throw new Error("agreeWorkspaceTerms requires at least one term");
+	await requestConsoleApi({
+		method: "POST",
+		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}/console-workspace-terms`,
+		cookies,
+		body: { agreedList: terms.map(({ termsId, revisionId }) => ({
+			termsId,
+			revisionId
+		})) },
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+}
+//#endregion
 //#region src/config/ait-bundle.ts
 var AitBundleError = class extends Error {
 	path;
@@ -1878,30 +2028,21 @@ async function runDeploy(args, deps = {}) {
 	const steps = ["upload"];
 	if (requestReview) steps.push("review");
 	if (release) steps.push("release");
-	if (args.dryRun) {
-		if (args.json) emitJson({
-			ok: true,
-			dryRun: true,
-			workspaceId,
-			appId,
-			deploymentId,
-			bundleFormat: bundleInfo.format,
-			bytes: bundleInfo.bytes.byteLength,
-			steps,
-			memo: memo ?? null,
-			releaseNotes: releaseNotes ?? null,
-			confirmed: confirm
-		});
-		else {
-			const stepsLine = steps.map((s) => {
-				if (s === "review") return `review (releaseNotes: ${JSON.stringify(releaseNotes ?? "")})`;
-				if (s === "release") return `release (${confirm ? "confirmed" : "NOT confirmed"})`;
-				return s;
-			}).join(" → ");
-			process.stdout.write(`DRY RUN\n  app           ${appId}\n  workspace     ${workspaceId}\n  bundle        ${args.path} (${bundleInfo.bytes.byteLength} bytes)\n  deploymentId  ${deploymentId}\n  memo          ${memo ?? "(none)"}\n  steps         ${stepsLine}\n`);
-		}
-		return exitAfterFlush(ExitCode.Ok);
-	}
+	if (args.dryRun) return runDryRun({
+		json: args.json,
+		path: args.path,
+		bundleInfo,
+		deploymentId,
+		explicitDeploymentId: typeof args.deploymentId === "string" && args.deploymentId !== "",
+		workspaceId,
+		appId,
+		session,
+		steps,
+		memo,
+		releaseNotes,
+		confirm,
+		fetchImpl: deps.fetchImpl
+	});
 	const apiOpts = deps.fetchImpl ? { fetchImpl: deps.fetchImpl } : {};
 	let uploaded = false;
 	let bundleRecord = null;
@@ -2037,38 +2178,154 @@ async function emitPartialFailure(json, err, progress) {
 	else process.stderr.write(`Unexpected error: ${err.message}\n`);
 	return exitAfterFlush(ExitCode.ApiError);
 }
-//#endregion
-//#region src/api/me.ts
-const BASE$3 = "https://apps-in-toss.toss.im/console/api-public/v3/appsintossconsole";
-const MEMBER_USER_INFO_URL = `${BASE$3}/members/me/user-info`;
-async function fetchConsoleMemberUserInfo(cookies, opts = {}) {
-	return requestConsoleApi({
-		url: MEMBER_USER_INFO_URL,
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
+const WORKSPACE_TERM_ERROR_CODES = {
+	TOSS_LOGIN: 4037,
+	BIZ_WORKSPACE: 4040,
+	TOSS_PROMOTION_MONEY: 4039,
+	IAA: 4099,
+	IAP: 5001
+};
+async function runDryRun(input) {
+	const apiOpts = input.fetchImpl ? { fetchImpl: input.fetchImpl } : {};
+	const embedded = input.bundleInfo.deploymentId;
+	const flagMatch = input.explicitDeploymentId ? input.deploymentId === embedded : null;
+	const [permissions, terms] = await Promise.all([fetchPermissions(input.workspaceId, input.session, apiOpts), fetchTermsBlockers(input.workspaceId, input.session, apiOpts)]);
+	const wouldSucceed = (flagMatch === null || flagMatch === true) && terms.blockers.length === 0;
+	if (input.json) {
+		emitJson({
+			ok: true,
+			dryRun: true,
+			wouldSucceed,
+			workspaceId: input.workspaceId,
+			appId: input.appId,
+			deploymentId: input.deploymentId,
+			bundleFormat: input.bundleInfo.format,
+			bytes: input.bundleInfo.bytes.byteLength,
+			steps: input.steps,
+			memo: input.memo ?? null,
+			releaseNotes: input.releaseNotes ?? null,
+			confirmed: input.confirm,
+			bundle: {
+				path: input.path,
+				format: input.bundleInfo.format,
+				deploymentId: input.deploymentId,
+				embeddedDeploymentId: embedded,
+				deploymentIdSource: input.explicitDeploymentId ? "flag" : "bundle",
+				flagMatch,
+				size: input.bundleInfo.bytes.byteLength
+			},
+			context: {
+				workspaceId: input.workspaceId,
+				appId: input.appId,
+				sessionValid: true,
+				permissions
+			},
+			terms
+		});
+		return exitAfterFlush(ExitCode.Ok);
+	}
+	process.stdout.write(renderDryRunText(input, {
+		embedded,
+		flagMatch,
+		permissions,
+		terms,
+		wouldSucceed
+	}));
+	return exitAfterFlush(ExitCode.Ok);
 }
-async function fetchUserTerms(cookies, opts = {}) {
-	const raw = await requestConsoleApi({
-		url: `${BASE$3}/console-user-terms/me`,
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-	if (!Array.isArray(raw)) throw new Error("Unexpected user-terms shape: not an array");
-	return raw.map((entry, i) => {
-		if (!entry || typeof entry !== "object") throw new Error(`Unexpected user-terms entry at index ${i}`);
-		const e = entry;
+async function fetchPermissions(workspaceId, session, apiOpts) {
+	try {
+		const ws = (await fetchConsoleMemberUserInfo(session.cookies, apiOpts)).workspaces.find((w) => w.workspaceId === workspaceId);
+		if (!ws) return {
+			role: null,
+			source: "unknown",
+			error: `current user has no membership in workspace ${workspaceId}`
+		};
 		return {
-			required: Boolean(e.required),
-			termsId: typeof e.termsId === "number" ? e.termsId : 0,
-			revisionId: typeof e.revisionId === "number" ? e.revisionId : 0,
-			title: typeof e.title === "string" ? e.title : "",
-			contentsUrl: typeof e.contentsUrl === "string" ? e.contentsUrl : "",
-			actionType: typeof e.actionType === "string" ? e.actionType : "",
-			isAgreed: Boolean(e.isAgreed),
-			isOneTimeConsent: Boolean(e.isOneTimeConsent)
+			role: ws.role,
+			source: "members/me"
 		};
-	});
+	} catch (err) {
+		return {
+			role: null,
+			source: "unknown",
+			error: err.message
+		};
+	}
+}
+async function fetchTermsBlockers(workspaceId, session, apiOpts) {
+	try {
+		const [userTerms, workspaceResults] = await Promise.all([fetchUserTerms(session.cookies, apiOpts), Promise.all(WORKSPACE_TERM_TYPES.map(async (t) => [t, await fetchWorkspaceTerms(workspaceId, t, session.cookies, apiOpts)]))]);
+		const blockers = [];
+		for (const t of userTerms) if (t.required && !t.isAgreed) blockers.push({
+			scope: "user",
+			type: "USER_TERMS",
+			errorCode: 4036,
+			title: t.title,
+			action: "aitcc me terms"
+		});
+		for (const [type, terms] of workspaceResults) for (const t of terms) {
+			if (!t.required || t.isAgreed) continue;
+			blockers.push({
+				scope: "workspace",
+				type,
+				errorCode: WORKSPACE_TERM_ERROR_CODES[type],
+				title: t.title,
+				action: `aitcc workspace terms --type ${type}`
+			});
+		}
+		return {
+			blockers,
+			checked: true
+		};
+	} catch (err) {
+		return {
+			blockers: [],
+			checked: false,
+			error: err.message
+		};
+	}
+}
+function renderDryRunText(input, derived) {
+	const lines = [];
+	lines.push(`DRY RUN — app deploy ${input.appId}\n`);
+	lines.push("\nBundle\n");
+	lines.push(`  path          ${input.path}\n`);
+	lines.push(`  format        ${input.bundleInfo.format.toUpperCase()}\n`);
+	lines.push(`  deploymentId  ${input.deploymentId}\n`);
+	if (derived.flagMatch === false) lines.push(`  flag match    MISMATCH (bundle embeds ${derived.embedded})\n`);
+	else if (derived.flagMatch === true) lines.push(`  flag match    ok (matches embedded)\n`);
+	lines.push(`  size          ${formatBytes(input.bundleInfo.bytes.byteLength)}\n`);
+	lines.push("\nContext\n");
+	lines.push(`  workspace     ${input.workspaceId}\n`);
+	lines.push(`  app           ${input.appId}\n`);
+	lines.push(`  session       valid\n`);
+	if (derived.permissions.role !== null) lines.push(`  permissions   ${derived.permissions.role}\n`);
+	else lines.push(`  permissions   unknown${derived.permissions.error ? ` (${derived.permissions.error})` : ""}\n`);
+	lines.push("\nTerms\n");
+	if (!derived.terms.checked) {
+		lines.push(`  warning: could not check terms status (${derived.terms.error ?? "unknown error"}).\n`);
+		lines.push("  live deploy may still fail with a 4032/4036/4037/4039/4040/4099/5001 errorCode.\n");
+	} else if (derived.terms.blockers.length === 0) lines.push("  all deploy-related terms are agreed\n");
+	else for (const b of derived.terms.blockers) lines.push(`  blocked: ${b.scope}/${b.type} — ${b.title} (errorCode ${b.errorCode})\n    action: ${b.action}\n`);
+	lines.push("\nPlan\n");
+	const stepsLine = input.steps.map((s) => {
+		if (s === "review") return `review (releaseNotes: ${JSON.stringify(input.releaseNotes ?? "")})`;
+		if (s === "release") return `release (${input.confirm ? "confirmed" : "NOT confirmed"})`;
+		return s;
+	}).join(" → ");
+	lines.push(`  steps         ${stepsLine}\n`);
+	lines.push(`  memo          ${input.memo ?? "(none)"}\n`);
+	lines.push("\nResult\n");
+	if (!derived.wouldSucceed) lines.push("  Live deploy would fail. Resolve the blocked items above, then re-run.\n");
+	else if (derived.permissions.role === null) lines.push("  Live deploy would clear bundle + terms checks. Workspace membership could not be confirmed; live deploy may still fail with a permissions error.\n");
+	else lines.push("  Live deploy would clear every pre-flight check.\n");
+	return lines.join("");
+}
+function formatBytes(n) {
+	if (n < 1024) return `${n} B`;
+	if (n < 1024 * 1024) return `${(n / 1024).toFixed(1)} KB`;
+	return `${(n / (1024 * 1024)).toFixed(1)} MB`;
 }
 //#endregion
 //#region src/config/app-manifest.ts
@@ -4296,6 +4553,25 @@ const bundlesCommand = defineCommand({
 		})
 	}
 });
+const CERT_EXPIRY_WARN_DAYS = 30;
+const MS_PER_DAY = 864e5;
+function deriveDaysUntilExpiry(cert, now) {
+	const raw = cert.expireTs;
+	let ts = null;
+	if (typeof raw === "number" && Number.isFinite(raw)) ts = raw;
+	else if (typeof raw === "string") {
+		const parsed = Date.parse(raw);
+		if (Number.isFinite(parsed)) ts = parsed;
+	}
+	if (ts === null) return null;
+	return Math.floor((ts - now) / MS_PER_DAY);
+}
+function expiryMarker(days) {
+	if (days === null) return "";
+	if (days < 0) return `\t⚠ 만료됨`;
+	if (days <= CERT_EXPIRY_WARN_DAYS) return `\t⚠ 만료 임박 (${days}일)`;
+	return "";
+}
 const certsLsCommand = defineCommand({
 	meta: {
 		name: "ls",
@@ -4330,27 +4606,153 @@ const certsLsCommand = defineCommand({
 		const { session, workspaceId } = ctx;
 		try {
 			const certs = await fetchCerts(workspaceId, appId, session.cookies);
+			const now = Date.now();
+			const augmented = certs.map((c) => ({
+				...c,
+				daysUntilExpiry: deriveDaysUntilExpiry(c, now)
+			}));
 			if (args.json) {
 				emitJson({
 					ok: true,
 					workspaceId,
 					appId,
-					certs
+					certs: augmented
 				});
 				return exitAfterFlush(ExitCode.Ok);
 			}
-			if (certs.length === 0) {
+			if (augmented.length === 0) {
 				process.stdout.write(`App ${appId} (ws ${workspaceId}): no mTLS certs\n`);
 				return exitAfterFlush(ExitCode.Ok);
 			}
-			process.stdout.write(`App ${appId} (ws ${workspaceId}): ${certs.length} cert(s)\n`);
-			for (const c of certs) {
+			process.stdout.write(`App ${appId} (ws ${workspaceId}): ${augmented.length} cert(s)\n`);
+			for (const c of augmented) {
 				const id = typeof c.id === "string" || typeof c.id === "number" ? c.id : typeof c.certId === "string" || typeof c.certId === "number" ? c.certId : "-";
 				const cn = typeof c.commonName === "string" ? c.commonName : "-";
 				const createdAt = typeof c.createdAt === "string" ? c.createdAt : "";
-				const expiresAt = typeof c.expiresAt === "string" ? c.expiresAt : typeof c.validUntil === "string" ? c.validUntil : "";
-				process.stdout.write(`${id}\t${cn}\t${createdAt}\t${expiresAt}\n`);
+				const expiresAt = typeof c.expiresAt === "string" ? c.expiresAt : typeof c.validUntil === "string" ? c.validUntil : typeof c.expireTs === "number" && Number.isFinite(c.expireTs) ? new Date(c.expireTs).toISOString() : "";
+				process.stdout.write(`${id}\t${cn}\t${createdAt}\t${expiresAt}${expiryMarker(c.daysUntilExpiry)}\n`);
+			}
+			return exitAfterFlush(ExitCode.Ok);
+		} catch (err) {
+			return emitFailureFromError(args.json, err);
+		}
+	}
+});
+function pickCertById(certs, certId) {
+	const target = certId.trim();
+	if (target.length === 0) return null;
+	for (const c of certs) {
+		const candidate = typeof c.id === "string" || typeof c.id === "number" ? c.id : typeof c.certId === "string" || typeof c.certId === "number" ? c.certId : null;
+		if (candidate !== null && String(candidate) === target) return c;
+	}
+	return null;
+}
+function augmentCertExpiry(cert, now = Date.now()) {
+	let expiresAtMs;
+	if (typeof cert.expireTs === "number" && Number.isFinite(cert.expireTs)) expiresAtMs = cert.expireTs;
+	else if (typeof cert.expiresAt === "string") {
+		const t = Date.parse(cert.expiresAt);
+		if (Number.isFinite(t)) expiresAtMs = t;
+	} else if (typeof cert.validUntil === "string") {
+		const t = Date.parse(cert.validUntil);
+		if (Number.isFinite(t)) expiresAtMs = t;
+	}
+	if (expiresAtMs === void 0) return {};
+	const daysUntilExpiry = Math.floor((expiresAtMs - now) / 864e5);
+	return {
+		expiresAtMs,
+		daysUntilExpiry
+	};
+}
+const certsShowCommand = defineCommand({
+	meta: {
+		name: "show",
+		description: "Show a single mTLS certificate by id (metadata only — no PEM)."
+	},
+	args: {
+		certId: {
+			type: "positional",
+			description: "Cert ID (from `app certs ls`).",
+			required: true
+		},
+		app: {
+			type: "string",
+			description: "Mini-app ID the cert belongs to."
+		},
+		workspace: {
+			type: "string",
+			description: "Workspace ID. Defaults to the selected workspace."
+		},
+		json: {
+			type: "boolean",
+			description: "Emit machine-readable JSON.",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const certId = typeof args.certId === "string" ? args.certId.trim() : "";
+		if (certId.length === 0) {
+			if (args.json) emitJson({
+				ok: false,
+				reason: "missing-cert-id",
+				message: "certId positional is required"
+			});
+			else process.stderr.write("app certs show: certId is required\n");
+			return exitAfterFlush(ExitCode.Usage);
+		}
+		const ctx = await resolveAppOrFail({
+			json: args.json,
+			appIdRaw: args.app,
+			appIdField: "app",
+			...args.workspace !== void 0 ? { workspace: args.workspace } : {}
+		});
+		if (!ctx) return;
+		const appId = await requireMiniAppId(ctx, args.json);
+		if (appId === null) return;
+		printContextHeader(ctx, { json: args.json });
+		const { session, workspaceId } = ctx;
+		try {
+			const match = pickCertById(await fetchCerts(workspaceId, appId, session.cookies), certId);
+			if (match === null) {
+				if (args.json) emitJson({
+					ok: false,
+					reason: "not-found",
+					workspaceId,
+					appId,
+					certId,
+					message: `cert ${certId} not found on app ${appId}`
+				});
+				else process.stderr.write(`app certs show: cert ${certId} not found on app ${appId} (ws ${workspaceId})\n`);
+				return exitAfterFlush(ExitCode.Usage);
+			}
+			const expiry = augmentCertExpiry(match);
+			if (args.json) {
+				emitJson({
+					ok: true,
+					workspaceId,
+					appId,
+					cert: match,
+					...expiry
+				});
+				return exitAfterFlush(ExitCode.Ok);
+			}
+			const id = typeof match.id === "string" || typeof match.id === "number" ? match.id : typeof match.certId === "string" || typeof match.certId === "number" ? match.certId : "-";
+			const name = typeof match.name === "string" ? match.name : "-";
+			const cn = typeof match.commonName === "string" ? match.commonName : "";
+			const createdAt = typeof match.createdAt === "string" ? match.createdAt : "";
+			const expiresAtIso = expiry.expiresAtMs !== void 0 ? new Date(expiry.expiresAtMs).toISOString() : "";
+			const status = typeof match.status === "string" ? match.status : "";
+			const lines = [`App ${appId} (ws ${workspaceId}): cert ${id}`, `  name:        ${name}`];
+			if (cn) lines.push(`  commonName:  ${cn}`);
+			if (createdAt) lines.push(`  createdAt:   ${createdAt}`);
+			if (expiresAtIso) lines.push(`  expiresAt:   ${expiresAtIso}`);
+			if (expiry.daysUntilExpiry !== void 0) {
+				const d = expiry.daysUntilExpiry;
+				const suffix = d > 0 ? ` (D-${d})` : d === 0 ? " (expires today)" : ` (expired ${-d} day(s) ago)`;
+				lines.push(`  daysUntilExpiry: ${d}${suffix}`);
 			}
+			if (status) lines.push(`  status:      ${status}`);
+			process.stdout.write(`${lines.join("\n")}\n`);
 			return exitAfterFlush(ExitCode.Ok);
 		} catch (err) {
 			return emitFailureFromError(args.json, err);
@@ -4370,6 +4772,7 @@ const certsCommand = defineCommand({
 	},
 	subCommands: {
 		ls: certsLsCommand,
+		show: certsShowCommand,
 		issue: defineCommand({
 			meta: {
 				name: "issue",
@@ -8498,7 +8901,7 @@ function resolveVersion() {
 		if (typeof injected === "string" && injected.length > 0) return injected;
 	} catch {}
 	try {
-		return "0.1.23";
+		return "0.1.24";
 	} catch {}
 	return "0.0.0-dev";
 }
@@ -8986,120 +9389,6 @@ const whoamiCommand = defineCommand({
 	}
 });
 //#endregion
-//#region src/api/workspaces.ts
-const WORKSPACES_BASE = "https://apps-in-toss.toss.im/console/api-public/v3/appsintossconsole";
-async function fetchWorkspaceDetail(workspaceId, cookies, opts = {}) {
-	const raw = await requestConsoleApi({
-		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}`,
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-	const id = raw.id;
-	const name = raw.name;
-	if (typeof id !== "number" || !Number.isInteger(id) || id <= 0 || typeof name !== "string") throw new Error(`Unexpected workspace detail shape for id=${workspaceId}`);
-	const { id: _id, name: _name, ...extra } = raw;
-	return {
-		workspaceId: id,
-		workspaceName: name,
-		extra
-	};
-}
-async function fetchWorkspacePartner(workspaceId, cookies, opts = {}) {
-	const raw = await requestConsoleApi({
-		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}/partner`,
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-	const registered = raw.registered;
-	if (typeof registered !== "boolean") throw new Error(`Unexpected workspace partner shape for id=${workspaceId}`);
-	return {
-		registered,
-		approvalType: typeof raw.approvalType === "string" ? raw.approvalType : null,
-		rejectMessage: typeof raw.rejectMessage === "string" ? raw.rejectMessage : null,
-		partner: raw.partner && typeof raw.partner === "object" ? raw.partner : null
-	};
-}
-const WORKSPACE_TERM_TYPES = [
-	"TOSS_LOGIN",
-	"BIZ_WORKSPACE",
-	"TOSS_PROMOTION_MONEY",
-	"IAA",
-	"IAP"
-];
-const DEFAULT_SEGMENT_CATEGORY = "생성된 세그먼트";
-async function fetchWorkspaceSegments(params, cookies, opts = {}) {
-	const page = params.page ?? 0;
-	const qs = new URLSearchParams();
-	qs.set("category", params.category ?? DEFAULT_SEGMENT_CATEGORY);
-	qs.set("search", params.search ?? "");
-	qs.set("page", String(page));
-	const raw = await requestConsoleApi({
-		url: `${WORKSPACES_BASE}/workspaces/${params.workspaceId}/segments/list?${qs.toString()}`,
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-	if (raw === null || typeof raw !== "object" || Array.isArray(raw)) throw new Error(`Unexpected segments shape for workspace=${params.workspaceId}`);
-	const data = raw;
-	return {
-		contents: (Array.isArray(data.contents) ? data.contents : []).map((c) => c && typeof c === "object" ? c : {}),
-		totalPage: typeof data.totalPage === "number" ? data.totalPage : 0,
-		currentPage: typeof data.currentPage === "number" ? data.currentPage : page
-	};
-}
-async function fetchWorkspaceTerms(workspaceId, type, cookies, opts = {}) {
-	const raw = await requestConsoleApi({
-		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}/console-workspace-terms/${type}/skip-permission`,
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-	if (!Array.isArray(raw)) throw new Error(`Unexpected workspace terms shape for type=${type}`);
-	return raw.map((entry, i) => {
-		if (!entry || typeof entry !== "object") throw new Error(`Unexpected workspace terms entry at index ${i} for type=${type}`);
-		const e = entry;
-		return {
-			required: Boolean(e.required),
-			termsId: typeof e.termsId === "number" ? e.termsId : 0,
-			revisionId: typeof e.revisionId === "number" ? e.revisionId : 0,
-			title: typeof e.title === "string" ? e.title : "",
-			contentsUrl: typeof e.contentsUrl === "string" ? e.contentsUrl : "",
-			actionType: typeof e.actionType === "string" ? e.actionType : "",
-			isAgreed: Boolean(e.isAgreed),
-			isOneTimeConsent: Boolean(e.isOneTimeConsent)
-		};
-	});
-}
-/**
-* Persist agreement for one-or-more workspace terms. The endpoint takes a
-* single `agreedList` regardless of which bucket the terms came from — the
-* type tag is implicit in the (termsId, revisionId) pairs.
-*
-* Captured behaviour (2026-05-08, ws=36577):
-*   - `POST /workspaces/<wid>/console-workspace-terms` with body
-*     `{"agreedList":[{"termsId": <int>, "revisionId": <int>}, ...]}`
-*   - Response on success: `{"resultType":"SUCCESS","success":{}}` — no
-*     useful payload. We resolve `void`.
-*   - Re-submitting an already-agreed term returns `errorCode: 500`
-*     (Internal Server Error). The server is NOT idempotent, so callers
-*     must filter to `isAgreed === false` before invoking.
-*   - Empty `agreedList` returns SUCCESS (no-op), but we throw client-side
-*     before sending — round-tripping a no-op request is wasted.
-*
-* Failure surfaces through `TossApiError` like every other write helper.
-*/
-async function agreeWorkspaceTerms(workspaceId, terms, cookies, opts = {}) {
-	if (terms.length === 0) throw new Error("agreeWorkspaceTerms requires at least one term");
-	await requestConsoleApi({
-		method: "POST",
-		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}/console-workspace-terms`,
-		cookies,
-		body: { agreedList: terms.map(({ termsId, revisionId }) => ({
-			termsId,
-			revisionId
-		})) },
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-}
-//#endregion
 //#region src/commands/workspace.ts
 function formatScalar(v) {
 	if (v === null) return "null";