npm - @ait-co/console-cli - Versions diffs - 0.1.23 → 0.1.25 - Mend

@ait-co/console-cli 0.1.23 → 0.1.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/cli.mjs CHANGED Viewed

@@ -164,6 +164,48 @@ async function executeAndUnwrap(url, init, fetchImpl) {
 	throw new TossApiError(res.status, parsed.error.errorCode, parsed.error.reason, parsed.error.errorType);
 }
 //#endregion
+//#region src/api/certs.ts
+const BASE$5 = "https://apps-in-toss.toss.im/console/api-public/v3/appsintossconsole";
+async function fetchCerts(workspaceId, miniAppId, cookies, opts = {}) {
+	const raw = await requestConsoleApi({
+		url: `${BASE$5}/workspaces/${workspaceId}/mini-app/${miniAppId}/certs`,
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+	if (!Array.isArray(raw)) throw new Error(`Unexpected certs shape for app=${miniAppId}: not an array`);
+	return raw.map((c) => {
+		if (c === null || typeof c !== "object") return {};
+		return c;
+	});
+}
+async function issueCert(workspaceId, miniAppId, name, cookies, opts = {}) {
+	const raw = await requestConsoleApi({
+		url: `${BASE$5}/workspaces/${workspaceId}/mini-app/${miniAppId}/cert/issue`,
+		method: "POST",
+		body: { name },
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+	if (raw === null || typeof raw !== "object") throw new Error(`Unexpected issue-cert shape for app=${miniAppId}: not an object`);
+	const rec = raw;
+	const privateKey = typeof rec.privateKey === "string" ? rec.privateKey : null;
+	const publicKey = typeof rec.publicKey === "string" ? rec.publicKey : null;
+	if (privateKey === null || publicKey === null) throw new Error(`Unexpected issue-cert shape for app=${miniAppId}: missing privateKey/publicKey`);
+	return {
+		privateKey,
+		publicKey
+	};
+}
+async function revokeCert(workspaceId, miniAppId, certId, cookies, opts = {}) {
+	await requestConsoleApi({
+		url: `${BASE$5}/workspaces/${workspaceId}/mini-app/${miniAppId}/certs/${encodeURIComponent(certId)}/disable`,
+		method: "POST",
+		body: {},
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+}
+//#endregion
 //#region src/api/mini-apps.ts
 const BASE$4 = "https://apps-in-toss.toss.im/console/api-public/v3/appsintossconsole";
 async function fetchMiniApps(workspaceId, cookies, opts = {}) {
@@ -329,45 +371,6 @@ async function fetchConversionMetrics(params, cookies, opts = {}) {
 		cacheTime: typeof rec.cacheTime === "string" ? rec.cacheTime : void 0
 	};
 }
-async function fetchCerts(workspaceId, miniAppId, cookies, opts = {}) {
-	const raw = await requestConsoleApi({
-		url: `${BASE$4}/workspaces/${workspaceId}/mini-app/${miniAppId}/certs`,
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-	if (!Array.isArray(raw)) throw new Error(`Unexpected certs shape for app=${miniAppId}: not an array`);
-	return raw.map((c) => {
-		if (c === null || typeof c !== "object") return {};
-		return c;
-	});
-}
-async function issueCert(workspaceId, miniAppId, name, cookies, opts = {}) {
-	const raw = await requestConsoleApi({
-		url: `${BASE$4}/workspaces/${workspaceId}/mini-app/${miniAppId}/cert/issue`,
-		method: "POST",
-		body: { name },
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-	if (raw === null || typeof raw !== "object") throw new Error(`Unexpected issue-cert shape for app=${miniAppId}: not an object`);
-	const rec = raw;
-	const privateKey = typeof rec.privateKey === "string" ? rec.privateKey : null;
-	const publicKey = typeof rec.publicKey === "string" ? rec.publicKey : null;
-	if (privateKey === null || publicKey === null) throw new Error(`Unexpected issue-cert shape for app=${miniAppId}: missing privateKey/publicKey`);
-	return {
-		privateKey,
-		publicKey
-	};
-}
-async function revokeCert(workspaceId, miniAppId, certId, cookies, opts = {}) {
-	await requestConsoleApi({
-		url: `${BASE$4}/workspaces/${workspaceId}/mini-app/${miniAppId}/certs/${encodeURIComponent(certId)}/disable`,
-		method: "POST",
-		body: {},
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-}
 async function fetchShareRewards(params, cookies, opts = {}) {
 	const qs = new URLSearchParams();
 	qs.set("search", params.search ?? "");
@@ -1587,6 +1590,153 @@ function printContextHeader(ctx, opts) {
 	process.stderr.write(line);
 }
 //#endregion
+//#region src/api/me.ts
+const BASE$3 = "https://apps-in-toss.toss.im/console/api-public/v3/appsintossconsole";
+const MEMBER_USER_INFO_URL = `${BASE$3}/members/me/user-info`;
+async function fetchConsoleMemberUserInfo(cookies, opts = {}) {
+	return requestConsoleApi({
+		url: MEMBER_USER_INFO_URL,
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+}
+async function fetchUserTerms(cookies, opts = {}) {
+	const raw = await requestConsoleApi({
+		url: `${BASE$3}/console-user-terms/me`,
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+	if (!Array.isArray(raw)) throw new Error("Unexpected user-terms shape: not an array");
+	return raw.map((entry, i) => {
+		if (!entry || typeof entry !== "object") throw new Error(`Unexpected user-terms entry at index ${i}`);
+		const e = entry;
+		return {
+			required: Boolean(e.required),
+			termsId: typeof e.termsId === "number" ? e.termsId : 0,
+			revisionId: typeof e.revisionId === "number" ? e.revisionId : 0,
+			title: typeof e.title === "string" ? e.title : "",
+			contentsUrl: typeof e.contentsUrl === "string" ? e.contentsUrl : "",
+			actionType: typeof e.actionType === "string" ? e.actionType : "",
+			isAgreed: Boolean(e.isAgreed),
+			isOneTimeConsent: Boolean(e.isOneTimeConsent)
+		};
+	});
+}
+//#endregion
+//#region src/api/workspaces.ts
+const WORKSPACES_BASE = "https://apps-in-toss.toss.im/console/api-public/v3/appsintossconsole";
+async function fetchWorkspaceDetail(workspaceId, cookies, opts = {}) {
+	const raw = await requestConsoleApi({
+		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}`,
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+	const id = raw.id;
+	const name = raw.name;
+	if (typeof id !== "number" || !Number.isInteger(id) || id <= 0 || typeof name !== "string") throw new Error(`Unexpected workspace detail shape for id=${workspaceId}`);
+	const { id: _id, name: _name, ...extra } = raw;
+	return {
+		workspaceId: id,
+		workspaceName: name,
+		extra
+	};
+}
+async function fetchWorkspacePartner(workspaceId, cookies, opts = {}) {
+	const raw = await requestConsoleApi({
+		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}/partner`,
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+	const registered = raw.registered;
+	if (typeof registered !== "boolean") throw new Error(`Unexpected workspace partner shape for id=${workspaceId}`);
+	return {
+		registered,
+		approvalType: typeof raw.approvalType === "string" ? raw.approvalType : null,
+		rejectMessage: typeof raw.rejectMessage === "string" ? raw.rejectMessage : null,
+		partner: raw.partner && typeof raw.partner === "object" ? raw.partner : null
+	};
+}
+const WORKSPACE_TERM_TYPES = [
+	"TOSS_LOGIN",
+	"BIZ_WORKSPACE",
+	"TOSS_PROMOTION_MONEY",
+	"IAA",
+	"IAP"
+];
+const DEFAULT_SEGMENT_CATEGORY = "생성된 세그먼트";
+async function fetchWorkspaceSegments(params, cookies, opts = {}) {
+	const page = params.page ?? 0;
+	const qs = new URLSearchParams();
+	qs.set("category", params.category ?? DEFAULT_SEGMENT_CATEGORY);
+	qs.set("search", params.search ?? "");
+	qs.set("page", String(page));
+	const raw = await requestConsoleApi({
+		url: `${WORKSPACES_BASE}/workspaces/${params.workspaceId}/segments/list?${qs.toString()}`,
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+	if (raw === null || typeof raw !== "object" || Array.isArray(raw)) throw new Error(`Unexpected segments shape for workspace=${params.workspaceId}`);
+	const data = raw;
+	return {
+		contents: (Array.isArray(data.contents) ? data.contents : []).map((c) => c && typeof c === "object" ? c : {}),
+		totalPage: typeof data.totalPage === "number" ? data.totalPage : 0,
+		currentPage: typeof data.currentPage === "number" ? data.currentPage : page
+	};
+}
+async function fetchWorkspaceTerms(workspaceId, type, cookies, opts = {}) {
+	const raw = await requestConsoleApi({
+		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}/console-workspace-terms/${type}/skip-permission`,
+		cookies,
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+	if (!Array.isArray(raw)) throw new Error(`Unexpected workspace terms shape for type=${type}`);
+	return raw.map((entry, i) => {
+		if (!entry || typeof entry !== "object") throw new Error(`Unexpected workspace terms entry at index ${i} for type=${type}`);
+		const e = entry;
+		return {
+			required: Boolean(e.required),
+			termsId: typeof e.termsId === "number" ? e.termsId : 0,
+			revisionId: typeof e.revisionId === "number" ? e.revisionId : 0,
+			title: typeof e.title === "string" ? e.title : "",
+			contentsUrl: typeof e.contentsUrl === "string" ? e.contentsUrl : "",
+			actionType: typeof e.actionType === "string" ? e.actionType : "",
+			isAgreed: Boolean(e.isAgreed),
+			isOneTimeConsent: Boolean(e.isOneTimeConsent)
+		};
+	});
+}
+/**
+* Persist agreement for one-or-more workspace terms. The endpoint takes a
+* single `agreedList` regardless of which bucket the terms came from — the
+* type tag is implicit in the (termsId, revisionId) pairs.
+*
+* Captured behaviour (2026-05-08, ws=36577):
+*   - `POST /workspaces/<wid>/console-workspace-terms` with body
+*     `{"agreedList":[{"termsId": <int>, "revisionId": <int>}, ...]}`
+*   - Response on success: `{"resultType":"SUCCESS","success":{}}` — no
+*     useful payload. We resolve `void`.
+*   - Re-submitting an already-agreed term returns `errorCode: 500`
+*     (Internal Server Error). The server is NOT idempotent, so callers
+*     must filter to `isAgreed === false` before invoking.
+*   - Empty `agreedList` returns SUCCESS (no-op), but we throw client-side
+*     before sending — round-tripping a no-op request is wasted.
+*
+* Failure surfaces through `TossApiError` like every other write helper.
+*/
+async function agreeWorkspaceTerms(workspaceId, terms, cookies, opts = {}) {
+	if (terms.length === 0) throw new Error("agreeWorkspaceTerms requires at least one term");
+	await requestConsoleApi({
+		method: "POST",
+		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}/console-workspace-terms`,
+		cookies,
+		body: { agreedList: terms.map(({ termsId, revisionId }) => ({
+			termsId,
+			revisionId
+		})) },
+		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
+	});
+}
+//#endregion
 //#region src/config/ait-bundle.ts
 var AitBundleError = class extends Error {
 	path;
@@ -1878,30 +2028,21 @@ async function runDeploy(args, deps = {}) {
 	const steps = ["upload"];
 	if (requestReview) steps.push("review");
 	if (release) steps.push("release");
-	if (args.dryRun) {
-		if (args.json) emitJson({
-			ok: true,
-			dryRun: true,
-			workspaceId,
-			appId,
-			deploymentId,
-			bundleFormat: bundleInfo.format,
-			bytes: bundleInfo.bytes.byteLength,
-			steps,
-			memo: memo ?? null,
-			releaseNotes: releaseNotes ?? null,
-			confirmed: confirm
-		});
-		else {
-			const stepsLine = steps.map((s) => {
-				if (s === "review") return `review (releaseNotes: ${JSON.stringify(releaseNotes ?? "")})`;
-				if (s === "release") return `release (${confirm ? "confirmed" : "NOT confirmed"})`;
-				return s;
-			}).join(" → ");
-			process.stdout.write(`DRY RUN\n  app           ${appId}\n  workspace     ${workspaceId}\n  bundle        ${args.path} (${bundleInfo.bytes.byteLength} bytes)\n  deploymentId  ${deploymentId}\n  memo          ${memo ?? "(none)"}\n  steps         ${stepsLine}\n`);
-		}
-		return exitAfterFlush(ExitCode.Ok);
-	}
+	if (args.dryRun) return runDryRun({
+		json: args.json,
+		path: args.path,
+		bundleInfo,
+		deploymentId,
+		explicitDeploymentId: typeof args.deploymentId === "string" && args.deploymentId !== "",
+		workspaceId,
+		appId,
+		session,
+		steps,
+		memo,
+		releaseNotes,
+		confirm,
+		fetchImpl: deps.fetchImpl
+	});
 	const apiOpts = deps.fetchImpl ? { fetchImpl: deps.fetchImpl } : {};
 	let uploaded = false;
 	let bundleRecord = null;
@@ -2037,38 +2178,154 @@ async function emitPartialFailure(json, err, progress) {
 	else process.stderr.write(`Unexpected error: ${err.message}\n`);
 	return exitAfterFlush(ExitCode.ApiError);
 }
-//#endregion
-//#region src/api/me.ts
-const BASE$3 = "https://apps-in-toss.toss.im/console/api-public/v3/appsintossconsole";
-const MEMBER_USER_INFO_URL = `${BASE$3}/members/me/user-info`;
-async function fetchConsoleMemberUserInfo(cookies, opts = {}) {
-	return requestConsoleApi({
-		url: MEMBER_USER_INFO_URL,
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
+const WORKSPACE_TERM_ERROR_CODES = {
+	TOSS_LOGIN: 4037,
+	BIZ_WORKSPACE: 4040,
+	TOSS_PROMOTION_MONEY: 4039,
+	IAA: 4099,
+	IAP: 5001
+};
+async function runDryRun(input) {
+	const apiOpts = input.fetchImpl ? { fetchImpl: input.fetchImpl } : {};
+	const embedded = input.bundleInfo.deploymentId;
+	const flagMatch = input.explicitDeploymentId ? input.deploymentId === embedded : null;
+	const [permissions, terms] = await Promise.all([fetchPermissions(input.workspaceId, input.session, apiOpts), fetchTermsBlockers(input.workspaceId, input.session, apiOpts)]);
+	const wouldSucceed = (flagMatch === null || flagMatch === true) && terms.blockers.length === 0;
+	if (input.json) {
+		emitJson({
+			ok: true,
+			dryRun: true,
+			wouldSucceed,
+			workspaceId: input.workspaceId,
+			appId: input.appId,
+			deploymentId: input.deploymentId,
+			bundleFormat: input.bundleInfo.format,
+			bytes: input.bundleInfo.bytes.byteLength,
+			steps: input.steps,
+			memo: input.memo ?? null,
+			releaseNotes: input.releaseNotes ?? null,
+			confirmed: input.confirm,
+			bundle: {
+				path: input.path,
+				format: input.bundleInfo.format,
+				deploymentId: input.deploymentId,
+				embeddedDeploymentId: embedded,
+				deploymentIdSource: input.explicitDeploymentId ? "flag" : "bundle",
+				flagMatch,
+				size: input.bundleInfo.bytes.byteLength
+			},
+			context: {
+				workspaceId: input.workspaceId,
+				appId: input.appId,
+				sessionValid: true,
+				permissions
+			},
+			terms
+		});
+		return exitAfterFlush(ExitCode.Ok);
+	}
+	process.stdout.write(renderDryRunText(input, {
+		embedded,
+		flagMatch,
+		permissions,
+		terms,
+		wouldSucceed
+	}));
+	return exitAfterFlush(ExitCode.Ok);
 }
-async function fetchUserTerms(cookies, opts = {}) {
-	const raw = await requestConsoleApi({
-		url: `${BASE$3}/console-user-terms/me`,
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-	if (!Array.isArray(raw)) throw new Error("Unexpected user-terms shape: not an array");
-	return raw.map((entry, i) => {
-		if (!entry || typeof entry !== "object") throw new Error(`Unexpected user-terms entry at index ${i}`);
-		const e = entry;
+async function fetchPermissions(workspaceId, session, apiOpts) {
+	try {
+		const ws = (await fetchConsoleMemberUserInfo(session.cookies, apiOpts)).workspaces.find((w) => w.workspaceId === workspaceId);
+		if (!ws) return {
+			role: null,
+			source: "unknown",
+			error: `current user has no membership in workspace ${workspaceId}`
+		};
 		return {
-			required: Boolean(e.required),
-			termsId: typeof e.termsId === "number" ? e.termsId : 0,
-			revisionId: typeof e.revisionId === "number" ? e.revisionId : 0,
-			title: typeof e.title === "string" ? e.title : "",
-			contentsUrl: typeof e.contentsUrl === "string" ? e.contentsUrl : "",
-			actionType: typeof e.actionType === "string" ? e.actionType : "",
-			isAgreed: Boolean(e.isAgreed),
-			isOneTimeConsent: Boolean(e.isOneTimeConsent)
+			role: ws.role,
+			source: "members/me"
 		};
-	});
+	} catch (err) {
+		return {
+			role: null,
+			source: "unknown",
+			error: err.message
+		};
+	}
+}
+async function fetchTermsBlockers(workspaceId, session, apiOpts) {
+	try {
+		const [userTerms, workspaceResults] = await Promise.all([fetchUserTerms(session.cookies, apiOpts), Promise.all(WORKSPACE_TERM_TYPES.map(async (t) => [t, await fetchWorkspaceTerms(workspaceId, t, session.cookies, apiOpts)]))]);
+		const blockers = [];
+		for (const t of userTerms) if (t.required && !t.isAgreed) blockers.push({
+			scope: "user",
+			type: "USER_TERMS",
+			errorCode: 4036,
+			title: t.title,
+			action: "aitcc me terms"
+		});
+		for (const [type, terms] of workspaceResults) for (const t of terms) {
+			if (!t.required || t.isAgreed) continue;
+			blockers.push({
+				scope: "workspace",
+				type,
+				errorCode: WORKSPACE_TERM_ERROR_CODES[type],
+				title: t.title,
+				action: `aitcc workspace terms --type ${type}`
+			});
+		}
+		return {
+			blockers,
+			checked: true
+		};
+	} catch (err) {
+		return {
+			blockers: [],
+			checked: false,
+			error: err.message
+		};
+	}
+}
+function renderDryRunText(input, derived) {
+	const lines = [];
+	lines.push(`DRY RUN — app deploy ${input.appId}\n`);
+	lines.push("\nBundle\n");
+	lines.push(`  path          ${input.path}\n`);
+	lines.push(`  format        ${input.bundleInfo.format.toUpperCase()}\n`);
+	lines.push(`  deploymentId  ${input.deploymentId}\n`);
+	if (derived.flagMatch === false) lines.push(`  flag match    MISMATCH (bundle embeds ${derived.embedded})\n`);
+	else if (derived.flagMatch === true) lines.push(`  flag match    ok (matches embedded)\n`);
+	lines.push(`  size          ${formatBytes(input.bundleInfo.bytes.byteLength)}\n`);
+	lines.push("\nContext\n");
+	lines.push(`  workspace     ${input.workspaceId}\n`);
+	lines.push(`  app           ${input.appId}\n`);
+	lines.push(`  session       valid\n`);
+	if (derived.permissions.role !== null) lines.push(`  permissions   ${derived.permissions.role}\n`);
+	else lines.push(`  permissions   unknown${derived.permissions.error ? ` (${derived.permissions.error})` : ""}\n`);
+	lines.push("\nTerms\n");
+	if (!derived.terms.checked) {
+		lines.push(`  warning: could not check terms status (${derived.terms.error ?? "unknown error"}).\n`);
+		lines.push("  live deploy may still fail with a 4032/4036/4037/4039/4040/4099/5001 errorCode.\n");
+	} else if (derived.terms.blockers.length === 0) lines.push("  all deploy-related terms are agreed\n");
+	else for (const b of derived.terms.blockers) lines.push(`  blocked: ${b.scope}/${b.type} — ${b.title} (errorCode ${b.errorCode})\n    action: ${b.action}\n`);
+	lines.push("\nPlan\n");
+	const stepsLine = input.steps.map((s) => {
+		if (s === "review") return `review (releaseNotes: ${JSON.stringify(input.releaseNotes ?? "")})`;
+		if (s === "release") return `release (${input.confirm ? "confirmed" : "NOT confirmed"})`;
+		return s;
+	}).join(" → ");
+	lines.push(`  steps         ${stepsLine}\n`);
+	lines.push(`  memo          ${input.memo ?? "(none)"}\n`);
+	lines.push("\nResult\n");
+	if (!derived.wouldSucceed) lines.push("  Live deploy would fail. Resolve the blocked items above, then re-run.\n");
+	else if (derived.permissions.role === null) lines.push("  Live deploy would clear bundle + terms checks. Workspace membership could not be confirmed; live deploy may still fail with a permissions error.\n");
+	else lines.push("  Live deploy would clear every pre-flight check.\n");
+	return lines.join("");
+}
+function formatBytes(n) {
+	if (n < 1024) return `${n} B`;
+	if (n < 1024 * 1024) return `${(n / 1024).toFixed(1)} KB`;
+	return `${(n / (1024 * 1024)).toFixed(1)} MB`;
 }
 //#endregion
 //#region src/config/app-manifest.ts
@@ -2336,7 +2593,7 @@ async function runAppInit(args) {
 		workspaceId = await pickWorkspace(session.cookies);
 		categoryIds = await pickCategories(session.cookies);
 	} catch (err) {
-		if (isPromptCancelled$1(err)) {
+		if (isPromptCancelled$2(err)) {
 			process.stderr.write("Aborted.\n");
 			return exitAfterFlush(ExitCode.Usage);
 		}
@@ -2379,7 +2636,7 @@ async function runAppInit(args) {
 			categoryIds
 		};
 	} catch (err) {
-		if (isPromptCancelled$1(err)) {
+		if (isPromptCancelled$2(err)) {
 			process.stderr.write("Aborted.\n");
 			return exitAfterFlush(ExitCode.Usage);
 		}
@@ -2438,7 +2695,7 @@ async function fileExists(path) {
 		return false;
 	}
 }
-function isPromptCancelled$1(err) {
+function isPromptCancelled$2(err) {
 	return err instanceof Error && err.name === "ExitPromptError";
 }
 async function pickWorkspace(cookies) {
@@ -4296,6 +4553,25 @@ const bundlesCommand = defineCommand({
 		})
 	}
 });
+const CERT_EXPIRY_WARN_DAYS = 30;
+const MS_PER_DAY = 864e5;
+function deriveDaysUntilExpiry(cert, now) {
+	const raw = cert.expireTs;
+	let ts = null;
+	if (typeof raw === "number" && Number.isFinite(raw)) ts = raw;
+	else if (typeof raw === "string") {
+		const parsed = Date.parse(raw);
+		if (Number.isFinite(parsed)) ts = parsed;
+	}
+	if (ts === null) return null;
+	return Math.floor((ts - now) / MS_PER_DAY);
+}
+function expiryMarker(days) {
+	if (days === null) return "";
+	if (days < 0) return `\t⚠ 만료됨`;
+	if (days <= CERT_EXPIRY_WARN_DAYS) return `\t⚠ 만료 임박 (${days}일)`;
+	return "";
+}
 const certsLsCommand = defineCommand({
 	meta: {
 		name: "ls",
@@ -4330,27 +4606,153 @@ const certsLsCommand = defineCommand({
 		const { session, workspaceId } = ctx;
 		try {
 			const certs = await fetchCerts(workspaceId, appId, session.cookies);
+			const now = Date.now();
+			const augmented = certs.map((c) => ({
+				...c,
+				daysUntilExpiry: deriveDaysUntilExpiry(c, now)
+			}));
+			if (args.json) {
+				emitJson({
+					ok: true,
+					workspaceId,
+					appId,
+					certs: augmented
+				});
+				return exitAfterFlush(ExitCode.Ok);
+			}
+			if (augmented.length === 0) {
+				process.stdout.write(`App ${appId} (ws ${workspaceId}): no mTLS certs\n`);
+				return exitAfterFlush(ExitCode.Ok);
+			}
+			process.stdout.write(`App ${appId} (ws ${workspaceId}): ${augmented.length} cert(s)\n`);
+			for (const c of augmented) {
+				const id = typeof c.id === "string" || typeof c.id === "number" ? c.id : typeof c.certId === "string" || typeof c.certId === "number" ? c.certId : "-";
+				const cn = typeof c.commonName === "string" ? c.commonName : "-";
+				const createdAt = typeof c.createdAt === "string" ? c.createdAt : "";
+				const expiresAt = typeof c.expiresAt === "string" ? c.expiresAt : typeof c.validUntil === "string" ? c.validUntil : typeof c.expireTs === "number" && Number.isFinite(c.expireTs) ? new Date(c.expireTs).toISOString() : "";
+				process.stdout.write(`${id}\t${cn}\t${createdAt}\t${expiresAt}${expiryMarker(c.daysUntilExpiry)}\n`);
+			}
+			return exitAfterFlush(ExitCode.Ok);
+		} catch (err) {
+			return emitFailureFromError(args.json, err);
+		}
+	}
+});
+function pickCertById(certs, certId) {
+	const target = certId.trim();
+	if (target.length === 0) return null;
+	for (const c of certs) {
+		const candidate = typeof c.id === "string" || typeof c.id === "number" ? c.id : typeof c.certId === "string" || typeof c.certId === "number" ? c.certId : null;
+		if (candidate !== null && String(candidate) === target) return c;
+	}
+	return null;
+}
+function augmentCertExpiry(cert, now = Date.now()) {
+	let expiresAtMs;
+	if (typeof cert.expireTs === "number" && Number.isFinite(cert.expireTs)) expiresAtMs = cert.expireTs;
+	else if (typeof cert.expiresAt === "string") {
+		const t = Date.parse(cert.expiresAt);
+		if (Number.isFinite(t)) expiresAtMs = t;
+	} else if (typeof cert.validUntil === "string") {
+		const t = Date.parse(cert.validUntil);
+		if (Number.isFinite(t)) expiresAtMs = t;
+	}
+	if (expiresAtMs === void 0) return {};
+	const daysUntilExpiry = Math.floor((expiresAtMs - now) / 864e5);
+	return {
+		expiresAtMs,
+		daysUntilExpiry
+	};
+}
+const certsShowCommand = defineCommand({
+	meta: {
+		name: "show",
+		description: "Show a single mTLS certificate by id (metadata only — no PEM)."
+	},
+	args: {
+		certId: {
+			type: "positional",
+			description: "Cert ID (from `app certs ls`).",
+			required: true
+		},
+		app: {
+			type: "string",
+			description: "Mini-app ID the cert belongs to."
+		},
+		workspace: {
+			type: "string",
+			description: "Workspace ID. Defaults to the selected workspace."
+		},
+		json: {
+			type: "boolean",
+			description: "Emit machine-readable JSON.",
+			default: false
+		}
+	},
+	async run({ args }) {
+		const certId = typeof args.certId === "string" ? args.certId.trim() : "";
+		if (certId.length === 0) {
+			if (args.json) emitJson({
+				ok: false,
+				reason: "missing-cert-id",
+				message: "certId positional is required"
+			});
+			else process.stderr.write("app certs show: certId is required\n");
+			return exitAfterFlush(ExitCode.Usage);
+		}
+		const ctx = await resolveAppOrFail({
+			json: args.json,
+			appIdRaw: args.app,
+			appIdField: "app",
+			...args.workspace !== void 0 ? { workspace: args.workspace } : {}
+		});
+		if (!ctx) return;
+		const appId = await requireMiniAppId(ctx, args.json);
+		if (appId === null) return;
+		printContextHeader(ctx, { json: args.json });
+		const { session, workspaceId } = ctx;
+		try {
+			const match = pickCertById(await fetchCerts(workspaceId, appId, session.cookies), certId);
+			if (match === null) {
+				if (args.json) emitJson({
+					ok: false,
+					reason: "not-found",
+					workspaceId,
+					appId,
+					certId,
+					message: `cert ${certId} not found on app ${appId}`
+				});
+				else process.stderr.write(`app certs show: cert ${certId} not found on app ${appId} (ws ${workspaceId})\n`);
+				return exitAfterFlush(ExitCode.Usage);
+			}
+			const expiry = augmentCertExpiry(match);
 			if (args.json) {
 				emitJson({
 					ok: true,
 					workspaceId,
 					appId,
-					certs
+					cert: match,
+					...expiry
 				});
 				return exitAfterFlush(ExitCode.Ok);
 			}
-			if (certs.length === 0) {
-				process.stdout.write(`App ${appId} (ws ${workspaceId}): no mTLS certs\n`);
-				return exitAfterFlush(ExitCode.Ok);
-			}
-			process.stdout.write(`App ${appId} (ws ${workspaceId}): ${certs.length} cert(s)\n`);
-			for (const c of certs) {
-				const id = typeof c.id === "string" || typeof c.id === "number" ? c.id : typeof c.certId === "string" || typeof c.certId === "number" ? c.certId : "-";
-				const cn = typeof c.commonName === "string" ? c.commonName : "-";
-				const createdAt = typeof c.createdAt === "string" ? c.createdAt : "";
-				const expiresAt = typeof c.expiresAt === "string" ? c.expiresAt : typeof c.validUntil === "string" ? c.validUntil : "";
-				process.stdout.write(`${id}\t${cn}\t${createdAt}\t${expiresAt}\n`);
+			const id = typeof match.id === "string" || typeof match.id === "number" ? match.id : typeof match.certId === "string" || typeof match.certId === "number" ? match.certId : "-";
+			const name = typeof match.name === "string" ? match.name : "-";
+			const cn = typeof match.commonName === "string" ? match.commonName : "";
+			const createdAt = typeof match.createdAt === "string" ? match.createdAt : "";
+			const expiresAtIso = expiry.expiresAtMs !== void 0 ? new Date(expiry.expiresAtMs).toISOString() : "";
+			const status = typeof match.status === "string" ? match.status : "";
+			const lines = [`App ${appId} (ws ${workspaceId}): cert ${id}`, `  name:        ${name}`];
+			if (cn) lines.push(`  commonName:  ${cn}`);
+			if (createdAt) lines.push(`  createdAt:   ${createdAt}`);
+			if (expiresAtIso) lines.push(`  expiresAt:   ${expiresAtIso}`);
+			if (expiry.daysUntilExpiry !== void 0) {
+				const d = expiry.daysUntilExpiry;
+				const suffix = d > 0 ? ` (D-${d})` : d === 0 ? " (expires today)" : ` (expired ${-d} day(s) ago)`;
+				lines.push(`  daysUntilExpiry: ${d}${suffix}`);
 			}
+			if (status) lines.push(`  status:      ${status}`);
+			process.stdout.write(`${lines.join("\n")}\n`);
 			return exitAfterFlush(ExitCode.Ok);
 		} catch (err) {
 			return emitFailureFromError(args.json, err);
@@ -4370,6 +4772,7 @@ const certsCommand = defineCommand({
 	},
 	subCommands: {
 		ls: certsLsCommand,
+		show: certsShowCommand,
 		issue: defineCommand({
 			meta: {
 				name: "issue",
@@ -5453,7 +5856,7 @@ async function runCommand(command, opts) {
 function isCommandNotFound(err) {
 	return err.code === "ENOENT";
 }
-function stripTrailingNewline(s) {
+function stripTrailingNewline$1(s) {
 	return s.replace(/\r?\n$/, "");
 }
 function redactStderr(stderr) {
@@ -5487,7 +5890,7 @@ const LINUX_BACKEND = {
 			throw new CredentialBackendCommandError("secret-tool lookup", result.exitCode, redactStderr(result.stderr));
 		}
 		if (result.stdout.length === 0) return null;
-		const password = stripTrailingNewline(result.stdout);
+		const password = stripTrailingNewline$1(result.stdout);
 		return password.length > 0 ? password : null;
 	},
 	async set(account, password) {
@@ -5551,7 +5954,7 @@ const MACOS_BACKEND = {
 		}
 		if (result.exitCode === 44) return null;
 		if (result.exitCode !== 0) return null;
-		const password = stripTrailingNewline(result.stdout);
+		const password = stripTrailingNewline$1(result.stdout);
 		return password.length > 0 ? password : null;
 	},
 	async set(account, password) {
@@ -6086,13 +6489,17 @@ const authImportCommand = defineCommand({
 });
 //#endregion
 //#region src/commands/auth.ts
+function emitDeprecation(replacement) {
+	process.stderr.write(`warning: this command is deprecated and will be removed in 1.0; ${replacement}\n`);
+}
 async function runAuthSet(args, deps = {}) {
+	emitDeprecation("use `aitcc login` (interactive prompt offers a save option).");
 	const env = deps.env ?? process.env;
 	let email = args.email?.trim();
-	let password$2 = args.password;
-	const argvPasswordUsed = password$2 !== void 0;
+	let password$1 = args.password;
+	const argvPasswordUsed = password$1 !== void 0;
 	if (!email && env.AITCC_EMAIL) email = env.AITCC_EMAIL;
-	if (password$2 === void 0 && env.AITCC_PASSWORD) password$2 = env.AITCC_PASSWORD;
+	if (password$1 === void 0 && env.AITCC_PASSWORD) password$1 = env.AITCC_PASSWORD;
 	if (argvPasswordUsed) process.stderr.write("Warning: --password on argv is visible in `ps`/Task Manager. Prefer the AITCC_PASSWORD environment variable for scripted use.\n");
 	const interactive = process.stdout.isTTY && process.stdin.isTTY && !args.json;
 	if (!email) {
@@ -6106,7 +6513,7 @@ async function runAuthSet(args, deps = {}) {
 				validate: (raw) => raw.trim().length > 0 ? true : "email is required"
 			})).trim();
 		} catch (err) {
-			if (isPromptCancelled(err)) {
+			if (isPromptCancelled$1(err)) {
 				process.stderr.write("Aborted.\n");
 				return exitAfterFlush(ExitCode.Usage);
 			}
@@ -6122,26 +6529,26 @@ async function runAuthSet(args, deps = {}) {
 		else process.stderr.write(`Invalid email: ${email}\n`);
 		return exitAfterFlush(ExitCode.Usage);
 	}
-	if (password$2 === void 0) {
+	if (password$1 === void 0) {
 		if (!interactive) {
 			emitInteractiveRequired(args.json, "password");
 			return exitAfterFlush(ExitCode.Usage);
 		}
 		try {
-			password$2 = await password({
+			password$1 = await password({
 				message: "Password:",
 				mask: true,
 				validate: (raw) => raw.length > 0 ? true : "password is required"
 			});
 		} catch (err) {
-			if (isPromptCancelled(err)) {
+			if (isPromptCancelled$1(err)) {
 				process.stderr.write("Aborted.\n");
 				return exitAfterFlush(ExitCode.Usage);
 			}
 			throw err;
 		}
 	}
-	if (password$2.length === 0) {
+	if (password$1.length === 0) {
 		if (args.json) emitJson({
 			ok: false,
 			reason: "invalid-password",
@@ -6152,7 +6559,7 @@ async function runAuthSet(args, deps = {}) {
 	}
 	let result;
 	try {
-		result = await saveCredentials(email, password$2, deps.backend ? { override: deps.backend } : {});
+		result = await saveCredentials(email, password$1, deps.backend ? { override: deps.backend } : {});
 	} catch (err) {
 		const message = err.message;
 		if (args.json) emitJson({
@@ -6173,6 +6580,7 @@ async function runAuthSet(args, deps = {}) {
 	return exitAfterFlush(ExitCode.Ok);
 }
 async function runAuthClear(args, deps = {}) {
+	emitDeprecation("use `aitcc logout --purge` to remove session and saved credentials together.");
 	const interactive = process.stdout.isTTY && process.stdin.isTTY && !args.json;
 	const active = await getActiveCredentialEmail(deps.env ? { env: deps.env } : {}).catch(() => null);
 	if (!args.yes) {
@@ -6193,7 +6601,7 @@ async function runAuthClear(args, deps = {}) {
 				default: false
 			});
 		} catch (err) {
-			if (isPromptCancelled(err)) {
+			if (isPromptCancelled$1(err)) {
 				process.stderr.write("Aborted.\n");
 				return exitAfterFlush(ExitCode.Usage);
 			}
@@ -6231,6 +6639,7 @@ async function runAuthClear(args, deps = {}) {
 	return exitAfterFlush(ExitCode.Ok);
 }
 async function runAuthStatus(args, deps = {}) {
+	emitDeprecation("use `aitcc whoami` (now reports credential source).");
 	const active = await getActiveCredentialEmail(deps.env ? { env: deps.env } : {}).catch(() => null);
 	const session = await readSession();
 	if (args.json) {
@@ -6269,7 +6678,7 @@ function emitInteractiveRequired(json, missing) {
 	});
 	else process.stderr.write(`Cannot prompt for ${missing} in non-interactive mode. Use --${missing} or set AITCC_${missing.toUpperCase()}.\n`);
 }
-function isPromptCancelled(err) {
+function isPromptCancelled$1(err) {
 	return err instanceof Error && err.name === "ExitPromptError";
 }
 const authCommand = defineCommand({
@@ -6281,7 +6690,7 @@ const authCommand = defineCommand({
 		set: defineCommand({
 			meta: {
 				name: "set",
-				description: "Save email + password to the OS keychain for future headless logins."
+				description: "[deprecated] Use `aitcc login` instead — the prompt now offers a save option."
 			},
 			args: {
 				json: {
@@ -6309,7 +6718,7 @@ const authCommand = defineCommand({
 		clear: defineCommand({
 			meta: {
 				name: "clear",
-				description: "Delete the saved credentials and the auth-state pointer."
+				description: "[deprecated] Use `aitcc logout --purge` instead."
 			},
 			args: {
 				json: {
@@ -6334,7 +6743,7 @@ const authCommand = defineCommand({
 		status: defineCommand({
 			meta: {
 				name: "status",
-				description: "Report whether credentials and a session are configured."
+				description: "[deprecated] Use `aitcc whoami` (now reports credential source)."
 			},
 			args: { json: {
 				type: "boolean",
@@ -7494,10 +7903,38 @@ function chooseLoginMode(input) {
 	if (input.interactiveFlag) return "interactive";
 	return input.hasCredentials ? "headless" : "interactive";
 }
+const defaultPromptDeps = {
+	email: (defaultValue) => input({
+		message: "Email:",
+		...defaultValue !== void 0 ? { default: defaultValue } : {},
+		validate: (raw) => {
+			const trimmed = raw.trim();
+			if (trimmed.length === 0) return "email is required";
+			if (!trimmed.includes("@")) return "must contain \"@\"";
+			return true;
+		}
+	}).then((s) => s.trim()),
+	password: () => password({
+		message: "Password:",
+		mask: true,
+		validate: (raw) => raw.length > 0 ? true : "password is required"
+	}),
+	saveTarget: () => select({
+		message: "Where would you like to save the credentials?",
+		default: "keychain",
+		choices: [{
+			name: "OS keychain (recommended) — next login runs headlessly",
+			value: "keychain"
+		}, {
+			name: "Do not save — one-shot. (Tip: AITCC_EMAIL/AITCC_PASSWORD env for CI.)",
+			value: "none"
+		}]
+	})
+};
 const loginCommand = defineCommand({
 	meta: {
 		name: "login",
-		description: "Open a browser to sign in, then capture the console session cookies."
+		description: "Sign in to the Apps in Toss console and capture the session cookies."
 	},
 	args: {
 		json: {
@@ -7515,9 +7952,26 @@ const loginCommand = defineCommand({
 			description: "Force the visible-browser flow even if credentials are configured.",
 			default: false
 		},
+		email: {
+			type: "string",
+			description: "Email (skip prompt; required for non-interactive use)."
+		},
+		password: {
+			type: "string",
+			description: "Password (skip prompt; visible in `ps`/Task Manager — prefer --password-stdin or AITCC_PASSWORD env)."
+		},
+		"password-stdin": {
+			type: "boolean",
+			description: "Read the password from stdin (recommended for non-interactive use).",
+			default: false
+		},
+		save: {
+			type: "string",
+			description: "Where to persist credentials when --email/--password* are passed: \"keychain\" or \"none\" (default)."
+		},
 		"skip-onboarding": {
 			type: "boolean",
-			description: "Skip the post-login prompt to save credentials to the OS keychain.",
+			description: "Deprecated no-op; kept so existing scripts do not break.",
 			default: false
 		}
 	},
@@ -7526,7 +7980,10 @@ const loginCommand = defineCommand({
 			json: args.json,
 			timeout: args.timeout,
 			interactive: args.interactive,
-			skipOnboarding: args["skip-onboarding"]
+			email: typeof args.email === "string" ? args.email : void 0,
+			password: typeof args.password === "string" ? args.password : void 0,
+			passwordStdin: args["password-stdin"],
+			save: typeof args.save === "string" ? args.save : void 0
 		}, {
 			getCredentials: loadCredentials,
 			saveCredentials
@@ -7570,17 +8027,41 @@ async function runLoginCommand(args, deps) {
 		}
 		process.stderr.write(`Using custom authorize URL from AITCC_OAUTH_URL: ${authorizeUrl}\n`);
 	}
-	let credentials = null;
-	if (!args.interactive) {
-		const getCredentials = deps.getCredentials;
-		if (getCredentials) credentials = await getCredentials().catch((err) => {
-			process.stderr.write(`Credential lookup failed (${err.message}); using interactive login.\n`);
-			return null;
-		});
+	const resolved = await resolveCredentialsForLogin(args, deps);
+	if (resolved.kind === "error") {
+		emitError({
+			reason: resolved.reason,
+			message: resolved.message
+		}, resolved.message);
+		return exitAfterFlush(resolved.exitCode);
+	}
+	let saved = "skipped";
+	if (resolved.saveTarget === "keychain" && resolved.credentials !== null) {
+		const save = deps.saveCredentials;
+		if (!save) {
+			emitError({
+				reason: "save-unavailable",
+				message: "no save backend configured"
+			}, "Cannot save credentials: no backend configured.");
+			return exitAfterFlush(ExitCode.Generic);
+		}
+		try {
+			const result = await save(resolved.credentials.email, resolved.credentials.password);
+			saved = result.status;
+			if (!args.json) if (result.status === "unchanged") process.stderr.write("Credentials already saved (no change).\n");
+			else process.stderr.write(`Credentials saved to OS keychain (${resolved.credentials.email}).\n`);
+		} catch (err) {
+			const message = err.message;
+			emitError({
+				reason: "keychain-save-failed",
+				message
+			}, `Failed to save credentials to the OS keychain: ${message}\nOn Linux, install libsecret (\`secret-tool\`) and retry. Re-run with \`--save none\` to skip persistence.`);
+			return exitAfterFlush(ExitCode.Usage);
+		}
 	}
 	const initialMode = chooseLoginMode({
 		interactiveFlag: args.interactive,
-		hasCredentials: credentials !== null
+		hasCredentials: resolved.credentials !== null
 	});
 	const endpointTimeoutMs = Math.min(6e4, Math.max(3e4, Math.floor(timeoutMs / 2)));
 	const firstAttemptStart = Date.now();
@@ -7590,9 +8071,9 @@ async function runLoginCommand(args, deps) {
 		endpointTimeoutMs,
 		authorizeUrl,
 		mode: initialMode,
-		credentials,
-		emitError,
-		deps
+		credentials: resolved.credentials,
+		saved,
+		emitError
 	});
 	if (result.status === "fallback-to-interactive") {
 		process.stderr.write(`${result.message}\n`);
@@ -7603,8 +8084,8 @@ async function runLoginCommand(args, deps) {
 			authorizeUrl,
 			mode: "interactive",
 			credentials: null,
-			emitError,
-			deps
+			saved,
+			emitError
 		});
 		if (second.status === "exit") return exitAfterFlush(second.code);
 		second.status;
@@ -7612,8 +8093,167 @@ async function runLoginCommand(args, deps) {
 	}
 	return exitAfterFlush(result.code);
 }
+/**
+* Resolve credentials and the requested save target for `aitcc login`.
+* Pure-ish: only side-effect is reading stdin via `deps.readStdin` (when
+* `--password-stdin` is set) and prompting via `deps.prompts` (when TTY).
+*/
+async function resolveCredentialsForLogin(args, deps, opts = {}) {
+	const env = opts.env ?? process.env;
+	const stdoutIsTTY = opts.stdoutIsTTY ?? Boolean(process.stdout.isTTY);
+	const stdinIsTTY = opts.stdinIsTTY ?? Boolean(process.stdin.isTTY);
+	const interactiveTty = stdoutIsTTY && stdinIsTTY && !args.json;
+	if (args.password !== void 0 && args.passwordStdin) return {
+		kind: "error",
+		reason: "conflicting-password-source",
+		message: "--password and --password-stdin cannot be used together.",
+		exitCode: ExitCode.Usage
+	};
+	if (args.interactive && (args.email !== void 0 || args.password !== void 0 || args.passwordStdin || args.save !== void 0)) return {
+		kind: "error",
+		reason: "conflicting-interactive-flags",
+		message: "--interactive cannot be combined with --email/--password/--password-stdin/--save. Drop --interactive to use credentials, or drop the credential flags to type in the browser.",
+		exitCode: ExitCode.Usage
+	};
+	let saveTarget;
+	if (args.save !== void 0) {
+		if (args.save !== "keychain" && args.save !== "none") return {
+			kind: "error",
+			reason: "invalid-save",
+			message: `--save must be "keychain" or "none" (got "${args.save}").`,
+			exitCode: ExitCode.Usage
+		};
+		saveTarget = args.save;
+	}
+	if (args.email !== void 0 || args.password !== void 0 || args.passwordStdin) {
+		if (args.email === void 0 || args.email.trim().length === 0) return {
+			kind: "error",
+			reason: "missing-email",
+			message: "--email is required when --password / --password-stdin is passed.",
+			exitCode: ExitCode.Usage
+		};
+		if (!args.email.includes("@")) return {
+			kind: "error",
+			reason: "invalid-email",
+			message: `Invalid email: ${args.email}`,
+			exitCode: ExitCode.Usage
+		};
+		let password;
+		if (args.passwordStdin) {
+			password = stripTrailingNewline(await (deps.readStdin ?? readStdinAll)());
+			if (password.length === 0) return {
+				kind: "error",
+				reason: "invalid-password",
+				message: "--password-stdin received an empty password on stdin.",
+				exitCode: ExitCode.Usage
+			};
+		} else if (args.password !== void 0) {
+			process.stderr.write("Warning: --password on argv is visible in `ps`/Task Manager. Prefer --password-stdin or the AITCC_PASSWORD environment variable.\n");
+			password = args.password;
+			if (password.length === 0) return {
+				kind: "error",
+				reason: "invalid-password",
+				message: "--password value is empty.",
+				exitCode: ExitCode.Usage
+			};
+		} else return {
+			kind: "error",
+			reason: "missing-password",
+			message: "--email passed without a password. Add --password-stdin (recommended) or --password.",
+			exitCode: ExitCode.Usage
+		};
+		return {
+			kind: "ok",
+			credentials: {
+				source: "argv",
+				email: args.email.trim(),
+				password
+			},
+			saveTarget: saveTarget ?? "none"
+		};
+	}
+	if (args.interactive) return {
+		kind: "ok",
+		credentials: null,
+		saveTarget: saveTarget ?? "none"
+	};
+	if (env.AITCC_EMAIL && env.AITCC_PASSWORD) return {
+		kind: "ok",
+		credentials: {
+			source: "env",
+			email: env.AITCC_EMAIL,
+			password: env.AITCC_PASSWORD
+		},
+		saveTarget: saveTarget ?? "none"
+	};
+	const getCredentials = deps.getCredentials;
+	if (getCredentials) {
+		const fromStore = await getCredentials().catch((err) => {
+			process.stderr.write(`Credential lookup failed (${err.message}); ignoring.\n`);
+			return null;
+		});
+		if (fromStore) {
+			if (!args.json) process.stderr.write(`Using credentials from OS keychain for ${fromStore.email}. Pass --interactive to type a different account.
+`);
+			return {
+				kind: "ok",
+				credentials: {
+					source: fromStore.kind,
+					email: fromStore.email,
+					password: fromStore.password
+				},
+				saveTarget: saveTarget ?? "none"
+			};
+		}
+	}
+	if (interactiveTty) {
+		const prompts = deps.prompts ?? defaultPromptDeps;
+		let email;
+		let password;
+		try {
+			email = await prompts.email();
+			password = await prompts.password();
+		} catch (err) {
+			if (isPromptCancelled(err)) return {
+				kind: "error",
+				reason: "aborted",
+				message: "Aborted.",
+				exitCode: ExitCode.Usage
+			};
+			throw err;
+		}
+		let promptedSave;
+		if (saveTarget !== void 0) promptedSave = saveTarget;
+		else try {
+			promptedSave = await prompts.saveTarget();
+		} catch (err) {
+			if (isPromptCancelled(err)) return {
+				kind: "error",
+				reason: "aborted",
+				message: "Aborted.",
+				exitCode: ExitCode.Usage
+			};
+			throw err;
+		}
+		return {
+			kind: "ok",
+			credentials: {
+				source: "prompt",
+				email,
+				password
+			},
+			saveTarget: promptedSave
+		};
+	}
+	return {
+		kind: "error",
+		reason: "interactive-required",
+		message: "No credentials configured and stdin is not a TTY. Pass --email + --password-stdin (or set AITCC_EMAIL + AITCC_PASSWORD).",
+		exitCode: ExitCode.Usage
+	};
+}
 async function attemptLogin(opts) {
-	const { args, timeoutMs, endpointTimeoutMs, authorizeUrl, mode, credentials, emitError, deps } = opts;
+	const { args, timeoutMs, endpointTimeoutMs, authorizeUrl, mode, credentials, saved, emitError } = opts;
 	const launched = await launchChrome({
 		initialUrl: authorizeUrl,
 		endpointTimeoutMs,
@@ -7652,8 +8292,8 @@ async function attemptLogin(opts) {
 	}
 	if (mode === "interactive") process.stderr.write("Opened a browser window — complete the sign-in there. The CLI will capture the session automatically.\n");
 	else {
-		const source = credentials?.kind === "env" ? "env" : "keychain";
-		process.stderr.write(`Signing in headlessly with credentials from ${source}…\n`);
+		const sourceLabel = credentials?.source ?? "configured store";
+		process.stderr.write(`Signing in headlessly with credentials from ${sourceLabel}…\n`);
 	}
 	let client = null;
 	const disposeAll = async () => {
@@ -7820,57 +8460,29 @@ async function attemptLogin(opts) {
 		capturedAt: session.capturedAt,
 		cookieCount: cookies.length,
 		mode,
+		credentialSource: credentials?.source ?? "browser",
+		saved,
 		stepUp
 	})}\n`);
 	else process.stdout.write(`Logged in as ${user.name} <${user.email}>\n`);
 	await disposeAll();
-	if (mode === "interactive" && credentials === null && !args.json && !args.skipOnboarding && process.stdout.isTTY && process.stdin.isTTY && deps.saveCredentials) await runOnboardingPrompt(user.email, deps.saveCredentials);
 	return {
 		status: "exit",
 		code: ExitCode.Ok
 	};
 }
-/**
-* Post-login prompt that offers to persist the user's email + password
-* to the OS keychain so subsequent `aitcc login` runs can take the
-* headless form-fill path. Failures are non-fatal: we already wrote a
-* valid session, so a keychain hiccup just means the next login will
-* fall back to interactive — exactly the same UX as before.
-*/
-async function runOnboardingPrompt(email, save) {
-	process.stdout.write("\n");
-	process.stdout.write("Would you like to save your password to the OS keychain so the next `aitcc login` runs headlessly?\n");
-	let agreed;
-	try {
-		agreed = await confirm({
-			message: "Save credentials?",
-			default: true
-		});
-	} catch (err) {
-		if (err instanceof Error && err.name === "ExitPromptError") return;
-		process.stderr.write(`Onboarding prompt failed: ${err.message}\n`);
-		return;
-	}
-	if (!agreed) return;
-	let password$1;
-	try {
-		password$1 = await password({
-			message: "Password:",
-			mask: true,
-			validate: (raw) => raw.length > 0 ? true : "password is required"
-		});
-	} catch (err) {
-		if (err instanceof Error && err.name === "ExitPromptError") return;
-		process.stderr.write(`Could not read password: ${err.message}\n`);
-		return;
-	}
-	try {
-		await save(email, password$1);
-		process.stdout.write("Saved. Next `aitcc login` will run headlessly.\n");
-	} catch (err) {
-		process.stderr.write(`Could not save credentials: ${err.message}. You can retry later with \`aitcc auth set\`.
-`);
-	}
+async function readStdinAll() {
+	if (process.stdin.isTTY) throw new Error("--password-stdin requires stdin to be a pipe, not a TTY.");
+	process.stdin.setEncoding("utf8");
+	let buf = "";
+	for await (const chunk of process.stdin) buf += chunk;
+	return buf;
+}
+function stripTrailingNewline(s) {
+	return s.replace(/\r?\n$/, "");
+}
+function isPromptCancelled(err) {
+	return err instanceof Error && err.name === "ExitPromptError";
 }
 async function waitForLanding(client, sessionId, timeoutMs) {
 	return await new Promise((resolve) => {
@@ -7934,18 +8546,25 @@ async function resolveUserWithRetry(cookies, opts = {}) {
 const logoutCommand = defineCommand({
 	meta: {
 		name: "logout",
-		description: "Delete the local session file."
+		description: "Delete the local session file (and optionally the saved credentials)."
+	},
+	args: {
+		json: {
+			type: "boolean",
+			description: "Emit machine-readable JSON to stdout.",
+			default: false
+		},
+		purge: {
+			type: "boolean",
+			description: "Also delete saved keychain credentials and the auth-state pointer.",
+			default: false
+		}
 	},
-	args: { json: {
-		type: "boolean",
-		description: "Emit machine-readable JSON to stdout.",
-		default: false
-	} },
 	async run({ args }) {
 		const path = sessionPathForDiagnostics();
-		let existed;
+		let sessionRemoved;
 		try {
-			existed = (await clearSession()).existed;
+			sessionRemoved = (await clearSession()).existed;
 		} catch (err) {
 			const message = err.message;
 			if (args.json) process.stdout.write(`${JSON.stringify({
@@ -7957,13 +8576,29 @@ const logoutCommand = defineCommand({
 			process.stderr.write(`Failed to remove session file at ${path}: ${message}\n`);
 			return exitAfterFlush(ExitCode.Generic);
 		}
-		if (args.json) process.stdout.write(`${JSON.stringify({
-			ok: true,
-			status: existed ? "logged-out" : "no-session",
-			path
-		})}\n`);
-		else if (existed) process.stdout.write(`Logged out. Session removed from ${path}\n`);
-		else process.stdout.write(`No active session at ${path}.\n`);
+		let credentialsPurged = false;
+		let purgeError = null;
+		if (args.purge) try {
+			credentialsPurged = (await deleteCredentials()).existed;
+		} catch (err) {
+			purgeError = err.message;
+		}
+		if (args.json) {
+			const payload = {
+				ok: true,
+				sessionRemoved,
+				credentialsPurged,
+				path
+			};
+			if (purgeError !== null) payload.purgeError = purgeError;
+			process.stdout.write(`${JSON.stringify(payload)}\n`);
+		} else {
+			if (sessionRemoved) process.stdout.write(`Logged out. Session removed from ${path}\n`);
+			else process.stdout.write(`No active session at ${path}.\n`);
+			if (args.purge) if (purgeError !== null) process.stderr.write(`Could not delete saved credentials: ${purgeError}\n`);
+			else if (credentialsPurged) process.stdout.write("Saved credentials deleted from the OS keychain.\n");
+			else process.stdout.write("No saved credentials to delete.\n");
+		}
 		return exitAfterFlush(ExitCode.Ok);
 	}
 });
@@ -8498,7 +9133,7 @@ function resolveVersion() {
 		if (typeof injected === "string" && injected.length > 0) return injected;
 	} catch {}
 	try {
-		return "0.1.23";
+		return "0.1.25";
 	} catch {}
 	return "0.0.0-dev";
 }
@@ -8870,6 +9505,22 @@ function maybeEmitNotice(entry, env) {
 }
 //#endregion
 //#region src/commands/whoami.ts
+async function describeCredentialSource() {
+	const active = await getActiveCredentialEmail().catch(() => null);
+	if (!active) return {
+		source: "none",
+		email: null
+	};
+	return {
+		source: active.kind,
+		email: active.email
+	};
+}
+function formatCredentials(cred) {
+	if (cred.source === "none") return "none (run `aitcc login` to save)";
+	if (cred.source === "env") return `env (AITCC_EMAIL${cred.email ? ` = ${cred.email}` : ""})`;
+	return `keychain${cred.email ? ` (${cred.email})` : ""}`;
+}
 async function runBackgroundUpdateCheck(json) {
 	if (json) return;
 	const timeoutMs = 500;
@@ -8897,14 +9548,18 @@ const whoamiCommand = defineCommand({
 	},
 	async run({ args }) {
 		const session = await readSession();
+		const cred = await describeCredentialSource();
 		if (!session) {
 			if (args.json) process.stdout.write(`${JSON.stringify({
 				ok: true,
-				authenticated: false
+				authenticated: false,
+				credentialSource: cred.source,
+				...cred.email ? { credentialEmail: cred.email } : {}
 			})}\n`);
 			else {
 				process.stderr.write("Not logged in. Run `aitcc login` to start a session.\n");
 				process.stderr.write(`Session file checked: ${sessionPathForDiagnostics()}\n`);
+				process.stderr.write(`Credentials: ${formatCredentials(cred)}\n`);
 			}
 			return exitAfterFlush(ExitCode.NotAuthenticated);
 		}
@@ -8915,12 +9570,15 @@ const whoamiCommand = defineCommand({
 					authenticated: true,
 					source: "cache",
 					user: session.user,
-					capturedAt: session.capturedAt
+					capturedAt: session.capturedAt,
+					credentialSource: cred.source,
+					...cred.email ? { credentialEmail: cred.email } : {}
 				})}\n`);
 				return exitAfterFlush(ExitCode.Ok);
 			}
 			const label = session.user.displayName ? `${session.user.displayName} <${session.user.email}>` : session.user.email;
 			process.stdout.write(`Logged in as ${label} (cached)\n`);
+			process.stdout.write(`Credentials: ${formatCredentials(cred)}\n`);
 			process.stdout.write(`Session captured: ${session.capturedAt}\n`);
 			await runBackgroundUpdateCheck(args.json);
 			return exitAfterFlush(ExitCode.Ok);
@@ -8944,11 +9602,14 @@ const whoamiCommand = defineCommand({
 						workspaceName: w.workspaceName,
 						role: w.role
 					})),
-					capturedAt: session.capturedAt
+					capturedAt: session.capturedAt,
+					credentialSource: cred.source,
+					...cred.email ? { credentialEmail: cred.email } : {}
 				})}\n`);
 				return exitAfterFlush(ExitCode.Ok);
 			}
 			process.stdout.write(`Logged in as ${info.name} <${info.email}> (${info.role})\n`);
+			process.stdout.write(`Credentials: ${formatCredentials(cred)}\n`);
 			if (info.workspaces.length > 0) {
 				process.stdout.write("Workspaces:\n");
 				for (const w of info.workspaces) process.stdout.write(`  - ${w.workspaceName} (id ${w.workspaceId}, ${w.role})\n`);
@@ -8961,9 +9622,14 @@ const whoamiCommand = defineCommand({
 					ok: true,
 					authenticated: false,
 					reason: "session-expired",
-					errorCode: err.errorCode
+					errorCode: err.errorCode,
+					credentialSource: cred.source,
+					...cred.email ? { credentialEmail: cred.email } : {}
 				})}\n`);
-				else process.stderr.write("Session is no longer valid. Run `aitcc login` again.\n");
+				else {
+					process.stderr.write("Session is no longer valid. Run `aitcc login` again.\n");
+					process.stderr.write(`Credentials: ${formatCredentials(cred)}\n`);
+				}
 				return exitAfterFlush(ExitCode.NotAuthenticated);
 			}
 			if (err instanceof NetworkError) {
@@ -8986,120 +9652,6 @@ const whoamiCommand = defineCommand({
 	}
 });
 //#endregion
-//#region src/api/workspaces.ts
-const WORKSPACES_BASE = "https://apps-in-toss.toss.im/console/api-public/v3/appsintossconsole";
-async function fetchWorkspaceDetail(workspaceId, cookies, opts = {}) {
-	const raw = await requestConsoleApi({
-		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}`,
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-	const id = raw.id;
-	const name = raw.name;
-	if (typeof id !== "number" || !Number.isInteger(id) || id <= 0 || typeof name !== "string") throw new Error(`Unexpected workspace detail shape for id=${workspaceId}`);
-	const { id: _id, name: _name, ...extra } = raw;
-	return {
-		workspaceId: id,
-		workspaceName: name,
-		extra
-	};
-}
-async function fetchWorkspacePartner(workspaceId, cookies, opts = {}) {
-	const raw = await requestConsoleApi({
-		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}/partner`,
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-	const registered = raw.registered;
-	if (typeof registered !== "boolean") throw new Error(`Unexpected workspace partner shape for id=${workspaceId}`);
-	return {
-		registered,
-		approvalType: typeof raw.approvalType === "string" ? raw.approvalType : null,
-		rejectMessage: typeof raw.rejectMessage === "string" ? raw.rejectMessage : null,
-		partner: raw.partner && typeof raw.partner === "object" ? raw.partner : null
-	};
-}
-const WORKSPACE_TERM_TYPES = [
-	"TOSS_LOGIN",
-	"BIZ_WORKSPACE",
-	"TOSS_PROMOTION_MONEY",
-	"IAA",
-	"IAP"
-];
-const DEFAULT_SEGMENT_CATEGORY = "생성된 세그먼트";
-async function fetchWorkspaceSegments(params, cookies, opts = {}) {
-	const page = params.page ?? 0;
-	const qs = new URLSearchParams();
-	qs.set("category", params.category ?? DEFAULT_SEGMENT_CATEGORY);
-	qs.set("search", params.search ?? "");
-	qs.set("page", String(page));
-	const raw = await requestConsoleApi({
-		url: `${WORKSPACES_BASE}/workspaces/${params.workspaceId}/segments/list?${qs.toString()}`,
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-	if (raw === null || typeof raw !== "object" || Array.isArray(raw)) throw new Error(`Unexpected segments shape for workspace=${params.workspaceId}`);
-	const data = raw;
-	return {
-		contents: (Array.isArray(data.contents) ? data.contents : []).map((c) => c && typeof c === "object" ? c : {}),
-		totalPage: typeof data.totalPage === "number" ? data.totalPage : 0,
-		currentPage: typeof data.currentPage === "number" ? data.currentPage : page
-	};
-}
-async function fetchWorkspaceTerms(workspaceId, type, cookies, opts = {}) {
-	const raw = await requestConsoleApi({
-		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}/console-workspace-terms/${type}/skip-permission`,
-		cookies,
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-	if (!Array.isArray(raw)) throw new Error(`Unexpected workspace terms shape for type=${type}`);
-	return raw.map((entry, i) => {
-		if (!entry || typeof entry !== "object") throw new Error(`Unexpected workspace terms entry at index ${i} for type=${type}`);
-		const e = entry;
-		return {
-			required: Boolean(e.required),
-			termsId: typeof e.termsId === "number" ? e.termsId : 0,
-			revisionId: typeof e.revisionId === "number" ? e.revisionId : 0,
-			title: typeof e.title === "string" ? e.title : "",
-			contentsUrl: typeof e.contentsUrl === "string" ? e.contentsUrl : "",
-			actionType: typeof e.actionType === "string" ? e.actionType : "",
-			isAgreed: Boolean(e.isAgreed),
-			isOneTimeConsent: Boolean(e.isOneTimeConsent)
-		};
-	});
-}
-/**
-* Persist agreement for one-or-more workspace terms. The endpoint takes a
-* single `agreedList` regardless of which bucket the terms came from — the
-* type tag is implicit in the (termsId, revisionId) pairs.
-*
-* Captured behaviour (2026-05-08, ws=36577):
-*   - `POST /workspaces/<wid>/console-workspace-terms` with body
-*     `{"agreedList":[{"termsId": <int>, "revisionId": <int>}, ...]}`
-*   - Response on success: `{"resultType":"SUCCESS","success":{}}` — no
-*     useful payload. We resolve `void`.
-*   - Re-submitting an already-agreed term returns `errorCode: 500`
-*     (Internal Server Error). The server is NOT idempotent, so callers
-*     must filter to `isAgreed === false` before invoking.
-*   - Empty `agreedList` returns SUCCESS (no-op), but we throw client-side
-*     before sending — round-tripping a no-op request is wasted.
-*
-* Failure surfaces through `TossApiError` like every other write helper.
-*/
-async function agreeWorkspaceTerms(workspaceId, terms, cookies, opts = {}) {
-	if (terms.length === 0) throw new Error("agreeWorkspaceTerms requires at least one term");
-	await requestConsoleApi({
-		method: "POST",
-		url: `${WORKSPACES_BASE}/workspaces/${workspaceId}/console-workspace-terms`,
-		cookies,
-		body: { agreedList: terms.map(({ termsId, revisionId }) => ({
-			termsId,
-			revisionId
-		})) },
-		...opts.fetchImpl ? { fetchImpl: opts.fetchImpl } : {}
-	});
-}
-//#endregion
 //#region src/commands/workspace.ts
 function formatScalar(v) {
 	if (v === null) return "null";