@athsra/cli 0.1.0 → 1.0.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@athsra/cli",
-  "version": "0.1.0",
+  "version": "1.0.0",
   "description": "athsra CLI — E2EE secret manager on Cloudflare edge. Doppler-style dev UX + zero-knowledge encryption + soft-delete + version history. MIT.",
   "type": "module",
   "main": "./src/index.ts",
@@ -30,7 +30,11 @@
     "access": "public",
     "registry": "https://registry.npmjs.org/"
   },
-  "files": ["src/", "README.md", "LICENSE"],
+  "files": [
+    "src/",
+    "README.md",
+    "LICENSE"
+  ],
   "engines": {
     "bun": ">=1.3"
   },
@@ -40,13 +44,14 @@
   },
   "dependencies": {
     "@athsra/crypto": "^0.1.0",
+    "@modelcontextprotocol/sdk": "^1.29.0",
     "@napi-rs/keyring": "^1.1.6",
     "@scure/bip39": "^2.2.0",
     "prompts": "^2.4.2"
   },
   "devDependencies": {
-    "@types/bun": "^1.3.11",
+    "@types/bun": "^1.3.14",
     "@types/prompts": "^2.4.9",
-    "typescript": "^6.0.2"
+    "typescript": "^6.0.3"
   }
 }

package/src/commands/admin.ts

@@ -0,0 +1,308 @@
+/**
+ * Phase 2.2 (2026-05-25) — `athsra users/role/project` admin CLI.
+ *
+ * worker `/v1/admin/*` 호출 — admin role 필수.
+ *
+ * 명령:
+ *   athsra users list                                — 모든 user + role 표시
+ *   athsra users invite <identifier> [--role=dev]    — 신규 user invite (master pw prompt)
+ *   athsra role grant <user_id> <role>               — role grant
+ *   athsra role revoke <user_id> <role>              — role revoke
+ *   athsra project share <project> <user_id> --perms=<read|write>
+ *   athsra project unshare <project> <user_id>
+ *
+ * role 종류: admin / dev / viewer / auditor / sa
+ */
+
+import { deriveKey, fromBase64, toBase64 } from '@athsra/crypto';
+import { loadAuthContext } from '../lib/auth-context.ts';
+import { promptPassword } from '../lib/prompt.ts';
+
+const VALID_ROLES = ['admin', 'dev', 'viewer', 'auditor', 'sa'] as const;
+type RoleName = (typeof VALID_ROLES)[number];
+
+const USAGE_USERS = [
+  'usage:',
+  '  athsra users list                              — 모든 user + role',
+  '  athsra users invite <identifier> [--role=dev]  — 신규 user invite',
+].join('\n');
+
+const USAGE_ROLE = [
+  'usage:',
+  '  athsra role grant  <user_id> <role>            — role 추가',
+  '  athsra role revoke <user_id> <role>            — role 제거',
+  `  role: ${VALID_ROLES.join(' | ')}`,
+].join('\n');
+
+const USAGE_PROJECT = [
+  'usage:',
+  '  athsra project share   <project> <user_id> --perms=<read|write>',
+  '  athsra project unshare <project> <user_id>',
+].join('\n');
+
+function isRoleName(s: string): s is RoleName {
+  return (VALID_ROLES as ReadonlyArray<string>).includes(s);
+}
+
+async function getUserClient() {
+  const ctx = await loadAuthContext();
+  if (!ctx) return null;
+  if (ctx.kind !== 'user') {
+    console.error('admin 명령은 user token (master pw) 가 필요합니다. service token 거부.');
+    return null;
+  }
+  return ctx;
+}
+
+async function listUsersCmd(): Promise<number> {
+  const ctx = await getUserClient();
+  if (!ctx) return 1;
+  const { users, count } = await ctx.client.listUsers();
+  if (count === 0) {
+    console.log('(no users registered)');
+    return 0;
+  }
+  console.log(`${count} user${count > 1 ? 's' : ''}:`);
+  console.log('');
+  for (const u of users) {
+    const rolesLabel = u.roles.length > 0 ? u.roles.join(', ') : '(no roles)';
+    const statusLabel = u.status === 'active' ? '' : ` (${u.status})`;
+    console.log(`  #${u.id} ${u.identifier}${statusLabel}`);
+    console.log(`    roles:   ${rolesLabel}`);
+    console.log(`    created: ${u.created_at}`);
+    console.log('');
+  }
+  console.log('Phase 2.2 RBAC — admin role 이 무권한자에게 신규 user invite/role grant 가능.');
+  return 0;
+}
+
+async function inviteUserCmd(args: string[]): Promise<number> {
+  const positional = args.filter((a) => !a.startsWith('-'));
+  const identifier = positional[0];
+  if (!identifier) {
+    console.error(USAGE_USERS);
+    return 2;
+  }
+  let role: RoleName = 'dev';
+  for (const a of args) {
+    if (a.startsWith('--role=')) {
+      const v = a.slice('--role='.length);
+      if (!isRoleName(v)) {
+        console.error(`invalid role: ${v}. options: ${VALID_ROLES.join(' | ')}`);
+        return 2;
+      }
+      role = v;
+    }
+  }
+
+  const ctx = await getUserClient();
+  if (!ctx) return 1;
+
+  // 신규 user 의 master pw 입력 — admin 이 사전에 받음 (out-of-band)
+  console.log(`신규 user '${identifier}' 의 master password 를 입력하세요.`);
+  console.log('  (이 값은 자체적으로 저장되지 않음 — Argon2id 후 worker 에 PROOF 만 전달)');
+  const masterPw = await promptPassword('new master password: ');
+  if (!masterPw || masterPw.length === 0) {
+    console.error('master password 비어있음 — 중단');
+    return 2;
+  }
+  const masterPwConfirm = await promptPassword('confirm master password: ');
+  if (masterPw !== masterPwConfirm) {
+    console.error('confirm mismatch — 중단');
+    return 2;
+  }
+
+  // proof = Argon2id(masterPw + GLOBAL_SALT)
+  const info = await ctx.client.info();
+  const proofBytes = deriveKey(masterPw, fromBase64(info.global_salt));
+  const proof = toBase64(proofBytes);
+
+  try {
+    const res = await ctx.client.inviteUser({
+      identifier,
+      proof,
+      globalSaltVersion: info.global_salt_version,
+      initialRole: role,
+    });
+    console.log('✓ user invited');
+    console.log(`  id:         #${res.id}`);
+    console.log(`  identifier: ${res.identifier}`);
+    console.log(`  status:     ${res.status}`);
+    console.log(`  role:       ${res.role}`);
+    console.log('');
+    console.log('다음 단계:');
+    console.log(`  1. 신규 user 가 본인 머신에서 \`athsra login\` 실행`);
+    console.log(`     (위 master pw 사용 → worker 의 admin user PROOF 와 다른 신규 PROOF 등록)`);
+    console.log(`  2. 추가 role 부여: athsra role grant ${res.id} <role>`);
+    console.log(`  3. project ACL: athsra project share <project> ${res.id} --perms=<read|write>`);
+    return 0;
+  } catch (err) {
+    const msg = (err as Error).message;
+    if (msg.includes('409')) {
+      console.error(`✗ identifier '${identifier}' already exists`);
+    } else {
+      console.error(`✗ invite failed: ${msg}`);
+    }
+    return 1;
+  }
+}
+
+async function grantRoleCmd(args: string[]): Promise<number> {
+  const userIdStr = args[0];
+  const role = args[1];
+  if (!userIdStr || !role) {
+    console.error(USAGE_ROLE);
+    return 2;
+  }
+  const userId = Number(userIdStr);
+  if (!Number.isInteger(userId) || userId <= 0) {
+    console.error('user_id must be positive integer');
+    return 2;
+  }
+  if (!isRoleName(role)) {
+    console.error(`invalid role: ${role}. options: ${VALID_ROLES.join(' | ')}`);
+    return 2;
+  }
+  const ctx = await getUserClient();
+  if (!ctx) return 1;
+  try {
+    const res = await ctx.client.grantRole({ userId, role });
+    console.log(`✓ role granted: user #${res.user_id} ← ${res.role}`);
+    return 0;
+  } catch (err) {
+    console.error(`✗ grant failed: ${(err as Error).message}`);
+    return 1;
+  }
+}
+
+async function revokeRoleCmd(args: string[]): Promise<number> {
+  const userIdStr = args[0];
+  const role = args[1];
+  if (!userIdStr || !role) {
+    console.error(USAGE_ROLE);
+    return 2;
+  }
+  const userId = Number(userIdStr);
+  if (!Number.isInteger(userId) || userId <= 0) {
+    console.error('user_id must be positive integer');
+    return 2;
+  }
+  if (!isRoleName(role)) {
+    console.error(`invalid role: ${role}. options: ${VALID_ROLES.join(' | ')}`);
+    return 2;
+  }
+  const ctx = await getUserClient();
+  if (!ctx) return 1;
+  try {
+    const res = await ctx.client.revokeRole({ userId, role });
+    console.log(`✓ role revoked: user #${res.user_id} ✗ ${res.role}`);
+    return 0;
+  } catch (err) {
+    const msg = (err as Error).message;
+    if (msg.includes('lockout')) {
+      console.error('✗ cannot revoke own admin role (lockout 방지)');
+    } else {
+      console.error(`✗ revoke failed: ${msg}`);
+    }
+    return 1;
+  }
+}
+
+async function shareCmd(args: string[]): Promise<number> {
+  const positional = args.filter((a) => !a.startsWith('-'));
+  const project = positional[0];
+  const userIdStr = positional[1];
+  if (!project || !userIdStr) {
+    console.error(USAGE_PROJECT);
+    return 2;
+  }
+  const userId = Number(userIdStr);
+  if (!Number.isInteger(userId) || userId <= 0) {
+    console.error('user_id must be positive integer');
+    return 2;
+  }
+  let perms: 'read' | 'write' = 'read';
+  for (const a of args) {
+    if (a.startsWith('--perms=')) {
+      const v = a.slice('--perms='.length);
+      if (v !== 'read' && v !== 'write') {
+        console.error('--perms must be read or write');
+        return 2;
+      }
+      perms = v;
+    }
+  }
+  const ctx = await getUserClient();
+  if (!ctx) return 1;
+  try {
+    const res = await ctx.client.grantAcl({ project, userId, perms });
+    console.log(`✓ ACL granted: user #${res.user_id} → ${res.project} (${res.perms})`);
+    return 0;
+  } catch (err) {
+    console.error(`✗ share failed: ${(err as Error).message}`);
+    return 1;
+  }
+}
+
+async function unshareCmd(args: string[]): Promise<number> {
+  const project = args[0];
+  const userIdStr = args[1];
+  if (!project || !userIdStr) {
+    console.error(USAGE_PROJECT);
+    return 2;
+  }
+  const userId = Number(userIdStr);
+  if (!Number.isInteger(userId) || userId <= 0) {
+    console.error('user_id must be positive integer');
+    return 2;
+  }
+  const ctx = await getUserClient();
+  if (!ctx) return 1;
+  try {
+    await ctx.client.revokeAcl({ project, userId });
+    console.log(`✓ ACL revoked: user #${userId} ✗ ${project}`);
+    return 0;
+  } catch (err) {
+    console.error(`✗ unshare failed: ${(err as Error).message}`);
+    return 1;
+  }
+}
+
+export async function usersCmd(args: string[]): Promise<number> {
+  const action = args[0];
+  if (action === 'list') return listUsersCmd();
+  if (action === 'invite') return inviteUserCmd(args.slice(1));
+  if (!action || action === '--help' || action === '-h') {
+    console.log(USAGE_USERS);
+    return action ? 0 : 2;
+  }
+  console.error(`Unknown action: ${action}`);
+  console.error(USAGE_USERS);
+  return 2;
+}
+
+export async function roleCmd(args: string[]): Promise<number> {
+  const action = args[0];
+  if (action === 'grant') return grantRoleCmd(args.slice(1));
+  if (action === 'revoke') return revokeRoleCmd(args.slice(1));
+  if (!action || action === '--help' || action === '-h') {
+    console.log(USAGE_ROLE);
+    return action ? 0 : 2;
+  }
+  console.error(`Unknown action: ${action}`);
+  console.error(USAGE_ROLE);
+  return 2;
+}
+
+export async function projectCmd(args: string[]): Promise<number> {
+  const action = args[0];
+  if (action === 'share') return shareCmd(args.slice(1));
+  if (action === 'unshare') return unshareCmd(args.slice(1));
+  if (!action || action === '--help' || action === '-h') {
+    console.log(USAGE_PROJECT);
+    return action ? 0 : 2;
+  }
+  console.error(`Unknown action: ${action}`);
+  console.error(USAGE_PROJECT);
+  return 2;
+}