@athsra/cli 0.1.0 → 1.0.0

package/src/commands/logout.ts

@@ -0,0 +1,50 @@
+import { existsSync, unlinkSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { loadConfig } from '../lib/config.ts';
+import { clearMasterPw, clearToken } from '../lib/keyring.ts';
+import { promptConfirm } from '../lib/prompt.ts';
+
+/**
+ * athsra logout              keyring 의 master pw + token clear (worker-side token 유지)
+ * athsra logout --full       config (~/.athsra/config.json) 도 삭제
+ *
+ * worker-side 토큰을 invalidate 하지 않습니다. 토큰 유출 우려 시 `athsra revoke` 사용.
+ * 동일 머신에서 `athsra login` 다시 실행하면 즉시 재 사용 가능 (PROOF 동일하면 token 재 발급).
+ *
+ * Doppler-level service UX — keyring clear 와 token revoke 분리. revoke 와 logout 의 차이:
+ *   - logout = local 정리 (keyring + 선택적 config). worker-side token 활성 유지.
+ *   - revoke = worker-side token invalidate (irreversible). keyring 도 함께 clear.
+ */
+export async function logoutCmd(args: string[]): Promise<number> {
+  const config = loadConfig();
+  if (!config) {
+    console.log('Already logged out (no ~/.athsra/config.json found).');
+    return 0;
+  }
+  const full = args.includes('--full');
+
+  if (process.env.ATHSRA_LOGOUT_CONFIRMED !== '1') {
+    const ok = await promptConfirm(
+      `Logout machine ${config.machineId}? (keyring clear, worker token stays active — use \`athsra revoke\` to fully invalidate)`,
+    );
+    if (!ok) return 0;
+  }
+
+  clearMasterPw(config.machineId);
+  clearToken(config.machineId);
+  console.log(`✓ keyring cleared for machine: ${config.machineId}`);
+  console.log('  • master-pw + Bearer token removed from OS keyring');
+  console.log('  • worker-side token still active — `athsra revoke` to invalidate fully');
+
+  if (full) {
+    const configPath = join(homedir(), '.athsra', 'config.json');
+    if (existsSync(configPath)) {
+      unlinkSync(configPath);
+      console.log(`  • ${configPath} removed (--full)`);
+    }
+  }
+
+  console.log('\nNext: athsra login');
+  return 0;
+}

package/src/commands/ls.ts

@@ -1,6 +1,6 @@
-import { decrypt, deriveKey, fromBase64 } from '@athsra/crypto';
 import { loadAuthContext } from '../lib/auth-context.ts';
-import { parseEnv } from '../lib/env-format.ts';
+import { partitionEnv } from '../lib/env-format.ts';
+import { readPlain } from '../lib/envelope.ts';
 
 /**
  * athsra ls                       — active projects only
@@ -9,9 +9,9 @@ import { parseEnv } from '../lib/env-format.ts';
  * athsra ls <project>             — keys of project (decrypt 필요)
  */
 export async function lsCmd(args: string[]): Promise<number> {
-  const ctx = loadAuthContext();
+  const ctx = await loadAuthContext();
   if (!ctx) return 1;
-  const { masterPw, client } = ctx;
+  const client = ctx.client;
 
   const positional = args.filter((a) => !a.startsWith('-'));
   const includeDeleted = args.includes('--all') || args.includes('--include-deleted');
@@ -37,21 +37,31 @@ export async function lsCmd(args: string[]): Promise<number> {
     return 0;
   }
 
-  // ls <project> — key 목록 (값 없음, decrypt 후 key 만)
+  // ls <project> — key 목록 + 값 상태 ((empty) 또는 길이, decrypt 필요)
   const project = positional[0];
   if (!project) return 0;
 
-  const envelope = await client.getEnvelope(project);
-  if (!envelope) {
+  const plain = await readPlain(ctx, project);
+  if (!plain) {
     console.error(`project not found: ${project}`);
     return 1;
   }
-  const derived = deriveKey(masterPw, fromBase64(envelope.salt));
-  const text = await decrypt(derived, {
-    ciphertext: fromBase64(envelope.ciphertext),
-    nonce: fromBase64(envelope.nonce),
-  });
-  const plain = parseEnv(text);
-  for (const k of Object.keys(plain).sort()) console.log(k);
+  const keys = Object.keys(plain).sort();
+  if (keys.length === 0) {
+    console.log('(no keys)');
+    return 0;
+  }
+  const { filled, emptyKeys } = partitionEnv(plain);
+  const emptySet = new Set(emptyKeys);
+  const width = Math.max(...keys.map((k) => k.length));
+  for (const k of keys) {
+    const status = emptySet.has(k) ? '(empty)' : `${(filled[k] ?? '').length} chars`;
+    console.log(`${k.padEnd(width)}  ${status}`);
+  }
+  if (emptyKeys.length > 0) {
+    console.error(
+      `\n${emptyKeys.length} of ${keys.length} key${keys.length > 1 ? 's' : ''} empty — \`athsra run\` skips empty keys (parent env used). Set values: \`athsra set ${project} KEY=value\``,
+    );
+  }
   return 0;
 }

package/src/commands/manifest.ts

@@ -0,0 +1,354 @@
+/**
+ * manifest.ts — `athsra manifest {init,show,validate,add,remove}` 명령.
+ *
+ * Phase 2.6 (2026-05-26) Option γ — sibling worker 의 secrets opt-in manifest 관리.
+ *
+ * 사용 흐름 (sibling repo 안에서):
+ *   athsra manifest init --keys=DATABASE_URL,SESSION_SECRET
+ *   athsra manifest validate
+ *   athsra manifest add NEW_KEY
+ *   athsra manifest show
+ *
+ * manifest 가 worker 디렉토리 안에 commit 됨 (사업장 키 이름만, 값 X — safe to commit).
+ */
+
+import { inferAdoptContext, type WrangerWorker } from '../lib/adopt-context.ts';
+import { loadAuthContext } from '../lib/auth-context.ts';
+import { resolveProject } from '../lib/auto-project.ts';
+import { readPlain } from '../lib/envelope.ts';
+import {
+  applyManifest,
+  createManifest,
+  loadManifest,
+  type SecretsManifest,
+  manifestPath,
+  saveManifest,
+} from '../lib/secrets-manifest.ts';
+
+const USAGE = [
+  'usage: athsra manifest <subcommand> [options]',
+  '',
+  'Phase 2.6 Option γ — sibling worker 의 secrets opt-in manifest 관리.',
+  '',
+  '서브명령:',
+  '  init [--worker=<name>] [--all] [--keys=K1,K2,...] [--keys-from=<file>]',
+  '      manifest 신규 작성. --all 은 envelope 전체 키. --keys 명시 (콤마 구분).',
+  '',
+  '  show [--worker=<name>]',
+  '      manifest 내용 출력.',
+  '',
+  '  validate [<project>] [--worker=<name>]',
+  '      manifest vs envelope diff. project 명시 시 envelope 부족분 / 초과분 표시.',
+  '',
+  '  add <KEY> [<KEY2>...] [--worker=<name>]',
+  '      manifest 에 키 추가 (이미 있으면 idempotent).',
+  '',
+  '  remove <KEY> [<KEY2>...] [--worker=<name>]',
+  '      manifest 에서 키 제거.',
+  '',
+  '공통 옵션:',
+  '  --worker=<name>   다수 wrangler.jsonc 있는 monorepo 에서 명시. 단일이면 생략.',
+  '',
+  'manifest 위치: <worker.cwd>/.athsra/secrets.json',
+].join('\n');
+
+interface ParsedFlags {
+  worker?: string;
+  keys?: string[];
+  keysFrom?: string;
+  all: boolean;
+  positional: string[];
+}
+
+function parseFlags(args: string[]): ParsedFlags {
+  const positional: string[] = [];
+  const flags: Record<string, string | boolean> = {};
+  for (const a of args) {
+    if (a.startsWith('--')) {
+      const eq = a.indexOf('=');
+      if (eq > 0) flags[a.slice(2, eq)] = a.slice(eq + 1);
+      else flags[a.slice(2)] = true;
+    } else {
+      positional.push(a);
+    }
+  }
+  const keysRaw = typeof flags.keys === 'string' ? flags.keys : undefined;
+  return {
+    worker: typeof flags.worker === 'string' ? flags.worker : undefined,
+    keys: keysRaw
+      ? keysRaw
+          .split(',')
+          .map((s) => s.trim())
+          .filter(Boolean)
+      : undefined,
+    keysFrom: typeof flags['keys-from'] === 'string' ? flags['keys-from'] : undefined,
+    all: flags.all === true,
+    positional,
+  };
+}
+
+function pickWorker(workers: WrangerWorker[], explicit?: string): WrangerWorker | string {
+  if (explicit) {
+    const found = workers.find((w) => w.name === explicit);
+    if (!found) {
+      const names = workers.map((w) => w.name).join(', ') || '(none)';
+      return `worker '${explicit}' not found in cwd. available: ${names}`;
+    }
+    return found;
+  }
+  if (workers.length === 0) {
+    return 'no wrangler.jsonc found in cwd. cd into sibling repo (or its subdirectory).';
+  }
+  if (workers.length === 1) {
+    const [only] = workers;
+    if (!only) return 'no wrangler.jsonc found';
+    return only;
+  }
+  const list = workers.map((w) => `  - ${w.name} (root=${w.rootDirectory})`).join('\n');
+  return `multiple workers found. --worker=<name>:\n${list}`;
+}
+
+async function readKeysFromFile(path: string): Promise<string[]> {
+  const file = Bun.file(path);
+  if (!(await file.exists())) {
+    throw new Error(`--keys-from file not found: ${path}`);
+  }
+  const text = await file.text();
+  return text
+    .split(/\r?\n/)
+    .map((s) => s.trim())
+    .filter((s) => s.length > 0 && !s.startsWith('#'));
+}
+
+async function cmdInit(flags: ParsedFlags): Promise<number> {
+  const inferred = inferAdoptContext(process.cwd());
+  const worker = pickWorker(inferred.workers, flags.worker);
+  if (typeof worker === 'string') {
+    console.error(`✗ ${worker}`);
+    return 2;
+  }
+
+  const existing = loadManifest({ workerCwd: worker.cwd });
+  if (existing.manifest) {
+    console.error(`✗ manifest already exists: ${existing.path}`);
+    console.error('  use `athsra manifest add/remove` to modify, or delete file to recreate');
+    return 1;
+  }
+
+  let secrets: string[];
+  if (flags.keys && flags.keys.length > 0) {
+    secrets = flags.keys;
+  } else if (flags.keysFrom) {
+    secrets = await readKeysFromFile(flags.keysFrom);
+  } else if (flags.all) {
+    // envelope 전체 키 — project 추론 필요
+    const { project } = resolveProject([]);
+    if (!project) {
+      console.error('✗ --all 사용 시 project 추론 실패. .athsra 또는 --project=<x> 명시 필요');
+      return 2;
+    }
+    const ctx = await loadAuthContext();
+    if (!ctx || ctx.kind !== 'user') {
+      console.error('✗ user token (master pw) 필요. service token 거부.');
+      return 1;
+    }
+    const envelope = await readPlain(ctx, project);
+    if (!envelope) {
+      console.error(`✗ envelope '${project}' not found`);
+      return 1;
+    }
+    secrets = Object.keys(envelope).filter(
+      (k) => typeof envelope[k] === 'string' && envelope[k].length > 0,
+    );
+    console.log(`  envelope '${project}' 의 ${secrets.length} 키를 manifest 로 캡처`);
+  } else {
+    console.error('✗ secrets 출처 명시 필요: --keys=K1,K2 / --keys-from=<file> / --all');
+    return 2;
+  }
+
+  if (secrets.length === 0) {
+    console.error('✗ no secrets to capture');
+    return 1;
+  }
+
+  let manifest: SecretsManifest;
+  try {
+    manifest = createManifest(secrets);
+  } catch (err) {
+    console.error(`✗ ${(err as Error).message}`);
+    return 1;
+  }
+
+  const saved = saveManifest(worker.cwd, manifest);
+  console.log(`✓ manifest written: ${saved}`);
+  console.log(`  worker:  ${worker.name}`);
+  console.log(`  secrets: ${manifest.secrets.length} (alphabetical)`);
+  console.log('');
+  console.log('다음 단계:');
+  console.log(`  git add ${saved}`);
+  console.log('  git commit -m "feat(athsra): add secrets manifest"');
+  return 0;
+}
+
+function cmdShow(flags: ParsedFlags): number {
+  const inferred = inferAdoptContext(process.cwd());
+  const worker = pickWorker(inferred.workers, flags.worker);
+  if (typeof worker === 'string') {
+    console.error(`✗ ${worker}`);
+    return 2;
+  }
+  const loaded = loadManifest({ workerCwd: worker.cwd });
+  if (loaded.error) {
+    console.error(`✗ manifest invalid (${loaded.path}): ${loaded.error}`);
+    return 1;
+  }
+  if (!loaded.manifest) {
+    console.error(`✗ no manifest at ${loaded.path}`);
+    console.error('  create with: athsra manifest init --keys=K1,K2,...');
+    return 1;
+  }
+  console.log(`# ${loaded.path}`);
+  console.log(`# worker: ${worker.name}`);
+  console.log(`# secrets: ${loaded.manifest.secrets.length}`);
+  console.log('');
+  for (const k of loaded.manifest.secrets) {
+    console.log(k);
+  }
+  return 0;
+}
+
+async function cmdValidate(flags: ParsedFlags): Promise<number> {
+  const inferred = inferAdoptContext(process.cwd());
+  const worker = pickWorker(inferred.workers, flags.worker);
+  if (typeof worker === 'string') {
+    console.error(`✗ ${worker}`);
+    return 2;
+  }
+  const loaded = loadManifest({ workerCwd: worker.cwd });
+  if (loaded.error) {
+    console.error(`✗ manifest invalid (${loaded.path}): ${loaded.error}`);
+    return 1;
+  }
+  if (!loaded.manifest) {
+    console.error(`✗ no manifest at ${loaded.path}`);
+    return 1;
+  }
+  console.log(`✓ manifest schema valid (${loaded.manifest.secrets.length} secrets)`);
+
+  const projectArg = flags.positional[0];
+  const { project } = resolveProject(projectArg ? [projectArg] : []);
+  if (!project) {
+    console.log('  (project 미지정 — envelope diff 생략. project 명시 시 추가 검증)');
+    return 0;
+  }
+  const ctx = await loadAuthContext();
+  if (!ctx || ctx.kind !== 'user') {
+    console.error('✗ envelope diff 위해 user token (master pw) 필요');
+    return 1;
+  }
+  const envelope = await readPlain(ctx, project);
+  if (!envelope) {
+    console.error(`✗ envelope '${project}' not found`);
+    return 1;
+  }
+  const envelopeKeys = Object.keys(envelope).filter(
+    (k) => typeof envelope[k] === 'string' && envelope[k].length > 0,
+  );
+  const applied = applyManifest(loaded.manifest, envelopeKeys);
+  console.log('');
+  console.log(`envelope '${project}' diff:`);
+  console.log(`  ✓ allowed (will sync): ${applied.allowed.length}`);
+  if (applied.missing.length > 0) {
+    console.log(`  ⚠ in manifest but missing from envelope: ${applied.missing.length}`);
+    for (const k of applied.missing) console.log(`      - ${k}`);
+  }
+  if (applied.excluded.length > 0) {
+    console.log(`  · in envelope but not in manifest (excluded): ${applied.excluded.length}`);
+    if (applied.excluded.length <= 10) {
+      for (const k of applied.excluded) console.log(`      - ${k}`);
+    } else {
+      for (const k of applied.excluded.slice(0, 5)) console.log(`      - ${k}`);
+      console.log(`      ... + ${applied.excluded.length - 5} more`);
+    }
+  }
+  return applied.missing.length > 0 ? 1 : 0;
+}
+
+function modifyManifest(
+  flags: ParsedFlags,
+  op: 'add' | 'remove',
+): number {
+  const keys = flags.positional;
+  if (keys.length === 0) {
+    console.error(`✗ usage: athsra manifest ${op} <KEY> [<KEY2>...] [--worker=<name>]`);
+    return 2;
+  }
+  const inferred = inferAdoptContext(process.cwd());
+  const worker = pickWorker(inferred.workers, flags.worker);
+  if (typeof worker === 'string') {
+    console.error(`✗ ${worker}`);
+    return 2;
+  }
+  const loaded = loadManifest({ workerCwd: worker.cwd });
+  if (loaded.error) {
+    console.error(`✗ manifest invalid (${loaded.path}): ${loaded.error}`);
+    return 1;
+  }
+  if (!loaded.manifest) {
+    console.error(`✗ no manifest at ${loaded.path}`);
+    console.error('  create with: athsra manifest init --keys=K1,K2,...');
+    return 1;
+  }
+  const current = new Set(loaded.manifest.secrets);
+  const before = current.size;
+  if (op === 'add') {
+    for (const k of keys) current.add(k);
+  } else {
+    for (const k of keys) current.delete(k);
+  }
+  const after = current.size;
+  if (after === before) {
+    console.log(`(no change — ${op} ${keys.join(',')})`);
+    return 0;
+  }
+  let updated: SecretsManifest;
+  try {
+    updated = createManifest(Array.from(current));
+  } catch (err) {
+    console.error(`✗ ${(err as Error).message}`);
+    return 1;
+  }
+  const saved = saveManifest(worker.cwd, updated);
+  console.log(`✓ manifest ${op}: ${keys.join(', ')} (now ${after} secrets)`);
+  console.log(`  ${saved}`);
+  return 0;
+}
+
+export async function manifestCmd(args: string[]): Promise<number> {
+  const [sub, ...rest] = args;
+  if (!sub || sub === '--help' || sub === '-h' || sub === 'help') {
+    console.log(USAGE);
+    return sub ? 0 : 2;
+  }
+  const flags = parseFlags(rest);
+  switch (sub) {
+    case 'init':
+      return cmdInit(flags);
+    case 'show':
+      return cmdShow(flags);
+    case 'validate':
+      return cmdValidate(flags);
+    case 'add':
+      return modifyManifest(flags, 'add');
+    case 'remove':
+    case 'rm':
+      return modifyManifest(flags, 'remove');
+    default:
+      console.error(`✗ unknown subcommand: ${sub}`);
+      console.error(USAGE);
+      return 2;
+  }
+}
+
+/** Path helper for callers (e.g., adopt.ts error formatting). */
+export { manifestPath };