@athsra/cli 0.1.0 → 1.0.1

package/src/commands/purge.ts

@@ -22,7 +22,7 @@ export async function purgeCmd(args: string[]): Promise<number> {
   }
   const yes = args.includes('--yes') || args.includes('-y');
 
-  const ctx = loadAuthContext();
+  const ctx = await loadAuthContext();
   if (!ctx) return 1;
   const { client } = ctx;
 

package/src/commands/restore.ts

@@ -15,7 +15,7 @@ export async function restoreCmd(args: string[]): Promise<number> {
     return 2;
   }
 
-  const ctx = loadAuthContext();
+  const ctx = await loadAuthContext();
   if (!ctx) return 1;
   const { client } = ctx;
 

package/src/commands/revoke.ts

@@ -10,9 +10,10 @@ import { promptConfirm } from '../lib/prompt.ts';
  */
 export async function revokeCmd(args: string[]): Promise<number> {
   const target = args[0];
-  const ctx = loadAuthContext();
+  const ctx = await loadAuthContext();
   if (!ctx) return 1;
-  const { client, config } = ctx;
+  const client = ctx.client;
+  const userConfig = ctx.kind === 'user' ? ctx.config : null;
 
   if (!target) {
     if (process.env.ATHSRA_REVOKE_CONFIRMED !== '1') {
@@ -22,14 +23,16 @@ export async function revokeCmd(args: string[]): Promise<number> {
       if (!ok) return 0;
     }
     const result = await client.revoke();
-    clearMasterPw(config.machineId);
-    clearToken(config.machineId);
-    console.log(`✓ self-revoke: ${result.revoked} (keyring cleared)`);
+    if (userConfig) {
+      clearMasterPw(userConfig.machineId);
+      clearToken(userConfig.machineId);
+    }
+    console.log(`✓ self-revoke: ${result.revoked}${userConfig ? ' (keyring cleared)' : ''}`);
     return 0;
   }
 
-  if (!target.startsWith('atk_')) {
-    console.error('Token must start with atk_*');
+  if (!target.startsWith('atk_') && !target.startsWith('ats_')) {
+    console.error('Token must start with atk_ or ats_');
     return 2;
   }
   const result = await client.revoke(target);

package/src/commands/rollback.ts

@@ -18,7 +18,7 @@ export async function rollbackCmd(args: string[]): Promise<number> {
   }
   const yes = args.includes('--yes') || args.includes('-y');
 
-  const ctx = loadAuthContext();
+  const ctx = await loadAuthContext();
   if (!ctx) return 1;
   const { client } = ctx;
 

package/src/commands/rotate-master.ts

@@ -1,30 +1,27 @@
-import {
-  DEFAULT_KDF,
-  decrypt,
-  deriveKey,
-  encrypt,
-  fromBase64,
-  randomSalt,
-  type SecretEnvelope,
-  toBase64,
-} from '@athsra/crypto';
-import { loadAuthContext } from '../lib/auth-context.ts';
+import { deriveKey, fromBase64, toBase64 } from '@athsra/crypto';
+import { loadAuthContext, type UserAuthContext } from '../lib/auth-context.ts';
 import { isValidPhrase, normalizePhrase, wordCount } from '../lib/bip39.ts';
 import { AthsraClient } from '../lib/client.ts';
+import { readPlain, writePlain } from '../lib/envelope.ts';
 import { setMasterPw, setToken } from '../lib/keyring.ts';
 import { promptConfirm, promptPassword } from '../lib/prompt.ts';
 
 /**
- * athsra rotate-master — master password 변경 (모든 projects re-encrypt).
+ * athsra rotate-master — master password 변경 (모든 projects re-encrypt as v2).
  *
  * 흐름:
- *   1. 옛 master pw (keyring) 로 모든 envelope decrypt
- *   2. POST /auth/rotate-master — 옛 proof 검증 + 새 proof 저장 + 모든 token 삭제 + 새 token 발급
- *   3. 새 master pw + 새 token 으로 모든 envelope re-encrypt + PUT
+ *   1. 옛 master pw 로 모든 envelope (v1 또는 v2) decrypt → plain (메모리)
+ *   2. POST /auth/rotate-master — 옛 proof 검증 + 새 proof 저장 + 모든 token 삭제 + 새 token
+ *   3. 새 master pw + 새 token 으로 모든 envelope re-encrypt + PUT (자동 v2)
  *   4. keyring 갱신
  *
- * 비-원자적 (step 3 도중 실패 시 일부 envelope 만 새 master pw 로). 다만 step 2
- * 이후에는 옛 master pw 와 옛 token 모두 invalid — 사용자 안내로 rotate-master 재시도 권장.
+ * 비-원자적: step 3 도중 실패 시 일부 envelope 만 새 master pw 로. step 2 이후
+ * 옛 master pw 와 옛 token 모두 invalid — rotate-master 재시도 필요.
+ *
+ * v2 자동 마이그레이션: rotate-master 는 모든 envelope 를 v2 로 재작성한다 —
+ * 기존 v1 envelope 도 한 번에 v2 로 갱신됨. 단 v2 의 service token recipient 들은
+ * 손실 (rotate-master 는 master pw 재확립 = 모든 scoped 신뢰 reset, 보안상
+ * 의도적). service token 은 rotate-master 후 다시 발급 필요.
  *
  * envvar:
  *   ATHSRA_NEW_MASTER_PW                — 새 master pw (non-interactive)
@@ -33,8 +30,12 @@ import { promptConfirm, promptPassword } from '../lib/prompt.ts';
 export async function rotateMasterCmd(_args: string[]): Promise<number> {
   console.log('athsra rotate-master\n');
 
-  const ctx = loadAuthContext();
+  const ctx = await loadAuthContext();
   if (!ctx) return 1;
+  if (ctx.kind !== 'user') {
+    console.error('athsra rotate-master 는 user token (master pw) 가 필요합니다.');
+    return 1;
+  }
   const { masterPw: oldPw, client, config } = ctx;
 
   // 새 master pw 입력
@@ -85,20 +86,15 @@ export async function rotateMasterCmd(_args: string[]): Promise<number> {
     }
   }
 
-  // 1. 모든 projects fetch + decrypt (옛 master pw)
+  // 1. 모든 projects decrypt (옛 master pw, v1+v2 dispatcher)
   const projects = await client.listProjects();
   console.log(`\n• Decrypting ${projects.length} projects with old master pw...`);
-  const plaintexts: Record<string, string> = {};
+  const plaintexts: Record<string, Record<string, string>> = {};
   for (const p of projects) {
-    const env = await client.getEnvelope(p);
-    if (!env) continue;
-    const key = deriveKey(oldPw, fromBase64(env.salt));
-    const text = await decrypt(key, {
-      ciphertext: fromBase64(env.ciphertext),
-      nonce: fromBase64(env.nonce),
-    });
-    plaintexts[p] = text;
-    console.log(`  ✓ ${p} (${text.split('\n').filter((l) => l.includes('=')).length} keys)`);
+    const plain = await readPlain(ctx, p);
+    if (!plain) continue;
+    plaintexts[p] = plain;
+    console.log(`  ✓ ${p} (${Object.keys(plain).length} keys)`);
   }
 
   // 2. POST /auth/rotate-master
@@ -114,30 +110,28 @@ export async function rotateMasterCmd(_args: string[]): Promise<number> {
   setMasterPw(config.machineId, newPw);
   setToken(config.machineId, rot.token);
   const newClient = new AthsraClient(config.workerUrl, rot.token);
+  const newCtx: UserAuthContext = {
+    kind: 'user',
+    config,
+    masterPw: newPw,
+    token: rot.token,
+    client: newClient,
+  };
 
-  // 4. re-encrypt + PUT
-  console.log(`\n• Re-encrypting ${Object.keys(plaintexts).length} projects with new master pw...`);
-  for (const [p, text] of Object.entries(plaintexts)) {
-    const newSalt = randomSalt();
-    const newKey = deriveKey(newPw, newSalt);
-    const blob = await encrypt(newKey, text);
-    const envelope: SecretEnvelope = {
-      version: 1,
-      alg: 'aes-256-gcm',
-      kdf: 'argon2id',
-      kdf_params: DEFAULT_KDF,
-      salt: toBase64(newSalt),
-      nonce: toBase64(blob.nonce),
-      ciphertext: toBase64(blob.ciphertext),
-      version_id: `v${Date.now()}`,
-      updated_at: new Date().toISOString(),
-    };
-    await newClient.putEnvelope(p, envelope);
+  // 4. re-encrypt + PUT (v2 envelope, 자동 마이그레이션)
+  console.log(
+    `\n• Re-encrypting ${Object.keys(plaintexts).length} projects with new master pw (as v2)...`,
+  );
+  for (const [p, plain] of Object.entries(plaintexts)) {
+    await writePlain(newCtx, p, plain);
     console.log(`  ✓ ${p}`);
   }
 
   console.log(
-    `\n✓ master password rotated. ${Object.keys(plaintexts).length} projects re-encrypted.`,
+    `\n✓ master password rotated. ${Object.keys(plaintexts).length} projects re-encrypted as v2.`,
+  );
+  console.log(
+    '  service token recipients (있다면) 손실 — `athsra service-token create` 로 재발급 필요.',
   );
   console.log(
     '  다른 머신은 모두 token invalidated — 각 머신에서 athsra login (handoff) 재실행 필요.',

package/src/commands/run.ts

@@ -1,13 +1,27 @@
 import { spawn } from 'node:child_process';
-import { decrypt, deriveKey, fromBase64 } from '@athsra/crypto';
 import { loadAuthContext } from '../lib/auth-context.ts';
-import { parseEnv } from '../lib/env-format.ts';
+import { resolveProject } from '../lib/auto-project.ts';
+import { partitionEnv } from '../lib/env-format.ts';
+import { readPlain } from '../lib/envelope.ts';
+
+const USAGE = [
+  'usage: athsra run [<project>] -- <command> [args...]',
+  '',
+  '<project> 자동 감지 (cwd 기반): basename(cwd) > .athsra > package.json athsra.project',
+  '23 sibling repo 안에서: cd ~/code/<repo> && athsra run -- bun run dev',
+].join('\n');
 
 export async function runCmd(args: string[]): Promise<number> {
-  const project = args[0];
   const sepIdx = args.indexOf('--');
-  if (!project || sepIdx < 1) {
-    console.error('usage: athsra run <project> -- <command> [args...]');
+  if (sepIdx < 0) {
+    console.error(USAGE);
+    return 2;
+  }
+  // -- 앞 영역에서 project 추출 (auto-detect 가능). -- 뒤는 cmd.
+  const beforeSep = args.slice(0, sepIdx);
+  const { project } = resolveProject(beforeSep);
+  if (!project) {
+    console.error(USAGE);
     return 2;
   }
   const cmd = args.slice(sepIdx + 1);
@@ -16,21 +30,21 @@ export async function runCmd(args: string[]): Promise<number> {
     return 2;
   }
 
-  const ctx = loadAuthContext();
+  const ctx = await loadAuthContext();
   if (!ctx) return 1;
-  const { masterPw, client } = ctx;
-  const envelope = await client.getEnvelope(project);
-  if (!envelope) {
+
+  const plain = await readPlain(ctx, project);
+  if (!plain) {
     console.error(`project not found: ${project}`);
     return 1;
   }
 
-  const derived = deriveKey(masterPw, fromBase64(envelope.salt));
-  const text = await decrypt(derived, {
-    ciphertext: fromBase64(envelope.ciphertext),
-    nonce: fromBase64(envelope.nonce),
-  });
-  const plain = parseEnv(text);
+  const { env, skipped } = buildChildEnv(process.env, plain);
+  if (skipped.length > 0) {
+    console.error(
+      `athsra: ${skipped.length} empty-value key${skipped.length > 1 ? 's' : ''} skipped — parent environment preserved: ${skipped.join(', ')}`,
+    );
+  }
 
   return await new Promise<number>((resolve) => {
     const cmdName = cmd[0];
@@ -39,7 +53,7 @@ export async function runCmd(args: string[]): Promise<number> {
       return;
     }
     const child = spawn(cmdName, cmd.slice(1), {
-      env: { ...process.env, ...plain },
+      env,
       stdio: 'inherit',
     });
     child.on('close', (code) => resolve(code ?? 1));
@@ -49,3 +63,22 @@ export async function runCmd(args: string[]): Promise<number> {
     });
   });
 }
+
+/**
+ * 자식 프로세스 env 를 만든다. 빈 값 secret 키는 inject 대상에서 제외해
+ * 부모 환경 변수를 보존한다.
+ *
+ * 키 이름만 등록되고 값이 빈 secret (migration scaffolding 산출물) 을
+ * `{ ...process.env, ...plain }` 로 합치면 부모 env 의 유효한 값 (예:
+ * ~/.zshrc 의 CLOUDFLARE_API_TOKEN) 이 빈 문자열로 덮어써져 배포 인증이
+ * 깨진다. 빈 값 키를 제외하면 부모 env 값이 그대로 살아남는다.
+ *
+ * @returns env — 자식 프로세스 env, skipped — 제외된 빈 값 키 (정렬됨)
+ */
+export function buildChildEnv(
+  parentEnv: Record<string, string | undefined>,
+  plain: Record<string, string>,
+): { env: Record<string, string | undefined>; skipped: string[] } {
+  const { filled, emptyKeys } = partitionEnv(plain);
+  return { env: { ...parentEnv, ...filled }, skipped: emptyKeys };
+}

package/src/commands/service-token.ts

@@ -0,0 +1,200 @@
+import { addServiceRecipient, migrateV1ToV2, type SecretEnvelopeV2 } from '@athsra/crypto';
+import { loadAuthContext } from '../lib/auth-context.ts';
+import { resolveProject } from '../lib/auto-project.ts';
+
+const USAGE = [
+  'usage:',
+  '  athsra service-token create [<project>] --label=<name> [--read-only|--write] [--expires-days=N]',
+  '  athsra service-token list [<project>]',
+  '  athsra service-token revoke <token>',
+  '',
+  'service token = scoped + revocable + master-pw 없이 envelope 복호 가능한 token.',
+  '  → headless 호스트 (NAS Docker, CI, 자동화) 용 — E2EE 유지, master pw 유출 X.',
+].join('\n');
+
+async function createCmd(args: string[]): Promise<number> {
+  const { project, rest } = resolveProject(args);
+  if (!project) {
+    console.error(USAGE);
+    return 2;
+  }
+
+  let label: string | null = null;
+  let perms: 'read' | 'write' = 'read';
+  let expiresDays: number | undefined;
+  for (const a of rest) {
+    if (a.startsWith('--label=')) {
+      label = a.slice('--label='.length);
+    } else if (a === '--read-only') {
+      perms = 'read';
+    } else if (a === '--write') {
+      perms = 'write';
+    } else if (a.startsWith('--expires-days=')) {
+      const n = Number(a.slice('--expires-days='.length));
+      if (!Number.isFinite(n) || n <= 0) {
+        console.error('--expires-days must be a positive number');
+        return 2;
+      }
+      expiresDays = n;
+    } else if (a.startsWith('-')) {
+      console.error(`Unknown flag: ${a}`);
+      console.error(USAGE);
+      return 2;
+    }
+  }
+
+  if (!label) {
+    console.error('--label=<name> required (관리·감사 식별용)');
+    return 2;
+  }
+
+  const ctx = await loadAuthContext();
+  if (!ctx) return 1;
+  if (ctx.kind !== 'user') {
+    console.error('athsra service-token create 은 user token (master pw) 가 필요합니다.');
+    return 1;
+  }
+  const { masterPw, client } = ctx;
+
+  // envelope 확인 — 없으면 service token 발급 무의미
+  const envelope = await client.getEnvelope(project);
+  if (!envelope) {
+    console.error(
+      `project ${project} envelope 없음 — 먼저 \`athsra set ${project} KEY=value\` 실행.`,
+    );
+    return 1;
+  }
+
+  // worker 에 service token 발급
+  const created = await client.createServiceToken({
+    project,
+    label,
+    perms,
+    expiresInDays: expiresDays,
+  });
+
+  // envelope 에 recipient 추가 — v1 이면 v2 로 자동 migrate
+  let v2Envelope: SecretEnvelopeV2;
+  if (envelope.version === 1) {
+    v2Envelope = await migrateV1ToV2(envelope, masterPw);
+  } else {
+    v2Envelope = envelope;
+  }
+  const updated = await addServiceRecipient(
+    v2Envelope,
+    masterPw,
+    created.token,
+    created.recipient_id,
+  );
+  await client.putEnvelope(project, updated);
+
+  console.log('\n✓ service token 발급 완료\n');
+  console.log(`  token:        ${created.token}`);
+  console.log(`  project:      ${created.project}`);
+  console.log(`  perms:        ${created.perms}`);
+  console.log(`  recipient_id: ${created.recipient_id}`);
+  if (created.expires_at) console.log(`  expires_at:   ${created.expires_at}`);
+  console.log('');
+  console.log('보관 (password manager / 0600 파일 / secret manager):');
+  console.log(`  export ATHSRA_TOKEN='${created.token}'`);
+  console.log(`  export ATHSRA_PROJECT='${project}'`);
+  console.log('');
+  console.log('headless 호스트 사용 (master pw 없이):');
+  console.log(`  ATHSRA_TOKEN=... ATHSRA_PROJECT=${project} athsra run -- <cmd>`);
+  console.log('');
+  console.log(
+    'revoke (분실·로테이션 시): `athsra service-token revoke ats_...` — worker auth 즉시 거부 (D1 strong consistency).',
+  );
+
+  return 0;
+}
+
+async function revokeCmd(args: string[]): Promise<number> {
+  const token = args[0];
+  if (!token) {
+    console.error('usage: athsra service-token revoke <token>');
+    return 2;
+  }
+  if (!token.startsWith('ats_')) {
+    console.error('service token must start with ats_');
+    return 2;
+  }
+  const ctx = await loadAuthContext();
+  if (!ctx) return 1;
+  const { client } = ctx;
+
+  const res = await client.revoke(token);
+  console.log(`✓ revoked: ${res.revoked}`);
+  console.log(
+    '  envelope 의 recipient entry 는 그대로 남지만 보안상 무해 (worker auth 가 hash 로 거부).',
+  );
+  return 0;
+}
+
+async function listCmd(args: string[]): Promise<number> {
+  const project = args[0] && !args[0].startsWith('-') ? args[0] : undefined;
+
+  const ctx = await loadAuthContext();
+  if (!ctx) return 1;
+  if (ctx.kind !== 'user') {
+    console.error('athsra service-token list 는 user token (master pw) 가 필요합니다.');
+    return 1;
+  }
+  const { client } = ctx;
+
+  const { tokens, count } = await client.listServiceTokens(project ? { project } : undefined);
+
+  if (count === 0) {
+    console.log(
+      project ? `(no service tokens scoped to project: ${project})` : '(no service tokens issued)',
+    );
+    return 0;
+  }
+
+  const header = project
+    ? `service tokens scoped to ${project} (${count}):`
+    : `service tokens (${count}):`;
+  console.log(header);
+  console.log('');
+  const now = Date.now();
+  for (const t of tokens) {
+    const expired = t.expires_at && new Date(t.expires_at).getTime() < now;
+    const expiresLabel = t.expires_at
+      ? expired
+        ? `expired ${t.expires_at}`
+        : `expires ${t.expires_at}`
+      : 'no expiry';
+    console.log(`  ${t.label}`);
+    console.log(`    project:      ${t.project}`);
+    console.log(`    perms:        ${t.perms}`);
+    console.log(`    recipient_id: ${t.recipient_id}`);
+    console.log(`    hash:         ${t.hash.slice(0, 16)}…`);
+    console.log(`    issued by:    ${t.machine_id}`);
+    console.log(`    created:      ${t.created_at}`);
+    console.log(`    last seen:    ${t.last_seen_at}`);
+    console.log(`    ${expiresLabel}`);
+    console.log('');
+  }
+  console.log(
+    'revoke: `athsra service-token revoke ats_...` (token 본문은 발급 시점에만 노출 — 분실 시 hash 로 식별 후 재발급).',
+  );
+  return 0;
+}
+
+export async function serviceTokenCmd(args: string[]): Promise<number> {
+  const action = args[0];
+  if (action === 'create') return createCmd(args.slice(1));
+  if (action === 'list') return listCmd(args.slice(1));
+  if (action === 'revoke') return revokeCmd(args.slice(1));
+  if (action === '--help' || action === '-h') {
+    console.log(USAGE);
+    return 0;
+  }
+  if (!action) {
+    console.error(USAGE);
+    return 2;
+  }
+  console.error(`Unknown action: ${action}`);
+  console.error(USAGE);
+  return 2;
+}

package/src/commands/set.ts

@@ -1,21 +1,17 @@
 import { readFileSync } from 'node:fs';
-import {
-  DEFAULT_KDF,
-  decrypt,
-  deriveKey,
-  encrypt,
-  fromBase64,
-  randomSalt,
-  type SecretEnvelope,
-  toBase64,
-} from '@athsra/crypto';
 import { loadAuthContext } from '../lib/auth-context.ts';
-import { parseEnv, serializeEnv } from '../lib/env-format.ts';
+import { resolveProject } from '../lib/auto-project.ts';
+import { parseEnv, partitionEnv } from '../lib/env-format.ts';
+import { readPlain, writePlain } from '../lib/envelope.ts';
 
 const USAGE = [
-  'usage: athsra set <project> KEY=value [KEY2=value2 ...]',
-  '   or: athsra set <project> --from-file <path>   (.env 형식)',
-  '   or: athsra set <project> --stdin              (.env 형식 stdin)',
+  'usage: athsra set [<project>] KEY=value [KEY2=value2 ...]',
+  '   or: athsra set [<project>] --from-file <path>   (.env 형식)',
+  '   or: athsra set [<project>] --stdin              (.env 형식 stdin)',
+  '',
+  '<project> 자동 감지 (cwd 기반):',
+  '  --project=<x> > positional > .athsra file > package.json athsra.project > basename(cwd)',
+  '23 sibling repo 안에서는 cd 한 후 project 인자 생략 가능 (basename 자동 사용).',
 ].join('\n');
 
 async function readStdin(): Promise<string> {
@@ -40,12 +36,15 @@ function parsePairsArg(pairs: string[]): Record<string, string> | null {
 }
 
 export async function setCmd(args: string[]): Promise<number> {
-  const project = args[0];
+  const { project, rest, source } = resolveProject(args);
   if (!project) {
     console.error(USAGE);
     return 2;
   }
-  const rest = args.slice(1);
+  // mutating 명령 — auto-detect 시점 source 안내 (실수 방지). positional/flag 면 silent.
+  if (source !== 'positional' && source !== 'flag') {
+    console.log(`(project=${project} auto-detected from ${source})`);
+  }
 
   let updates: Record<string, string>;
   if (rest[0] === '--from-file') {
@@ -75,44 +74,31 @@ export async function setCmd(args: string[]): Promise<number> {
     return 2;
   }
 
-  const ctx = loadAuthContext();
-  if (!ctx) return 1;
-  const { masterPw, client } = ctx;
+  // 빈 값 키는 migration scaffolding 의 흔적 — silently 저장하지 않고 경고한다.
+  const { emptyKeys } = partitionEnv(updates);
+  if (emptyKeys.length > 0) {
+    console.error(
+      `⚠ ${emptyKeys.length} key${emptyKeys.length > 1 ? 's' : ''} set to an empty value: ${emptyKeys.join(', ')}`,
+    );
+    console.error(
+      '  empty values are treated as unset — `athsra run` skips them; use `athsra unset` to remove a key.',
+    );
+  }
 
-  // 기존 envelope fetch + decrypt (read-modify-write)
-  let plain: Record<string, string> = {};
-  const existing = await client.getEnvelope(project);
-  if (existing) {
-    const key = deriveKey(masterPw, fromBase64(existing.salt));
-    const text = await decrypt(key, {
-      ciphertext: fromBase64(existing.ciphertext),
-      nonce: fromBase64(existing.nonce),
-    });
-    plain = parseEnv(text);
+  const ctx = await loadAuthContext();
+  if (!ctx) return 1;
+  if (ctx.kind !== 'user') {
+    console.error('athsra set 은 user token (master pw) 가 필요합니다.');
+    return 1;
   }
 
-  // merge updates
+  // read-modify-write — v1/v2 dispatcher 가 read 처리, write 는 항상 v2.
+  const plain: Record<string, string> = (await readPlain(ctx, project)) ?? {};
   for (const [k, v] of Object.entries(updates)) {
     plain[k] = v;
   }
+  await writePlain(ctx, project, plain);
 
-  // 새 envelope (새 salt + nonce 매번)
-  const newSalt = randomSalt();
-  const newKey = deriveKey(masterPw, newSalt);
-  const blob = await encrypt(newKey, serializeEnv(plain));
-  const envelope: SecretEnvelope = {
-    version: 1,
-    alg: 'aes-256-gcm',
-    kdf: 'argon2id',
-    kdf_params: DEFAULT_KDF,
-    salt: toBase64(newSalt),
-    nonce: toBase64(blob.nonce),
-    ciphertext: toBase64(blob.ciphertext),
-    version_id: `v${Date.now()}`,
-    updated_at: new Date().toISOString(),
-  };
-
-  await client.putEnvelope(project, envelope);
   console.log(
     `✓ ${project}: ${updateCount} key${updateCount > 1 ? 's' : ''} set (${Object.keys(plain).length} total)`,
   );

package/src/commands/unset.ts

@@ -1,15 +1,5 @@
-import {
-  DEFAULT_KDF,
-  decrypt,
-  deriveKey,
-  encrypt,
-  fromBase64,
-  randomSalt,
-  type SecretEnvelope,
-  toBase64,
-} from '@athsra/crypto';
 import { loadAuthContext } from '../lib/auth-context.ts';
-import { parseEnv, serializeEnv } from '../lib/env-format.ts';
+import { readPlain, writePlain } from '../lib/envelope.ts';
 
 const USAGE =
   'usage: athsra unset <project> KEY1 [KEY2 ...]   # 해당 keys 만 제거 (envelope 그대로, 다른 keys 유지)';
@@ -26,21 +16,18 @@ export async function unsetCmd(args: string[]): Promise<number> {
     return 2;
   }
 
-  const ctx = loadAuthContext();
+  const ctx = await loadAuthContext();
   if (!ctx) return 1;
-  const { masterPw, client } = ctx;
+  if (ctx.kind !== 'user') {
+    console.error('athsra unset 은 user token (master pw) 가 필요합니다.');
+    return 1;
+  }
 
-  const existing = await client.getEnvelope(project);
-  if (!existing) {
+  const plain = await readPlain(ctx, project);
+  if (!plain) {
     console.error(`project not found: ${project}`);
     return 1;
   }
-  const oldKey = deriveKey(masterPw, fromBase64(existing.salt));
-  const text = await decrypt(oldKey, {
-    ciphertext: fromBase64(existing.ciphertext),
-    nonce: fromBase64(existing.nonce),
-  });
-  const plain = parseEnv(text);
 
   const removed: string[] = [];
   const notFound: string[] = [];
@@ -58,23 +45,7 @@ export async function unsetCmd(args: string[]): Promise<number> {
     return 1;
   }
 
-  // re-encrypt + PUT (새 salt + nonce)
-  const newSalt = randomSalt();
-  const newKey = deriveKey(masterPw, newSalt);
-  const blob = await encrypt(newKey, serializeEnv(plain));
-  const envelope: SecretEnvelope = {
-    version: 1,
-    alg: 'aes-256-gcm',
-    kdf: 'argon2id',
-    kdf_params: DEFAULT_KDF,
-    salt: toBase64(newSalt),
-    nonce: toBase64(blob.nonce),
-    ciphertext: toBase64(blob.ciphertext),
-    version_id: `v${Date.now()}`,
-    updated_at: new Date().toISOString(),
-  };
-
-  await client.putEnvelope(project, envelope);
+  await writePlain(ctx, project, plain);
   console.log(
     `✓ ${project}: ${removed.length} key${removed.length > 1 ? 's' : ''} removed (${Object.keys(plain).length} remaining)`,
   );