@athsra/cli 0.1.0 → 1.0.1

package/src/lib/client.ts

@@ -1,4 +1,4 @@
-import type { SecretEnvelope } from '@athsra/crypto';
+import type { SecretEnvelopeAny } from '@athsra/crypto';
 
 export interface WorkerInfo {
   name: string;
@@ -7,6 +7,10 @@ export interface WorkerInfo {
   description?: string;
   global_salt: string;
   global_salt_version: string;
+  /** Phase 1.x.5: PROOF row 의 globalSaltVersion (기록된 값). null = PROOF 미bootstrap. */
+  proof_global_salt_version?: string | null;
+  /** Phase 1.x.5: GLOBAL_SALT_VERSION 변경 감지. true = 다음 register 시 auto invalidate. */
+  proof_invalidated?: boolean;
 }
 
 export interface RegisterResponse {
@@ -20,6 +24,11 @@ export interface WhoamiResponse {
   label: string;
   createdAt: string;
   lastSeenAt: string;
+  /** Phase 1.x.8 — service token 일 때만 set. */
+  kind?: 'user' | 'service';
+  scopeProject?: string;
+  scopePerms?: 'read' | 'write';
+  recipientId?: string;
 }
 
 /**
@@ -88,6 +97,71 @@ export class AthsraClient {
     return (await res.json()) as { ok: boolean; revoked: string; self?: boolean };
   }
 
+  async createServiceToken(args: {
+    project: string;
+    label: string;
+    perms?: 'read' | 'write';
+    expiresInDays?: number;
+  }): Promise<{
+    token: string;
+    recipient_id: string;
+    project: string;
+    perms: string;
+    expires_at: string | null;
+  }> {
+    const res = await fetch(this.url('/auth/service-tokens'), {
+      method: 'POST',
+      headers: this.headers({ 'content-type': 'application/json' }),
+      body: JSON.stringify({
+        project: args.project,
+        label: args.label,
+        perms: args.perms,
+        expires_in_days: args.expiresInDays,
+      }),
+    });
+    if (!res.ok) throw new Error(`service-token create ${res.status}: ${await res.text()}`);
+    return (await res.json()) as {
+      token: string;
+      recipient_id: string;
+      project: string;
+      perms: string;
+      expires_at: string | null;
+    };
+  }
+
+  async listServiceTokens(opts?: { project?: string }): Promise<{
+    tokens: {
+      hash: string;
+      label: string;
+      project: string;
+      perms: 'read' | 'write';
+      recipient_id: string;
+      machine_id: string;
+      created_at: string;
+      last_seen_at: string;
+      expires_at: string | null;
+    }[];
+    count: number;
+  }> {
+    const qs = opts?.project ? `?project=${encodeURIComponent(opts.project)}` : '';
+    const res = await fetch(this.url(`/auth/service-tokens${qs}`), { headers: this.headers() });
+    if (!res.ok) throw new Error(`service-token list ${res.status}: ${await res.text()}`);
+    return (await res.json()) as {
+      tokens: {
+        hash: string;
+        label: string;
+        project: string;
+        perms: 'read' | 'write';
+        recipient_id: string;
+        machine_id: string;
+        created_at: string;
+        last_seen_at: string;
+        expires_at: string | null;
+      }[];
+      count: number;
+    };
+  }
+
   async rotateMaster(
     oldProof: string,
     newProof: string,
@@ -126,16 +200,16 @@ export class AthsraClient {
     };
   }
 
-  async getEnvelope(project: string): Promise<SecretEnvelope | null> {
+  async getEnvelope(project: string): Promise<SecretEnvelopeAny | null> {
     const res = await fetch(this.url(`/v1/secrets/${encodeURIComponent(project)}`), {
       headers: this.headers(),
     });
     if (res.status === 404) return null;
     if (!res.ok) throw new Error(`fetch ${res.status}: ${await res.text()}`);
-    return (await res.json()) as SecretEnvelope;
+    return (await res.json()) as SecretEnvelopeAny;
   }
 
-  async putEnvelope(project: string, envelope: SecretEnvelope): Promise<void> {
+  async putEnvelope(project: string, envelope: SecretEnvelopeAny): Promise<void> {
     const res = await fetch(this.url(`/v1/secrets/${encodeURIComponent(project)}`), {
       method: 'PUT',
       headers: this.headers({ 'content-type': 'application/json' }),
@@ -245,4 +319,285 @@ export class AthsraClient {
           count: number;
         };
   }
+
+  /**
+   * Phase 1.x.9 — GET /v1/audit (audit log query).
+   *
+   * 권한: user token full / service token with scope_perms='audit:read' / 그 외 403.
+   * 페이지네이션: cursor 기반 (ts DESC + id DESC), nextCursor 가 null 이면 끝.
+   */
+  /** Phase 2.2 — RBAC admin endpoints. user token + admin role 필요. */
+  async listUsers(): Promise<{ users: RbacUser[]; count: number }> {
+    const res = await fetch(this.url('/v1/admin/users'), { headers: this.headers() });
+    if (!res.ok) throw new Error(`admin list users ${res.status}: ${await res.text()}`);
+    return (await res.json()) as { users: RbacUser[]; count: number };
+  }
+
+  async inviteUser(args: {
+    identifier: string;
+    proof: string;
+    globalSaltVersion?: string;
+    initialRole?: 'admin' | 'dev' | 'viewer' | 'auditor' | 'sa';
+  }): Promise<{ ok: true; id: number; identifier: string; status: string; role: string }> {
+    const res = await fetch(this.url('/v1/admin/users'), {
+      method: 'POST',
+      headers: this.headers({ 'content-type': 'application/json' }),
+      body: JSON.stringify({
+        identifier: args.identifier,
+        proof: args.proof,
+        global_salt_version: args.globalSaltVersion,
+        initial_role: args.initialRole,
+      }),
+    });
+    if (!res.ok) throw new Error(`admin invite ${res.status}: ${await res.text()}`);
+    return (await res.json()) as {
+      ok: true;
+      id: number;
+      identifier: string;
+      status: string;
+      role: string;
+    };
+  }
+
+  async grantRole(args: {
+    userId: number;
+    role: 'admin' | 'dev' | 'viewer' | 'auditor' | 'sa';
+  }): Promise<{ ok: true; user_id: number; role: string }> {
+    const res = await fetch(this.url(`/v1/admin/users/${args.userId}/roles`), {
+      method: 'POST',
+      headers: this.headers({ 'content-type': 'application/json' }),
+      body: JSON.stringify({ role: args.role }),
+    });
+    if (!res.ok) throw new Error(`admin grant role ${res.status}: ${await res.text()}`);
+    return (await res.json()) as { ok: true; user_id: number; role: string };
+  }
+
+  async revokeRole(args: {
+    userId: number;
+    role: 'admin' | 'dev' | 'viewer' | 'auditor' | 'sa';
+  }): Promise<{ ok: true; user_id: number; role: string }> {
+    const res = await fetch(
+      this.url(`/v1/admin/users/${args.userId}/roles/${encodeURIComponent(args.role)}`),
+      { method: 'DELETE', headers: this.headers() },
+    );
+    if (!res.ok) throw new Error(`admin revoke role ${res.status}: ${await res.text()}`);
+    return (await res.json()) as { ok: true; user_id: number; role: string };
+  }
+
+  async grantAcl(args: {
+    project: string;
+    userId: number;
+    perms: 'read' | 'write';
+  }): Promise<{ ok: true; user_id: number; project: string; perms: string }> {
+    const res = await fetch(
+      this.url(`/v1/admin/projects/${encodeURIComponent(args.project)}/acl`),
+      {
+        method: 'POST',
+        headers: this.headers({ 'content-type': 'application/json' }),
+        body: JSON.stringify({ user_id: args.userId, perms: args.perms }),
+      },
+    );
+    if (!res.ok) throw new Error(`admin grant acl ${res.status}: ${await res.text()}`);
+    return (await res.json()) as {
+      ok: true;
+      user_id: number;
+      project: string;
+      perms: string;
+    };
+  }
+
+  async revokeAcl(args: { project: string; userId: number }): Promise<{ ok: true }> {
+    const res = await fetch(
+      this.url(`/v1/admin/projects/${encodeURIComponent(args.project)}/acl/${args.userId}`),
+      { method: 'DELETE', headers: this.headers() },
+    );
+    if (!res.ok) throw new Error(`admin revoke acl ${res.status}: ${await res.text()}`);
+    return (await res.json()) as { ok: true };
+  }
+
+  /**
+   * Phase 2.5 — project 의 CF Worker mapping 목록 조회 (dashboard 용).
+   * 404 시 null — caller silent 처리.
+   */
+  async listCwWorkers(project: string): Promise<CwWorkerRow[] | null> {
+    const res = await fetch(this.url(`/v1/workers/${encodeURIComponent(project)}`), {
+      headers: this.headers(),
+    });
+    if (res.status === 404) return null;
+    if (!res.ok) throw new Error(`listCwWorkers ${res.status}: ${await res.text()}`);
+    const json = (await res.json()) as { workers: CwWorkerRow[] };
+    return json.workers;
+  }
+
+  /**
+   * Phase 2.5 — project ↔ CF Worker mapping 제거.
+   */
+  async deleteCwWorker(project: string, workerName: string): Promise<{ ok: true } | null> {
+    const res = await fetch(
+      this.url(`/v1/workers/${encodeURIComponent(project)}/${encodeURIComponent(workerName)}`),
+      {
+        method: 'DELETE',
+        headers: this.headers(),
+      },
+    );
+    if (res.status === 404) return null;
+    if (!res.ok) throw new Error(`deleteCwWorker ${res.status}: ${await res.text()}`);
+    return (await res.json()) as { ok: true };
+  }
+
+  /**
+   * Phase 2.5 — project ↔ CF Worker mapping 등록 (idempotent upsert).
+   * 404 (athsra worker 미 deploy 또는 endpoint 미 등록) 시 null 반환 — caller 가 silent 처리.
+   */
+  async registerCwWorker(
+    project: string,
+    body: {
+      workerName: string;
+      accountId: string;
+      rootDirectory?: string;
+      branch?: string;
+      triggerUuid?: string;
+    },
+  ): Promise<{ id: number; created: boolean } | null> {
+    const res = await fetch(this.url(`/v1/workers/${encodeURIComponent(project)}`), {
+      method: 'POST',
+      headers: this.headers({ 'content-type': 'application/json' }),
+      body: JSON.stringify(body),
+    });
+    if (res.status === 404) return null;
+    if (!res.ok) throw new Error(`registerCwWorker ${res.status}: ${await res.text()}`);
+    return (await res.json()) as { id: number; created: boolean };
+  }
+
+  /**
+   * Phase 2.5 — project ↔ CF Worker snapshot 갱신 (sync/build 결과 기록).
+   * 404 (athsra worker 미 deploy 또는 mapping 미존재) 시 null — caller 가 silent 처리.
+   */
+  async updateCwWorker(
+    project: string,
+    workerName: string,
+    body: {
+      rootDirectory?: string;
+      branch?: string;
+      triggerUuid?: string;
+      lastSyncedAt?: string;
+      lastSyncOutcome?: 'success' | 'fail';
+      lastSyncKeyCount?: number;
+      lastBuildUuid?: string;
+      lastBuildOutcome?: 'success' | 'fail';
+      lastBuildAt?: string;
+    },
+  ): Promise<{ ok: true; id: number } | null> {
+    const res = await fetch(
+      this.url(`/v1/workers/${encodeURIComponent(project)}/${encodeURIComponent(workerName)}`),
+      {
+        method: 'PATCH',
+        headers: this.headers({ 'content-type': 'application/json' }),
+        body: JSON.stringify(body),
+      },
+    );
+    if (res.status === 404) return null;
+    if (!res.ok) throw new Error(`updateCwWorker ${res.status}: ${await res.text()}`);
+    return (await res.json()) as { ok: true; id: number };
+  }
+
+  async queryAudit(opts?: {
+    actor?: string;
+    action?: string;
+    status?: number;
+    from?: string;
+    to?: string;
+    limit?: number;
+    cursor?: string;
+  }): Promise<{
+    entries: AuditEntry[];
+    count: number;
+    nextCursor: string | null;
+  }> {
+    const qs = new URLSearchParams();
+    if (opts?.actor) qs.set('actor', opts.actor);
+    if (opts?.action) qs.set('action', opts.action);
+    if (opts?.status !== undefined) qs.set('status', String(opts.status));
+    if (opts?.from) qs.set('from', opts.from);
+    if (opts?.to) qs.set('to', opts.to);
+    if (opts?.limit !== undefined) qs.set('limit', String(opts.limit));
+    if (opts?.cursor) qs.set('cursor', opts.cursor);
+    const url = this.url(`/v1/audit${qs.toString() ? `?${qs.toString()}` : ''}`);
+    const res = await fetch(url, { headers: this.headers() });
+    if (!res.ok) throw new Error(`audit query ${res.status}: ${await res.text()}`);
+    return (await res.json()) as {
+      entries: AuditEntry[];
+      count: number;
+      nextCursor: string | null;
+    };
+  }
+}
+
+/**
+ * Phase 1.x.9 — audit log row 형식. worker route `/v1/audit` 의 응답 매핑.
+ * D1 의 raw row 가 아닌 worker side enriched (meta_json parsed) entry.
+ */
+export interface CwWorkerRow {
+  id: number;
+  project: string;
+  workerName: string;
+  accountId: string;
+  rootDirectory: string | null;
+  branch: string | null;
+  lastSyncedAt: string | null;
+  lastSyncOutcome: 'success' | 'fail' | null;
+  lastSyncKeyCount: number | null;
+  triggerUuid: string | null;
+  lastBuildUuid: string | null;
+  lastBuildOutcome: 'success' | 'fail' | null;
+  lastBuildAt: string | null;
+  createdAt: string;
+  updatedAt: string;
+}
+
+export interface AuditEntry {
+  id: number;
+  ts: string;
+  type: string;
+  actor: string;
+  action: string;
+  request_method: string | null;
+  request_path: string | null;
+  status: number;
+  meta: unknown;
+}
+
+/** Phase 2.2 — RBAC user row (admin endpoint 응답). */
+export interface RbacUser {
+  id: number;
+  identifier: string;
+  status: 'active' | 'disabled';
+  created_at: string;
+  updated_at: string;
+  roles: string[];
+}
+
+/** Phase 2.2 — admin endpoint 호출 helper (client extension via prototype 식). */
+export interface AdminClient {
+  listUsers(): Promise<{ users: RbacUser[]; count: number }>;
+  inviteUser(args: {
+    identifier: string;
+    proof: string;
+    globalSaltVersion?: string;
+    initialRole?: 'admin' | 'dev' | 'viewer' | 'auditor' | 'sa';
+  }): Promise<{ ok: true; id: number; identifier: string; status: string; role: string }>;
+  grantRole(args: {
+    userId: number;
+    role: 'admin' | 'dev' | 'viewer' | 'auditor' | 'sa';
+  }): Promise<{ ok: true; user_id: number; role: string }>;
+  revokeRole(args: {
+    userId: number;
+    role: 'admin' | 'dev' | 'viewer' | 'auditor' | 'sa';
+  }): Promise<{ ok: true; user_id: number; role: string }>;
+  grantAcl(args: {
+    project: string;
+    userId: number;
+    perms: 'read' | 'write';
+  }): Promise<{ ok: true; user_id: number; project: string; perms: string }>;
+  revokeAcl(args: { project: string; userId: number }): Promise<{ ok: true }>;
 }

package/src/lib/env-format.ts

@@ -29,3 +29,28 @@ export function serializeEnv(plain: Record<string, string>): string {
     .map(([k, v]) => `${k}=${v}`)
     .join('\n');
 }
+
+/**
+ * 빈 값 키 (value === '') 를 정상 키와 분리한다.
+ *
+ * athsra 는 빈 값 키를 "미설정" 으로 취급한다 — `run` 은 inject 를 건너뛰어
+ * 부모 환경 변수를 보존하고, `ls`/`doctor` 는 `(empty)` 로 노출한다. 키 이름만
+ * 등록되고 값이 누락된 산출물 (migration scaffolding) 이 유효한 부모 env 를
+ * silently 덮어써 배포 인증을 깨뜨리는 사고를 차단하기 위한 "빈 값" 의 단일 정의.
+ */
+export function partitionEnv(plain: Record<string, string>): {
+  filled: Record<string, string>;
+  emptyKeys: string[];
+} {
+  const filled: Record<string, string> = {};
+  const emptyKeys: string[] = [];
+  for (const [key, value] of Object.entries(plain)) {
+    if (value === '') {
+      emptyKeys.push(key);
+    } else {
+      filled[key] = value;
+    }
+  }
+  emptyKeys.sort();
+  return { filled, emptyKeys };
+}

package/src/lib/envelope.ts

@@ -0,0 +1,76 @@
+/**
+ * envelope dispatcher — v1/v2 read 통합 + v2-only write, user/service mode 모두.
+ *
+ * 모든 CLI command 가 사용. user mode 는 master pw 로, service mode 는 ats_*
+ * token 자체를 Argon2id wrap secret 으로 사용해 recipient 의 wrapped DEK 를 풀어
+ * 본문 복호 (master pw 없이도 E2EE 유지). v1 envelope (legacy) 도 user mode 에서
+ * 자동 처리 — service mode 는 v2 만 가능 (v1 은 recipients[] 없음).
+ *
+ * write 는 항상 v2 (DEK + master recipient 만). service mode 는 write 시도 시
+ * 에러 (worker 가 scope_perms='read' 거부할 뿐 아니라 client 측에서 사전 차단).
+ */
+
+import {
+  createEnvelopeV2,
+  decrypt,
+  decryptEnvelopeV2,
+  deriveKey,
+  fromBase64,
+  type SecretEnvelopeAny,
+  type SecretEnvelopeV2,
+} from '@athsra/crypto';
+import type { AuthContext } from './auth-context.ts';
+import { parseEnv, serializeEnv } from './env-format.ts';
+
+async function decryptEnvelope(env: SecretEnvelopeAny, ctx: AuthContext): Promise<string> {
+  if (ctx.kind === 'user') {
+    if (env.version === 2) {
+      return decryptEnvelopeV2(env, ctx.masterPw, 'master');
+    }
+    const key = deriveKey(ctx.masterPw, fromBase64(env.salt), env.kdf_params);
+    return decrypt(key, {
+      ciphertext: fromBase64(env.ciphertext),
+      nonce: fromBase64(env.nonce),
+    });
+  }
+  // service mode: v2 만 가능 (recipient unwrap)
+  if (env.version !== 2) {
+    throw new Error(
+      'service token requires envelope v2 — run `athsra rotate-master` (or any `athsra set`) ' +
+        'on a user-token machine to migrate v1 → v2 first',
+    );
+  }
+  return decryptEnvelopeV2(env, ctx.tokenSecret, ctx.recipientId);
+}
+
+/**
+ * Fetch + decrypt project envelope (v1 또는 v2, user 또는 service mode), 파싱된
+ * env map 반환. envelope 없으면 null.
+ */
+export async function readPlain(
+  ctx: AuthContext,
+  project: string,
+): Promise<Record<string, string> | null> {
+  const env = await ctx.client.getEnvelope(project);
+  if (!env) return null;
+  const text = await decryptEnvelope(env, ctx);
+  return parseEnv(text);
+}
+
+/**
+ * Encrypt + write project envelope as v2. user mode 만 — service mode 는 에러
+ * (master pw 없으므로 fresh v2 envelope 를 만들 수 없음; worker 도 scope_perms
+ * 검사로 거부함, 여기선 client 측에서 사전 차단).
+ */
+export async function writePlain(
+  ctx: AuthContext,
+  project: string,
+  plain: Record<string, string>,
+): Promise<SecretEnvelopeV2> {
+  if (ctx.kind !== 'user') {
+    throw new Error('service token cannot write envelopes — use a user token (master pw)');
+  }
+  const env = await createEnvelopeV2(serializeEnv(plain), ctx.masterPw);
+  await ctx.client.putEnvelope(project, env);
+  return env;
+}