@athsra/cli 0.1.0

package/src/commands/login.ts

@@ -0,0 +1,142 @@
+import { hostname } from 'node:os';
+import { deriveKey, fromBase64, toBase64 } from '@athsra/crypto';
+import { isValidPhrase, normalizePhrase, wordCount } from '../lib/bip39.ts';
+import { AthsraClient } from '../lib/client.ts';
+import { type Config, loadConfig, saveConfig } from '../lib/config.ts';
+import { probeKeyring, setMasterPw, setToken } from '../lib/keyring.ts';
+import { consumeLegacySession } from '../lib/legacy-session.ts';
+import { promptConfirm, promptPassword, promptText } from '../lib/prompt.ts';
+
+export async function loginCmd(_args: string[]): Promise<number> {
+  console.log('athsra login\n');
+
+  // 1. keyring backend probe (정공법: fallback 없음)
+  const probe = probeKeyring();
+  if (!probe.ok) {
+    console.error(`✗ keyring backend unavailable: ${probe.error ?? 'unknown'}`);
+    console.error('  Run `athsra doctor` for setup instructions (apt install + dbus).');
+    return 1;
+  }
+
+  // 2. legacy ~/.athsra/session 발견 시 1회 migration
+  const legacy = consumeLegacySession();
+  if (legacy) {
+    console.log('• Detected legacy ~/.athsra/session — will migrate to keyring + remove file.\n');
+  }
+
+  // 3. config — workerUrl + machineId ($ATHSRA_WORKER_URL 우선)
+  const existing = loadConfig();
+  const envUrl = process.env.ATHSRA_WORKER_URL;
+  const workerUrl =
+    existing?.workerUrl ??
+    envUrl ??
+    (await promptText('Worker URL', 'https://athsra-worker.winterermod.workers.dev'));
+  const machineId = existing?.machineId ?? `${hostname()}-${Date.now().toString(36)}`;
+
+  // 4. master pw
+  //    우선순위: legacy session > $ATHSRA_MASTER_PW (non-interactive) > prompt
+  let masterPw: string;
+  const envPw = process.env.ATHSRA_MASTER_PW;
+  if (legacy) {
+    masterPw = legacy.masterPw;
+    console.log('• Using master password from legacy session.');
+  } else if (envPw && envPw.length >= 8) {
+    masterPw = envPw;
+    console.log('• Master password from $ATHSRA_MASTER_PW (non-interactive mode).');
+  } else {
+    masterPw = await promptPassword('Master password (8+ chars)');
+    if (masterPw.length < 8) {
+      console.error('Master password must be at least 8 characters');
+      return 1;
+    }
+    const confirm = await promptPassword('Confirm');
+    if (masterPw !== confirm) {
+      console.error('Passwords do not match');
+      return 1;
+    }
+  }
+
+  // 5. paper-backup confirm + BIP-39 phrase detect (legacy 는 skip)
+  //    $ATHSRA_PAPER_BACKUP_CONFIRMED=1 명시 시 prompt 우회 (호출자 명시 ack)
+  if (!legacy) {
+    if (isValidPhrase(masterPw)) {
+      const wc = wordCount(masterPw);
+      console.log(
+        `\n• Master password is a valid BIP-39 ${wc}-word phrase ✓ (recommended, checksum verified).`,
+      );
+      // BIP-39 phrase 는 normalize 후 사용 (소문자 + single space)
+      masterPw = normalizePhrase(masterPw);
+    } else {
+      console.log(
+        '\n• Tip: `athsra new-phrase` 로 BIP-39 12-word phrase 생성 가능 (분실 risk 완화).',
+      );
+    }
+
+    console.log(
+      '\n⚠ CRITICAL: master password 분실 = 모든 secret 영구 loss (Phase 1 = recovery 없음).',
+    );
+    console.log('  반드시 종이에 적어 안전한 곳에 보관하세요.');
+    if (process.env.ATHSRA_PAPER_BACKUP_CONFIRMED === '1') {
+      console.log('• $ATHSRA_PAPER_BACKUP_CONFIRMED=1 — paper-backup ack 자동 적용.');
+    } else {
+      const acked = await promptConfirm(
+        'I have written down my master password on paper and stored it safely',
+      );
+      if (!acked) {
+        console.error('Aborted — please backup your master password before continuing.');
+        return 1;
+      }
+    }
+  }
+
+  // 6. worker reachability + global_salt fetch
+  const tempClient = new AthsraClient(workerUrl);
+  const reachable = await tempClient.health();
+  if (!reachable) {
+    console.error(`✗ worker unreachable: ${workerUrl}`);
+    return 1;
+  }
+  const info = await tempClient.info();
+  if (info.phase < 1) {
+    console.error(`✗ worker phase=${info.phase} — Pre-A 인증 미배포. wrangler deploy 후 재시도.`);
+    return 1;
+  }
+
+  // 7. master_pw_proof = Argon2id(pw + GLOBAL_SALT)
+  const proofBytes = deriveKey(masterPw, fromBase64(info.global_salt));
+  const proofBase64 = toBase64(proofBytes);
+
+  // 8. register → token
+  let reg: Awaited<ReturnType<typeof tempClient.register>>;
+  try {
+    reg = await tempClient.register(proofBase64, machineId);
+  } catch (err) {
+    const msg = (err as Error).message;
+    if (msg.includes('401')) {
+      console.error('✗ master password mismatch — 이미 등록된 master pw 와 다릅니다.');
+      console.error('  올바른 master pw 입력 또는 기존 머신에서 revoke 후 재시도.');
+    } else {
+      console.error(`✗ register failed: ${msg}`);
+    }
+    return 1;
+  }
+
+  // 9. config + keyring 저장
+  const config: Config = {
+    workerUrl,
+    machineId,
+    createdAt: existing?.createdAt ?? reg.createdAt,
+  };
+  saveConfig(config);
+  setMasterPw(machineId, masterPw);
+  setToken(machineId, reg.token);
+
+  console.log(`\n✓ logged in (machine: ${machineId})`);
+  console.log(`  worker:   ${workerUrl}`);
+  console.log(`  config:   ~/.athsra/config.json`);
+  console.log('  keyring:  master-pw + token saved (OS keyring, 무기한)');
+  if (legacy) {
+    console.log('  legacy:   ~/.athsra/session migrated and removed.');
+  }
+  return 0;
+}

package/src/commands/ls.ts

@@ -0,0 +1,57 @@
+import { decrypt, deriveKey, fromBase64 } from '@athsra/crypto';
+import { loadAuthContext } from '../lib/auth-context.ts';
+import { parseEnv } from '../lib/env-format.ts';
+
+/**
+ * athsra ls                       — active projects only
+ * athsra ls --all                 — active + soft-deleted (deleted 표시)
+ * athsra ls --include-deleted     — alias of --all
+ * athsra ls <project>             — keys of project (decrypt 필요)
+ */
+export async function lsCmd(args: string[]): Promise<number> {
+  const ctx = loadAuthContext();
+  if (!ctx) return 1;
+  const { masterPw, client } = ctx;
+
+  const positional = args.filter((a) => !a.startsWith('-'));
+  const includeDeleted = args.includes('--all') || args.includes('--include-deleted');
+
+  // ls — project 목록
+  if (positional.length === 0) {
+    const result = await client.listProjectsExtended({ includeDeleted });
+    if (result.count === 0) {
+      console.log('(no projects yet — run `athsra set <project> KEY=value`)');
+      return 0;
+    }
+    if (Array.isArray(result.projects) && typeof result.projects[0] === 'string') {
+      // active-only response
+      for (const p of result.projects as string[]) console.log(p);
+      return 0;
+    }
+    // include_deleted response — { project, active, deleted }
+    const items = result.projects as { project: string; active: boolean; deleted: boolean }[];
+    for (const it of items) {
+      const tag = it.deleted ? ' (deleted)' : '';
+      console.log(`${it.project}${tag}`);
+    }
+    return 0;
+  }
+
+  // ls <project> — key 목록 (값 없음, decrypt 후 key 만)
+  const project = positional[0];
+  if (!project) return 0;
+
+  const envelope = await client.getEnvelope(project);
+  if (!envelope) {
+    console.error(`project not found: ${project}`);
+    return 1;
+  }
+  const derived = deriveKey(masterPw, fromBase64(envelope.salt));
+  const text = await decrypt(derived, {
+    ciphertext: fromBase64(envelope.ciphertext),
+    nonce: fromBase64(envelope.nonce),
+  });
+  const plain = parseEnv(text);
+  for (const k of Object.keys(plain).sort()) console.log(k);
+  return 0;
+}

package/src/commands/new-phrase.ts

@@ -0,0 +1,62 @@
+import { generatePhrase, wordCount } from '../lib/bip39.ts';
+import { promptConfirm } from '../lib/prompt.ts';
+
+const USAGE = [
+  'usage: athsra new-phrase                    # random BIP-39 12-word phrase 생성',
+  '',
+  'Phase 1+ 권장: master password 를 BIP-39 12-word phrase 로 사용.',
+  '  - 128-bit entropy + checksum 검증',
+  '  - 종이 backup 쉬움 (영문 12 단어)',
+  '  - Ledger/Trezor 호환 표준 (Phase 3+ hardware wallet 통합 가능)',
+  '',
+  '생성 후 흐름:',
+  '  - 첫 머신:  athsra login       # master pw 입력 시 phrase 사용',
+  '  - 변경:    athsra rotate-master # 기존 pw 를 phrase 로 교체',
+].join('\n');
+
+export async function newPhraseCmd(args: string[]): Promise<number> {
+  if (args[0] === '--help' || args[0] === '-h') {
+    console.log(USAGE);
+    return 0;
+  }
+
+  const phrase = generatePhrase();
+  const count = wordCount(phrase);
+
+  console.log('\n=== BIP-39 12-word recovery phrase (master password 후보) ===\n');
+  // 4 단어씩 줄바꿈 (paper backup 쓰기 쉽게)
+  const words = phrase.split(' ');
+  for (let i = 0; i < words.length; i += 4) {
+    const line = words
+      .slice(i, i + 4)
+      .map((w, idx) => `${(i + idx + 1).toString().padStart(2, ' ')}. ${w.padEnd(10, ' ')}`)
+      .join('  ');
+    console.log(`  ${line}`);
+  }
+  console.log(`\n  (${count} words, 128-bit entropy, BIP-39 checksum verified)\n`);
+  console.log('============================================================\n');
+
+  console.log('⚠ CRITICAL — 종이에 정확히 적어 안전한 곳에 보관하세요.');
+  console.log('  - phrase 자체가 master password 입니다.');
+  console.log('  - 분실 시 모든 secret 영구 loss (Phase 1 = recovery 없음).');
+  console.log('  - 다른 사람과 공유 X. 사진 / 클라우드 backup 권장 X.\n');
+
+  if (process.env.ATHSRA_PAPER_BACKUP_CONFIRMED === '1') {
+    console.log('• $ATHSRA_PAPER_BACKUP_CONFIRMED=1 — ack 자동 적용.\n');
+  } else {
+    const acked = await promptConfirm(
+      'I have written down the BIP-39 phrase on paper exactly and stored it safely',
+    );
+    if (!acked) {
+      console.error('Aborted — phrase 는 메모리에서 폐기됩니다 (재생성하려면 다시 실행).');
+      return 1;
+    }
+  }
+
+  console.log('다음 단계:');
+  console.log(
+    '  athsra login                   # 첫 머신 (PROOF bootstrap, 위 phrase 를 master pw 로 입력)',
+  );
+  console.log('  athsra rotate-master           # 기존 master pw 가 있다면 위 phrase 로 변경');
+  return 0;
+}

package/src/commands/purge.ts

@@ -0,0 +1,44 @@
+import { loadAuthContext } from '../lib/auth-context.ts';
+import { promptConfirm } from '../lib/prompt.ts';
+
+const USAGE = [
+  'usage: athsra purge <project>          # hard-delete (모든 versions 영구 제거)',
+  '   or: athsra purge <project> --yes    # confirm 우회 (CI 용)',
+  '',
+  'note: athsra delete <project> --hard 와 동일. 명시적 별칭.',
+].join('\n');
+
+/**
+ * athsra purge <project>
+ *   - hard-delete alias. 모든 versions + tombstone 영구 제거. 복원 불가능.
+ *   - delete --hard 와 동일 동작이지만 명시적 명령 — 위험성을 더 분명히 드러냄.
+ *   - 무조건 double confirm (--yes 또는 ATHSRA_PURGE_CONFIRMED=1 로 우회)
+ */
+export async function purgeCmd(args: string[]): Promise<number> {
+  const project = args[0];
+  if (!project) {
+    console.error(USAGE);
+    return 2;
+  }
+  const yes = args.includes('--yes') || args.includes('-y');
+
+  const ctx = loadAuthContext();
+  if (!ctx) return 1;
+  const { client } = ctx;
+
+  if (!yes && process.env.ATHSRA_PURGE_CONFIRMED !== '1') {
+    const ok = await promptConfirm(
+      `PURGE ${project}? All version history permanently removed. NOT RECOVERABLE.`,
+      false,
+    );
+    if (!ok) return 0;
+    const ok2 = await promptConfirm(`Type confirmation: really purge ${project}?`, false);
+    if (!ok2) return 0;
+  }
+
+  const result = await client.deleteProject(project, { hard: true });
+  console.log(
+    `✓ ${project}: purged (${result.removed_versions ?? 0} version${(result.removed_versions ?? 0) === 1 ? '' : 's'} permanently removed)`,
+  );
+  return 0;
+}

package/src/commands/restore.ts

@@ -0,0 +1,27 @@
+import { loadAuthContext } from '../lib/auth-context.ts';
+
+const USAGE = 'usage: athsra restore <project>   # tombstone 제거 + 최신 version 활성화';
+
+/**
+ * athsra restore <project>
+ *   - soft-deleted project 복원 (tombstone 제거 + 가장 최신 version 으로 current 복원)
+ *   - tombstone 없으면 400 — 이미 활성
+ *   - hard-delete 후엔 versions 가 없어 복원 불가
+ */
+export async function restoreCmd(args: string[]): Promise<number> {
+  const project = args[0];
+  if (!project) {
+    console.error(USAGE);
+    return 2;
+  }
+
+  const ctx = loadAuthContext();
+  if (!ctx) return 1;
+  const { client } = ctx;
+
+  const result = await client.restoreProject(project);
+  console.log(
+    `✓ ${project}: restored to ${result.restored_version} (was deleted ${result.deleted_at} by ${result.deleted_by})`,
+  );
+  return 0;
+}

package/src/commands/revoke.ts

@@ -0,0 +1,38 @@
+import { loadAuthContext } from '../lib/auth-context.ts';
+import { clearMasterPw, clearToken } from '../lib/keyring.ts';
+import { promptConfirm } from '../lib/prompt.ts';
+
+/**
+ * athsra revoke              — 자기 token revoke (현재 머신)
+ * athsra revoke <atk_*>      — 명시 token revoke (다른 머신 정리)
+ *
+ * self-revoke 시 keyring 의 master-pw + token 도 함께 clear (다음 set/get 시 login 필요).
+ */
+export async function revokeCmd(args: string[]): Promise<number> {
+  const target = args[0];
+  const ctx = loadAuthContext();
+  if (!ctx) return 1;
+  const { client, config } = ctx;
+
+  if (!target) {
+    if (process.env.ATHSRA_REVOKE_CONFIRMED !== '1') {
+      const ok = await promptConfirm(
+        'Revoke this machine token? Next set/get will require athsra login.',
+      );
+      if (!ok) return 0;
+    }
+    const result = await client.revoke();
+    clearMasterPw(config.machineId);
+    clearToken(config.machineId);
+    console.log(`✓ self-revoke: ${result.revoked} (keyring cleared)`);
+    return 0;
+  }
+
+  if (!target.startsWith('atk_')) {
+    console.error('Token must start with atk_*');
+    return 2;
+  }
+  const result = await client.revoke(target);
+  console.log(`✓ revoke: ${result.revoked}`);
+  return 0;
+}

package/src/commands/rollback.ts

@@ -0,0 +1,35 @@
+import { loadAuthContext } from '../lib/auth-context.ts';
+import { promptConfirm } from '../lib/prompt.ts';
+
+const USAGE = 'usage: athsra rollback <project> <version_id>';
+
+/**
+ * athsra rollback <project> <version_id>
+ *   - 특정 version 을 current 로 복원
+ *   - tombstone 있으면 자동 제거 (rollback 은 항상 active 상태로)
+ *   - confirm 필요 (--yes 로 우회 가능)
+ */
+export async function rollbackCmd(args: string[]): Promise<number> {
+  const project = args[0];
+  const versionId = args[1];
+  if (!project || !versionId) {
+    console.error(USAGE);
+    return 2;
+  }
+  const yes = args.includes('--yes') || args.includes('-y');
+
+  const ctx = loadAuthContext();
+  if (!ctx) return 1;
+  const { client } = ctx;
+
+  if (!yes && process.env.ATHSRA_ROLLBACK_CONFIRMED !== '1') {
+    const ok = await promptConfirm(
+      `Rollback ${project} to ${versionId}? Current version becomes inactive (still in history).`,
+    );
+    if (!ok) return 0;
+  }
+
+  const result = await client.rollbackProject(project, versionId);
+  console.log(`✓ ${project}: rolled back to ${result.current_version}`);
+  return 0;
+}

package/src/commands/rotate-master.ts

@@ -0,0 +1,146 @@
+import {
+  DEFAULT_KDF,
+  decrypt,
+  deriveKey,
+  encrypt,
+  fromBase64,
+  randomSalt,
+  type SecretEnvelope,
+  toBase64,
+} from '@athsra/crypto';
+import { loadAuthContext } from '../lib/auth-context.ts';
+import { isValidPhrase, normalizePhrase, wordCount } from '../lib/bip39.ts';
+import { AthsraClient } from '../lib/client.ts';
+import { setMasterPw, setToken } from '../lib/keyring.ts';
+import { promptConfirm, promptPassword } from '../lib/prompt.ts';
+
+/**
+ * athsra rotate-master — master password 변경 (모든 projects re-encrypt).
+ *
+ * 흐름:
+ *   1. 옛 master pw (keyring) 로 모든 envelope decrypt
+ *   2. POST /auth/rotate-master — 옛 proof 검증 + 새 proof 저장 + 모든 token 삭제 + 새 token 발급
+ *   3. 새 master pw + 새 token 으로 모든 envelope re-encrypt + PUT
+ *   4. keyring 갱신
+ *
+ * 비-원자적 (step 3 도중 실패 시 일부 envelope 만 새 master pw 로). 다만 step 2
+ * 이후에는 옛 master pw 와 옛 token 모두 invalid — 사용자 안내로 rotate-master 재시도 권장.
+ *
+ * envvar:
+ *   ATHSRA_NEW_MASTER_PW                — 새 master pw (non-interactive)
+ *   ATHSRA_PAPER_BACKUP_CONFIRMED=1     — paper-backup ack 자동
+ */
+export async function rotateMasterCmd(_args: string[]): Promise<number> {
+  console.log('athsra rotate-master\n');
+
+  const ctx = loadAuthContext();
+  if (!ctx) return 1;
+  const { masterPw: oldPw, client, config } = ctx;
+
+  // 새 master pw 입력
+  let newPw: string;
+  const envPw = process.env.ATHSRA_NEW_MASTER_PW;
+  if (envPw && envPw.length >= 8) {
+    newPw = envPw;
+    console.log('• New master pw from $ATHSRA_NEW_MASTER_PW (non-interactive).');
+  } else {
+    newPw = await promptPassword('New master password (8+ chars)');
+    if (newPw.length < 8) {
+      console.error('Master password must be at least 8 characters');
+      return 1;
+    }
+    const confirm = await promptPassword('Confirm');
+    if (newPw !== confirm) {
+      console.error('Passwords do not match');
+      return 1;
+    }
+  }
+
+  if (newPw === oldPw) {
+    console.error('새 master pw 가 기존과 동일합니다.');
+    return 1;
+  }
+
+  // BIP-39 phrase detect + normalize
+  if (isValidPhrase(newPw)) {
+    const wc = wordCount(newPw);
+    console.log(`• New master pw is a valid BIP-39 ${wc}-word phrase ✓ (recommended).`);
+    newPw = normalizePhrase(newPw);
+  } else {
+    console.log('• Tip: `athsra new-phrase` 로 BIP-39 12-word phrase 생성 가능.');
+  }
+
+  // paper-backup confirm
+  console.log('\n⚠ CRITICAL: 새 master password 분실 = 모든 secret 영구 loss.');
+  console.log('  반드시 종이에 적어 안전한 곳에 보관하세요.');
+  if (process.env.ATHSRA_PAPER_BACKUP_CONFIRMED === '1') {
+    console.log('• $ATHSRA_PAPER_BACKUP_CONFIRMED=1 — ack 자동.');
+  } else {
+    const acked = await promptConfirm(
+      'I have written down the NEW master password on paper and stored it safely',
+    );
+    if (!acked) {
+      console.error('Aborted.');
+      return 1;
+    }
+  }
+
+  // 1. 모든 projects fetch + decrypt (옛 master pw)
+  const projects = await client.listProjects();
+  console.log(`\n• Decrypting ${projects.length} projects with old master pw...`);
+  const plaintexts: Record<string, string> = {};
+  for (const p of projects) {
+    const env = await client.getEnvelope(p);
+    if (!env) continue;
+    const key = deriveKey(oldPw, fromBase64(env.salt));
+    const text = await decrypt(key, {
+      ciphertext: fromBase64(env.ciphertext),
+      nonce: fromBase64(env.nonce),
+    });
+    plaintexts[p] = text;
+    console.log(`  ✓ ${p} (${text.split('\n').filter((l) => l.includes('=')).length} keys)`);
+  }
+
+  // 2. POST /auth/rotate-master
+  console.log('\n• Rotating server-side proof + invalidating all tokens...');
+  const info = await client.info();
+  const globalSalt = fromBase64(info.global_salt);
+  const oldProof = toBase64(deriveKey(oldPw, globalSalt));
+  const newProof = toBase64(deriveKey(newPw, globalSalt));
+  const rot = await client.rotateMaster(oldProof, newProof);
+  console.log(`  ✓ new token issued (machineId=${rot.machineId})`);
+
+  // 3. keyring 갱신 + 새 client
+  setMasterPw(config.machineId, newPw);
+  setToken(config.machineId, rot.token);
+  const newClient = new AthsraClient(config.workerUrl, rot.token);
+
+  // 4. re-encrypt + PUT
+  console.log(`\n• Re-encrypting ${Object.keys(plaintexts).length} projects with new master pw...`);
+  for (const [p, text] of Object.entries(plaintexts)) {
+    const newSalt = randomSalt();
+    const newKey = deriveKey(newPw, newSalt);
+    const blob = await encrypt(newKey, text);
+    const envelope: SecretEnvelope = {
+      version: 1,
+      alg: 'aes-256-gcm',
+      kdf: 'argon2id',
+      kdf_params: DEFAULT_KDF,
+      salt: toBase64(newSalt),
+      nonce: toBase64(blob.nonce),
+      ciphertext: toBase64(blob.ciphertext),
+      version_id: `v${Date.now()}`,
+      updated_at: new Date().toISOString(),
+    };
+    await newClient.putEnvelope(p, envelope);
+    console.log(`  ✓ ${p}`);
+  }
+
+  console.log(
+    `\n✓ master password rotated. ${Object.keys(plaintexts).length} projects re-encrypted.`,
+  );
+  console.log(
+    '  다른 머신은 모두 token invalidated — 각 머신에서 athsra login (handoff) 재실행 필요.',
+  );
+  return 0;
+}

package/src/commands/run.ts

@@ -0,0 +1,51 @@
+import { spawn } from 'node:child_process';
+import { decrypt, deriveKey, fromBase64 } from '@athsra/crypto';
+import { loadAuthContext } from '../lib/auth-context.ts';
+import { parseEnv } from '../lib/env-format.ts';
+
+export async function runCmd(args: string[]): Promise<number> {
+  const project = args[0];
+  const sepIdx = args.indexOf('--');
+  if (!project || sepIdx < 1) {
+    console.error('usage: athsra run <project> -- <command> [args...]');
+    return 2;
+  }
+  const cmd = args.slice(sepIdx + 1);
+  if (cmd.length === 0) {
+    console.error('No command after --');
+    return 2;
+  }
+
+  const ctx = loadAuthContext();
+  if (!ctx) return 1;
+  const { masterPw, client } = ctx;
+  const envelope = await client.getEnvelope(project);
+  if (!envelope) {
+    console.error(`project not found: ${project}`);
+    return 1;
+  }
+
+  const derived = deriveKey(masterPw, fromBase64(envelope.salt));
+  const text = await decrypt(derived, {
+    ciphertext: fromBase64(envelope.ciphertext),
+    nonce: fromBase64(envelope.nonce),
+  });
+  const plain = parseEnv(text);
+
+  return await new Promise<number>((resolve) => {
+    const cmdName = cmd[0];
+    if (!cmdName) {
+      resolve(2);
+      return;
+    }
+    const child = spawn(cmdName, cmd.slice(1), {
+      env: { ...process.env, ...plain },
+      stdio: 'inherit',
+    });
+    child.on('close', (code) => resolve(code ?? 1));
+    child.on('error', (err) => {
+      console.error(`spawn error: ${err.message}`);
+      resolve(1);
+    });
+  });
+}