@athsra/cli 0.1.0

package/src/commands/set.ts

@@ -0,0 +1,120 @@
+import { readFileSync } from 'node:fs';
+import {
+  DEFAULT_KDF,
+  decrypt,
+  deriveKey,
+  encrypt,
+  fromBase64,
+  randomSalt,
+  type SecretEnvelope,
+  toBase64,
+} from '@athsra/crypto';
+import { loadAuthContext } from '../lib/auth-context.ts';
+import { parseEnv, serializeEnv } from '../lib/env-format.ts';
+
+const USAGE = [
+  'usage: athsra set <project> KEY=value [KEY2=value2 ...]',
+  '   or: athsra set <project> --from-file <path>   (.env 형식)',
+  '   or: athsra set <project> --stdin              (.env 형식 stdin)',
+].join('\n');
+
+async function readStdin(): Promise<string> {
+  const chunks: Buffer[] = [];
+  for await (const chunk of process.stdin as AsyncIterable<Buffer>) {
+    chunks.push(chunk);
+  }
+  return Buffer.concat(chunks).toString('utf-8');
+}
+
+function parsePairsArg(pairs: string[]): Record<string, string> | null {
+  const out: Record<string, string> = {};
+  for (const pair of pairs) {
+    const eqIdx = pair.indexOf('=');
+    if (eqIdx < 0) {
+      console.error(`Invalid format (missing =): ${pair}`);
+      return null;
+    }
+    out[pair.slice(0, eqIdx)] = pair.slice(eqIdx + 1);
+  }
+  return out;
+}
+
+export async function setCmd(args: string[]): Promise<number> {
+  const project = args[0];
+  if (!project) {
+    console.error(USAGE);
+    return 2;
+  }
+  const rest = args.slice(1);
+
+  let updates: Record<string, string>;
+  if (rest[0] === '--from-file') {
+    const path = rest[1];
+    if (!path) {
+      console.error('--from-file requires a path');
+      return 2;
+    }
+    const text = readFileSync(path, 'utf-8');
+    updates = parseEnv(text);
+  } else if (rest[0] === '--stdin') {
+    const text = await readStdin();
+    updates = parseEnv(text);
+  } else {
+    if (rest.length === 0) {
+      console.error('No KEY=value pairs given');
+      return 2;
+    }
+    const parsed = parsePairsArg(rest);
+    if (!parsed) return 2;
+    updates = parsed;
+  }
+
+  const updateCount = Object.keys(updates).length;
+  if (updateCount === 0) {
+    console.error('No KEY=value pairs given (input was empty)');
+    return 2;
+  }
+
+  const ctx = loadAuthContext();
+  if (!ctx) return 1;
+  const { masterPw, client } = ctx;
+
+  // 기존 envelope fetch + decrypt (read-modify-write)
+  let plain: Record<string, string> = {};
+  const existing = await client.getEnvelope(project);
+  if (existing) {
+    const key = deriveKey(masterPw, fromBase64(existing.salt));
+    const text = await decrypt(key, {
+      ciphertext: fromBase64(existing.ciphertext),
+      nonce: fromBase64(existing.nonce),
+    });
+    plain = parseEnv(text);
+  }
+
+  // merge updates
+  for (const [k, v] of Object.entries(updates)) {
+    plain[k] = v;
+  }
+
+  // 새 envelope (새 salt + nonce 매번)
+  const newSalt = randomSalt();
+  const newKey = deriveKey(masterPw, newSalt);
+  const blob = await encrypt(newKey, serializeEnv(plain));
+  const envelope: SecretEnvelope = {
+    version: 1,
+    alg: 'aes-256-gcm',
+    kdf: 'argon2id',
+    kdf_params: DEFAULT_KDF,
+    salt: toBase64(newSalt),
+    nonce: toBase64(blob.nonce),
+    ciphertext: toBase64(blob.ciphertext),
+    version_id: `v${Date.now()}`,
+    updated_at: new Date().toISOString(),
+  };
+
+  await client.putEnvelope(project, envelope);
+  console.log(
+    `✓ ${project}: ${updateCount} key${updateCount > 1 ? 's' : ''} set (${Object.keys(plain).length} total)`,
+  );
+  return 0;
+}

package/src/commands/unset.ts

@@ -0,0 +1,82 @@
+import {
+  DEFAULT_KDF,
+  decrypt,
+  deriveKey,
+  encrypt,
+  fromBase64,
+  randomSalt,
+  type SecretEnvelope,
+  toBase64,
+} from '@athsra/crypto';
+import { loadAuthContext } from '../lib/auth-context.ts';
+import { parseEnv, serializeEnv } from '../lib/env-format.ts';
+
+const USAGE =
+  'usage: athsra unset <project> KEY1 [KEY2 ...]   # 해당 keys 만 제거 (envelope 그대로, 다른 keys 유지)';
+
+export async function unsetCmd(args: string[]): Promise<number> {
+  const project = args[0];
+  if (!project) {
+    console.error(USAGE);
+    return 2;
+  }
+  const keys = args.slice(1);
+  if (keys.length === 0) {
+    console.error('No keys to unset');
+    return 2;
+  }
+
+  const ctx = loadAuthContext();
+  if (!ctx) return 1;
+  const { masterPw, client } = ctx;
+
+  const existing = await client.getEnvelope(project);
+  if (!existing) {
+    console.error(`project not found: ${project}`);
+    return 1;
+  }
+  const oldKey = deriveKey(masterPw, fromBase64(existing.salt));
+  const text = await decrypt(oldKey, {
+    ciphertext: fromBase64(existing.ciphertext),
+    nonce: fromBase64(existing.nonce),
+  });
+  const plain = parseEnv(text);
+
+  const removed: string[] = [];
+  const notFound: string[] = [];
+  for (const k of keys) {
+    if (k in plain) {
+      delete plain[k];
+      removed.push(k);
+    } else {
+      notFound.push(k);
+    }
+  }
+
+  if (notFound.length > 0) {
+    console.error(`✗ keys not found: ${notFound.join(', ')}`);
+    return 1;
+  }
+
+  // re-encrypt + PUT (새 salt + nonce)
+  const newSalt = randomSalt();
+  const newKey = deriveKey(masterPw, newSalt);
+  const blob = await encrypt(newKey, serializeEnv(plain));
+  const envelope: SecretEnvelope = {
+    version: 1,
+    alg: 'aes-256-gcm',
+    kdf: 'argon2id',
+    kdf_params: DEFAULT_KDF,
+    salt: toBase64(newSalt),
+    nonce: toBase64(blob.nonce),
+    ciphertext: toBase64(blob.ciphertext),
+    version_id: `v${Date.now()}`,
+    updated_at: new Date().toISOString(),
+  };
+
+  await client.putEnvelope(project, envelope);
+  console.log(
+    `✓ ${project}: ${removed.length} key${removed.length > 1 ? 's' : ''} removed (${Object.keys(plain).length} remaining)`,
+  );
+  return 0;
+}

package/src/commands/versions.ts

@@ -0,0 +1,37 @@
+import { loadAuthContext } from '../lib/auth-context.ts';
+
+const USAGE = 'usage: athsra versions <project>';
+
+/**
+ * athsra versions <project>
+ *   - 모든 version + tombstone 상태 출력
+ *   - current version 은 * 표시
+ *   - tombstone 있으면 (deleted) 헤더로 표시
+ */
+export async function versionsCmd(args: string[]): Promise<number> {
+  const project = args[0];
+  if (!project) {
+    console.error(USAGE);
+    return 2;
+  }
+  const ctx = loadAuthContext();
+  if (!ctx) return 1;
+  const { client } = ctx;
+
+  const data = await client.listVersions(project);
+  if (data.tombstone) {
+    console.log(
+      `(deleted ${data.tombstone.deleted_at} by ${data.tombstone.deleted_by} — ${data.versions.length} version(s) recoverable)`,
+    );
+  }
+  if (data.count === 0) {
+    console.log('(no versions — project never existed or hard-deleted)');
+    return 0;
+  }
+  for (const v of data.versions) {
+    const marker = v.version_id === data.current_version ? '*' : ' ';
+    console.log(`${marker} ${v.version_id}  ${v.updated_at}  (${v.size}B)`);
+  }
+  console.log(`(${data.count} version${data.count > 1 ? 's' : ''})`);
+  return 0;
+}

package/src/index.ts

@@ -0,0 +1,102 @@
+#!/usr/bin/env bun
+import { deleteCmd } from './commands/delete.ts';
+import { doctorCmd } from './commands/doctor.ts';
+import { getCmd } from './commands/get.ts';
+import { handoffCmd } from './commands/handoff.ts';
+import { initCmd } from './commands/init.ts';
+import { loginCmd } from './commands/login.ts';
+import { lsCmd } from './commands/ls.ts';
+import { newPhraseCmd } from './commands/new-phrase.ts';
+import { purgeCmd } from './commands/purge.ts';
+import { restoreCmd } from './commands/restore.ts';
+import { revokeCmd } from './commands/revoke.ts';
+import { rollbackCmd } from './commands/rollback.ts';
+import { rotateMasterCmd } from './commands/rotate-master.ts';
+import { runCmd } from './commands/run.ts';
+import { setCmd } from './commands/set.ts';
+import { unsetCmd } from './commands/unset.ts';
+import { versionsCmd } from './commands/versions.ts';
+
+const VERSION = '0.1.0';
+
+const commands: Record<string, (args: string[]) => Promise<number>> = {
+  login: loginCmd,
+  init: initCmd,
+  set: setCmd,
+  unset: unsetCmd,
+  get: getCmd,
+  ls: lsCmd,
+  run: runCmd,
+  doctor: doctorCmd,
+  'rotate-master': rotateMasterCmd,
+  'new-phrase': newPhraseCmd,
+  handoff: handoffCmd,
+  revoke: revokeCmd,
+  versions: versionsCmd,
+  rollback: rollbackCmd,
+  delete: deleteCmd,
+  restore: restoreCmd,
+  purge: purgeCmd,
+};
+
+const args = Bun.argv.slice(2);
+const cmd = args[0];
+
+if (!cmd || cmd === '--help' || cmd === '-h' || cmd === 'help') {
+  console.log(`athsra v${VERSION} — E2EE secret manager on Cloudflare edge
+
+Usage:
+  athsra login                              master pw 입력 + 머신 등록 (Bearer token 발급)
+  athsra init <project>                     신규 project 안내
+  athsra set <project> KEY=value            secret 추가/수정 (다건 가능)
+  athsra unset <project> KEY [...]          특정 key 제거 (envelope 유지)
+  athsra get <project> [KEY]                값 출력 (single 또는 dump)
+  athsra ls [project] [--all]               project 또는 key 목록 (--all=deleted 포함)
+  athsra run <project> -- <cmd>             env inject 후 명령 실행 (Doppler-style)
+  athsra doctor                             환경 검증 (keyring/dbus/worker phase)
+
+  athsra versions <project>                 모든 version + tombstone 상태
+  athsra rollback <project> <version_id>    특정 version 으로 current 복원
+  athsra delete <project> [--hard]          soft-delete (default) 또는 hard-delete
+  athsra restore <project>                  tombstone 제거 + 최신 version 활성화
+  athsra purge <project>                    hard-delete (delete --hard 별칭, double-confirm)
+
+  athsra rotate-master                      master pw 변경 (모든 projects re-encrypt)
+  athsra new-phrase                         BIP-39 12-word phrase 생성 (master pw 권장)
+  athsra handoff [--accept]                 새 머신 추가 (issue / accept)
+  athsra revoke [<atk_*>]                   self 또는 명시 token revoke
+
+Files / Storage:
+  ~/.athsra/config.json                     worker URL + machine_id
+  OS keyring (libsecret/Keychain/Cred Manager)  master pw + Bearer token
+
+Env vars (CI):
+  ATHSRA_MASTER_PW             non-interactive login
+  ATHSRA_REVOKE_CONFIRMED=1    skip self-revoke confirm
+  ATHSRA_DELETE_CONFIRMED=1    skip delete confirm
+  ATHSRA_PURGE_CONFIRMED=1     skip purge double-confirm
+  ATHSRA_ROLLBACK_CONFIRMED=1  skip rollback confirm
+
+Phase 1.x.1 = Bearer auth + keyring + soft-delete + version history.
+docs: github.com/modfolio/athsra
+`);
+  process.exit(0);
+}
+
+if (cmd === '--version' || cmd === '-V' || cmd === 'version') {
+  console.log(VERSION);
+  process.exit(0);
+}
+
+const handler = commands[cmd];
+if (!handler) {
+  console.error(`Unknown command: ${cmd}\nRun \`athsra --help\` for usage.`);
+  process.exit(2);
+}
+
+handler(args.slice(1))
+  .then((code) => process.exit(code))
+  .catch((err: Error) => {
+    console.error(`error: ${err.message}`);
+    process.exit(1);
+  });

package/src/lib/auth-context.ts

@@ -0,0 +1,35 @@
+import { AthsraClient } from './client.ts';
+import { type Config, loadConfig } from './config.ts';
+import { getMasterPw, getToken } from './keyring.ts';
+
+export interface AuthContext {
+  config: Config;
+  masterPw: string;
+  token: string;
+  client: AthsraClient;
+}
+
+/**
+ * 모든 인증 요구 commands (set/get/ls/run/doctor 부분) 의 공통 진입점.
+ *
+ * 실패 시 적절한 에러 메시지 출력 + null 반환. 호출자는 `return 1` 만.
+ */
+export function loadAuthContext(): AuthContext | null {
+  const config = loadConfig();
+  if (!config) {
+    console.error('Not logged in. Run `athsra login` first.');
+    return null;
+  }
+  const masterPw = getMasterPw(config.machineId);
+  const token = getToken(config.machineId);
+  if (!masterPw || !token) {
+    console.error('keyring missing master pw / token. Run `athsra login` first.');
+    return null;
+  }
+  return {
+    config,
+    masterPw,
+    token,
+    client: new AthsraClient(config.workerUrl, token),
+  };
+}

package/src/lib/bip39.ts

@@ -0,0 +1,45 @@
+import { generateMnemonic, mnemonicToEntropy, validateMnemonic } from '@scure/bip39';
+import { wordlist } from '@scure/bip39/wordlists/english.js';
+
+/**
+ * BIP-39 12-word mnemonic phrase 표준 (128-bit entropy, 영문 wordlist).
+ *
+ * athsra master pw 의 권장 형식. random byte string 보다:
+ *   - paper backup 쉬움 (12 단어 영문)
+ *   - checksum 자동 검증 (오타 detect)
+ *   - hardware wallet 호환 (Ledger / Trezor 표준)
+ *
+ * 주: BIP-39 표준 master pw 강제 X. 사용자 자유 phrase 도 그대로 작동.
+ * `new-phrase` 명령으로 generate 후 `rotate-master` 또는 `login` 시 사용.
+ */
+export function generatePhrase(): string {
+  return generateMnemonic(wordlist, 128);
+}
+
+export function isValidPhrase(phrase: string): boolean {
+  try {
+    return validateMnemonic(normalizePhrase(phrase), wordlist);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * 입력 normalize: trim + lowercase + 다중 공백 → single space.
+ * BIP-39 표준 비교 시 안정.
+ */
+export function normalizePhrase(phrase: string): string {
+  return phrase.trim().toLowerCase().replace(/\s+/g, ' ');
+}
+
+/**
+ * BIP-39 phrase → 16 bytes entropy (validate + return). 향후 hardware wallet
+ * 통합 시 사용 (Phase 3+).
+ */
+export function phraseToEntropy(phrase: string): Uint8Array {
+  return mnemonicToEntropy(normalizePhrase(phrase), wordlist);
+}
+
+export function wordCount(phrase: string): number {
+  return normalizePhrase(phrase).split(' ').filter(Boolean).length;
+}

package/src/lib/client.ts

@@ -0,0 +1,248 @@
+import type { SecretEnvelope } from '@athsra/crypto';
+
+export interface WorkerInfo {
+  name: string;
+  version: string;
+  phase: number;
+  description?: string;
+  global_salt: string;
+  global_salt_version: string;
+}
+
+export interface RegisterResponse {
+  token: string;
+  machineId: string;
+  createdAt: string;
+}
+
+export interface WhoamiResponse {
+  machineId: string;
+  label: string;
+  createdAt: string;
+  lastSeenAt: string;
+}
+
+/**
+ * Phase 1+: 모든 /v1/* + /auth/whoami + /auth/revoke 호출에
+ * Authorization: Bearer <token> 자동 첨부.
+ * /healthz, /, /auth/register 는 unauth public.
+ */
+export class AthsraClient {
+  constructor(
+    private readonly _workerUrl: string,
+    private readonly token: string | null = null,
+  ) {}
+
+  get workerUrl(): string {
+    return this._workerUrl;
+  }
+
+  private url(path: string): string {
+    return `${this._workerUrl.replace(/\/$/, '')}${path}`;
+  }
+
+  private headers(extra?: Record<string, string>): Record<string, string> {
+    const h: Record<string, string> = { ...(extra ?? {}) };
+    if (this.token) h.Authorization = `Bearer ${this.token}`;
+    return h;
+  }
+
+  async health(): Promise<boolean> {
+    try {
+      const res = await fetch(this.url('/healthz'));
+      return res.ok;
+    } catch {
+      return false;
+    }
+  }
+
+  async info(): Promise<WorkerInfo> {
+    const res = await fetch(this.url('/'));
+    if (!res.ok) throw new Error(`info ${res.status}: ${await res.text()}`);
+    return (await res.json()) as WorkerInfo;
+  }
+
+  async register(masterPwProof: string, label: string): Promise<RegisterResponse> {
+    const res = await fetch(this.url('/auth/register'), {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ master_pw_proof: masterPwProof, label }),
+    });
+    if (!res.ok) throw new Error(`register ${res.status}: ${await res.text()}`);
+    return (await res.json()) as RegisterResponse;
+  }
+
+  async whoami(): Promise<WhoamiResponse> {
+    const res = await fetch(this.url('/auth/whoami'), { headers: this.headers() });
+    if (!res.ok) throw new Error(`whoami ${res.status}: ${await res.text()}`);
+    return (await res.json()) as WhoamiResponse;
+  }
+
+  async revoke(targetToken?: string): Promise<{ ok: boolean; revoked: string; self?: boolean }> {
+    const res = await fetch(this.url('/auth/revoke'), {
+      method: 'POST',
+      headers: this.headers({ 'content-type': 'application/json' }),
+      body: JSON.stringify(targetToken ? { token: targetToken } : {}),
+    });
+    if (!res.ok) throw new Error(`revoke ${res.status}: ${await res.text()}`);
+    return (await res.json()) as { ok: boolean; revoked: string; self?: boolean };
+  }
+
+  async rotateMaster(
+    oldProof: string,
+    newProof: string,
+  ): Promise<{ token: string; machineId: string; rotatedAt: string }> {
+    const res = await fetch(this.url('/auth/rotate-master'), {
+      method: 'POST',
+      headers: this.headers({ 'content-type': 'application/json' }),
+      body: JSON.stringify({ old_proof: oldProof, new_proof: newProof }),
+    });
+    if (!res.ok) throw new Error(`rotate-master ${res.status}: ${await res.text()}`);
+    return (await res.json()) as { token: string; machineId: string; rotatedAt: string };
+  }
+
+  async handoff(
+    masterPwProof: string,
+    label: string,
+  ): Promise<{
+    token: string;
+    machineId: string;
+    createdAt: string;
+    expiresAt?: string;
+    ttlSeconds?: number;
+  }> {
+    const res = await fetch(this.url('/auth/handoff'), {
+      method: 'POST',
+      headers: this.headers({ 'content-type': 'application/json' }),
+      body: JSON.stringify({ master_pw_proof: masterPwProof, label }),
+    });
+    if (!res.ok) throw new Error(`handoff ${res.status}: ${await res.text()}`);
+    return (await res.json()) as {
+      token: string;
+      machineId: string;
+      createdAt: string;
+      expiresAt?: string;
+      ttlSeconds?: number;
+    };
+  }
+
+  async getEnvelope(project: string): Promise<SecretEnvelope | null> {
+    const res = await fetch(this.url(`/v1/secrets/${encodeURIComponent(project)}`), {
+      headers: this.headers(),
+    });
+    if (res.status === 404) return null;
+    if (!res.ok) throw new Error(`fetch ${res.status}: ${await res.text()}`);
+    return (await res.json()) as SecretEnvelope;
+  }
+
+  async putEnvelope(project: string, envelope: SecretEnvelope): Promise<void> {
+    const res = await fetch(this.url(`/v1/secrets/${encodeURIComponent(project)}`), {
+      method: 'PUT',
+      headers: this.headers({ 'content-type': 'application/json' }),
+      body: JSON.stringify(envelope),
+    });
+    if (!res.ok) throw new Error(`put ${res.status}: ${await res.text()}`);
+  }
+
+  async listProjects(): Promise<string[]> {
+    const res = await fetch(this.url('/v1/secrets'), { headers: this.headers() });
+    if (!res.ok) throw new Error(`list ${res.status}: ${await res.text()}`);
+    const data = (await res.json()) as { projects: string[] };
+    return data.projects;
+  }
+
+  async deleteProject(
+    project: string,
+    opts?: { hard?: boolean },
+  ): Promise<{
+    soft?: boolean;
+    hard?: boolean;
+    recoverable_versions?: number;
+    removed_versions?: number;
+  }> {
+    const url =
+      this.url(`/v1/secrets/${encodeURIComponent(project)}`) + (opts?.hard ? '?hard=true' : '');
+    const res = await fetch(url, {
+      method: 'DELETE',
+      headers: this.headers(),
+    });
+    if (!res.ok) throw new Error(`delete ${res.status}: ${await res.text()}`);
+    return (await res.json()) as {
+      soft?: boolean;
+      hard?: boolean;
+      recoverable_versions?: number;
+      removed_versions?: number;
+    };
+  }
+
+  async listVersions(project: string): Promise<{
+    project: string;
+    current_version: string | null;
+    tombstone: { deleted_at: string; deleted_by: string } | null;
+    versions: { version_id: string; updated_at: string; size: number }[];
+    count: number;
+  }> {
+    const res = await fetch(this.url(`/v1/secrets/${encodeURIComponent(project)}/versions`), {
+      headers: this.headers(),
+    });
+    if (!res.ok) throw new Error(`versions ${res.status}: ${await res.text()}`);
+    return (await res.json()) as {
+      project: string;
+      current_version: string | null;
+      tombstone: { deleted_at: string; deleted_by: string } | null;
+      versions: { version_id: string; updated_at: string; size: number }[];
+      count: number;
+    };
+  }
+
+  async rollbackProject(
+    project: string,
+    versionId: string,
+  ): Promise<{ ok: boolean; project: string; current_version: string }> {
+    const res = await fetch(this.url(`/v1/secrets/${encodeURIComponent(project)}/rollback`), {
+      method: 'POST',
+      headers: this.headers({ 'content-type': 'application/json' }),
+      body: JSON.stringify({ version_id: versionId }),
+    });
+    if (!res.ok) throw new Error(`rollback ${res.status}: ${await res.text()}`);
+    return (await res.json()) as { ok: boolean; project: string; current_version: string };
+  }
+
+  async restoreProject(project: string): Promise<{
+    ok: boolean;
+    project: string;
+    restored_version: string;
+    deleted_at: string;
+    deleted_by: string;
+  }> {
+    const res = await fetch(this.url(`/v1/secrets/${encodeURIComponent(project)}/restore`), {
+      method: 'POST',
+      headers: this.headers(),
+    });
+    if (!res.ok) throw new Error(`restore ${res.status}: ${await res.text()}`);
+    return (await res.json()) as {
+      ok: boolean;
+      project: string;
+      restored_version: string;
+      deleted_at: string;
+      deleted_by: string;
+    };
+  }
+
+  async listProjectsExtended(opts?: {
+    includeDeleted?: boolean;
+  }): Promise<
+    | { projects: string[]; count: number }
+    | { projects: { project: string; active: boolean; deleted: boolean }[]; count: number }
+  > {
+    const url = this.url('/v1/secrets') + (opts?.includeDeleted ? '?include_deleted=true' : '');
+    const res = await fetch(url, { headers: this.headers() });
+    if (!res.ok) throw new Error(`list ${res.status}: ${await res.text()}`);
+    return (await res.json()) as
+      | { projects: string[]; count: number }
+      | {
+          projects: { project: string; active: boolean; deleted: boolean }[];
+          count: number;
+        };
+  }
+}

package/src/lib/config.ts

@@ -0,0 +1,29 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+
+export const CONFIG_DIR = join(homedir(), '.athsra');
+export const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
+export const SESSION_FILE = join(CONFIG_DIR, 'session');
+
+export interface Config {
+  workerUrl: string;
+  machineId: string;
+  createdAt: string;
+}
+
+export function ensureConfigDir(): void {
+  if (!existsSync(CONFIG_DIR)) {
+    mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  }
+}
+
+export function loadConfig(): Config | null {
+  if (!existsSync(CONFIG_FILE)) return null;
+  return JSON.parse(readFileSync(CONFIG_FILE, 'utf-8')) as Config;
+}
+
+export function saveConfig(config: Config): void {
+  ensureConfigDir();
+  writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), { mode: 0o600 });
+}