npm - @athsra/cli - Versions diffs - 1.0.0 → 1.0.2 - Mend

@athsra/cli 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json +2 -2
package/src/commands/adopt.ts +23 -1
package/src/commands/manifest.ts +68 -4
package/src/lib/adopt-context.ts +1 -43
package/src/lib/jsonc.ts +48 -0
package/src/lib/wrangler-scan.ts +224 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@athsra/cli",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "athsra CLI — E2EE secret manager on Cloudflare edge. Doppler-style dev UX + zero-knowledge encryption + soft-delete + version history. MIT.",
   "type": "module",
   "main": "./src/index.ts",
@@ -43,7 +43,7 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@athsra/crypto": "^0.1.0",
+    "@athsra/crypto": "^1.0.0",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "@napi-rs/keyring": "^1.1.6",
     "@scure/bip39": "^2.2.0",

package/src/commands/adopt.ts CHANGED Viewed

@@ -40,6 +40,11 @@ import { loadAuthContext } from '../lib/auth-context.ts';
 import { resolveProject } from '../lib/auto-project.ts';
 import { readPlain } from '../lib/envelope.ts';
 import { createManifest, loadManifest, saveManifest } from '../lib/secrets-manifest.ts';
+import {
+  describeConflicts,
+  findConflicts,
+  scanWranglerConfig,
+} from '../lib/wrangler-scan.ts';
 import {
   ensureRepoConnection,
   getLatestBuildToken,
@@ -284,13 +289,30 @@ export async function adoptCmd(args: string[]): Promise<number> {
         return 1;
       }
       if (!existing.manifest) {
-        const envelopeKeys = Object.entries(envelope)
+        let envelopeKeys = Object.entries(envelope)
           .filter(([, v]) => typeof v === 'string' && v.length > 0)
           .map(([k]) => k);
         if (envelopeKeys.length === 0) {
           console.error('✗ --auto-manifest: envelope 에 캡처할 키가 없음');
           return 1;
         }
+        // Phase 2.6.2 (v1.0.2): wrangler.jsonc vars/bindings 자동 dedupe.
+        // envelope 에서 자동 캡처하는 경로이므로 충돌은 자동 제외 (보고만).
+        const scan = scanWranglerConfig(worker.cwd);
+        if (scan) {
+          const conflicts = findConflicts(scan, envelopeKeys);
+          if (conflicts.length > 0) {
+            const conflictSet = new Set(conflicts);
+            console.log(
+              `  auto-dedupe (wrangler.jsonc 충돌, ${conflicts.length} key): ${describeConflicts(scan, conflicts)}`,
+            );
+            envelopeKeys = envelopeKeys.filter((k) => !conflictSet.has(k));
+          }
+        }
+        if (envelopeKeys.length === 0) {
+          console.error('✗ --auto-manifest: dedupe 후 남은 키 0 — 모두 wrangler.jsonc 와 충돌');
+          return 1;
+        }
         if (parsed.dryRun) {
           console.log(
             `  (dry-run) would create manifest with ${envelopeKeys.length} keys at ${existing.path}`,

package/src/commands/manifest.ts CHANGED Viewed

@@ -24,6 +24,11 @@ import {
   manifestPath,
   saveManifest,
 } from '../lib/secrets-manifest.ts';
+import {
+  describeConflicts,
+  findConflicts,
+  scanWranglerConfig,
+} from '../lib/wrangler-scan.ts';
 const USAGE = [
   'usage: athsra manifest <subcommand> [options]',
@@ -31,8 +36,11 @@ const USAGE = [
   'Phase 2.6 Option γ — sibling worker 의 secrets opt-in manifest 관리.',
   '',
   '서브명령:',
-  '  init [--worker=<name>] [--all] [--keys=K1,K2,...] [--keys-from=<file>]',
+  '  init [--worker=<name>] [--all] [--keys=K1,K2,...] [--keys-from=<file>] [--force]',
   '      manifest 신규 작성. --all 은 envelope 전체 키. --keys 명시 (콤마 구분).',
+  '      v1.0.2+ Phase 2.6.2 — wrangler.jsonc 의 vars/bindings 자동 dedupe.',
+  '      --all 은 충돌 자동 제외 + 보고. --keys / --keys-from 충돌 시 에러',
+  '      (--force 로 우회 가능, 의도된 override 라면).',
   '',
   '  show [--worker=<name>]',
   '      manifest 내용 출력.',
@@ -40,14 +48,15 @@ const USAGE = [
   '  validate [<project>] [--worker=<name>]',
   '      manifest vs envelope diff. project 명시 시 envelope 부족분 / 초과분 표시.',
   '',
-  '  add <KEY> [<KEY2>...] [--worker=<name>]',
-  '      manifest 에 키 추가 (이미 있으면 idempotent).',
+  '  add <KEY> [<KEY2>...] [--worker=<name>] [--force]',
+  '      manifest 에 키 추가 (이미 있으면 idempotent). wrangler.jsonc 충돌 시 에러.',
   '',
   '  remove <KEY> [<KEY2>...] [--worker=<name>]',
   '      manifest 에서 키 제거.',
   '',
   '공통 옵션:',
   '  --worker=<name>   다수 wrangler.jsonc 있는 monorepo 에서 명시. 단일이면 생략.',
+  '  --force           wrangler.jsonc 충돌 무시 (의도된 override 일 때).',
   '',
   'manifest 위치: <worker.cwd>/.athsra/secrets.json',
 ].join('\n');
@@ -57,6 +66,7 @@ interface ParsedFlags {
   keys?: string[];
   keysFrom?: string;
   all: boolean;
+  force: boolean;
   positional: string[];
 }
@@ -83,10 +93,48 @@ function parseFlags(args: string[]): ParsedFlags {
       : undefined,
     keysFrom: typeof flags['keys-from'] === 'string' ? flags['keys-from'] : undefined,
     all: flags.all === true,
+    force: flags.force === true,
     positional,
   };
 }
+/**
+ * wrangler.jsonc 의 vars/bindings 와 충돌하는 manifest key 자동 검출 + 처리.
+ *
+ * @param explicit true 면 사용자가 명시 입력 (--keys / --keys-from / manifest add) —
+ *   충돌은 실수일 가능성 → `--force` 없으면 에러로 거부.
+ *   false 면 envelope 전체 자동 캡처 (--all) — 충돌은 envelope 기존 키 — 자동 제외.
+ * @returns 처리 후 keys (자동 제외 결과) + ok 플래그 (false 면 caller 가 즉시 종료)
+ */
+function applyWranglerDedupe(
+  workerCwd: string,
+  keys: string[],
+  explicit: boolean,
+  force: boolean,
+): { keys: string[]; ok: boolean } {
+  const scan = scanWranglerConfig(workerCwd);
+  if (!scan) return { keys, ok: true };
+  const conflicts = findConflicts(scan, keys);
+  if (conflicts.length === 0) return { keys, ok: true };
+  if (explicit && !force) {
+    console.error(`✗ ${conflicts.length} key(s) collide with wrangler.jsonc vars/bindings:`);
+    console.error(`    ${describeConflicts(scan, conflicts)}`);
+    console.error(`  파일: ${scan.configPath}`);
+    console.error('  wrangler 가 이미 이 식별자를 var 또는 binding 으로 정의함 —');
+    console.error('  secret 으로 sync 하면 deploy 시점에 충돌 (CF wrangler 가 거부).');
+    console.error('  해결:');
+    console.error('    1) 명시에서 빼고 재시도 (권장)');
+    console.error('    2) wrangler.jsonc 의 vars/binding 이름 변경');
+    console.error('    3) 의도된 override 면 --force');
+    return { keys, ok: false };
+  }
+  const conflictSet = new Set(conflicts);
+  console.log(
+    `  자동 제외 (wrangler.jsonc 충돌, ${conflicts.length} key): ${describeConflicts(scan, conflicts)}`,
+  );
+  return { keys: keys.filter((k) => !conflictSet.has(k)), ok: true };
+}
 function pickWorker(workers: WrangerWorker[], explicit?: string): WrangerWorker | string {
   if (explicit) {
     const found = workers.find((w) => w.name === explicit);
@@ -136,10 +184,13 @@ async function cmdInit(flags: ParsedFlags): Promise<number> {
   }
   let secrets: string[];
+  let explicit: boolean;
   if (flags.keys && flags.keys.length > 0) {
     secrets = flags.keys;
+    explicit = true;
   } else if (flags.keysFrom) {
     secrets = await readKeysFromFile(flags.keysFrom);
+    explicit = true;
   } else if (flags.all) {
     // envelope 전체 키 — project 추론 필요
     const { project } = resolveProject([]);
@@ -160,6 +211,7 @@ async function cmdInit(flags: ParsedFlags): Promise<number> {
     secrets = Object.keys(envelope).filter(
       (k) => typeof envelope[k] === 'string' && envelope[k].length > 0,
     );
+    explicit = false;
     console.log(`  envelope '${project}' 의 ${secrets.length} 키를 manifest 로 캡처`);
   } else {
     console.error('✗ secrets 출처 명시 필요: --keys=K1,K2 / --keys-from=<file> / --all');
@@ -171,6 +223,15 @@ async function cmdInit(flags: ParsedFlags): Promise<number> {
     return 1;
   }
+  // Phase 2.6.2 (v1.0.2): wrangler.jsonc vars/bindings 자동 dedupe
+  const deduped = applyWranglerDedupe(worker.cwd, secrets, explicit, flags.force);
+  if (!deduped.ok) return 1;
+  secrets = deduped.keys;
+  if (secrets.length === 0) {
+    console.error('✗ dedupe 후 남은 secret 0개 — 모든 키가 wrangler.jsonc 와 충돌');
+    return 1;
+  }
   let manifest: SecretsManifest;
   try {
     manifest = createManifest(secrets);
@@ -302,7 +363,10 @@ function modifyManifest(
   const current = new Set(loaded.manifest.secrets);
   const before = current.size;
   if (op === 'add') {
-    for (const k of keys) current.add(k);
+    // Phase 2.6.2 — manifest add 도 wrangler.jsonc 충돌 검사
+    const deduped = applyWranglerDedupe(worker.cwd, keys, true, flags.force);
+    if (!deduped.ok) return 1;
+    for (const k of deduped.keys) current.add(k);
   } else {
     for (const k of keys) current.delete(k);
   }

package/src/lib/adopt-context.ts CHANGED Viewed

@@ -9,6 +9,7 @@
 import { spawnSync } from 'node:child_process';
 import { readdirSync, readFileSync, statSync } from 'node:fs';
 import { dirname, join, relative, resolve } from 'node:path';
+import { parseJsonc } from './jsonc.ts';
 export interface AdoptInferred {
   /** 발견된 모든 wrangler.jsonc / wrangler.toml 경로 + 추출된 name */
@@ -28,49 +29,6 @@ export interface WrangerWorker {
   rootDirectory: string;
 }
-/** JSONC (comments 허용) 안전 파싱 — wrangler.jsonc 가 표준 JSONC 사용. */
-function parseJsonc(text: string): unknown {
-  // 단순 cleanup: line comments (//) + block comments (/* */) 제거.
-  // 문자열 내부 // 는 보존 — 정공법은 proper JSONC parser 인데 의존성 추가 회피.
-  let cleaned = '';
-  let i = 0;
-  let inString = false;
-  let escaped = false;
-  while (i < text.length) {
-    const c = text[i];
-    const next = text[i + 1];
-    if (inString) {
-      cleaned += c;
-      if (escaped) escaped = false;
-      else if (c === '\\') escaped = true;
-      else if (c === '"') inString = false;
-      i++;
-      continue;
-    }
-    if (c === '"') {
-      inString = true;
-      cleaned += c;
-      i++;
-      continue;
-    }
-    if (c === '/' && next === '/') {
-      while (i < text.length && text[i] !== '\n') i++;
-      continue;
-    }
-    if (c === '/' && next === '*') {
-      i += 2;
-      while (i < text.length - 1 && !(text[i] === '*' && text[i + 1] === '/')) i++;
-      i += 2;
-      continue;
-    }
-    cleaned += c;
-    i++;
-  }
-  // trailing commas 제거 (objects + arrays). 단순 regex.
-  cleaned = cleaned.replace(/,\s*([}\]])/g, '$1');
-  return JSON.parse(cleaned);
-}
 /** wrangler.jsonc / wrangler.toml 의 name field. 없으면 null. */
 function readWranglerName(path: string): string | null {
   try {

package/src/lib/jsonc.ts ADDED Viewed

@@ -0,0 +1,48 @@
+/**
+ * jsonc.ts — JSON-with-comments parser. 의존성 0.
+ *
+ * wrangler.jsonc 가 JSONC 사용 (`// line`, block comment, trailing comma 허용).
+ * 외부 의존성 추가 회피 — 단순 state machine 으로 in-string 토큰 보호하면서
+ * comment 제거 + trailing comma 제거 후 표준 `JSON.parse`.
+ *
+ * Phase 2.6.2 (2026-05-27, v1.0.2): `adopt-context.ts` 에서 추출. wrangler-scan
+ * 이 추가로 재사용 — single source of truth.
+ */
+export function parseJsonc(text: string): unknown {
+  let cleaned = '';
+  let i = 0;
+  let inString = false;
+  let escaped = false;
+  while (i < text.length) {
+    const c = text[i];
+    const next = text[i + 1];
+    if (inString) {
+      cleaned += c;
+      if (escaped) escaped = false;
+      else if (c === '\\') escaped = true;
+      else if (c === '"') inString = false;
+      i++;
+      continue;
+    }
+    if (c === '"') {
+      inString = true;
+      cleaned += c;
+      i++;
+      continue;
+    }
+    if (c === '/' && next === '/') {
+      while (i < text.length && text[i] !== '\n') i++;
+      continue;
+    }
+    if (c === '/' && next === '*') {
+      i += 2;
+      while (i < text.length - 1 && !(text[i] === '*' && text[i + 1] === '/')) i++;
+      i += 2;
+      continue;
+    }
+    cleaned += c;
+    i++;
+  }
+  cleaned = cleaned.replace(/,\s*([}\]])/g, '$1');
+  return JSON.parse(cleaned);
+}

package/src/lib/wrangler-scan.ts ADDED Viewed

@@ -0,0 +1,224 @@
+/**
+ * wrangler-scan.ts — wrangler.jsonc 의 vars + 모든 binding 식별자 추출.
+ *
+ * **목적** (Phase 2.6.2, 2026-05-27, v1.0.2):
+ * manifest init / adopt --auto-manifest 시점에 envelope key 가 wrangler.jsonc 의
+ * vars (plain text) 또는 binding (KV/R2/D1/queue/DO/...) 식별자와 충돌하지 않도록
+ * 자동 dedupe.
+ *
+ * **배경** (commit 762188d, modfolio-connect Phase 2.6 적용 시):
+ * envelope 의 `JWKS_KEYS` (PEM) 가 apps/auth/wrangler.jsonc 의 kv_namespace binding
+ * "JWKS_KEYS" 와 충돌. `JWKS_URI`, `PUBLIC_AUTH_URL` 가 apps/app/wrangler.jsonc 의
+ * `[vars]` 와 충돌. 수동 dedupe 했지만 v1.0.2 부터 자동 감지 + 제외.
+ *
+ * **스캔 대상**:
+ * - Top-level `vars` (object 의 모든 key)
+ * - Top-level 모든 binding 종류 (kv_namespaces, d1_databases, r2_buckets,
+ *   durable_objects.bindings, queues.producers, workflows, services,
+ *   analytics_engine_datasets, hyperdrive, vectorize, ai, browser, assets,
+ *   images, send_email, mtls_certificates, dispatch_namespaces,
+ *   secret_store_secrets, pipelines, worker_loaders)
+ * - `env.*` (per-environment override) — recursive (단, env 안의 env 는 무시)
+ *
+ * **정공법**:
+ * - 의존성 추가 회피 — `lib/jsonc.ts` parser 재사용
+ * - 알 수 없는 binding 종류는 무시 (false-negative 가 false-positive 보다 안전 —
+ *   미지원 binding 충돌은 향후 BINDING_SPECS 추가로 처리, 사용자에게 환각 dedupe X)
+ * - env-specific binding 도 union — 한 env 만 충돌해도 dedupe (worker 가 어느
+ *   환경으로 deploy 될지 manifest 시점에 알 수 없음)
+ */
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { parseJsonc } from './jsonc.ts';
+export interface WranglerIdentifiers {
+  /** [vars] 의 모든 key (env override 포함) */
+  vars: string[];
+  /** 모든 binding 식별자 (KV/R2/D1/queue/DO/etc) */
+  bindings: string[];
+  /** vars + bindings 합집합 (dedupe 비교에 사용) */
+  all: string[];
+  /** 식별자별 출처 — "JWKS_KEYS" → ["kv_namespaces"] 같이 보고용 */
+  byType: Record<string, string[]>;
+  /** 파싱한 파일의 절대 경로 (보고용) */
+  configPath: string;
+}
+interface BindingSpec {
+  /** wrangler.jsonc 안의 path (dot-delimited; e.g. "durable_objects.bindings") */
+  path: string;
+  /** entry 안에서 식별자를 가진 field — `binding` (대부분) 또는 `name` (DO/send_email) */
+  idKey: 'binding' | 'name';
+}
+/**
+ * 알려진 binding 종류 — Cloudflare Workers wrangler.jsonc schema 기반 (2026-05).
+ * 새 binding 종류 추가 시 한 줄 추가.
+ */
+const BINDING_SPECS: BindingSpec[] = [
+  // array of {binding: string, ...}
+  { path: 'kv_namespaces', idKey: 'binding' },
+  { path: 'd1_databases', idKey: 'binding' },
+  { path: 'r2_buckets', idKey: 'binding' },
+  { path: 'queues.producers', idKey: 'binding' },
+  { path: 'workflows', idKey: 'binding' },
+  { path: 'services', idKey: 'binding' },
+  { path: 'analytics_engine_datasets', idKey: 'binding' },
+  { path: 'hyperdrive', idKey: 'binding' },
+  { path: 'vectorize', idKey: 'binding' },
+  { path: 'mtls_certificates', idKey: 'binding' },
+  { path: 'dispatch_namespaces', idKey: 'binding' },
+  { path: 'secret_store_secrets', idKey: 'binding' },
+  { path: 'pipelines', idKey: 'binding' },
+  { path: 'worker_loaders', idKey: 'binding' },
+  // array of {name: string, ...}
+  { path: 'durable_objects.bindings', idKey: 'name' },
+  { path: 'send_email', idKey: 'name' },
+  // single object {binding: string}
+  { path: 'ai', idKey: 'binding' },
+  { path: 'browser', idKey: 'binding' },
+  { path: 'images', idKey: 'binding' },
+  { path: 'assets', idKey: 'binding' },
+];
+function getPath(obj: unknown, path: string): unknown {
+  const parts = path.split('.');
+  let cur: unknown = obj;
+  for (const p of parts) {
+    if (typeof cur !== 'object' || cur === null) return undefined;
+    cur = (cur as Record<string, unknown>)[p];
+  }
+  return cur;
+}
+function extractFromSpec(obj: unknown, spec: BindingSpec): string[] {
+  const node = getPath(obj, spec.path);
+  if (node === undefined || node === null) return [];
+  const collect = (entry: unknown): string | null => {
+    if (typeof entry !== 'object' || entry === null) return null;
+    const val = (entry as Record<string, unknown>)[spec.idKey];
+    return typeof val === 'string' && val.length > 0 ? val : null;
+  };
+  if (Array.isArray(node)) {
+    const ids: string[] = [];
+    for (const entry of node) {
+      const id = collect(entry);
+      if (id) ids.push(id);
+    }
+    return ids;
+  }
+  const single = collect(node);
+  return single ? [single] : [];
+}
+function extractVarsKeys(obj: unknown): string[] {
+  const node = getPath(obj, 'vars');
+  if (typeof node !== 'object' || node === null || Array.isArray(node)) return [];
+  return Object.keys(node);
+}
+function pushSource(byType: Record<string, string[]>, key: string, source: string): void {
+  const arr = byType[key];
+  if (!arr) {
+    byType[key] = [source];
+    return;
+  }
+  if (!arr.includes(source)) arr.push(source);
+}
+interface ScanAcc {
+  vars: Set<string>;
+  bindings: Set<string>;
+  byType: Record<string, string[]>;
+}
+function scanInto(obj: unknown, acc: ScanAcc, envName?: string): void {
+  const envPrefix = envName ? `env.${envName}.` : '';
+  for (const v of extractVarsKeys(obj)) {
+    acc.vars.add(v);
+    pushSource(acc.byType, v, `${envPrefix}vars`);
+  }
+  for (const spec of BINDING_SPECS) {
+    for (const id of extractFromSpec(obj, spec)) {
+      acc.bindings.add(id);
+      pushSource(acc.byType, id, `${envPrefix}${spec.path}`);
+    }
+  }
+  if (envName) return;
+  const env = getPath(obj, 'env');
+  if (typeof env !== 'object' || env === null) return;
+  for (const [name, child] of Object.entries(env as Record<string, unknown>)) {
+    scanInto(child, acc, name);
+  }
+}
+/**
+ * `<workerCwd>/wrangler.jsonc` (또는 `.json`) 파싱 후 모든 식별자 추출.
+ * 파일 없거나 파싱 실패 시 null — caller 는 dedupe 적용 skip (안전 fallback).
+ *
+ * wrangler.toml 미지원 — JSONC 만. toml sibling 은 jsonc 마이그레이션 권장.
+ */
+export function scanWranglerConfig(workerCwd: string): WranglerIdentifiers | null {
+  const candidates = ['wrangler.jsonc', 'wrangler.json'];
+  let parsed: unknown = null;
+  let configPath = '';
+  for (const name of candidates) {
+    const path = join(workerCwd, name);
+    if (!existsSync(path)) continue;
+    configPath = path;
+    try {
+      parsed = parseJsonc(readFileSync(path, 'utf-8'));
+    } catch {
+      return null;
+    }
+    break;
+  }
+  if (parsed === null) return null;
+  const acc: ScanAcc = {
+    vars: new Set<string>(),
+    bindings: new Set<string>(),
+    byType: {},
+  };
+  scanInto(parsed, acc);
+  const vars = Array.from(acc.vars).sort();
+  const bindings = Array.from(acc.bindings).sort();
+  const all = Array.from(new Set([...vars, ...bindings])).sort();
+  return { vars, bindings, all, byType: acc.byType, configPath };
+}
+/**
+ * 사람 가독 conflict 보고 — `describeConflicts(scan, ['JWKS_KEYS', 'JWKS_URI'])`
+ *   → "JWKS_KEYS (kv_namespaces), JWKS_URI (vars)"
+ */
+export function describeConflicts(
+  scan: WranglerIdentifiers,
+  conflicts: string[],
+): string {
+  return conflicts
+    .map((k) => {
+      const types = scan.byType[k];
+      if (!types || types.length === 0) return k;
+      return `${k} (${types.join(', ')})`;
+    })
+    .join(', ');
+}
+/**
+ * envelope/manifest key 목록에서 wrangler.jsonc 와 충돌하는 키만 반환 (alphabetical).
+ * 정공법 helper — caller 는 conflicts.length>0 로 분기 + 보고.
+ */
+export function findConflicts(
+  scan: WranglerIdentifiers,
+  keys: readonly string[],
+): string[] {
+  const all = new Set(scan.all);
+  const out: string[] = [];
+  for (const k of keys) {
+    if (all.has(k)) out.push(k);
+  }
+  return out.sort();
+}
+export const __test = { scanInto, extractFromSpec, extractVarsKeys, BINDING_SPECS };