@athsra/cli 1.0.1 → 1.0.3

package/src/lib/client.ts

@@ -19,6 +19,23 @@ export interface RegisterResponse {
   createdAt: string;
 }
 
+/** Phase 4 Slice 3 — auth_user_keys row (GET/POST /auth/keys). worker 는 base64 형식만 저장. */
+export interface IdentityKeyRow {
+  public_key: string;
+  wrapped_private_key: string;
+  key_salt: string;
+  wrap_nonce: string;
+  kdf_params: { m: number; t: number; p: number };
+}
+
+/** Phase 4 Slice 3 — rotate-master 의 privkey 재포장 재료 (pubkey 불변이므로 미포함). */
+export interface IdentityKeyRewrap {
+  wrapped_private_key: string;
+  key_salt: string;
+  wrap_nonce: string;
+  kdf_params: { m: number; t: number; p: number };
+}
+
 export interface WhoamiResponse {
   machineId: string;
   label: string;
@@ -29,23 +46,131 @@ export interface WhoamiResponse {
   scopeProject?: string;
   scopePerms?: 'read' | 'write';
   recipientId?: string;
+  /** Phase 2.2 — user token 의 RBAC user FK. */
+  userId?: number;
+  /** Phase 4 Slice 2 — token 이 행위하는 org. */
+  orgId?: number;
 }
 
+/** Phase 3 P3 — POST /auth/device/code 응답. */
+export interface DeviceCodeResponse {
+  device_code: string;
+  user_code: string;
+  verification_uri: string;
+  verification_uri_complete: string;
+  expires_in: number;
+  interval: number;
+  project: string;
+  perms: 'read' | 'write';
+}
+
+/** Phase 3 P3 — POST /auth/device/token (poll) 결과. */
+export type DevicePollResult =
+  | {
+      status: 'token';
+      token: string;
+      recipientId: string;
+      project: string;
+      perms: 'read' | 'write';
+    }
+  | { status: 'pending'; error: string; interval?: number };
+
 /**
  * Phase 1+: 모든 /v1/* + /auth/whoami + /auth/revoke 호출에
  * Authorization: Bearer <token> 자동 첨부.
  * /healthz, /, /auth/register 는 unauth public.
  */
+export type RestoreR2ScopeArg =
+  | { kind: 'full' }
+  | { kind: 'project'; owner: string; project: string }
+  | { kind: 'key'; key: string };
+
+export interface R2RestoreResult {
+  ok?: boolean;
+  mode: 'dry-run' | 'execute';
+  date: string;
+  would_restore?: number;
+  sample_keys?: string[];
+  confirm_token?: string;
+  scanned?: number;
+  restored?: number;
+  skipped?: number;
+  errors?: number;
+  failures?: { backup_key: string; store_key: string; error: string }[];
+}
+
+export interface D1RestoreResult {
+  ok?: boolean;
+  mode: 'dry-run' | 'execute';
+  dump_key: string;
+  policy: string;
+  tables: Record<
+    string,
+    {
+      dump_rows?: number;
+      current_rows?: number;
+      written?: number;
+      filtered?: number;
+      error?: string;
+    }
+  >;
+  confirm_token?: string;
+  security_warning?: string;
+  errors?: number;
+}
+
+/** Phase 4 Slice 6a — GET /v1/orgs 의 org 항목. */
+export interface OrgSummary {
+  id: number;
+  slug: string;
+  name: string;
+  type: string;
+  role: 'owner' | 'admin' | 'member';
+  status: 'active' | 'pending';
+  is_current: boolean;
+}
+
+/** Phase 4 Slice 6a — GET /v1/orgs/current/members 의 멤버 항목. */
+export interface OrgMember {
+  user_id: number;
+  identifier: string;
+  role: 'owner' | 'admin' | 'member';
+  status: 'active' | 'pending';
+  joined_at: string | null;
+  /** Phase 4 Slice 6b — keypair 보유 여부 (re-wrap 가능 시점 게이팅). */
+  has_identity_key?: boolean;
+}
+
 export class AthsraClient {
+  private token: string | null;
+  /**
+   * Phase 3 — idle timeout 자동 재인증 콜백 (auth-context 가 주입).
+   * 401 session_idle_timeout 시 keyring master pw 로 silent re-register → 새 token.
+   * 기기 잠금 (OS keyring 접근 차단) 이 진짜 방어선 — 작업 중엔 끊김 없음.
+   */
+  private onIdleRefresh?: () => Promise<string | null>;
+
   constructor(
     private readonly _workerUrl: string,
-    private readonly token: string | null = null,
-  ) {}
+    token: string | null = null,
+  ) {
+    this.token = token;
+  }
 
   get workerUrl(): string {
     return this._workerUrl;
   }
 
+  /** auth-context 가 idle 자동 재인증 콜백 주입. */
+  setIdleRefresh(fn: () => Promise<string | null>): void {
+    this.onIdleRefresh = fn;
+  }
+
+  /** Phase 4 Slice 6a — in-memory token 교체 (org switch / re-register 후). */
+  setToken(token: string): void {
+    this.token = token;
+  }
+
   private url(path: string): string {
     return `${this._workerUrl.replace(/\/$/, '')}${path}`;
   }
@@ -56,6 +181,32 @@ export class AthsraClient {
     return h;
   }
 
+  /**
+   * 인증 fetch + 자동 재인증. 401 (idle timeout / token revoke / unknown) 시 onIdleRefresh
+   * (keyring master pw 재인증) 호출 → token 갱신 → 1회 retry. 그 외 응답은 그대로 반환.
+   *
+   * keyring master pw 보유 = 재발급 권한 (athsra 인증 모델). idle 로 D1 에서 revoke 된
+   * token (이후 unknown) 도 살린다 — session_idle_timeout 만 잡으면 revoke 후 못 살림.
+   * pw 틀림/keyring 부재 시 register 가 실패 → onIdleRefresh 가 null → 원 401 그대로.
+   * retry 는 1회 (재발급 후에도 401 이면 그 응답 반환 — 무한 루프 방지).
+   */
+  private async authedFetch(path: string, init: RequestInit = {}): Promise<Response> {
+    const doFetch = (): Promise<Response> =>
+      fetch(this.url(path), {
+        ...init,
+        headers: this.headers(init.headers as Record<string, string> | undefined),
+      });
+    const res = await doFetch();
+    if (res.status === 401 && this.onIdleRefresh) {
+      const newToken = await this.onIdleRefresh();
+      if (newToken) {
+        this.token = newToken;
+        return doFetch();
+      }
+    }
+    return res;
+  }
+
   async health(): Promise<boolean> {
     try {
       const res = await fetch(this.url('/healthz'));
@@ -82,11 +233,139 @@ export class AthsraClient {
   }
 
   async whoami(): Promise<WhoamiResponse> {
-    const res = await fetch(this.url('/auth/whoami'), { headers: this.headers() });
+    const res = await this.authedFetch('/auth/whoami');
     if (!res.ok) throw new Error(`whoami ${res.status}: ${await res.text()}`);
     return (await res.json()) as WhoamiResponse;
   }
 
+  /**
+   * Phase 3a — 자기 master pw proof bootstrap-or-verify (POST /auth/proof, Bearer).
+   * proof = Argon2id(masterPw + GLOBAL_SALT) 단방향 해시 (평문 master pw 송신 X).
+   * 첫 호출 = bootstrap, 이후 = verify (불일치 시 worker 409 → throw).
+   */
+  async setProof(
+    proof: string,
+    globalSaltVersion?: string,
+  ): Promise<{ ok: boolean; bootstrap: boolean; userId: number; version_reset?: boolean }> {
+    const res = await fetch(this.url('/auth/proof'), {
+      method: 'POST',
+      headers: this.headers({ 'content-type': 'application/json' }),
+      body: JSON.stringify({ proof, global_salt_version: globalSaltVersion }),
+    });
+    if (!res.ok) throw new Error(`set proof ${res.status}: ${await res.text()}`);
+    return (await res.json()) as {
+      ok: boolean;
+      bootstrap: boolean;
+      userId: number;
+      version_reset?: boolean;
+    };
+  }
+
+  /**
+   * Phase 4 Slice 3 — caller 의 X25519 identity 키 row 조회 (GET /auth/keys). 없으면 null(404).
+   * client 가 master pw 로 wrapped_private_key 를 unwrap 해 org 공유 시크릿 복호에 사용.
+   */
+  async getKeys(): Promise<IdentityKeyRow | null> {
+    const res = await this.authedFetch('/auth/keys');
+    if (res.status === 404) return null;
+    if (!res.ok) throw new Error(`get keys ${res.status}: ${await res.text()}`);
+    return (await res.json()) as IdentityKeyRow;
+  }
+
+  /** Phase 4 Slice 3 — identity 키쌍 bootstrap (POST /auth/keys). 같은 pubkey 멱등, 다른 pubkey 409. */
+  async setKeys(row: IdentityKeyRow): Promise<{ ok: boolean; bootstrap: boolean }> {
+    const res = await fetch(this.url('/auth/keys'), {
+      method: 'POST',
+      headers: this.headers({ 'content-type': 'application/json' }),
+      body: JSON.stringify(row),
+    });
+    if (!res.ok) throw new Error(`set keys ${res.status}: ${await res.text()}`);
+    return (await res.json()) as { ok: boolean; bootstrap: boolean };
+  }
+
+  /** Phase 4 Slice 3 — 타 user 의 public key 조회 (멤버에게 DEK ECDH-wrap 용). 없으면 null(404). */
+  async getPublicKey(userId: number): Promise<string | null> {
+    const res = await this.authedFetch(`/auth/keys/${userId}/public`);
+    if (res.status === 404) return null;
+    if (!res.ok) throw new Error(`get pubkey ${res.status}: ${await res.text()}`);
+    return ((await res.json()) as { public_key: string }).public_key;
+  }
+
+  // ─── Phase 4 Slice 6a — org 멀티테넌시 관리 ───
+
+  /** company org 생성 (생성자 = owner). */
+  async createOrg(
+    name: string,
+  ): Promise<{ id: number; slug: string; name: string; type: string; role: string }> {
+    const res = await this.authedFetch('/v1/orgs', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ name }),
+    });
+    if (!res.ok) throw new Error(`create org ${res.status}: ${await res.text()}`);
+    return (await res.json()) as {
+      id: number;
+      slug: string;
+      name: string;
+      type: string;
+      role: string;
+    };
+  }
+
+  /** 내가 멤버(active|pending)인 org 목록 (switcher 용). */
+  async listOrgs(): Promise<{ current_org_id: number | null; orgs: OrgSummary[] }> {
+    const res = await this.authedFetch('/v1/orgs');
+    if (!res.ok) throw new Error(`list orgs ${res.status}: ${await res.text()}`);
+    return (await res.json()) as { current_org_id: number | null; orgs: OrgSummary[] };
+  }
+
+  /** 현재 org 의 멤버 목록. */
+  async listOrgMembers(): Promise<{ org_id: number; members: OrgMember[] }> {
+    const res = await this.authedFetch('/v1/orgs/current/members');
+    if (!res.ok) throw new Error(`list members ${res.status}: ${await res.text()}`);
+    return (await res.json()) as { org_id: number; members: OrgMember[] };
+  }
+
+  /** 현재 org 에 멤버 초대 (owner/admin). 미존재 identifier → JIT pending user. */
+  async inviteMember(args: {
+    identifier: string;
+    role?: 'admin' | 'member';
+  }): Promise<{ user_id: number; role: string; status: string; jit_created: boolean }> {
+    const res = await this.authedFetch('/v1/orgs/current/members', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ identifier: args.identifier, role: args.role }),
+    });
+    if (!res.ok) throw new Error(`invite ${res.status}: ${await res.text()}`);
+    return (await res.json()) as {
+      user_id: number;
+      role: string;
+      status: string;
+      jit_created: boolean;
+    };
+  }
+
+  /** 현재 org 에서 멤버 제거(owner/admin) 또는 self-leave. */
+  async removeMember(
+    userId: number,
+  ): Promise<{ ok: boolean; user_id: number; status: string; revoked_tokens: number }> {
+    const res = await this.authedFetch(`/v1/orgs/current/members/${userId}`, { method: 'DELETE' });
+    if (!res.ok) throw new Error(`remove member ${res.status}: ${await res.text()}`);
+    return (await res.json()) as {
+      ok: boolean;
+      user_id: number;
+      status: string;
+      revoked_tokens: number;
+    };
+  }
+
+  /** org 컨텍스트 전환 — 새 token(orgId=target) re-mint + 호출 token revoke. */
+  async switchOrg(orgId: number): Promise<{ token: string; org_id: number; role: string }> {
+    const res = await this.authedFetch(`/v1/orgs/${orgId}/switch`, { method: 'POST' });
+    if (!res.ok) throw new Error(`switch org ${res.status}: ${await res.text()}`);
+    return (await res.json()) as { token: string; org_id: number; role: string };
+  }
+
   async revoke(targetToken?: string): Promise<{ ok: boolean; revoked: string; self?: boolean }> {
     const res = await fetch(this.url('/auth/revoke'), {
       method: 'POST',
@@ -97,6 +376,48 @@ export class AthsraClient {
     return (await res.json()) as { ok: boolean; revoked: string; self?: boolean };
   }
 
+  /** DR — BACKUP_STORE → STORE 복원. dry_run=!execute. execute 는 content-bound confirm 필수. */
+  async restoreR2(args: {
+    date: string;
+    scope: RestoreR2ScopeArg;
+    execute: boolean;
+    confirm?: string;
+  }): Promise<R2RestoreResult> {
+    const res = await this.authedFetch(`/v1/admin/restore/r2?dry_run=${!args.execute}`, {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ date: args.date, scope: args.scope, confirm: args.confirm }),
+    });
+    const body = (await res.json()) as R2RestoreResult & { error?: string };
+    if (!res.ok) throw new Error(`restore r2 ${res.status}: ${body.error ?? JSON.stringify(body)}`);
+    return body;
+  }
+
+  /** DR — 암호화 D1 dump 복원. SAFE 기본 / tokens·audit 는 includeOptin + tables 명시. */
+  async restoreD1(args: {
+    dumpKey: string;
+    tables?: string[];
+    includeOptin: boolean;
+    policy: 'upsert' | 'replace-all';
+    execute: boolean;
+    confirm?: string;
+  }): Promise<D1RestoreResult> {
+    const res = await this.authedFetch(`/v1/admin/restore/d1?dry_run=${!args.execute}`, {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({
+        dump_key: args.dumpKey,
+        tables: args.tables,
+        include_optin: args.includeOptin,
+        policy: args.policy,
+        confirm: args.confirm,
+      }),
+    });
+    const body = (await res.json()) as D1RestoreResult & { error?: string };
+    if (!res.ok) throw new Error(`restore d1 ${res.status}: ${body.error ?? JSON.stringify(body)}`);
+    return body;
+  }
+
   async createServiceToken(args: {
     project: string;
     label: string;
@@ -162,14 +483,65 @@ export class AthsraClient {
     };
   }
 
+  /** Phase 3 P3 — device-login 시작 (unauth). device_code + user_code + verification_uri. */
+  async deviceCode(args: {
+    project: string;
+    perms?: 'read' | 'write';
+    label: string;
+  }): Promise<DeviceCodeResponse> {
+    const res = await fetch(this.url('/auth/device/code'), {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ project: args.project, perms: args.perms, label: args.label }),
+    });
+    if (!res.ok) throw new Error(`device code ${res.status}: ${await res.text()}`);
+    return (await res.json()) as DeviceCodeResponse;
+  }
+
+  /** Phase 3 P3 — device-login poll (unauth). 200 = token 수령, 400 = pending/terminal error. */
+  async devicePollToken(deviceCode: string): Promise<DevicePollResult> {
+    const res = await fetch(this.url('/auth/device/token'), {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ device_code: deviceCode }),
+    });
+    const body = (await res.json()) as Record<string, unknown>;
+    if (res.ok) {
+      return {
+        status: 'token',
+        token: typeof body.token === 'string' ? body.token : '',
+        recipientId: typeof body.recipient_id === 'string' ? body.recipient_id : '',
+        project: typeof body.project === 'string' ? body.project : '',
+        perms: body.perms === 'write' ? 'write' : 'read',
+      };
+    }
+    return {
+      status: 'pending',
+      error: typeof body.error === 'string' ? body.error : `http_${res.status}`,
+      interval: typeof body.interval === 'number' ? body.interval : undefined,
+    };
+  }
+
+  /**
+   * Phase 4 Slice 3 — rewrap 가 있으면 identity privkey 를 새 pw 재포장 재료를 같은 요청에 실어
+   * 원자적 갱신(별도 PUT 의 부분실패 = privkey 고아화 제거). identity 키 보유 user 는 필수.
+   */
   async rotateMaster(
     oldProof: string,
     newProof: string,
+    rewrap?: IdentityKeyRewrap,
   ): Promise<{ token: string; machineId: string; rotatedAt: string }> {
+    const body: Record<string, unknown> = { old_proof: oldProof, new_proof: newProof };
+    if (rewrap) {
+      body.new_wrapped_private_key = rewrap.wrapped_private_key;
+      body.new_key_salt = rewrap.key_salt;
+      body.new_wrap_nonce = rewrap.wrap_nonce;
+      body.new_kdf_params = rewrap.kdf_params;
+    }
     const res = await fetch(this.url('/auth/rotate-master'), {
       method: 'POST',
       headers: this.headers({ 'content-type': 'application/json' }),
-      body: JSON.stringify({ old_proof: oldProof, new_proof: newProof }),
+      body: JSON.stringify(body),
     });
     if (!res.ok) throw new Error(`rotate-master ${res.status}: ${await res.text()}`);
     return (await res.json()) as { token: string; machineId: string; rotatedAt: string };
@@ -201,25 +573,23 @@ export class AthsraClient {
   }
 
   async getEnvelope(project: string): Promise<SecretEnvelopeAny | null> {
-    const res = await fetch(this.url(`/v1/secrets/${encodeURIComponent(project)}`), {
-      headers: this.headers(),
-    });
+    const res = await this.authedFetch(`/v1/secrets/${encodeURIComponent(project)}`);
     if (res.status === 404) return null;
     if (!res.ok) throw new Error(`fetch ${res.status}: ${await res.text()}`);
     return (await res.json()) as SecretEnvelopeAny;
   }
 
   async putEnvelope(project: string, envelope: SecretEnvelopeAny): Promise<void> {
-    const res = await fetch(this.url(`/v1/secrets/${encodeURIComponent(project)}`), {
+    const res = await this.authedFetch(`/v1/secrets/${encodeURIComponent(project)}`, {
       method: 'PUT',
-      headers: this.headers({ 'content-type': 'application/json' }),
+      headers: { 'content-type': 'application/json' },
       body: JSON.stringify(envelope),
     });
     if (!res.ok) throw new Error(`put ${res.status}: ${await res.text()}`);
   }
 
   async listProjects(): Promise<string[]> {
-    const res = await fetch(this.url('/v1/secrets'), { headers: this.headers() });
+    const res = await this.authedFetch('/v1/secrets');
     if (!res.ok) throw new Error(`list ${res.status}: ${await res.text()}`);
     const data = (await res.json()) as { projects: string[] };
     return data.projects;
@@ -234,12 +604,8 @@ export class AthsraClient {
     recoverable_versions?: number;
     removed_versions?: number;
   }> {
-    const url =
-      this.url(`/v1/secrets/${encodeURIComponent(project)}`) + (opts?.hard ? '?hard=true' : '');
-    const res = await fetch(url, {
-      method: 'DELETE',
-      headers: this.headers(),
-    });
+    const path = `/v1/secrets/${encodeURIComponent(project)}${opts?.hard ? '?hard=true' : ''}`;
+    const res = await this.authedFetch(path, { method: 'DELETE' });
     if (!res.ok) throw new Error(`delete ${res.status}: ${await res.text()}`);
     return (await res.json()) as {
       soft?: boolean;
@@ -256,9 +622,7 @@ export class AthsraClient {
     versions: { version_id: string; updated_at: string; size: number }[];
     count: number;
   }> {
-    const res = await fetch(this.url(`/v1/secrets/${encodeURIComponent(project)}/versions`), {
-      headers: this.headers(),
-    });
+    const res = await this.authedFetch(`/v1/secrets/${encodeURIComponent(project)}/versions`);
     if (!res.ok) throw new Error(`versions ${res.status}: ${await res.text()}`);
     return (await res.json()) as {
       project: string;
@@ -273,9 +637,9 @@ export class AthsraClient {
     project: string,
     versionId: string,
   ): Promise<{ ok: boolean; project: string; current_version: string }> {
-    const res = await fetch(this.url(`/v1/secrets/${encodeURIComponent(project)}/rollback`), {
+    const res = await this.authedFetch(`/v1/secrets/${encodeURIComponent(project)}/rollback`, {
       method: 'POST',
-      headers: this.headers({ 'content-type': 'application/json' }),
+      headers: { 'content-type': 'application/json' },
       body: JSON.stringify({ version_id: versionId }),
     });
     if (!res.ok) throw new Error(`rollback ${res.status}: ${await res.text()}`);
@@ -289,9 +653,8 @@ export class AthsraClient {
     deleted_at: string;
     deleted_by: string;
   }> {
-    const res = await fetch(this.url(`/v1/secrets/${encodeURIComponent(project)}/restore`), {
+    const res = await this.authedFetch(`/v1/secrets/${encodeURIComponent(project)}/restore`, {
       method: 'POST',
-      headers: this.headers(),
     });
     if (!res.ok) throw new Error(`restore ${res.status}: ${await res.text()}`);
     return (await res.json()) as {
@@ -309,8 +672,8 @@ export class AthsraClient {
     | { projects: string[]; count: number }
     | { projects: { project: string; active: boolean; deleted: boolean }[]; count: number }
   > {
-    const url = this.url('/v1/secrets') + (opts?.includeDeleted ? '?include_deleted=true' : '');
-    const res = await fetch(url, { headers: this.headers() });
+    const path = `/v1/secrets${opts?.includeDeleted ? '?include_deleted=true' : ''}`;
+    const res = await this.authedFetch(path);
     if (!res.ok) throw new Error(`list ${res.status}: ${await res.text()}`);
     return (await res.json()) as
       | { projects: string[]; count: number }
@@ -335,17 +698,14 @@ export class AthsraClient {
 
   async inviteUser(args: {
     identifier: string;
-    proof: string;
-    globalSaltVersion?: string;
     initialRole?: 'admin' | 'dev' | 'viewer' | 'auditor' | 'sa';
   }): Promise<{ ok: true; id: number; identifier: string; status: string; role: string }> {
+    // Phase 3a: invite 는 신원·접근 부여만 — master pw proof 는 유저가 직접 bootstrap.
     const res = await fetch(this.url('/v1/admin/users'), {
       method: 'POST',
       headers: this.headers({ 'content-type': 'application/json' }),
       body: JSON.stringify({
         identifier: args.identifier,
-        proof: args.proof,
-        global_salt_version: args.globalSaltVersion,
         initial_role: args.initialRole,
       }),
     });
@@ -400,19 +760,23 @@ export class AthsraClient {
     if (!res.ok) throw new Error(`admin grant acl ${res.status}: ${await res.text()}`);
     return (await res.json()) as {
       ok: true;
+      org_id: number;
       user_id: number;
       project: string;
       perms: string;
     };
   }
 
-  async revokeAcl(args: { project: string; userId: number }): Promise<{ ok: true }> {
+  async revokeAcl(args: {
+    project: string;
+    userId: number;
+  }): Promise<{ ok: true; org_id: number }> {
     const res = await fetch(
       this.url(`/v1/admin/projects/${encodeURIComponent(args.project)}/acl/${args.userId}`),
       { method: 'DELETE', headers: this.headers() },
     );
     if (!res.ok) throw new Error(`admin revoke acl ${res.status}: ${await res.text()}`);
-    return (await res.json()) as { ok: true };
+    return (await res.json()) as { ok: true; org_id: number };
   }
 
   /**
@@ -539,6 +903,7 @@ export class AthsraClient {
  */
 export interface CwWorkerRow {
   id: number;
+  orgId: number;
   project: string;
   workerName: string;
   accountId: string;

package/src/lib/colors.ts

@@ -0,0 +1,17 @@
+/**
+ * colors.ts — 최소 ANSI 색상 (terminal 출력 강조). NO_COLOR + non-TTY 존중.
+ *
+ * 2026-06-02 — dr (DR restore) + service-token list (만료 임박 강조) 공용.
+ */
+
+const ENABLED = process.env.NO_COLOR === undefined && process.stdout.isTTY !== false;
+
+function wrap(code: string, s: string): string {
+  return ENABLED ? `\x1b[${code}m${s}\x1b[0m` : s;
+}
+
+export const red = (s: string): string => wrap('31', s);
+export const yellow = (s: string): string => wrap('33', s);
+export const green = (s: string): string => wrap('32', s);
+export const dim = (s: string): string => wrap('2', s);
+export const bold = (s: string): string => wrap('1', s);

package/src/lib/config.ts

@@ -10,6 +10,12 @@ export interface Config {
   workerUrl: string;
   machineId: string;
   createdAt: string;
+  /**
+   * Phase 4 Slice 6a — 현재 활성 org (org switch 시 기록). 미설정 = 자기 personal org(기본).
+   * idle-refresh 가 re-register 후 이 값으로 다시 switch (안 그러면 personal org 로 reset).
+   */
+  orgId?: number;
+  orgSlug?: string;
 }
 
 export function ensureConfigDir(): void {

package/src/lib/env-format.ts

@@ -1,56 +1,8 @@
 /**
- * .env 형식 parser/serializer (KEY=value, # comment, blank lines).
- * Phase 0 minimal — escape, multiline, $expansion 미지원.
- */
-
-export function parseEnv(text: string): Record<string, string> {
-  const out: Record<string, string> = {};
-  for (const line of text.split('\n')) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith('#')) continue;
-    const eqIdx = trimmed.indexOf('=');
-    if (eqIdx < 0) continue;
-    const key = trimmed.slice(0, eqIdx).trim();
-    let value = trimmed.slice(eqIdx + 1).trim();
-    // strip surrounding quotes
-    if (
-      (value.startsWith('"') && value.endsWith('"')) ||
-      (value.startsWith("'") && value.endsWith("'"))
-    ) {
-      value = value.slice(1, -1);
-    }
-    out[key] = value;
-  }
-  return out;
-}
-
-export function serializeEnv(plain: Record<string, string>): string {
-  return Object.entries(plain)
-    .map(([k, v]) => `${k}=${v}`)
-    .join('\n');
-}
-
-/**
- * 빈 값 키 (value === '') 를 정상 키와 분리한다.
+ * .env 형식 parser/serializer — @athsra/crypto 로 이동 (CLI + dashboard 단일 source).
  *
- * athsra 는 빈 값 키를 "미설정" 으로 취급한다 — `run` 은 inject 를 건너뛰어
- * 부모 환경 변수를 보존하고, `ls`/`doctor` 는 `(empty)` 로 노출한다. 키 이름만
- * 등록되고 값이 누락된 산출물 (migration scaffolding) 이 유효한 부모 env 를
- * silently 덮어써 배포 인증을 깨뜨리는 사고를 차단하기 위한 "빈 값" 의 단일 정의.
+ * envelope plaintext 형식 (dotenv KEY=value) 은 암호화 envelope 의 내용 규격이므로
+ * crypto 패키지가 정본. 이 파일은 CLI 내부 사용처 (get/ls/doctor/run/set/envelope) 의
+ * 기존 import 경로 호환을 위한 re-export.
  */
-export function partitionEnv(plain: Record<string, string>): {
-  filled: Record<string, string>;
-  emptyKeys: string[];
-} {
-  const filled: Record<string, string> = {};
-  const emptyKeys: string[] = [];
-  for (const [key, value] of Object.entries(plain)) {
-    if (value === '') {
-      emptyKeys.push(key);
-    } else {
-      filled[key] = value;
-    }
-  }
-  emptyKeys.sort();
-  return { filled, emptyKeys };
-}
+export { parseEnv, partitionEnv, serializeEnv } from '@athsra/crypto';