@athsra/cli 1.0.2 → 1.0.3

package/src/commands/login.ts

@@ -1,15 +1,37 @@
-import { spawn } from 'node:child_process';
-import { createHash, randomBytes } from 'node:crypto';
-import { createServer, type IncomingMessage, type ServerResponse } from 'node:http';
 import { hostname } from 'node:os';
-import { deriveKey, fromBase64, toBase64 } from '@athsra/crypto';
-import { isValidPhrase, normalizePhrase, wordCount } from '../lib/bip39.ts';
+import {
+  deriveProof,
+  fromBase64,
+  isValidPhrase,
+  normalizePhrase,
+  toBase64,
+  wordCount,
+} from '@athsra/crypto';
+import { resolveProject } from '../lib/auto-project.ts';
 import { AthsraClient } from '../lib/client.ts';
 import { type Config, loadConfig, saveConfig } from '../lib/config.ts';
-import { probeKeyring, setMasterPw, setToken } from '../lib/keyring.ts';
+import { ensureKeypair } from '../lib/identity-key.ts';
+import { probeKeyring, setDeviceToken, setMasterPw, setToken } from '../lib/keyring.ts';
 import { consumeLegacySession } from '../lib/legacy-session.ts';
+import { openBrowser, runOidcPkceFlow, SSO_DEFAULTS } from '../lib/oidc-flow.ts';
 import { promptConfirm, promptPassword, promptText } from '../lib/prompt.ts';
 
+/**
+ * Phase 4 Slice 3 — login 후 X25519 identity 키쌍 보장 (best-effort). 키쌍은 org 공유 시크릿
+ * 복호용. 실패해도 login 자체는 성공 유지(다음 login 에 재시도) — provisioning 은 substrate 이고
+ * 실제 공유는 Slice 6. master pw 로 wrap 된 privkey 만 server 보관(평문 미노출).
+ */
+async function provisionIdentityKey(client: AthsraClient, masterPw: string): Promise<void> {
+  try {
+    const created = await ensureKeypair(client, masterPw);
+    console.log(created ? '  identity key: provisioned ✓' : '  identity key: present ✓');
+  } catch (err) {
+    console.warn(
+      `  identity key: provisioning deferred (${err instanceof Error ? err.message : String(err)})`,
+    );
+  }
+}
+
 /**
  * Phase 2.8 (2026-05-26) — Connect SSO 로그인 (OIDC PKCE).
  *
@@ -22,112 +44,9 @@ import { promptConfirm, promptPassword, promptText } from '../lib/prompt.ts';
  *   6) keyring 저장 + master pw prompt (envelope decrypt 용)
  *
  * E2EE 정합: SSO 는 worker 인증 layer 만. master pw 는 envelope decrypt 전용.
+ * PKCE 플로우 기계 부분(step 1-4)은 lib/oidc-flow.ts 로 분리 (2026-06-02 리팩토링).
  */
 
-const SSO_DEFAULTS = {
-  /** Connect authorize endpoint */
-  authorizeUrl: 'https://login.modfolio.io/authorize',
-  /** Connect token endpoint */
-  tokenUrl: 'https://login.modfolio.io/token',
-  /** Connect 측 CLI client (PKCE public, no secret). 사용자가 별도 등록. */
-  clientId: 'athsra-cli',
-  /** OIDC scope */
-  scope: 'openid profile email',
-  /** callback timeout (ms) — 사용자 browser 작업 대기 */
-  callbackTimeoutMs: 5 * 60 * 1000,
-};
-
-interface CallbackResult {
-  code: string;
-  state: string;
-}
-
-/** Start ephemeral loopback HTTP callback server. Closes after first valid callback or timeout. */
-async function waitForCallback(
-  expectedState: string,
-  port: number,
-  timeoutMs: number,
-): Promise<CallbackResult> {
-  return await new Promise<CallbackResult>((resolve, reject) => {
-    const server = createServer((req: IncomingMessage, res: ServerResponse) => {
-      const url = new URL(req.url ?? '/', `http://127.0.0.1:${port}`);
-      if (url.pathname !== '/callback') {
-        res.statusCode = 404;
-        res.end('not found');
-        return;
-      }
-      const code = url.searchParams.get('code');
-      const state = url.searchParams.get('state');
-      const error = url.searchParams.get('error');
-      if (error) {
-        res.statusCode = 400;
-        res.end(`Authorization failed: ${error}. Return to terminal.`);
-        server.close();
-        reject(new Error(`Connect authorize error: ${error}`));
-        return;
-      }
-      if (!code || !state) {
-        res.statusCode = 400;
-        res.end('Missing code or state. Return to terminal.');
-        server.close();
-        reject(new Error('Missing code or state in callback'));
-        return;
-      }
-      if (state !== expectedState) {
-        res.statusCode = 400;
-        res.end('State mismatch — possible CSRF. Return to terminal.');
-        server.close();
-        reject(new Error('State mismatch'));
-        return;
-      }
-      res.statusCode = 200;
-      res.setHeader('content-type', 'text/html; charset=utf-8');
-      res.end(
-        '<!doctype html><html><body style="font-family:system-ui;padding:2rem;">' +
-          '<h2>✓ athsra SSO 로그인 완료</h2>' +
-          '<p>터미널로 돌아가세요. 이 창은 닫아도 됩니다.</p>' +
-          '</body></html>',
-      );
-      server.close();
-      resolve({ code, state });
-    });
-    server.listen(port, '127.0.0.1');
-    setTimeout(() => {
-      server.close();
-      reject(new Error(`callback timeout after ${timeoutMs / 1000}s`));
-    }, timeoutMs);
-  });
-}
-
-function base64urlBuf(buf: Buffer): string {
-  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
-}
-
-function openBrowser(url: string): void {
-  const platform = process.platform;
-  const cmd = platform === 'darwin' ? 'open' : platform === 'win32' ? 'cmd' : 'xdg-open';
-  const args = platform === 'win32' ? ['/c', 'start', '', url] : [url];
-  spawn(cmd, args, { detached: true, stdio: 'ignore' }).unref();
-}
-
-async function findFreePort(): Promise<number> {
-  // 49152-65535 ephemeral range. createServer port=0 자동 할당.
-  return await new Promise<number>((resolve, reject) => {
-    const server = createServer();
-    server.on('error', reject);
-    server.listen(0, '127.0.0.1', () => {
-      const address = server.address();
-      if (typeof address !== 'object' || address === null) {
-        server.close();
-        reject(new Error('no port'));
-        return;
-      }
-      const port = address.port;
-      server.close(() => resolve(port));
-    });
-  });
-}
-
 async function ssoLoginCmd(): Promise<number> {
   console.log('athsra login --sso (modfolio-connect OIDC PKCE)\n');
 
@@ -155,78 +74,28 @@ async function ssoLoginCmd(): Promise<number> {
     return 1;
   }
 
-  // 4. PKCE + state 생성
-  const codeVerifier = base64urlBuf(randomBytes(48));
-  const codeChallenge = base64urlBuf(createHash('sha256').update(codeVerifier).digest());
-  const state = base64urlBuf(randomBytes(16));
-
-  // 5. callback server start
-  let port: number;
+  // 4. OIDC PKCE 플로우 (browser → Connect /authorize → callback → /token) → access_token.
+  //    env override 해석 후 lib/oidc-flow.ts 에 위임. 실패 시 throw → `✗ ...` + exit 1.
+  let accessToken: string;
   try {
-    port = await findFreePort();
-  } catch (err) {
-    console.error(`✗ cannot allocate callback port: ${(err as Error).message}`);
-    return 1;
-  }
-  const redirectUri = `http://127.0.0.1:${port}/callback`;
-
-  // 6. browser open
-  const authorizeUrl = process.env.ATHSRA_SSO_AUTHORIZE_URL ?? SSO_DEFAULTS.authorizeUrl;
-  const clientId = process.env.ATHSRA_SSO_CLIENT_ID ?? SSO_DEFAULTS.clientId;
-  const params = new URLSearchParams({
-    client_id: clientId,
-    response_type: 'code',
-    code_challenge: codeChallenge,
-    code_challenge_method: 'S256',
-    state,
-    redirect_uri: redirectUri,
-    scope: SSO_DEFAULTS.scope,
-  });
-  const authUrl = `${authorizeUrl}?${params.toString()}`;
-  console.log(`opening browser: ${authUrl.slice(0, 80)}...`);
-  console.log(`callback: ${redirectUri}`);
-  console.log('(complete login in browser — terminal will resume when callback received)\n');
-  openBrowser(authUrl);
-
-  // 7. wait for callback
-  let callback: CallbackResult;
-  try {
-    callback = await waitForCallback(state, port, SSO_DEFAULTS.callbackTimeoutMs);
+    const flow = await runOidcPkceFlow({
+      authorizeUrl: process.env.ATHSRA_SSO_AUTHORIZE_URL ?? SSO_DEFAULTS.authorizeUrl,
+      tokenUrl: process.env.ATHSRA_SSO_TOKEN_URL ?? SSO_DEFAULTS.tokenUrl,
+      clientId: process.env.ATHSRA_SSO_CLIENT_ID ?? SSO_DEFAULTS.clientId,
+      scope: SSO_DEFAULTS.scope,
+      callbackTimeoutMs: SSO_DEFAULTS.callbackTimeoutMs,
+    });
+    accessToken = flow.accessToken;
   } catch (err) {
-    console.error(`✗ callback failed: ${(err as Error).message}`);
+    console.error(`✗ ${(err as Error).message}`);
     return 1;
   }
-  console.log('✓ callback received, exchanging code...');
 
-  // 8. token exchange (Connect /token)
-  const tokenUrl = process.env.ATHSRA_SSO_TOKEN_URL ?? SSO_DEFAULTS.tokenUrl;
-  const tokenRes = await fetch(tokenUrl, {
-    method: 'POST',
-    headers: { 'content-type': 'application/x-www-form-urlencoded' },
-    body: new URLSearchParams({
-      grant_type: 'authorization_code',
-      code: callback.code,
-      code_verifier: codeVerifier,
-      client_id: clientId,
-      redirect_uri: redirectUri,
-    }).toString(),
-  });
-  if (!tokenRes.ok) {
-    console.error(`✗ Connect token exchange failed: ${tokenRes.status} ${await tokenRes.text()}`);
-    return 1;
-  }
-  const tokenBody = (await tokenRes.json()) as { access_token?: string };
-  if (!tokenBody.access_token) {
-    console.error('✗ Connect token response missing access_token');
-    return 1;
-  }
-  console.log('✓ Connect access_token received');
-
-  // 9. worker /auth/sso (Connect token → athsra Bearer)
+  // 5. worker /auth/sso (Connect token → athsra Bearer)
   const ssoRes = await fetch(`${workerUrl}/auth/sso`, {
     method: 'POST',
     headers: { 'content-type': 'application/json' },
-    body: JSON.stringify({ access_token: tokenBody.access_token, label: machineId }),
+    body: JSON.stringify({ access_token: accessToken, label: machineId }),
   });
   if (!ssoRes.ok) {
     console.error(`✗ athsra worker SSO failed: ${ssoRes.status} ${await ssoRes.text()}`);
@@ -234,12 +103,13 @@ async function ssoLoginCmd(): Promise<number> {
   }
   const ssoBody = (await ssoRes.json()) as {
     token: string;
+    user_id: number;
     identifier: string;
     expires_at?: string;
     createdAt: string;
   };
 
-  // 10. master pw prompt (envelope decrypt 전용 — worker 에 송신 X)
+  // 6. master pw prompt (envelope decrypt 전용 — worker 에 송신 X)
   console.log('\n● Master password — envelope decrypt (E2EE, worker 노출 X)');
   const envPw = process.env.ATHSRA_MASTER_PW;
   let masterPw: string;
@@ -259,7 +129,35 @@ async function ssoLoginCmd(): Promise<number> {
     masterPw = normalizePhrase(masterPw);
   }
 
-  // 11. config + keyring 저장
+  // 6.5. master pw proof bootstrap-or-verify (POST /auth/proof) — Phase 3a.
+  //   proof = Argon2id(masterPw, perUserSalt(user_id, GLOBAL_SALT)) 단방향 해시 — 평문 송신 X (E2EE).
+  //   G-1: per-user salt 로 같은 pw 두 user 도 proof 가 유일. 첫 SSO = bootstrap, 재로그인 = 검증.
+  const info = await tempClient.info();
+  const proof = toBase64(deriveProof(masterPw, ssoBody.user_id, fromBase64(info.global_salt)));
+  try {
+    const pr = await new AthsraClient(workerUrl, ssoBody.token).setProof(
+      proof,
+      info.global_salt_version,
+    );
+    if (pr.version_reset) {
+      console.log('• Master password re-registered (GLOBAL_SALT changed).');
+    } else if (pr.bootstrap) {
+      console.log('• Master password set for this account ✓ (worker stores one-way proof only).');
+    } else {
+      console.log('• Master password verified ✓.');
+    }
+  } catch (err) {
+    const msg = (err as Error).message;
+    if (msg.includes('409')) {
+      console.error('✗ master password mismatch — 이 계정에 설정된 master pw 와 다릅니다.');
+      console.error('  올바른 master pw 로 다시 로그인하세요 (틀린 pw 는 저장하지 않습니다).');
+      return 1;
+    }
+    console.error(`✗ master password proof failed: ${msg}`);
+    return 1;
+  }
+
+  // 7. config + keyring 저장
   const config: Config = {
     workerUrl,
     machineId,
@@ -268,6 +166,7 @@ async function ssoLoginCmd(): Promise<number> {
   saveConfig(config);
   setMasterPw(machineId, masterPw);
   setToken(machineId, ssoBody.token);
+  await provisionIdentityKey(new AthsraClient(workerUrl, ssoBody.token), masterPw);
 
   console.log(`\n✓ SSO logged in (machine: ${machineId})`);
   console.log(`  identifier: ${ssoBody.identifier}`);
@@ -279,11 +178,149 @@ async function ssoLoginCmd(): Promise<number> {
   return 0;
 }
 
+/** 비-인터랙티브 agent 기본 worker (config/env 없을 때). production athsra worker. */
+const DEFAULT_WORKER_URL = 'https://athsra-worker.winterermod.workers.dev';
+
+interface DeviceArgs {
+  project?: string;
+  perms: 'read' | 'write';
+  noBrowser: boolean;
+}
+
+function parseDeviceArgs(args: string[]): DeviceArgs {
+  let project: string | undefined;
+  let perms: 'read' | 'write' = 'read';
+  let noBrowser = false;
+  for (let i = 0; i < args.length; i++) {
+    const a = args[i];
+    if (a === '--project' || a === '-p') {
+      const v = args[i + 1];
+      if (v && !v.startsWith('-')) {
+        project = v;
+        i++;
+      }
+    } else if (a === '--write') {
+      perms = 'write';
+    } else if (a === '--perms') {
+      const v = args[i + 1];
+      if (v) {
+        perms = v === 'write' ? 'write' : 'read';
+        i++;
+      }
+    } else if (a === '--no-browser') {
+      noBrowser = true;
+    } else if (a && a !== '--device' && !a.startsWith('-') && !project) {
+      project = a;
+    }
+  }
+  return { project, perms, noBrowser };
+}
+
+const sleep = (ms: number): Promise<void> => new Promise((r) => setTimeout(r, ms));
+
+/**
+ * Phase 3 P3 (2026-05-31) — device-login (RFC 8628 적응).
+ *
+ * 비-TTY agent 가 master pw 인터랙티브 프롬프트 없이 project-scoped 인증.
+ * `athsra login --device [--project <p>] [--write]` → user_code + URL 출력 → 사용자가
+ * athsra.com/device 에서 1-click 승인 → poll 로 ats_* 수령 → keyring 저장.
+ * 이후 `athsra run <p>` 가 master pw 없이 동작.
+ */
+async function deviceLoginCmd(args: string[]): Promise<number> {
+  const { project: explicitProject, perms, noBrowser } = parseDeviceArgs(args);
+  // project: 명시 --project > cwd 자동 감지 (basename > .athsra > package.json)
+  const project = explicitProject ?? resolveProject([]).project ?? undefined;
+  if (!project) {
+    console.error(
+      'project 미지정 — `athsra login --device --project <name>` 또는 project repo 안에서 실행.',
+    );
+    return 1;
+  }
+
+  const probe = probeKeyring();
+  if (!probe.ok) {
+    console.error(`✗ keyring backend unavailable: ${probe.error ?? 'unknown'}`);
+    return 1;
+  }
+
+  const existing = loadConfig();
+  const workerUrl = process.env.ATHSRA_WORKER_URL ?? existing?.workerUrl ?? DEFAULT_WORKER_URL;
+  const machineId = existing?.machineId ?? `${hostname()}-${Date.now().toString(36)}`;
+
+  const client = new AthsraClient(workerUrl);
+  if (!(await client.health())) {
+    console.error(`✗ worker unreachable: ${workerUrl}`);
+    return 1;
+  }
+
+  let dc: Awaited<ReturnType<typeof client.deviceCode>>;
+  try {
+    dc = await client.deviceCode({ project, perms, label: machineId });
+  } catch (err) {
+    console.error(`✗ device code 발급 실패: ${(err as Error).message}`);
+    return 1;
+  }
+
+  console.log('\n● athsra device-login — 브라우저에서 승인이 필요합니다\n');
+  console.log(`  1. 열기:  ${dc.verification_uri_complete}`);
+  console.log(`  2. 코드:  ${dc.user_code}   (project: ${project}, perms: ${perms})`);
+  console.log('\n  athsra.com 에 SSO 로그인 후 "승인" 클릭하면 자동 진행됩니다.');
+  console.log('  (master pw 는 그 브라우저에서 1회 — 이 기기엔 저장되지 않습니다)\n');
+  if (!noBrowser) openBrowser(dc.verification_uri_complete);
+
+  // poll
+  let interval = Math.max(1, dc.interval) * 1000;
+  const deadline = Date.now() + dc.expires_in * 1000;
+  process.stdout.write('  대기 중');
+  while (Date.now() < deadline) {
+    await sleep(interval);
+    let result: Awaited<ReturnType<typeof client.devicePollToken>>;
+    try {
+      result = await client.devicePollToken(dc.device_code);
+    } catch {
+      process.stdout.write('.');
+      continue;
+    }
+    if (result.status === 'token') {
+      setDeviceToken(project, result.token);
+      saveConfig({
+        workerUrl,
+        machineId,
+        createdAt: existing?.createdAt ?? new Date().toISOString(),
+      });
+      console.log('\n\n✓ device-login 완료');
+      console.log(`  project: ${result.project} (${result.perms})`);
+      console.log('  keyring: device token 저장 (master pw 불필요)');
+      console.log(`  사용:    athsra run ${result.project} -- <command>\n`);
+      return 0;
+    }
+    // pending / terminal
+    if (result.error === 'access_denied') {
+      console.error('\n\n✗ 승인이 거부되었습니다.');
+      return 1;
+    }
+    if (result.error === 'expired_token') {
+      console.error('\n\n✗ 요청이 만료되었습니다. `athsra login --device` 재시도.');
+      return 1;
+    }
+    if (result.error === 'slow_down') {
+      interval += 5000;
+    }
+    process.stdout.write('.');
+  }
+  console.error('\n\n✗ 승인 대기 시간 초과. `athsra login --device` 재시도.');
+  return 1;
+}
+
 const LOGIN_USAGE = [
-  'usage: athsra login [--sso]',
+  'usage: athsra login [--sso | --device]',
   '',
   '기본 (master pw + paper backup): athsra login',
   'SSO (modfolio-connect OIDC PKCE — Phase 2.8): athsra login --sso',
+  'device (비-TTY agent, master pw 불필요 — Phase 3 P3): athsra login --device [--project <p>] [--write]',
+  '',
+  'device-login: agent 가 user_code 출력 → 사용자가 athsra.com/device 에서 1-click 승인 →',
+  '  project-scoped ats_* 수령 (keyring 저장). master pw 는 승인 브라우저에서만 사용.',
   '',
   '환경변수:',
   '  ATHSRA_WORKER_URL           worker URL (config 우선)',
@@ -299,6 +336,9 @@ export async function loginCmd(args: string[]): Promise<number> {
     console.log(LOGIN_USAGE);
     return 0;
   }
+  if (args.includes('--device')) {
+    return deviceLoginCmd(args);
+  }
   if (args.includes('--sso')) {
     return ssoLoginCmd();
   }
@@ -407,8 +447,11 @@ export async function loginCmd(args: string[]): Promise<number> {
     console.log('  동일 master password 로 재 register 진행합니다.\n');
   }
 
-  // 7. master_pw_proof = Argon2id(pw + GLOBAL_SALT)
-  const proofBytes = deriveKey(masterPw, fromBase64(info.global_salt));
+  // 7. master_pw_proof = Argon2id(pw, perUserSalt(user_id, GLOBAL_SALT)) — G-1 per-user salt.
+  // password register 는 founding singleton(user 1) 전용(SSO 외 유일 경로) — userId=1 고정.
+  // 다중 사용자 self-serve password register 는 out-of-scope(SSO-gated 유지).
+  const FOUNDING_USER_ID = 1;
+  const proofBytes = deriveProof(masterPw, FOUNDING_USER_ID, fromBase64(info.global_salt));
   const proofBase64 = toBase64(proofBytes);
 
   // 8. register → token
@@ -435,6 +478,7 @@ export async function loginCmd(args: string[]): Promise<number> {
   saveConfig(config);
   setMasterPw(machineId, masterPw);
   setToken(machineId, reg.token);
+  await provisionIdentityKey(new AthsraClient(workerUrl, reg.token), masterPw);
 
   console.log(`\n✓ logged in (machine: ${machineId})`);
   console.log(`  worker:   ${workerUrl}`);

package/src/commands/manifest.ts

@@ -20,15 +20,11 @@ import {
   applyManifest,
   createManifest,
   loadManifest,
-  type SecretsManifest,
   manifestPath,
+  type SecretsManifest,
   saveManifest,
 } from '../lib/secrets-manifest.ts';
-import {
-  describeConflicts,
-  findConflicts,
-  scanWranglerConfig,
-} from '../lib/wrangler-scan.ts';
+import { describeConflicts, findConflicts, scanWranglerConfig } from '../lib/wrangler-scan.ts';
 
 const USAGE = [
   'usage: athsra manifest <subcommand> [options]',
@@ -335,10 +331,7 @@ async function cmdValidate(flags: ParsedFlags): Promise<number> {
   return applied.missing.length > 0 ? 1 : 0;
 }
 
-function modifyManifest(
-  flags: ParsedFlags,
-  op: 'add' | 'remove',
-): number {
+function modifyManifest(flags: ParsedFlags, op: 'add' | 'remove'): number {
   const keys = flags.positional;
   if (keys.length === 0) {
     console.error(`✗ usage: athsra manifest ${op} <KEY> [<KEY2>...] [--worker=<name>]`);