@athsra/cli 1.0.2 → 1.0.3

package/src/lib/mcp-tools/write.ts

@@ -0,0 +1,127 @@
+/**
+ * mcp-tools/write.ts — write MCP tool 핸들러 (`ATHSRA_MCP_WRITE=1` opt-in 시에만 dispatch).
+ *
+ * `commands/mcp.ts` 에서 분리 (2026-06-02 리팩토링). 동작 보존. secret 값은 응답에 미포함.
+ */
+
+import { inferAdoptContext } from '../adopt-context.ts';
+import { loadAuthContext } from '../auth-context.ts';
+import { readPlain, writePlain } from '../envelope.ts';
+import { createManifest, loadManifest, saveManifest } from '../secrets-manifest.ts';
+import { pickWorker, readString, readStringArray } from './args.ts';
+import { jsonError, jsonOk, notLoggedIn, type ToolTextResult } from './result.ts';
+
+export async function handleSetSecret(
+  args: Record<string, unknown> | undefined,
+): Promise<ToolTextResult> {
+  const project = readString(args, 'project');
+  const key = readString(args, 'key');
+  const value = readString(args, 'value');
+  if (!project || !key || value === undefined) {
+    return jsonError('missing required args: project, key, value');
+  }
+  const ctx = await loadAuthContext();
+  if (!ctx) return notLoggedIn();
+  if (ctx.kind !== 'user') {
+    return jsonError('service token cannot write — user token (master pw) required');
+  }
+  const existing = (await readPlain(ctx, project)) ?? {};
+  const updated: Record<string, string> = { ...existing, [key]: value };
+  await writePlain(ctx, project, updated);
+  // 보안: value 는 응답에 절대 포함 X — 키 이름만 confirm
+  return jsonOk({ project, key, action: 'set', total_keys: Object.keys(updated).length });
+}
+
+export async function handleUnsetSecret(
+  args: Record<string, unknown> | undefined,
+): Promise<ToolTextResult> {
+  const project = readString(args, 'project');
+  const key = readString(args, 'key');
+  if (!project || !key) return jsonError('missing required args: project, key');
+  const ctx = await loadAuthContext();
+  if (!ctx) return notLoggedIn();
+  if (ctx.kind !== 'user') {
+    return jsonError('service token cannot write — user token (master pw) required');
+  }
+  const existing = await readPlain(ctx, project);
+  if (!existing) return jsonError(`envelope '${project}' not found`);
+  if (!(key in existing)) {
+    return jsonOk({ project, key, action: 'noop', reason: 'key not present' });
+  }
+  const updated: Record<string, string> = { ...existing };
+  delete updated[key];
+  await writePlain(ctx, project, updated);
+  return jsonOk({ project, key, action: 'unset', total_keys: Object.keys(updated).length });
+}
+
+export function handleManifestInit(args: Record<string, unknown> | undefined): ToolTextResult {
+  const keys = readStringArray(args, 'keys');
+  if (!keys || keys.length === 0) return jsonError('missing required arg: keys (non-empty array)');
+  const at = readString(args, 'cwd') ?? process.cwd();
+  const worker = readString(args, 'worker');
+  const inferred = inferAdoptContext(at);
+  const picked = pickWorker(inferred.workers, worker);
+  if ('error' in picked) return jsonError(picked.error);
+  const existing = loadManifest({ workerCwd: picked.cwd });
+  if (existing.manifest) {
+    return jsonError(`manifest already exists at ${existing.path} — use athsra_manifest_modify`);
+  }
+  if (existing.error) {
+    return jsonError(`manifest invalid (${existing.path}): ${existing.error}`);
+  }
+  try {
+    const manifest = createManifest(keys);
+    const saved = saveManifest(picked.cwd, manifest);
+    return jsonOk({
+      worker: picked.name,
+      manifestPath: saved,
+      secrets: manifest.secrets,
+      count: manifest.secrets.length,
+    });
+  } catch (err) {
+    return jsonError(`createManifest failed: ${(err as Error).message}`);
+  }
+}
+
+export function handleManifestModify(args: Record<string, unknown> | undefined): ToolTextResult {
+  const op = readString(args, 'op');
+  const keys = readStringArray(args, 'keys');
+  if (!op || (op !== 'add' && op !== 'remove')) {
+    return jsonError("invalid 'op' — must be 'add' or 'remove'");
+  }
+  if (!keys || keys.length === 0) return jsonError('missing required arg: keys (non-empty array)');
+  const at = readString(args, 'cwd') ?? process.cwd();
+  const worker = readString(args, 'worker');
+  const inferred = inferAdoptContext(at);
+  const picked = pickWorker(inferred.workers, worker);
+  if ('error' in picked) return jsonError(picked.error);
+  const existing = loadManifest({ workerCwd: picked.cwd });
+  if (existing.error) {
+    return jsonError(`manifest invalid (${existing.path}): ${existing.error}`);
+  }
+  if (!existing.manifest) {
+    return jsonError(`no manifest at ${existing.path} — use athsra_manifest_init`);
+  }
+  const set = new Set(existing.manifest.secrets);
+  const before = set.size;
+  for (const k of keys) {
+    if (op === 'add') set.add(k);
+    else set.delete(k);
+  }
+  if (set.size === before) {
+    return jsonOk({ worker: picked.name, op, action: 'noop', secrets: existing.manifest.secrets });
+  }
+  try {
+    const manifest = createManifest(Array.from(set));
+    const saved = saveManifest(picked.cwd, manifest);
+    return jsonOk({
+      worker: picked.name,
+      op,
+      manifestPath: saved,
+      secrets: manifest.secrets,
+      count: manifest.secrets.length,
+    });
+  } catch (err) {
+    return jsonError(`createManifest failed: ${(err as Error).message}`);
+  }
+}

package/src/lib/oidc-flow.ts

@@ -0,0 +1,200 @@
+/**
+ * oidc-flow.ts — modfolio-connect SSO 의 OIDC PKCE 브라우저 플로우 (Phase 2.8).
+ *
+ * `commands/login.ts` 에서 분리 (2026-06-02 리팩토링) — 프로토콜 무관 OAuth redirect 기계 부분
+ * (PKCE 생성 → loopback callback → /token 교환)을 독립 모듈로. login.ts 는 athsra 고유 셸
+ * (keyring·config·worker /auth/sso 교환·master pw)만 유지. 동작·출력·exit code 보존 (순수 추출).
+ *
+ * `openBrowser` 는 device-login (login.ts deviceLoginCmd) 도 사용 — 여기서 export (중복 사본 금지).
+ */
+
+import { spawn } from 'node:child_process';
+import { createHash, randomBytes } from 'node:crypto';
+import { createServer, type IncomingMessage, type ServerResponse } from 'node:http';
+
+/** OIDC PKCE 플로우 엔드포인트 + 파라미터 (env override 는 호출부에서 해석해 주입). */
+export interface OidcFlowOptions {
+  /** Connect authorize endpoint */
+  authorizeUrl: string;
+  /** Connect token endpoint */
+  tokenUrl: string;
+  /** Connect 측 CLI client (PKCE public, no secret) */
+  clientId: string;
+  /** OIDC scope */
+  scope: string;
+  /** callback timeout (ms) — 사용자 browser 작업 대기 */
+  callbackTimeoutMs: number;
+}
+
+export const SSO_DEFAULTS: OidcFlowOptions = {
+  authorizeUrl: 'https://login.modfolio.io/authorize',
+  tokenUrl: 'https://login.modfolio.io/token',
+  /** Connect 측 CLI client (PKCE public, no secret). 사용자가 별도 등록. */
+  clientId: 'athsra-cli',
+  scope: 'openid profile email',
+  callbackTimeoutMs: 5 * 60 * 1000,
+};
+
+interface CallbackResult {
+  code: string;
+  state: string;
+}
+
+/** Start ephemeral loopback HTTP callback server. Closes after first valid callback or timeout. */
+async function waitForCallback(
+  expectedState: string,
+  port: number,
+  timeoutMs: number,
+): Promise<CallbackResult> {
+  return await new Promise<CallbackResult>((resolve, reject) => {
+    const server = createServer((req: IncomingMessage, res: ServerResponse) => {
+      const url = new URL(req.url ?? '/', `http://127.0.0.1:${port}`);
+      if (url.pathname !== '/callback') {
+        res.statusCode = 404;
+        res.end('not found');
+        return;
+      }
+      const code = url.searchParams.get('code');
+      const state = url.searchParams.get('state');
+      const error = url.searchParams.get('error');
+      if (error) {
+        res.statusCode = 400;
+        res.end(`Authorization failed: ${error}. Return to terminal.`);
+        server.close();
+        reject(new Error(`Connect authorize error: ${error}`));
+        return;
+      }
+      if (!code || !state) {
+        res.statusCode = 400;
+        res.end('Missing code or state. Return to terminal.');
+        server.close();
+        reject(new Error('Missing code or state in callback'));
+        return;
+      }
+      if (state !== expectedState) {
+        res.statusCode = 400;
+        res.end('State mismatch — possible CSRF. Return to terminal.');
+        server.close();
+        reject(new Error('State mismatch'));
+        return;
+      }
+      res.statusCode = 200;
+      res.setHeader('content-type', 'text/html; charset=utf-8');
+      res.end(
+        '<!doctype html><html><body style="font-family:system-ui;padding:2rem;">' +
+          '<h2>✓ athsra SSO 로그인 완료</h2>' +
+          '<p>터미널로 돌아가세요. 이 창은 닫아도 됩니다.</p>' +
+          '</body></html>',
+      );
+      server.close();
+      resolve({ code, state });
+    });
+    server.listen(port, '127.0.0.1');
+    setTimeout(() => {
+      server.close();
+      reject(new Error(`callback timeout after ${timeoutMs / 1000}s`));
+    }, timeoutMs);
+  });
+}
+
+function base64urlBuf(buf: Buffer): string {
+  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+export function openBrowser(url: string): void {
+  const platform = process.platform;
+  const cmd = platform === 'darwin' ? 'open' : platform === 'win32' ? 'cmd' : 'xdg-open';
+  const args = platform === 'win32' ? ['/c', 'start', '', url] : [url];
+  spawn(cmd, args, { detached: true, stdio: 'ignore' }).unref();
+}
+
+async function findFreePort(): Promise<number> {
+  // 49152-65535 ephemeral range. createServer port=0 자동 할당.
+  return await new Promise<number>((resolve, reject) => {
+    const server = createServer();
+    server.on('error', reject);
+    server.listen(0, '127.0.0.1', () => {
+      const address = server.address();
+      if (typeof address !== 'object' || address === null) {
+        server.close();
+        reject(new Error('no port'));
+        return;
+      }
+      const port = address.port;
+      server.close(() => resolve(port));
+    });
+  });
+}
+
+/**
+ * OIDC PKCE 플로우 실행 (login.ts ssoLoginCmd 의 step 4-8):
+ *   4) PKCE code_verifier + challenge + state 생성
+ *   5) localhost callback HTTP server start (ephemeral port)
+ *   6) browser open → Connect /authorize
+ *   7) callback ?code= 대기
+ *   8) POST Connect /token (code + verifier) → access_token
+ *
+ * 실패 시 throw (호출부가 `✗ ${message}` 출력 + exit 1). 진행 로그는 stdout.
+ */
+export async function runOidcPkceFlow(opts: OidcFlowOptions): Promise<{ accessToken: string }> {
+  // 4. PKCE + state 생성
+  const codeVerifier = base64urlBuf(randomBytes(48));
+  const codeChallenge = base64urlBuf(createHash('sha256').update(codeVerifier).digest());
+  const state = base64urlBuf(randomBytes(16));
+
+  // 5. callback server start
+  let port: number;
+  try {
+    port = await findFreePort();
+  } catch (err) {
+    throw new Error(`cannot allocate callback port: ${(err as Error).message}`);
+  }
+  const redirectUri = `http://127.0.0.1:${port}/callback`;
+
+  // 6. browser open
+  const params = new URLSearchParams({
+    client_id: opts.clientId,
+    response_type: 'code',
+    code_challenge: codeChallenge,
+    code_challenge_method: 'S256',
+    state,
+    redirect_uri: redirectUri,
+    scope: opts.scope,
+  });
+  const authUrl = `${opts.authorizeUrl}?${params.toString()}`;
+  console.log(`opening browser: ${authUrl.slice(0, 80)}...`);
+  console.log(`callback: ${redirectUri}`);
+  console.log('(complete login in browser — terminal will resume when callback received)\n');
+  openBrowser(authUrl);
+
+  // 7. wait for callback
+  let callback: CallbackResult;
+  try {
+    callback = await waitForCallback(state, port, opts.callbackTimeoutMs);
+  } catch (err) {
+    throw new Error(`callback failed: ${(err as Error).message}`);
+  }
+  console.log('✓ callback received, exchanging code...');
+
+  // 8. token exchange (Connect /token)
+  const tokenRes = await fetch(opts.tokenUrl, {
+    method: 'POST',
+    headers: { 'content-type': 'application/x-www-form-urlencoded' },
+    body: new URLSearchParams({
+      grant_type: 'authorization_code',
+      code: callback.code,
+      code_verifier: codeVerifier,
+      client_id: opts.clientId,
+      redirect_uri: redirectUri,
+    }).toString(),
+  });
+  if (!tokenRes.ok) {
+    throw new Error(`Connect token exchange failed: ${tokenRes.status} ${await tokenRes.text()}`);
+  }
+  const tokenBody = (await tokenRes.json()) as { access_token?: string };
+  if (!tokenBody.access_token) {
+    throw new Error('Connect token response missing access_token');
+  }
+  console.log('✓ Connect access_token received');
+  return { accessToken: tokenBody.access_token };
+}

package/src/lib/org-rewrap.ts

@@ -0,0 +1,230 @@
+/**
+ * org-rewrap.ts — Phase 4 Slice 6b. owner 가 org 공유 시크릿을 신규 멤버 public key 로 re-wrap.
+ *
+ * owner master pw 로 각 envelope 의 DEK 를 얻어(addMemberRecipient 가 master recipient 로 unwrap)
+ * 멤버 X25519 public key 로 ECDH-wrap → PUT. **멤버 master pw 불필요**(zero-knowledge 팀 공유의
+ * crux). idempotent — 이미 member recipient 있으면 skip. v1 envelope(단일 recipient)은 multi-
+ * recipient 미지원 → skip(먼저 `athsra migrate-envelopes`). 부분 실패는 failed[] 로 surface.
+ */
+import { fromBase64, type SecretEnvelopeV2 } from '@athsra/crypto';
+import {
+  addMemberRecipient,
+  addMemberRecipientAsMember,
+  memberRecipientId,
+  memberRecipientUserIds,
+  type RemainingMember,
+  removeMemberRecipient,
+  rotateEnvelopeDek,
+  unwrapPrivateKey,
+} from '@athsra/crypto/member';
+import type { AthsraClient } from './client.ts';
+
+export interface GrantResult {
+  granted: string[];
+  /** 이미 공유됨(member recipient 존재) — idempotent skip (replace 시엔 재포장). */
+  skipped: string[];
+  /** v1 envelope — multi-recipient 미지원, migrate 필요. */
+  legacyV1: string[];
+  failed: { project: string; error: string }[];
+}
+
+interface AdderIdentity {
+  userId: number;
+  privateKey: Uint8Array;
+}
+
+/**
+ * 현재 org 의 모든 (v2) 공유 시크릿에 memberUserId 를 recipient 로 추가/재포장.
+ * client 는 현재 org 컨텍스트(token.orgId)로 scoped. pubkey 부재(멤버 미 provisioning)면 throw.
+ *
+ * 호출자가 **owner**(master pw 로 master recipient unwrap)면 addMemberRecipient, **admin 멤버**
+ * (master 불가)면 본인 X25519 키로 addMemberRecipientAsMember (server recipient-continuity 가
+ * add=manager 강제). `replace`=true 면 기존 member recipient 를 제거 후 재포장(key reset 복구의
+ * stale wrap 교체 — recipient id set 불변).
+ */
+export async function grantOrgAccess(
+  client: AthsraClient,
+  masterPw: string,
+  memberUserId: number,
+  opts?: { replace?: boolean },
+): Promise<GrantResult> {
+  const pub = await client.getPublicKey(memberUserId);
+  if (!pub) {
+    throw new Error(
+      `member #${memberUserId} 는 아직 identity key 가 없습니다 — 그가 먼저 \`athsra login\` 으로 keypair 를 provisioning 해야 합니다.`,
+    );
+  }
+  const memberPub = fromBase64(pub);
+  const memberId = memberRecipientId(memberUserId);
+
+  // adder identity(member 경로용) — owner 면 master 경로가 성공해 미사용. lazy fetch 1회.
+  let adderCache: AdderIdentity | null | undefined;
+  const getAdder = async (): Promise<AdderIdentity | null> => {
+    if (adderCache !== undefined) return adderCache;
+    const me = await client.whoami();
+    const keyRow = await client.getKeys();
+    if (me.userId === undefined || !keyRow) {
+      adderCache = null;
+      return null;
+    }
+    try {
+      adderCache = {
+        userId: me.userId,
+        privateKey: await unwrapPrivateKey(
+          {
+            wrappedPrivateKey: keyRow.wrapped_private_key,
+            keySalt: keyRow.key_salt,
+            wrapNonce: keyRow.wrap_nonce,
+            kdfParams: keyRow.kdf_params,
+          },
+          masterPw,
+        ),
+      };
+    } catch {
+      adderCache = null;
+    }
+    return adderCache;
+  };
+
+  const addRecipient = async (env: SecretEnvelopeV2): Promise<SecretEnvelopeV2> => {
+    try {
+      return await addMemberRecipient(env, masterPw, memberPub, memberUserId); // owner master 경로
+    } catch (masterErr) {
+      const adder = await getAdder();
+      if (!adder) throw masterErr;
+      return addMemberRecipientAsMember(
+        env,
+        adder.privateKey,
+        adder.userId,
+        memberPub,
+        memberUserId,
+      );
+    }
+  };
+
+  const projects = await client.listProjects();
+  const result: GrantResult = { granted: [], skipped: [], legacyV1: [], failed: [] };
+  for (const project of projects) {
+    try {
+      const env = await client.getEnvelope(project);
+      if (!env) {
+        result.skipped.push(project);
+        continue;
+      }
+      if (env.version !== 2) {
+        result.legacyV1.push(project);
+        continue;
+      }
+      const has = env.recipients.some((r) => r.id === memberId);
+      if (has && !opts?.replace) {
+        result.skipped.push(project);
+        continue;
+      }
+      // replace: 기존(stale) recipient 제거 후 재포장. 신규: 그냥 추가.
+      const baseEnv = has ? removeMemberRecipient(env, memberUserId) : env;
+      const updated = await addRecipient(baseEnv);
+      await client.putEnvelope(project, updated);
+      result.granted.push(project);
+    } catch (err) {
+      result.failed.push({ project, error: (err as Error).message });
+    }
+  }
+  return result;
+}
+
+export interface RevokeRotateResult {
+  /** DEK 가 회전된 프로젝트. */
+  rotated: string[];
+  /** 제거 멤버가 recipient 아님(회전 불필요) 또는 envelope 부재 — 멱등 skip. */
+  skipped: string[];
+  /** v1 envelope — multi-recipient 모델 없음(제거 멤버가 recipient 일 수 없음). */
+  legacyV1: string[];
+  failed: { project: string; error: string }[];
+  /** DEK 회전으로 무효화된 service recipient (재발급 필요) — project 별. */
+  reissue: { project: string; serviceIds: string[] }[];
+}
+
+/**
+ * Phase 4 Slice 6 후속 — real revocation 스윕. 멤버 제거 후, 제거 멤버가 recipient 인 모든 (v2)
+ * 공유 시크릿에서 **DEK 를 회전**(rotateEnvelopeDek)하고 master + 잔존 active 멤버에게만 재wrap →
+ * PUT. 제거 멤버가 DEK 를 탈취했더라도 회전 이후 버전을 복호하지 못한다.
+ *
+ * owner 전용: rotateEnvelopeDek 가 master recipient 를 master pw 로 재wrap 하므로 master pw 보유
+ * (=owner)가 필요하다(server recipient-continuity 도 recipient 제거를 owner-only 로 강제). 잔존
+ * 대상은 **현재 active 멤버 ∩ 그 envelope 의 member recipient** — 과거 제거-미회전으로 남은 stale
+ * recipient 도 자연 정리된다. service recipient 는 token secret 부재로 재wrap 불가 → drop + reissue
+ * 로 보고. **멱등** — 제거 멤버가 이미 recipient 아닌 envelope 는 skip(부분 실패 후 재실행 안전).
+ */
+export async function rotateAfterRemoval(
+  client: AthsraClient,
+  masterPw: string,
+  removedUserId: number,
+): Promise<RevokeRotateResult> {
+  const removedId = memberRecipientId(removedUserId);
+  // 현재 active 멤버(제거 멤버는 이미 revoked 라 미포함) — 잔존 재wrap 대상의 allowlist.
+  const { members } = await client.listOrgMembers();
+  const activeIds = new Set(
+    members
+      .filter((m) => m.status === 'active' && m.user_id !== removedUserId)
+      .map((m) => m.user_id),
+  );
+
+  // 잔존 멤버 pubkey 캐시(여러 프로젝트 재사용). null = identity key 없음 → 그 project 회전 중단.
+  const pubCache = new Map<number, Uint8Array | null>();
+  const getPub = async (userId: number): Promise<Uint8Array | null> => {
+    const cached = pubCache.get(userId);
+    if (cached !== undefined) return cached;
+    const raw = await client.getPublicKey(userId);
+    const pub = raw ? fromBase64(raw) : null;
+    pubCache.set(userId, pub);
+    return pub;
+  };
+
+  const projects = await client.listProjects();
+  const result: RevokeRotateResult = {
+    rotated: [],
+    skipped: [],
+    legacyV1: [],
+    failed: [],
+    reissue: [],
+  };
+  for (const project of projects) {
+    try {
+      const env = await client.getEnvelope(project);
+      if (!env) {
+        result.skipped.push(project);
+        continue;
+      }
+      if (env.version !== 2) {
+        result.legacyV1.push(project);
+        continue;
+      }
+      if (!env.recipients.some((r) => r.id === removedId)) {
+        result.skipped.push(project); // 제거 멤버 없음 → 회전 불필요(멱등)
+        continue;
+      }
+      // 잔존 = 이 envelope 의 member recipient ∩ 현재 active 멤버 − 제거 멤버.
+      const remainingIds = memberRecipientUserIds(env).filter(
+        (id) => id !== removedUserId && activeIds.has(id),
+      );
+      const remaining: RemainingMember[] = [];
+      for (const id of remainingIds) {
+        const pub = await getPub(id);
+        if (!pub) {
+          // 잔존 멤버 키 부재 시 재wrap 불가 → 회전하면 그 멤버가 접근을 잃는다. 중단(fail).
+          throw new Error(`잔존 멤버 #${id} identity key 없음 — 접근 손실 방지로 회전 중단`);
+        }
+        remaining.push({ userId: id, publicKey: pub });
+      }
+      const { env: rotated, droppedServiceIds } = await rotateEnvelopeDek(env, masterPw, remaining);
+      await client.putEnvelope(project, rotated);
+      result.rotated.push(project);
+      if (droppedServiceIds.length) {
+        result.reissue.push({ project, serviceIds: droppedServiceIds });
+      }
+    } catch (err) {
+      result.failed.push({ project, error: (err as Error).message });
+    }
+  }
+  return result;
+}

package/src/lib/secrets-manifest.ts

@@ -153,10 +153,7 @@ export interface ApplyResult {
   excluded: string[];
 }
 
-export function applyManifest(
-  manifest: SecretsManifest,
-  envelopeKeys: string[],
-): ApplyResult {
+export function applyManifest(manifest: SecretsManifest, envelopeKeys: string[]): ApplyResult {
   const envSet = new Set(envelopeKeys);
   const manSet = new Set(manifest.secrets);
   const allowed: string[] = [];

package/src/lib/wrangler-scan.ts

@@ -192,10 +192,7 @@ export function scanWranglerConfig(workerCwd: string): WranglerIdentifiers | nul
  * 사람 가독 conflict 보고 — `describeConflicts(scan, ['JWKS_KEYS', 'JWKS_URI'])`
  *   → "JWKS_KEYS (kv_namespaces), JWKS_URI (vars)"
  */
-export function describeConflicts(
-  scan: WranglerIdentifiers,
-  conflicts: string[],
-): string {
+export function describeConflicts(scan: WranglerIdentifiers, conflicts: string[]): string {
   return conflicts
     .map((k) => {
       const types = scan.byType[k];
@@ -209,10 +206,7 @@ export function describeConflicts(
  * envelope/manifest key 목록에서 wrangler.jsonc 와 충돌하는 키만 반환 (alphabetical).
  * 정공법 helper — caller 는 conflicts.length>0 로 분기 + 보고.
  */
-export function findConflicts(
-  scan: WranglerIdentifiers,
-  keys: readonly string[],
-): string[] {
+export function findConflicts(scan: WranglerIdentifiers, keys: readonly string[]): string[] {
   const all = new Set(scan.all);
   const out: string[] = [];
   for (const k of keys) {

package/src/lib/bip39.ts

@@ -1,45 +0,0 @@
-import { generateMnemonic, mnemonicToEntropy, validateMnemonic } from '@scure/bip39';
-import { wordlist } from '@scure/bip39/wordlists/english.js';
-
-/**
- * BIP-39 12-word mnemonic phrase 표준 (128-bit entropy, 영문 wordlist).
- *
- * athsra master pw 의 권장 형식. random byte string 보다:
- *   - paper backup 쉬움 (12 단어 영문)
- *   - checksum 자동 검증 (오타 detect)
- *   - hardware wallet 호환 (Ledger / Trezor 표준)
- *
- * 주: BIP-39 표준 master pw 강제 X. 사용자 자유 phrase 도 그대로 작동.
- * `new-phrase` 명령으로 generate 후 `rotate-master` 또는 `login` 시 사용.
- */
-export function generatePhrase(): string {
-  return generateMnemonic(wordlist, 128);
-}
-
-export function isValidPhrase(phrase: string): boolean {
-  try {
-    return validateMnemonic(normalizePhrase(phrase), wordlist);
-  } catch {
-    return false;
-  }
-}
-
-/**
- * 입력 normalize: trim + lowercase + 다중 공백 → single space.
- * BIP-39 표준 비교 시 안정.
- */
-export function normalizePhrase(phrase: string): string {
-  return phrase.trim().toLowerCase().replace(/\s+/g, ' ');
-}
-
-/**
- * BIP-39 phrase → 16 bytes entropy (validate + return). 향후 hardware wallet
- * 통합 시 사용 (Phase 3+).
- */
-export function phraseToEntropy(phrase: string): Uint8Array {
-  return mnemonicToEntropy(normalizePhrase(phrase), wordlist);
-}
-
-export function wordCount(phrase: string): number {
-  return normalizePhrase(phrase).split(' ').filter(Boolean).length;
-}