npm - @athsra/cli - Versions diffs - 1.0.2 → 1.0.4 - Mend

@athsra/cli 1.0.2 → 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/package.json +2 -3
package/src/commands/admin.ts +11 -33
package/src/commands/adopt.ts +1 -5
package/src/commands/dr.ts +217 -0
package/src/commands/login.ts +223 -179
package/src/commands/manifest.ts +3 -10
package/src/commands/mcp.ts +69 -485
package/src/commands/new-phrase.ts +1 -1
package/src/commands/org.ts +363 -0
package/src/commands/rotate-master.ts +26 -7
package/src/commands/run.ts +2 -1
package/src/commands/service-token.ts +17 -6
package/src/index.ts +7 -0
package/src/lib/auth-context.ts +77 -18
package/src/lib/client.ts +396 -31
package/src/lib/colors.ts +17 -0
package/src/lib/config.ts +6 -0
package/src/lib/env-format.ts +5 -53
package/src/lib/envelope.ts +89 -3
package/src/lib/identity-key.ts +59 -0
package/src/lib/keyring.ts +26 -0
package/src/lib/mcp-tools/args.ts +60 -0
package/src/lib/mcp-tools/defs.ts +179 -0
package/src/lib/mcp-tools/read.ts +156 -0
package/src/lib/mcp-tools/result.ts +46 -0
package/src/lib/mcp-tools/write.ts +127 -0
package/src/lib/oidc-flow.ts +200 -0
package/src/lib/org-rewrap.ts +230 -0
package/src/lib/secrets-manifest.ts +1 -4
package/src/lib/wrangler-scan.ts +2 -8
package/src/lib/bip39.ts +0 -45

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@athsra/cli",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "athsra CLI — E2EE secret manager on Cloudflare edge. Doppler-style dev UX + zero-knowledge encryption + soft-delete + version history. MIT.",
   "type": "module",
   "main": "./src/index.ts",
@@ -43,10 +43,9 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@athsra/crypto": "^1.0.0",
+    "@athsra/crypto": "^1.0.1",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "@napi-rs/keyring": "^1.1.6",
-    "@scure/bip39": "^2.2.0",
     "prompts": "^2.4.2"
   },
   "devDependencies": {

package/src/commands/admin.ts CHANGED Viewed

@@ -5,7 +5,7 @@
  *
  * 명령:
  *   athsra users list                                — 모든 user + role 표시
- *   athsra users invite <identifier> [--role=dev]    — 신규 user invite (master pw prompt)
+ *   athsra users invite <identifier> [--role=dev]    — 신규 user invite (신원·접근만)
  *   athsra role grant <user_id> <role>               — role grant
  *   athsra role revoke <user_id> <role>              — role revoke
  *   athsra project share <project> <user_id> --perms=<read|write>
@@ -14,9 +14,7 @@
  * role 종류: admin / dev / viewer / auditor / sa
  */
-import { deriveKey, fromBase64, toBase64 } from '@athsra/crypto';
 import { loadAuthContext } from '../lib/auth-context.ts';
-import { promptPassword } from '../lib/prompt.ts';
 const VALID_ROLES = ['admin', 'dev', 'viewer', 'auditor', 'sa'] as const;
 type RoleName = (typeof VALID_ROLES)[number];
@@ -98,43 +96,23 @@ async function inviteUserCmd(args: string[]): Promise<number> {
   const ctx = await getUserClient();
   if (!ctx) return 1;
-  // 신규 user 의 master pw 입력 — admin 이 사전에 받음 (out-of-band)
-  console.log(`신규 user '${identifier}' 의 master password 를 입력하세요.`);
-  console.log('  (이 값은 자체적으로 저장되지 않음 — Argon2id 후 worker 에 PROOF 만 전달)');
-  const masterPw = await promptPassword('new master password: ');
-  if (!masterPw || masterPw.length === 0) {
-    console.error('master password 비어있음 — 중단');
-    return 2;
-  }
-  const masterPwConfirm = await promptPassword('confirm master password: ');
-  if (masterPw !== masterPwConfirm) {
-    console.error('confirm mismatch — 중단');
-    return 2;
-  }
-  // proof = Argon2id(masterPw + GLOBAL_SALT)
-  const info = await ctx.client.info();
-  const proofBytes = deriveKey(masterPw, fromBase64(info.global_salt));
-  const proof = toBase64(proofBytes);
+  // Phase 3a: invite 는 신원·접근(user + role) 부여만. master pw 는 받지 않는다 —
+  // zero-knowledge 라 admin 은 유저 master pw 를 모르며, 유저가 첫 로그인 후 본인이 설정한다.
   try {
-    const res = await ctx.client.inviteUser({
-      identifier,
-      proof,
-      globalSaltVersion: info.global_salt_version,
-      initialRole: role,
-    });
+    const res = await ctx.client.inviteUser({ identifier, initialRole: role });
     console.log('✓ user invited');
     console.log(`  id:         #${res.id}`);
     console.log(`  identifier: ${res.identifier}`);
     console.log(`  status:     ${res.status}`);
     console.log(`  role:       ${res.role}`);
     console.log('');
-    console.log('다음 단계:');
-    console.log(`  1. 신규 user 가 본인 머신에서 \`athsra login\` 실행`);
-    console.log(`     (위 master pw 사용 → worker 의 admin user PROOF 와 다른 신규 PROOF 등록)`);
-    console.log(`  2. 추가 role 부여: athsra role grant ${res.id} <role>`);
-    console.log(`  3. project ACL: athsra project share <project> ${res.id} --perms=<read|write>`);
+    console.log('다음 단계 (신규 user 본인이 수행):');
+    console.log('  1. `athsra login --sso` (또는 athsra.com 로그인) — 본인 신원으로 인증');
+    console.log(
+      '  2. master password 설정 — 첫 로그인 시 본인 pw 로 자동 bootstrap (POST /auth/proof)',
+    );
+    console.log(`  3. 추가 role 부여(admin): athsra role grant ${res.id} <role>`);
+    console.log(`  4. project ACL: athsra project share <project> ${res.id} --perms=<read|write>`);
     return 0;
   } catch (err) {
     const msg = (err as Error).message;

package/src/commands/adopt.ts CHANGED Viewed

@@ -40,11 +40,6 @@ import { loadAuthContext } from '../lib/auth-context.ts';
 import { resolveProject } from '../lib/auto-project.ts';
 import { readPlain } from '../lib/envelope.ts';
 import { createManifest, loadManifest, saveManifest } from '../lib/secrets-manifest.ts';
-import {
-  describeConflicts,
-  findConflicts,
-  scanWranglerConfig,
-} from '../lib/wrangler-scan.ts';
 import {
   ensureRepoConnection,
   getLatestBuildToken,
@@ -53,6 +48,7 @@ import {
   triggerManualBuild,
   upsertTrigger,
 } from '../lib/workers-builds.ts';
+import { describeConflicts, findConflicts, scanWranglerConfig } from '../lib/wrangler-scan.ts';
 import {
   ManifestInvalidError,
   ManifestRequiredError,

package/src/commands/dr.ts ADDED Viewed

@@ -0,0 +1,217 @@
+/**
+ * dr.ts — `athsra dr` (Disaster Recovery operations).
+ *
+ * Phase 3 DR (2026-06-02). 기존 `athsra restore`(envelope tombstone 복원)와 다른 도메인 —
+ * 운영자가 catastrophic loss 후 BACKUP_STORE/암호화 dump 로부터 복원. worker `/v1/admin/restore/*`
+ * 호출 (admin role + webauthn 24h + content-bound confirm 3중 게이트).
+ *
+ * 안전 (정공법): **dry-run 기본**. `--execute` 만 주면 dry-run 먼저 돌려 confirm_token 출력 후
+ * 거부 — `--confirm=<token>` 명시해야 실제 복원. env escape (ATHSRA_*_CONFIRMED) 미제공 (restore
+ * 는 너무 위험 — token 항상 명시).
+ *
+ *   athsra dr restore-r2 --date=YYYY-MM-DD [--project=owner/name | --key=secrets/...] [--execute] [--confirm=<t>]
+ *   athsra dr restore-d1 --dump=d1-dumps/<ISO>.json.enc [--tables=t1,t2] [--include-optin]
+ *                        [--policy=upsert|replace-all] [--execute] [--confirm=<t>]
+ */
+import { loadAuthContext } from '../lib/auth-context.ts';
+import type { D1RestoreResult, R2RestoreResult, RestoreR2ScopeArg } from '../lib/client.ts';
+import { bold, dim, green, red } from '../lib/colors.ts';
+const DR_USAGE = [
+  'usage: athsra dr <restore-r2 | restore-d1> [opts]',
+  '',
+  'DR (Disaster Recovery) — backup 으로부터 복원. dry-run 기본, --execute --confirm 필요.',
+  '',
+  'restore-r2 — BACKUP_STORE 의 envelope 를 STORE 로 복원:',
+  '  --date=YYYY-MM-DD            backup day prefix (필수)',
+  '  --project=owner/name         단일 project scope (owner=숫자 namespace)',
+  '  --key=secrets/.../current.json  단일 key scope',
+  '  (scope 미지정 = full)',
+  '',
+  'restore-d1 — 암호화 D1 dump 복원:',
+  '  --dump=d1-dumps/<ISO>.json.enc   dump key (필수)',
+  '  --tables=auth_users,auth_roles   복원 테이블 (미지정 = SAFE 전체)',
+  '  --include-optin                  auth_tokens/auth_audit_log 허용 (위험)',
+  '  --policy=upsert|replace-all      기본 upsert (병합)',
+  '',
+  '공통: --execute (실복원), --confirm=<token> (dry-run 이 발급).',
+].join('\n');
+function flagVal(args: string[], name: string): string | undefined {
+  const pre = `--${name}=`;
+  const hit = args.find((a) => a.startsWith(pre));
+  return hit ? hit.slice(pre.length) : undefined;
+}
+function hasFlag(args: string[], name: string): boolean {
+  return args.includes(`--${name}`);
+}
+/** dry-run 후 안내할 execute 명령 줄 재구성 (--execute/--confirm 제거 후 token 부착). */
+function rebuildExecLine(sub: string, args: string[], token: string): string {
+  const base = args.filter((a) => a !== '--execute' && !a.startsWith('--confirm='));
+  return `athsra dr ${sub} ${base.join(' ')} --execute --confirm=${token}`
+    .replace(/\s+/g, ' ')
+    .trim();
+}
+async function userClient() {
+  const ctx = await loadAuthContext();
+  if (!ctx) {
+    console.error('not logged in — run `athsra login` first');
+    return null;
+  }
+  if (ctx.kind !== 'user') {
+    console.error('dr 명령은 user token (master pw) 가 필요합니다 — service token 거부.');
+    return null;
+  }
+  return ctx;
+}
+function printR2DryRun(dr: R2RestoreResult, args: string[], scopeKind: string): void {
+  console.log(bold(`DRY-RUN restore-r2 — ${dr.date} (scope: ${scopeKind})`));
+  console.log(`  would restore: ${dr.would_restore ?? 0} object(s)`);
+  for (const k of (dr.sample_keys ?? []).slice(0, 10)) console.log(dim(`    ${k}`));
+  if (dr.confirm_token) {
+    console.log(`\n  to execute:\n    ${rebuildExecLine('restore-r2', args, dr.confirm_token)}`);
+  }
+}
+async function restoreR2Cmd(args: string[]): Promise<number> {
+  const date = flagVal(args, 'date');
+  if (!date) {
+    console.error('--date=YYYY-MM-DD required');
+    return 2;
+  }
+  const projectFlag = flagVal(args, 'project');
+  const keyFlag = flagVal(args, 'key');
+  if (projectFlag && keyFlag) {
+    console.error('--project 와 --key 는 동시 사용 불가');
+    return 2;
+  }
+  let scope: RestoreR2ScopeArg;
+  if (projectFlag) {
+    const [owner, project] = projectFlag.split('/');
+    if (!owner || !project) {
+      console.error('--project 는 owner/name 형식 (예: 1/myapp)');
+      return 2;
+    }
+    scope = { kind: 'project', owner, project };
+  } else if (keyFlag) {
+    scope = { kind: 'key', key: keyFlag };
+  } else {
+    scope = { kind: 'full' };
+  }
+  const execute = hasFlag(args, 'execute');
+  const confirm = flagVal(args, 'confirm');
+  const ctx = await userClient();
+  if (!ctx) return 1;
+  if (!execute || !confirm) {
+    const dr = await ctx.client.restoreR2({ date, scope, execute: false });
+    printR2DryRun(dr, args, scope.kind);
+    if (execute && !confirm) {
+      console.error(red('\n✗ --execute 에는 --confirm=<token> 필요 — 위 명령으로 재실행.'));
+      return 2;
+    }
+    return 0;
+  }
+  const res = await ctx.client.restoreR2({ date, scope, execute: true, confirm });
+  console.log(
+    `${res.ok ? green('✓') : red('✗')} restore-r2 execute — restored ${res.restored ?? 0}/${res.scanned ?? 0}, skipped ${res.skipped ?? 0}, errors ${res.errors ?? 0}`,
+  );
+  for (const f of res.failures ?? []) console.log(red(`  ✗ ${f.store_key}: ${f.error}`));
+  return res.ok ? 0 : 1;
+}
+function printD1DryRun(dr: D1RestoreResult, args: string[]): void {
+  console.log(bold(`DRY-RUN restore-d1 — ${dr.dump_key} (policy: ${dr.policy})`));
+  for (const [name, t] of Object.entries(dr.tables)) {
+    const filtered = t.filtered ? dim(` (filtered ${t.filtered})`) : '';
+    console.log(`  ${name}: dump ${t.dump_rows ?? 0} → current ${t.current_rows ?? 0}${filtered}`);
+  }
+  if (dr.security_warning) console.log(red(`\n  ⚠ ${dr.security_warning}`));
+  if (dr.confirm_token) {
+    console.log(`\n  to execute:\n    ${rebuildExecLine('restore-d1', args, dr.confirm_token)}`);
+  }
+}
+async function restoreD1Cmd(args: string[]): Promise<number> {
+  const dumpKey = flagVal(args, 'dump');
+  if (!dumpKey) {
+    console.error('--dump=d1-dumps/<ISO>.json.enc required');
+    return 2;
+  }
+  const tablesFlag = flagVal(args, 'tables');
+  const tables = tablesFlag
+    ? tablesFlag
+        .split(',')
+        .map((t) => t.trim())
+        .filter(Boolean)
+    : undefined;
+  const includeOptin = hasFlag(args, 'include-optin');
+  const policy: 'upsert' | 'replace-all' =
+    flagVal(args, 'policy') === 'replace-all' ? 'replace-all' : 'upsert';
+  const execute = hasFlag(args, 'execute');
+  const confirm = flagVal(args, 'confirm');
+  const ctx = await userClient();
+  if (!ctx) return 1;
+  if (!execute || !confirm) {
+    const dr = await ctx.client.restoreD1({
+      dumpKey,
+      tables,
+      includeOptin,
+      policy,
+      execute: false,
+    });
+    printD1DryRun(dr, args);
+    if (execute && !confirm) {
+      console.error(red('\n✗ --execute 에는 --confirm=<token> 필요 — 위 명령으로 재실행.'));
+      return 2;
+    }
+    return 0;
+  }
+  const res = await ctx.client.restoreD1({
+    dumpKey,
+    tables,
+    includeOptin,
+    policy,
+    execute: true,
+    confirm,
+  });
+  console.log(
+    `${res.ok ? green('✓') : red('✗')} restore-d1 execute — policy ${res.policy}, errors ${res.errors ?? 0}`,
+  );
+  for (const [name, t] of Object.entries(res.tables)) {
+    const status = t.error
+      ? red(`✗ ${t.error}`)
+      : green(`✓ written ${t.written ?? 0}${t.filtered ? `, filtered ${t.filtered}` : ''}`);
+    console.log(`  ${name}: ${status}`);
+  }
+  if (res.security_warning) console.log(red(`\n⚠ ${res.security_warning}`));
+  return res.ok ? 0 : 1;
+}
+export async function drCmd(args: string[]): Promise<number> {
+  const sub = args[0];
+  if (!sub || sub === '--help' || sub === '-h') {
+    console.log(DR_USAGE);
+    return 0;
+  }
+  const rest = args.slice(1);
+  switch (sub) {
+    case 'restore-r2':
+      return restoreR2Cmd(rest);
+    case 'restore-d1':
+      return restoreD1Cmd(rest);
+    default:
+      console.error(`unknown dr subcommand: ${sub}`);
+      console.log(DR_USAGE);
+      return 2;
+  }
+}