@athsra/cli 1.0.3 → 1.1.0

package/src/commands/run.ts

@@ -1,7 +1,7 @@
 import { spawn } from 'node:child_process';
 import { loadAuthContext } from '../lib/auth-context.ts';
-import { resolveProject } from '../lib/auto-project.ts';
-import { partitionEnv } from '../lib/env-format.ts';
+import { CONFIG_USAGE_HINT, configTag, resolveProject } from '../lib/auto-project.ts';
+import { buildChildEnv } from '../lib/env-format.ts';
 import { readPlain } from '../lib/envelope.ts';
 
 const USAGE = [
@@ -9,6 +9,7 @@ const USAGE = [
   '',
   '<project> 자동 감지 (cwd 기반): basename(cwd) > .athsra > package.json athsra.project',
   '23 sibling repo 안에서: cd ~/code/<repo> && athsra run -- bun run dev',
+  CONFIG_USAGE_HINT,
 ].join('\n');
 
 export async function runCmd(args: string[]): Promise<number> {
@@ -19,7 +20,7 @@ export async function runCmd(args: string[]): Promise<number> {
   }
   // -- 앞 영역에서 project 추출 (auto-detect 가능). -- 뒤는 cmd.
   const beforeSep = args.slice(0, sepIdx);
-  const { project } = resolveProject(beforeSep);
+  const { project, config } = resolveProject(beforeSep);
   if (!project) {
     console.error(USAGE);
     return 2;
@@ -34,9 +35,9 @@ export async function runCmd(args: string[]): Promise<number> {
   const ctx = await loadAuthContext(project);
   if (!ctx) return 1;
 
-  const plain = await readPlain(ctx, project);
+  const plain = await readPlain(ctx, project, config);
   if (!plain) {
-    console.error(`project not found: ${project}`);
+    console.error(`project not found: ${project}${configTag(config)}`);
     return 1;
   }
 
@@ -64,22 +65,3 @@ export async function runCmd(args: string[]): Promise<number> {
     });
   });
 }
-
-/**
- * 자식 프로세스 env 를 만든다. 빈 값 secret 키는 inject 대상에서 제외해
- * 부모 환경 변수를 보존한다.
- *
- * 키 이름만 등록되고 값이 빈 secret (migration scaffolding 산출물) 을
- * `{ ...process.env, ...plain }` 로 합치면 부모 env 의 유효한 값 (예:
- * ~/.zshrc 의 CLOUDFLARE_API_TOKEN) 이 빈 문자열로 덮어써져 배포 인증이
- * 깨진다. 빈 값 키를 제외하면 부모 env 값이 그대로 살아남는다.
- *
- * @returns env — 자식 프로세스 env, skipped — 제외된 빈 값 키 (정렬됨)
- */
-export function buildChildEnv(
-  parentEnv: Record<string, string | undefined>,
-  plain: Record<string, string>,
-): { env: Record<string, string | undefined>; skipped: string[] } {
-  const { filled, emptyKeys } = partitionEnv(plain);
-  return { env: { ...parentEnv, ...filled }, skipped: emptyKeys };
-}

package/src/commands/service-token.ts

@@ -1,7 +1,10 @@
-import { addServiceRecipient, migrateV1ToV2, type SecretEnvelopeV2 } from '@athsra/crypto';
 import { loadAuthContext } from '../lib/auth-context.ts';
 import { resolveProject } from '../lib/auto-project.ts';
 import { red, yellow } from '../lib/colors.ts';
+import {
+  type CreatedServiceToken,
+  createServiceTokenWithRecipient,
+} from '../lib/service-tokens.ts';
 
 /** worker expiry-notify (apps/worker/src/queue/expiry-notify.ts) 의 최임박 threshold 와 동기. */
 const EXPIRING_SOON_DAYS = 14;
@@ -58,40 +61,21 @@ async function createCmd(args: string[]): Promise<number> {
     console.error('athsra service-token create 은 user token (master pw) 가 필요합니다.');
     return 1;
   }
-  const { masterPw, client } = ctx;
 
-  // envelope 확인 — 없으면 service token 발급 무의미
-  const envelope = await client.getEnvelope(project);
-  if (!envelope) {
-    console.error(
-      `project ${project} envelope 없음 — 먼저 \`athsra set ${project} KEY=value\` 실행.`,
-    );
+  // 발급 + recipient 추가 (lib/service-tokens.ts — MCP athsra_service_token_create 와 공용 경로)
+  let created: CreatedServiceToken;
+  try {
+    created = await createServiceTokenWithRecipient(ctx, {
+      project,
+      label,
+      perms,
+      expiresInDays: expiresDays,
+    });
+  } catch (err) {
+    console.error((err as Error).message);
     return 1;
   }
 
-  // worker 에 service token 발급
-  const created = await client.createServiceToken({
-    project,
-    label,
-    perms,
-    expiresInDays: expiresDays,
-  });
-
-  // envelope 에 recipient 추가 — v1 이면 v2 로 자동 migrate
-  let v2Envelope: SecretEnvelopeV2;
-  if (envelope.version === 1) {
-    v2Envelope = await migrateV1ToV2(envelope, masterPw);
-  } else {
-    v2Envelope = envelope;
-  }
-  const updated = await addServiceRecipient(
-    v2Envelope,
-    masterPw,
-    created.token,
-    created.recipient_id,
-  );
-  await client.putEnvelope(project, updated);
-
   console.log('\n✓ service token 발급 완료\n');
   console.log(`  token:        ${created.token}`);
   console.log(`  project:      ${created.project}`);

package/src/commands/set.ts

@@ -1,6 +1,6 @@
 import { readFileSync } from 'node:fs';
 import { loadAuthContext } from '../lib/auth-context.ts';
-import { resolveProject } from '../lib/auto-project.ts';
+import { CONFIG_USAGE_HINT, configTag, resolveProject } from '../lib/auto-project.ts';
 import { parseEnv, partitionEnv } from '../lib/env-format.ts';
 import { readPlain, writePlain } from '../lib/envelope.ts';
 
@@ -12,6 +12,7 @@ const USAGE = [
   '<project> 자동 감지 (cwd 기반):',
   '  --project=<x> > positional > .athsra file > package.json athsra.project > basename(cwd)',
   '23 sibling repo 안에서는 cd 한 후 project 인자 생략 가능 (basename 자동 사용).',
+  CONFIG_USAGE_HINT,
 ].join('\n');
 
 async function readStdin(): Promise<string> {
@@ -36,14 +37,14 @@ function parsePairsArg(pairs: string[]): Record<string, string> | null {
 }
 
 export async function setCmd(args: string[]): Promise<number> {
-  const { project, rest, source } = resolveProject(args);
+  const { project, config, rest, source } = resolveProject(args);
   if (!project) {
     console.error(USAGE);
     return 2;
   }
   // mutating 명령 — auto-detect 시점 source 안내 (실수 방지). positional/flag 면 silent.
   if (source !== 'positional' && source !== 'flag') {
-    console.log(`(project=${project} auto-detected from ${source})`);
+    console.log(`(project=${project}${configTag(config)} auto-detected from ${source})`);
   }
 
   let updates: Record<string, string>;
@@ -93,14 +94,14 @@ export async function setCmd(args: string[]): Promise<number> {
   }
 
   // read-modify-write — v1/v2 dispatcher 가 read 처리, write 는 항상 v2.
-  const plain: Record<string, string> = (await readPlain(ctx, project)) ?? {};
+  const plain: Record<string, string> = (await readPlain(ctx, project, config)) ?? {};
   for (const [k, v] of Object.entries(updates)) {
     plain[k] = v;
   }
-  await writePlain(ctx, project, plain);
+  await writePlain(ctx, project, plain, { config });
 
   console.log(
-    `✓ ${project}: ${updateCount} key${updateCount > 1 ? 's' : ''} set (${Object.keys(plain).length} total)`,
+    `✓ ${project}${configTag(config)}: ${updateCount} key${updateCount > 1 ? 's' : ''} set (${Object.keys(plain).length} total)`,
   );
   return 0;
 }

package/src/commands/unset.ts

@@ -1,16 +1,19 @@
 import { loadAuthContext } from '../lib/auth-context.ts';
+import { CONFIG_USAGE_HINT, configTag, resolveProject } from '../lib/auto-project.ts';
 import { readPlain, writePlain } from '../lib/envelope.ts';
 
-const USAGE =
-  'usage: athsra unset <project> KEY1 [KEY2 ...]   # 해당 keys 만 제거 (envelope 그대로, 다른 keys 유지)';
+const USAGE = [
+  'usage: athsra unset <project>[:<env>] KEY1 [KEY2 ...]   # 해당 keys 만 제거 (envelope 그대로, 다른 keys 유지)',
+  CONFIG_USAGE_HINT,
+].join('\n');
 
 export async function unsetCmd(args: string[]): Promise<number> {
-  const project = args[0];
+  const { project, config, rest } = resolveProject(args, { requirePositional: true });
   if (!project) {
     console.error(USAGE);
     return 2;
   }
-  const keys = args.slice(1);
+  const keys = rest;
   if (keys.length === 0) {
     console.error('No keys to unset');
     return 2;
@@ -23,9 +26,9 @@ export async function unsetCmd(args: string[]): Promise<number> {
     return 1;
   }
 
-  const plain = await readPlain(ctx, project);
+  const plain = await readPlain(ctx, project, config);
   if (!plain) {
-    console.error(`project not found: ${project}`);
+    console.error(`project not found: ${project}${configTag(config)}`);
     return 1;
   }
 
@@ -45,9 +48,9 @@ export async function unsetCmd(args: string[]): Promise<number> {
     return 1;
   }
 
-  await writePlain(ctx, project, plain);
+  await writePlain(ctx, project, plain, { config });
   console.log(
-    `✓ ${project}: ${removed.length} key${removed.length > 1 ? 's' : ''} removed (${Object.keys(plain).length} remaining)`,
+    `✓ ${project}${configTag(config)}: ${removed.length} key${removed.length > 1 ? 's' : ''} removed (${Object.keys(plain).length} remaining)`,
   );
   return 0;
 }

package/src/commands/versions.ts

@@ -1,10 +1,11 @@
 import { loadAuthContext } from '../lib/auth-context.ts';
-import { resolveProject } from '../lib/auto-project.ts';
+import { CONFIG_USAGE_HINT, configTag, resolveProject } from '../lib/auto-project.ts';
 
 const USAGE = [
   'usage: athsra versions [<project>]',
   '',
   '<project> 자동 감지 (cwd 기반): basename(cwd) > .athsra > package.json athsra.project',
+  CONFIG_USAGE_HINT,
 ].join('\n');
 
 /**
@@ -15,7 +16,7 @@ const USAGE = [
  *   - <project> 생략 시 cwd 기반 자동 감지
  */
 export async function versionsCmd(args: string[]): Promise<number> {
-  const { project } = resolveProject(args);
+  const { project, config } = resolveProject(args);
   if (!project) {
     console.error(USAGE);
     return 2;
@@ -24,20 +25,21 @@ export async function versionsCmd(args: string[]): Promise<number> {
   if (!ctx) return 1;
   const { client } = ctx;
 
-  const data = await client.listVersions(project);
+  const data = await client.listVersions(project, config);
+  const tag = configTag(config);
   if (data.tombstone) {
     console.log(
       `(deleted ${data.tombstone.deleted_at} by ${data.tombstone.deleted_by} — ${data.versions.length} version(s) recoverable)`,
     );
   }
   if (data.count === 0) {
-    console.log('(no versions — project never existed or hard-deleted)');
+    console.log(`(no versions${tag} — project never existed or hard-deleted)`);
     return 0;
   }
   for (const v of data.versions) {
     const marker = v.version_id === data.current_version ? '*' : ' ';
     console.log(`${marker} ${v.version_id}  ${v.updated_at}  (${v.size}B)`);
   }
-  console.log(`(${data.count} version${data.count > 1 ? 's' : ''})`);
+  console.log(`(${data.count} version${data.count > 1 ? 's' : ''}${tag})`);
   return 0;
 }

package/src/index.ts

@@ -28,7 +28,7 @@ import { setCmd } from './commands/set.ts';
 import { unsetCmd } from './commands/unset.ts';
 import { versionsCmd } from './commands/versions.ts';
 
-const VERSION = '1.0.0';
+const VERSION = '1.1.0';
 
 const commands: Record<string, (args: string[]) => Promise<number>> = {
   login: loginCmd,
@@ -70,14 +70,15 @@ if (!cmd || cmd === '--help' || cmd === '-h' || cmd === 'help') {
   console.log(`athsra v${VERSION} — E2EE secret manager on Cloudflare edge
 
 Usage:
-  athsra login                              master pw 입력 + 머신 등록 (Bearer token 발급)
+  athsra login                              브라우저 identity 로그인 (master pw 이 기기 미보관)
+  athsra login --password                   founding master pw 등록/재로그인 (OS keyring 저장)
   athsra logout [--full]                    keyring clear (worker token 유지). --full 시 config 도 삭제
   athsra init <project>                     신규 project 안내
   athsra adopt [<project>] [opts]           sibling repo envelope ↔ CF Worker + Workers Builds 1줄 onboarding
-  athsra set <project> KEY=value            secret 추가/수정 (다건 가능)
-  athsra unset <project> KEY [...]          특정 key 제거 (envelope 유지)
-  athsra get <project> [KEY]                값 출력 (single 또는 dump)
-  athsra ls [project] [--all]               project 또는 key 목록 (--all=deleted 포함)
+  athsra set <project>[:<env>] KEY=value    secret 추가/수정 (다건 가능)
+  athsra unset <project>[:<env>] KEY [...]  특정 key 제거 (envelope 유지)
+  athsra get <project>[:<env>] [KEY]        값 출력 (single 또는 dump)
+  athsra ls [project][:<env>] [--all|--configs]  project / key / 환경 목록
   athsra manifest {init|show|validate|add|remove}  sibling worker 의 secrets opt-in manifest (Option γ)
   athsra mcp                                Model Context Protocol stdio server (AI agent 통합)
   athsra run <project> -- <cmd>             env inject 후 명령 실행 (Doppler-style)
@@ -98,6 +99,9 @@ Usage:
   athsra restore <project>                  tombstone 제거 + 최신 version 활성화
   athsra purge <project>                    hard-delete (delete --hard 별칭, double-confirm)
 
+  환경(config): <project>:<env> 또는 --config=<env> 로 dev/staging/prod 분리 (기본 default).
+               모든 secret 명령 공통. 'athsra ls <project> --configs' 로 환경 목록 조회.
+
   athsra dr {restore-r2|restore-d1}         DR 복원 (backup→STORE / 암호화 D1 dump). dry-run 기본, --execute --confirm
 
   athsra rotate-master                      master pw 변경 (모든 projects re-encrypt)
@@ -108,7 +112,7 @@ Usage:
 
 Files / Storage:
   ~/.athsra/config.json                     worker URL + machine_id
-  OS keyring (libsecret/Keychain/Cred Manager)  master pw + Bearer token
+  OS keyring (libsecret/Keychain/Cred Manager)  identity key 또는 master pw + Bearer token
 
 Env vars (CI):
   ATHSRA_MASTER_PW             non-interactive login
@@ -120,7 +124,7 @@ Env vars (CI):
 Headless (service token — master pw 없이 scoped 복호):
   ATHSRA_TOKEN=ats_...  ATHSRA_WORKER_URL=https://...  athsra run <project> -- <cmd>
 
-Phase 1.x.8 = envelope v2 (DEK + multi-recipient) + service tokens for headless hosts.
+Phase 5 = identity device-login + MCP 3-tier tools + envelope member/self recipients.
 docs: github.com/modfolio/athsra
 `);
   process.exit(0);

package/src/lib/auth-context.ts

@@ -1,9 +1,10 @@
-import { deriveKey, fromBase64, toBase64 } from '@athsra/crypto';
+import { fromBase64 } from '@athsra/crypto';
+import { deriveMasterProof } from './auth-proof.ts';
 import { AthsraClient } from './client.ts';
-import { type Config, loadConfig } from './config.ts';
-import { getDeviceToken, getMasterPw, getToken, setToken } from './keyring.ts';
+import { type Config, loadConfig, saveConfig } from './config.ts';
+import { getDeviceToken, getIdentityKey, getMasterPw, getToken, setToken } from './keyring.ts';
 
-/** User token mode — keyring 의 master pw + Bearer token 보유, full access. */
+/** User token mode — keyring 의 master pw + Bearer token 보유. */
 export interface UserAuthContext {
   kind: 'user';
   config: Config;
@@ -27,7 +28,22 @@ export interface ServiceAuthContext {
   workerUrl: string;
 }
 
-export type AuthContext = UserAuthContext | ServiceAuthContext;
+/**
+ * Identity 디바이스 모드 (Phase 5) — keyring 의 identity X25519 private key + token. master pw 가
+ * 이 머신에 없어도 멤버 경로(member:me recipient)로 envelope 복호·재포장. token 은 atk_*(90일
+ * expiry, idle 면제) — 401 시 idle-refresh 불가(master pw 없음)이므로 `athsra login` 재온보딩.
+ */
+export interface IdentityAuthContext {
+  kind: 'identity';
+  config: Config;
+  /** keyring identity-priv → fromBase64. 멤버 복호/재포장에 사용 (worker 미노출). */
+  identityPrivateKey: Uint8Array;
+  userId: number;
+  token: string;
+  client: AthsraClient;
+}
+
+export type AuthContext = UserAuthContext | ServiceAuthContext | IdentityAuthContext;
 
 /**
  * 모든 인증 요구 commands 의 공통 진입점. 두 모드 자동 dispatch:
@@ -49,9 +65,12 @@ export async function loadAuthContext(project?: string): Promise<AuthContext | n
     return loadServiceContext(envToken);
   }
   // 2. user context (master pw + token, full access) — 보유 시 우선
-  const userCtx = loadUserContext();
+  const userCtx = await loadUserContext();
   if (userCtx) return userCtx;
-  // 3. project-scoped device token (device-login agent) — master pw 없는 머신
+  // 3. identity 디바이스 모드 (Phase 5) — master pw 없는 머신, identity privkey + atk_* 보유.
+  const identityCtx = loadIdentityContext();
+  if (identityCtx) return identityCtx;
+  // 4. project-scoped device token (device-login agent) — master pw 없는 머신
   //    Phase 3 P3: `athsra login --device --project <p>` 가 keyring 에 저장한 ats_*.
   if (project) {
     const deviceToken = getDeviceToken(project);
@@ -76,21 +95,38 @@ export async function loadAuthContext(project?: string): Promise<AuthContext | n
 }
 
 /** master pw + token 보유 시 user context. 미보유 시 조용히 null (호출자가 device/안내 처리). */
-function loadUserContext(): UserAuthContext | null {
-  const config = loadConfig();
+async function loadUserContext(): Promise<UserAuthContext | null> {
+  let config = loadConfig();
   if (!config) return null;
   const masterPw = getMasterPw(config.machineId);
   const token = getToken(config.machineId);
   if (!masterPw || !token) return null;
   const client = new AthsraClient(config.workerUrl, token);
-  // Phase 3 — idle timeout 자동 재인증. 401 session_idle_timeout 시 keyring master pw
-  // 로 silent re-register (proof = Argon2id(pw + GLOBAL_SALT)) → 새 token keyring 저장.
+
+  // Legacy config migration: older CLI versions did not persist userId. When the current token is
+  // still valid, backfill it from whoami so later proof operations use the authenticated user.
+  if (config.userId === undefined) {
+    try {
+      const me = await client.whoami();
+      if (me.userId !== undefined) {
+        config = { ...config, userId: me.userId };
+        saveConfig(config);
+      }
+    } catch {
+      // Token may already be idle-revoked. Keep fail-closed idle refresh below instead of guessing.
+    }
+  }
+
+  // Phase 3 — idle timeout 자동 재인증. founding password-login token 만 keyring master pw
+  // 로 silent re-register 가능. SSO/non-founding user 는 /auth/register 대상이 아니라 재로그인 필요.
   // 기기 잠금 (OS keyring 차단) 이 방어선이므로 작업 중엔 끊김 없이, 잠금 시엔 idle 유효.
   client.setIdleRefresh(async () => {
     try {
+      if (config.userId !== 1) return null;
       const info = await client.info();
-      const proof = toBase64(deriveKey(masterPw, fromBase64(info.global_salt)));
+      const proof = deriveMasterProof(masterPw, config.userId, info.global_salt);
       const reg = await client.register(proof, config.machineId);
+      if (reg.userId !== undefined && reg.userId !== config.userId) return null;
       let token = reg.token;
       // Phase 4 Slice 6a — re-register 는 자기 personal org 로 token 발급. switch 상태였으면
       // (config.orgId) 다시 그 org 로 전환 — 안 하면 idle 후 사용자 모르게 personal 컨텍스트로 reset.
@@ -117,6 +153,32 @@ function loadUserContext(): UserAuthContext | null {
   };
 }
 
+/**
+ * identity privkey + token 보유 시 identity context (master pw 없는 머신). config.userId 필수
+ * (member recipient 매칭). 미보유/손상 시 조용히 null (호출자가 device/안내 처리).
+ */
+function loadIdentityContext(): IdentityAuthContext | null {
+  const config = loadConfig();
+  if (!config || config.userId === undefined) return null;
+  const privB64 = getIdentityKey(config.machineId);
+  const token = getToken(config.machineId);
+  if (!privB64 || !token) return null;
+  let identityPrivateKey: Uint8Array;
+  try {
+    identityPrivateKey = fromBase64(privB64);
+  } catch {
+    return null;
+  }
+  return {
+    kind: 'identity',
+    config,
+    identityPrivateKey,
+    userId: config.userId,
+    token,
+    client: new AthsraClient(config.workerUrl, token),
+  };
+}
+
 async function loadServiceContext(
   token: string,
   opts?: { silent?: boolean },

package/src/lib/auth-proof.ts

@@ -0,0 +1,10 @@
+import { deriveProof, fromBase64, toBase64 } from '@athsra/crypto';
+
+/** G-1 auth proof — per-user salt + GLOBAL_SALT pepper, base64 wire format. */
+export function deriveMasterProof(
+  masterPw: string,
+  userId: number,
+  globalSaltBase64: string,
+): string {
+  return toBase64(deriveProof(masterPw, userId, fromBase64(globalSaltBase64)));
+}

package/src/lib/auto-project.ts

@@ -24,12 +24,28 @@ import { basename, join } from 'node:path';
 
 export interface ProjectResolution {
   project: string | undefined;
+  /** 환경(config) — 기본 'default'. Doppler 식 dev/staging/prod. `--config=` > `project:config` > .athsra > default. */
+  config: string;
   /** project 명이 args 에서 빠진 나머지 args (KEY=value pairs 또는 다른 인자) */
   rest: string[];
   /** 어디서 감지했는가 — 디버깅 / 사용자 안내용 */
   source: 'flag' | 'positional' | 'athsra-file' | 'package-json' | 'cwd' | 'none';
 }
 
+/** 사용자 출력용 config 라벨 — default 는 표시 안 함, 그 외는 ` [<config>]` (명령 결과·에러 공용). */
+export function configTag(config: string): string {
+  return config === 'default' ? '' : ` [${config}]`;
+}
+
+/** 사용자가 그대로 입력 가능한 project 참조 — default 는 project, 그 외는 project:config (명령 안내문 공용). */
+export function projectRef(project: string, config: string): string {
+  return config === 'default' ? project : `${project}:${config}`;
+}
+
+/** 모든 secret 명령 USAGE 하단에 붙는 통일 환경 안내 문구. */
+export const CONFIG_USAGE_HINT =
+  '환경(config): [--config=<env>] 또는 <project>:<env> 또는 .athsra 의 config= 줄 (기본 default)';
+
 /**
  * args 에서 --project=<x> flag 추출 + 나머지 args 반환.
  */
@@ -47,10 +63,21 @@ function extractProjectFlag(args: string[]): { project?: string; rest: string[]
   return project ? { project, rest } : { rest };
 }
 
+/** args 에서 --config=<x> flag 추출 + 나머지. */
+function extractConfigFlag(args: string[]): { config?: string; rest: string[] } {
+  const rest: string[] = [];
+  let config: string | undefined;
+  for (const arg of args) {
+    if (arg.startsWith('--config=')) config = arg.slice('--config='.length);
+    else rest.push(arg);
+  }
+  return config !== undefined ? { config, rest } : { rest };
+}
+
 /**
- * cwd 의 .athsra file 읽기 — `project=<name>` 한 줄 (다른 키 무시, 단순 KEY=value).
+ * cwd 의 .athsra file 에서 키 값 읽기 — `<key>=<value>` 한 줄 (단순 KEY=value). project/config 공용.
  */
-function readAthsraFile(cwd: string): string | undefined {
+function readAthsraKey(cwd: string, wantKey: string): string | undefined {
   const path = join(cwd, '.athsra');
   if (!existsSync(path)) return undefined;
   try {
@@ -62,7 +89,7 @@ function readAthsraFile(cwd: string): string | undefined {
       if (eq < 0) continue;
       const key = trimmed.slice(0, eq).trim();
       const value = trimmed.slice(eq + 1).trim();
-      if (key === 'project' && value) return value;
+      if (key === wantKey && value) return value;
     }
   } catch {
     /* ignore */
@@ -95,37 +122,54 @@ export function resolveProject(
   args: string[],
   opts?: { cwd?: string; requirePositional?: boolean },
 ): ProjectResolution {
+  const cwd = opts?.cwd ?? process.cwd();
+  // 0. --config=<x> flag 추출 (project 해석 전에 args 에서 제거)
+  const cfgFlag = extractConfigFlag(args);
+  let config = cfgFlag.config;
+
+  // config 통합 — project:config syntax(flag 없을 때) > .athsra config > default
+  const withConfig = (r: Omit<ProjectResolution, 'config'>): ProjectResolution => {
+    let project = r.project;
+    if (project?.includes(':')) {
+      const idx = project.indexOf(':');
+      const c = project.slice(idx + 1);
+      project = project.slice(0, idx);
+      if (config === undefined && c) config = c;
+    }
+    if (config === undefined) config = readAthsraKey(cwd, 'config');
+    return { ...r, project, config: config ?? 'default' };
+  };
+
   // 1. --project=<x> flag 우선
-  const flagResult = extractProjectFlag(args);
+  const flagResult = extractProjectFlag(cfgFlag.rest);
   if (flagResult.project) {
-    return { project: flagResult.project, rest: flagResult.rest, source: 'flag' };
+    return withConfig({ project: flagResult.project, rest: flagResult.rest, source: 'flag' });
   }
 
   const remaining = flagResult.rest;
 
-  // 2. positional <project> arg — 첫 자리 + `=` 없으면 project 로 인식
+  // 2. positional <project> arg — 첫 자리 + `=` 없으면 project 로 인식 (project:config 포함)
   if (remaining.length > 0 && remaining[0] !== undefined && !remaining[0].includes('=')) {
-    return { project: remaining[0], rest: remaining.slice(1), source: 'positional' };
+    return withConfig({ project: remaining[0], rest: remaining.slice(1), source: 'positional' });
   }
 
   if (opts?.requirePositional) {
-    return { project: undefined, rest: remaining, source: 'none' };
+    return withConfig({ project: undefined, rest: remaining, source: 'none' });
   }
 
   // 3. .athsra file (auto-detect)
-  const cwd = opts?.cwd ?? process.cwd();
-  const fromFile = readAthsraFile(cwd);
-  if (fromFile) return { project: fromFile, rest: remaining, source: 'athsra-file' };
+  const fromFile = readAthsraKey(cwd, 'project');
+  if (fromFile) return withConfig({ project: fromFile, rest: remaining, source: 'athsra-file' });
 
   // 4. package.json athsra.project
   const fromPkg = readPackageJsonProject(cwd);
-  if (fromPkg) return { project: fromPkg, rest: remaining, source: 'package-json' };
+  if (fromPkg) return withConfig({ project: fromPkg, rest: remaining, source: 'package-json' });
 
   // 5. basename(cwd) — 23 sibling 표준 = repo 명 = project 명
   const base = basename(cwd);
   if (base && base !== '/' && base !== '~' && base !== '.') {
-    return { project: base, rest: remaining, source: 'cwd' };
+    return withConfig({ project: base, rest: remaining, source: 'cwd' });
   }
 
-  return { project: undefined, rest: remaining, source: 'none' };
+  return withConfig({ project: undefined, rest: remaining, source: 'none' });
 }