@athsra/cli 1.0.4 → 1.1.1

package/src/lib/auto-project.ts

@@ -24,12 +24,28 @@ import { basename, join } from 'node:path';
 
 export interface ProjectResolution {
   project: string | undefined;
+  /** 환경(config) — 기본 'default'. Doppler 식 dev/staging/prod. `--config=` > `project:config` > .athsra > default. */
+  config: string;
   /** project 명이 args 에서 빠진 나머지 args (KEY=value pairs 또는 다른 인자) */
   rest: string[];
   /** 어디서 감지했는가 — 디버깅 / 사용자 안내용 */
   source: 'flag' | 'positional' | 'athsra-file' | 'package-json' | 'cwd' | 'none';
 }
 
+/** 사용자 출력용 config 라벨 — default 는 표시 안 함, 그 외는 ` [<config>]` (명령 결과·에러 공용). */
+export function configTag(config: string): string {
+  return config === 'default' ? '' : ` [${config}]`;
+}
+
+/** 사용자가 그대로 입력 가능한 project 참조 — default 는 project, 그 외는 project:config (명령 안내문 공용). */
+export function projectRef(project: string, config: string): string {
+  return config === 'default' ? project : `${project}:${config}`;
+}
+
+/** 모든 secret 명령 USAGE 하단에 붙는 통일 환경 안내 문구. */
+export const CONFIG_USAGE_HINT =
+  '환경(config): [--config=<env>] 또는 <project>:<env> 또는 .athsra 의 config= 줄 (기본 default)';
+
 /**
  * args 에서 --project=<x> flag 추출 + 나머지 args 반환.
  */
@@ -47,10 +63,21 @@ function extractProjectFlag(args: string[]): { project?: string; rest: string[]
   return project ? { project, rest } : { rest };
 }
 
+/** args 에서 --config=<x> flag 추출 + 나머지. */
+function extractConfigFlag(args: string[]): { config?: string; rest: string[] } {
+  const rest: string[] = [];
+  let config: string | undefined;
+  for (const arg of args) {
+    if (arg.startsWith('--config=')) config = arg.slice('--config='.length);
+    else rest.push(arg);
+  }
+  return config !== undefined ? { config, rest } : { rest };
+}
+
 /**
- * cwd 의 .athsra file 읽기 — `project=<name>` 한 줄 (다른 키 무시, 단순 KEY=value).
+ * cwd 의 .athsra file 에서 키 값 읽기 — `<key>=<value>` 한 줄 (단순 KEY=value). project/config 공용.
  */
-function readAthsraFile(cwd: string): string | undefined {
+function readAthsraKey(cwd: string, wantKey: string): string | undefined {
   const path = join(cwd, '.athsra');
   if (!existsSync(path)) return undefined;
   try {
@@ -62,7 +89,7 @@ function readAthsraFile(cwd: string): string | undefined {
       if (eq < 0) continue;
       const key = trimmed.slice(0, eq).trim();
       const value = trimmed.slice(eq + 1).trim();
-      if (key === 'project' && value) return value;
+      if (key === wantKey && value) return value;
     }
   } catch {
     /* ignore */
@@ -95,37 +122,54 @@ export function resolveProject(
   args: string[],
   opts?: { cwd?: string; requirePositional?: boolean },
 ): ProjectResolution {
+  const cwd = opts?.cwd ?? process.cwd();
+  // 0. --config=<x> flag 추출 (project 해석 전에 args 에서 제거)
+  const cfgFlag = extractConfigFlag(args);
+  let config = cfgFlag.config;
+
+  // config 통합 — project:config syntax(flag 없을 때) > .athsra config > default
+  const withConfig = (r: Omit<ProjectResolution, 'config'>): ProjectResolution => {
+    let project = r.project;
+    if (project?.includes(':')) {
+      const idx = project.indexOf(':');
+      const c = project.slice(idx + 1);
+      project = project.slice(0, idx);
+      if (config === undefined && c) config = c;
+    }
+    if (config === undefined) config = readAthsraKey(cwd, 'config');
+    return { ...r, project, config: config ?? 'default' };
+  };
+
   // 1. --project=<x> flag 우선
-  const flagResult = extractProjectFlag(args);
+  const flagResult = extractProjectFlag(cfgFlag.rest);
   if (flagResult.project) {
-    return { project: flagResult.project, rest: flagResult.rest, source: 'flag' };
+    return withConfig({ project: flagResult.project, rest: flagResult.rest, source: 'flag' });
   }
 
   const remaining = flagResult.rest;
 
-  // 2. positional <project> arg — 첫 자리 + `=` 없으면 project 로 인식
+  // 2. positional <project> arg — 첫 자리 + `=` 없으면 project 로 인식 (project:config 포함)
   if (remaining.length > 0 && remaining[0] !== undefined && !remaining[0].includes('=')) {
-    return { project: remaining[0], rest: remaining.slice(1), source: 'positional' };
+    return withConfig({ project: remaining[0], rest: remaining.slice(1), source: 'positional' });
   }
 
   if (opts?.requirePositional) {
-    return { project: undefined, rest: remaining, source: 'none' };
+    return withConfig({ project: undefined, rest: remaining, source: 'none' });
   }
 
   // 3. .athsra file (auto-detect)
-  const cwd = opts?.cwd ?? process.cwd();
-  const fromFile = readAthsraFile(cwd);
-  if (fromFile) return { project: fromFile, rest: remaining, source: 'athsra-file' };
+  const fromFile = readAthsraKey(cwd, 'project');
+  if (fromFile) return withConfig({ project: fromFile, rest: remaining, source: 'athsra-file' });
 
   // 4. package.json athsra.project
   const fromPkg = readPackageJsonProject(cwd);
-  if (fromPkg) return { project: fromPkg, rest: remaining, source: 'package-json' };
+  if (fromPkg) return withConfig({ project: fromPkg, rest: remaining, source: 'package-json' });
 
   // 5. basename(cwd) — 23 sibling 표준 = repo 명 = project 명
   const base = basename(cwd);
   if (base && base !== '/' && base !== '~' && base !== '.') {
-    return { project: base, rest: remaining, source: 'cwd' };
+    return withConfig({ project: base, rest: remaining, source: 'cwd' });
   }
 
-  return { project: undefined, rest: remaining, source: 'none' };
+  return withConfig({ project: undefined, rest: remaining, source: 'none' });
 }

package/src/lib/client.ts

@@ -17,6 +17,11 @@ export interface RegisterResponse {
   token: string;
   machineId: string;
   createdAt: string;
+  userId?: number;
+  /** 첫 proof 설정(검증 불가) — typo-guard 대상. */
+  bootstrap?: boolean;
+  /** 옛 스킴 proof → 현 스킴 자동 마이그레이션됨 (버전 업그레이드 무중단). */
+  migrated?: boolean;
 }
 
 /** Phase 4 Slice 3 — auth_user_keys row (GET/POST /auth/keys). worker 는 base64 형식만 저장. */
@@ -60,19 +65,31 @@ export interface DeviceCodeResponse {
   verification_uri_complete: string;
   expires_in: number;
   interval: number;
-  project: string;
-  perms: 'read' | 'write';
+  /** Phase 5 — kind:'user' 면 project/perms 는 null (identity 디바이스는 envelope-scope 없음). */
+  kind: 'service' | 'user';
+  project: string | null;
+  perms: 'read' | 'write' | null;
 }
 
-/** Phase 3 P3 — POST /auth/device/token (poll) 결과. */
+/** Phase 3 P3 / Phase 5 — POST /auth/device/token (poll) 결과 (service | user kind). */
 export type DevicePollResult =
   | {
       status: 'token';
+      tokenType: 'service';
       token: string;
       recipientId: string;
       project: string;
       perms: 'read' | 'write';
     }
+  | {
+      status: 'token';
+      tokenType: 'user';
+      token: string;
+      /** SealedBox JSON — 디바이스 privkey 로 unseal → identity privkey. */
+      sealedIdentityKey: string;
+      userId: number;
+      keyVersion: number;
+    }
   | { status: 'pending'; error: string; interval?: number };
 
 /**
@@ -222,11 +239,23 @@ export class AthsraClient {
     return (await res.json()) as WorkerInfo;
   }
 
-  async register(masterPwProof: string, label: string): Promise<RegisterResponse> {
+  /**
+   * @param legacyProofs - 옛 스킴 proof 후보 (버전 업그레이드 무중단 마이그레이션). 현 proof 가
+   *   mismatch 일 때 worker 가 이 중 하나로 검증 성공 시 저장 proof 를 현 스킴으로 자동 재작성.
+   */
+  async register(
+    masterPwProof: string,
+    label: string,
+    legacyProofs?: string[],
+  ): Promise<RegisterResponse> {
     const res = await fetch(this.url('/auth/register'), {
       method: 'POST',
       headers: { 'content-type': 'application/json' },
-      body: JSON.stringify({ master_pw_proof: masterPwProof, label }),
+      body: JSON.stringify({
+        master_pw_proof: masterPwProof,
+        label,
+        ...(legacyProofs && legacyProofs.length > 0 ? { legacy_proofs: legacyProofs } : {}),
+      }),
     });
     if (!res.ok) throw new Error(`register ${res.status}: ${await res.text()}`);
     return (await res.json()) as RegisterResponse;
@@ -240,7 +269,7 @@ export class AthsraClient {
 
   /**
    * Phase 3a — 자기 master pw proof bootstrap-or-verify (POST /auth/proof, Bearer).
-   * proof = Argon2id(masterPw + GLOBAL_SALT) 단방향 해시 (평문 master pw 송신 X).
+   * proof = deriveProof(masterPw, userId, GLOBAL_SALT) 단방향 해시 (평문 master pw 송신 X).
    * 첫 호출 = bootstrap, 이후 = verify (불일치 시 worker 409 → throw).
    */
   async setProof(
@@ -485,14 +514,21 @@ export class AthsraClient {
 
   /** Phase 3 P3 — device-login 시작 (unauth). device_code + user_code + verification_uri. */
   async deviceCode(args: {
-    project: string;
+    kind?: 'service' | 'user';
+    project?: string;
     perms?: 'read' | 'write';
     label: string;
+    /** kind:'user' — base64 32B 디바이스 X25519 public key. */
+    devicePublicKey?: string;
   }): Promise<DeviceCodeResponse> {
+    const body: Record<string, unknown> =
+      args.kind === 'user'
+        ? { kind: 'user', device_pub_key: args.devicePublicKey, label: args.label }
+        : { project: args.project, perms: args.perms, label: args.label };
     const res = await fetch(this.url('/auth/device/code'), {
       method: 'POST',
       headers: { 'content-type': 'application/json' },
-      body: JSON.stringify({ project: args.project, perms: args.perms, label: args.label }),
+      body: JSON.stringify(body),
     });
     if (!res.ok) throw new Error(`device code ${res.status}: ${await res.text()}`);
     return (await res.json()) as DeviceCodeResponse;
@@ -507,8 +543,20 @@ export class AthsraClient {
     });
     const body = (await res.json()) as Record<string, unknown>;
     if (res.ok) {
+      if (body.token_type === 'user') {
+        return {
+          status: 'token',
+          tokenType: 'user',
+          token: typeof body.token === 'string' ? body.token : '',
+          sealedIdentityKey:
+            typeof body.sealed_identity_key === 'string' ? body.sealed_identity_key : '',
+          userId: typeof body.user_id === 'number' ? body.user_id : 0,
+          keyVersion: typeof body.key_version === 'number' ? body.key_version : 1,
+        };
+      }
       return {
         status: 'token',
+        tokenType: 'service',
         token: typeof body.token === 'string' ? body.token : '',
         recipientId: typeof body.recipient_id === 'string' ? body.recipient_id : '',
         project: typeof body.project === 'string' ? body.project : '',
@@ -572,15 +620,33 @@ export class AthsraClient {
     };
   }
 
-  async getEnvelope(project: string): Promise<SecretEnvelopeAny | null> {
-    const res = await this.authedFetch(`/v1/secrets/${encodeURIComponent(project)}`);
+  /** secret route URL — config!=='default' 시에만 ?config= 추가 (default 는 생략, 하위호환·무중단). */
+  private secretPath(
+    project: string,
+    config: string,
+    sub = '',
+    extra?: Record<string, string>,
+  ): string {
+    const params = new URLSearchParams();
+    if (config && config !== 'default') params.set('config', config);
+    if (extra) for (const [k, v] of Object.entries(extra)) params.set(k, v);
+    const q = params.toString();
+    return `/v1/secrets/${encodeURIComponent(project)}${sub}${q ? `?${q}` : ''}`;
+  }
+
+  async getEnvelope(project: string, config = 'default'): Promise<SecretEnvelopeAny | null> {
+    const res = await this.authedFetch(this.secretPath(project, config));
     if (res.status === 404) return null;
     if (!res.ok) throw new Error(`fetch ${res.status}: ${await res.text()}`);
     return (await res.json()) as SecretEnvelopeAny;
   }
 
-  async putEnvelope(project: string, envelope: SecretEnvelopeAny): Promise<void> {
-    const res = await this.authedFetch(`/v1/secrets/${encodeURIComponent(project)}`, {
+  async putEnvelope(
+    project: string,
+    envelope: SecretEnvelopeAny,
+    config = 'default',
+  ): Promise<void> {
+    const res = await this.authedFetch(this.secretPath(project, config), {
       method: 'PUT',
       headers: { 'content-type': 'application/json' },
       body: JSON.stringify(envelope),
@@ -597,14 +663,19 @@ export class AthsraClient {
 
   async deleteProject(
     project: string,
-    opts?: { hard?: boolean },
+    opts?: { hard?: boolean; config?: string },
   ): Promise<{
     soft?: boolean;
     hard?: boolean;
     recoverable_versions?: number;
     removed_versions?: number;
   }> {
-    const path = `/v1/secrets/${encodeURIComponent(project)}${opts?.hard ? '?hard=true' : ''}`;
+    const path = this.secretPath(
+      project,
+      opts?.config ?? 'default',
+      '',
+      opts?.hard ? { hard: 'true' } : undefined,
+    );
     const res = await this.authedFetch(path, { method: 'DELETE' });
     if (!res.ok) throw new Error(`delete ${res.status}: ${await res.text()}`);
     return (await res.json()) as {
@@ -615,14 +686,17 @@ export class AthsraClient {
     };
   }
 
-  async listVersions(project: string): Promise<{
+  async listVersions(
+    project: string,
+    config = 'default',
+  ): Promise<{
     project: string;
     current_version: string | null;
     tombstone: { deleted_at: string; deleted_by: string } | null;
     versions: { version_id: string; updated_at: string; size: number }[];
     count: number;
   }> {
-    const res = await this.authedFetch(`/v1/secrets/${encodeURIComponent(project)}/versions`);
+    const res = await this.authedFetch(this.secretPath(project, config, '/versions'));
     if (!res.ok) throw new Error(`versions ${res.status}: ${await res.text()}`);
     return (await res.json()) as {
       project: string;
@@ -636,8 +710,9 @@ export class AthsraClient {
   async rollbackProject(
     project: string,
     versionId: string,
+    config = 'default',
   ): Promise<{ ok: boolean; project: string; current_version: string }> {
-    const res = await this.authedFetch(`/v1/secrets/${encodeURIComponent(project)}/rollback`, {
+    const res = await this.authedFetch(this.secretPath(project, config, '/rollback'), {
       method: 'POST',
       headers: { 'content-type': 'application/json' },
       body: JSON.stringify({ version_id: versionId }),
@@ -646,14 +721,17 @@ export class AthsraClient {
     return (await res.json()) as { ok: boolean; project: string; current_version: string };
   }
 
-  async restoreProject(project: string): Promise<{
+  async restoreProject(
+    project: string,
+    config = 'default',
+  ): Promise<{
     ok: boolean;
     project: string;
     restored_version: string;
     deleted_at: string;
     deleted_by: string;
   }> {
-    const res = await this.authedFetch(`/v1/secrets/${encodeURIComponent(project)}/restore`, {
+    const res = await this.authedFetch(this.secretPath(project, config, '/restore'), {
       method: 'POST',
     });
     if (!res.ok) throw new Error(`restore ${res.status}: ${await res.text()}`);
@@ -666,6 +744,21 @@ export class AthsraClient {
     };
   }
 
+  /** GET /:project/configs — 환경(config) 목록 + active/deleted. */
+  async listConfigs(project: string): Promise<{
+    project: string;
+    configs: { config: string; active: boolean; deleted: boolean }[];
+    count: number;
+  }> {
+    const res = await this.authedFetch(this.secretPath(project, 'default', '/configs'));
+    if (!res.ok) throw new Error(`configs ${res.status}: ${await res.text()}`);
+    return (await res.json()) as {
+      project: string;
+      configs: { config: string; active: boolean; deleted: boolean }[];
+      count: number;
+    };
+  }
+
   async listProjectsExtended(opts?: {
     includeDeleted?: boolean;
   }): Promise<

package/src/lib/config.ts

@@ -16,6 +16,8 @@ export interface Config {
    */
   orgId?: number;
   orgSlug?: string;
+  /** Phase 5 — identity 디바이스 모드 로그인 시 기록 (member 경로 복호의 per-user salt·recipient 매칭). */
+  userId?: number;
 }
 
 export function ensureConfigDir(): void {

package/src/lib/device-login.ts

@@ -0,0 +1,157 @@
+/**
+ * device-login.ts — Phase 5 B5. RFC 8628 device flow 의 공용 코어.
+ *
+ * `commands/login.ts` 의 identityLoginCmd/deviceLoginCmd poll 루프에서 추출 — CLI(블로킹 루프)와
+ * MCP in-chat 로그인(athsra_login_start/status 의 단발 step)이 같은 기계 부분을 소비한다.
+ *
+ * 보안 불변식: `IdentityFlow.deviceCode` 는 **프로세스 메모리 전용** — MCP 응답·로그·콘솔 어디에도
+ * 출력 금지 (탈취 시 토큰 가로채기 가능). user 에게 보여줄 것은 user_code/URL/fingerprint 뿐.
+ */
+import { hostname } from 'node:os';
+import { toBase64 } from '@athsra/crypto';
+import { deviceKeyFingerprint, generateDeviceKeypair } from '@athsra/crypto/device';
+import { AthsraClient, type DevicePollResult } from './client.ts';
+import { loadConfig, saveConfig } from './config.ts';
+import { unsealIdentityKey } from './identity-key.ts';
+import { probeKeyring, setIdentityKey, setToken } from './keyring.ts';
+
+/** 비-인터랙티브 agent 기본 worker (config/env 없을 때). production athsra worker. */
+export const DEFAULT_WORKER_URL = 'https://athsra-worker.winterermod.workers.dev';
+
+export type UserTokenResult = Extract<DevicePollResult, { status: 'token'; tokenType: 'user' }>;
+
+export interface IdentityFlow {
+  client: AthsraClient;
+  workerUrl: string;
+  machineId: string;
+  existingCreatedAt?: string;
+  /** 디바이스 X25519 privkey — sealed identity key unseal 용 (이 머신에만). */
+  devicePrivateKey: Uint8Array;
+  /** 디바이스 pubkey 지문 — 브라우저 화면과 대조 (phishing 가드). 공개 정보. */
+  fingerprint: string;
+  /** RFC 8628 device_code — 메모리 전용. 어떤 응답에도 미포함. */
+  deviceCode: string;
+  userCode: string;
+  verificationUriComplete: string;
+  expiresAt: number; // epoch ms
+  intervalMs: number;
+}
+
+/**
+ * identity device flow 시작: keyring probe → config/worker 해석 → 디바이스 키쌍 생성 →
+ * deviceCode(kind:user). 실패는 actionable Error throw (호출자가 ✗/MCP error 로 환원).
+ */
+export async function startIdentityFlow(): Promise<IdentityFlow> {
+  const probe = probeKeyring();
+  if (!probe.ok) {
+    throw new Error(
+      `keyring backend unavailable: ${probe.error ?? 'unknown'} — run \`athsra doctor\` for setup instructions (apt install + dbus).`,
+    );
+  }
+  const existing = loadConfig();
+  const workerUrl = process.env.ATHSRA_WORKER_URL ?? existing?.workerUrl ?? DEFAULT_WORKER_URL;
+  const machineId = existing?.machineId ?? `${hostname()}-${Date.now().toString(36)}`;
+
+  const client = new AthsraClient(workerUrl);
+  if (!(await client.health())) {
+    throw new Error(`worker unreachable: ${workerUrl}`);
+  }
+
+  const deviceKp = generateDeviceKeypair();
+  const fingerprint = deviceKeyFingerprint(deviceKp.publicKey);
+  const dc = await client.deviceCode({
+    kind: 'user',
+    devicePublicKey: toBase64(deviceKp.publicKey),
+    label: machineId,
+  });
+
+  return {
+    client,
+    workerUrl,
+    machineId,
+    existingCreatedAt: existing?.createdAt,
+    devicePrivateKey: deviceKp.privateKey,
+    fingerprint,
+    deviceCode: dc.device_code,
+    userCode: dc.user_code,
+    verificationUriComplete: dc.verification_uri_complete,
+    expiresAt: Date.now() + dc.expires_in * 1000,
+    intervalMs: Math.max(1, dc.interval) * 1000,
+  };
+}
+
+export type PollStep =
+  | { step: 'token'; result: Extract<DevicePollResult, { status: 'token' }> }
+  | { step: 'pending' }
+  | { step: 'slow_down' }
+  | { step: 'denied' }
+  | { step: 'expired' }
+  /** 네트워크/일시 오류 — pending 취급 (다음 tick 재시도). */
+  | { step: 'network' };
+
+/** poll 1회 — MCP login_status 의 단발 step. 블로킹 루프는 runDevicePollLoop. */
+export async function pollDeviceTokenOnce(
+  client: AthsraClient,
+  deviceCode: string,
+): Promise<PollStep> {
+  let result: DevicePollResult;
+  try {
+    result = await client.devicePollToken(deviceCode);
+  } catch {
+    return { step: 'network' };
+  }
+  if (result.status === 'token') return { step: 'token', result };
+  if (result.error === 'access_denied') return { step: 'denied' };
+  if (result.error === 'expired_token') return { step: 'expired' };
+  if (result.error === 'slow_down') return { step: 'slow_down' };
+  return { step: 'pending' };
+}
+
+const sleep = (ms: number): Promise<void> => new Promise((r) => setTimeout(r, ms));
+
+/**
+ * 블로킹 poll 루프 (CLI) — token/denied/expired 또는 deadline 까지 반복.
+ * slow_down 시 interval +5s (RFC 8628). onTick 은 진행 표시('.') 용.
+ */
+export async function runDevicePollLoop(
+  client: AthsraClient,
+  deviceCode: string,
+  opts: { intervalMs: number; expiresAt: number; onTick?: () => void },
+): Promise<Extract<PollStep, { step: 'token' | 'denied' | 'expired' }> | { step: 'timeout' }> {
+  let interval = opts.intervalMs;
+  while (Date.now() < opts.expiresAt) {
+    await sleep(interval);
+    const r = await pollDeviceTokenOnce(client, deviceCode);
+    if (r.step === 'token' || r.step === 'denied' || r.step === 'expired') return r;
+    if (r.step === 'slow_down') interval += 5000;
+    opts.onTick?.();
+  }
+  return { step: 'timeout' };
+}
+
+/**
+ * identity 승인 완료 처리: sealed unseal(user_id 대조 — 키 혼선 차단) → keyring
+ * identity-priv + token → config.userId. master pw 는 이 기기에 절대 없음 (D-2).
+ */
+export async function completeIdentityLogin(args: {
+  result: UserTokenResult;
+  devicePrivateKey: Uint8Array;
+  machineId: string;
+  workerUrl: string;
+  existingCreatedAt?: string;
+}): Promise<{ userId: number }> {
+  const identityPrivB64 = await unsealIdentityKey(
+    args.result.sealedIdentityKey,
+    args.devicePrivateKey,
+    args.result.userId,
+  );
+  setIdentityKey(args.machineId, identityPrivB64);
+  setToken(args.machineId, args.result.token);
+  saveConfig({
+    workerUrl: args.workerUrl,
+    machineId: args.machineId,
+    createdAt: args.existingCreatedAt ?? new Date().toISOString(),
+    userId: args.result.userId,
+  });
+  return { userId: args.result.userId };
+}

package/src/lib/env-format.ts

@@ -5,4 +5,4 @@
  * crypto 패키지가 정본. 이 파일은 CLI 내부 사용처 (get/ls/doctor/run/set/envelope) 의
  * 기존 import 경로 호환을 위한 re-export.
  */
-export { parseEnv, partitionEnv, serializeEnv } from '@athsra/crypto';
+export { buildChildEnv, parseEnv, partitionEnv, serializeEnv } from '@athsra/crypto';