@athsra/cli 1.1.1 → 1.1.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@athsra/cli",
-  "version": "1.1.1",
+  "version": "1.1.2",
   "description": "athsra CLI — E2EE secret manager on Cloudflare edge. Doppler-style dev UX + zero-knowledge encryption + soft-delete + version history. MIT.",
   "type": "module",
   "main": "./src/index.ts",

package/src/commands/doctor.ts

@@ -1,7 +1,7 @@
 import { existsSync } from 'node:fs';
 import type { UserAuthContext } from '../lib/auth-context.ts';
 import { AthsraClient } from '../lib/client.ts';
-import { CONFIG_FILE, loadConfig, SESSION_FILE } from '../lib/config.ts';
+import { configFile, loadConfig, sessionFile } from '../lib/config.ts';
 import { partitionEnv } from '../lib/env-format.ts';
 import { readPlain } from '../lib/envelope.ts';
 import { getMasterPw, getToken, probeKeyring } from '../lib/keyring.ts';
@@ -23,7 +23,8 @@ export async function doctorCmd(args: string[]): Promise<number> {
   );
 
   const config = loadConfig();
-  console.log(`  config:           ${existsSync(CONFIG_FILE) ? '✓' : '✗'} ${CONFIG_FILE}`);
+  const cfgFile = configFile();
+  console.log(`  config:           ${existsSync(cfgFile) ? '✓' : '✗'} ${cfgFile}`);
   if (!config) {
     console.log('  (run `athsra login` first)');
     return kr.ok ? 0 : 1;
@@ -32,8 +33,9 @@ export async function doctorCmd(args: string[]): Promise<number> {
   console.log(`  machine:          ${config.machineId}`);
   console.log(`  created:          ${config.createdAt}`);
 
-  if (existsSync(SESSION_FILE)) {
-    console.log(`  ⚠ legacy:        ${SESSION_FILE} 잔존 (next \`athsra login\` 시 자동 제거).`);
+  const sessFile = sessionFile();
+  if (existsSync(sessFile)) {
+    console.log(`  ⚠ legacy:        ${sessFile} 잔존 (next \`athsra login\` 시 자동 제거).`);
   }
 
   const masterPw = kr.ok ? getMasterPw(config.machineId) : null;

package/src/commands/login.ts

@@ -137,10 +137,14 @@ async function ssoLoginCmd(): Promise<number> {
   //   G-1: per-user salt 로 같은 pw 두 user 도 proof 가 유일. 첫 SSO = bootstrap, 재로그인 = 검증.
   const info = await tempClient.info();
   const proof = deriveMasterProof(masterPw, ssoBody.user_id, info.global_salt);
+  // 버전 업그레이드 무중단: 저장 proof 가 옛 스킴(gen-0)이면 worker 가 이 후보로 검증 후 G-1 자동
+  // 재작성. legacy proof 는 per-user salt 없는 gen-0 이라 userId 불필요 — 그대로 사용.
+  const legacyProofs = deriveLegacyMasterProofs(masterPw, info.global_salt);
   try {
     const pr = await new AthsraClient(workerUrl, ssoBody.token).setProof(
       proof,
       info.global_salt_version,
+      legacyProofs,
     );
     if (pr.userId !== ssoBody.user_id) {
       console.error(`✗ proof user mismatch (${pr.userId} ≠ ${ssoBody.user_id}) — 재로그인 필요.`);
@@ -148,6 +152,10 @@ async function ssoLoginCmd(): Promise<number> {
     }
     if (pr.version_reset) {
       console.log('• Master password re-registered (GLOBAL_SALT changed).');
+    } else if (pr.migrated) {
+      console.log(
+        '• Master password 옛 스킴 → 현 스킴 자동 마이그레이션 ✓ (버전 업그레이드 무중단).',
+      );
     } else if (pr.bootstrap) {
       console.log('• Master password set for this account ✓ (worker stores one-way proof only).');
     } else {

package/src/commands/recipients.ts

@@ -0,0 +1,56 @@
+import { loadAuthContext } from '../lib/auth-context.ts';
+import { CONFIG_USAGE_HINT, configTag, resolveProject } from '../lib/auto-project.ts';
+
+const USAGE = [
+  'usage: athsra recipients <project>[:<env>]',
+  '',
+  'envelope 의 recipient 목록(읽기 전용) — master / member / service token 분포 감사.',
+  '값·평문 미노출 (recipient kind·id 만 표시). service recipient_id 는 비밀 아님',
+  '(whoami / service-token list 가 이미 노출).',
+  '',
+  CONFIG_USAGE_HINT,
+].join('\n');
+
+/**
+ * 인시던트 후속(2026-06-14) — envelope recipient 구조 운영 가시성. founding sweep / rotate-master /
+ * 멤버 removal 후 service:* recipient 가 보존/탈락됐는지 `athsra service-token list` 와 대조 감사.
+ * getEnvelope 가 이미 recipients[] 를 주므로 복호 불필요 → 모든 인증 모드(user/identity/service)에서 동작.
+ */
+export async function recipientsCmd(args: string[]): Promise<number> {
+  if (args.includes('--help') || args.includes('-h')) {
+    console.log(USAGE);
+    return 0;
+  }
+  const { project, config } = resolveProject(args, { requirePositional: true });
+  if (!project) {
+    console.error(USAGE);
+    return 2;
+  }
+
+  const ctx = await loadAuthContext(project);
+  if (!ctx) return 1;
+
+  const env = await ctx.client.getEnvelope(project, config);
+  if (!env) {
+    console.error(`project not found: ${project}${configTag(config)}`);
+    return 1;
+  }
+
+  const tag = configTag(config);
+  if (env.version !== 2) {
+    console.log(
+      `${project}${tag}: v1 envelope — single master recipient (run \`athsra rotate-master\` → v2)`,
+    );
+    return 0;
+  }
+
+  console.log(`${project}${tag} — ${env.recipients.length} recipient(s):`);
+  for (const r of env.recipients) {
+    console.log(`  ${r.kind.padEnd(8)} ${r.id}`);
+  }
+  const master = env.recipients.filter((r) => r.kind === 'master').length;
+  const service = env.recipients.filter((r) => r.kind === 'service').length;
+  const member = env.recipients.filter((r) => r.kind === 'member').length;
+  console.log(`\n요약: master ${master} · service ${service} · member ${member}`);
+  return 0;
+}

package/src/index.ts

@@ -18,6 +18,7 @@ import { migrateEnvelopesCmd } from './commands/migrate-envelopes.ts';
 import { newPhraseCmd } from './commands/new-phrase.ts';
 import { orgCmd } from './commands/org.ts';
 import { purgeCmd } from './commands/purge.ts';
+import { recipientsCmd } from './commands/recipients.ts';
 import { restoreCmd } from './commands/restore.ts';
 import { revokeCmd } from './commands/revoke.ts';
 import { rollbackCmd } from './commands/rollback.ts';
@@ -28,7 +29,7 @@ import { setCmd } from './commands/set.ts';
 import { unsetCmd } from './commands/unset.ts';
 import { versionsCmd } from './commands/versions.ts';
 
-const VERSION = '1.1.1';
+const VERSION = '1.1.2';
 
 const commands: Record<string, (args: string[]) => Promise<number>> = {
   login: loginCmd,
@@ -45,6 +46,7 @@ const commands: Record<string, (args: string[]) => Promise<number>> = {
   doctor: doctorCmd,
   'service-token': serviceTokenCmd,
   audit: auditCmd,
+  recipients: recipientsCmd,
   dr: drCmd,
   users: usersCmd,
   role: roleCmd,
@@ -86,6 +88,7 @@ Usage:
   athsra service-token create <p> --label=<l>  scoped service token 발급 (master pw 없이도 복호, headless 용)
   athsra service-token list [<project>]     발급한 service token 메타 (revoke·만료 점검용)
   athsra service-token revoke <token>       service token 무효화
+  athsra recipients <project>[:<env>]       envelope recipient 목록 감사 (master/member/service, 읽기 전용)
   athsra audit [--actor=...] [--action=...]  audit log 조회 (--all=cursor follow, --format=table|json|jsonl)
   athsra users {list|invite <id> [--role=R]}  RBAC: user 목록 / 신규 invite (admin role 필요)
   athsra role {grant|revoke} <user_id> <R>    role 부여/제거 (admin/dev/viewer/auditor/sa)

package/src/lib/client.ts

@@ -271,15 +271,30 @@ export class AthsraClient {
    * Phase 3a — 자기 master pw proof bootstrap-or-verify (POST /auth/proof, Bearer).
    * proof = deriveProof(masterPw, userId, GLOBAL_SALT) 단방향 해시 (평문 master pw 송신 X).
    * 첫 호출 = bootstrap, 이후 = verify (불일치 시 worker 409 → throw).
+   *
+   * @param legacyProofs - 옛 스킴(gen-0) proof 후보 (버전 업그레이드 무중단 마이그레이션). 현 proof
+   *   가 mismatch 일 때 worker 가 이 중 하나로 검증 성공 시 자기 row 를 현 스킴(G-1)으로 자동 재작성
+   *   (migrated:true). register 의 legacy_proofs 와 동일 의미론.
    */
   async setProof(
     proof: string,
     globalSaltVersion?: string,
-  ): Promise<{ ok: boolean; bootstrap: boolean; userId: number; version_reset?: boolean }> {
+    legacyProofs?: string[],
+  ): Promise<{
+    ok: boolean;
+    bootstrap: boolean;
+    userId: number;
+    version_reset?: boolean;
+    migrated?: boolean;
+  }> {
     const res = await fetch(this.url('/auth/proof'), {
       method: 'POST',
       headers: this.headers({ 'content-type': 'application/json' }),
-      body: JSON.stringify({ proof, global_salt_version: globalSaltVersion }),
+      body: JSON.stringify({
+        proof,
+        global_salt_version: globalSaltVersion,
+        ...(legacyProofs && legacyProofs.length > 0 ? { legacy_proofs: legacyProofs } : {}),
+      }),
     });
     if (!res.ok) throw new Error(`set proof ${res.status}: ${await res.text()}`);
     return (await res.json()) as {
@@ -287,6 +302,7 @@ export class AthsraClient {
       bootstrap: boolean;
       userId: number;
       version_reset?: boolean;
+      migrated?: boolean;
     };
   }
 

package/src/lib/config.ts

@@ -2,9 +2,20 @@ import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
 
-export const CONFIG_DIR = join(homedir(), '.athsra');
-export const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
-export const SESSION_FILE = join(CONFIG_DIR, 'session');
+/**
+ * config 디렉터리 — 호출 시점 해석. `ATHSRA_CONFIG_DIR` 로 override (테스트 격리 / 개발자 개인
+ * 분리). 미설정 = `~/.athsra`. 경로를 모듈 로드 시점 상수가 아닌 함수로 둬 env override 가
+ * 호출마다 반영된다(테스트가 tmp 디렉터리로 안전히 격리 가능 — 실 config 오염 차단).
+ */
+export function configDir(): string {
+  return process.env.ATHSRA_CONFIG_DIR ?? join(homedir(), '.athsra');
+}
+export function configFile(): string {
+  return join(configDir(), 'config.json');
+}
+export function sessionFile(): string {
+  return join(configDir(), 'session');
+}
 
 export interface Config {
   workerUrl: string;
@@ -21,17 +32,19 @@ export interface Config {
 }
 
 export function ensureConfigDir(): void {
-  if (!existsSync(CONFIG_DIR)) {
-    mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  const dir = configDir();
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 0o700 });
   }
 }
 
 export function loadConfig(): Config | null {
-  if (!existsSync(CONFIG_FILE)) return null;
-  return JSON.parse(readFileSync(CONFIG_FILE, 'utf-8')) as Config;
+  const file = configFile();
+  if (!existsSync(file)) return null;
+  return JSON.parse(readFileSync(file, 'utf-8')) as Config;
 }
 
 export function saveConfig(config: Config): void {
   ensureConfigDir();
-  writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), { mode: 0o600 });
+  writeFileSync(configFile(), JSON.stringify(config, null, 2), { mode: 0o600 });
 }

package/src/lib/device-login.ts

@@ -13,7 +13,7 @@ import { deviceKeyFingerprint, generateDeviceKeypair } from '@athsra/crypto/devi
 import { AthsraClient, type DevicePollResult } from './client.ts';
 import { loadConfig, saveConfig } from './config.ts';
 import { unsealIdentityKey } from './identity-key.ts';
-import { probeKeyring, setIdentityKey, setToken } from './keyring.ts';
+import { clearMasterPw, probeKeyring, setIdentityKey, setToken } from './keyring.ts';
 
 /** 비-인터랙티브 agent 기본 worker (config/env 없을 때). production athsra worker. */
 export const DEFAULT_WORKER_URL = 'https://athsra-worker.winterermod.workers.dev';
@@ -147,6 +147,10 @@ export async function completeIdentityLogin(args: {
   );
   setIdentityKey(args.machineId, identityPrivB64);
   setToken(args.machineId, args.result.token);
+  // identity 모드는 정의상 이 기기에 master pw 없음 (D-2). 과거 password/SSO 로그인이 남긴 stale
+  // master-pw 를 제거 — 안 그러면 loadAuthContext 가 user-mode(캐시 master-pw)를 identity-mode
+  // 보다 먼저 반환해 identity 의도를 가린다(우선순위 버그 근본 차단). clearMasterPw 는 멱등.
+  clearMasterPw(args.machineId);
   saveConfig({
     workerUrl: args.workerUrl,
     machineId: args.machineId,

package/src/lib/legacy-session.ts

@@ -1,5 +1,5 @@
 import { existsSync, readFileSync, unlinkSync } from 'node:fs';
-import { SESSION_FILE } from './config.ts';
+import { sessionFile } from './config.ts';
 
 interface LegacySession {
   masterPw: string;
@@ -14,10 +14,11 @@ interface LegacySession {
  * 기존 사용자 1회 migration 후 영구 deprecated.
  */
 export function consumeLegacySession(): { masterPw: string } | null {
-  if (!existsSync(SESSION_FILE)) return null;
+  const file = sessionFile();
+  if (!existsSync(file)) return null;
   let parsed: LegacySession | null = null;
   try {
-    const raw = readFileSync(SESSION_FILE, 'utf-8');
+    const raw = readFileSync(file, 'utf-8');
     if (raw) {
       const json = JSON.parse(raw) as LegacySession;
       if (typeof json.masterPw === 'string' && json.masterPw.length > 0) {
@@ -28,7 +29,7 @@ export function consumeLegacySession(): { masterPw: string } | null {
     /* fall through to delete */
   }
   try {
-    unlinkSync(SESSION_FILE);
+    unlinkSync(file);
   } catch {
     /* ignore */
   }