@athsra/cli 1.1.1 → 1.1.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@athsra/cli",
-  "version": "1.1.1",
+  "version": "1.1.3",
   "description": "athsra CLI — E2EE secret manager on Cloudflare edge. Doppler-style dev UX + zero-knowledge encryption + soft-delete + version history. MIT.",
   "type": "module",
   "main": "./src/index.ts",

package/src/commands/doctor.ts

@@ -1,7 +1,7 @@
 import { existsSync } from 'node:fs';
 import type { UserAuthContext } from '../lib/auth-context.ts';
 import { AthsraClient } from '../lib/client.ts';
-import { CONFIG_FILE, loadConfig, SESSION_FILE } from '../lib/config.ts';
+import { configFile, loadConfig, sessionFile } from '../lib/config.ts';
 import { partitionEnv } from '../lib/env-format.ts';
 import { readPlain } from '../lib/envelope.ts';
 import { getMasterPw, getToken, probeKeyring } from '../lib/keyring.ts';
@@ -23,7 +23,8 @@ export async function doctorCmd(args: string[]): Promise<number> {
   );
 
   const config = loadConfig();
-  console.log(`  config:           ${existsSync(CONFIG_FILE) ? '✓' : '✗'} ${CONFIG_FILE}`);
+  const cfgFile = configFile();
+  console.log(`  config:           ${existsSync(cfgFile) ? '✓' : '✗'} ${cfgFile}`);
   if (!config) {
     console.log('  (run `athsra login` first)');
     return kr.ok ? 0 : 1;
@@ -32,8 +33,9 @@ export async function doctorCmd(args: string[]): Promise<number> {
   console.log(`  machine:          ${config.machineId}`);
   console.log(`  created:          ${config.createdAt}`);
 
-  if (existsSync(SESSION_FILE)) {
-    console.log(`  ⚠ legacy:        ${SESSION_FILE} 잔존 (next \`athsra login\` 시 자동 제거).`);
+  const sessFile = sessionFile();
+  if (existsSync(sessFile)) {
+    console.log(`  ⚠ legacy:        ${sessFile} 잔존 (next \`athsra login\` 시 자동 제거).`);
   }
 
   const masterPw = kr.ok ? getMasterPw(config.machineId) : null;

package/src/commands/login.ts

@@ -137,10 +137,14 @@ async function ssoLoginCmd(): Promise<number> {
   //   G-1: per-user salt 로 같은 pw 두 user 도 proof 가 유일. 첫 SSO = bootstrap, 재로그인 = 검증.
   const info = await tempClient.info();
   const proof = deriveMasterProof(masterPw, ssoBody.user_id, info.global_salt);
+  // 버전 업그레이드 무중단: 저장 proof 가 옛 스킴(gen-0)이면 worker 가 이 후보로 검증 후 G-1 자동
+  // 재작성. legacy proof 는 per-user salt 없는 gen-0 이라 userId 불필요 — 그대로 사용.
+  const legacyProofs = deriveLegacyMasterProofs(masterPw, info.global_salt);
   try {
     const pr = await new AthsraClient(workerUrl, ssoBody.token).setProof(
       proof,
       info.global_salt_version,
+      legacyProofs,
     );
     if (pr.userId !== ssoBody.user_id) {
       console.error(`✗ proof user mismatch (${pr.userId} ≠ ${ssoBody.user_id}) — 재로그인 필요.`);
@@ -148,6 +152,10 @@ async function ssoLoginCmd(): Promise<number> {
     }
     if (pr.version_reset) {
       console.log('• Master password re-registered (GLOBAL_SALT changed).');
+    } else if (pr.migrated) {
+      console.log(
+        '• Master password 옛 스킴 → 현 스킴 자동 마이그레이션 ✓ (버전 업그레이드 무중단).',
+      );
     } else if (pr.bootstrap) {
       console.log('• Master password set for this account ✓ (worker stores one-way proof only).');
     } else {

package/src/commands/recipients.ts

@@ -0,0 +1,168 @@
+import { removeRecipient, type SecretEnvelopeV2 } from '@athsra/crypto';
+import { loadAuthContext } from '../lib/auth-context.ts';
+import { CONFIG_USAGE_HINT, configTag, resolveProject } from '../lib/auto-project.ts';
+import { promptConfirm } from '../lib/prompt.ts';
+
+const USAGE = [
+  'usage: athsra recipients <project>[:<env>]                  # recipient 목록 (읽기 전용)',
+  '   or: athsra recipients prune-orphans [<project>] [--apply]  # orphan service recipient 정리',
+  '',
+  'envelope 의 recipient 목록(읽기 전용) — master / member / service token 분포 감사.',
+  '값·평문 미노출 (recipient kind·id 만 표시). service recipient_id 는 비밀 아님',
+  '(whoami / service-token list 가 이미 노출).',
+  '',
+  CONFIG_USAGE_HINT,
+].join('\n');
+
+const PRUNE_USAGE = [
+  'usage: athsra recipients prune-orphans [<project>[:<env>]] [--apply|--yes]',
+  '',
+  'auth_tokens 에 없는 service recipient(orphan — revoke/만료 후 envelope 에 남은 메타)를 제거.',
+  'master/member recipient 는 절대 건드리지 않는다. DEK 는 회전하지 않음(메타 정리 — 완전 re-key 는',
+  '`athsra rotate-master`). project 생략 시 전 project 를 default 환경에서 스윕.',
+  '',
+  '기본은 dry-run(변경 없음). 실제 제거는 --apply (confirm: --yes 또는 ATHSRA_PRUNE_CONFIRMED=1).',
+  '제거는 org owner 권한 필요(worker 강제) — user(master-pw) 컨텍스트에서 실행.',
+  '',
+  CONFIG_USAGE_HINT,
+].join('\n');
+
+/**
+ * 인시던트 후속(2026-06-14) — envelope recipient 구조 운영 가시성 + orphan 정리.
+ *   - `athsra recipients <project>`            : recipient 분포 감사 (읽기 전용, 모든 인증 모드).
+ *   - `athsra recipients prune-orphans [...]`  : auth_tokens 에 없는 service recipient 정리.
+ * getEnvelope 가 이미 recipients[] 를 주므로 복호 불필요.
+ */
+export async function recipientsCmd(args: string[]): Promise<number> {
+  if (args[0] === 'prune-orphans') return pruneOrphansCmd(args.slice(1));
+  return listRecipientsCmd(args);
+}
+
+async function listRecipientsCmd(args: string[]): Promise<number> {
+  if (args.includes('--help') || args.includes('-h')) {
+    console.log(USAGE);
+    return 0;
+  }
+  const { project, config } = resolveProject(args, { requirePositional: true });
+  if (!project) {
+    console.error(USAGE);
+    return 2;
+  }
+
+  const ctx = await loadAuthContext(project);
+  if (!ctx) return 1;
+
+  const env = await ctx.client.getEnvelope(project, config);
+  if (!env) {
+    console.error(`project not found: ${project}${configTag(config)}`);
+    return 1;
+  }
+
+  const tag = configTag(config);
+  if (env.version !== 2) {
+    console.log(
+      `${project}${tag}: v1 envelope — single master recipient (run \`athsra rotate-master\` → v2)`,
+    );
+    return 0;
+  }
+
+  console.log(`${project}${tag} — ${env.recipients.length} recipient(s):`);
+  for (const r of env.recipients) {
+    console.log(`  ${r.kind.padEnd(8)} ${r.id}`);
+  }
+  const master = env.recipients.filter((r) => r.kind === 'master').length;
+  const service = env.recipients.filter((r) => r.kind === 'service').length;
+  const member = env.recipients.filter((r) => r.kind === 'member').length;
+  console.log(`\n요약: master ${master} · service ${service} · member ${member}`);
+  return 0;
+}
+
+/**
+ * orphan service recipient 정리 — auth_tokens 에 살아있는 service token 의 recipient_id 와
+ * envelope 의 service recipient 를 대조해, DB 에 없는 service recipient(revoke/만료 후 envelope 에
+ * 남은 메타)만 제거한다. master/member 는 절대 건드리지 않는다(removeRecipient 가 master 제거 차단,
+ * 우리는 kind==='service' 만 후보로 둠). DEK 미회전 — 메타 정리(완전 re-key 는 rotate-master).
+ */
+async function pruneOrphansCmd(args: string[]): Promise<number> {
+  if (args.includes('--help') || args.includes('-h')) {
+    console.log(PRUNE_USAGE);
+    return 0;
+  }
+  const apply = args.includes('--apply');
+  const yes = args.includes('--yes') || args.includes('-y');
+  const positional = args.filter((a) => !a.startsWith('-'));
+  const { project, config } = resolveProject(positional, { requirePositional: true });
+
+  const ctx = await loadAuthContext(project);
+  if (!ctx) return 1;
+  const { client } = ctx;
+
+  // 살아있는 service token 의 recipient_id 집합 (전 project — recipient_id 는 전역 유일).
+  let live: Set<string>;
+  try {
+    const { tokens } = await client.listServiceTokens();
+    live = new Set(tokens.map((t) => t.recipient_id));
+  } catch (err) {
+    console.error(`service-token list 조회 실패: ${(err as Error).message}`);
+    return 1;
+  }
+
+  const targets = project ? [project] : await client.listProjects();
+  let totalOrphans = 0;
+  let prunedProjects = 0;
+
+  for (const proj of targets) {
+    const env = await client.getEnvelope(proj, config);
+    if (env?.version !== 2) continue;
+    const orphans = env.recipients.filter((r) => r.kind === 'service' && !live.has(r.id));
+    if (orphans.length === 0) continue;
+    totalOrphans += orphans.length;
+    const tag = configTag(config);
+
+    console.log(`${proj}${tag} — orphan service recipient(s) (auth_tokens 에 없음):`);
+    for (const r of orphans) console.log(`  service  ${r.id}`);
+
+    if (!apply) {
+      console.log('');
+      continue;
+    }
+
+    // confirm (dry-run 이 아닌 실제 제거).
+    if (!yes && process.env.ATHSRA_PRUNE_CONFIRMED !== '1') {
+      const ok = await promptConfirm(
+        `${proj}${tag}: 위 ${orphans.length} orphan service recipient 제거? (master/member 보존, DEK 불변)`,
+        false,
+      );
+      if (!ok) {
+        console.log('  건너뜀.\n');
+        continue;
+      }
+    }
+
+    let pruned: SecretEnvelopeV2 = env;
+    for (const r of orphans) pruned = removeRecipient(pruned, r.id);
+    try {
+      await client.putEnvelope(proj, pruned, config);
+    } catch (err) {
+      console.error(
+        `  ✗ ${proj}${tag} 저장 실패 (owner 권한 필요할 수 있음): ${(err as Error).message}\n`,
+      );
+      continue;
+    }
+    prunedProjects += 1;
+    console.log(`  ✓ ${orphans.length} recipient(s) 제거 — master/member 보존, DEK 불변.\n`);
+  }
+
+  if (totalOrphans === 0) {
+    console.log(
+      'orphan service recipient 없음 (모든 service recipient 가 살아있는 token 과 일치).',
+    );
+    return 0;
+  }
+  if (!apply) {
+    console.log(`총 ${totalOrphans} orphan. dry-run (변경 없음). 제거하려면 --apply.`);
+  } else {
+    console.log(`완료: ${prunedProjects} project 에서 orphan 제거.`);
+  }
+  return 0;
+}

package/src/commands/service-token.ts

@@ -1,9 +1,11 @@
+import { removeRecipient } from '@athsra/crypto';
 import { loadAuthContext } from '../lib/auth-context.ts';
 import { resolveProject } from '../lib/auto-project.ts';
 import { red, yellow } from '../lib/colors.ts';
 import {
   type CreatedServiceToken,
   createServiceTokenWithRecipient,
+  createServiceTokenWithRecipientAsMember,
 } from '../lib/service-tokens.ts';
 
 /** worker expiry-notify (apps/worker/src/queue/expiry-notify.ts) 의 최임박 threshold 와 동기. */
@@ -17,6 +19,8 @@ const USAGE = [
   '',
   'service token = scoped + revocable + master-pw 없이 envelope 복호 가능한 token.',
   '  → headless 호스트 (NAS Docker, CI, 자동화) 용 — E2EE 유지, master pw 유출 X.',
+  '발급 컨텍스트: user(master pw) 또는 identity(`athsra login` 브라우저 — AI-native, master pw 불요).',
+  '  identity 모드는 v2 envelope + 본인 member recipient 전제(master pw 머신서 1회 준비).',
 ].join('\n');
 
 async function createCmd(args: string[]): Promise<number> {
@@ -57,20 +61,32 @@ async function createCmd(args: string[]): Promise<number> {
 
   const ctx = await loadAuthContext();
   if (!ctx) return 1;
-  if (ctx.kind !== 'user') {
-    console.error('athsra service-token create 은 user token (master pw) 가 필요합니다.');
+  if (ctx.kind === 'service') {
+    console.error(
+      'service token 으로는 다른 service token 을 발급할 수 없습니다 — user(master pw) 또는 identity(device login) 컨텍스트 필요.',
+    );
     return 1;
   }
 
-  // 발급 + recipient 추가 (lib/service-tokens.ts — MCP athsra_service_token_create 와 공용 경로)
+  // 발급 + recipient 추가 (lib/service-tokens.ts — MCP athsra_service_token_create 와 공용 경로).
+  // user 모드(master pw) → master recipient 로 DEK unwrap. identity 모드(device login, master pw
+  // 부재) → 본인 raw identity privkey(member 경로)로 DEK unwrap (AI-native onboarding).
   let created: CreatedServiceToken;
   try {
-    created = await createServiceTokenWithRecipient(ctx, {
-      project,
-      label,
-      perms,
-      expiresInDays: expiresDays,
-    });
+    created =
+      ctx.kind === 'identity'
+        ? await createServiceTokenWithRecipientAsMember(ctx, {
+            project,
+            label,
+            perms,
+            expiresInDays: expiresDays,
+          })
+        : await createServiceTokenWithRecipient(ctx, {
+            project,
+            label,
+            perms,
+            expiresInDays: expiresDays,
+          });
   } catch (err) {
     console.error((err as Error).message);
     return 1;
@@ -113,9 +129,27 @@ async function revokeCmd(args: string[]): Promise<number> {
 
   const res = await client.revoke(token);
   console.log(`✓ revoked: ${res.revoked}`);
-  console.log(
-    '  envelope 의 recipient entry 는 그대로 남지만 보안상 무해 (worker auth 가 hash 로 거부).',
-  );
+
+  // 근본수정(2026-06-15): revoke 후 envelope 의 service recipient 동반 정리 → orphan recipient
+  // 재발 차단. worker 가 service token 의 recipient_id + project 를 반환. removeRecipient 는
+  // master/member 미접근(service 만). PUT 은 owner 권한 필요(worker 강제) → 실패 시 best-effort
+  // 안내(prune-orphans 로 폴백). const 캡처로 closure narrowing 유지.
+  const recipientId = res.recipient_id;
+  const project = res.project;
+  if (recipientId && project) {
+    try {
+      const env = await client.getEnvelope(project);
+      if (env?.version === 2 && env.recipients.some((r) => r.id === recipientId)) {
+        await client.putEnvelope(project, removeRecipient(env, recipientId));
+        console.log(`  ✓ envelope service recipient 정리: ${recipientId} (${project})`);
+      }
+    } catch (err) {
+      console.log(
+        `  ⚠ envelope recipient ${recipientId} 남음 (${(err as Error).message}) — ` +
+          `\`athsra recipients prune-orphans ${project}\` 로 정리하세요.`,
+      );
+    }
+  }
   return 0;
 }
 
@@ -124,8 +158,10 @@ async function listCmd(args: string[]): Promise<number> {
 
   const ctx = await loadAuthContext();
   if (!ctx) return 1;
-  if (ctx.kind !== 'user') {
-    console.error('athsra service-token list 는 user token (master pw) 가 필요합니다.');
+  if (ctx.kind === 'service') {
+    console.error(
+      'service token 으로는 목록 조회 불가 — user(master pw) 또는 identity(device login) 필요.',
+    );
     return 1;
   }
   const { client } = ctx;

package/src/index.ts

@@ -18,6 +18,7 @@ import { migrateEnvelopesCmd } from './commands/migrate-envelopes.ts';
 import { newPhraseCmd } from './commands/new-phrase.ts';
 import { orgCmd } from './commands/org.ts';
 import { purgeCmd } from './commands/purge.ts';
+import { recipientsCmd } from './commands/recipients.ts';
 import { restoreCmd } from './commands/restore.ts';
 import { revokeCmd } from './commands/revoke.ts';
 import { rollbackCmd } from './commands/rollback.ts';
@@ -28,7 +29,7 @@ import { setCmd } from './commands/set.ts';
 import { unsetCmd } from './commands/unset.ts';
 import { versionsCmd } from './commands/versions.ts';
 
-const VERSION = '1.1.1';
+const VERSION = '1.1.3';
 
 const commands: Record<string, (args: string[]) => Promise<number>> = {
   login: loginCmd,
@@ -45,6 +46,7 @@ const commands: Record<string, (args: string[]) => Promise<number>> = {
   doctor: doctorCmd,
   'service-token': serviceTokenCmd,
   audit: auditCmd,
+  recipients: recipientsCmd,
   dr: drCmd,
   users: usersCmd,
   role: roleCmd,
@@ -86,6 +88,8 @@ Usage:
   athsra service-token create <p> --label=<l>  scoped service token 발급 (master pw 없이도 복호, headless 용)
   athsra service-token list [<project>]     발급한 service token 메타 (revoke·만료 점검용)
   athsra service-token revoke <token>       service token 무효화
+  athsra recipients <project>[:<env>]       envelope recipient 목록 감사 (master/member/service, 읽기 전용)
+  athsra recipients prune-orphans [<p>] [--apply]  auth_tokens 에 없는 orphan service recipient 정리 (dry-run 기본)
   athsra audit [--actor=...] [--action=...]  audit log 조회 (--all=cursor follow, --format=table|json|jsonl)
   athsra users {list|invite <id> [--role=R]}  RBAC: user 목록 / 신규 invite (admin role 필요)
   athsra role {grant|revoke} <user_id> <R>    role 부여/제거 (admin/dev/viewer/auditor/sa)

package/src/lib/client.ts

@@ -271,15 +271,30 @@ export class AthsraClient {
    * Phase 3a — 자기 master pw proof bootstrap-or-verify (POST /auth/proof, Bearer).
    * proof = deriveProof(masterPw, userId, GLOBAL_SALT) 단방향 해시 (평문 master pw 송신 X).
    * 첫 호출 = bootstrap, 이후 = verify (불일치 시 worker 409 → throw).
+   *
+   * @param legacyProofs - 옛 스킴(gen-0) proof 후보 (버전 업그레이드 무중단 마이그레이션). 현 proof
+   *   가 mismatch 일 때 worker 가 이 중 하나로 검증 성공 시 자기 row 를 현 스킴(G-1)으로 자동 재작성
+   *   (migrated:true). register 의 legacy_proofs 와 동일 의미론.
    */
   async setProof(
     proof: string,
     globalSaltVersion?: string,
-  ): Promise<{ ok: boolean; bootstrap: boolean; userId: number; version_reset?: boolean }> {
+    legacyProofs?: string[],
+  ): Promise<{
+    ok: boolean;
+    bootstrap: boolean;
+    userId: number;
+    version_reset?: boolean;
+    migrated?: boolean;
+  }> {
     const res = await fetch(this.url('/auth/proof'), {
       method: 'POST',
       headers: this.headers({ 'content-type': 'application/json' }),
-      body: JSON.stringify({ proof, global_salt_version: globalSaltVersion }),
+      body: JSON.stringify({
+        proof,
+        global_salt_version: globalSaltVersion,
+        ...(legacyProofs && legacyProofs.length > 0 ? { legacy_proofs: legacyProofs } : {}),
+      }),
     });
     if (!res.ok) throw new Error(`set proof ${res.status}: ${await res.text()}`);
     return (await res.json()) as {
@@ -287,6 +302,7 @@ export class AthsraClient {
       bootstrap: boolean;
       userId: number;
       version_reset?: boolean;
+      migrated?: boolean;
     };
   }
 
@@ -395,14 +411,27 @@ export class AthsraClient {
     return (await res.json()) as { token: string; org_id: number; role: string };
   }
 
-  async revoke(targetToken?: string): Promise<{ ok: boolean; revoked: string; self?: boolean }> {
+  async revoke(targetToken?: string): Promise<{
+    ok: boolean;
+    revoked: string;
+    self?: boolean;
+    /** service token revoke 시 worker 가 동반 반환 — CLI 가 envelope recipient 정리에 사용. */
+    recipient_id?: string;
+    project?: string;
+  }> {
     const res = await fetch(this.url('/auth/revoke'), {
       method: 'POST',
       headers: this.headers({ 'content-type': 'application/json' }),
       body: JSON.stringify(targetToken ? { token: targetToken } : {}),
     });
     if (!res.ok) throw new Error(`revoke ${res.status}: ${await res.text()}`);
-    return (await res.json()) as { ok: boolean; revoked: string; self?: boolean };
+    return (await res.json()) as {
+      ok: boolean;
+      revoked: string;
+      self?: boolean;
+      recipient_id?: string;
+      project?: string;
+    };
   }
 
   /** DR — BACKUP_STORE → STORE 복원. dry_run=!execute. execute 는 content-bound confirm 필수. */

package/src/lib/config.ts

@@ -2,9 +2,20 @@ import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
 
-export const CONFIG_DIR = join(homedir(), '.athsra');
-export const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
-export const SESSION_FILE = join(CONFIG_DIR, 'session');
+/**
+ * config 디렉터리 — 호출 시점 해석. `ATHSRA_CONFIG_DIR` 로 override (테스트 격리 / 개발자 개인
+ * 분리). 미설정 = `~/.athsra`. 경로를 모듈 로드 시점 상수가 아닌 함수로 둬 env override 가
+ * 호출마다 반영된다(테스트가 tmp 디렉터리로 안전히 격리 가능 — 실 config 오염 차단).
+ */
+export function configDir(): string {
+  return process.env.ATHSRA_CONFIG_DIR ?? join(homedir(), '.athsra');
+}
+export function configFile(): string {
+  return join(configDir(), 'config.json');
+}
+export function sessionFile(): string {
+  return join(configDir(), 'session');
+}
 
 export interface Config {
   workerUrl: string;
@@ -21,17 +32,19 @@ export interface Config {
 }
 
 export function ensureConfigDir(): void {
-  if (!existsSync(CONFIG_DIR)) {
-    mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  const dir = configDir();
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 0o700 });
   }
 }
 
 export function loadConfig(): Config | null {
-  if (!existsSync(CONFIG_FILE)) return null;
-  return JSON.parse(readFileSync(CONFIG_FILE, 'utf-8')) as Config;
+  const file = configFile();
+  if (!existsSync(file)) return null;
+  return JSON.parse(readFileSync(file, 'utf-8')) as Config;
 }
 
 export function saveConfig(config: Config): void {
   ensureConfigDir();
-  writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), { mode: 0o600 });
+  writeFileSync(configFile(), JSON.stringify(config, null, 2), { mode: 0o600 });
 }

package/src/lib/device-login.ts

@@ -13,7 +13,7 @@ import { deviceKeyFingerprint, generateDeviceKeypair } from '@athsra/crypto/devi
 import { AthsraClient, type DevicePollResult } from './client.ts';
 import { loadConfig, saveConfig } from './config.ts';
 import { unsealIdentityKey } from './identity-key.ts';
-import { probeKeyring, setIdentityKey, setToken } from './keyring.ts';
+import { clearMasterPw, probeKeyring, setIdentityKey, setToken } from './keyring.ts';
 
 /** 비-인터랙티브 agent 기본 worker (config/env 없을 때). production athsra worker. */
 export const DEFAULT_WORKER_URL = 'https://athsra-worker.winterermod.workers.dev';
@@ -147,6 +147,10 @@ export async function completeIdentityLogin(args: {
   );
   setIdentityKey(args.machineId, identityPrivB64);
   setToken(args.machineId, args.result.token);
+  // identity 모드는 정의상 이 기기에 master pw 없음 (D-2). 과거 password/SSO 로그인이 남긴 stale
+  // master-pw 를 제거 — 안 그러면 loadAuthContext 가 user-mode(캐시 master-pw)를 identity-mode
+  // 보다 먼저 반환해 identity 의도를 가린다(우선순위 버그 근본 차단). clearMasterPw 는 멱등.
+  clearMasterPw(args.machineId);
   saveConfig({
     workerUrl: args.workerUrl,
     machineId: args.machineId,

package/src/lib/legacy-session.ts

@@ -1,5 +1,5 @@
 import { existsSync, readFileSync, unlinkSync } from 'node:fs';
-import { SESSION_FILE } from './config.ts';
+import { sessionFile } from './config.ts';
 
 interface LegacySession {
   masterPw: string;
@@ -14,10 +14,11 @@ interface LegacySession {
  * 기존 사용자 1회 migration 후 영구 deprecated.
  */
 export function consumeLegacySession(): { masterPw: string } | null {
-  if (!existsSync(SESSION_FILE)) return null;
+  const file = sessionFile();
+  if (!existsSync(file)) return null;
   let parsed: LegacySession | null = null;
   try {
-    const raw = readFileSync(SESSION_FILE, 'utf-8');
+    const raw = readFileSync(file, 'utf-8');
     if (raw) {
       const json = JSON.parse(raw) as LegacySession;
       if (typeof json.masterPw === 'string' && json.masterPw.length > 0) {
@@ -28,7 +29,7 @@ export function consumeLegacySession(): { masterPw: string } | null {
     /* fall through to delete */
   }
   try {
-    unlinkSync(SESSION_FILE);
+    unlinkSync(file);
   } catch {
     /* ignore */
   }

package/src/lib/mcp-tools/admin.ts

@@ -8,19 +8,24 @@
  * → loadAuthContext → kind 가드 → client 호출 → jsonOk.
  *
  * kind 가드 2단 (epic D-2):
- *   - **master pw 소비 3종** (org_remove_member 의 owner DEK 회전 / project_share 의 envelope
- *     재포장 / service_token_create 의 recipient wrap) 은 user(master pw) 전용 — identity
- *     디바이스에선 masterPwDenied 로 actionable 거부 (master pw 는 그 머신에 영원히 없음).
- *   - 나머지 4종은 user|identity (둘 다 user-급 토큰) — service token 은 7종 전부 거부.
+ *   - **master pw 소비 2종** (org_remove_member 의 owner DEK 회전 / project_share 의 envelope
+ *     재포장) 은 user(master pw) 전용 — identity 디바이스에선 masterPwDenied 로 actionable 거부.
+ *   - service_token_create 는 user(master 경로) | identity(member 경로, 본인 raw privkey 로 DEK
+ *     unwrap — AI-native onboarding) 둘 다 — service token 만 거부.
+ *   - 나머지는 user|identity (둘 다 user-급 토큰) — service token 은 7종 전부 거부.
  *
  * 시크릿 값 무노출 (epic D-1) — 유일 예외는 service_token_create 의 1회성 ats_* 반환
  * (ONE-TIME EXPOSURE warning 동반). 그 외 응답은 메타데이터만.
  */
 
+import { removeRecipient } from '@athsra/crypto';
 import { loadAuthContext } from '../auth-context.ts';
 import type { AthsraClient } from '../client.ts';
 import { grantOrgAccess, rotateAfterRemoval } from '../org-rewrap.ts';
-import { createServiceTokenWithRecipient } from '../service-tokens.ts';
+import {
+  createServiceTokenWithRecipient,
+  createServiceTokenWithRecipientAsMember,
+} from '../service-tokens.ts';
 import { readInteger, readString } from './args.ts';
 import { requireConfirm } from './confirm.ts';
 import { jsonError, jsonOk, notLoggedIn, type ToolTextResult } from './result.ts';
@@ -191,7 +196,7 @@ export async function handleProjectUnshare(
 /**
  * athsra_service_token_create — scoped service token 발급 + envelope recipient 추가.
  * expires_days 필수 1..365 (MCP 발급 자격증명은 반드시 만료). 유일한 자격증명-반환 도구.
- * master pw 소비 — identity 거부.
+ * user(master pw) 또는 identity(device login, member 경로 — AI-native) 컨텍스트. service 거부.
  */
 export async function handleServiceTokenCreate(
   args: Record<string, unknown> | undefined,
@@ -211,13 +216,21 @@ export async function handleServiceTokenCreate(
   }
   const ctx = await loadAuthContext();
   if (!ctx) return notLoggedIn();
-  if (ctx.kind !== 'user') return masterPwDenied('service_token_create', ctx.kind);
-  const created = await createServiceTokenWithRecipient(ctx, {
-    project,
-    label,
-    perms,
-    expiresInDays: expiresDays,
-  });
+  if (ctx.kind === 'service') return masterPwDenied('service_token_create', 'service');
+  const created =
+    ctx.kind === 'identity'
+      ? await createServiceTokenWithRecipientAsMember(ctx, {
+          project,
+          label,
+          perms,
+          expiresInDays: expiresDays,
+        })
+      : await createServiceTokenWithRecipient(ctx, {
+          project,
+          label,
+          perms,
+          expiresInDays: expiresDays,
+        });
   return jsonOk({
     ...created,
     warning:
@@ -238,10 +251,29 @@ export async function handleServiceTokenRevoke(
   if (!ctx) return notLoggedIn();
   if (ctx.kind === 'service') return masterPwDenied('service_token_revoke', 'service');
   const res = await ctx.client.revoke(token);
+  // 근본수정: revoke 후 envelope service recipient 동반 정리(orphan 재발 차단). best-effort —
+  // PUT 은 owner 강제. const 캡처로 closure narrowing 유지.
+  const recipientId = res.recipient_id;
+  const project = res.project;
+  let recipientCleaned = false;
+  if (recipientId && project) {
+    try {
+      const env = await ctx.client.getEnvelope(project);
+      if (env?.version === 2 && env.recipients.some((r) => r.id === recipientId)) {
+        await ctx.client.putEnvelope(project, removeRecipient(env, recipientId));
+        recipientCleaned = true;
+      }
+    } catch {
+      // best-effort — prune-orphans 로 폴백 (note 로 안내).
+    }
+  }
   return jsonOk({
     ok: res.ok,
     revoked: res.revoked,
-    note: 'worker auth rejects the token immediately; the stale envelope recipient entry left behind is harmless.',
+    recipient_cleaned: recipientCleaned,
+    note: recipientCleaned
+      ? 'worker auth rejects the token immediately; the envelope service recipient was also pruned.'
+      : 'worker auth rejects the token immediately. If a stale service recipient remains, run `athsra recipients prune-orphans <project>`.',
   });
 }
 

package/src/lib/service-tokens.ts

@@ -3,11 +3,15 @@
  *
  * `commands/service-token.ts` createCmd 에서 추출 — CLI 와 MCP(athsra_service_token_create)가
  * 같은 경로를 소비해 드리프트를 막는다. 발급(worker) → v1→v2 migrate(필요 시) →
- * addServiceRecipient(DEK 를 token secret 으로 wrap) → putEnvelope. master pw 필수
- * (recipient 추가에 master recipient DEK unwrap 이 필요) — identity 디바이스 불가.
+ * addServiceRecipient(DEK 를 token secret 으로 wrap) → putEnvelope.
+ *
+ * 두 경로: (1) user(master pw) — master recipient 로 DEK unwrap (v1 자동 migrate 가능). (2) identity
+ * 디바이스(master pw 부재) — 본인 raw identity privkey(member:userId 경로)로 DEK unwrap. AI-native
+ * onboarding: `athsra login`(브라우저) 후 master pw 없이도 발급(member recipient 존재 + v2 전제).
  */
 import { addServiceRecipient, migrateV1ToV2, type SecretEnvelopeV2 } from '@athsra/crypto';
-import type { UserAuthContext } from './auth-context.ts';
+import { addServiceRecipientAsMember } from '@athsra/crypto/member';
+import type { IdentityAuthContext, UserAuthContext } from './auth-context.ts';
 
 export interface CreatedServiceToken {
   token: string;
@@ -60,3 +64,52 @@ export async function createServiceTokenWithRecipient(
 
   return created;
 }
+
+/**
+ * identity 디바이스 모드(master pw 부재) 발급 — 본인 raw identity privkey(member:userId 경로)로
+ * DEK 를 unwrap 해 service token secret 으로 wrap. v1 envelope / member recipient 부재 시 throw
+ * (둘 다 master pw 머신에서 1회 준비 필요 — v1→v2 마이그레이션, migrate-envelopes --self). recipient
+ * 추가는 worker 가 owner/admin 강제 — founding identity 디바이스(owner)는 자기 project 에 발급 가능.
+ */
+export async function createServiceTokenWithRecipientAsMember(
+  ctx: Pick<IdentityAuthContext, 'client' | 'identityPrivateKey' | 'userId'>,
+  args: { project: string; label: string; perms: 'read' | 'write'; expiresInDays?: number },
+): Promise<CreatedServiceToken> {
+  const { client, identityPrivateKey, userId } = ctx;
+
+  const envelope = await client.getEnvelope(args.project);
+  if (!envelope) {
+    throw new Error(
+      `project ${args.project} envelope 없음 — master pw 머신에서 \`athsra set ${args.project} KEY=value\` 1회 실행.`,
+    );
+  }
+  if (envelope.version !== 2) {
+    throw new Error(
+      `identity 모드 발급은 v2 envelope 필요 — master pw 머신에서 \`athsra set ${args.project} ...\` 1회로 v1→v2 마이그레이션 후 재시도.`,
+    );
+  }
+  if (!envelope.recipients.some((r) => r.id === `member:${userId}`)) {
+    throw new Error(
+      `member:${userId} recipient 없음 — master pw 머신에서 \`athsra migrate-envelopes --self\` 1회 실행 후 재시도.`,
+    );
+  }
+
+  const created = await client.createServiceToken({
+    project: args.project,
+    label: args.label,
+    perms: args.perms,
+    expiresInDays: args.expiresInDays,
+  });
+
+  // raw identity privkey 로 member:userId recipient 의 DEK 를 unwrap → token secret 으로 wrap.
+  const updated = await addServiceRecipientAsMember(
+    envelope,
+    identityPrivateKey,
+    userId,
+    created.token,
+    created.recipient_id,
+  );
+  await client.putEnvelope(args.project, updated);
+
+  return created;
+}