npm - @athsra/cli - Versions diffs - 1.1.2 → 1.1.3 - Mend

@athsra/cli 1.1.2 → 1.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json +1 -1
package/src/commands/recipients.ts +116 -4
package/src/commands/service-token.ts +50 -14
package/src/index.ts +2 -1
package/src/lib/client.ts +15 -2
package/src/lib/mcp-tools/admin.ts +46 -14
package/src/lib/service-tokens.ts +56 -3

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@athsra/cli",
-  "version": "1.1.2",
+  "version": "1.1.3",
   "description": "athsra CLI — E2EE secret manager on Cloudflare edge. Doppler-style dev UX + zero-knowledge encryption + soft-delete + version history. MIT.",
   "type": "module",
   "main": "./src/index.ts",

package/src/commands/recipients.ts CHANGED Viewed

@@ -1,8 +1,11 @@
+import { removeRecipient, type SecretEnvelopeV2 } from '@athsra/crypto';
 import { loadAuthContext } from '../lib/auth-context.ts';
 import { CONFIG_USAGE_HINT, configTag, resolveProject } from '../lib/auto-project.ts';
+import { promptConfirm } from '../lib/prompt.ts';
 const USAGE = [
-  'usage: athsra recipients <project>[:<env>]',
+  'usage: athsra recipients <project>[:<env>]                  # recipient 목록 (읽기 전용)',
+  '   or: athsra recipients prune-orphans [<project>] [--apply]  # orphan service recipient 정리',
   '',
   'envelope 의 recipient 목록(읽기 전용) — master / member / service token 분포 감사.',
   '값·평문 미노출 (recipient kind·id 만 표시). service recipient_id 는 비밀 아님',
@@ -11,12 +14,31 @@ const USAGE = [
   CONFIG_USAGE_HINT,
 ].join('\n');
+const PRUNE_USAGE = [
+  'usage: athsra recipients prune-orphans [<project>[:<env>]] [--apply|--yes]',
+  '',
+  'auth_tokens 에 없는 service recipient(orphan — revoke/만료 후 envelope 에 남은 메타)를 제거.',
+  'master/member recipient 는 절대 건드리지 않는다. DEK 는 회전하지 않음(메타 정리 — 완전 re-key 는',
+  '`athsra rotate-master`). project 생략 시 전 project 를 default 환경에서 스윕.',
+  '',
+  '기본은 dry-run(변경 없음). 실제 제거는 --apply (confirm: --yes 또는 ATHSRA_PRUNE_CONFIRMED=1).',
+  '제거는 org owner 권한 필요(worker 강제) — user(master-pw) 컨텍스트에서 실행.',
+  '',
+  CONFIG_USAGE_HINT,
+].join('\n');
 /**
- * 인시던트 후속(2026-06-14) — envelope recipient 구조 운영 가시성. founding sweep / rotate-master /
- * 멤버 removal 후 service:* recipient 가 보존/탈락됐는지 `athsra service-token list` 와 대조 감사.
- * getEnvelope 가 이미 recipients[] 를 주므로 복호 불필요 → 모든 인증 모드(user/identity/service)에서 동작.
+ * 인시던트 후속(2026-06-14) — envelope recipient 구조 운영 가시성 + orphan 정리.
+ *   - `athsra recipients <project>`            : recipient 분포 감사 (읽기 전용, 모든 인증 모드).
+ *   - `athsra recipients prune-orphans [...]`  : auth_tokens 에 없는 service recipient 정리.
+ * getEnvelope 가 이미 recipients[] 를 주므로 복호 불필요.
  */
 export async function recipientsCmd(args: string[]): Promise<number> {
+  if (args[0] === 'prune-orphans') return pruneOrphansCmd(args.slice(1));
+  return listRecipientsCmd(args);
+}
+async function listRecipientsCmd(args: string[]): Promise<number> {
   if (args.includes('--help') || args.includes('-h')) {
     console.log(USAGE);
     return 0;
@@ -54,3 +76,93 @@ export async function recipientsCmd(args: string[]): Promise<number> {
   console.log(`\n요약: master ${master} · service ${service} · member ${member}`);
   return 0;
 }
+/**
+ * orphan service recipient 정리 — auth_tokens 에 살아있는 service token 의 recipient_id 와
+ * envelope 의 service recipient 를 대조해, DB 에 없는 service recipient(revoke/만료 후 envelope 에
+ * 남은 메타)만 제거한다. master/member 는 절대 건드리지 않는다(removeRecipient 가 master 제거 차단,
+ * 우리는 kind==='service' 만 후보로 둠). DEK 미회전 — 메타 정리(완전 re-key 는 rotate-master).
+ */
+async function pruneOrphansCmd(args: string[]): Promise<number> {
+  if (args.includes('--help') || args.includes('-h')) {
+    console.log(PRUNE_USAGE);
+    return 0;
+  }
+  const apply = args.includes('--apply');
+  const yes = args.includes('--yes') || args.includes('-y');
+  const positional = args.filter((a) => !a.startsWith('-'));
+  const { project, config } = resolveProject(positional, { requirePositional: true });
+  const ctx = await loadAuthContext(project);
+  if (!ctx) return 1;
+  const { client } = ctx;
+  // 살아있는 service token 의 recipient_id 집합 (전 project — recipient_id 는 전역 유일).
+  let live: Set<string>;
+  try {
+    const { tokens } = await client.listServiceTokens();
+    live = new Set(tokens.map((t) => t.recipient_id));
+  } catch (err) {
+    console.error(`service-token list 조회 실패: ${(err as Error).message}`);
+    return 1;
+  }
+  const targets = project ? [project] : await client.listProjects();
+  let totalOrphans = 0;
+  let prunedProjects = 0;
+  for (const proj of targets) {
+    const env = await client.getEnvelope(proj, config);
+    if (env?.version !== 2) continue;
+    const orphans = env.recipients.filter((r) => r.kind === 'service' && !live.has(r.id));
+    if (orphans.length === 0) continue;
+    totalOrphans += orphans.length;
+    const tag = configTag(config);
+    console.log(`${proj}${tag} — orphan service recipient(s) (auth_tokens 에 없음):`);
+    for (const r of orphans) console.log(`  service  ${r.id}`);
+    if (!apply) {
+      console.log('');
+      continue;
+    }
+    // confirm (dry-run 이 아닌 실제 제거).
+    if (!yes && process.env.ATHSRA_PRUNE_CONFIRMED !== '1') {
+      const ok = await promptConfirm(
+        `${proj}${tag}: 위 ${orphans.length} orphan service recipient 제거? (master/member 보존, DEK 불변)`,
+        false,
+      );
+      if (!ok) {
+        console.log('  건너뜀.\n');
+        continue;
+      }
+    }
+    let pruned: SecretEnvelopeV2 = env;
+    for (const r of orphans) pruned = removeRecipient(pruned, r.id);
+    try {
+      await client.putEnvelope(proj, pruned, config);
+    } catch (err) {
+      console.error(
+        `  ✗ ${proj}${tag} 저장 실패 (owner 권한 필요할 수 있음): ${(err as Error).message}\n`,
+      );
+      continue;
+    }
+    prunedProjects += 1;
+    console.log(`  ✓ ${orphans.length} recipient(s) 제거 — master/member 보존, DEK 불변.\n`);
+  }
+  if (totalOrphans === 0) {
+    console.log(
+      'orphan service recipient 없음 (모든 service recipient 가 살아있는 token 과 일치).',
+    );
+    return 0;
+  }
+  if (!apply) {
+    console.log(`총 ${totalOrphans} orphan. dry-run (변경 없음). 제거하려면 --apply.`);
+  } else {
+    console.log(`완료: ${prunedProjects} project 에서 orphan 제거.`);
+  }
+  return 0;
+}

package/src/commands/service-token.ts CHANGED Viewed

@@ -1,9 +1,11 @@
+import { removeRecipient } from '@athsra/crypto';
 import { loadAuthContext } from '../lib/auth-context.ts';
 import { resolveProject } from '../lib/auto-project.ts';
 import { red, yellow } from '../lib/colors.ts';
 import {
   type CreatedServiceToken,
   createServiceTokenWithRecipient,
+  createServiceTokenWithRecipientAsMember,
 } from '../lib/service-tokens.ts';
 /** worker expiry-notify (apps/worker/src/queue/expiry-notify.ts) 의 최임박 threshold 와 동기. */
@@ -17,6 +19,8 @@ const USAGE = [
   '',
   'service token = scoped + revocable + master-pw 없이 envelope 복호 가능한 token.',
   '  → headless 호스트 (NAS Docker, CI, 자동화) 용 — E2EE 유지, master pw 유출 X.',
+  '발급 컨텍스트: user(master pw) 또는 identity(`athsra login` 브라우저 — AI-native, master pw 불요).',
+  '  identity 모드는 v2 envelope + 본인 member recipient 전제(master pw 머신서 1회 준비).',
 ].join('\n');
 async function createCmd(args: string[]): Promise<number> {
@@ -57,20 +61,32 @@ async function createCmd(args: string[]): Promise<number> {
   const ctx = await loadAuthContext();
   if (!ctx) return 1;
-  if (ctx.kind !== 'user') {
-    console.error('athsra service-token create 은 user token (master pw) 가 필요합니다.');
+  if (ctx.kind === 'service') {
+    console.error(
+      'service token 으로는 다른 service token 을 발급할 수 없습니다 — user(master pw) 또는 identity(device login) 컨텍스트 필요.',
+    );
     return 1;
   }
-  // 발급 + recipient 추가 (lib/service-tokens.ts — MCP athsra_service_token_create 와 공용 경로)
+  // 발급 + recipient 추가 (lib/service-tokens.ts — MCP athsra_service_token_create 와 공용 경로).
+  // user 모드(master pw) → master recipient 로 DEK unwrap. identity 모드(device login, master pw
+  // 부재) → 본인 raw identity privkey(member 경로)로 DEK unwrap (AI-native onboarding).
   let created: CreatedServiceToken;
   try {
-    created = await createServiceTokenWithRecipient(ctx, {
-      project,
-      label,
-      perms,
-      expiresInDays: expiresDays,
-    });
+    created =
+      ctx.kind === 'identity'
+        ? await createServiceTokenWithRecipientAsMember(ctx, {
+            project,
+            label,
+            perms,
+            expiresInDays: expiresDays,
+          })
+        : await createServiceTokenWithRecipient(ctx, {
+            project,
+            label,
+            perms,
+            expiresInDays: expiresDays,
+          });
   } catch (err) {
     console.error((err as Error).message);
     return 1;
@@ -113,9 +129,27 @@ async function revokeCmd(args: string[]): Promise<number> {
   const res = await client.revoke(token);
   console.log(`✓ revoked: ${res.revoked}`);
-  console.log(
-    '  envelope 의 recipient entry 는 그대로 남지만 보안상 무해 (worker auth 가 hash 로 거부).',
-  );
+  // 근본수정(2026-06-15): revoke 후 envelope 의 service recipient 동반 정리 → orphan recipient
+  // 재발 차단. worker 가 service token 의 recipient_id + project 를 반환. removeRecipient 는
+  // master/member 미접근(service 만). PUT 은 owner 권한 필요(worker 강제) → 실패 시 best-effort
+  // 안내(prune-orphans 로 폴백). const 캡처로 closure narrowing 유지.
+  const recipientId = res.recipient_id;
+  const project = res.project;
+  if (recipientId && project) {
+    try {
+      const env = await client.getEnvelope(project);
+      if (env?.version === 2 && env.recipients.some((r) => r.id === recipientId)) {
+        await client.putEnvelope(project, removeRecipient(env, recipientId));
+        console.log(`  ✓ envelope service recipient 정리: ${recipientId} (${project})`);
+      }
+    } catch (err) {
+      console.log(
+        `  ⚠ envelope recipient ${recipientId} 남음 (${(err as Error).message}) — ` +
+          `\`athsra recipients prune-orphans ${project}\` 로 정리하세요.`,
+      );
+    }
+  }
   return 0;
 }
@@ -124,8 +158,10 @@ async function listCmd(args: string[]): Promise<number> {
   const ctx = await loadAuthContext();
   if (!ctx) return 1;
-  if (ctx.kind !== 'user') {
-    console.error('athsra service-token list 는 user token (master pw) 가 필요합니다.');
+  if (ctx.kind === 'service') {
+    console.error(
+      'service token 으로는 목록 조회 불가 — user(master pw) 또는 identity(device login) 필요.',
+    );
     return 1;
   }
   const { client } = ctx;

package/src/index.ts CHANGED Viewed

@@ -29,7 +29,7 @@ import { setCmd } from './commands/set.ts';
 import { unsetCmd } from './commands/unset.ts';
 import { versionsCmd } from './commands/versions.ts';
-const VERSION = '1.1.2';
+const VERSION = '1.1.3';
 const commands: Record<string, (args: string[]) => Promise<number>> = {
   login: loginCmd,
@@ -89,6 +89,7 @@ Usage:
   athsra service-token list [<project>]     발급한 service token 메타 (revoke·만료 점검용)
   athsra service-token revoke <token>       service token 무효화
   athsra recipients <project>[:<env>]       envelope recipient 목록 감사 (master/member/service, 읽기 전용)
+  athsra recipients prune-orphans [<p>] [--apply]  auth_tokens 에 없는 orphan service recipient 정리 (dry-run 기본)
   athsra audit [--actor=...] [--action=...]  audit log 조회 (--all=cursor follow, --format=table|json|jsonl)
   athsra users {list|invite <id> [--role=R]}  RBAC: user 목록 / 신규 invite (admin role 필요)
   athsra role {grant|revoke} <user_id> <R>    role 부여/제거 (admin/dev/viewer/auditor/sa)

package/src/lib/client.ts CHANGED Viewed

@@ -411,14 +411,27 @@ export class AthsraClient {
     return (await res.json()) as { token: string; org_id: number; role: string };
   }
-  async revoke(targetToken?: string): Promise<{ ok: boolean; revoked: string; self?: boolean }> {
+  async revoke(targetToken?: string): Promise<{
+    ok: boolean;
+    revoked: string;
+    self?: boolean;
+    /** service token revoke 시 worker 가 동반 반환 — CLI 가 envelope recipient 정리에 사용. */
+    recipient_id?: string;
+    project?: string;
+  }> {
     const res = await fetch(this.url('/auth/revoke'), {
       method: 'POST',
       headers: this.headers({ 'content-type': 'application/json' }),
       body: JSON.stringify(targetToken ? { token: targetToken } : {}),
     });
     if (!res.ok) throw new Error(`revoke ${res.status}: ${await res.text()}`);
-    return (await res.json()) as { ok: boolean; revoked: string; self?: boolean };
+    return (await res.json()) as {
+      ok: boolean;
+      revoked: string;
+      self?: boolean;
+      recipient_id?: string;
+      project?: string;
+    };
   }
   /** DR — BACKUP_STORE → STORE 복원. dry_run=!execute. execute 는 content-bound confirm 필수. */

package/src/lib/mcp-tools/admin.ts CHANGED Viewed

@@ -8,19 +8,24 @@
  * → loadAuthContext → kind 가드 → client 호출 → jsonOk.
  *
  * kind 가드 2단 (epic D-2):
- *   - **master pw 소비 3종** (org_remove_member 의 owner DEK 회전 / project_share 의 envelope
- *     재포장 / service_token_create 의 recipient wrap) 은 user(master pw) 전용 — identity
- *     디바이스에선 masterPwDenied 로 actionable 거부 (master pw 는 그 머신에 영원히 없음).
- *   - 나머지 4종은 user|identity (둘 다 user-급 토큰) — service token 은 7종 전부 거부.
+ *   - **master pw 소비 2종** (org_remove_member 의 owner DEK 회전 / project_share 의 envelope
+ *     재포장) 은 user(master pw) 전용 — identity 디바이스에선 masterPwDenied 로 actionable 거부.
+ *   - service_token_create 는 user(master 경로) | identity(member 경로, 본인 raw privkey 로 DEK
+ *     unwrap — AI-native onboarding) 둘 다 — service token 만 거부.
+ *   - 나머지는 user|identity (둘 다 user-급 토큰) — service token 은 7종 전부 거부.
  *
  * 시크릿 값 무노출 (epic D-1) — 유일 예외는 service_token_create 의 1회성 ats_* 반환
  * (ONE-TIME EXPOSURE warning 동반). 그 외 응답은 메타데이터만.
  */
+import { removeRecipient } from '@athsra/crypto';
 import { loadAuthContext } from '../auth-context.ts';
 import type { AthsraClient } from '../client.ts';
 import { grantOrgAccess, rotateAfterRemoval } from '../org-rewrap.ts';
-import { createServiceTokenWithRecipient } from '../service-tokens.ts';
+import {
+  createServiceTokenWithRecipient,
+  createServiceTokenWithRecipientAsMember,
+} from '../service-tokens.ts';
 import { readInteger, readString } from './args.ts';
 import { requireConfirm } from './confirm.ts';
 import { jsonError, jsonOk, notLoggedIn, type ToolTextResult } from './result.ts';
@@ -191,7 +196,7 @@ export async function handleProjectUnshare(
 /**
  * athsra_service_token_create — scoped service token 발급 + envelope recipient 추가.
  * expires_days 필수 1..365 (MCP 발급 자격증명은 반드시 만료). 유일한 자격증명-반환 도구.
- * master pw 소비 — identity 거부.
+ * user(master pw) 또는 identity(device login, member 경로 — AI-native) 컨텍스트. service 거부.
  */
 export async function handleServiceTokenCreate(
   args: Record<string, unknown> | undefined,
@@ -211,13 +216,21 @@ export async function handleServiceTokenCreate(
   }
   const ctx = await loadAuthContext();
   if (!ctx) return notLoggedIn();
-  if (ctx.kind !== 'user') return masterPwDenied('service_token_create', ctx.kind);
-  const created = await createServiceTokenWithRecipient(ctx, {
-    project,
-    label,
-    perms,
-    expiresInDays: expiresDays,
-  });
+  if (ctx.kind === 'service') return masterPwDenied('service_token_create', 'service');
+  const created =
+    ctx.kind === 'identity'
+      ? await createServiceTokenWithRecipientAsMember(ctx, {
+          project,
+          label,
+          perms,
+          expiresInDays: expiresDays,
+        })
+      : await createServiceTokenWithRecipient(ctx, {
+          project,
+          label,
+          perms,
+          expiresInDays: expiresDays,
+        });
   return jsonOk({
     ...created,
     warning:
@@ -238,10 +251,29 @@ export async function handleServiceTokenRevoke(
   if (!ctx) return notLoggedIn();
   if (ctx.kind === 'service') return masterPwDenied('service_token_revoke', 'service');
   const res = await ctx.client.revoke(token);
+  // 근본수정: revoke 후 envelope service recipient 동반 정리(orphan 재발 차단). best-effort —
+  // PUT 은 owner 강제. const 캡처로 closure narrowing 유지.
+  const recipientId = res.recipient_id;
+  const project = res.project;
+  let recipientCleaned = false;
+  if (recipientId && project) {
+    try {
+      const env = await ctx.client.getEnvelope(project);
+      if (env?.version === 2 && env.recipients.some((r) => r.id === recipientId)) {
+        await ctx.client.putEnvelope(project, removeRecipient(env, recipientId));
+        recipientCleaned = true;
+      }
+    } catch {
+      // best-effort — prune-orphans 로 폴백 (note 로 안내).
+    }
+  }
   return jsonOk({
     ok: res.ok,
     revoked: res.revoked,
-    note: 'worker auth rejects the token immediately; the stale envelope recipient entry left behind is harmless.',
+    recipient_cleaned: recipientCleaned,
+    note: recipientCleaned
+      ? 'worker auth rejects the token immediately; the envelope service recipient was also pruned.'
+      : 'worker auth rejects the token immediately. If a stale service recipient remains, run `athsra recipients prune-orphans <project>`.',
   });
 }

package/src/lib/service-tokens.ts CHANGED Viewed

@@ -3,11 +3,15 @@
  *
  * `commands/service-token.ts` createCmd 에서 추출 — CLI 와 MCP(athsra_service_token_create)가
  * 같은 경로를 소비해 드리프트를 막는다. 발급(worker) → v1→v2 migrate(필요 시) →
- * addServiceRecipient(DEK 를 token secret 으로 wrap) → putEnvelope. master pw 필수
- * (recipient 추가에 master recipient DEK unwrap 이 필요) — identity 디바이스 불가.
+ * addServiceRecipient(DEK 를 token secret 으로 wrap) → putEnvelope.
+ *
+ * 두 경로: (1) user(master pw) — master recipient 로 DEK unwrap (v1 자동 migrate 가능). (2) identity
+ * 디바이스(master pw 부재) — 본인 raw identity privkey(member:userId 경로)로 DEK unwrap. AI-native
+ * onboarding: `athsra login`(브라우저) 후 master pw 없이도 발급(member recipient 존재 + v2 전제).
  */
 import { addServiceRecipient, migrateV1ToV2, type SecretEnvelopeV2 } from '@athsra/crypto';
-import type { UserAuthContext } from './auth-context.ts';
+import { addServiceRecipientAsMember } from '@athsra/crypto/member';
+import type { IdentityAuthContext, UserAuthContext } from './auth-context.ts';
 export interface CreatedServiceToken {
   token: string;
@@ -60,3 +64,52 @@ export async function createServiceTokenWithRecipient(
   return created;
 }
+/**
+ * identity 디바이스 모드(master pw 부재) 발급 — 본인 raw identity privkey(member:userId 경로)로
+ * DEK 를 unwrap 해 service token secret 으로 wrap. v1 envelope / member recipient 부재 시 throw
+ * (둘 다 master pw 머신에서 1회 준비 필요 — v1→v2 마이그레이션, migrate-envelopes --self). recipient
+ * 추가는 worker 가 owner/admin 강제 — founding identity 디바이스(owner)는 자기 project 에 발급 가능.
+ */
+export async function createServiceTokenWithRecipientAsMember(
+  ctx: Pick<IdentityAuthContext, 'client' | 'identityPrivateKey' | 'userId'>,
+  args: { project: string; label: string; perms: 'read' | 'write'; expiresInDays?: number },
+): Promise<CreatedServiceToken> {
+  const { client, identityPrivateKey, userId } = ctx;
+  const envelope = await client.getEnvelope(args.project);
+  if (!envelope) {
+    throw new Error(
+      `project ${args.project} envelope 없음 — master pw 머신에서 \`athsra set ${args.project} KEY=value\` 1회 실행.`,
+    );
+  }
+  if (envelope.version !== 2) {
+    throw new Error(
+      `identity 모드 발급은 v2 envelope 필요 — master pw 머신에서 \`athsra set ${args.project} ...\` 1회로 v1→v2 마이그레이션 후 재시도.`,
+    );
+  }
+  if (!envelope.recipients.some((r) => r.id === `member:${userId}`)) {
+    throw new Error(
+      `member:${userId} recipient 없음 — master pw 머신에서 \`athsra migrate-envelopes --self\` 1회 실행 후 재시도.`,
+    );
+  }
+  const created = await client.createServiceToken({
+    project: args.project,
+    label: args.label,
+    perms: args.perms,
+    expiresInDays: args.expiresInDays,
+  });
+  // raw identity privkey 로 member:userId recipient 의 DEK 를 unwrap → token secret 으로 wrap.
+  const updated = await addServiceRecipientAsMember(
+    envelope,
+    identityPrivateKey,
+    userId,
+    created.token,
+    created.recipient_id,
+  );
+  await client.putEnvelope(args.project, updated);
+  return created;
+}