fix(env): PR #22 round1 codex/gemini 指摘対応

- bundle.py: manifest version チェックを厳密一致 (!=) に変更し、
  0 や負数の未知スキーマを拒否 (codex major 指摘)
- cli.py: import --identity の help を "(all existing ones)" に修正
  (codex minor 指摘、resolve_identity_specs は全鍵を返す)
- io_import.py: --identity と --passphrase-* の同時指定を
  _validate_options で拒否 (gemini major 指摘)
- テスト追加: version=0/-1 の拒否、identity+passphrase 排他チェック

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: takemi-ohama

lib/devbase/cli.py

@@ -179,7 +179,7 @@ def _add_env_parser(subparsers):
                             metavar='FILE', dest='identities',
                             help=("age / OpenSSH private key file (repeatable). "
                                   "Default: ~/.ssh/id_ed25519, then ~/.ssh/id_rsa "
-                                  "(first existing one)"))
+                                  "(all existing ones)"))
     env_import.add_argument('--passphrase-env', metavar='VAR', default=None,
                             help='Read passphrase from environment variable VAR')
     env_import.add_argument('--passphrase-stdin', action='store_true',

lib/devbase/env/bundle.py

@@ -164,10 +164,10 @@ def _validate_manifest(manifest: Dict, members: Dict[str, bytes]) -> None:
     version = manifest.get('version')
     if not isinstance(version, int):
         raise BundleError("manifest.version が不正です")
-    if version > SUPPORTED_MANIFEST_VERSION:
+    if version != SUPPORTED_MANIFEST_VERSION:
         raise BundleError(
             f"manifest.version={version} はこの devbase ではサポートされていません "
-            f"(対応最大={SUPPORTED_MANIFEST_VERSION})。devbase 本体を更新してください"
+            f"(対応={SUPPORTED_MANIFEST_VERSION})。devbase 本体を更新してください"
         )
 
     files = manifest.get('files') or []

lib/devbase/env/io_import.py

@@ -85,6 +85,10 @@ def _validate_options(opts: ImportOptions) -> None:
         )
     if opts.passphrase_env and opts.passphrase_stdin:
         raise ImportError("--passphrase-env と --passphrase-stdin は併用できません")
+    if opts.identities and (opts.passphrase_env or opts.passphrase_stdin):
+        raise ImportError(
+            "--identity と --passphrase-env/--passphrase-stdin は併用できません"
+        )
 
 
 def _decrypt_if_needed(blob: bytes, opts: ImportOptions) -> bytes:

tests/cli/test_env_import.py

@@ -206,6 +206,18 @@ def test_import_rejects_both_passphrase_env_and_stdin(dest_root):
             source='/dev/null', passphrase_env='X', passphrase_stdin=True))
 
 
+def test_import_rejects_identity_with_passphrase(dest_root):
+    """--identity と --passphrase-env/--passphrase-stdin の同時指定は拒否される"""
+    with pytest.raises(ImportBundleError, match="--identity と --passphrase"):
+        import_bundle(dest_root, ImportOptions(
+            source='/dev/null', identities=['/tmp/fake.key'],
+            passphrase_env='X'))
+    with pytest.raises(ImportBundleError, match="--identity と --passphrase"):
+        import_bundle(dest_root, ImportOptions(
+            source='/tmp/dummy', identities=['/tmp/fake.key'],
+            passphrase_stdin=True))
+
+
 def test_read_passphrase_uses_getpass_on_tty(monkeypatch):
     """tty 入力時は getpass.getpass を使い stdin.readline は呼ばない (エコー抑止)"""
     fake_stdin = io.StringIO("should-not-be-read\n")

tests/env/test_bundle.py

@@ -49,7 +49,12 @@ def test_unpack_rejects_corrupted_sha256():
         bundle.unpack(out.getvalue())
 
 
-def test_unpack_rejects_unknown_version():
+@pytest.mark.parametrize("bad_version", [
+    bundle.SUPPORTED_MANIFEST_VERSION + 1,
+    0,
+    -1,
+])
+def test_unpack_rejects_unknown_version(bad_version):
     entries = [_entry("env/global.env", b"FOO=bar\n")]
     blob = bundle.pack(entries)
 
@@ -62,7 +67,7 @@ def test_unpack_rejects_unknown_version():
             data = tin.extractfile(info).read()
             if info.name == bundle.MANIFEST_NAME:
                 m = yaml.safe_load(data)
-                m["version"] = bundle.SUPPORTED_MANIFEST_VERSION + 1
+                m["version"] = bad_version
                 data = yaml.safe_dump(m).encode("utf-8")
                 info.size = len(data)
             tout.addfile(info, io.BytesIO(data))