unbound-cli 0.8.0 → 0.8.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "0.8.0",
+  "version": "0.8.1",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/commands/login.js

@@ -9,9 +9,10 @@ function register(program) {
     .command('login')
     .description('Authenticate with Unbound. Opens a browser for interactive login, or use --api-key for CI/CD environments.')
     .option('--api-key <key>', 'Authenticate with an API key directly (non-interactive)')
-    .addOption(new Option('--base-url <url>', 'Set a custom backend URL (also persists to config)').hideHelp())
-    .addOption(new Option('--frontend-url <url>', 'Set a custom frontend URL (also persists to config)').hideHelp())
-    .addOption(new Option('--gateway-url <url>', 'Set a custom gateway URL (also persists to config)').hideHelp())
+    .option('--gateway-url <url>', 'Tenant AI gateway URL (e.g. https://api.acme.com). Persisted to config.')
+    .option('--frontend-url <url>', 'Tenant frontend URL (e.g. https://gateway.acme.com). Persisted to config.')
+    .option('--backend-url <url>', 'Tenant backend REST API URL (e.g. https://backend.acme.com). Persisted to config.')
+    .addOption(new Option('--base-url <url>', 'Hidden alias of --backend-url, kept for back-compat.').hideHelp())
     .option('--domain <domain>', 'Use a custom domain for login (e.g. custom.example.com)')
     .addHelpText('after', `
 Authentication methods:
@@ -24,26 +25,33 @@ Authentication methods:
     Non-interactive login for CI/CD or automation. Stores the provided
     API key directly without browser interaction.
 
+Tenant deployments (URL flags persist to ~/.unbound/config.json):
+  Pass --gateway-url, --frontend-url, --backend-url at login time and the
+  CLI stores them all at once — no separate config step needed.
+
 Options:
   --domain sets a custom domain for organizations with self-hosted frontends.
-
-Tenant deployments:
-  Before logging in to a non-default Unbound tenant, set all three URLs:
-    $ unbound config urls <gateway-url> <frontend-url> <backend-url>
-    $ unbound login --api-key <YOUR_API_KEY>
+  Bare hostnames (e.g. "api.acme.com") are auto-prefixed with https://.
 
 Examples:
   $ unbound login                              # Login via default gateway
-  $ unbound login --domain custom.example.com  # Login via custom domain
   $ unbound login --api-key sk-abc123          # Non-interactive login
-  $ unbound config urls https://api.acme.com https://gateway.acme.com https://backend.acme.com \\
-      && unbound login --api-key sk-abc123     # Tenant onboarding
+  $ unbound login --api-key sk-abc123 \\
+      --gateway-url https://api.acme.com \\
+      --frontend-url https://gateway.acme.com \\
+      --backend-url https://backend.acme.com   # Tenant onboarding (one shot)
+  $ unbound login --domain custom.example.com  # Login via custom domain
 `)
     .action(async (opts) => {
       try {
-        if (opts.baseUrl) config.setBaseUrl(opts.baseUrl);
-        if (opts.frontendUrl) config.setFrontendUrl(opts.frontendUrl);
-        if (opts.gatewayUrl) config.setGatewayUrl(opts.gatewayUrl);
+        // --backend-url is the canonical visible flag; --base-url is a hidden
+        // back-compat alias. setUrls writes all provided URLs atomically so
+        // a malformed --frontend-url can't leave a fresh --backend-url half-applied.
+        config.setUrls({
+          backend: opts.backendUrl || opts.baseUrl,
+          frontend: opts.frontendUrl,
+          gateway: opts.gatewayUrl,
+        });
 
         let apiKey;
 

package/src/commands/onboard.js

@@ -50,11 +50,22 @@ Examples:
 `)
     .action(async (opts) => {
       let setupSucceeded = false;
-      const backendUrl = opts.backendUrl || config.getBaseUrl();
-      const frontendUrl = opts.frontendUrl || config.getFrontendUrl();
-      const gatewayUrl = opts.gatewayUrl || config.getGatewayUrl();
-      const discoveryDomain = opts.domain || backendUrl;
+      let discoveryDomain;
       try {
+        // Persist explicitly-passed URL flags BEFORE login so tenant URLs land
+        // in config before any backend call (whoami, setup completion ping) uses
+        // them. setUrls is atomic — a malformed URL throws before any disk write,
+        // so the three URLs never end up out of sync.
+        config.setUrls({
+          backend: opts.backendUrl,
+          frontend: opts.frontendUrl,
+          gateway: opts.gatewayUrl,
+        });
+        const backendUrl = config.getBaseUrl();
+        const frontendUrl = config.getFrontendUrl();
+        const gatewayUrl = config.getGatewayUrl();
+        discoveryDomain = opts.domain || backendUrl;
+
         await ensureLoggedIn({ apiKey: opts.apiKey });
         const apiKey = config.getApiKey();
 
@@ -111,10 +122,19 @@ Examples:
 `)
     .action(async (opts) => {
       let setupSucceeded = false;
-      const backendUrl = opts.backendUrl || config.getBaseUrl();
-      const gatewayUrl = opts.gatewayUrl || config.getGatewayUrl();
-      const discoveryDomain = opts.domain || backendUrl;
+      let discoveryDomain;
       try {
+        // Persist explicitly-passed URL flags so subsequent commands on this
+        // device (e.g. unbound discover, unbound setup) hit the same tenant.
+        // setUrls is atomic — a malformed URL throws before any disk write.
+        config.setUrls({
+          backend: opts.backendUrl,
+          gateway: opts.gatewayUrl,
+        });
+        const backendUrl = config.getBaseUrl();
+        const gatewayUrl = config.getGatewayUrl();
+        discoveryDomain = opts.domain || backendUrl;
+
         checkRoot('onboard-mdm');
 
         console.log('');

package/src/commands/setup.js

@@ -367,11 +367,21 @@ automatically to authenticate before proceeding.
 `)
     .action(async (tools, opts) => {
       try {
+        // Persist explicitly-passed URL flags BEFORE ensureLoggedIn runs so a
+        // tenant-onboarding `unbound setup --gateway-url ... --api-key ...` lands
+        // tenant URLs in config before any backend call uses them. setUrls is
+        // atomic — no partial writes if any value is malformed.
+        config.setUrls({
+          backend: opts.backendUrl,
+          frontend: opts.frontendUrl,
+          gateway: opts.gatewayUrl,
+        });
+
         await ensureLoggedIn({ apiKey: opts.apiKey });
         const apiKey = config.getApiKey();
-        const backendUrl = opts.backendUrl || config.getBaseUrl();
-        const frontendUrl = opts.frontendUrl || config.getFrontendUrl();
-        const gatewayUrl = opts.gatewayUrl || config.getGatewayUrl();
+        const backendUrl = config.getBaseUrl();
+        const frontendUrl = config.getFrontendUrl();
+        const gatewayUrl = config.getGatewayUrl();
         const urlOpts = { backendUrl, frontendUrl, gatewayUrl };
 
         // --all expands to the default bundle. Cannot be combined with explicit tool names.
@@ -583,8 +593,15 @@ Examples:
         // --backend-url, --frontend-url, --gateway-url are defined only on the parent `setup` command.
         // Use optsWithGlobals() so they all work regardless of position relative to `mdm`.
         const globalOpts = command.optsWithGlobals();
-        const backendUrl = globalOpts.backendUrl || config.getBaseUrl();
-        const gatewayUrl = globalOpts.gatewayUrl || config.getGatewayUrl();
+        // Persist explicitly-passed URL flags so this MDM run also configures
+        // the CLI for any subsequent non-MDM commands on the same machine.
+        // setUrls is atomic — no partial writes if any value is malformed.
+        config.setUrls({
+          backend: globalOpts.backendUrl,
+          gateway: globalOpts.gatewayUrl,
+        });
+        const backendUrl = config.getBaseUrl();
+        const gatewayUrl = config.getGatewayUrl();
 
         if (globalOpts.all && tools.length > 0) {
           output.error('Cannot combine --all with specific tool names. Use one or the other.');

package/src/config.js

@@ -103,12 +103,24 @@ function setGatewayUrl(url) {
   return config.gateway_url;
 }
 
-function setUrls({ gateway, frontend, backend }) {
-  const normalized = {
-    gateway_url: normalizeUrl(gateway),
-    frontend_url: normalizeUrl(frontend),
-    base_url: normalizeUrl(backend),
-  };
+/**
+ * Atomic multi-URL setter. Accepts any subset of `{gateway, frontend, backend}`
+ * (each field is independently optional). Normalizes every provided value up
+ * front; if any one is invalid it throws BEFORE touching disk so the caller
+ * never lands a partial write that leaves the three URLs out of sync.
+ *
+ * Use this from any code path that may persist more than one URL flag in the
+ * same command (login/setup/onboard) so a malformed --frontend-url can't
+ * succeed in writing a fresh --backend-url first.
+ *
+ * Returns an object with only the keys that were updated, normalized.
+ */
+function setUrls({ gateway, frontend, backend } = {}) {
+  const normalized = {};
+  if (gateway !== undefined) normalized.gateway_url = normalizeUrl(gateway);
+  if (frontend !== undefined) normalized.frontend_url = normalizeUrl(frontend);
+  if (backend !== undefined) normalized.base_url = normalizeUrl(backend);
+  if (Object.keys(normalized).length === 0) return normalized;
   const config = readConfig();
   Object.assign(config, normalized);
   writeConfig(config);
@@ -125,16 +137,26 @@ function isLoggedIn() {
   return !!getApiKey();
 }
 
+/**
+ * Refreshes cached user identity (email, org_name) from a backend response.
+ * Always overwrites when the response carries a non-empty value so that
+ * switching tenants under the same API key (or rotating the key to a new org)
+ * shows the correct organization in `whoami` / `status` instead of stale data.
+ * Defensive: leaves an existing cached value untouched if the response field
+ * is missing or empty, so a partial API response can't blank the local config.
+ */
 function backfillUserInfo(apiResponse) {
   if (!apiResponse) return;
   const cfg = readConfig();
   let changed = false;
-  if (!cfg.email && apiResponse.email) {
-    cfg.email = apiResponse.email;
+  const apiEmail = apiResponse.email;
+  if (apiEmail && cfg.email !== apiEmail) {
+    cfg.email = apiEmail;
     changed = true;
   }
-  if (!cfg.org_name && (apiResponse.org_name || apiResponse.organization_name || apiResponse.organization)) {
-    cfg.org_name = apiResponse.org_name || apiResponse.organization_name || apiResponse.organization;
+  const apiOrg = apiResponse.org_name || apiResponse.organization_name || apiResponse.organization;
+  if (apiOrg && cfg.org_name !== apiOrg) {
+    cfg.org_name = apiOrg;
     changed = true;
   }
   if (changed) writeConfig(cfg);

package/src/index.js

@@ -32,12 +32,17 @@ AUTHENTICATION
   $ unbound whoami                         Show current user and organization
   $ unbound status                         Show CLI status and API connectivity
 
-  Tenant deployments — set all three URLs once, then log in with an API key:
-  $ unbound config urls <gateway-url> <frontend-url> <backend-url>
-  $ unbound login --api-key <YOUR_API_KEY>
+  Tenant deployments — pass URL flags on login; they persist to ~/.unbound/config.json:
+  $ unbound login --api-key <YOUR_API_KEY> \\
+      --gateway-url <gw> --frontend-url <fe> --backend-url <be>
   Example:
-  $ unbound config urls https://api.acme.com https://gateway.acme.com https://backend.acme.com
-  $ unbound login --api-key sk-...
+  $ unbound login --api-key sk-... \\
+      --gateway-url https://api.acme.com \\
+      --frontend-url https://gateway.acme.com \\
+      --backend-url https://backend.acme.com
+
+  Or set URLs separately (any time):
+  $ unbound config urls <gateway-url> <frontend-url> <backend-url>
 
 ONBOARDING (one-step install + discover)
   $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>

package/test/config-normalize-url.test.js

@@ -96,3 +96,104 @@ test('setBaseUrl/setFrontendUrl/setGatewayUrl return the normalized written valu
     fs.rmSync(tmp, { recursive: true, force: true });
   }
 });
+
+// WEB-4103 (PR #22 review): setUrls must be atomic — if any URL fails
+// normalization, NONE of them should be persisted. Previously, separate
+// setBaseUrl/setFrontendUrl/setGatewayUrl calls did sequential writes,
+// so a malformed --frontend-url would land --backend-url half-applied.
+test('setUrls is atomic — partial failure leaves config unchanged', () => {
+  const fs = require('node:fs');
+  const os = require('node:os');
+  const path = require('node:path');
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-cli-test-'));
+  const origHome = process.env.HOME;
+  process.env.HOME = tmp;
+  delete require.cache[require.resolve('../src/config')];
+  const c = require('../src/config');
+  try {
+    // Seed a known starting state (simulating an existing tenant config).
+    c.writeConfig({
+      api_key: 'sk-x',
+      base_url: 'https://old-backend.example.com',
+      frontend_url: 'https://old-frontend.example.com',
+      gateway_url: 'https://old-gateway.example.com',
+    });
+
+    // Attempt to set all three; the frontend URL is malformed.
+    assert.throws(
+      () => c.setUrls({
+        backend: 'https://new-backend.example.com',
+        frontend: 'javascript:alert(1)',
+        gateway: 'https://new-gateway.example.com',
+      }),
+      /Invalid URL|http or https/,
+    );
+
+    // Critical: NO field should have been persisted — all three still old.
+    const cfg = c.readConfig();
+    assert.equal(cfg.base_url, 'https://old-backend.example.com');
+    assert.equal(cfg.frontend_url, 'https://old-frontend.example.com');
+    assert.equal(cfg.gateway_url, 'https://old-gateway.example.com');
+
+    // Partial input still works atomically.
+    c.setUrls({ backend: 'new.example.com' });
+    assert.equal(c.readConfig().base_url, 'https://new.example.com');
+    assert.equal(c.readConfig().frontend_url, 'https://old-frontend.example.com');
+
+    // Empty input is a no-op.
+    const result = c.setUrls({});
+    assert.deepEqual(result, {});
+    c.setUrls();
+  } finally {
+    process.env.HOME = origHome;
+    delete require.cache[require.resolve('../src/config')];
+    fs.rmSync(tmp, { recursive: true, force: true });
+  }
+});
+
+// WEB-4103: backfillUserInfo must refresh email/org_name when the API returns
+// a different value (e.g. user switched tenants), not just fill if missing.
+// Defensive: must NOT blank the cached value on a partial/empty API response.
+test('backfillUserInfo refreshes stale email/org but preserves on empty', () => {
+  const fs = require('node:fs');
+  const os = require('node:os');
+  const path = require('node:path');
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-cli-test-'));
+  const origHome = process.env.HOME;
+  process.env.HOME = tmp;
+  delete require.cache[require.resolve('../src/config')];
+  const c = require('../src/config');
+  try {
+    // Seed config as if the user logged in to org1 yesterday.
+    c.writeConfig({ api_key: 'sk-x', email: 'user@old.com', org_name: 'OldOrg' });
+
+    // API now returns the new tenant's identity → cache must update.
+    c.backfillUserInfo({ email: 'user@new.com', org_name: 'NewOrg' });
+    assert.equal(c.readConfig().email, 'user@new.com');
+    assert.equal(c.readConfig().org_name, 'NewOrg');
+
+    // Subsequent call with same data → no-op (idempotent).
+    c.backfillUserInfo({ email: 'user@new.com', org_name: 'NewOrg' });
+    assert.equal(c.readConfig().email, 'user@new.com');
+
+    // Partial / missing API response → cache preserved, NOT blanked.
+    c.backfillUserInfo({ email: 'user@new.com' });
+    assert.equal(c.readConfig().org_name, 'NewOrg');
+    c.backfillUserInfo({});
+    assert.equal(c.readConfig().email, 'user@new.com');
+    assert.equal(c.readConfig().org_name, 'NewOrg');
+
+    // Backend returning the legacy `organization_name` key still works.
+    c.backfillUserInfo({ organization_name: 'AnotherOrg' });
+    assert.equal(c.readConfig().org_name, 'AnotherOrg');
+
+    // Null / undefined input is a safe no-op.
+    c.backfillUserInfo(null);
+    c.backfillUserInfo(undefined);
+    assert.equal(c.readConfig().email, 'user@new.com');
+  } finally {
+    process.env.HOME = origHome;
+    delete require.cache[require.resolve('../src/config')];
+    fs.rmSync(tmp, { recursive: true, force: true });
+  }
+});