unbound-cli 0.8.0 → 0.8.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "0.8.0",
+  "version": "0.8.2",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/api.js

@@ -29,15 +29,18 @@ class ApiError extends Error {
   }
 }
 
-function request(method, path, { body, query, apiKey } = {}) {
-  const baseUrl = config.getBaseUrl();
+function request(method, path, { body, query, apiKey, baseUrl } = {}) {
+  // Explicit baseUrl wins over env-var-aware getBaseUrl(). Used by login /
+  // setup / onboard so a user's just-passed --backend-url isn't shadowed by a
+  // stale UNBOUND_API_URL env var from a prior shell session.
+  const resolvedBaseUrl = baseUrl || config.getBaseUrl();
   const key = apiKey || config.getApiKey();
 
   if (!key) {
     return Promise.reject(new Error('Not logged in. Run `unbound login` first.'));
   }
 
-  const url = new URL(path, baseUrl);
+  const url = new URL(path, resolvedBaseUrl);
   if (query) {
     for (const [k, v] of Object.entries(query)) {
       if (v !== undefined && v !== null) {

package/src/auth.js

@@ -107,13 +107,17 @@ async function loginWithBrowser(frontendUrl) {
  * Shows a spinner during validation and a success message with user info.
  *
  * @param {string} apiKey - The API key to validate and store
+ * @param {object} [opts]
+ * @param {string} [opts.baseUrl] - Explicit backend URL override. Used when the
+ *   caller just persisted a tenant URL via setUrls and wants validation to hit
+ *   that exact backend, regardless of any stale UNBOUND_API_URL env var.
  * @returns {Promise<true>}
  */
-async function loginWithApiKey(apiKey) {
+async function loginWithApiKey(apiKey, { baseUrl } = {}) {
   const spin = output.spinner('Authenticating...');
   let response;
   try {
-    response = await api.get('/api/v1/users/privileges/', { apiKey });
+    response = await api.get('/api/v1/users/privileges/', { apiKey, baseUrl });
   } catch (err) {
     let msg;
     if (err.statusCode === 401 || err.statusCode === 403) {
@@ -143,10 +147,14 @@ async function loginWithApiKey(apiKey) {
  * Ensures the user is logged in. If an apiKey is provided, validates and
  * stores it first. If not logged in, triggers browser-based login.
  * Returns true if logged in (or just logged in), false on failure.
+ *
+ * `baseUrl` and `frontendUrl` are explicit overrides for the URLs to validate
+ * against / open in the browser. Used by login/setup/onboard so a just-passed
+ * --backend-url / --frontend-url isn't shadowed by a stale env var.
  */
-async function ensureLoggedIn({ apiKey } = {}) {
+async function ensureLoggedIn({ apiKey, baseUrl, frontendUrl } = {}) {
   if (apiKey) {
-    await loginWithApiKey(apiKey);
+    await loginWithApiKey(apiKey, { baseUrl });
     return true;
   }
 
@@ -155,8 +163,7 @@ async function ensureLoggedIn({ apiKey } = {}) {
   }
 
   output.warn('Not logged in. Opening browser to authenticate...');
-  const frontendUrl = config.getFrontendUrl();
-  const result = await loginWithBrowser(frontendUrl);
+  const result = await loginWithBrowser(frontendUrl || config.getFrontendUrl());
 
   const parts = [];
   if (result.email) parts.push(`as ${result.email}`);

package/src/commands/login.js

@@ -9,9 +9,10 @@ function register(program) {
     .command('login')
     .description('Authenticate with Unbound. Opens a browser for interactive login, or use --api-key for CI/CD environments.')
     .option('--api-key <key>', 'Authenticate with an API key directly (non-interactive)')
-    .addOption(new Option('--base-url <url>', 'Set a custom backend URL (also persists to config)').hideHelp())
-    .addOption(new Option('--frontend-url <url>', 'Set a custom frontend URL (also persists to config)').hideHelp())
-    .addOption(new Option('--gateway-url <url>', 'Set a custom gateway URL (also persists to config)').hideHelp())
+    .option('--gateway-url <url>', 'Tenant AI gateway URL (e.g. https://api.acme.com). Persisted to config.')
+    .option('--frontend-url <url>', 'Tenant frontend URL (e.g. https://gateway.acme.com). Persisted to config.')
+    .option('--backend-url <url>', 'Tenant backend REST API URL (e.g. https://backend.acme.com). Persisted to config.')
+    .addOption(new Option('--base-url <url>', 'Hidden alias of --backend-url, kept for back-compat.').hideHelp())
     .option('--domain <domain>', 'Use a custom domain for login (e.g. custom.example.com)')
     .addHelpText('after', `
 Authentication methods:
@@ -24,32 +25,43 @@ Authentication methods:
     Non-interactive login for CI/CD or automation. Stores the provided
     API key directly without browser interaction.
 
+Tenant deployments (URL flags persist to ~/.unbound/config.json):
+  Pass --gateway-url, --frontend-url, --backend-url at login time and the
+  CLI stores them all at once — no separate config step needed.
+
 Options:
   --domain sets a custom domain for organizations with self-hosted frontends.
-
-Tenant deployments:
-  Before logging in to a non-default Unbound tenant, set all three URLs:
-    $ unbound config urls <gateway-url> <frontend-url> <backend-url>
-    $ unbound login --api-key <YOUR_API_KEY>
+  Bare hostnames (e.g. "api.acme.com") are auto-prefixed with https://.
 
 Examples:
   $ unbound login                              # Login via default gateway
-  $ unbound login --domain custom.example.com  # Login via custom domain
   $ unbound login --api-key sk-abc123          # Non-interactive login
-  $ unbound config urls https://api.acme.com https://gateway.acme.com https://backend.acme.com \\
-      && unbound login --api-key sk-abc123     # Tenant onboarding
+  $ unbound login --api-key sk-abc123 \\
+      --gateway-url https://api.acme.com \\
+      --frontend-url https://gateway.acme.com \\
+      --backend-url https://backend.acme.com   # Tenant onboarding (one shot)
+  $ unbound login --domain custom.example.com  # Login via custom domain
 `)
     .action(async (opts) => {
       try {
-        if (opts.baseUrl) config.setBaseUrl(opts.baseUrl);
-        if (opts.frontendUrl) config.setFrontendUrl(opts.frontendUrl);
-        if (opts.gatewayUrl) config.setGatewayUrl(opts.gatewayUrl);
-
-        let apiKey;
+        // --backend-url is the canonical visible flag; --base-url is a hidden
+        // back-compat alias. setUrls writes all provided URLs atomically so
+        // a malformed --frontend-url can't leave a fresh --backend-url half-applied.
+        const written = config.setUrls({
+          backend: opts.backendUrl || opts.baseUrl,
+          frontend: opts.frontendUrl,
+          gateway: opts.gatewayUrl,
+        });
+        // Prefer just-persisted values over env-var-aware getters so a stale
+        // UNBOUND_*_URL from a prior shell session can't shadow the user's
+        // explicit --backend-url / --frontend-url and route validation at the
+        // wrong tenant.
+        const explicitBaseUrl = written.base_url;
+        const explicitFrontendUrl = written.frontend_url;
 
         if (opts.apiKey) {
           try {
-            await loginWithApiKey(opts.apiKey);
+            await loginWithApiKey(opts.apiKey, { baseUrl: explicitBaseUrl });
           } catch {
             process.exitCode = 1;
             return;
@@ -61,12 +73,13 @@ Examples:
           if (opts.domain) {
             frontendUrl = opts.domain.startsWith('http') ? opts.domain : `https://${opts.domain}`;
           } else {
-            frontendUrl = config.getFrontendUrl();
+            frontendUrl = explicitFrontendUrl || config.getFrontendUrl();
           }
           await loginWithBrowser(frontendUrl);
-          apiKey = config.getApiKey();
-          // Validate the stored key
-          await api.get('/api/v1/users/privileges/');
+          // Validate the just-stored key against the explicit backend if one
+          // was just persisted; otherwise fall back to the env-var-aware
+          // getter. api.get reads the stored key from config internally.
+          await api.get('/api/v1/users/privileges/', { baseUrl: explicitBaseUrl });
         }
 
         const cfg = config.readConfig();

package/src/commands/onboard.js

@@ -50,12 +50,31 @@ Examples:
 `)
     .action(async (opts) => {
       let setupSucceeded = false;
-      const backendUrl = opts.backendUrl || config.getBaseUrl();
-      const frontendUrl = opts.frontendUrl || config.getFrontendUrl();
-      const gatewayUrl = opts.gatewayUrl || config.getGatewayUrl();
-      const discoveryDomain = opts.domain || backendUrl;
+      let discoveryDomain;
       try {
-        await ensureLoggedIn({ apiKey: opts.apiKey });
+        // Persist URLs first, then login, then setup — order matters so the
+        // login validates against the new backend and setup wires tools at the
+        // new gateway. setUrls is atomic; a malformed URL throws before any
+        // disk write so the three URLs never end up out of sync.
+        const written = config.setUrls({
+          backend: opts.backendUrl,
+          frontend: opts.frontendUrl,
+          gateway: opts.gatewayUrl,
+        });
+        // Prefer the values we JUST persisted over the env-var-aware getters —
+        // a stale UNBOUND_*_URL from a prior shell session could otherwise
+        // silently shadow the user's explicit --*-url flag and route login or
+        // setup at the wrong tenant.
+        const backendUrl = written.base_url || config.getBaseUrl();
+        const frontendUrl = written.frontend_url || config.getFrontendUrl();
+        const gatewayUrl = written.gateway_url || config.getGatewayUrl();
+        discoveryDomain = opts.domain || backendUrl;
+
+        await ensureLoggedIn({
+          apiKey: opts.apiKey,
+          baseUrl: written.base_url,
+          frontendUrl: written.frontend_url,
+        });
         const apiKey = config.getApiKey();
 
         console.log('');
@@ -111,10 +130,20 @@ Examples:
 `)
     .action(async (opts) => {
       let setupSucceeded = false;
-      const backendUrl = opts.backendUrl || config.getBaseUrl();
-      const gatewayUrl = opts.gatewayUrl || config.getGatewayUrl();
-      const discoveryDomain = opts.domain || backendUrl;
+      let discoveryDomain;
       try {
+        // Persist URLs first, then login, then setup — order matters so this
+        // MDM run wires tools at the new tenant. Prefer just-written values
+        // over env-var-aware getters so a stale UNBOUND_*_URL can't shadow the
+        // user's explicit --*-url flag.
+        const written = config.setUrls({
+          backend: opts.backendUrl,
+          gateway: opts.gatewayUrl,
+        });
+        const backendUrl = written.base_url || config.getBaseUrl();
+        const gatewayUrl = written.gateway_url || config.getGatewayUrl();
+        discoveryDomain = opts.domain || backendUrl;
+
         checkRoot('onboard-mdm');
 
         console.log('');

package/src/commands/setup.js

@@ -367,11 +367,26 @@ automatically to authenticate before proceeding.
 `)
     .action(async (tools, opts) => {
       try {
-        await ensureLoggedIn({ apiKey: opts.apiKey });
+        // Persist URLs first, login, then setup. setUrls is atomic; a malformed
+        // URL throws before any disk write.
+        const written = config.setUrls({
+          backend: opts.backendUrl,
+          frontend: opts.frontendUrl,
+          gateway: opts.gatewayUrl,
+        });
+        // Prefer just-persisted values over env-var-aware getters so a stale
+        // UNBOUND_*_URL from a prior shell session can't silently shadow the
+        // user's explicit --*-url flag and route login/setup at the wrong tenant.
+        const backendUrl = written.base_url || config.getBaseUrl();
+        const frontendUrl = written.frontend_url || config.getFrontendUrl();
+        const gatewayUrl = written.gateway_url || config.getGatewayUrl();
+
+        await ensureLoggedIn({
+          apiKey: opts.apiKey,
+          baseUrl: written.base_url,
+          frontendUrl: written.frontend_url,
+        });
         const apiKey = config.getApiKey();
-        const backendUrl = opts.backendUrl || config.getBaseUrl();
-        const frontendUrl = opts.frontendUrl || config.getFrontendUrl();
-        const gatewayUrl = opts.gatewayUrl || config.getGatewayUrl();
         const urlOpts = { backendUrl, frontendUrl, gatewayUrl };
 
         // --all expands to the default bundle. Cannot be combined with explicit tool names.
@@ -583,8 +598,16 @@ Examples:
         // --backend-url, --frontend-url, --gateway-url are defined only on the parent `setup` command.
         // Use optsWithGlobals() so they all work regardless of position relative to `mdm`.
         const globalOpts = command.optsWithGlobals();
-        const backendUrl = globalOpts.backendUrl || config.getBaseUrl();
-        const gatewayUrl = globalOpts.gatewayUrl || config.getGatewayUrl();
+        // Persist URLs first so this MDM run wires tools at the new tenant
+        // and any subsequent non-MDM command on the same machine inherits.
+        // Prefer just-persisted values over env-var-aware getters so a stale
+        // UNBOUND_*_URL can't shadow the explicit --*-url flag.
+        const written = config.setUrls({
+          backend: globalOpts.backendUrl,
+          gateway: globalOpts.gatewayUrl,
+        });
+        const backendUrl = written.base_url || config.getBaseUrl();
+        const gatewayUrl = written.gateway_url || config.getGatewayUrl();
 
         if (globalOpts.all && tools.length > 0) {
           output.error('Cannot combine --all with specific tool names. Use one or the other.');

package/src/config.js

@@ -103,12 +103,24 @@ function setGatewayUrl(url) {
   return config.gateway_url;
 }
 
-function setUrls({ gateway, frontend, backend }) {
-  const normalized = {
-    gateway_url: normalizeUrl(gateway),
-    frontend_url: normalizeUrl(frontend),
-    base_url: normalizeUrl(backend),
-  };
+/**
+ * Atomic multi-URL setter. Accepts any subset of `{gateway, frontend, backend}`
+ * (each field is independently optional). Normalizes every provided value up
+ * front; if any one is invalid it throws BEFORE touching disk so the caller
+ * never lands a partial write that leaves the three URLs out of sync.
+ *
+ * Use this from any code path that may persist more than one URL flag in the
+ * same command (login/setup/onboard) so a malformed --frontend-url can't
+ * succeed in writing a fresh --backend-url first.
+ *
+ * Returns an object with only the keys that were updated, normalized.
+ */
+function setUrls({ gateway, frontend, backend } = {}) {
+  const normalized = {};
+  if (gateway !== undefined) normalized.gateway_url = normalizeUrl(gateway);
+  if (frontend !== undefined) normalized.frontend_url = normalizeUrl(frontend);
+  if (backend !== undefined) normalized.base_url = normalizeUrl(backend);
+  if (Object.keys(normalized).length === 0) return normalized;
   const config = readConfig();
   Object.assign(config, normalized);
   writeConfig(config);
@@ -125,16 +137,26 @@ function isLoggedIn() {
   return !!getApiKey();
 }
 
+/**
+ * Refreshes cached user identity (email, org_name) from a backend response.
+ * Always overwrites when the response carries a non-empty value so that
+ * switching tenants under the same API key (or rotating the key to a new org)
+ * shows the correct organization in `whoami` / `status` instead of stale data.
+ * Defensive: leaves an existing cached value untouched if the response field
+ * is missing or empty, so a partial API response can't blank the local config.
+ */
 function backfillUserInfo(apiResponse) {
   if (!apiResponse) return;
   const cfg = readConfig();
   let changed = false;
-  if (!cfg.email && apiResponse.email) {
-    cfg.email = apiResponse.email;
+  const apiEmail = apiResponse.email;
+  if (apiEmail && cfg.email !== apiEmail) {
+    cfg.email = apiEmail;
     changed = true;
   }
-  if (!cfg.org_name && (apiResponse.org_name || apiResponse.organization_name || apiResponse.organization)) {
-    cfg.org_name = apiResponse.org_name || apiResponse.organization_name || apiResponse.organization;
+  const apiOrg = apiResponse.org_name || apiResponse.organization_name || apiResponse.organization;
+  if (apiOrg && cfg.org_name !== apiOrg) {
+    cfg.org_name = apiOrg;
     changed = true;
   }
   if (changed) writeConfig(cfg);

package/src/index.js

@@ -32,12 +32,17 @@ AUTHENTICATION
   $ unbound whoami                         Show current user and organization
   $ unbound status                         Show CLI status and API connectivity
 
-  Tenant deployments — set all three URLs once, then log in with an API key:
-  $ unbound config urls <gateway-url> <frontend-url> <backend-url>
-  $ unbound login --api-key <YOUR_API_KEY>
+  Tenant deployments — pass URL flags on login; they persist to ~/.unbound/config.json:
+  $ unbound login --api-key <YOUR_API_KEY> \\
+      --gateway-url <gw> --frontend-url <fe> --backend-url <be>
   Example:
-  $ unbound config urls https://api.acme.com https://gateway.acme.com https://backend.acme.com
-  $ unbound login --api-key sk-...
+  $ unbound login --api-key sk-... \\
+      --gateway-url https://api.acme.com \\
+      --frontend-url https://gateway.acme.com \\
+      --backend-url https://backend.acme.com
+
+  Or set URLs separately (any time):
+  $ unbound config urls <gateway-url> <frontend-url> <backend-url>
 
 ONBOARDING (one-step install + discover)
   $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>

package/test/config-normalize-url.test.js

@@ -96,3 +96,147 @@ test('setBaseUrl/setFrontendUrl/setGatewayUrl return the normalized written valu
     fs.rmSync(tmp, { recursive: true, force: true });
   }
 });
+
+// WEB-4103 (PR #22 review): setUrls must be atomic — if any URL fails
+// normalization, NONE of them should be persisted. Previously, separate
+// setBaseUrl/setFrontendUrl/setGatewayUrl calls did sequential writes,
+// so a malformed --frontend-url would land --backend-url half-applied.
+test('setUrls is atomic — partial failure leaves config unchanged', () => {
+  const fs = require('node:fs');
+  const os = require('node:os');
+  const path = require('node:path');
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-cli-test-'));
+  const origHome = process.env.HOME;
+  process.env.HOME = tmp;
+  delete require.cache[require.resolve('../src/config')];
+  const c = require('../src/config');
+  try {
+    // Seed a known starting state (simulating an existing tenant config).
+    c.writeConfig({
+      api_key: 'sk-x',
+      base_url: 'https://old-backend.example.com',
+      frontend_url: 'https://old-frontend.example.com',
+      gateway_url: 'https://old-gateway.example.com',
+    });
+
+    // Attempt to set all three; the frontend URL is malformed.
+    assert.throws(
+      () => c.setUrls({
+        backend: 'https://new-backend.example.com',
+        frontend: 'javascript:alert(1)',
+        gateway: 'https://new-gateway.example.com',
+      }),
+      /Invalid URL|http or https/,
+    );
+
+    // Critical: NO field should have been persisted — all three still old.
+    const cfg = c.readConfig();
+    assert.equal(cfg.base_url, 'https://old-backend.example.com');
+    assert.equal(cfg.frontend_url, 'https://old-frontend.example.com');
+    assert.equal(cfg.gateway_url, 'https://old-gateway.example.com');
+
+    // Partial input still works atomically.
+    c.setUrls({ backend: 'new.example.com' });
+    assert.equal(c.readConfig().base_url, 'https://new.example.com');
+    assert.equal(c.readConfig().frontend_url, 'https://old-frontend.example.com');
+
+    // Empty input is a no-op.
+    const result = c.setUrls({});
+    assert.deepEqual(result, {});
+    c.setUrls();
+  } finally {
+    process.env.HOME = origHome;
+    delete require.cache[require.resolve('../src/config')];
+    fs.rmSync(tmp, { recursive: true, force: true });
+  }
+});
+
+// WEB-4107: setUrls returns the just-written values so callers can use them
+// directly instead of going back through getBaseUrl/etc. (which give env-var
+// precedence over config). A stale UNBOUND_*_URL from a prior shell session
+// would otherwise silently shadow the user's explicit --*-url flag.
+test('setUrls return value reflects what was persisted, bypassing env-var shadowing', () => {
+  const fs = require('node:fs');
+  const os = require('node:os');
+  const path = require('node:path');
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-cli-test-'));
+  const origHome = process.env.HOME;
+  const origGw = process.env.UNBOUND_GATEWAY_URL;
+  const origBe = process.env.UNBOUND_API_URL;
+  process.env.HOME = tmp;
+  // Stale env vars from a prior tenant — these would otherwise win in getXxxUrl().
+  process.env.UNBOUND_GATEWAY_URL = 'https://gw.STALE.com';
+  process.env.UNBOUND_API_URL     = 'https://be.STALE.com';
+  delete require.cache[require.resolve('../src/config')];
+  const c = require('../src/config');
+  try {
+    const written = c.setUrls({
+      backend: 'be.NEW.com',
+      frontend: 'fe.NEW.com',
+      gateway: 'gw.NEW.com',
+    });
+    // The return value reflects WHAT WAS WRITTEN — the user's explicit input.
+    assert.equal(written.base_url, 'https://be.new.com');
+    assert.equal(written.frontend_url, 'https://fe.new.com');
+    assert.equal(written.gateway_url, 'https://gw.new.com');
+    // The getters would still respect the env vars (existing convention).
+    // Callers that need the user's intent must use the setUrls return value.
+    assert.equal(c.getGatewayUrl(), 'https://gw.STALE.com');
+    assert.equal(c.getBaseUrl(),    'https://be.STALE.com');
+  } finally {
+    process.env.HOME = origHome;
+    if (origGw === undefined) delete process.env.UNBOUND_GATEWAY_URL;
+    else process.env.UNBOUND_GATEWAY_URL = origGw;
+    if (origBe === undefined) delete process.env.UNBOUND_API_URL;
+    else process.env.UNBOUND_API_URL = origBe;
+    delete require.cache[require.resolve('../src/config')];
+    fs.rmSync(tmp, { recursive: true, force: true });
+  }
+});
+
+// WEB-4103: backfillUserInfo must refresh email/org_name when the API returns
+// a different value (e.g. user switched tenants), not just fill if missing.
+// Defensive: must NOT blank the cached value on a partial/empty API response.
+test('backfillUserInfo refreshes stale email/org but preserves on empty', () => {
+  const fs = require('node:fs');
+  const os = require('node:os');
+  const path = require('node:path');
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-cli-test-'));
+  const origHome = process.env.HOME;
+  process.env.HOME = tmp;
+  delete require.cache[require.resolve('../src/config')];
+  const c = require('../src/config');
+  try {
+    // Seed config as if the user logged in to org1 yesterday.
+    c.writeConfig({ api_key: 'sk-x', email: 'user@old.com', org_name: 'OldOrg' });
+
+    // API now returns the new tenant's identity → cache must update.
+    c.backfillUserInfo({ email: 'user@new.com', org_name: 'NewOrg' });
+    assert.equal(c.readConfig().email, 'user@new.com');
+    assert.equal(c.readConfig().org_name, 'NewOrg');
+
+    // Subsequent call with same data → no-op (idempotent).
+    c.backfillUserInfo({ email: 'user@new.com', org_name: 'NewOrg' });
+    assert.equal(c.readConfig().email, 'user@new.com');
+
+    // Partial / missing API response → cache preserved, NOT blanked.
+    c.backfillUserInfo({ email: 'user@new.com' });
+    assert.equal(c.readConfig().org_name, 'NewOrg');
+    c.backfillUserInfo({});
+    assert.equal(c.readConfig().email, 'user@new.com');
+    assert.equal(c.readConfig().org_name, 'NewOrg');
+
+    // Backend returning the legacy `organization_name` key still works.
+    c.backfillUserInfo({ organization_name: 'AnotherOrg' });
+    assert.equal(c.readConfig().org_name, 'AnotherOrg');
+
+    // Null / undefined input is a safe no-op.
+    c.backfillUserInfo(null);
+    c.backfillUserInfo(undefined);
+    assert.equal(c.readConfig().email, 'user@new.com');
+  } finally {
+    process.env.HOME = origHome;
+    delete require.cache[require.resolve('../src/config')];
+    fs.rmSync(tmp, { recursive: true, force: true });
+  }
+});