unbound-cli 0.8.1 → 0.9.0

package/src/commands/onboard.js

@@ -52,21 +52,29 @@ Examples:
       let setupSucceeded = false;
       let discoveryDomain;
       try {
-        // Persist explicitly-passed URL flags BEFORE login so tenant URLs land
-        // in config before any backend call (whoami, setup completion ping) uses
-        // them. setUrls is atomic — a malformed URL throws before any disk write,
-        // so the three URLs never end up out of sync.
-        config.setUrls({
+        // Persist URLs first, then login, then setup — order matters so the
+        // login validates against the new backend and setup wires tools at the
+        // new gateway. setUrls is atomic; a malformed URL throws before any
+        // disk write so the three URLs never end up out of sync.
+        const written = config.setUrls({
           backend: opts.backendUrl,
           frontend: opts.frontendUrl,
           gateway: opts.gatewayUrl,
         });
-        const backendUrl = config.getBaseUrl();
-        const frontendUrl = config.getFrontendUrl();
-        const gatewayUrl = config.getGatewayUrl();
+        // Prefer the values we JUST persisted over the env-var-aware getters —
+        // a stale UNBOUND_*_URL from a prior shell session could otherwise
+        // silently shadow the user's explicit --*-url flag and route login or
+        // setup at the wrong tenant.
+        const backendUrl = written.base_url || config.getBaseUrl();
+        const frontendUrl = written.frontend_url || config.getFrontendUrl();
+        const gatewayUrl = written.gateway_url || config.getGatewayUrl();
         discoveryDomain = opts.domain || backendUrl;
 
-        await ensureLoggedIn({ apiKey: opts.apiKey });
+        await ensureLoggedIn({
+          apiKey: opts.apiKey,
+          baseUrl: written.base_url,
+          frontendUrl: written.frontend_url,
+        });
         const apiKey = config.getApiKey();
 
         console.log('');
@@ -124,15 +132,16 @@ Examples:
       let setupSucceeded = false;
       let discoveryDomain;
       try {
-        // Persist explicitly-passed URL flags so subsequent commands on this
-        // device (e.g. unbound discover, unbound setup) hit the same tenant.
-        // setUrls is atomic — a malformed URL throws before any disk write.
-        config.setUrls({
+        // Persist URLs first, then login, then setup — order matters so this
+        // MDM run wires tools at the new tenant. Prefer just-written values
+        // over env-var-aware getters so a stale UNBOUND_*_URL can't shadow the
+        // user's explicit --*-url flag.
+        const written = config.setUrls({
           backend: opts.backendUrl,
           gateway: opts.gatewayUrl,
         });
-        const backendUrl = config.getBaseUrl();
-        const gatewayUrl = config.getGatewayUrl();
+        const backendUrl = written.base_url || config.getBaseUrl();
+        const gatewayUrl = written.gateway_url || config.getGatewayUrl();
         discoveryDomain = opts.domain || backendUrl;
 
         checkRoot('onboard-mdm');

package/src/commands/setup.js

@@ -367,21 +367,26 @@ automatically to authenticate before proceeding.
 `)
     .action(async (tools, opts) => {
       try {
-        // Persist explicitly-passed URL flags BEFORE ensureLoggedIn runs so a
-        // tenant-onboarding `unbound setup --gateway-url ... --api-key ...` lands
-        // tenant URLs in config before any backend call uses them. setUrls is
-        // atomic — no partial writes if any value is malformed.
-        config.setUrls({
+        // Persist URLs first, login, then setup. setUrls is atomic; a malformed
+        // URL throws before any disk write.
+        const written = config.setUrls({
           backend: opts.backendUrl,
           frontend: opts.frontendUrl,
           gateway: opts.gatewayUrl,
         });
-
-        await ensureLoggedIn({ apiKey: opts.apiKey });
+        // Prefer just-persisted values over env-var-aware getters so a stale
+        // UNBOUND_*_URL from a prior shell session can't silently shadow the
+        // user's explicit --*-url flag and route login/setup at the wrong tenant.
+        const backendUrl = written.base_url || config.getBaseUrl();
+        const frontendUrl = written.frontend_url || config.getFrontendUrl();
+        const gatewayUrl = written.gateway_url || config.getGatewayUrl();
+
+        await ensureLoggedIn({
+          apiKey: opts.apiKey,
+          baseUrl: written.base_url,
+          frontendUrl: written.frontend_url,
+        });
         const apiKey = config.getApiKey();
-        const backendUrl = config.getBaseUrl();
-        const frontendUrl = config.getFrontendUrl();
-        const gatewayUrl = config.getGatewayUrl();
         const urlOpts = { backendUrl, frontendUrl, gatewayUrl };
 
         // --all expands to the default bundle. Cannot be combined with explicit tool names.
@@ -593,15 +598,16 @@ Examples:
         // --backend-url, --frontend-url, --gateway-url are defined only on the parent `setup` command.
         // Use optsWithGlobals() so they all work regardless of position relative to `mdm`.
         const globalOpts = command.optsWithGlobals();
-        // Persist explicitly-passed URL flags so this MDM run also configures
-        // the CLI for any subsequent non-MDM commands on the same machine.
-        // setUrls is atomic — no partial writes if any value is malformed.
-        config.setUrls({
+        // Persist URLs first so this MDM run wires tools at the new tenant
+        // and any subsequent non-MDM command on the same machine inherits.
+        // Prefer just-persisted values over env-var-aware getters so a stale
+        // UNBOUND_*_URL can't shadow the explicit --*-url flag.
+        const written = config.setUrls({
           backend: globalOpts.backendUrl,
           gateway: globalOpts.gatewayUrl,
         });
-        const backendUrl = config.getBaseUrl();
-        const gatewayUrl = config.getGatewayUrl();
+        const backendUrl = written.base_url || config.getBaseUrl();
+        const gatewayUrl = written.gateway_url || config.getGatewayUrl();
 
         if (globalOpts.all && tools.length > 0) {
           output.error('Cannot combine --all with specific tool names. Use one or the other.');

package/src/index.js

@@ -181,6 +181,7 @@ require('./commands/setup').register(program);
 require('./commands/discover').register(program);
 require('./commands/onboard').register(program);
 require('./commands/chat').register(program);
+require('./commands/oacb').register(program);
 
 // config command for managing CLI settings
 const configCmd = program

package/test/config-normalize-url.test.js

@@ -151,6 +151,49 @@ test('setUrls is atomic — partial failure leaves config unchanged', () => {
   }
 });
 
+// WEB-4107: setUrls returns the just-written values so callers can use them
+// directly instead of going back through getBaseUrl/etc. (which give env-var
+// precedence over config). A stale UNBOUND_*_URL from a prior shell session
+// would otherwise silently shadow the user's explicit --*-url flag.
+test('setUrls return value reflects what was persisted, bypassing env-var shadowing', () => {
+  const fs = require('node:fs');
+  const os = require('node:os');
+  const path = require('node:path');
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-cli-test-'));
+  const origHome = process.env.HOME;
+  const origGw = process.env.UNBOUND_GATEWAY_URL;
+  const origBe = process.env.UNBOUND_API_URL;
+  process.env.HOME = tmp;
+  // Stale env vars from a prior tenant — these would otherwise win in getXxxUrl().
+  process.env.UNBOUND_GATEWAY_URL = 'https://gw.STALE.com';
+  process.env.UNBOUND_API_URL     = 'https://be.STALE.com';
+  delete require.cache[require.resolve('../src/config')];
+  const c = require('../src/config');
+  try {
+    const written = c.setUrls({
+      backend: 'be.NEW.com',
+      frontend: 'fe.NEW.com',
+      gateway: 'gw.NEW.com',
+    });
+    // The return value reflects WHAT WAS WRITTEN — the user's explicit input.
+    assert.equal(written.base_url, 'https://be.new.com');
+    assert.equal(written.frontend_url, 'https://fe.new.com');
+    assert.equal(written.gateway_url, 'https://gw.new.com');
+    // The getters would still respect the env vars (existing convention).
+    // Callers that need the user's intent must use the setUrls return value.
+    assert.equal(c.getGatewayUrl(), 'https://gw.STALE.com');
+    assert.equal(c.getBaseUrl(),    'https://be.STALE.com');
+  } finally {
+    process.env.HOME = origHome;
+    if (origGw === undefined) delete process.env.UNBOUND_GATEWAY_URL;
+    else process.env.UNBOUND_GATEWAY_URL = origGw;
+    if (origBe === undefined) delete process.env.UNBOUND_API_URL;
+    else process.env.UNBOUND_API_URL = origBe;
+    delete require.cache[require.resolve('../src/config')];
+    fs.rmSync(tmp, { recursive: true, force: true });
+  }
+});
+
 // WEB-4103: backfillUserInfo must refresh email/org_name when the API returns
 // a different value (e.g. user switched tenants), not just fill if missing.
 // Defensive: must NOT blank the cached value on a partial/empty API response.

package/test/oacb.test.js

@@ -0,0 +1,307 @@
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+const os = require('node:os');
+const path = require('node:path');
+
+const {
+  validateTier,
+  isVersionSupported,
+  computeGaps,
+  mergeOverrides,
+  computeDeepDiff,
+  buildOacbHookEntries,
+  ruleIdFromPattern,
+  classifyRule,
+  hasOacbHook,
+} = require('../src/commands/oacb').__test__;
+
+// ─── validateTier ─────────────────────────────────────────────────────────────
+
+test('validateTier: accepts all four valid tiers', () => {
+  for (const t of ['shadow', 'baseline', 'strict', 'paranoid']) {
+    assert.doesNotThrow(() => validateTier(t));
+  }
+});
+
+test('validateTier: rejects unknown tier', () => {
+  assert.throws(() => validateTier('custom'), /Invalid tier/);
+});
+
+test('validateTier: rejects empty string', () => {
+  assert.throws(() => validateTier(''), /Invalid tier/);
+});
+
+// ─── isVersionSupported ───────────────────────────────────────────────────────
+
+test('isVersionSupported: supported version returns true', () => {
+  assert.equal(isVersionSupported('2.1.83'), true);
+  assert.equal(isVersionSupported('2.5.0'), true);
+  assert.equal(isVersionSupported('2.99.0'), true);
+});
+
+test('isVersionSupported: version below floor returns false', () => {
+  assert.equal(isVersionSupported('2.1.82'), false);
+  assert.equal(isVersionSupported('2.0.99'), false);
+  assert.equal(isVersionSupported('1.99.0'), false);
+});
+
+test('isVersionSupported: v3+ returns false', () => {
+  assert.equal(isVersionSupported('3.0.0'), false);
+  assert.equal(isVersionSupported('3.1.0'), false);
+});
+
+test('isVersionSupported: non-semver string returns false', () => {
+  assert.equal(isVersionSupported(''), false);
+  assert.equal(isVersionSupported('latest'), false);
+});
+
+test('isVersionSupported: handles version prefix in claude --version output', () => {
+  // `claude --version` may return "2.3.7" or "claude 2.3.7" — match by first semver
+  assert.equal(isVersionSupported('claude 2.3.7'), true);
+  assert.equal(isVersionSupported('claude 1.0.0'), false);
+});
+
+// ─── ruleIdFromPattern / classifyRule ────────────────────────────────────────
+
+test('ruleIdFromPattern: RM pattern', () => {
+  assert.equal(ruleIdFromPattern('Bash(rm -rf /*)'), 'OACB-RM-001');
+});
+
+test('ruleIdFromPattern: TF pattern', () => {
+  assert.equal(ruleIdFromPattern('Bash(terraform destroy *)'), 'OACB-TF-001');
+});
+
+test('ruleIdFromPattern: credential read pattern', () => {
+  assert.equal(ruleIdFromPattern('Read(**/.aws/credentials)'), 'OACB-READ-001');
+});
+
+test('classifyRule: rm maps to ASI02', () => {
+  assert.equal(classifyRule('Bash(rm -rf /*)'), 'ASI02');
+});
+
+test('classifyRule: credential read maps to ASI07', () => {
+  assert.equal(classifyRule('Read(**/.env)'), 'ASI07');
+});
+
+// ─── mergeOverrides ───────────────────────────────────────────────────────────
+
+test('mergeOverrides: scalar override wins', () => {
+  const base = { a: 1, b: 2 };
+  const override = { b: 99 };
+  assert.deepEqual(mergeOverrides(base, override), { a: 1, b: 99 });
+});
+
+test('mergeOverrides: array union (no duplicates)', () => {
+  const base = { deny: ['A', 'B'] };
+  const override = { deny: ['B', 'C'] };
+  const result = mergeOverrides(base, override);
+  assert.deepEqual(result.deny.sort(), ['A', 'B', 'C']);
+});
+
+test('mergeOverrides: nested object recurses', () => {
+  const base = { permissions: { deny: ['A'], defaultMode: 'acceptEdits' } };
+  const override = { permissions: { deny: ['B'], defaultMode: 'auto' } };
+  const result = mergeOverrides(base, override);
+  assert.deepEqual(result.permissions.deny.sort(), ['A', 'B']);
+  assert.equal(result.permissions.defaultMode, 'auto');
+});
+
+test('mergeOverrides: _oacbMeta key is skipped', () => {
+  const base = { a: 1 };
+  const override = { a: 2, _oacbMeta: { tier: 'baseline' } };
+  const result = mergeOverrides(base, override);
+  assert.equal(result.a, 2);
+  assert.equal(result._oacbMeta, undefined);
+});
+
+test('mergeOverrides: does not mutate base', () => {
+  const base = { deny: ['A'] };
+  mergeOverrides(base, { deny: ['B'] });
+  assert.deepEqual(base.deny, ['A']);
+});
+
+// ─── computeDeepDiff ─────────────────────────────────────────────────────────
+
+test('computeDeepDiff: identical objects produce empty diff', () => {
+  const obj = { permissions: { deny: ['A'] }, autoMode: { environment: [] } };
+  assert.deepEqual(computeDeepDiff(obj, obj), {});
+});
+
+test('computeDeepDiff: added key', () => {
+  const a = { x: 1 };
+  const b = { x: 1, y: 2 };
+  assert.deepEqual(computeDeepDiff(a, b), { y: { added: 2 } });
+});
+
+test('computeDeepDiff: removed key', () => {
+  const a = { x: 1, y: 2 };
+  const b = { x: 1 };
+  assert.deepEqual(computeDeepDiff(a, b), { y: { removed: 2 } });
+});
+
+test('computeDeepDiff: changed scalar', () => {
+  assert.deepEqual(computeDeepDiff({ a: 1 }, { a: 2 }), { a: { from: 1, to: 2 } });
+});
+
+test('computeDeepDiff: array diff shows added/removed items', () => {
+  const a = { deny: ['A', 'B'] };
+  const b = { deny: ['A', 'C'] };
+  const diff = computeDeepDiff(a, b);
+  assert.deepEqual(diff.deny.added, ['C']);
+  assert.deepEqual(diff.deny.removed, ['B']);
+});
+
+test('computeDeepDiff: _-prefixed keys are skipped', () => {
+  const a = { _oacb: { tier: 'shadow' }, x: 1 };
+  const b = { _oacb: { tier: 'baseline' }, x: 1 };
+  assert.deepEqual(computeDeepDiff(a, b), {});
+});
+
+// ─── computeGaps ─────────────────────────────────────────────────────────────
+
+const BASELINE_FIXTURE = {
+  _oacb: { tier: 'baseline' },
+  permissions: {
+    deny: ['Bash(rm -rf /*)', 'Bash(terraform destroy *)'],
+    disableBypassPermissionsMode: 'disable',
+  },
+  autoMode: {},
+  hooks: {
+    PreToolUse: [
+      {
+        matcher: 'Bash',
+        hooks: [{ type: 'command', command: '/usr/local/share/oacb/hooks/oacb-enforce.sh', timeout: 5000 }],
+      },
+    ],
+  },
+};
+
+test('computeGaps: fully-compliant settings → no gaps', () => {
+  const current = {
+    permissions: {
+      deny: ['Bash(rm -rf /*)', 'Bash(terraform destroy *)'],
+      disableBypassPermissionsMode: 'disable',
+    },
+    hooks: {
+      PreToolUse: [
+        { hooks: [{ type: 'command', command: `${os.homedir()}/.claude/hooks/oacb-enforce.sh` }] },
+      ],
+    },
+  };
+  assert.deepEqual(computeGaps(current, BASELINE_FIXTURE), []);
+});
+
+test('computeGaps: missing deny rule reports a gap', () => {
+  const current = {
+    permissions: {
+      deny: ['Bash(rm -rf /*)'], // missing terraform destroy
+      disableBypassPermissionsMode: 'disable',
+    },
+    hooks: {
+      PreToolUse: [
+        { hooks: [{ type: 'command', command: `${os.homedir()}/.claude/hooks/oacb-enforce.sh` }] },
+      ],
+    },
+  };
+  const gaps = computeGaps(current, BASELINE_FIXTURE);
+  assert.ok(gaps.some(g => g.ruleId === 'OACB-TF-001'), 'expected OACB-TF-001 gap');
+});
+
+test('computeGaps: missing hook reports OACB-HOOK-001', () => {
+  const current = {
+    permissions: { deny: ['Bash(rm -rf /*)', 'Bash(terraform destroy *)'], disableBypassPermissionsMode: 'disable' },
+    hooks: {}, // no hooks
+  };
+  const gaps = computeGaps(current, BASELINE_FIXTURE);
+  assert.ok(gaps.some(g => g.ruleId === 'OACB-HOOK-001'), 'expected OACB-HOOK-001 gap');
+});
+
+test('computeGaps: wrong disableBypassPermissionsMode reports OACB-BYPASS-001', () => {
+  const current = {
+    permissions: {
+      deny: ['Bash(rm -rf /*)', 'Bash(terraform destroy *)'],
+      disableBypassPermissionsMode: 'enable', // wrong
+    },
+    hooks: {
+      PreToolUse: [
+        { hooks: [{ type: 'command', command: `${os.homedir()}/.claude/hooks/oacb-enforce.sh` }] },
+      ],
+    },
+  };
+  const gaps = computeGaps(current, BASELINE_FIXTURE);
+  assert.ok(gaps.some(g => g.ruleId === 'OACB-BYPASS-001'), 'expected OACB-BYPASS-001 gap');
+});
+
+test('computeGaps: empty current settings reports multiple gaps', () => {
+  const gaps = computeGaps({}, BASELINE_FIXTURE);
+  assert.ok(gaps.length > 0, 'expected gaps for empty settings');
+});
+
+test('computeGaps: deduplicates gap by rule ID', () => {
+  // Both rm patterns map to OACB-RM-001 — should report it only once
+  const baseline = {
+    _oacb: { tier: 'baseline' },
+    permissions: {
+      deny: ['Bash(rm -rf /*)', 'Bash(rm -rf ~*)', 'Bash(rm -fr /*)'],
+      disableBypassPermissionsMode: 'disable',
+    },
+    hooks: {
+      PreToolUse: [
+        { hooks: [{ type: 'command', command: '/usr/local/share/oacb/hooks/oacb-enforce.sh' }] },
+      ],
+    },
+  };
+  const current = {
+    permissions: { deny: [], disableBypassPermissionsMode: 'disable' },
+    hooks: {
+      PreToolUse: [
+        { hooks: [{ type: 'command', command: `${os.homedir()}/.claude/hooks/oacb-enforce.sh` }] },
+      ],
+    },
+  };
+  const gaps = computeGaps(current, baseline);
+  const rmGaps = gaps.filter(g => g.ruleId === 'OACB-RM-001');
+  assert.equal(rmGaps.length, 1, 'OACB-RM-001 should appear exactly once');
+});
+
+// ─── buildOacbHookEntries ─────────────────────────────────────────────────────
+
+test('buildOacbHookEntries: hook paths are rewritten to ~/.claude/hooks/', () => {
+  const hooks = buildOacbHookEntries(BASELINE_FIXTURE);
+  const hookCmd = hooks.PreToolUse[0].hooks[0].command;
+  const expectedPath = path.join(os.homedir(), '.claude', 'hooks', 'oacb-enforce.sh');
+  assert.equal(hookCmd, expectedPath);
+});
+
+test('buildOacbHookEntries: does not mutate original baseline', () => {
+  const originalCmd = BASELINE_FIXTURE.hooks.PreToolUse[0].hooks[0].command;
+  buildOacbHookEntries(BASELINE_FIXTURE);
+  assert.equal(BASELINE_FIXTURE.hooks.PreToolUse[0].hooks[0].command, originalCmd);
+});
+
+test('buildOacbHookEntries: returns all hook events from baseline', () => {
+  const hooks = buildOacbHookEntries(BASELINE_FIXTURE);
+  assert.ok(Array.isArray(hooks.PreToolUse), 'PreToolUse should be present');
+});
+
+// ─── hasOacbHook ─────────────────────────────────────────────────────────────
+
+test('hasOacbHook: detects hook present in settings', () => {
+  const settings = {
+    hooks: {
+      PreToolUse: [
+        { hooks: [{ type: 'command', command: '/Users/test/.claude/hooks/oacb-enforce.sh' }] },
+      ],
+    },
+  };
+  assert.equal(hasOacbHook(settings, 'PreToolUse', 'oacb-enforce.sh'), true);
+});
+
+test('hasOacbHook: returns false when hook not present', () => {
+  const settings = { hooks: { PreToolUse: [] } };
+  assert.equal(hasOacbHook(settings, 'PreToolUse', 'oacb-enforce.sh'), false);
+});
+
+test('hasOacbHook: returns false when event not present', () => {
+  assert.equal(hasOacbHook({}, 'PreToolUse', 'oacb-enforce.sh'), false);
+});