npm - unbound-cli - Versions diffs - 0.9.9 → 1.1.0 - Mend

unbound-cli 0.9.9 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "0.9.9",
+  "version": "1.1.0",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/commands/policy.js CHANGED Viewed

@@ -1503,7 +1503,7 @@ Learn more: ${DOCS_TOOL}
     .command('create-mcp')
     .description('Create an MCP_TOOL policy: monitor or block MCP server tool calls.')
     .requiredOption('--name <name>', 'Policy name (required)')
-    .requiredOption('--mcp-server <server>', 'MCP server name (e.g. Linear, Slack). See `policy tool mcp-servers`.')
+    .requiredOption('--mcp-server <server>', 'MCP server name as shown by `policy tool mcp-servers` (e.g. linear, github). Resolved to its canonical group automatically.')
     .option('--mcp-tool <tool>', 'Specific tool name on the MCP server (e.g. create_issue). Mutually exclusive with --mcp-action-type.')
     .option('--mcp-action-type <type>', `Match by tool action type: ${MCP_ACTION_TYPES.join(' | ')}. Mutually exclusive with --mcp-tool.`)
     .requiredOption('--action <action>', `Action to take: ${TOOL_ACTIONS.join(' | ')}`)
@@ -1516,12 +1516,15 @@ Learn more: ${DOCS_TOOL}
 Examples:
   Match a specific tool on a server:
   $ unbound policy tool create-mcp --name "Block Linear writes" \\
-      --mcp-server Linear --mcp-tool create_issue --action BLOCK \\
+      --mcp-server linear --mcp-tool create_issue --action BLOCK \\
       --custom-message "Issue creation is blocked. Contact admin."
   Match all destructive tools on a server:
   $ unbound policy tool create-mcp --name "Audit all destructive Slack" \\
-      --mcp-server Slack --mcp-action-type destructive --action AUDIT
+      --mcp-server slack --mcp-action-type destructive --action AUDIT
+The server name is resolved to its canonical group automatically, so pass the
+name exactly as listed by \`policy tool mcp-servers\` (matching is case-insensitive).
 Discover valid MCP servers and their tools: unbound policy tool mcp-servers
 Learn more: ${DOCS_TOOL}

package/src/commands/setup.js CHANGED Viewed

@@ -7,6 +7,7 @@ const https = require('https');
 const config = require('../config');
 const output = require('../output');
 const { ensureLoggedIn } = require('../auth');
+const { confirm } = require('../utils');
 const SETUP_BASE_URL = 'https://raw.githubusercontent.com/websentry-ai/setup/refs/heads/main';
@@ -59,6 +60,17 @@ const SETUP_TOOL_MAP = {
   'codex-gateway':            { label: 'Codex (gateway)',            script: 'codex/gateway/setup.py' },
 };
+/**
+ * Resolves the tool list for `setup --all`. Installing uses the subscription
+ * bundle (one mode per tool, no Gemini CLI), but clearing must remove EVERY
+ * tool Unbound can configure — both modes plus Gemini CLI — so a prior
+ * gateway-mode or Gemini setup isn't silently left behind. Mirrors the
+ * `setup mdm --all` split.
+ */
+function resolveSetupAllTools(clear) {
+  return clear ? Object.keys(SETUP_TOOL_MAP) : [...SETUP_ALL_TOOLS];
+}
 // Instruction-only tools (display config values, no setup scripts)
 const INSTRUCTION_TOOLS = {
   'roo-code':      { label: 'Roo Code',     values: (apiKey) => [['API Provider', 'unbound'], ['API Key', apiKey]] },
@@ -341,6 +353,30 @@ async function runBatch(tools, runFn, { clear = false } = {}) {
   return true;
 }
+/**
+ * Clears a set of tools best-effort: a single tool failing does not abort the
+ * rest (unlike runBatch, which stops on first failure). Used by `uninstall`,
+ * where the goal is to remove as much as possible. Returns the labels that failed.
+ */
+async function clearToolsBestEffort(layer, tools, { mdm, backendUrl, gatewayUrl, frontendUrl } = {}) {
+  const failed = [];
+  for (const tool of tools) {
+    const s = output.spinner(`Clearing ${layer}: ${tool.label}...`);
+    try {
+      // frontendUrl is forwarded for parity with `setup --clear`; buildScriptArgs
+      // only appends --domain for non-MDM tools, so MDM clears stay unaffected.
+      const args = buildScriptArgs(null, { backendUrl, gatewayUrl, frontendUrl, clear: true, mdm });
+      await runScriptPiped(tool.script, args);
+      s.succeed(`${layer}: ${tool.label}`);
+    } catch (err) {
+      const reason = (err.message || 'failed').split('\n')[0].slice(0, 80);
+      s.fail(`${layer}: ${tool.label} (${reason})`);
+      failed.push(tool.label);
+    }
+  }
+  return failed;
+}
 function register(program) {
   const setup = program
     .command('setup')
@@ -403,6 +439,10 @@ Examples:
   $ unbound setup copilot --clear                          Remove GitHub Copilot config
   $ unbound setup claude-code --clear                      Remove BOTH Claude Code modes (subscription + gateway)
   $ unbound setup codex --clear                            Remove BOTH Codex modes (subscription + gateway)
+  $ unbound setup --all --clear                            Remove EVERY tool's config (both modes + Gemini CLI)
+  To also remove MDM config for all users and wipe credentials, use:
+  $ sudo unbound nuke
   Interactive:
   $ unbound setup                                          Select tools interactively
@@ -447,7 +487,7 @@ requires authentication.
             process.exitCode = 1;
             return;
           }
-          tools = [...SETUP_ALL_TOOLS];
+          tools = resolveSetupAllTools(opts.clear);
         }
         // No tools specified → interactive multi-select (existing flow)
@@ -792,6 +832,100 @@ Clear examples (no API key required):
         process.exitCode = 1;
       }
     });
+  // --- Full uninstall ---
+  program
+    .command('nuke')
+    .alias('uninstall')
+    .description(
+      'Remove Unbound and start fresh. By default clears every user-level AND ' +
+      'MDM (system-level) tool configuration plus stored credentials (requires ' +
+      "root). Use --user to clear only this user's tools and credentials (no root)."
+    )
+    .option('-y, --yes', 'Skip the confirmation prompt')
+    .option('--user', "Clear only THIS user's tool config and credentials — skip MDM (no root required)")
+    .addHelpText('after', `
+Two modes:
+  Default (requires root)   Clears every user-level and MDM (system-level) tool
+                            config for all users on the device, then deletes
+                            credentials.
+  --user (no root)          Clears only the current user's tool config, then
+                            deletes credentials. Leaves MDM config untouched
+                            (removing system-level config needs root).
+What it clears:
+  - USER-level tool config — Cursor, GitHub Copilot, Claude Code (subscription +
+    gateway), Gemini CLI, Codex (subscription + gateway).                [both modes]
+  - MDM (system-level) tool config across all users on the device.    [default only]
+  - Stored credentials and settings (~/.unbound/config.json).            [both modes]
+After it finishes, run \`unbound login\` (or \`unbound onboard\`) to set things up
+fresh. Clearing never contacts the Unbound API, so no API key is needed.
+Examples:
+  $ sudo unbound nuke                       Remove everything on the device (asks to confirm)
+  $ sudo unbound nuke --yes                 Remove everything, no confirmation
+  $ unbound nuke --user                     Clear only your tools + credentials (no sudo)
+  $ unbound nuke --user --yes               Same, no confirmation
+  $ sudo unbound uninstall                  'uninstall' is an alias for 'nuke'
+`)
+    .action(async (opts) => {
+      try {
+        // Root is only required for the MDM clears (system-level, all users).
+        // --user mode skips them, so it doesn't need root. On native Windows the
+        // Python MDM scripts do their own admin check, so skip the uid check there.
+        if (!opts.user && process.platform !== 'win32' && (typeof process.getuid !== 'function' || process.getuid() !== 0)) {
+          output.error('nuke removes system-level MDM config for all users, so it must run as root. Run with: sudo unbound nuke — or use `unbound nuke --user` to clear just your own tools and credentials without root.');
+          process.exitCode = 1;
+          return;
+        }
+        if (!opts.yes) {
+          output.warn(opts.user
+            ? 'This removes your user-level Unbound tool configuration and deletes your stored credentials.'
+            : 'This removes ALL Unbound tool configuration on this device (user-level and MDM) and deletes your stored credentials.');
+          const ok = await confirm('Continue?');
+          if (!ok) {
+            output.info('Cancelled. Nothing was changed.');
+            return;
+          }
+        }
+        // Resolve URLs before wiping config so the clear scripts get consistent
+        // flags. Clearing is URL-independent, but this matches the other clear paths.
+        const backendUrl = config.getBaseUrl();
+        const gatewayUrl = config.getGatewayUrl();
+        const frontendUrl = config.getFrontendUrl();
+        console.log('');
+        const userTools = Object.keys(SETUP_TOOL_MAP).map(name => ({ name, ...SETUP_TOOL_MAP[name] }));
+        const userFailed = await clearToolsBestEffort('user', userTools, { mdm: false, backendUrl, gatewayUrl, frontendUrl });
+        // MDM clears are skipped in --user mode (they need root and touch all users).
+        let mdmFailed = [];
+        if (!opts.user) {
+          const mdmTools = Object.keys(MDM_TOOLS).map(name => ({ name, ...MDM_TOOLS[name] }));
+          mdmFailed = await clearToolsBestEffort('mdm', mdmTools, { mdm: true, backendUrl, gatewayUrl });
+        }
+        // Wipe credentials + settings last, regardless of tool-clear outcomes.
+        config.clearConfig();
+        output.success('Stored credentials and settings removed.');
+        console.log('');
+        const failed = [...userFailed, ...mdmFailed];
+        const scope = opts.user ? 'for your user' : 'on this device';
+        if (failed.length === 0) {
+          output.success(`Unbound removed ${scope}. The CLI is back to a fresh state — run "unbound login" to start over.`);
+        } else {
+          output.warn(`Done ${scope}, but ${failed.length} tool clear(s) reported issues: ${failed.join(', ')}. Credentials were still removed.`);
+        }
+      } catch (err) {
+        output.error(err.message);
+        process.exitCode = 1;
+      }
+    });
 }
 /**
@@ -849,4 +983,5 @@ module.exports = {
   MDM_ALL_TOOLS,
   buildScriptArgs,
   scriptSupportsBackfill,
+  resolveSetupAllTools,
 };

package/src/index.js CHANGED Viewed

@@ -73,18 +73,23 @@ TOOL SETUP
   $ unbound setup kilo-code                Show Kilo Code config values
   $ unbound setup custom-access            Show API key and base URL
-  Remove configuration:
+  Remove configuration (no API key needed to clear):
   $ unbound setup cursor --clear           Remove Unbound config for Cursor
   $ unbound setup copilot --clear          Remove Unbound config for GitHub Copilot
   $ unbound setup claude-code --clear      Remove Unbound config for Claude Code
   $ unbound setup gemini-cli --clear       Remove Unbound config for Gemini CLI
   $ unbound setup codex --clear            Remove Unbound config for Codex
+  $ unbound setup --all --clear            Remove config for every tool
+  Full uninstall (all tools + credentials):
+  $ sudo unbound nuke                      Wipe everything on the device (MDM + user); requires root
+  $ unbound nuke --user                    Wipe just your tools + credentials (no sudo)
 MDM SETUP (admin, requires root)
   $ sudo unbound setup mdm --admin-api-key KEY --all
   $ sudo unbound setup mdm --admin-api-key KEY cursor copilot codex-subscription
   $ sudo unbound setup mdm --admin-api-key KEY claude-code-subscription codex-subscription gemini-cli
-  $ sudo unbound setup mdm --admin-api-key KEY --clear cursor codex-subscription
+  $ sudo unbound setup mdm --clear cursor codex-subscription   (no API key needed to clear)
 MDM AI TOOLS DISCOVERY
   --domain defaults to the configured backend URL (set via "unbound config set-backend-url")

package/test/setup-args.test.js CHANGED Viewed

@@ -1,6 +1,6 @@
 const { test } = require('node:test');
 const assert = require('node:assert/strict');
-const { buildScriptArgs, scriptSupportsBackfill } = require('../src/commands/setup');
+const { buildScriptArgs, scriptSupportsBackfill, resolveSetupAllTools } = require('../src/commands/setup');
 // shellEscape single-quotes every value, so a real key surfaces as
 // --api-key '<key>' at the head of the argv tail.
@@ -102,3 +102,46 @@ test('buildScriptArgs: result is always trimmed', () => {
     assert.equal(args, args.trim(), JSON.stringify([key, opts]));
   }
 });
+// WEB-4587: clearing never needs an API key — including the MDM path. The
+// help/examples say so, and buildScriptArgs must back that up: clear+mdm with
+// no key emits --clear, no --api-key, no --domain (MDM has no browser auth).
+test('buildScriptArgs: mdm clear without key emits --clear and no --api-key/--domain', () => {
+  const args = buildScriptArgs(null, {
+    clear: true,
+    mdm: true,
+    backendUrl: 'https://backend.acme.com',
+    gatewayUrl: 'https://gateway.acme.com',
+    frontendUrl: 'https://gateway.acme.com',
+  });
+  assert.ok(args.includes('--clear'), args);
+  assert.ok(!args.includes('--api-key'), args);
+  assert.ok(!args.includes('--domain'), args); // mdm:true never passes the frontend URL
+});
+// WEB-4587 core fix: `setup --all --clear` must remove EVERY tool Unbound can
+// configure, not just the subscription install bundle. Otherwise a prior
+// gateway-mode or Gemini CLI setup is silently left behind.
+test('resolveSetupAllTools(false): install bundle is subscription-only, no gateway/gemini', () => {
+  const tools = resolveSetupAllTools(false);
+  // Membership + length (order-independent) so reordering SETUP_ALL_TOOLS doesn't break this.
+  assert.equal(tools.length, 4, `expected 4 tools, got ${tools.join(',')}`);
+  for (const t of ['cursor', 'claude-code-subscription', 'codex-subscription', 'copilot']) {
+    assert.ok(tools.includes(t), `install bundle missing ${t}: ${tools.join(',')}`);
+  }
+  assert.ok(!tools.includes('claude-code-gateway'), tools.join(','));
+  assert.ok(!tools.includes('codex-gateway'), tools.join(','));
+  assert.ok(!tools.includes('gemini-cli'), tools.join(','));
+});
+test('resolveSetupAllTools(true): clear-all covers every tool incl. gateway modes + gemini', () => {
+  const tools = resolveSetupAllTools(true);
+  for (const t of ['cursor', 'copilot', 'claude-code-subscription', 'claude-code-gateway',
+                   'gemini-cli', 'codex-subscription', 'codex-gateway']) {
+    assert.ok(tools.includes(t), `clear-all missing ${t}: ${tools.join(',')}`);
+  }
+  // The clear set must be a superset of the install bundle.
+  for (const t of resolveSetupAllTools(false)) {
+    assert.ok(tools.includes(t), `clear-all missing install-bundle tool ${t}`);
+  }
+});