unbound-cli 1.1.2 → 1.1.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "1.1.2",
+  "version": "1.1.3",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/auth.js

@@ -7,6 +7,7 @@ const { URL } = require('url');
 const config = require('./config');
 const output = require('./output');
 const api = require('./api');
+const { getDeviceSerial } = require('./device-serial');
 
 /**
  * Opens the browser for authentication and waits for the callback.
@@ -117,7 +118,13 @@ async function loginWithApiKey(apiKey, { baseUrl } = {}) {
   const spin = output.spinner('Authenticating...');
   let response;
   try {
-    response = await api.get('/api/v1/users/privileges/', { apiKey, baseUrl });
+    // Report this machine's serial so the backend can map the device to the
+    // authenticated user. Optional + best-effort: omitted when undeterminable.
+    // Awaited (not sync) so the probe never blocks the spinner on a cache miss.
+    const deviceSerial = await getDeviceSerial();
+    response = await api.get('/api/v1/users/privileges/', {
+      apiKey, baseUrl, query: { device_serial: deviceSerial },
+    });
   } catch (err) {
     let msg;
     if (err.statusCode === 401 || err.statusCode === 403) {

package/src/commands/login.js

@@ -3,6 +3,7 @@ const config = require('../config');
 const output = require('../output');
 const api = require('../api');
 const { loginWithBrowser, loginWithApiKey } = require('../auth');
+const { getDeviceSerial } = require('../device-serial');
 
 function register(program) {
   program
@@ -79,7 +80,10 @@ Examples:
           // Validate the just-stored key against the explicit backend if one
           // was just persisted; otherwise fall back to the env-var-aware
           // getter. api.get reads the stored key from config internally.
-          await api.get('/api/v1/users/privileges/', { baseUrl: explicitBaseUrl });
+          const deviceSerial = await getDeviceSerial();
+          await api.get('/api/v1/users/privileges/', {
+            baseUrl: explicitBaseUrl, query: { device_serial: deviceSerial },
+          });
         }
 
         const cfg = config.readConfig();

package/src/commands/status.js

@@ -1,6 +1,7 @@
 const config = require('../config');
 const api = require('../api');
 const output = require('../output');
+const { getDeviceSerial } = require('../device-serial');
 
 function register(program) {
   program
@@ -36,7 +37,10 @@ Examples:
         if (loggedIn) {
           const spin = output.spinner('Checking API connectivity...');
           try {
-            const privileges = await api.get('/api/v1/users/privileges/');
+            const deviceSerial = await getDeviceSerial();
+            const privileges = await api.get('/api/v1/users/privileges/', {
+              query: { device_serial: deviceSerial },
+            });
             config.backfillUserInfo(privileges);
             spin.stop();
             connectivity = 'Connected';

package/src/commands/whoami.js

@@ -1,6 +1,7 @@
 const config = require('../config');
 const api = require('../api');
 const output = require('../output');
+const { getDeviceSerial } = require('../device-serial');
 
 function roleFromPrivileges(privileges) {
   if (privileges.is_admin) return 'Admin';
@@ -34,7 +35,10 @@ Examples:
       const cfg = config.readConfig();
       const spin = output.spinner('Fetching user info...');
       try {
-        const privileges = await api.get('/api/v1/users/privileges/');
+        const deviceSerial = await getDeviceSerial();
+        const privileges = await api.get('/api/v1/users/privileges/', {
+          query: { device_serial: deviceSerial },
+        });
         spin.stop();
         config.backfillUserInfo(privileges);
 

package/src/device-serial.js

@@ -0,0 +1,159 @@
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const { execFile } = require('child_process');
+const { promisify } = require('util');
+const { CONFIG_DIR } = require('./config');
+
+const execFileAsync = promisify(execFile);
+
+// Shared with the endpoint hooks: they cache the same value under this key so a
+// machine reports one identity across the CLI and the installed hooks.
+const IDENTITY_CACHE_FILE = path.join(CONFIG_DIR, 'identity.json');
+const PROBE_TIMEOUT_MS = 3000;
+
+// DMI/BIOS serial fields are often unset on VMs and OEM boards and come back as a
+// shared sentinel (with a zero exit code), which would map many machines onto one
+// fake serial. Treat these as "no serial" and fall through. Mirrors the hooks +
+// discovery scanner so all three agree on a machine's identity.
+const PLACEHOLDER_SERIALS = new Set([
+  '', '0', '00000000', '000000000', '0000000000', 'none', 'na', 'n/a',
+  'unknown', 'default', 'default string', 'to be filled by o.e.m.',
+  'to be filled by oem', 'system serial number', 'serial number',
+  'not applicable', 'not specified', 'not available', 'oem', 'o.e.m.',
+  'invalid', '123456789', 'xxxxxxxx',
+]);
+
+// Best-effort serial is intentionally non-fatal, so failures are swallowed rather
+// than surfaced to the user. Set UNBOUND_DEBUG=1 to trace why a serial was omitted.
+function debug(msg) {
+  if (process.env.UNBOUND_DEBUG) {
+    try { process.stderr.write(`[unbound] device-serial: ${msg}\n`); } catch { /* ignore */ }
+  }
+}
+
+function isValidSerial(value) {
+  return typeof value === 'string'
+    && value.trim() !== ''
+    && !PLACEHOLDER_SERIALS.has(value.trim().toLowerCase());
+}
+
+// Run a probe command asynchronously so the event loop (and the caller's spinner)
+// stays alive during the probe. Bounded by a timeout, never throws, resolves to
+// stdout or null (nonzero exit / timeout / missing binary all map to null).
+async function run(cmd, args) {
+  try {
+    const { stdout } = await execFileAsync(cmd, args, {
+      timeout: PROBE_TIMEOUT_MS, windowsHide: true, encoding: 'utf8',
+    });
+    return typeof stdout === 'string' ? stdout : null;
+  } catch (err) {
+    debug(`probe '${cmd}' failed: ${err && err.message}`);
+    return null;
+  }
+}
+
+// Best-effort hardware serial, mirroring the MDM setup scripts and discovery
+// scanner. Filters OEM/VM placeholders so two machines never collide on the same
+// fake serial, falling through to a stable per-install id (machine-id / MachineGuid).
+async function probeSerial() {
+  const platform = os.platform();
+
+  if (platform === 'darwin') {
+    const out = await run('system_profiler', ['SPHardwareDataType']);
+    if (out) {
+      for (const line of out.split('\n')) {
+        if (line.includes('Serial Number')) {
+          const idx = line.indexOf(': ');
+          if (idx !== -1) {
+            const value = line.slice(idx + 2).trim();
+            if (isValidSerial(value)) return value;
+          }
+        }
+      }
+    }
+    return null;
+  }
+
+  if (platform === 'linux') {
+    const dmi = await run('dmidecode', ['-s', 'system-serial-number']); // needs root; falls through otherwise
+    if (dmi && isValidSerial(dmi)) return dmi.trim();
+    for (const p of ['/etc/machine-id', '/var/lib/dbus/machine-id']) {
+      try {
+        const value = fs.readFileSync(p, 'utf8').trim();
+        if (isValidSerial(value)) return value;
+      } catch {
+        // try the next path
+      }
+    }
+    return null;
+  }
+
+  if (platform === 'win32') {
+    const bios = await run('powershell', ['-NoProfile', '-Command',
+      '(Get-CimInstance -ClassName Win32_BIOS).SerialNumber']);
+    if (bios && isValidSerial(bios)) return bios.trim();
+    const guid = await run('powershell', ['-NoProfile', '-Command',
+      "(Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Cryptography').MachineGuid"]);
+    if (guid && isValidSerial(guid)) return guid.trim();
+    return null;
+  }
+
+  debug(`unsupported platform: ${platform}`);
+  return null;
+}
+
+function readCache() {
+  try {
+    const data = JSON.parse(fs.readFileSync(IDENTITY_CACHE_FILE, 'utf8'));
+    if (data && typeof data === 'object') return data;
+  } catch (err) {
+    if (err.code !== 'ENOENT') debug(`cache read failed: ${err.message}`);
+  }
+  return {};
+}
+
+// Merge + atomic write so a torn file can't corrupt the cache the hooks share.
+function writeCache(data) {
+  try {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+    const tmp = path.join(CONFIG_DIR, `.identity.${process.pid}.tmp`);
+    fs.writeFileSync(tmp, JSON.stringify(data), { mode: 0o600 });
+    fs.renameSync(tmp, IDENTITY_CACHE_FILE);
+  } catch (err) {
+    // an unwritable cache is fine — we still return the probed value
+    debug(`cache write failed: ${err.message}`);
+  }
+}
+
+/**
+ * Best-effort hardware serial, shared with the endpoint hooks via
+ * ~/.unbound/identity.json. Reads the cache first (instant); probes asynchronously
+ * and persists only when missing, so the caller's spinner keeps animating. Never
+ * throws — resolves to null when the serial can't be determined, so callers simply
+ * omit it from the request. Set UNBOUND_DEBUG=1 to trace omissions.
+ */
+async function getDeviceSerial() {
+  try {
+    const data = readCache();
+    // Validate the cached value, not just its presence — an older CLI or hook could
+    // have persisted a placeholder (e.g. "System Serial Number"). Treat junk as a
+    // miss and re-probe, so a polluted cache self-heals instead of leaking a sentinel.
+    const cached = data.device_serial;
+    if (isValidSerial(cached)) return cached.trim();
+
+    const serial = await probeSerial();
+    if (serial) {
+      data.device_serial = serial;
+      writeCache(data);
+    } else {
+      debug('no serial could be determined; omitting device_serial');
+    }
+    return serial || null;
+  } catch (err) {
+    debug(`getDeviceSerial failed: ${err && err.message}`);
+    return null;
+  }
+}
+
+module.exports = { getDeviceSerial, isValidSerial };

package/test/device-serial.test.js

@@ -0,0 +1,37 @@
+const { test } = require('node:test');
+const assert = require('node:assert');
+const { isValidSerial, getDeviceSerial } = require('../src/device-serial');
+
+test('isValidSerial: accepts real hardware serials', () => {
+  assert.equal(isValidSerial('M6KYTR4M2Q'), true);
+  assert.equal(isValidSerial('DP4Y2K37VV'), true);
+  // Parallels VM serial (spaces are part of the value, not a separator)
+  assert.equal(isValidSerial('Parallels-74 09 F2 8A 55 09 40 3D AA 13 19 BD CC 96 0F 0B'), true);
+});
+
+test('isValidSerial: rejects OEM/VM placeholder sentinels', () => {
+  for (const junk of [
+    '', '0', '00000000', 'To Be Filled By O.E.M.', 'System Serial Number',
+    'Default String', 'None', 'N/A', 'unknown', 'invalid', '123456789',
+  ]) {
+    assert.equal(isValidSerial(junk), false, `expected placeholder rejected: ${JSON.stringify(junk)}`);
+  }
+});
+
+test('isValidSerial: placeholder match is case- and whitespace-insensitive', () => {
+  assert.equal(isValidSerial('  to be filled by o.e.m.  '), false);
+  assert.equal(isValidSerial('SYSTEM SERIAL NUMBER'), false);
+});
+
+test('isValidSerial: rejects non-string input', () => {
+  assert.equal(isValidSerial(null), false);
+  assert.equal(isValidSerial(undefined), false);
+  assert.equal(isValidSerial(12345), false);
+  assert.equal(isValidSerial({}), false);
+});
+
+test('getDeviceSerial: is async and resolves to a string or null without throwing', async () => {
+  const result = await getDeviceSerial();
+  assert.ok(result === null || (typeof result === 'string' && result.length > 0),
+    `expected string|null, got ${typeof result}: ${JSON.stringify(result)}`);
+});