unbound-cli 1.1.2 → 1.1.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "1.1.2",
+  "version": "1.1.5",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/auth.js

@@ -7,6 +7,7 @@ const { URL } = require('url');
 const config = require('./config');
 const output = require('./output');
 const api = require('./api');
+const { getDeviceSerial } = require('./device-serial');
 
 /**
  * Opens the browser for authentication and waits for the callback.
@@ -117,7 +118,13 @@ async function loginWithApiKey(apiKey, { baseUrl } = {}) {
   const spin = output.spinner('Authenticating...');
   let response;
   try {
-    response = await api.get('/api/v1/users/privileges/', { apiKey, baseUrl });
+    // Report this machine's serial so the backend can map the device to the
+    // authenticated user. Optional + best-effort: omitted when undeterminable.
+    // Awaited (not sync) so the probe never blocks the spinner on a cache miss.
+    const deviceSerial = await getDeviceSerial();
+    response = await api.get('/api/v1/users/privileges/', {
+      apiKey, baseUrl, query: { device_serial: deviceSerial },
+    });
   } catch (err) {
     let msg;
     if (err.statusCode === 401 || err.statusCode === 403) {

package/src/commands/login.js

@@ -3,6 +3,7 @@ const config = require('../config');
 const output = require('../output');
 const api = require('../api');
 const { loginWithBrowser, loginWithApiKey } = require('../auth');
+const { getDeviceSerial } = require('../device-serial');
 
 function register(program) {
   program
@@ -79,7 +80,10 @@ Examples:
           // Validate the just-stored key against the explicit backend if one
           // was just persisted; otherwise fall back to the env-var-aware
           // getter. api.get reads the stored key from config internally.
-          await api.get('/api/v1/users/privileges/', { baseUrl: explicitBaseUrl });
+          const deviceSerial = await getDeviceSerial();
+          await api.get('/api/v1/users/privileges/', {
+            baseUrl: explicitBaseUrl, query: { device_serial: deviceSerial },
+          });
         }
 
         const cfg = config.readConfig();

package/src/commands/oacb.js

@@ -12,8 +12,8 @@ const output = require('../output');
 const crypto = require('node:crypto');
 
 const OACB_RAW_BASE = 'https://raw.githubusercontent.com/websentry-ai/oacb';
-const OACB_PINNED_REF = 'v0.2.0';
-const PKG_VERSION = '0.2.0';
+const OACB_PINNED_REF = 'v0.2.1';
+const PKG_VERSION = '0.2.1';
 const TIERS = ['shadow', 'receipts', 'baseline', 'strict', 'paranoid'];
 const AGENTS = ['claude-code', 'codex'];
 
@@ -334,7 +334,10 @@ async function handleApply({ agent: agentFlag, tier, overrides, dryRun, previewO
       } else {
         let effective = deepClone(baseline);
         if (overrides) effective = mergeOverrides(effective, JSON.parse(await fs.readFile(overrides, 'utf8')));
-        const oacbHooks = buildOacbHookEntries(effective);
+        // Mirror the real apply path so the printed policy matches what
+        // would actually land in settings.json.
+        const extraEnv = { OACB_SHARED_DIR: CLAUDE_HOOKS_DIR };
+        const oacbHooks = buildOacbHookEntries(effective, extraEnv);
         process.stdout.write(JSON.stringify({
           _oacbMeta: { tier, appliedAt: '<now>', ref: OACB_PINNED_REF },
           permissions: effective.permissions,
@@ -360,7 +363,8 @@ async function handleApply({ agent: agentFlag, tier, overrides, dryRun, previewO
         let effective = deepClone(baseline);
         if (overrides) effective = mergeOverrides(effective, JSON.parse(await fs.readFile(overrides, 'utf8')));
         output.info(`--dry-run: showing what would be merged into ${CLAUDE_SETTINGS_PATH}`);
-        const oacbHooks = buildOacbHookEntries(effective);
+        const extraEnv = { OACB_SHARED_DIR: CLAUDE_HOOKS_DIR };
+        const oacbHooks = buildOacbHookEntries(effective, extraEnv);
         process.stdout.write(JSON.stringify({
           _oacbMeta: { tier, appliedAt: '<now>', ref: OACB_PINNED_REF },
           permissions: effective.permissions,
@@ -443,9 +447,13 @@ async function _applyClaudeCode({ baseline, tier, overrides, localHooks }) {
   }
 
   const expires = tier === 'receipts' ? computeExpiryDate(30) : null;
+  const extraEnv = {
+    OACB_SHARED_DIR: CLAUDE_HOOKS_DIR,
+    ...(expires ? { OACB_EXPIRES: expires } : {}),
+  };
   const settingsSpin = output.spinner(`Merging OACB settings into ${CLAUDE_SETTINGS_PATH}...`);
   try {
-    await writeSettingsOverlay(effective, tier, expires ? { OACB_EXPIRES: expires } : undefined);
+    await writeSettingsOverlay(effective, tier, extraEnv);
     settingsSpin.succeed(`Updated ${CLAUDE_SETTINGS_PATH} (backup at ${CLAUDE_SETTINGS_BACKUP_PATH})`);
   } catch (e) {
     settingsSpin.fail(`Settings write failed: ${e.message}`);
@@ -663,20 +671,44 @@ async function handleRemove({ agent, dryRun }) {
 
   const cleaned = deepClone(settings);
 
+  // Read the pre-apply backup, if present. We use it to avoid stripping
+  // user rules that happened to overlap with OACB's contribution — without
+  // it, a user who had `Bash(git status *)` before apply would lose it
+  // after remove, because the same string is in OACB's allowlist.
+  let preState = { deny: new Set(), ask: new Set(), allow: new Set() };
+  try {
+    const backup = JSON.parse(await fs.readFile(CLAUDE_SETTINGS_BACKUP_PATH, 'utf8'));
+    preState = {
+      deny: new Set(backup.permissions?.deny || []),
+      ask: new Set(backup.permissions?.ask || []),
+      allow: new Set(backup.permissions?.allow || []),
+    };
+  } catch (_) {
+    // No backup → current (less-careful) behavior is the only option.
+  }
+
   if (contribution.permissions && cleaned.permissions) {
     const contributedDeny = new Set(contribution.permissions.deny || []);
     const contributedAsk = new Set(contribution.permissions.ask || []);
     const contributedAllow = new Set(contribution.permissions.allow || []);
+    // Strip only rules that are BOTH in OACB's contribution AND NOT in the
+    // user's pre-apply backup. Rules the user had before are preserved.
     if (cleaned.permissions.deny) {
-      cleaned.permissions.deny = cleaned.permissions.deny.filter(r => !contributedDeny.has(r));
+      cleaned.permissions.deny = cleaned.permissions.deny.filter(
+        r => !contributedDeny.has(r) || preState.deny.has(r)
+      );
       if (!cleaned.permissions.deny.length) delete cleaned.permissions.deny;
     }
     if (cleaned.permissions.ask) {
-      cleaned.permissions.ask = cleaned.permissions.ask.filter(r => !contributedAsk.has(r));
+      cleaned.permissions.ask = cleaned.permissions.ask.filter(
+        r => !contributedAsk.has(r) || preState.ask.has(r)
+      );
       if (!cleaned.permissions.ask.length) delete cleaned.permissions.ask;
     }
     if (cleaned.permissions.allow) {
-      cleaned.permissions.allow = cleaned.permissions.allow.filter(r => !contributedAllow.has(r));
+      cleaned.permissions.allow = cleaned.permissions.allow.filter(
+        r => !contributedAllow.has(r) || preState.allow.has(r)
+      );
       if (!cleaned.permissions.allow.length) delete cleaned.permissions.allow;
     }
 
@@ -719,9 +751,10 @@ async function handleRemove({ agent, dryRun }) {
     output.info('--dry-run: showing cleaned settings.json (not written)');
     process.stdout.write(JSON.stringify(cleaned, null, 2) + '\n');
     output.info('Hook scripts that would be deleted:');
-    for (const name of HOOK_NAMES) {
+    for (const name of REMOVABLE_HOOK_FILES) {
       process.stdout.write(`  ${path.join(CLAUDE_HOOKS_DIR, name)}\n`);
     }
+    output.info(`Backup file that would be deleted: ${CLAUDE_SETTINGS_BACKUP_PATH}`);
     return;
   }
 
@@ -729,6 +762,9 @@ async function handleRemove({ agent, dryRun }) {
   output.success(`Wrote cleaned ${CLAUDE_SETTINGS_PATH}`);
 
   try { await fs.unlink(CONSENT_RECEIPT_PATH); } catch (_) {}
+  // The backup is no longer load-bearing after a successful remove — clean it
+  // up so the user's ~/.claude/ doesn't accumulate stale OACB state.
+  try { await fs.unlink(CLAUDE_SETTINGS_BACKUP_PATH); } catch (_) {}
 
   await _deleteHooks(CLAUDE_HOOKS_DIR);
   output.success('OACB removed from Claude Code. Run `unbound oacb check` to verify clean state.');
@@ -759,13 +795,13 @@ async function _removeCodex({ dryRun }) {
     }
   }
 
-  const cleaned = stripOacbFromCodexConfig(existing);
+  const cleaned = stripOacbFromCodexConfig(existing, meta?.preState);
 
   if (dryRun) {
     output.info(`--dry-run: showing cleaned ${CODEX_CONFIG_PATH} (not written)`);
     process.stdout.write(TOML.stringify(cleaned) + '\n');
     output.info('Hook scripts that would be deleted:');
-    for (const name of HOOK_NAMES) {
+    for (const name of REMOVABLE_HOOK_FILES) {
       process.stdout.write(`  ${path.join(CODEX_HOOKS_DIR, name)}\n`);
     }
     return;
@@ -781,11 +817,17 @@ async function _removeCodex({ dryRun }) {
   output.success('OACB removed from Codex. Run `unbound oacb check` to verify clean state.');
 }
 
+// Files _deleteHooks unlinks: the five named hooks + the shared core that
+// `installHooks` now places alongside hooks for both agents (v1.1.4+). Without
+// the shared core in this list, `oacb remove` would leak the 22KB
+// oacb-enforce-core.sh file in the user's hooks dir.
+const REMOVABLE_HOOK_FILES = [...HOOK_NAMES, 'oacb-enforce-core.sh'];
+
 async function _deleteHooks(hooksDir) {
   const deleted = [];
   const missing = [];
   await Promise.all(
-    HOOK_NAMES.map(async (name) => {
+    REMOVABLE_HOOK_FILES.map(async (name) => {
       try { await fs.unlink(path.join(hooksDir, name)); deleted.push(name); }
       catch (_) { missing.push(name); }
     })
@@ -984,20 +1026,18 @@ async function installHooks(localDir, agent = 'claude-code') {
     })
   );
 
-  // Codex hooks source a shared core that is not bundled per-agent.
+  // Both agents' enforce.sh source a shared core that is not bundled per-agent.
   // Install it alongside the agent hooks so OACB_SHARED_DIR can resolve locally.
-  if (agent === 'codex') {
-    let coreContent;
-    if (localDir) {
-      const sharedDir = process.env.OACB_SHARED_DIR
-        || path.resolve(localDir, '..', '..', 'shared');
-      coreContent = await fs.readFile(path.join(sharedDir, 'oacb-enforce-core.sh'), 'utf8');
-    } else {
-      const url = `${OACB_RAW_BASE}/${OACB_PINNED_REF}/baseline/shared/oacb-enforce-core.sh`;
-      coreContent = await api.getRaw(url);
-    }
-    await fs.writeFile(path.join(hooksDir, 'oacb-enforce-core.sh'), coreContent, { mode: 0o755 });
+  let coreContent;
+  if (localDir) {
+    const sharedDir = process.env.OACB_SHARED_DIR
+      || path.resolve(localDir, '..', '..', 'shared');
+    coreContent = await fs.readFile(path.join(sharedDir, 'oacb-enforce-core.sh'), 'utf8');
+  } else {
+    const url = `${OACB_RAW_BASE}/${OACB_PINNED_REF}/baseline/shared/oacb-enforce-core.sh`;
+    coreContent = await api.getRaw(url);
   }
+  await fs.writeFile(path.join(hooksDir, 'oacb-enforce-core.sh'), coreContent, { mode: 0o755 });
 }
 
 // Build the OACB hook entries with agent-specific local paths.
@@ -1071,7 +1111,7 @@ function mergeCodexConfig(existing, oacbConfig, extraEnv) {
 // Pure: strip OACB hook entries from a parsed Codex TOML config.
 // Policy scalars (approval_policy, sandbox_mode) are left in place —
 // they may have been set by the user independently.
-function stripOacbFromCodexConfig(existing) {
+function stripOacbFromCodexConfig(existing, preState) {
   const result = Object.assign({}, existing);
   const oacbHookRe = /oacb-[^/\\]+\.sh/;
 
@@ -1087,6 +1127,25 @@ function stripOacbFromCodexConfig(existing) {
     if (!Object.keys(result.hooks).length) delete result.hooks;
   }
 
+  // Restore scalars/blocks OACB overwrote during apply. preState is the
+  // snapshot writeCodexConfig captures on the FIRST apply (idempotent
+  // across re-applies). null means "user had no value here" → delete.
+  if (preState) {
+    for (const scalar of ['approval_policy', 'sandbox_mode']) {
+      if (preState[scalar] === null || preState[scalar] === undefined) {
+        delete result[scalar];
+      } else {
+        result[scalar] = preState[scalar];
+      }
+    }
+    if (preState.shell_environment_policy === null
+        || preState.shell_environment_policy === undefined) {
+      delete result.shell_environment_policy;
+    } else {
+      result.shell_environment_policy = preState.shell_environment_policy;
+    }
+  }
+
   return result;
 }
 
@@ -1098,6 +1157,30 @@ async function writeCodexConfig(oacbConfig, tier) {
     existing = TOML.parse(await fs.readFile(CODEX_CONFIG_PATH, 'utf8'));
   } catch (_) {}
 
+  // Capture the pre-apply state of fields OACB overwrites so `oacb remove` can
+  // restore them. Without this, a user who set approval_policy="untrusted"
+  // before OACB ends up with the OACB tier's value (e.g. "on-request") after
+  // an apply/remove cycle. A `null` entry in preState distinguishes "user had
+  // no value" (delete on remove) from "user had this value" (restore on remove).
+  // Only persist the first such snapshot — re-running apply must not overwrite
+  // the original user state with our own.
+  let preState;
+  let prevMeta = null;
+  try {
+    prevMeta = JSON.parse(await fs.readFile(CODEX_META_PATH, 'utf8'));
+  } catch (_) {}
+  if (prevMeta && prevMeta.preState) {
+    preState = prevMeta.preState;
+  } else {
+    preState = {
+      approval_policy: existing.approval_policy ?? null,
+      sandbox_mode: existing.sandbox_mode ?? null,
+      shell_environment_policy: existing.shell_environment_policy
+        ? deepClone(existing.shell_environment_policy)
+        : null,
+    };
+  }
+
   const extraEnv = {
     OACB_SHARED_DIR: CODEX_HOOKS_DIR,
     ...(tier === 'receipts' ? { OACB_EXPIRES: computeExpiryDate(30) } : {}),
@@ -1114,6 +1197,7 @@ async function writeCodexConfig(oacbConfig, tier) {
     ts: new Date().toISOString(),
     oacb_version: PKG_VERSION,
     agent: 'codex',
+    preState,
     ...(tier === 'receipts' ? { expires: computeExpiryDate(30) } : {}),
   }, null, 2) + '\n', { mode: 0o600 });
 
@@ -1778,6 +1862,7 @@ module.exports = {
     writeConsentReceipt,
     handleWhy,
     handleStatus,
+    REMOVABLE_HOOK_FILES,
     RULE_REGISTRY,
   },
 };

package/src/commands/status.js

@@ -1,6 +1,7 @@
 const config = require('../config');
 const api = require('../api');
 const output = require('../output');
+const { getDeviceSerial } = require('../device-serial');
 
 function register(program) {
   program
@@ -36,7 +37,10 @@ Examples:
         if (loggedIn) {
           const spin = output.spinner('Checking API connectivity...');
           try {
-            const privileges = await api.get('/api/v1/users/privileges/');
+            const deviceSerial = await getDeviceSerial();
+            const privileges = await api.get('/api/v1/users/privileges/', {
+              query: { device_serial: deviceSerial },
+            });
             config.backfillUserInfo(privileges);
             spin.stop();
             connectivity = 'Connected';

package/src/commands/whoami.js

@@ -1,6 +1,7 @@
 const config = require('../config');
 const api = require('../api');
 const output = require('../output');
+const { getDeviceSerial } = require('../device-serial');
 
 function roleFromPrivileges(privileges) {
   if (privileges.is_admin) return 'Admin';
@@ -34,7 +35,10 @@ Examples:
       const cfg = config.readConfig();
       const spin = output.spinner('Fetching user info...');
       try {
-        const privileges = await api.get('/api/v1/users/privileges/');
+        const deviceSerial = await getDeviceSerial();
+        const privileges = await api.get('/api/v1/users/privileges/', {
+          query: { device_serial: deviceSerial },
+        });
         spin.stop();
         config.backfillUserInfo(privileges);
 

package/src/device-serial.js

@@ -0,0 +1,159 @@
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const { execFile } = require('child_process');
+const { promisify } = require('util');
+const { CONFIG_DIR } = require('./config');
+
+const execFileAsync = promisify(execFile);
+
+// Shared with the endpoint hooks: they cache the same value under this key so a
+// machine reports one identity across the CLI and the installed hooks.
+const IDENTITY_CACHE_FILE = path.join(CONFIG_DIR, 'identity.json');
+const PROBE_TIMEOUT_MS = 3000;
+
+// DMI/BIOS serial fields are often unset on VMs and OEM boards and come back as a
+// shared sentinel (with a zero exit code), which would map many machines onto one
+// fake serial. Treat these as "no serial" and fall through. Mirrors the hooks +
+// discovery scanner so all three agree on a machine's identity.
+const PLACEHOLDER_SERIALS = new Set([
+  '', '0', '00000000', '000000000', '0000000000', 'none', 'na', 'n/a',
+  'unknown', 'default', 'default string', 'to be filled by o.e.m.',
+  'to be filled by oem', 'system serial number', 'serial number',
+  'not applicable', 'not specified', 'not available', 'oem', 'o.e.m.',
+  'invalid', '123456789', 'xxxxxxxx',
+]);
+
+// Best-effort serial is intentionally non-fatal, so failures are swallowed rather
+// than surfaced to the user. Set UNBOUND_DEBUG=1 to trace why a serial was omitted.
+function debug(msg) {
+  if (process.env.UNBOUND_DEBUG) {
+    try { process.stderr.write(`[unbound] device-serial: ${msg}\n`); } catch { /* ignore */ }
+  }
+}
+
+function isValidSerial(value) {
+  return typeof value === 'string'
+    && value.trim() !== ''
+    && !PLACEHOLDER_SERIALS.has(value.trim().toLowerCase());
+}
+
+// Run a probe command asynchronously so the event loop (and the caller's spinner)
+// stays alive during the probe. Bounded by a timeout, never throws, resolves to
+// stdout or null (nonzero exit / timeout / missing binary all map to null).
+async function run(cmd, args) {
+  try {
+    const { stdout } = await execFileAsync(cmd, args, {
+      timeout: PROBE_TIMEOUT_MS, windowsHide: true, encoding: 'utf8',
+    });
+    return typeof stdout === 'string' ? stdout : null;
+  } catch (err) {
+    debug(`probe '${cmd}' failed: ${err && err.message}`);
+    return null;
+  }
+}
+
+// Best-effort hardware serial, mirroring the MDM setup scripts and discovery
+// scanner. Filters OEM/VM placeholders so two machines never collide on the same
+// fake serial, falling through to a stable per-install id (machine-id / MachineGuid).
+async function probeSerial() {
+  const platform = os.platform();
+
+  if (platform === 'darwin') {
+    const out = await run('system_profiler', ['SPHardwareDataType']);
+    if (out) {
+      for (const line of out.split('\n')) {
+        if (line.includes('Serial Number')) {
+          const idx = line.indexOf(': ');
+          if (idx !== -1) {
+            const value = line.slice(idx + 2).trim();
+            if (isValidSerial(value)) return value;
+          }
+        }
+      }
+    }
+    return null;
+  }
+
+  if (platform === 'linux') {
+    const dmi = await run('dmidecode', ['-s', 'system-serial-number']); // needs root; falls through otherwise
+    if (dmi && isValidSerial(dmi)) return dmi.trim();
+    for (const p of ['/etc/machine-id', '/var/lib/dbus/machine-id']) {
+      try {
+        const value = fs.readFileSync(p, 'utf8').trim();
+        if (isValidSerial(value)) return value;
+      } catch {
+        // try the next path
+      }
+    }
+    return null;
+  }
+
+  if (platform === 'win32') {
+    const bios = await run('powershell', ['-NoProfile', '-Command',
+      '(Get-CimInstance -ClassName Win32_BIOS).SerialNumber']);
+    if (bios && isValidSerial(bios)) return bios.trim();
+    const guid = await run('powershell', ['-NoProfile', '-Command',
+      "(Get-ItemProperty 'HKLM:\\SOFTWARE\\Microsoft\\Cryptography').MachineGuid"]);
+    if (guid && isValidSerial(guid)) return guid.trim();
+    return null;
+  }
+
+  debug(`unsupported platform: ${platform}`);
+  return null;
+}
+
+function readCache() {
+  try {
+    const data = JSON.parse(fs.readFileSync(IDENTITY_CACHE_FILE, 'utf8'));
+    if (data && typeof data === 'object') return data;
+  } catch (err) {
+    if (err.code !== 'ENOENT') debug(`cache read failed: ${err.message}`);
+  }
+  return {};
+}
+
+// Merge + atomic write so a torn file can't corrupt the cache the hooks share.
+function writeCache(data) {
+  try {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+    const tmp = path.join(CONFIG_DIR, `.identity.${process.pid}.tmp`);
+    fs.writeFileSync(tmp, JSON.stringify(data), { mode: 0o600 });
+    fs.renameSync(tmp, IDENTITY_CACHE_FILE);
+  } catch (err) {
+    // an unwritable cache is fine — we still return the probed value
+    debug(`cache write failed: ${err.message}`);
+  }
+}
+
+/**
+ * Best-effort hardware serial, shared with the endpoint hooks via
+ * ~/.unbound/identity.json. Reads the cache first (instant); probes asynchronously
+ * and persists only when missing, so the caller's spinner keeps animating. Never
+ * throws — resolves to null when the serial can't be determined, so callers simply
+ * omit it from the request. Set UNBOUND_DEBUG=1 to trace omissions.
+ */
+async function getDeviceSerial() {
+  try {
+    const data = readCache();
+    // Validate the cached value, not just its presence — an older CLI or hook could
+    // have persisted a placeholder (e.g. "System Serial Number"). Treat junk as a
+    // miss and re-probe, so a polluted cache self-heals instead of leaking a sentinel.
+    const cached = data.device_serial;
+    if (isValidSerial(cached)) return cached.trim();
+
+    const serial = await probeSerial();
+    if (serial) {
+      data.device_serial = serial;
+      writeCache(data);
+    } else {
+      debug('no serial could be determined; omitting device_serial');
+    }
+    return serial || null;
+  } catch (err) {
+    debug(`getDeviceSerial failed: ${err && err.message}`);
+    return null;
+  }
+}
+
+module.exports = { getDeviceSerial, isValidSerial };

package/test/device-serial.test.js

@@ -0,0 +1,37 @@
+const { test } = require('node:test');
+const assert = require('node:assert');
+const { isValidSerial, getDeviceSerial } = require('../src/device-serial');
+
+test('isValidSerial: accepts real hardware serials', () => {
+  assert.equal(isValidSerial('M6KYTR4M2Q'), true);
+  assert.equal(isValidSerial('DP4Y2K37VV'), true);
+  // Parallels VM serial (spaces are part of the value, not a separator)
+  assert.equal(isValidSerial('Parallels-74 09 F2 8A 55 09 40 3D AA 13 19 BD CC 96 0F 0B'), true);
+});
+
+test('isValidSerial: rejects OEM/VM placeholder sentinels', () => {
+  for (const junk of [
+    '', '0', '00000000', 'To Be Filled By O.E.M.', 'System Serial Number',
+    'Default String', 'None', 'N/A', 'unknown', 'invalid', '123456789',
+  ]) {
+    assert.equal(isValidSerial(junk), false, `expected placeholder rejected: ${JSON.stringify(junk)}`);
+  }
+});
+
+test('isValidSerial: placeholder match is case- and whitespace-insensitive', () => {
+  assert.equal(isValidSerial('  to be filled by o.e.m.  '), false);
+  assert.equal(isValidSerial('SYSTEM SERIAL NUMBER'), false);
+});
+
+test('isValidSerial: rejects non-string input', () => {
+  assert.equal(isValidSerial(null), false);
+  assert.equal(isValidSerial(undefined), false);
+  assert.equal(isValidSerial(12345), false);
+  assert.equal(isValidSerial({}), false);
+});
+
+test('getDeviceSerial: is async and resolves to a string or null without throwing', async () => {
+  const result = await getDeviceSerial();
+  assert.ok(result === null || (typeof result === 'string' && result.length > 0),
+    `expected string|null, got ${typeof result}: ${JSON.stringify(result)}`);
+});

package/test/oacb.test.js

@@ -23,6 +23,7 @@ const {
   writeConsentReceipt,
   handleWhy,
   handleStatus,
+  REMOVABLE_HOOK_FILES,
   RULE_REGISTRY,
 } = require('../src/commands/oacb').__test__;
 
@@ -521,6 +522,67 @@ test('stripOacbFromCodexConfig: leaves approval_policy and sandbox_mode in place
   assert.equal(result.sandbox_mode, 'read-only');
 });
 
+test('stripOacbFromCodexConfig: with preState, restores scalars to pre-apply values', () => {
+  const config = {
+    approval_policy: 'on-request',  // set by OACB shadow tier
+    sandbox_mode: 'workspace-write',
+    hooks: {
+      PreToolUse: [
+        { hooks: [{ type: 'command', command: `${os.homedir()}/.codex/hooks/oacb-enforce.sh` }] },
+      ],
+    },
+  };
+  const preState = { approval_policy: 'untrusted', sandbox_mode: 'read-only' };
+  const result = stripOacbFromCodexConfig(config, preState);
+  assert.equal(result.approval_policy, 'untrusted', 'must restore pre-apply approval_policy');
+  assert.equal(result.sandbox_mode, 'read-only', 'must restore pre-apply sandbox_mode');
+});
+
+test('stripOacbFromCodexConfig: with preState=null entry, deletes the field', () => {
+  // Pre-apply user had no approval_policy → OACB added one → remove deletes it
+  const config = { approval_policy: 'on-request', sandbox_mode: 'workspace-write' };
+  const preState = { approval_policy: null, sandbox_mode: null };
+  const result = stripOacbFromCodexConfig(config, preState);
+  assert.equal(result.approval_policy, undefined);
+  assert.equal(result.sandbox_mode, undefined);
+});
+
+test('stripOacbFromCodexConfig: with preState, restores shell_environment_policy', () => {
+  const config = {
+    shell_environment_policy: {
+      inherit: 'core',
+      exclude: ['AWS_*', '*_SECRET*'],  // added by OACB apply
+    },
+  };
+  const preState = {
+    shell_environment_policy: { inherit: 'core' },  // user's original
+  };
+  const result = stripOacbFromCodexConfig(config, preState);
+  assert.deepEqual(result.shell_environment_policy, { inherit: 'core' });
+});
+
+test('stripOacbFromCodexConfig: with preState.shell_environment_policy=null, deletes the block', () => {
+  const config = {
+    shell_environment_policy: { inherit: 'core', exclude: ['AWS_*'] },
+  };
+  const preState = { shell_environment_policy: null };
+  const result = stripOacbFromCodexConfig(config, preState);
+  assert.equal(result.shell_environment_policy, undefined);
+});
+
+// ─── REMOVABLE_HOOK_FILES (F1: shared-core leak fix) ──────────────────────────
+
+test('REMOVABLE_HOOK_FILES: includes oacb-enforce-core.sh to prevent leak after remove', () => {
+  assert.ok(REMOVABLE_HOOK_FILES.includes('oacb-enforce-core.sh'),
+    'oacb-enforce-core.sh must be in the unlink set so it does not leak in the hooks dir after `oacb remove`');
+  // All five named hooks must also be there.
+  for (const h of ['oacb-enforce.sh', 'oacb-prompt-guard.sh', 'oacb-mcp-guard.sh', 'oacb-config-audit.sh', 'oacb-post-tool.sh']) {
+    assert.ok(REMOVABLE_HOOK_FILES.includes(h), `${h} must be in REMOVABLE_HOOK_FILES`);
+  }
+  // And nothing else: no globs, no user files.
+  assert.equal(REMOVABLE_HOOK_FILES.length, 6, 'REMOVABLE_HOOK_FILES should be exactly 6 (5 hooks + 1 shared core)');
+});
+
 test('stripOacbFromCodexConfig: no-op on config with no OACB hooks', () => {
   const config = {
     approval_policy: 'on-request',