unbound-cli 1.1.3 → 1.1.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "1.1.3",
+  "version": "1.1.5",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/commands/oacb.js

@@ -12,8 +12,8 @@ const output = require('../output');
 const crypto = require('node:crypto');
 
 const OACB_RAW_BASE = 'https://raw.githubusercontent.com/websentry-ai/oacb';
-const OACB_PINNED_REF = 'v0.2.0';
-const PKG_VERSION = '0.2.0';
+const OACB_PINNED_REF = 'v0.2.1';
+const PKG_VERSION = '0.2.1';
 const TIERS = ['shadow', 'receipts', 'baseline', 'strict', 'paranoid'];
 const AGENTS = ['claude-code', 'codex'];
 
@@ -334,7 +334,10 @@ async function handleApply({ agent: agentFlag, tier, overrides, dryRun, previewO
       } else {
         let effective = deepClone(baseline);
         if (overrides) effective = mergeOverrides(effective, JSON.parse(await fs.readFile(overrides, 'utf8')));
-        const oacbHooks = buildOacbHookEntries(effective);
+        // Mirror the real apply path so the printed policy matches what
+        // would actually land in settings.json.
+        const extraEnv = { OACB_SHARED_DIR: CLAUDE_HOOKS_DIR };
+        const oacbHooks = buildOacbHookEntries(effective, extraEnv);
         process.stdout.write(JSON.stringify({
           _oacbMeta: { tier, appliedAt: '<now>', ref: OACB_PINNED_REF },
           permissions: effective.permissions,
@@ -360,7 +363,8 @@ async function handleApply({ agent: agentFlag, tier, overrides, dryRun, previewO
         let effective = deepClone(baseline);
         if (overrides) effective = mergeOverrides(effective, JSON.parse(await fs.readFile(overrides, 'utf8')));
         output.info(`--dry-run: showing what would be merged into ${CLAUDE_SETTINGS_PATH}`);
-        const oacbHooks = buildOacbHookEntries(effective);
+        const extraEnv = { OACB_SHARED_DIR: CLAUDE_HOOKS_DIR };
+        const oacbHooks = buildOacbHookEntries(effective, extraEnv);
         process.stdout.write(JSON.stringify({
           _oacbMeta: { tier, appliedAt: '<now>', ref: OACB_PINNED_REF },
           permissions: effective.permissions,
@@ -443,9 +447,13 @@ async function _applyClaudeCode({ baseline, tier, overrides, localHooks }) {
   }
 
   const expires = tier === 'receipts' ? computeExpiryDate(30) : null;
+  const extraEnv = {
+    OACB_SHARED_DIR: CLAUDE_HOOKS_DIR,
+    ...(expires ? { OACB_EXPIRES: expires } : {}),
+  };
   const settingsSpin = output.spinner(`Merging OACB settings into ${CLAUDE_SETTINGS_PATH}...`);
   try {
-    await writeSettingsOverlay(effective, tier, expires ? { OACB_EXPIRES: expires } : undefined);
+    await writeSettingsOverlay(effective, tier, extraEnv);
     settingsSpin.succeed(`Updated ${CLAUDE_SETTINGS_PATH} (backup at ${CLAUDE_SETTINGS_BACKUP_PATH})`);
   } catch (e) {
     settingsSpin.fail(`Settings write failed: ${e.message}`);
@@ -663,20 +671,44 @@ async function handleRemove({ agent, dryRun }) {
 
   const cleaned = deepClone(settings);
 
+  // Read the pre-apply backup, if present. We use it to avoid stripping
+  // user rules that happened to overlap with OACB's contribution — without
+  // it, a user who had `Bash(git status *)` before apply would lose it
+  // after remove, because the same string is in OACB's allowlist.
+  let preState = { deny: new Set(), ask: new Set(), allow: new Set() };
+  try {
+    const backup = JSON.parse(await fs.readFile(CLAUDE_SETTINGS_BACKUP_PATH, 'utf8'));
+    preState = {
+      deny: new Set(backup.permissions?.deny || []),
+      ask: new Set(backup.permissions?.ask || []),
+      allow: new Set(backup.permissions?.allow || []),
+    };
+  } catch (_) {
+    // No backup → current (less-careful) behavior is the only option.
+  }
+
   if (contribution.permissions && cleaned.permissions) {
     const contributedDeny = new Set(contribution.permissions.deny || []);
     const contributedAsk = new Set(contribution.permissions.ask || []);
     const contributedAllow = new Set(contribution.permissions.allow || []);
+    // Strip only rules that are BOTH in OACB's contribution AND NOT in the
+    // user's pre-apply backup. Rules the user had before are preserved.
     if (cleaned.permissions.deny) {
-      cleaned.permissions.deny = cleaned.permissions.deny.filter(r => !contributedDeny.has(r));
+      cleaned.permissions.deny = cleaned.permissions.deny.filter(
+        r => !contributedDeny.has(r) || preState.deny.has(r)
+      );
       if (!cleaned.permissions.deny.length) delete cleaned.permissions.deny;
     }
     if (cleaned.permissions.ask) {
-      cleaned.permissions.ask = cleaned.permissions.ask.filter(r => !contributedAsk.has(r));
+      cleaned.permissions.ask = cleaned.permissions.ask.filter(
+        r => !contributedAsk.has(r) || preState.ask.has(r)
+      );
       if (!cleaned.permissions.ask.length) delete cleaned.permissions.ask;
     }
     if (cleaned.permissions.allow) {
-      cleaned.permissions.allow = cleaned.permissions.allow.filter(r => !contributedAllow.has(r));
+      cleaned.permissions.allow = cleaned.permissions.allow.filter(
+        r => !contributedAllow.has(r) || preState.allow.has(r)
+      );
       if (!cleaned.permissions.allow.length) delete cleaned.permissions.allow;
     }
 
@@ -719,9 +751,10 @@ async function handleRemove({ agent, dryRun }) {
     output.info('--dry-run: showing cleaned settings.json (not written)');
     process.stdout.write(JSON.stringify(cleaned, null, 2) + '\n');
     output.info('Hook scripts that would be deleted:');
-    for (const name of HOOK_NAMES) {
+    for (const name of REMOVABLE_HOOK_FILES) {
       process.stdout.write(`  ${path.join(CLAUDE_HOOKS_DIR, name)}\n`);
     }
+    output.info(`Backup file that would be deleted: ${CLAUDE_SETTINGS_BACKUP_PATH}`);
     return;
   }
 
@@ -729,6 +762,9 @@ async function handleRemove({ agent, dryRun }) {
   output.success(`Wrote cleaned ${CLAUDE_SETTINGS_PATH}`);
 
   try { await fs.unlink(CONSENT_RECEIPT_PATH); } catch (_) {}
+  // The backup is no longer load-bearing after a successful remove — clean it
+  // up so the user's ~/.claude/ doesn't accumulate stale OACB state.
+  try { await fs.unlink(CLAUDE_SETTINGS_BACKUP_PATH); } catch (_) {}
 
   await _deleteHooks(CLAUDE_HOOKS_DIR);
   output.success('OACB removed from Claude Code. Run `unbound oacb check` to verify clean state.');
@@ -759,13 +795,13 @@ async function _removeCodex({ dryRun }) {
     }
   }
 
-  const cleaned = stripOacbFromCodexConfig(existing);
+  const cleaned = stripOacbFromCodexConfig(existing, meta?.preState);
 
   if (dryRun) {
     output.info(`--dry-run: showing cleaned ${CODEX_CONFIG_PATH} (not written)`);
     process.stdout.write(TOML.stringify(cleaned) + '\n');
     output.info('Hook scripts that would be deleted:');
-    for (const name of HOOK_NAMES) {
+    for (const name of REMOVABLE_HOOK_FILES) {
       process.stdout.write(`  ${path.join(CODEX_HOOKS_DIR, name)}\n`);
     }
     return;
@@ -781,11 +817,17 @@ async function _removeCodex({ dryRun }) {
   output.success('OACB removed from Codex. Run `unbound oacb check` to verify clean state.');
 }
 
+// Files _deleteHooks unlinks: the five named hooks + the shared core that
+// `installHooks` now places alongside hooks for both agents (v1.1.4+). Without
+// the shared core in this list, `oacb remove` would leak the 22KB
+// oacb-enforce-core.sh file in the user's hooks dir.
+const REMOVABLE_HOOK_FILES = [...HOOK_NAMES, 'oacb-enforce-core.sh'];
+
 async function _deleteHooks(hooksDir) {
   const deleted = [];
   const missing = [];
   await Promise.all(
-    HOOK_NAMES.map(async (name) => {
+    REMOVABLE_HOOK_FILES.map(async (name) => {
       try { await fs.unlink(path.join(hooksDir, name)); deleted.push(name); }
       catch (_) { missing.push(name); }
     })
@@ -984,20 +1026,18 @@ async function installHooks(localDir, agent = 'claude-code') {
     })
   );
 
-  // Codex hooks source a shared core that is not bundled per-agent.
+  // Both agents' enforce.sh source a shared core that is not bundled per-agent.
   // Install it alongside the agent hooks so OACB_SHARED_DIR can resolve locally.
-  if (agent === 'codex') {
-    let coreContent;
-    if (localDir) {
-      const sharedDir = process.env.OACB_SHARED_DIR
-        || path.resolve(localDir, '..', '..', 'shared');
-      coreContent = await fs.readFile(path.join(sharedDir, 'oacb-enforce-core.sh'), 'utf8');
-    } else {
-      const url = `${OACB_RAW_BASE}/${OACB_PINNED_REF}/baseline/shared/oacb-enforce-core.sh`;
-      coreContent = await api.getRaw(url);
-    }
-    await fs.writeFile(path.join(hooksDir, 'oacb-enforce-core.sh'), coreContent, { mode: 0o755 });
+  let coreContent;
+  if (localDir) {
+    const sharedDir = process.env.OACB_SHARED_DIR
+      || path.resolve(localDir, '..', '..', 'shared');
+    coreContent = await fs.readFile(path.join(sharedDir, 'oacb-enforce-core.sh'), 'utf8');
+  } else {
+    const url = `${OACB_RAW_BASE}/${OACB_PINNED_REF}/baseline/shared/oacb-enforce-core.sh`;
+    coreContent = await api.getRaw(url);
   }
+  await fs.writeFile(path.join(hooksDir, 'oacb-enforce-core.sh'), coreContent, { mode: 0o755 });
 }
 
 // Build the OACB hook entries with agent-specific local paths.
@@ -1071,7 +1111,7 @@ function mergeCodexConfig(existing, oacbConfig, extraEnv) {
 // Pure: strip OACB hook entries from a parsed Codex TOML config.
 // Policy scalars (approval_policy, sandbox_mode) are left in place —
 // they may have been set by the user independently.
-function stripOacbFromCodexConfig(existing) {
+function stripOacbFromCodexConfig(existing, preState) {
   const result = Object.assign({}, existing);
   const oacbHookRe = /oacb-[^/\\]+\.sh/;
 
@@ -1087,6 +1127,25 @@ function stripOacbFromCodexConfig(existing) {
     if (!Object.keys(result.hooks).length) delete result.hooks;
   }
 
+  // Restore scalars/blocks OACB overwrote during apply. preState is the
+  // snapshot writeCodexConfig captures on the FIRST apply (idempotent
+  // across re-applies). null means "user had no value here" → delete.
+  if (preState) {
+    for (const scalar of ['approval_policy', 'sandbox_mode']) {
+      if (preState[scalar] === null || preState[scalar] === undefined) {
+        delete result[scalar];
+      } else {
+        result[scalar] = preState[scalar];
+      }
+    }
+    if (preState.shell_environment_policy === null
+        || preState.shell_environment_policy === undefined) {
+      delete result.shell_environment_policy;
+    } else {
+      result.shell_environment_policy = preState.shell_environment_policy;
+    }
+  }
+
   return result;
 }
 
@@ -1098,6 +1157,30 @@ async function writeCodexConfig(oacbConfig, tier) {
     existing = TOML.parse(await fs.readFile(CODEX_CONFIG_PATH, 'utf8'));
   } catch (_) {}
 
+  // Capture the pre-apply state of fields OACB overwrites so `oacb remove` can
+  // restore them. Without this, a user who set approval_policy="untrusted"
+  // before OACB ends up with the OACB tier's value (e.g. "on-request") after
+  // an apply/remove cycle. A `null` entry in preState distinguishes "user had
+  // no value" (delete on remove) from "user had this value" (restore on remove).
+  // Only persist the first such snapshot — re-running apply must not overwrite
+  // the original user state with our own.
+  let preState;
+  let prevMeta = null;
+  try {
+    prevMeta = JSON.parse(await fs.readFile(CODEX_META_PATH, 'utf8'));
+  } catch (_) {}
+  if (prevMeta && prevMeta.preState) {
+    preState = prevMeta.preState;
+  } else {
+    preState = {
+      approval_policy: existing.approval_policy ?? null,
+      sandbox_mode: existing.sandbox_mode ?? null,
+      shell_environment_policy: existing.shell_environment_policy
+        ? deepClone(existing.shell_environment_policy)
+        : null,
+    };
+  }
+
   const extraEnv = {
     OACB_SHARED_DIR: CODEX_HOOKS_DIR,
     ...(tier === 'receipts' ? { OACB_EXPIRES: computeExpiryDate(30) } : {}),
@@ -1114,6 +1197,7 @@ async function writeCodexConfig(oacbConfig, tier) {
     ts: new Date().toISOString(),
     oacb_version: PKG_VERSION,
     agent: 'codex',
+    preState,
     ...(tier === 'receipts' ? { expires: computeExpiryDate(30) } : {}),
   }, null, 2) + '\n', { mode: 0o600 });
 
@@ -1778,6 +1862,7 @@ module.exports = {
     writeConsentReceipt,
     handleWhy,
     handleStatus,
+    REMOVABLE_HOOK_FILES,
     RULE_REGISTRY,
   },
 };

package/test/oacb.test.js

@@ -23,6 +23,7 @@ const {
   writeConsentReceipt,
   handleWhy,
   handleStatus,
+  REMOVABLE_HOOK_FILES,
   RULE_REGISTRY,
 } = require('../src/commands/oacb').__test__;
 
@@ -521,6 +522,67 @@ test('stripOacbFromCodexConfig: leaves approval_policy and sandbox_mode in place
   assert.equal(result.sandbox_mode, 'read-only');
 });
 
+test('stripOacbFromCodexConfig: with preState, restores scalars to pre-apply values', () => {
+  const config = {
+    approval_policy: 'on-request',  // set by OACB shadow tier
+    sandbox_mode: 'workspace-write',
+    hooks: {
+      PreToolUse: [
+        { hooks: [{ type: 'command', command: `${os.homedir()}/.codex/hooks/oacb-enforce.sh` }] },
+      ],
+    },
+  };
+  const preState = { approval_policy: 'untrusted', sandbox_mode: 'read-only' };
+  const result = stripOacbFromCodexConfig(config, preState);
+  assert.equal(result.approval_policy, 'untrusted', 'must restore pre-apply approval_policy');
+  assert.equal(result.sandbox_mode, 'read-only', 'must restore pre-apply sandbox_mode');
+});
+
+test('stripOacbFromCodexConfig: with preState=null entry, deletes the field', () => {
+  // Pre-apply user had no approval_policy → OACB added one → remove deletes it
+  const config = { approval_policy: 'on-request', sandbox_mode: 'workspace-write' };
+  const preState = { approval_policy: null, sandbox_mode: null };
+  const result = stripOacbFromCodexConfig(config, preState);
+  assert.equal(result.approval_policy, undefined);
+  assert.equal(result.sandbox_mode, undefined);
+});
+
+test('stripOacbFromCodexConfig: with preState, restores shell_environment_policy', () => {
+  const config = {
+    shell_environment_policy: {
+      inherit: 'core',
+      exclude: ['AWS_*', '*_SECRET*'],  // added by OACB apply
+    },
+  };
+  const preState = {
+    shell_environment_policy: { inherit: 'core' },  // user's original
+  };
+  const result = stripOacbFromCodexConfig(config, preState);
+  assert.deepEqual(result.shell_environment_policy, { inherit: 'core' });
+});
+
+test('stripOacbFromCodexConfig: with preState.shell_environment_policy=null, deletes the block', () => {
+  const config = {
+    shell_environment_policy: { inherit: 'core', exclude: ['AWS_*'] },
+  };
+  const preState = { shell_environment_policy: null };
+  const result = stripOacbFromCodexConfig(config, preState);
+  assert.equal(result.shell_environment_policy, undefined);
+});
+
+// ─── REMOVABLE_HOOK_FILES (F1: shared-core leak fix) ──────────────────────────
+
+test('REMOVABLE_HOOK_FILES: includes oacb-enforce-core.sh to prevent leak after remove', () => {
+  assert.ok(REMOVABLE_HOOK_FILES.includes('oacb-enforce-core.sh'),
+    'oacb-enforce-core.sh must be in the unlink set so it does not leak in the hooks dir after `oacb remove`');
+  // All five named hooks must also be there.
+  for (const h of ['oacb-enforce.sh', 'oacb-prompt-guard.sh', 'oacb-mcp-guard.sh', 'oacb-config-audit.sh', 'oacb-post-tool.sh']) {
+    assert.ok(REMOVABLE_HOOK_FILES.includes(h), `${h} must be in REMOVABLE_HOOK_FILES`);
+  }
+  // And nothing else: no globs, no user files.
+  assert.equal(REMOVABLE_HOOK_FILES.length, 6, 'REMOVABLE_HOOK_FILES should be exactly 6 (5 hooks + 1 shared core)');
+});
+
 test('stripOacbFromCodexConfig: no-op on config with no OACB hooks', () => {
   const config = {
     approval_policy: 'on-request',