unbound-cli 1.1.3 → 1.1.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "1.1.3",
+  "version": "1.1.6",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/commands/oacb.js

@@ -12,8 +12,8 @@ const output = require('../output');
 const crypto = require('node:crypto');
 
 const OACB_RAW_BASE = 'https://raw.githubusercontent.com/websentry-ai/oacb';
-const OACB_PINNED_REF = 'v0.2.0';
-const PKG_VERSION = '0.2.0';
+const OACB_PINNED_REF = 'v0.2.1';
+const PKG_VERSION = '0.2.1';
 const TIERS = ['shadow', 'receipts', 'baseline', 'strict', 'paranoid'];
 const AGENTS = ['claude-code', 'codex'];
 
@@ -334,7 +334,10 @@ async function handleApply({ agent: agentFlag, tier, overrides, dryRun, previewO
       } else {
         let effective = deepClone(baseline);
         if (overrides) effective = mergeOverrides(effective, JSON.parse(await fs.readFile(overrides, 'utf8')));
-        const oacbHooks = buildOacbHookEntries(effective);
+        // Mirror the real apply path so the printed policy matches what
+        // would actually land in settings.json.
+        const extraEnv = { OACB_SHARED_DIR: CLAUDE_HOOKS_DIR };
+        const oacbHooks = buildOacbHookEntries(effective, extraEnv);
         process.stdout.write(JSON.stringify({
           _oacbMeta: { tier, appliedAt: '<now>', ref: OACB_PINNED_REF },
           permissions: effective.permissions,
@@ -360,7 +363,8 @@ async function handleApply({ agent: agentFlag, tier, overrides, dryRun, previewO
         let effective = deepClone(baseline);
         if (overrides) effective = mergeOverrides(effective, JSON.parse(await fs.readFile(overrides, 'utf8')));
         output.info(`--dry-run: showing what would be merged into ${CLAUDE_SETTINGS_PATH}`);
-        const oacbHooks = buildOacbHookEntries(effective);
+        const extraEnv = { OACB_SHARED_DIR: CLAUDE_HOOKS_DIR };
+        const oacbHooks = buildOacbHookEntries(effective, extraEnv);
         process.stdout.write(JSON.stringify({
           _oacbMeta: { tier, appliedAt: '<now>', ref: OACB_PINNED_REF },
           permissions: effective.permissions,
@@ -443,9 +447,13 @@ async function _applyClaudeCode({ baseline, tier, overrides, localHooks }) {
   }
 
   const expires = tier === 'receipts' ? computeExpiryDate(30) : null;
+  const extraEnv = {
+    OACB_SHARED_DIR: CLAUDE_HOOKS_DIR,
+    ...(expires ? { OACB_EXPIRES: expires } : {}),
+  };
   const settingsSpin = output.spinner(`Merging OACB settings into ${CLAUDE_SETTINGS_PATH}...`);
   try {
-    await writeSettingsOverlay(effective, tier, expires ? { OACB_EXPIRES: expires } : undefined);
+    await writeSettingsOverlay(effective, tier, extraEnv);
     settingsSpin.succeed(`Updated ${CLAUDE_SETTINGS_PATH} (backup at ${CLAUDE_SETTINGS_BACKUP_PATH})`);
   } catch (e) {
     settingsSpin.fail(`Settings write failed: ${e.message}`);
@@ -663,20 +671,44 @@ async function handleRemove({ agent, dryRun }) {
 
   const cleaned = deepClone(settings);
 
+  // Read the pre-apply backup, if present. We use it to avoid stripping
+  // user rules that happened to overlap with OACB's contribution — without
+  // it, a user who had `Bash(git status *)` before apply would lose it
+  // after remove, because the same string is in OACB's allowlist.
+  let preState = { deny: new Set(), ask: new Set(), allow: new Set() };
+  try {
+    const backup = JSON.parse(await fs.readFile(CLAUDE_SETTINGS_BACKUP_PATH, 'utf8'));
+    preState = {
+      deny: new Set(backup.permissions?.deny || []),
+      ask: new Set(backup.permissions?.ask || []),
+      allow: new Set(backup.permissions?.allow || []),
+    };
+  } catch (_) {
+    // No backup → current (less-careful) behavior is the only option.
+  }
+
   if (contribution.permissions && cleaned.permissions) {
     const contributedDeny = new Set(contribution.permissions.deny || []);
     const contributedAsk = new Set(contribution.permissions.ask || []);
     const contributedAllow = new Set(contribution.permissions.allow || []);
+    // Strip only rules that are BOTH in OACB's contribution AND NOT in the
+    // user's pre-apply backup. Rules the user had before are preserved.
     if (cleaned.permissions.deny) {
-      cleaned.permissions.deny = cleaned.permissions.deny.filter(r => !contributedDeny.has(r));
+      cleaned.permissions.deny = cleaned.permissions.deny.filter(
+        r => !contributedDeny.has(r) || preState.deny.has(r)
+      );
       if (!cleaned.permissions.deny.length) delete cleaned.permissions.deny;
     }
     if (cleaned.permissions.ask) {
-      cleaned.permissions.ask = cleaned.permissions.ask.filter(r => !contributedAsk.has(r));
+      cleaned.permissions.ask = cleaned.permissions.ask.filter(
+        r => !contributedAsk.has(r) || preState.ask.has(r)
+      );
       if (!cleaned.permissions.ask.length) delete cleaned.permissions.ask;
     }
     if (cleaned.permissions.allow) {
-      cleaned.permissions.allow = cleaned.permissions.allow.filter(r => !contributedAllow.has(r));
+      cleaned.permissions.allow = cleaned.permissions.allow.filter(
+        r => !contributedAllow.has(r) || preState.allow.has(r)
+      );
       if (!cleaned.permissions.allow.length) delete cleaned.permissions.allow;
     }
 
@@ -719,9 +751,10 @@ async function handleRemove({ agent, dryRun }) {
     output.info('--dry-run: showing cleaned settings.json (not written)');
     process.stdout.write(JSON.stringify(cleaned, null, 2) + '\n');
     output.info('Hook scripts that would be deleted:');
-    for (const name of HOOK_NAMES) {
+    for (const name of REMOVABLE_HOOK_FILES) {
       process.stdout.write(`  ${path.join(CLAUDE_HOOKS_DIR, name)}\n`);
     }
+    output.info(`Backup file that would be deleted: ${CLAUDE_SETTINGS_BACKUP_PATH}`);
     return;
   }
 
@@ -729,6 +762,9 @@ async function handleRemove({ agent, dryRun }) {
   output.success(`Wrote cleaned ${CLAUDE_SETTINGS_PATH}`);
 
   try { await fs.unlink(CONSENT_RECEIPT_PATH); } catch (_) {}
+  // The backup is no longer load-bearing after a successful remove — clean it
+  // up so the user's ~/.claude/ doesn't accumulate stale OACB state.
+  try { await fs.unlink(CLAUDE_SETTINGS_BACKUP_PATH); } catch (_) {}
 
   await _deleteHooks(CLAUDE_HOOKS_DIR);
   output.success('OACB removed from Claude Code. Run `unbound oacb check` to verify clean state.');
@@ -759,13 +795,13 @@ async function _removeCodex({ dryRun }) {
     }
   }
 
-  const cleaned = stripOacbFromCodexConfig(existing);
+  const cleaned = stripOacbFromCodexConfig(existing, meta?.preState);
 
   if (dryRun) {
     output.info(`--dry-run: showing cleaned ${CODEX_CONFIG_PATH} (not written)`);
     process.stdout.write(TOML.stringify(cleaned) + '\n');
     output.info('Hook scripts that would be deleted:');
-    for (const name of HOOK_NAMES) {
+    for (const name of REMOVABLE_HOOK_FILES) {
       process.stdout.write(`  ${path.join(CODEX_HOOKS_DIR, name)}\n`);
     }
     return;
@@ -781,11 +817,17 @@ async function _removeCodex({ dryRun }) {
   output.success('OACB removed from Codex. Run `unbound oacb check` to verify clean state.');
 }
 
+// Files _deleteHooks unlinks: the five named hooks + the shared core that
+// `installHooks` now places alongside hooks for both agents (v1.1.4+). Without
+// the shared core in this list, `oacb remove` would leak the 22KB
+// oacb-enforce-core.sh file in the user's hooks dir.
+const REMOVABLE_HOOK_FILES = [...HOOK_NAMES, 'oacb-enforce-core.sh'];
+
 async function _deleteHooks(hooksDir) {
   const deleted = [];
   const missing = [];
   await Promise.all(
-    HOOK_NAMES.map(async (name) => {
+    REMOVABLE_HOOK_FILES.map(async (name) => {
       try { await fs.unlink(path.join(hooksDir, name)); deleted.push(name); }
       catch (_) { missing.push(name); }
     })
@@ -984,20 +1026,18 @@ async function installHooks(localDir, agent = 'claude-code') {
     })
   );
 
-  // Codex hooks source a shared core that is not bundled per-agent.
+  // Both agents' enforce.sh source a shared core that is not bundled per-agent.
   // Install it alongside the agent hooks so OACB_SHARED_DIR can resolve locally.
-  if (agent === 'codex') {
-    let coreContent;
-    if (localDir) {
-      const sharedDir = process.env.OACB_SHARED_DIR
-        || path.resolve(localDir, '..', '..', 'shared');
-      coreContent = await fs.readFile(path.join(sharedDir, 'oacb-enforce-core.sh'), 'utf8');
-    } else {
-      const url = `${OACB_RAW_BASE}/${OACB_PINNED_REF}/baseline/shared/oacb-enforce-core.sh`;
-      coreContent = await api.getRaw(url);
-    }
-    await fs.writeFile(path.join(hooksDir, 'oacb-enforce-core.sh'), coreContent, { mode: 0o755 });
+  let coreContent;
+  if (localDir) {
+    const sharedDir = process.env.OACB_SHARED_DIR
+      || path.resolve(localDir, '..', '..', 'shared');
+    coreContent = await fs.readFile(path.join(sharedDir, 'oacb-enforce-core.sh'), 'utf8');
+  } else {
+    const url = `${OACB_RAW_BASE}/${OACB_PINNED_REF}/baseline/shared/oacb-enforce-core.sh`;
+    coreContent = await api.getRaw(url);
   }
+  await fs.writeFile(path.join(hooksDir, 'oacb-enforce-core.sh'), coreContent, { mode: 0o755 });
 }
 
 // Build the OACB hook entries with agent-specific local paths.
@@ -1071,7 +1111,7 @@ function mergeCodexConfig(existing, oacbConfig, extraEnv) {
 // Pure: strip OACB hook entries from a parsed Codex TOML config.
 // Policy scalars (approval_policy, sandbox_mode) are left in place —
 // they may have been set by the user independently.
-function stripOacbFromCodexConfig(existing) {
+function stripOacbFromCodexConfig(existing, preState) {
   const result = Object.assign({}, existing);
   const oacbHookRe = /oacb-[^/\\]+\.sh/;
 
@@ -1087,6 +1127,25 @@ function stripOacbFromCodexConfig(existing) {
     if (!Object.keys(result.hooks).length) delete result.hooks;
   }
 
+  // Restore scalars/blocks OACB overwrote during apply. preState is the
+  // snapshot writeCodexConfig captures on the FIRST apply (idempotent
+  // across re-applies). null means "user had no value here" → delete.
+  if (preState) {
+    for (const scalar of ['approval_policy', 'sandbox_mode']) {
+      if (preState[scalar] === null || preState[scalar] === undefined) {
+        delete result[scalar];
+      } else {
+        result[scalar] = preState[scalar];
+      }
+    }
+    if (preState.shell_environment_policy === null
+        || preState.shell_environment_policy === undefined) {
+      delete result.shell_environment_policy;
+    } else {
+      result.shell_environment_policy = preState.shell_environment_policy;
+    }
+  }
+
   return result;
 }
 
@@ -1098,6 +1157,30 @@ async function writeCodexConfig(oacbConfig, tier) {
     existing = TOML.parse(await fs.readFile(CODEX_CONFIG_PATH, 'utf8'));
   } catch (_) {}
 
+  // Capture the pre-apply state of fields OACB overwrites so `oacb remove` can
+  // restore them. Without this, a user who set approval_policy="untrusted"
+  // before OACB ends up with the OACB tier's value (e.g. "on-request") after
+  // an apply/remove cycle. A `null` entry in preState distinguishes "user had
+  // no value" (delete on remove) from "user had this value" (restore on remove).
+  // Only persist the first such snapshot — re-running apply must not overwrite
+  // the original user state with our own.
+  let preState;
+  let prevMeta = null;
+  try {
+    prevMeta = JSON.parse(await fs.readFile(CODEX_META_PATH, 'utf8'));
+  } catch (_) {}
+  if (prevMeta && prevMeta.preState) {
+    preState = prevMeta.preState;
+  } else {
+    preState = {
+      approval_policy: existing.approval_policy ?? null,
+      sandbox_mode: existing.sandbox_mode ?? null,
+      shell_environment_policy: existing.shell_environment_policy
+        ? deepClone(existing.shell_environment_policy)
+        : null,
+    };
+  }
+
   const extraEnv = {
     OACB_SHARED_DIR: CODEX_HOOKS_DIR,
     ...(tier === 'receipts' ? { OACB_EXPIRES: computeExpiryDate(30) } : {}),
@@ -1114,6 +1197,7 @@ async function writeCodexConfig(oacbConfig, tier) {
     ts: new Date().toISOString(),
     oacb_version: PKG_VERSION,
     agent: 'codex',
+    preState,
     ...(tier === 'receipts' ? { expires: computeExpiryDate(30) } : {}),
   }, null, 2) + '\n', { mode: 0o600 });
 
@@ -1778,6 +1862,7 @@ module.exports = {
     writeConsentReceipt,
     handleWhy,
     handleStatus,
+    REMOVABLE_HOOK_FILES,
     RULE_REGISTRY,
   },
 };

package/src/commands/onboard.js

@@ -101,7 +101,7 @@ Examples:
 
         console.log('');
         output.info('Step 1/2: Installing tool bundle');
-        const ok = await runSetupAllBundle(apiKey, {
+        const { ok, skipped } = await runSetupAllBundle(apiKey, {
           backendUrl, frontendUrl, gatewayUrl, backfill: !!opts.backfill,
         });
         if (!ok) return;
@@ -127,7 +127,9 @@ Examples:
         }
 
         console.log('');
-        output.success('Onboarding complete');
+        output.success(skipped && skipped.length
+          ? 'Onboarding complete — tools managed by MDM were skipped (see above)'
+          : 'Onboarding complete');
       } catch (err) {
         if (!err.displayed) output.error(err.message);
         if (discoverySucceeded && opts.setCron) {
@@ -237,7 +239,7 @@ Examples:
 
         console.log('');
         output.info('Step 1/2: Installing MDM tool bundle');
-        const ok = await runMdmSetupAllBundle(adminApiKey, {
+        const { ok, skipped } = await runMdmSetupAllBundle(adminApiKey, {
           backendUrl, gatewayUrl, backfill: !!opts.backfill,
         });
         if (!ok) return;
@@ -249,7 +251,9 @@ Examples:
         await runDiscoveryScan({ apiKey: opts.discoveryKey, domain: discoveryDomain });
 
         console.log('');
-        output.success('MDM onboarding complete');
+        output.success(skipped && skipped.length
+          ? 'MDM onboarding complete — tools managed by MDM were skipped (see above)'
+          : 'MDM onboarding complete');
       } catch (err) {
         if (!err.displayed) output.error(err.message);
         if (setupSucceeded) {

package/src/commands/setup.js

@@ -11,6 +11,14 @@ const { confirm } = require('../utils');
 
 const SETUP_BASE_URL = 'https://raw.githubusercontent.com/websentry-ai/setup/refs/heads/main';
 
+// A setup script exits with this code when it detects an existing MDM (managed)
+// install for that tool and skips itself. It is a deliberate, non-fatal signal —
+// not a failure — so the CLI suppresses the script's own output and reports the
+// skip cleanly instead. Must stay in sync with the setup repo's setup.py scripts.
+// Only emitted by setup runs: the scripts run the MDM check AFTER the --clear
+// branch, so clear/nuke operations never produce this code.
+const EXIT_MDM_PRESENT = 3;
+
 // WSL reports as Linux via uname; only native Windows (cmd.exe / PowerShell)
 // takes the Windows code path. WSL keeps using the Linux curl|python3 pipe.
 function isWindowsNative() {
@@ -200,7 +208,9 @@ async function runPythonScriptWindows(scriptPath, args, { capture }) {
   await downloadToFile(url, tmp);
   const py = resolveWindowsPython();
   try {
-    await new Promise((resolve, reject) => {
+    // `return await` so the resolved value (e.g. { mdmSkipped: true }) reaches
+    // the caller; the finally below still runs before the function returns.
+    return await new Promise((resolve, reject) => {
       const child = spawn(py.cmd, [...py.prefix, tmp, ...parsePosixArgs(args)], {
         stdio: capture ? ['pipe', 'pipe', 'pipe'] : 'inherit',
         shell: false,
@@ -215,6 +225,8 @@ async function runPythonScriptWindows(scriptPath, args, { capture }) {
       }
       child.on('close', (code) => {
         if (code === 0) return resolve();
+        // Managed by MDM — drop any captured output and signal a skip.
+        if (code === EXIT_MDM_PRESENT) return resolve({ mdmSkipped: true });
         const err = new Error(out.trim() || `Setup script failed with exit code ${code}`);
         if (capture) err.setupOutput = out.trim();
         reject(err);
@@ -276,12 +288,14 @@ async function runSetupScript(scriptPath, apiKey, { clear = false, backendUrl, f
   const args = buildScriptArgs(apiKey, { backendUrl, frontendUrl, gatewayUrl, clear, backfill });
   console.log('');
   if (isWindowsNative()) {
-    await runPythonScriptWindows(scriptPath, args, { capture: false });
-    return;
+    return runPythonScriptWindows(scriptPath, args, { capture: false });
   }
   try {
     execSync(buildSetupCommand(scriptPath, args), { stdio: 'inherit' });
   } catch (err) {
+    // Managed by MDM — the script already printed its one-line notice (stdio is
+    // inherited here). Signal a skip so the caller can add the CLI notice.
+    if (err.status === EXIT_MDM_PRESENT) return { mdmSkipped: true };
     throw new Error(`Setup script failed with exit code ${err.status || 1}. Check the output above for details.`);
   }
 }
@@ -309,6 +323,9 @@ function runScriptPiped(scriptPath, args) {
     child.on('close', (code) => {
       if (code === 0) {
         resolve();
+      } else if (code === EXIT_MDM_PRESENT) {
+        // Managed by MDM — drop the captured script output and signal a skip.
+        resolve({ mdmSkipped: true });
       } else {
         const err = new Error(captured.trim() || `Setup failed with exit code ${code}`);
         err.setupOutput = captured.trim();
@@ -350,24 +367,61 @@ function hasRootPrivileges() {
 }
 
 /**
- * Runs a batch of tools sequentially with spinners.
- * Stops on first failure. Returns true if all succeeded.
+ * Prints a clear, red, end-of-run notice for tools that were skipped because an
+ * MDM (organization-managed) setup is already present. Kept separate so callers
+ * can surface it at the very end of their flow.
+ */
+function reportMdmSkips(labels) {
+  if (!labels || labels.length === 0) return;
+  console.error('');
+  console.error(output.colors.bold(output.colors.red(
+    `✗ Skipped — managed by your organization (MDM): ${labels.join(', ')}`)));
+  console.error(output.colors.red("  User-level setup can't override MDM. Contact your IT admin to change it."));
+}
+
+/**
+ * Runs a batch of tools sequentially with spinners. Stops on the first hard
+ * failure. A tool that reports an MDM skip is NOT a failure — it's collected and
+ * surfaced (in red) at the end, and the batch continues. Returns
+ * { ok, skipped } — ok is false only on a hard failure; skipped is the list of
+ * MDM-managed tool labels so callers can qualify their own success message.
+ * When `summary` is set, a green success line is printed for the configured
+ * tools before the MDM notice.
  */
-async function runBatch(tools, runFn, { clear = false } = {}) {
+async function runBatch(tools, runFn, { clear = false, summary = null } = {}) {
   const action = clear ? 'Clearing' : 'Setting up';
+  const mdmSkipped = [];
   for (const tool of tools) {
     const s = output.spinner(`${action} ${tool.label}...`);
     try {
-      await runFn(tool);
-      s.succeed(tool.label);
+      const result = await runFn(tool);
+      if (result && result.mdmSkipped) {
+        // Stop the spinner and leave an inline marker so the tool doesn't just
+        // vanish mid-batch; the actionable red summary still prints at the end.
+        s.stop();
+        console.error(output.colors.dim(`  Skipped ${tool.label} — managed by MDM`));
+        mdmSkipped.push(tool.label);
+      } else {
+        s.succeed(tool.label);
+      }
     } catch (err) {
       s.fail(`Failed: ${tool.label}`);
       if (err.setupOutput) console.error('\n' + err.setupOutput);
       process.exitCode = 1;
-      return false;
+      // Still surface any tools skipped before this failure so the notice isn't lost.
+      reportMdmSkips(mdmSkipped);
+      return { ok: false, skipped: mdmSkipped };
     }
   }
-  return true;
+  const configured = tools.length - mdmSkipped.length;
+  if (summary && configured > 0) {
+    console.log('');
+    // Some tools may have been MDM-managed, so report the actual count and the
+    // matching verb. (clear never produces skips, but keep the verb consistent.)
+    output.success(mdmSkipped.length ? `${configured} of ${tools.length} tools ${clear ? 'cleared' : 'configured'}` : summary);
+  }
+  reportMdmSkips(mdmSkipped);
+  return { ok: true, skipped: mdmSkipped };
 }
 
 /**
@@ -468,6 +522,11 @@ Examples:
 When setting up, if you are not logged in and --api-key is not provided, the
 browser opens automatically to authenticate first. Clearing (--clear) never
 requires authentication.
+
+If an MDM (organization-managed) setup is already present for a tool, user-level
+setup for that tool is skipped automatically — the managed configuration already
+enforces Unbound for every user on the device. To change it, an administrator
+must update the MDM configuration.
 `)
     .action(async (tools, opts) => {
       try {
@@ -527,18 +586,14 @@ requires authentication.
               if (!scriptSupportsBackfill(tool.script)) noteBackfillUnsupported(tool.label, tool.script);
             }
           }
-          const ok = await runBatch(selectedTools, (tool) => {
+          await runBatch(selectedTools, (tool) => {
             const toolArgs = buildScriptArgs(apiKey, {
               ...urlOpts,
               clear: opts.clear,
               backfill: opts.backfill && scriptSupportsBackfill(tool.script),
             });
             return runScriptPiped(tool.script, toolArgs);
-          }, { clear: opts.clear });
-          if (!ok) return;
-
-          console.log('');
-          output.success(opts.clear ? 'All tools cleared' : 'All tools configured');
+          }, { clear: opts.clear, summary: opts.clear ? 'All tools cleared' : 'All tools configured' });
           return;
         }
 
@@ -604,7 +659,8 @@ requires authentication.
             const { script, label } = SETUP_TOOL_MAP[toolName];
             const backfill = opts.backfill && scriptSupportsBackfill(script);
             if (opts.backfill && !backfill) noteBackfillUnsupported(label, script);
-            await runSetupScript(script, apiKey, { clear: opts.clear, backfill, ...urlOpts });
+            const r = await runSetupScript(script, apiKey, { clear: opts.clear, backfill, ...urlOpts });
+            if (r && r.mdmSkipped) reportMdmSkips([label]);
           } else if (MODE_TOOLS[toolName]) {
             const mode = MODE_TOOLS[toolName];
             if (opts.clear) {
@@ -621,7 +677,8 @@ requires authentication.
               const { script, label } = SETUP_TOOL_MAP[resolved];
               const backfill = opts.backfill && scriptSupportsBackfill(script);
               if (opts.backfill && !backfill) noteBackfillUnsupported(label, script);
-              await runSetupScript(script, apiKey, { ...urlOpts, backfill });
+              const r = await runSetupScript(script, apiKey, { ...urlOpts, backfill });
+              if (r && r.mdmSkipped) reportMdmSkips([label]);
             }
           } else if (INSTRUCTION_TOOLS[toolName]) {
             output.keyValue(INSTRUCTION_TOOLS[toolName].values(apiKey, frontendUrl));
@@ -664,14 +721,14 @@ requires authentication.
               if (!scriptSupportsBackfill(tool.script)) noteBackfillUnsupported(tool.label, tool.script);
             }
           }
-          const ok = await runBatch(resolvedScripts, (tool) => {
+          const { ok } = await runBatch(resolvedScripts, (tool) => {
             const toolArgs = buildScriptArgs(apiKey, {
               ...urlOpts,
               clear: opts.clear,
               backfill: opts.backfill && scriptSupportsBackfill(tool.script),
             });
             return runScriptPiped(tool.script, toolArgs);
-          }, { clear: opts.clear });
+          }, { clear: opts.clear, summary: opts.clear ? 'All tools cleared' : 'All tools configured' });
           if (!ok) return;
         }
 
@@ -682,10 +739,6 @@ requires authentication.
           output.keyValue(INSTRUCTION_TOOLS[toolName].values(apiKey, frontendUrl));
         }
 
-        if (resolvedScripts.length > 0) {
-          console.log('');
-          output.success(opts.clear ? 'All tools cleared' : 'All tools configured');
-        }
       } catch (err) {
         if (err.message === 'Selection cancelled') return;
         if (!err.displayed) output.error(err.message);
@@ -832,7 +885,7 @@ Clear examples (no API key required):
           }
         }
 
-        const ok = await runBatch(
+        const { ok } = await runBatch(
           resolvedTools,
           (tool) => {
             const toolArgs = buildScriptArgs(adminApiKey, {
@@ -844,12 +897,9 @@ Clear examples (no API key required):
             });
             return runScriptPiped(tool.script, toolArgs);
           },
-          { clear: globalOpts.clear }
+          { clear: globalOpts.clear, summary: globalOpts.clear ? 'All tools cleared' : 'All tools configured' }
         );
         if (!ok) return;
-
-        console.log('');
-        output.success(globalOpts.clear ? 'All tools cleared' : 'All tools configured');
       } catch (err) {
         output.error(err.message);
         process.exitCode = 1;

package/src/output.js

@@ -349,4 +349,4 @@ function multiSelect(message, options) {
   });
 }
 
-module.exports = { table, json, keyValue, success, error, warn, info, spinner, select, multiSelect };
+module.exports = { table, json, keyValue, success, error, warn, info, spinner, select, multiSelect, colors: c };

package/test/oacb.test.js

@@ -23,6 +23,7 @@ const {
   writeConsentReceipt,
   handleWhy,
   handleStatus,
+  REMOVABLE_HOOK_FILES,
   RULE_REGISTRY,
 } = require('../src/commands/oacb').__test__;
 
@@ -521,6 +522,67 @@ test('stripOacbFromCodexConfig: leaves approval_policy and sandbox_mode in place
   assert.equal(result.sandbox_mode, 'read-only');
 });
 
+test('stripOacbFromCodexConfig: with preState, restores scalars to pre-apply values', () => {
+  const config = {
+    approval_policy: 'on-request',  // set by OACB shadow tier
+    sandbox_mode: 'workspace-write',
+    hooks: {
+      PreToolUse: [
+        { hooks: [{ type: 'command', command: `${os.homedir()}/.codex/hooks/oacb-enforce.sh` }] },
+      ],
+    },
+  };
+  const preState = { approval_policy: 'untrusted', sandbox_mode: 'read-only' };
+  const result = stripOacbFromCodexConfig(config, preState);
+  assert.equal(result.approval_policy, 'untrusted', 'must restore pre-apply approval_policy');
+  assert.equal(result.sandbox_mode, 'read-only', 'must restore pre-apply sandbox_mode');
+});
+
+test('stripOacbFromCodexConfig: with preState=null entry, deletes the field', () => {
+  // Pre-apply user had no approval_policy → OACB added one → remove deletes it
+  const config = { approval_policy: 'on-request', sandbox_mode: 'workspace-write' };
+  const preState = { approval_policy: null, sandbox_mode: null };
+  const result = stripOacbFromCodexConfig(config, preState);
+  assert.equal(result.approval_policy, undefined);
+  assert.equal(result.sandbox_mode, undefined);
+});
+
+test('stripOacbFromCodexConfig: with preState, restores shell_environment_policy', () => {
+  const config = {
+    shell_environment_policy: {
+      inherit: 'core',
+      exclude: ['AWS_*', '*_SECRET*'],  // added by OACB apply
+    },
+  };
+  const preState = {
+    shell_environment_policy: { inherit: 'core' },  // user's original
+  };
+  const result = stripOacbFromCodexConfig(config, preState);
+  assert.deepEqual(result.shell_environment_policy, { inherit: 'core' });
+});
+
+test('stripOacbFromCodexConfig: with preState.shell_environment_policy=null, deletes the block', () => {
+  const config = {
+    shell_environment_policy: { inherit: 'core', exclude: ['AWS_*'] },
+  };
+  const preState = { shell_environment_policy: null };
+  const result = stripOacbFromCodexConfig(config, preState);
+  assert.equal(result.shell_environment_policy, undefined);
+});
+
+// ─── REMOVABLE_HOOK_FILES (F1: shared-core leak fix) ──────────────────────────
+
+test('REMOVABLE_HOOK_FILES: includes oacb-enforce-core.sh to prevent leak after remove', () => {
+  assert.ok(REMOVABLE_HOOK_FILES.includes('oacb-enforce-core.sh'),
+    'oacb-enforce-core.sh must be in the unlink set so it does not leak in the hooks dir after `oacb remove`');
+  // All five named hooks must also be there.
+  for (const h of ['oacb-enforce.sh', 'oacb-prompt-guard.sh', 'oacb-mcp-guard.sh', 'oacb-config-audit.sh', 'oacb-post-tool.sh']) {
+    assert.ok(REMOVABLE_HOOK_FILES.includes(h), `${h} must be in REMOVABLE_HOOK_FILES`);
+  }
+  // And nothing else: no globs, no user files.
+  assert.equal(REMOVABLE_HOOK_FILES.length, 6, 'REMOVABLE_HOOK_FILES should be exactly 6 (5 hooks + 1 shared core)');
+});
+
 test('stripOacbFromCodexConfig: no-op on config with no OACB hooks', () => {
   const config = {
     approval_policy: 'on-request',