npm - unbound-cli - Versions diffs - 1.1.8 → 1.3.0 - Mend

unbound-cli 1.1.8 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/LOCAL_DEV.md +10 -10
package/README.md +8 -8
package/package.json +1 -1
package/src/commands/chat.js +2 -2
package/src/commands/doctor.js +198 -0
package/src/commands/onboard.js +112 -161
package/src/commands/setup.js +106 -180
package/src/commands/status.js +42 -2
package/src/config.js +1 -1
package/src/index.js +12 -12
package/src/toolHealth.js +288 -0
package/test/command-merge.test.js +44 -0
package/test/doctor-exit.test.js +31 -0
package/test/onboard-scope.test.js +114 -0
package/test/tool-health.test.js +210 -0
package/src/commands/whoami.js +0 -65

package/test/tool-health.test.js ADDED Viewed

@@ -0,0 +1,210 @@
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const { statusOf } = require('../src/toolHealth');
+// --- statusOf rollup (pure): structural artifacts decide install-state; aux
+// wiring only downgrades an installed tool to tampered. ---
+const chk = (kind, ok) => ({ kind, ok });
+test('statusOf: no structural artifact present → not-installed (dangling env ignored)', () => {
+  assert.equal(statusOf([chk('structural', false), chk('structural', false), chk('aux', true)]), 'not-installed');
+});
+test('statusOf: all structural + all aux present → healthy', () => {
+  assert.equal(statusOf([chk('structural', true), chk('structural', true), chk('aux', true)]), 'healthy');
+});
+test('statusOf: structural partially present → tampered', () => {
+  assert.equal(statusOf([chk('structural', true), chk('structural', false), chk('aux', true)]), 'tampered');
+});
+test('statusOf: structural complete but wiring (aux) missing → tampered', () => {
+  assert.equal(statusOf([chk('structural', true), chk('structural', true), chk('aux', false)]), 'tampered');
+});
+// --- detectTools integration: fabricate a tool's on-disk artifacts in a temp
+// HOME and assert the per-tool status. toolHealth reads os.homedir() at load
+// (which honors $HOME on POSIX), so we re-require it under the temp home. ---
+function withHome(fn) {
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-doctor-'));
+  const origHome = process.env.HOME;
+  process.env.HOME = tmp;
+  delete require.cache[require.resolve('../src/toolHealth')];
+  try {
+    return fn(tmp, require('../src/toolHealth'));
+  } finally {
+    if (origHome === undefined) delete process.env.HOME;
+    else process.env.HOME = origHome;
+    delete require.cache[require.resolve('../src/toolHealth')];
+    fs.rmSync(tmp, { recursive: true, force: true });
+  }
+}
+function writeFile(p, content) {
+  fs.mkdirSync(path.dirname(p), { recursive: true });
+  fs.writeFileSync(p, content);
+}
+test('detectTools: cursor with config + script + env → healthy', () => {
+  withHome((tmp, th) => {
+    const script = path.join(tmp, '.cursor', 'hooks', 'unbound.py');
+    writeFile(path.join(tmp, '.cursor', 'hooks.json'), JSON.stringify({ hooks: { PreToolUse: [{ command: script }] } }));
+    writeFile(script, '# unbound');
+    process.env.UNBOUND_CURSOR_API_KEY = 'k';
+    try {
+      const cursor = th.detectTools({ apiKey: 'k' }).find((t) => t.key === 'cursor');
+      assert.equal(cursor.status, 'healthy');
+    } finally {
+      delete process.env.UNBOUND_CURSOR_API_KEY;
+    }
+  });
+});
+test('detectTools: cursor config + script present but env key blank → tampered (empty != set)', () => {
+  withHome((tmp, th) => {
+    const script = path.join(tmp, '.cursor', 'hooks', 'unbound.py');
+    writeFile(path.join(tmp, '.cursor', 'hooks.json'), JSON.stringify({ hooks: { PreToolUse: [{ command: script }] } }));
+    writeFile(script, '# unbound');
+    process.env.UNBOUND_CURSOR_API_KEY = ''; // explicitly blanked, not absent
+    try {
+      const cursor = th.detectTools({ apiKey: 'k' }).find((t) => t.key === 'cursor');
+      assert.equal(cursor.status, 'tampered');
+    } finally {
+      delete process.env.UNBOUND_CURSOR_API_KEY;
+    }
+  });
+});
+test('detectTools: cursor env key differs from the configured key → tampered, not healthy', () => {
+  withHome((tmp, th) => {
+    const script = path.join(tmp, '.cursor', 'hooks', 'unbound.py');
+    writeFile(path.join(tmp, '.cursor', 'hooks.json'), JSON.stringify({ hooks: { PreToolUse: [{ command: script }] } }));
+    writeFile(script, '# unbound');
+    process.env.UNBOUND_CURSOR_API_KEY = 'stale-key';
+    try {
+      const cursor = th.detectTools({ apiKey: 'current-key' }).find((t) => t.key === 'cursor');
+      assert.equal(cursor.status, 'tampered');
+    } finally {
+      delete process.env.UNBOUND_CURSOR_API_KEY;
+    }
+  });
+});
+test('detectTools: cursor with only the hook script (no config) → tampered', () => {
+  withHome((tmp, th) => {
+    writeFile(path.join(tmp, '.cursor', 'hooks', 'unbound.py'), '# unbound');
+    const cursor = th.detectTools({ apiKey: 'k' }).find((t) => t.key === 'cursor');
+    assert.equal(cursor.status, 'tampered');
+  });
+});
+test('detectTools: cursor with a config that lacks the Unbound marker → not-installed', () => {
+  withHome((tmp, th) => {
+    writeFile(path.join(tmp, '.cursor', 'hooks.json'), JSON.stringify({ hooks: {} })); // no unbound.py reference
+    const cursor = th.detectTools({ apiKey: 'k' }).find((t) => t.label === 'Cursor');
+    assert.equal(cursor.status, 'not-installed');
+  });
+});
+test('detectTools: claude-code collapses to ONE line and reports the installed mode (gateway)', () => {
+  withHome((tmp, th) => {
+    const helper = path.join(tmp, '.claude', 'anthropic_key.sh');
+    writeFile(path.join(tmp, '.claude', 'settings.json'), JSON.stringify({ apiKeyHelper: helper }));
+    writeFile(helper, 'echo $UNBOUND_API_KEY');
+    const claude = th.detectTools({ apiKey: 'k' }).filter((t) => t.family === 'claude-code');
+    assert.equal(claude.length, 1, 'one collapsed claude-code line');
+    assert.equal(claude[0].mode, 'gateway');
+    assert.notEqual(claude[0].status, 'not-installed');
+  });
+});
+test('detectTools: both claude-code modes present at once → one line, flagged as a conflict', () => {
+  withHome((tmp, th) => {
+    const helper = path.join(tmp, '.claude', 'anthropic_key.sh');
+    // settings.json references BOTH an unbound.py hook AND the gateway key helper.
+    writeFile(path.join(tmp, '.claude', 'settings.json'), JSON.stringify({
+      hooks: { PreToolUse: [{ command: path.join(tmp, '.claude', 'hooks', 'unbound.py') }] },
+      apiKeyHelper: helper,
+    }));
+    const claude = th.detectTools({ apiKey: 'k' }).filter((t) => t.family === 'claude-code');
+    assert.equal(claude.length, 1, 'still one collapsed line');
+    assert.equal(claude[0].conflict, true, 'conflict flagged');
+    assert.equal(claude[0].status, 'tampered', 'prefers the tampered variant so --fix cleans it up');
+  });
+});
+// --- MDM (org-managed) scenarios, exercised via the _mdmDirs test override ---
+test('MDM: managed config references unbound + hook present → managed by MDM', () => {
+  withHome((tmp, th) => {
+    const mdmDir = path.join(tmp, 'mdm', 'ClaudeCode');
+    writeFile(path.join(mdmDir, 'managed-settings.json'), JSON.stringify({ hooks: { PreToolUse: [{ command: path.join(mdmDir, 'hooks', 'unbound.py') }] } }));
+    writeFile(path.join(mdmDir, 'hooks', 'unbound.py'), '#');
+    const t = th.detectTools({ apiKey: 'k', _mdmDirs: { 'claude-code': mdmDir } }).find((x) => x.family === 'claude-code');
+    assert.equal(t.status, 'managed-by-mdm');
+    assert.equal(t.scope, 'mdm');
+  });
+});
+test('MDM: managed config references unbound but hook missing → tampered (mdm scope)', () => {
+  withHome((tmp, th) => {
+    const mdmDir = path.join(tmp, 'mdm', 'ClaudeCode');
+    writeFile(path.join(mdmDir, 'managed-settings.json'), JSON.stringify({ hooks: { x: [{ command: path.join(mdmDir, 'hooks', 'unbound.py') }] } }));
+    const t = th.detectTools({ apiKey: 'k', _mdmDirs: { 'claude-code': mdmDir } }).find((x) => x.family === 'claude-code');
+    assert.equal(t.status, 'tampered');
+    assert.equal(t.scope, 'mdm');
+  });
+});
+test('MDM: a generic managed-settings.json without an unbound reference → not installed (no false positive)', () => {
+  withHome((tmp, th) => {
+    const mdmDir = path.join(tmp, 'mdm', 'ClaudeCode');
+    writeFile(path.join(mdmDir, 'managed-settings.json'), JSON.stringify({ permissions: { allow: ['*'] } }));
+    const t = th.detectTools({ apiKey: 'k', _mdmDirs: { 'claude-code': mdmDir } }).find((x) => x.label === 'Claude Code');
+    assert.equal(t.status, 'not-installed');
+  });
+});
+test('MDM: a user-level install takes precedence over an MDM config', () => {
+  withHome((tmp, th) => {
+    writeFile(path.join(tmp, '.claude', 'settings.json'), JSON.stringify({ hooks: { x: [{ command: path.join(tmp, '.claude', 'hooks', 'unbound.py') }] } }));
+    writeFile(path.join(tmp, '.claude', 'hooks', 'unbound.py'), '#');
+    const mdmDir = path.join(tmp, 'mdm', 'ClaudeCode');
+    writeFile(path.join(mdmDir, 'managed-settings.json'), JSON.stringify({ hooks: { x: [{ command: path.join(mdmDir, 'hooks', 'unbound.py') }] } }));
+    process.env.UNBOUND_CLAUDE_API_KEY = 'k';
+    try {
+      const t = th.detectTools({ apiKey: 'k', _mdmDirs: { 'claude-code': mdmDir } }).find((x) => x.family === 'claude-code');
+      assert.notEqual(t.scope, 'mdm');
+      assert.equal(t.status, 'healthy');
+      assert.equal(t.mode, 'subscription');
+    } finally { delete process.env.UNBOUND_CLAUDE_API_KEY; }
+  });
+});
+test('codex subscription: hooks.json + script present but the feature flag is off → tampered', () => {
+  withHome((tmp, th) => {
+    writeFile(path.join(tmp, '.codex', 'hooks.json'), JSON.stringify({ hooks: { x: [{ command: path.join(tmp, '.codex', 'hooks', 'unbound.py') }] } }));
+    writeFile(path.join(tmp, '.codex', 'hooks', 'unbound.py'), '#');
+    writeFile(path.join(tmp, '.codex', 'config.toml'), 'model = "gpt-5"\n');
+    const t = th.detectTools({ apiKey: 'k' }).find((x) => x.family === 'codex');
+    assert.equal(t.status, 'tampered');
+  });
+});
+test('copilot has no MDM scope — even with a managed dir it never reports managed-by-mdm', () => {
+  withHome((tmp, th) => {
+    const t = th.detectTools({ apiKey: 'k', _mdmDirs: { copilot: path.join(tmp, 'mdm', 'Copilot') } }).find((x) => x.family === 'copilot');
+    assert.equal(t.status, 'not-installed');
+    assert.notEqual(t.scope, 'mdm');
+  });
+});
+test('only four tools are reported (Gemini CLI is omitted)', () => {
+  withHome((tmp, th) => {
+    const keys = th.detectTools({ apiKey: 'k' }).map((t) => t.family);
+    assert.deepEqual(new Set(keys), new Set(['cursor', 'claude-code', 'codex', 'copilot']));
+  });
+});

package/src/commands/whoami.js DELETED Viewed

@@ -1,65 +0,0 @@
-const config = require('../config');
-const api = require('../api');
-const output = require('../output');
-const { getDeviceSerial } = require('../device-serial');
-function roleFromPrivileges(privileges) {
-  if (privileges.is_admin) return 'Admin';
-  if (privileges.is_manager) return 'Manager';
-  if (privileges.is_member) return 'Member';
-  return 'Unknown';
-}
-function register(program) {
-  program
-    .command('whoami')
-    .description('Display the currently authenticated user, organization, and role. Requires an active login session.')
-    .addHelpText('after', `
-Output fields:
-  Email        - The authenticated user's email address
-  Organization - The organization the user belongs to
-  Role         - One of: Admin, Manager, Member
-Examples:
-  $ unbound whoami
-  $ unbound whoami --json
-`)
-    .option('--json', 'Output raw JSON')
-    .action(async (opts) => {
-      if (!config.isLoggedIn()) {
-        output.error('Not logged in. Run `unbound login` first.');
-        process.exitCode = 1;
-        return;
-      }
-      const cfg = config.readConfig();
-      const spin = output.spinner('Fetching user info...');
-      try {
-        const deviceSerial = await getDeviceSerial();
-        const privileges = await api.get('/api/v1/users/privileges/', {
-          query: { device_serial: deviceSerial },
-        });
-        spin.stop();
-        config.backfillUserInfo(privileges);
-        const role = roleFromPrivileges(privileges);
-        const freshCfg = config.readConfig();
-        if (opts.json) {
-          output.json({ email: freshCfg.email || null, organization: freshCfg.org_name || null, role });
-          return;
-        }
-        output.keyValue([
-          ['Email', freshCfg.email || '-'],
-          ['Organization', freshCfg.org_name || '-'],
-          ['Role', role],
-        ]);
-      } catch (err) {
-        spin.fail(err.message);
-        process.exitCode = 1;
-      }
-    });
-}
-module.exports = { register };