unbound-cli 1.3.1 → 1.4.0

package/README.md

@@ -196,15 +196,21 @@ unbound policy security create --name "429 Fallback" --sub-type error-code-routi
 Tool policy examples:
 
 ```bash
+# AI-assisted (preferred): describe the policy in natural language.
+unbound policy tool create-terminal --prompt "block rm -rf"
+
+# AI-assisted MCP policy: describe the service and intent in natural language.
+unbound policy tool create-mcp --prompt "audit all Linear writes"
+
 # See what command families and MCP servers are available
 unbound policy tool families
 unbound policy tool mcp-servers
 
-# Block destructive shell commands
+# Flag-based fallback: block destructive shell commands explicitly
 unbound policy tool create-terminal --name "Block rm -rf" --command-family filesystem \
     --field command='rm -rf*' --action BLOCK --custom-message "Destructive command blocked."
 
-# Audit Linear write operations via MCP
+# Flag-based MCP fallback: audit Linear write operations
 unbound policy tool create-mcp --name "Audit Linear writes" --mcp-server Linear \
     --mcp-action-type write --action AUDIT
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "1.3.1",
+  "version": "1.4.0",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/commands/policy.js

@@ -311,6 +311,16 @@ function parseFieldSpec(spec) {
   return [spec.slice(0, eq), spec.slice(eq + 1)];
 }
 
+// "ANY" is a wildcard across all fields; it can't be ANDed with other conditions.
+// Mirrors the backend rule so the CLI fails fast before the API call. The check is
+// case-insensitive so `--field Any=*`/`--field any=*` are caught too.
+function assertAnyExclusive(configObj) {
+  const keys = Object.keys(configObj || {});
+  if (keys.length > 1 && keys.some((k) => k.toUpperCase() === 'ANY')) {
+    throw new Error("The 'ANY' field cannot be combined with other --field conditions (ANY already matches every field).");
+  }
+}
+
 /**
  * Convert a `--sub-type` flag (kebab-case) to the backend's snake_case form.
  */
@@ -1419,18 +1429,27 @@ Subcommands:
   tool
     .command('create-terminal')
     .description('Create a TERMINAL_COMMAND policy: monitor or block shell commands run by AI coding tools.')
-    .requiredOption('--name <name>', 'Policy name (required)')
-    .requiredOption('--command-family <family>', 'Command family (e.g. git, filesystem, network). See `policy tool families`.')
-    .option('--field <key=pattern>', 'Match field: <key>=<pattern>. Repeatable. At least one required unless --config is used.', (val, prev = []) => [...prev, val])
-    .requiredOption('--action <action>', `Action to take: ${TOOL_ACTIONS.join(' | ')}`)
+    .option('--prompt <text>', 'Natural-language description; routes through Unbound AI assist. Mutually exclusive with --command-family/--field/--config. Compatible with --name/--description/--action overrides.')
+    .option('--name <name>', 'Policy name (required unless --prompt is used)')
+    .option('--command-family <family>', 'Command family (e.g. git, filesystem, network). See `policy tool families`.')
+    .option('--field <key=pattern>', 'Match field: <key>=<pattern>. Repeatable — multiple --field are ANDed (all must match), one per field, for a more specific policy. At least one required unless --config is used.', (val, prev = []) => [...prev, val])
+    .option('--action <action>', `Action to take: ${TOOL_ACTIONS.join(' | ')}`)
     .option('--description <text>', 'Human-readable description')
     .option('--custom-message <text>', 'Message shown to the user when the policy fires. Required when --action is BLOCK or WARN.')
     .option('--group <names|ids>', 'Comma-separated user group names or IDs to scope this policy to')
     .option('--disabled', 'Create the policy in disabled state')
     .option('--config <json>', 'Advanced: raw config JSON (skips --field builder)')
+    .option('--yes', 'Skip the confirmation prompt for --prompt flows (preview is still printed)')
     .option('--json', 'Output raw JSON of the created policy')
     .addHelpText('after', `
 Examples:
+  # AI-assisted (preferred): describe the policy in natural language.
+  $ unbound policy tool create-terminal --prompt "block rm -rf"
+
+  # AI-assisted, with manual overrides for name and action:
+  $ unbound policy tool create-terminal --prompt "block rm -rf" \\
+      --name "Block recursive deletes" --action WARN
+
   $ unbound policy tool create-terminal --name "Block rm -rf" \\
       --command-family filesystem --field command='rm -rf*' --action BLOCK \\
       --custom-message "Destructive commands are blocked."
@@ -1438,9 +1457,11 @@ Examples:
   $ unbound policy tool create-terminal --name "Audit git push" \\
       --command-family git --field command='git push*' --action AUDIT
 
-  $ unbound policy tool create-terminal --name "Warn curl" \\
-      --command-family network --field command='curl*' --action WARN \\
-      --custom-message "Outbound HTTP calls are being audited."
+  # Multiple --field are ANDed — this fires only on a push to main on origin:
+  $ unbound policy tool create-terminal --name "Block push to main on origin" \\
+      --command-family git_action \\
+      --field operation=push --field branch=main --field remote='*origin*' \\
+      --action BLOCK --custom-message "Pushing to main on origin is blocked."
 
 Discover valid command families and their fields: unbound policy tool families
 Learn more: ${DOCS_TOOL}
@@ -1448,6 +1469,83 @@ Learn more: ${DOCS_TOOL}
     .action(async (opts) => {
       try {
         requireLogin();
+
+        if (opts.prompt !== undefined) {
+          if (typeof opts.prompt !== 'string' || opts.prompt.trim() === '') {
+            output.error('--prompt cannot be empty.');
+            process.exitCode = 2;
+            return;
+          }
+          // --name, --description, --action are now allowed as AI overrides (merged in mergeAiAndFlags).
+          // --command-family, --field, --config remain mutex with --prompt because they're AI
+          // classification territory; if the AI gets them wrong, the right answer is re-prompting,
+          // not flag overrides (which would need catalog validation we don't want to add here).
+          const mutex = ['commandFamily', 'field', 'config'];
+          for (const k of mutex) {
+            if (opts[k]) {
+              throw new Error('Pass --prompt for AI-assist or the field flags for explicit creation, not both.');
+            }
+          }
+          if (opts.group) {
+            let formData;
+            try {
+              formData = await loadFormData();
+            } catch (err) {
+              const { routeBackendError } = require('../lib/policy-ai-assist');
+              const routed = routeBackendError(err);
+              output.error(routed.message);
+              process.exitCode = routed.exitCode;
+              return;
+            }
+            opts.scopeUserGroupIds = resolveByName(formData.user_groups || [], opts.group, { kind: 'user group' });
+          }
+          const { runTerminalPromptCreate } = require('../lib/policy-ai-assist');
+          let result;
+          try {
+            result = await runTerminalPromptCreate(opts);
+          } catch (err) {
+            if (err.exitCode === 0) {
+              output.warn(err.message);
+              return;
+            }
+            output.error(err.message);
+            process.exitCode = err.exitCode || 1;
+            return;
+          }
+          if (!result.confirmed) {
+            output.warn('Aborted.');
+            return;
+          }
+          const body = result.body;
+          let data;
+          try {
+            data = await api.post('/api/v1/command-policies/', { body });
+          } catch (err) {
+            const { routeBackendError } = require('../lib/policy-ai-assist');
+            const routed = routeBackendError(err);
+            output.error(routed.message);
+            process.exitCode = routed.exitCode;
+            return;
+          }
+          if (opts.json) {
+            output.json(data);
+            return;
+          }
+          output.success(`Terminal policy${body.name ? ` "${body.name}"` : ''} created.`);
+          displayToolPolicy(unwrapToolPolicy(data));
+          return;
+        }
+
+        if (!opts.name) {
+          throw new Error('--name is required (or use --prompt for AI assist).');
+        }
+        if (!opts.commandFamily) {
+          throw new Error('--command-family is required (or use --prompt for AI assist).');
+        }
+        if (!opts.action) {
+          throw new Error('--action is required (or use --prompt for AI assist).');
+        }
+
         const action = normalizeAction(opts.action, TOOL_ACTIONS, '--action');
         if ((action === 'BLOCK' || action === 'WARN') && !opts.customMessage) {
           throw new Error('--custom-message is required when --action is BLOCK or WARN.');
@@ -1469,6 +1567,7 @@ Learn more: ${DOCS_TOOL}
             configObj[k] = v;
           }
         }
+        assertAnyExclusive(configObj);
 
         const body = {
           name: opts.name,
@@ -1502,24 +1601,35 @@ Learn more: ${DOCS_TOOL}
   tool
     .command('create-mcp')
     .description('Create an MCP_TOOL policy: monitor or block MCP server tool calls.')
-    .requiredOption('--name <name>', 'Policy name (required)')
-    .requiredOption('--mcp-server <server>', 'MCP server name as shown by `policy tool mcp-servers` (e.g. linear, github). Resolved to its canonical group automatically.')
+    .option('--prompt <text>', 'Natural-language description; routes through Unbound AI assist. Mutually exclusive with --mcp-server/--mcp-tool/--mcp-action-type/--config. Compatible with --name/--description/--action overrides.')
+    .option('--name <name>', 'Policy name (required unless --prompt is used). Override AI suggestion when used with --prompt.')
+    .option('--mcp-server <server>', 'MCP server name as shown by `policy tool mcp-servers` (e.g. linear, github). Resolved to its canonical group automatically.')
     .option('--mcp-tool <tool>', 'Specific tool name on the MCP server (e.g. create_issue). Mutually exclusive with --mcp-action-type.')
     .option('--mcp-action-type <type>', `Match by tool action type: ${MCP_ACTION_TYPES.join(' | ')}. Mutually exclusive with --mcp-tool.`)
-    .requiredOption('--action <action>', `Action to take: ${TOOL_ACTIONS.join(' | ')}`)
-    .option('--description <text>', 'Human-readable description')
-    .option('--custom-message <text>', 'Message shown to the user when the policy fires. Required when --action is BLOCK or WARN.')
+    .option('--action <action>', `Action to take: ${TOOL_ACTIONS.join(' | ')}. Override AI suggestion when used with --prompt.`)
+    .option('--description <text>', 'Human-readable description. Override AI suggestion when used with --prompt.')
+    .option('--custom-message <text>', 'Message shown to the user when the policy fires. Required when --action is BLOCK or WARN. Override AI suggestion when used with --prompt.')
     .option('--group <names|ids>', 'Comma-separated user group names or IDs to scope this policy to')
     .option('--disabled', 'Create the policy in disabled state')
+    .option('--config <json>', 'Advanced: raw config JSON')
+    .option('--yes', 'Skip the confirmation prompt for --prompt flows (preview is still printed)')
     .option('--json', 'Output raw JSON of the created policy')
     .addHelpText('after', `
 Examples:
-  Match a specific tool on a server:
+  # AI-assisted (preferred): describe the policy in natural language.
+  $ unbound policy tool create-mcp --prompt "audit all Linear writes"
+
+  # AI-assisted, with manual overrides for name and action:
+  $ unbound policy tool create-mcp --prompt "audit all Linear writes" \\
+      --name "Audit Linear writes" --action WARN \\
+      --custom-message "Linear writes are monitored."
+
+  # Match a specific tool on a server (flag-based fallback):
   $ unbound policy tool create-mcp --name "Block Linear writes" \\
       --mcp-server linear --mcp-tool create_issue --action BLOCK \\
       --custom-message "Issue creation is blocked. Contact admin."
 
-  Match all destructive tools on a server:
+  # Match all destructive tools on a server:
   $ unbound policy tool create-mcp --name "Audit all destructive Slack" \\
       --mcp-server slack --mcp-action-type destructive --action AUDIT
 
@@ -1532,6 +1642,79 @@ Learn more: ${DOCS_TOOL}
     .action(async (opts) => {
       try {
         requireLogin();
+
+        if (opts.prompt !== undefined) {
+          if (typeof opts.prompt !== 'string' || opts.prompt.trim() === '') {
+            output.error('--prompt cannot be empty.');
+            process.exitCode = 2;
+            return;
+          }
+          const mutex = ['mcpServer', 'mcpTool', 'mcpActionType', 'config'];
+          for (const k of mutex) {
+            if (opts[k]) {
+              throw new Error('Pass --prompt for AI-assist or the field flags for explicit creation, not both.');
+            }
+          }
+          if (opts.group) {
+            let formData;
+            try {
+              formData = await loadFormData();
+            } catch (err) {
+              const { routeBackendError } = require('../lib/policy-ai-assist');
+              const routed = routeBackendError(err);
+              output.error(routed.message);
+              process.exitCode = routed.exitCode;
+              return;
+            }
+            opts.scopeUserGroupIds = resolveByName(formData.user_groups || [], opts.group, { kind: 'user group' });
+          }
+          const { runMcpPromptCreate } = require('../lib/policy-ai-assist');
+          let result;
+          try {
+            result = await runMcpPromptCreate(opts);
+          } catch (err) {
+            if (err.exitCode === 0) {
+              output.warn(err.message);
+              return;
+            }
+            output.error(err.message);
+            process.exitCode = err.exitCode || 1;
+            return;
+          }
+          if (!result.confirmed) {
+            output.warn('Aborted.');
+            return;
+          }
+          const body = result.body;
+          let data;
+          try {
+            data = await api.post('/api/v1/command-policies/', { body });
+          } catch (err) {
+            const { routeBackendError } = require('../lib/policy-ai-assist');
+            const routed = routeBackendError(err);
+            output.error(routed.message);
+            process.exitCode = routed.exitCode;
+            return;
+          }
+          if (opts.json) {
+            output.json(data);
+            return;
+          }
+          output.success(`MCP policy${body.name ? ` "${body.name}"` : ''} created.`);
+          displayToolPolicy(unwrapToolPolicy(data));
+          return;
+        }
+
+        if (!opts.name) {
+          throw new Error('--name is required (or use --prompt for AI assist).');
+        }
+        if (!opts.mcpServer) {
+          throw new Error('--mcp-server is required (or use --prompt for AI assist).');
+        }
+        if (!opts.action) {
+          throw new Error('--action is required (or use --prompt for AI assist).');
+        }
+
         const action = normalizeAction(opts.action, TOOL_ACTIONS, '--action');
         if ((action === 'BLOCK' || action === 'WARN') && !opts.customMessage) {
           throw new Error('--custom-message is required when --action is BLOCK or WARN.');
@@ -1562,6 +1745,9 @@ Learn more: ${DOCS_TOOL}
           enabled: !opts.disabled,
           config: {},
         };
+        if (opts.config) {
+          body.config = parseJsonOrThrow(opts.config);
+        }
         if (hasTool) body.mcp_tool = opts.mcpTool;
         if (hasActionType) body.mcp_tool_action_type = opts.mcpActionType;
         if (opts.customMessage) body.custom_message = opts.customMessage;
@@ -1595,7 +1781,7 @@ Learn more: ${DOCS_TOOL}
     .option('--enabled', 'Enable the policy')
     .option('--disabled', 'Disable the policy')
     .option('--command-family <family>', '(TERMINAL only) new command family')
-    .option('--field <key=pattern>', '(TERMINAL only) replace config field. Repeatable.', (val, prev = []) => [...prev, val])
+    .option('--field <key=pattern>', '(TERMINAL only) replace config fields. Repeatable — multiple --field are ANDed (all must match), one per field.', (val, prev = []) => [...prev, val])
     .option('--mcp-server <server>', '(MCP only) new MCP server')
     .option('--mcp-tool <tool>', '(MCP only) new MCP tool')
     .option('--mcp-action-type <type>', '(MCP only) new MCP action type')
@@ -1627,6 +1813,7 @@ Learn more: ${DOCS_TOOL}
         } else if (opts.config) {
           body.config = parseJsonOrThrow(opts.config);
         }
+        if (body.config) assertAnyExclusive(body.config);
 
         if (opts.mcpServer) body.mcp_server = opts.mcpServer;
         if (opts.mcpTool) body.mcp_tool = opts.mcpTool;
@@ -1888,4 +2075,4 @@ Learn more: ${DOCS_POLICIES}
   registerLegacy(policy);
 }
 
-module.exports = { register };
+module.exports = { register, assertAnyExclusive };

package/src/commands/setup.js

@@ -946,13 +946,14 @@ async function runSetupAllBundle(apiKey, { backendUrl, frontendUrl, gatewayUrl,
   // actually supports it (Claude Code hooks, Codex hooks, Copilot hooks).
   // Cursor would print "not supported"; passing the flag to gateway-mode
   // scripts would error out — `scriptSupportsBackfill` checks for both.
-  return runBatch(resolvedTools, (tool) => {
+  const result = await runBatch(resolvedTools, (tool) => {
     const args = buildScriptArgs(apiKey, {
       backendUrl, frontendUrl, gatewayUrl,
       backfill: backfill && scriptSupportsBackfill(tool.script),
     });
     return runScriptPiped(tool.script, args);
   });
+  return result;
 }
 
 /**
@@ -967,13 +968,14 @@ async function runMdmSetupAllBundle(adminApiKey, { backendUrl, frontendUrl, gate
       if (!scriptSupportsBackfill(tool.script)) noteBackfillUnsupported(tool.label, tool.script);
     }
   }
-  return runBatch(resolvedTools, (tool) => {
+  const result = await runBatch(resolvedTools, (tool) => {
     const args = buildScriptArgs(adminApiKey, {
       backendUrl, frontendUrl, gatewayUrl, mdm: true,
       backfill: backfill && scriptSupportsBackfill(tool.script),
     });
     return runScriptPiped(tool.script, args);
   });
+  return result;
 }
 
 module.exports = {