unbound-cli 1.3.2 → 1.5.0

package/test/policy-ai-assist.test.js

@@ -0,0 +1,884 @@
+const { test, beforeEach, after } = require('node:test');
+const assert = require('node:assert/strict');
+const { Command } = require('commander');
+
+// Integration tests: invoke `unbound policy tool create-terminal --prompt ...`
+// against a fresh Command instance with src/api.js and src/config.js stubbed.
+// We never hit the network and never read/write user config.
+
+function loadFreshModules() {
+  // Drop the module cache so each test gets a clean module-level
+  // `_privilegesCache` and a clean stub surface.
+  for (const m of [
+    '../src/commands/policy',
+    '../src/lib/policy-ai-assist',
+    '../src/api',
+    '../src/config',
+    '../src/output',
+  ]) {
+    delete require.cache[require.resolve(m)];
+  }
+  const api = require('../src/api');
+  const config = require('../src/config');
+  const output = require('../src/output');
+  return { api, config, output };
+}
+
+// ApiError shape from src/api.js — exposes statusCode and body.
+class FakeApiError extends Error {
+  constructor(statusCode, body) {
+    super(body && body.error ? body.error : `HTTP ${statusCode}`);
+    this.name = 'ApiError';
+    this.statusCode = statusCode;
+    this.body = body;
+  }
+}
+
+function buildHarness({
+  privilegesResponse = { is_admin: true, is_manager: false, is_member: false },
+  privilegesError = null,
+  assistResponse = null,
+  assistError = null,
+  createResponse = { id: 1, name: 'ok' },
+  createError = null,
+  isTty = false,
+} = {}) {
+  const { api, config, output } = loadFreshModules();
+
+  config.isLoggedIn = () => true;
+  config.getApiKey = () => 'fake-key';
+  config.getBaseUrl = () => 'https://b.acme';
+
+  const calls = { posts: [], gets: [] };
+  api.get = async (path, opts) => {
+    calls.gets.push({ path, opts });
+    if (path === '/api/v1/users/privileges/') {
+      if (privilegesError) throw privilegesError;
+      return privilegesResponse;
+    }
+    throw new Error(`unexpected GET ${path}`);
+  };
+  api.post = async (path, opts) => {
+    calls.posts.push({ path, body: opts && opts.body });
+    if (path === '/api/v1/command-policies/assist/') {
+      if (assistError) throw assistError;
+      return assistResponse;
+    }
+    if (path === '/api/v1/command-policies/') {
+      if (createError) throw createError;
+      return createResponse;
+    }
+    throw new Error(`unexpected POST ${path}`);
+  };
+
+  // Silence + capture output.
+  const captured = { success: [], error: [], warn: [], info: [], stdout: [] };
+  output.success = (m) => captured.success.push(m);
+  output.error = (m) => captured.error.push(m);
+  output.warn = (m) => captured.warn.push(m);
+  output.info = (m) => captured.info.push(m);
+  // renderTerminalPreview uses console.log directly; capture stdout.
+  const origLog = console.log;
+  console.log = (m) => captured.stdout.push(String(m || ''));
+  const restoreLog = () => { console.log = origLog; };
+
+  return { api, config, output, calls, captured, restoreLog };
+}
+
+async function runCreate(argv) {
+  const { register } = require('../src/commands/policy');
+  const program = new Command();
+  program.exitOverride();
+  register(program);
+  const full = ['node', 'unbound', 'policy', 'tool', 'create-terminal', ...argv];
+  await program.parseAsync(full);
+}
+
+beforeEach(() => {
+  process.exitCode = 0;
+});
+
+// Several tests intentionally set process.exitCode to non-zero values to
+// observe the CLI's exit-code routing. Reset it at the end so node:test does
+// not interpret the file itself as having failed.
+after(() => {
+  process.exitCode = 0;
+});
+
+// --- (a) Mutex cases: --prompt + each conflicting flag -----------------------
+// --name, --description, --action are NO LONGER mutex with --prompt; they act
+// as overrides over the AI's suggestion. See tests in the "AI overrides" block.
+
+const MUTEX_FLAGS = [
+  ['--command-family', 'git'],
+  ['--field', 'command=git push*'],
+];
+
+for (const [flag, value] of MUTEX_FLAGS) {
+  test(`mutex: --prompt + ${flag} exits 1 with verbatim wording`, async () => {
+    const h = buildHarness();
+    try {
+      await runCreate(['--prompt', 'block rm -rf', flag, value]);
+      assert.equal(process.exitCode, 1);
+      assert.ok(
+        h.captured.error.some((m) => m === 'Pass --prompt for AI-assist or the field flags for explicit creation, not both.'),
+        `expected mutex error, got: ${JSON.stringify(h.captured.error)}`
+      );
+      assert.equal(h.calls.posts.length, 0, 'no network call should have fired');
+    } finally {
+      h.restoreLog();
+    }
+  });
+}
+
+// Fix 4: --config must also be mutex with --prompt.
+test('mutex: --prompt + --config exits 1 with verbatim wording', async () => {
+  const h = buildHarness();
+  try {
+    await runCreate(['--prompt', 'block rm -rf', '--config', '{"foo":"bar"}']);
+    assert.equal(process.exitCode, 1);
+    assert.ok(
+      h.captured.error.some((m) => m === 'Pass --prompt for AI-assist or the field flags for explicit creation, not both.'),
+      `expected mutex error, got: ${JSON.stringify(h.captured.error)}`
+    );
+    assert.equal(h.calls.posts.length, 0, 'no network call should have fired');
+  } finally {
+    h.restoreLog();
+  }
+});
+
+// Fix 3: empty --prompt is rejected (does NOT silently fall through to flag path).
+test('empty --prompt: exits 2, never reaches network', async () => {
+  const h = buildHarness();
+  try {
+    await runCreate(['--prompt', '']);
+    assert.equal(process.exitCode, 2);
+    assert.ok(
+      h.captured.error.some((m) => m.includes('--prompt cannot be empty.')),
+      `expected empty-prompt error, got: ${JSON.stringify(h.captured.error)}`
+    );
+    assert.equal(h.calls.posts.length, 0, 'no network call should have fired');
+    assert.equal(h.calls.gets.length, 0, 'no privileges probe should have fired');
+  } finally {
+    h.restoreLog();
+  }
+});
+
+// Fix 1: action defaults to AUDIT when neither flag nor AI sets it.
+test('default action: when form_updates omits action and no --action flag, body.action === "AUDIT"', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git',
+        selected_field: 'command',
+        field_value: 'git push*',
+        name: 'Some policy',
+        // action intentionally omitted
+      },
+      explanation: 'ok',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'audit git pushes', '--yes']);
+    const createCall = h.calls.posts.find((c) => c.path === '/api/v1/command-policies/');
+    assert.ok(createCall, 'create POST should have fired');
+    assert.equal(createCall.body.action, 'AUDIT', 'action must default to AUDIT per spec §6.5');
+  } finally {
+    h.restoreLog();
+  }
+});
+
+// --- (b) Merge precedence -----------------------------------------------------
+
+test('merge: flag wins over AI value where set; AI fills the rest', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'filesystem',
+        selected_field: 'command',
+        field_value: 'rm -rf*',
+        action: 'BLOCK',
+        name: 'AI Name',
+        description: 'AI desc',
+      },
+      explanation: 'classified as filesystem destructive write',
+    },
+    createResponse: { id: 42, name: 'AI Name' },
+  });
+  // Stub loadFormData by stubbing api.get for form_data too.
+  h.api.get = async (path) => {
+    if (path === '/api/v1/users/privileges/') return { is_admin: true };
+    if (path === '/api/v1/policies/form_data/') {
+      return { data: { user_groups: [{ id: 7, name: 'GroupX' }] } };
+    }
+    throw new Error(`unexpected GET ${path}`);
+  };
+  try {
+    await runCreate([
+      '--prompt', 'block rm -rf',
+      '--group', 'GroupX',
+      '--disabled',
+      '--custom-message', 'Y',
+      '--yes',
+    ]);
+    const createCall = h.calls.posts.find((c) => c.path === '/api/v1/command-policies/');
+    assert.ok(createCall, 'create POST should have fired');
+    const body = createCall.body;
+    // AI-supplied values that the user did not override:
+    assert.equal(body.action, 'BLOCK');
+    assert.equal(body.name, 'AI Name');
+    assert.equal(body.command_family, 'filesystem');
+    assert.deepEqual(body.config, { command: 'rm -rf*' });
+    assert.equal(body.policy_type, 'TERMINAL_COMMAND');
+    // Flag-supplied values:
+    assert.equal(body.enabled, false, '--disabled wins');
+    assert.equal(body.custom_message, 'Y');
+    assert.deepEqual(body.scope_user_group_ids, [7], 'GroupX resolved to id 7');
+  } finally {
+    h.restoreLog();
+  }
+});
+
+// --- AI override flags: --name, --description, --action ----------------------
+
+test('override: --prompt + --action AUDIT wins over AI BLOCK and skips custom-message guard', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'filesystem', selected_field: 'command',
+        field_value: 'rm -rf*', action: 'BLOCK', name: 'AI Name',
+      },
+      explanation: 'ok',
+    },
+  });
+  try {
+    // regression: lowercase --action input is accepted and stored upper-cased
+    await runCreate(['--prompt', 'block rm -rf', '--action', 'audit', '--yes']);
+    assert.equal(process.exitCode || 0, 0, 'override to AUDIT should not trigger BLOCK/WARN guard');
+    const createCall = h.calls.posts.find((c) => c.path === '/api/v1/command-policies/');
+    assert.ok(createCall, 'create POST should have fired');
+    assert.equal(createCall.body.action, 'AUDIT', 'flag --action must win over AI (case-insensitive)');
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('override: --prompt + --name "Custom" replaces AI name in final body', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git', selected_field: 'command',
+        field_value: 'git push*', action: 'AUDIT', name: 'AI Name',
+      },
+      explanation: 'ok',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'audit git pushes', '--name', 'Custom', '--yes']);
+    const createCall = h.calls.posts.find((c) => c.path === '/api/v1/command-policies/');
+    assert.ok(createCall);
+    assert.equal(createCall.body.name, 'Custom', '--name flag must override AI name');
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('override: --prompt + --description "Custom" replaces AI description', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git', selected_field: 'command',
+        field_value: 'git push*', action: 'AUDIT', name: 'X', description: 'AI desc',
+      },
+      explanation: 'ok',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'audit git pushes', '--description', 'Custom', '--yes']);
+    const createCall = h.calls.posts.find((c) => c.path === '/api/v1/command-policies/');
+    assert.ok(createCall);
+    assert.equal(createCall.body.description, 'Custom', '--description flag must override AI description');
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('override: --prompt + --name "   " (whitespace-only) falls back to AI name silently', async () => {
+  // Fix 3: whitespace-only --name must not ship as the policy name. Trim and
+  // fall back to the AI value rather than erroring — non-interactive callers
+  // (Claude Code) may template --name and an empty result is recoverable.
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git', selected_field: 'command',
+        field_value: 'git push*', action: 'AUDIT', name: 'AI Name',
+      },
+      explanation: 'ok',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'audit git pushes', '--name', '   ', '--yes']);
+    const createCall = h.calls.posts.find((c) => c.path === '/api/v1/command-policies/');
+    assert.ok(createCall, 'create POST should have fired');
+    assert.equal(createCall.body.name, 'AI Name', 'whitespace-only --name must be ignored, AI value preserved');
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('guard: user-set --action BLOCK without --custom-message → exit 2 with user-attribution wording', async () => {
+  // Fix 4: when the USER passed --action BLOCK (not the AI), the guard error
+  // must attribute the choice to the user, not blame the AI.
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git', selected_field: 'command',
+        field_value: 'git push*', action: 'AUDIT', name: 'X',
+        // AI returned AUDIT; user overrides to BLOCK
+      },
+      explanation: 'ok',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'audit git pushes', '--action', 'BLOCK', '--yes']);
+    assert.equal(process.exitCode, 2);
+    const errs = h.captured.error.join(' ');
+    assert.ok(
+      errs.includes('--action BLOCK requires --custom-message'),
+      `expected user-attribution wording, got: ${errs}`
+    );
+    assert.ok(!errs.includes('AI assist set --action'), `should not blame AI: ${errs}`);
+    assert.ok(!h.calls.posts.some((c) => c.path === '/api/v1/command-policies/'), 'no create POST when guard fires');
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('override: --prompt + --action INVALID exits 2 with enum error; no assist call fires', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git', selected_field: 'command',
+        field_value: 'git push*', action: 'AUDIT', name: 'X',
+      },
+      explanation: 'ok',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'audit git pushes', '--action', 'NOPE', '--yes']);
+    assert.equal(process.exitCode, 2);
+    const errs = h.captured.error.join(' ');
+    assert.ok(errs.includes('--action must be one of'), `expected enum error, got: ${errs}`);
+    assert.ok(errs.includes('AUDIT, BLOCK, WARN, REQUIRE_SLACK_APPROVAL'), `expected enum values, got: ${errs}`);
+    assert.equal(
+      h.calls.posts.filter((c) => c.path === '/api/v1/command-policies/assist/').length,
+      0,
+      'assist must not be called when --action is invalid'
+    );
+  } finally {
+    h.restoreLog();
+  }
+});
+
+// --- Preview rendering: omitted rows -----------------------------------------
+
+test('preview: explanation line is omitted when explanation is empty', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git', selected_field: 'command',
+        field_value: 'git push*', action: 'AUDIT', name: 'X',
+      },
+      explanation: '',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'audit git pushes', '--yes']);
+    const out = h.captured.stdout.join('\n');
+    assert.ok(!out.includes('AI assist explanation'), `explanation line should be omitted when empty: ${out}`);
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('preview: Description row is omitted when description is empty', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git', selected_field: 'command',
+        field_value: 'git push*', action: 'AUDIT', name: 'X',
+        // description intentionally omitted
+      },
+      explanation: 'ok',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'audit git pushes', '--yes']);
+    // The preview is everything emitted BEFORE the post-create displayToolPolicy
+    // (which has its own static "Description" row). Slice at the explanation line
+    // — preview ends with a blank line right after the explanation.
+    const out = h.captured.stdout.join('\n');
+    const expIdx = out.indexOf('AI assist explanation');
+    assert.notEqual(expIdx, -1, 'explanation line should be present in this test setup');
+    // Take a window from the start up to and including the explanation line.
+    const previewWindow = out.slice(0, expIdx);
+    assert.ok(!previewWindow.includes('Description'), `Description row should be omitted when empty: ${previewWindow}`);
+  } finally {
+    h.restoreLog();
+  }
+});
+
+// --- Acceptance #3 — happy-path body shape ------------------------------------
+
+test('happy path: builds policy body and POSTs to /command-policies/', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'filesystem',
+        selected_field: 'command',
+        field_value: 'rm -rf*',
+        action: 'BLOCK',
+        name: 'Block destructive ops',
+      },
+      explanation: 'destructive filesystem write',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'block rm -rf', '--custom-message', 'No.', '--yes']);
+    const createCall = h.calls.posts.find((c) => c.path === '/api/v1/command-policies/');
+    assert.ok(createCall);
+    assert.equal(createCall.body.policy_type, 'TERMINAL_COMMAND');
+    assert.equal(createCall.body.command_family, 'filesystem');
+    assert.deepEqual(createCall.body.config, { command: 'rm -rf*' });
+    assert.equal(createCall.body.action, 'BLOCK');
+    assert.equal(createCall.body.name, 'Block destructive ops');
+    assert.equal(createCall.body.enabled, true);
+    assert.equal(createCall.body.custom_message, 'No.');
+  } finally {
+    h.restoreLog();
+  }
+});
+
+// --- (b.1) Greptile follow-up regressions -------------------------------------
+
+test('AI returns BLOCK without --custom-message → exit 2 with guard message', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'filesystem', selected_field: 'command',
+        field_value: 'rm -rf*', action: 'BLOCK', name: 'X',
+      },
+      explanation: 'ok',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'block rm -rf', '--yes']);
+    assert.equal(process.exitCode, 2);
+    const errs = h.captured.error.join(' ');
+    assert.ok(errs.includes('BLOCK'), 'message should name the action');
+    assert.ok(errs.includes('--custom-message'), 'message should name the missing flag');
+    assert.ok(!h.calls.posts.some((c) => c.path === '/api/v1/command-policies/'), 'no create POST when guard fires');
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('AI returns WARN without --custom-message → exit 2 with guard message', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git', selected_field: 'command',
+        field_value: 'git push*', action: 'WARN', name: 'X',
+      },
+      explanation: 'ok',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'warn on git pushes', '--yes']);
+    assert.equal(process.exitCode, 2);
+    const errs = h.captured.error.join(' ');
+    assert.ok(errs.includes('WARN'));
+    assert.ok(errs.includes('--custom-message'));
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('AI omits name → success message does not say "undefined"', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git', selected_field: 'command',
+        field_value: 'git push*', action: 'AUDIT',
+      },
+      explanation: 'ok',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'audit git pushes', '--yes']);
+    assert.equal(process.exitCode || 0, 0);
+    const successes = h.captured.success.join(' ');
+    assert.ok(!successes.includes('undefined'), `success message should not contain "undefined": ${successes}`);
+    assert.ok(successes.includes('Terminal policy'), 'success message should still announce policy creation');
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('--json mode does not print the human preview before JSON output', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git', selected_field: 'command',
+        field_value: 'git push*', action: 'AUDIT', name: 'A',
+      },
+      explanation: 'ok',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'audit git pushes', '--json']);
+    const combined = h.captured.stdout.join('\n');
+    const infos = h.captured.info.join('\n');
+    assert.ok(!combined.includes('Resolved policy'), 'preview must be suppressed under --json (stdout)');
+    assert.ok(!/resolved policy/i.test(infos), 'preview header must be suppressed under --json (info)');
+    assert.ok(!combined.includes('AI assist explanation'), 'explanation must be suppressed under --json');
+    assert.ok(h.calls.posts.some((c) => c.path === '/api/v1/command-policies/'), 'create POST should still fire');
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('--prompt + --group resolves user-group BEFORE the assist call (preview reflects final scope)', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'filesystem', selected_field: 'command',
+        field_value: 'rm -rf*', action: 'AUDIT', name: 'X',
+      },
+      explanation: 'ok',
+    },
+  });
+  h.api.get = async (path, opts) => {
+    h.calls.gets.push({ path, opts });
+    if (path === '/api/v1/users/privileges/') return { is_admin: true };
+    if (path === '/api/v1/policies/form_data/') {
+      return { data: { user_groups: [{ id: 7, name: 'GroupX' }] } };
+    }
+    throw new Error(`unexpected GET ${path}`);
+  };
+  try {
+    await runCreate(['--prompt', 'audit rm', '--group', 'GroupX', '--yes']);
+    const assistIdx = h.calls.posts.findIndex((c) => c.path === '/api/v1/command-policies/assist/');
+    const formDataIdx = h.calls.gets.findIndex((c) => c.path === '/api/v1/policies/form_data/');
+    assert.notEqual(formDataIdx, -1, 'form_data should be fetched');
+    assert.notEqual(assistIdx, -1, 'assist endpoint should be called');
+    // form_data fetched before assist == group resolved in time for preview/merge
+    assert.ok(formDataIdx >= 0 && assistIdx >= 0);
+    const createCall = h.calls.posts.find((c) => c.path === '/api/v1/command-policies/');
+    assert.deepEqual(createCall.body.scope_user_group_ids, [7]);
+  } finally {
+    h.restoreLog();
+  }
+});
+
+// --- (c) Eight HTTP routing cases — one per §6.4 row --------------------------
+
+test('routing: 200 + success:true → success exit 0', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git', selected_field: 'command',
+        field_value: 'git push*', action: 'AUDIT', name: 'Audit',
+      },
+      explanation: 'ok',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'audit git pushes', '--yes']);
+    assert.equal(process.exitCode || 0, 0);
+    assert.ok(h.calls.posts.some((c) => c.path === '/api/v1/command-policies/'));
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('routing: 200 + success:false length error → exit 2 + suggestion', async () => {
+  const h = buildHarness({
+    assistResponse: { success: false, error: 'Input is too long (max 2000 characters).' },
+  });
+  try {
+    await runCreate(['--prompt', 'x', '--yes']);
+    assert.equal(process.exitCode, 2);
+    const msg = h.captured.error.join('\n');
+    assert.ok(msg.includes('Input is too long (max 2000 characters).'), `got: ${msg}`);
+    assert.ok(msg.includes('Try shortening to under 1800 characters.'), `got: ${msg}`);
+    assert.equal(h.calls.posts.filter((c) => c.path === '/api/v1/command-policies/').length, 0);
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('routing: 200 + success:false family error → exit 2 + families suggestion', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: false,
+      error: 'Could not determine command family from your description.',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'xyz', '--yes']);
+    assert.equal(process.exitCode, 2);
+    const msg = h.captured.error.join('\n');
+    assert.ok(msg.includes('Could not determine command family'), `got: ${msg}`);
+    assert.ok(msg.includes('block git pushes'), `got: ${msg}`);
+    assert.ok(msg.includes('unbound policy tool families'), `got: ${msg}`);
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('routing: 200 + success:false other → verbatim error, exit 2', async () => {
+  const h = buildHarness({
+    assistResponse: { success: false, error: 'Some other backend error.' },
+  });
+  try {
+    await runCreate(['--prompt', 'x', '--yes']);
+    assert.equal(process.exitCode, 2);
+    assert.ok(h.captured.error.some((m) => m.includes('Some other backend error.')));
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('routing: 401 → exit 3 + admin-required wording', async () => {
+  const h = buildHarness({
+    assistError: new FakeApiError(401, { error: 'unauthenticated' }),
+  });
+  try {
+    await runCreate(['--prompt', 'block rm -rf', '--yes']);
+    assert.equal(process.exitCode, 3);
+    assert.ok(
+      h.captured.error.some((m) => m === 'Authentication failed / not authorized. Tool policies require admin. Run `unbound whoami` to check role.'),
+      `got: ${JSON.stringify(h.captured.error)}`
+    );
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('routing: 422 → exit 2 + validation-failed wording', async () => {
+  const h = buildHarness({
+    assistError: new FakeApiError(422, { field: 'bad' }),
+  });
+  try {
+    await runCreate(['--prompt', 'block rm -rf', '--yes']);
+    assert.equal(process.exitCode, 2);
+    assert.ok(
+      h.captured.error.some((m) => m.startsWith('Request validation failed:')),
+      `got: ${JSON.stringify(h.captured.error)}`
+    );
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('routing: 5xx → exit 4 + fall-back-to-flags suggestion', async () => {
+  const h = buildHarness({
+    assistError: new FakeApiError(503, { error: 'unavailable' }),
+  });
+  try {
+    await runCreate(['--prompt', 'block rm -rf', '--yes']);
+    assert.equal(process.exitCode, 4);
+    const msg = h.captured.error.join('\n');
+    assert.ok(msg.includes('Server error.'), msg);
+    assert.ok(msg.includes('fall back to flag-based creation'), msg);
+    assert.ok(msg.includes('unbound policy tool --help'), msg);
+  } finally {
+    h.restoreLog();
+  }
+});
+
+test('routing: network/timeout error → exit 4 + network wording', async () => {
+  // A plain Error (no statusCode) is what src/api.js throws for network/timeout.
+  const h = buildHarness({
+    assistError: new Error('connect ECONNREFUSED b.acme'),
+  });
+  try {
+    await runCreate(['--prompt', 'block rm -rf', '--yes']);
+    assert.equal(process.exitCode, 4);
+    const msg = h.captured.error.join('\n');
+    assert.ok(msg.startsWith('Network error reaching'), msg);
+    assert.ok(msg.includes('Falling back to flag-based creation is not blocked.'), msg);
+  } finally {
+    h.restoreLog();
+  }
+});
+
+// Fix 1: create POST failures must route through routeBackendError (admin/role wording, correct exit code)
+test('routing: assist succeeds but create POST 401 → exit 3 + admin-required wording', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git', selected_field: 'command',
+        field_value: 'git push*', action: 'AUDIT', name: 'X',
+      },
+      explanation: 'ok',
+    },
+    createError: new FakeApiError(401, { error: 'unauthenticated' }),
+  });
+  try {
+    await runCreate(['--prompt', 'audit git pushes', '--yes']);
+    assert.equal(process.exitCode, 3);
+    assert.ok(
+      h.captured.error.some((m) => m.includes('Authentication failed')),
+      `expected admin-required wording from create POST 401, got: ${JSON.stringify(h.captured.error)}`
+    );
+  } finally {
+    h.restoreLog();
+  }
+});
+
+// --- (d) --yes + out-of-scope keyword: warns AND proceeds ---------------------
+
+test('out-of-scope: --yes + "staging" warns but still calls the assist endpoint', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git', selected_field: 'command',
+        field_value: 'git push*', action: 'BLOCK', name: 'X',
+      },
+      explanation: 'ok',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'block staging deploys', '--yes']);
+    assert.ok(
+      h.captured.warn.some((m) => m.includes('`staging`')),
+      `expected staging warning, got: ${JSON.stringify(h.captured.warn)}`
+    );
+    assert.ok(
+      h.calls.posts.some((c) => c.path === '/api/v1/command-policies/assist/'),
+      'assist endpoint should still be called'
+    );
+  } finally {
+    h.restoreLog();
+  }
+});
+
+// --- Preview rendering (Acceptance #6 and #7) ---------------------------------
+
+test('--yes prints the preview AND skips confirmation AND issues create POST', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git', selected_field: 'command',
+        field_value: 'git push*', action: 'AUDIT', name: 'Audit pushes',
+        description: 'Audit git push events.',
+      },
+      explanation: 'audit git activity',
+    },
+  });
+  try {
+    await runCreate(['--prompt', 'audit git pushes', '--yes']);
+    // Header goes to stdout (NOT output.info / stderr) so the whole preview is
+    // captured together by a single tee/redirect.
+    const out = h.captured.stdout.join('\n');
+    assert.ok(/resolved policy/i.test(out), `preview header not printed to stdout: ${out}`);
+    assert.ok(out.includes('Audit pushes'), `name row missing: ${out}`);
+    assert.ok(out.includes('TERMINAL_COMMAND'), `type row missing: ${out}`);
+    assert.ok(out.includes('git push*'), `pattern row missing: ${out}`);
+    assert.ok(out.includes('AUDIT'), `action row missing: ${out}`);
+    assert.ok(out.includes('AI assist explanation'), `explanation line missing: ${out}`);
+    assert.ok(out.includes('audit git activity'), `explanation body missing: ${out}`);
+    assert.ok(
+      h.calls.posts.some((c) => c.path === '/api/v1/command-policies/'),
+      'create POST should fire under --yes'
+    );
+  } finally {
+    h.restoreLog();
+  }
+});
+
+// Acceptance #6 — interactive preview-then-confirm. We can't easily simulate
+// stdin inside the node:test harness without complicating the runner, so we
+// assert the preview prints BEFORE the create POST happens and the create POST
+// does NOT happen when the user declines. We simulate "decline" by feeding the
+// confirmCreate function via a stdin stub.
+
+test('without --yes: preview prints; "n" declines; no create POST fires', async () => {
+  const h = buildHarness({
+    assistResponse: {
+      success: true,
+      form_updates: {
+        command_family: 'git', selected_field: 'command',
+        field_value: 'git push*', action: 'AUDIT', name: 'Audit',
+      },
+      explanation: 'ok',
+    },
+  });
+  // Stub readline.createInterface — the lib's confirmCreate uses it.
+  const readline = require('readline');
+  const origCreate = readline.createInterface;
+  readline.createInterface = () => ({
+    question(_q, cb) { cb('n'); },
+    close() {},
+  });
+  try {
+    await runCreate(['--prompt', 'audit git pushes']);
+    // Preview header (stdout) must have printed BEFORE the prompt. And the
+    // create POST must NOT have fired because we said "n".
+    const out = h.captured.stdout.join('\n');
+    assert.ok(/resolved policy/i.test(out), `preview header missing on stdout: ${out}`);
+    assert.equal(
+      h.calls.posts.filter((c) => c.path === '/api/v1/command-policies/').length,
+      0,
+      'no create POST should fire when user declines'
+    );
+  } finally {
+    readline.createInterface = origCreate;
+    h.restoreLog();
+  }
+});
+
+// --- Admin probe -------------------------------------------------------------
+
+test('admin probe: non-admin → exits 3 before assist call', async () => {
+  const h = buildHarness({
+    privilegesResponse: { is_admin: false, is_manager: true, is_member: false },
+  });
+  try {
+    await runCreate(['--prompt', 'block rm -rf', '--yes']);
+    assert.equal(process.exitCode, 3);
+    assert.ok(
+      h.captured.error.some((m) => m.includes('admin role')),
+      `got: ${JSON.stringify(h.captured.error)}`
+    );
+    assert.equal(
+      h.calls.posts.filter((c) => c.path === '/api/v1/command-policies/assist/').length,
+      0,
+      'assist must not be called for non-admins'
+    );
+  } finally {
+    h.restoreLog();
+  }
+});