unbound-cli 1.6.3 → 1.6.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "1.6.3",
+  "version": "1.6.4",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/scripts/verify-nuke-ubuntu.sh

@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+# WEB-4922 end-to-end verification: `sudo unbound nuke` removes /opt/unbound
+# (plus newsyslog conf + log dir) on Linux when invoked as root.
+#
+# Runs ENTIRELY inside a fresh ubuntu:24.04 container — the host's filesystem
+# is mounted read-only and the repo is copied into the container before
+# `npm link`, so the host's real /opt/unbound (if any) is never touched.
+#
+# Usage: ./scripts/verify-nuke-ubuntu.sh
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+
+if ! command -v docker >/dev/null 2>&1; then
+  echo "FAIL: docker not on PATH" >&2
+  exit 2
+fi
+
+echo "Running WEB-4922 nuke verification inside ubuntu:24.04..."
+echo "Host repo (mounted read-only): $REPO_ROOT"
+echo
+
+docker run --rm \
+  -v "$REPO_ROOT:/repo:ro" \
+  ubuntu:24.04 bash -c '
+set -euo pipefail
+
+# Refuse to run on a host (e.g. if someone copy-pastes this heredoc into a
+# terminal): /.dockerenv is created by the docker engine in every container
+# but never exists on a real host.
+[ -f /.dockerenv ] || { echo "FAIL: refusing to run outside a container" >&2; exit 99; }
+
+echo "[setup] installing node + curl..."
+export DEBIAN_FRONTEND=noninteractive
+apt-get update -qq >/dev/null
+apt-get install -y -qq curl ca-certificates >/dev/null
+curl -fsSL https://deb.nodesource.com/setup_20.x | bash - >/dev/null 2>&1
+apt-get install -y -qq nodejs >/dev/null
+
+# Copy repo into a writable spot — host mount is read-only.
+cp -R /repo /work
+cd /work
+echo "[setup] npm link..."
+npm link --silent >/dev/null 2>&1
+
+# Fake the pkg layout from setup/packaging/pkg/postinstall.
+echo "[setup] faking /opt/unbound + newsyslog + log dir..."
+mkdir -p /opt/unbound/0.1.5/unbound-hook
+mkdir -p /opt/unbound/0.1.5/unbound-discovery
+mkdir -p /opt/unbound/etc
+echo "#!fake binary" > /opt/unbound/0.1.5/unbound-hook/unbound-hook
+echo "#!fake binary" > /opt/unbound/0.1.5/unbound-discovery/unbound-discovery
+echo "{}" > /opt/unbound/etc/discovery.json
+ln -sfn /opt/unbound/0.1.5 /opt/unbound/current
+mkdir -p /etc/newsyslog.d
+echo "# rotate" > /etc/newsyslog.d/ai.getunbound.conf
+mkdir -p /var/log/unbound
+echo "old log" > /var/log/unbound/discovery.log
+
+echo
+echo "===== BEFORE ====="
+ls -la /opt/unbound
+ls -la /etc/newsyslog.d/ai.getunbound.conf
+ls -la /var/log/unbound
+echo
+
+# EUID 0 inside the container, so hasRootPrivileges() returns true and the
+# includeMdm branch (where removeBinaryInstall is called) runs.
+# Per-tool MDM clears WILL fail (no real tool installs) — that is best-effort
+# and must not abort the binary install removal.
+echo "[run] unbound nuke --yes (per-tool clears may noisily fail; that is fine)"
+unbound nuke --yes || true
+
+echo
+echo "===== AFTER ====="
+ls -la /opt/unbound 2>/dev/null || echo "(gone) /opt/unbound"
+ls -la /etc/newsyslog.d/ai.getunbound.conf 2>/dev/null || echo "(gone) /etc/newsyslog.d/ai.getunbound.conf"
+ls -la /var/log/unbound 2>/dev/null || echo "(gone) /var/log/unbound"
+echo
+
+FAIL=0
+[ ! -e /opt/unbound ]                           || { echo "FAIL: /opt/unbound survived"; FAIL=1; }
+[ ! -e /etc/newsyslog.d/ai.getunbound.conf ]    || { echo "FAIL: newsyslog conf survived"; FAIL=1; }
+[ ! -e /var/log/unbound ]                       || { echo "FAIL: log dir survived"; FAIL=1; }
+if [ "$FAIL" = "0" ]; then
+  echo "PASS: WEB-4922 Ubuntu container — all binary install artifacts removed"
+  exit 0
+else
+  echo "FAIL: at least one artifact survived"
+  exit 1
+fi
+'

package/src/commands/setup.js

@@ -390,6 +390,85 @@ function clearUnboundEnvsEverywhere() {
   return cleared;
 }
 
+// Layout written by the setup pkg's postinstall (setup repo @ 41ca7b2 —
+// packaging/pkg/postinstall + pkg/ai.getunbound.discovery.plist). Hard-coded;
+// never accept user input here. Frozen so a misbehaving test can't mutate the
+// production paths for the rest of the process.
+const BINARY_INSTALL_PATHS = Object.freeze({
+  optDir: '/opt/unbound',
+  daemonPlist: '/Library/LaunchDaemons/ai.getunbound.discovery.plist',
+  daemonLabel: 'ai.getunbound.discovery',
+  newsyslogConf: '/etc/newsyslog.d/ai.getunbound.conf',
+  logDir: '/var/log/unbound',
+});
+
+// Tears down the privileged binary install. Best-effort: a failure on any
+// single path is logged via output.warn AND pushed onto the returned
+// `failed` array, but never aborts the rest. Bootout the daemon FIRST so
+// its supervisor doesn't relaunch mid-rm. Callers MUST gate this on root.
+// Returns { removed, failed } — both labelled lists; nuke folds `failed`
+// into its closing summary so a partial wipe doesn't print "success".
+// Path overrides + `runLaunchctl` exist so tests stay hermetic — see
+// test/setup-args.test.js. Safety net: any production-default path (or
+// daemonLabel, when runLaunchctl is true) requires the caller to explicitly
+// pass `_confirmProductionPaths:true` — dev machines often have a real
+// install, and a forgotten override would wipe it. Production sets the
+// flag; tests omit it and rely on the throw.
+function removeBinaryInstall({
+  optDir = BINARY_INSTALL_PATHS.optDir,
+  daemonPlist = BINARY_INSTALL_PATHS.daemonPlist,
+  daemonLabel = BINARY_INSTALL_PATHS.daemonLabel,
+  newsyslogConf = BINARY_INSTALL_PATHS.newsyslogConf,
+  logDir = BINARY_INSTALL_PATHS.logDir,
+  runLaunchctl = process.platform === 'darwin',
+  _confirmProductionPaths = false,
+} = {}) {
+  const usesProdDefaults =
+    optDir === BINARY_INSTALL_PATHS.optDir ||
+    daemonPlist === BINARY_INSTALL_PATHS.daemonPlist ||
+    newsyslogConf === BINARY_INSTALL_PATHS.newsyslogConf ||
+    logDir === BINARY_INSTALL_PATHS.logDir ||
+    (runLaunchctl && daemonLabel === BINARY_INSTALL_PATHS.daemonLabel);
+  if (usesProdDefaults && !_confirmProductionPaths) {
+    throw new Error('removeBinaryInstall: production-default path(s) used without _confirmProductionPaths:true — pass tmp overrides or set the flag explicitly');
+  }
+  const removed = [];
+  const failed = [];
+  if (runLaunchctl) {
+    // spawnSync does NOT throw on non-zero exit — it returns { status, error,
+    // stderr }. Treat "Could not find specified service" / "No such process"
+    // as the legitimate "daemon not loaded" case (first install, already
+    // booted out) and swallow it. Surface anything else so the operator knows
+    // the bootout-then-rm ordering may have lost the race.
+    const r = spawnSync('launchctl', ['bootout', `system/${daemonLabel}`], { stdio: 'pipe' });
+    const stderr = r.stderr ? r.stderr.toString().trim() : '';
+    if (r.error) {
+      output.warn(`nuke: launchctl bootout failed to spawn: ${r.error.message}`);
+      failed.push(`launchctl bootout ${daemonLabel}`);
+    } else if (r.status !== 0 && !/Could not find specified service|No such process/i.test(stderr)) {
+      output.warn(`nuke: launchctl bootout exited ${r.status}: ${stderr || '(no stderr)'}`);
+      failed.push(`launchctl bootout ${daemonLabel}`);
+    }
+  }
+  const targets = [
+    ['LaunchDaemon plist', daemonPlist],
+    ['newsyslog conf', newsyslogConf],
+    ['log dir', logDir],
+    ['install tree', optDir],
+  ];
+  for (const [label, p] of targets) {
+    try {
+      if (!fs.existsSync(p)) continue;
+      fs.rmSync(p, { recursive: true, force: true });
+      removed.push(`${label} (${p})`);
+    } catch (err) {
+      output.warn(`nuke: failed to remove ${label} (${p}): ${err.message}`);
+      failed.push(`${label} (${p})`);
+    }
+  }
+  return { removed, failed };
+}
+
 /**
  * Returns true when the process has the privileges needed to touch system-level
  * (MDM) configuration. On Windows, `net session` succeeds only when elevated, so
@@ -956,9 +1035,21 @@ Examples:
 
         // MDM clears need root and touch all users — run them only when we have it.
         let mdmFailed = [];
+        let binaryFailed = [];
         if (includeMdm) {
           const mdmTools = Object.keys(MDM_TOOLS).map(name => ({ name, ...MDM_TOOLS[name] }));
           mdmFailed = await clearToolsBestEffort('mdm', mdmTools, { mdm: true, backendUrl, gatewayUrl });
+
+          // Root-only by construction (gated on includeMdm). No-op when no binary
+          // install is present (python-only setups) and on Windows.
+          // `_confirmProductionPaths` is the explicit "this is the real call site"
+          // ack — the function refuses production defaults without it as a guard
+          // against tests forgetting to override paths.
+          const { removed: binaryRemoved, failed: bf } = removeBinaryInstall({ _confirmProductionPaths: true });
+          binaryFailed = bf;
+          if (binaryRemoved.length) {
+            output.info(`Removed binary install: ${binaryRemoved.join('; ')}.`);
+          }
         } else {
           output.info('Skipped MDM (system-level) config — that needs root. Re-run with sudo to remove it too.');
         }
@@ -975,12 +1066,12 @@ Examples:
         output.success('Stored credentials and settings removed.');
 
         console.log('');
-        const failed = [...userFailed, ...mdmFailed];
+        const failed = [...userFailed, ...mdmFailed, ...binaryFailed];
         const scope = includeMdm ? 'on this device' : 'for your user';
         if (failed.length === 0) {
           output.success(`Unbound removed ${scope}. The CLI is back to a fresh state — run "unbound login" to start over.`);
         } else {
-          output.warn(`Done ${scope}, but ${failed.length} tool clear(s) reported issues: ${failed.join(', ')}. Credentials were still removed.`);
+          output.warn(`Done ${scope}, but ${failed.length} step(s) reported issues: ${failed.join(', ')}. Credentials were still removed.`);
         }
       } catch (err) {
         output.error(err.message);
@@ -1049,4 +1140,6 @@ module.exports = {
   resolveSetupAllTools,
   clearUnboundEnvsEverywhere,
   NUKE_ENV_VARS,
+  removeBinaryInstall,
+  BINARY_INSTALL_PATHS,
 };

package/test/setup-args.test.js

@@ -3,7 +3,7 @@ const assert = require('node:assert/strict');
 const fs = require('fs');
 const os = require('os');
 const path = require('path');
-const { buildScriptArgs, scriptSupportsBackfill, resolveSetupAllTools, clearUnboundEnvsEverywhere, NUKE_ENV_VARS } = require('../src/commands/setup');
+const { buildScriptArgs, scriptSupportsBackfill, resolveSetupAllTools, clearUnboundEnvsEverywhere, NUKE_ENV_VARS, removeBinaryInstall, BINARY_INSTALL_PATHS } = require('../src/commands/setup');
 
 // shellEscape single-quotes every value, so a real key surfaces as
 // --api-key '<key>' at the head of the argv tail.
@@ -219,3 +219,180 @@ if (process.platform !== 'win32') {
     }
   });
 }
+
+// All assertions below route through path overrides into a tmp dir and force
+// runLaunchctl:false — the real /opt/unbound + /Library/LaunchDaemons/... are
+// never touched (the dev host has a real binary install).
+function makeFakeBinaryInstall() {
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-bin-'));
+  const optDir = path.join(tmp, 'opt', 'unbound');
+  const versionDir = path.join(optDir, '0.1.5');
+  fs.mkdirSync(path.join(versionDir, 'unbound-hook'), { recursive: true });
+  fs.mkdirSync(path.join(versionDir, 'unbound-discovery'), { recursive: true });
+  fs.writeFileSync(path.join(versionDir, 'unbound-hook', 'unbound-hook'), '#!fake binary\n');
+  fs.writeFileSync(path.join(versionDir, 'unbound-discovery', 'unbound-discovery'), '#!fake binary\n');
+  fs.mkdirSync(path.join(optDir, 'etc'), { recursive: true });
+  fs.writeFileSync(path.join(optDir, 'etc', 'discovery.json'), '{}');
+  fs.symlinkSync(versionDir, path.join(optDir, 'current'));
+  const daemonPlist = path.join(tmp, 'Library', 'LaunchDaemons', 'ai.getunbound.discovery.plist');
+  fs.mkdirSync(path.dirname(daemonPlist), { recursive: true });
+  fs.writeFileSync(daemonPlist, '<plist/>');
+  const newsyslogConf = path.join(tmp, 'etc', 'newsyslog.d', 'ai.getunbound.conf');
+  fs.mkdirSync(path.dirname(newsyslogConf), { recursive: true });
+  fs.writeFileSync(newsyslogConf, '# rotate\n');
+  const logDir = path.join(tmp, 'var', 'log', 'unbound');
+  fs.mkdirSync(logDir, { recursive: true });
+  fs.writeFileSync(path.join(logDir, 'discovery.log'), 'old logs\n');
+  return { tmp, optDir, daemonPlist, newsyslogConf, logDir };
+}
+
+test('removeBinaryInstall: full install layout — wipes plist + newsyslog + logs + /opt/unbound', () => {
+  const fx = makeFakeBinaryInstall();
+  try {
+    const { removed, failed } = removeBinaryInstall({
+      optDir: fx.optDir,
+      daemonPlist: fx.daemonPlist,
+      newsyslogConf: fx.newsyslogConf,
+      logDir: fx.logDir,
+      runLaunchctl: false,
+    });
+    assert.equal(removed.length, 4, `expected 4 removed, got ${JSON.stringify(removed)}`);
+    assert.deepEqual(failed, [], `unexpected failures: ${JSON.stringify(failed)}`);
+    assert.ok(!fs.existsSync(fx.optDir), 'optDir survived');
+    assert.ok(!fs.existsSync(fx.daemonPlist), 'plist survived');
+    assert.ok(!fs.existsSync(fx.newsyslogConf), 'newsyslog survived');
+    assert.ok(!fs.existsSync(fx.logDir), 'logDir survived');
+    // Each label appears in the summary so `unbound nuke` output names what went.
+    for (const label of ['LaunchDaemon plist', 'newsyslog conf', 'log dir', 'install tree']) {
+      assert.ok(removed.some(s => s.startsWith(label)), `summary missing ${label}: ${removed.join('; ')}`);
+    }
+  } finally {
+    fs.rmSync(fx.tmp, { recursive: true, force: true });
+  }
+});
+
+test('removeBinaryInstall: nothing present (python-only install) — returns empty lists silently', () => {
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-bin-empty-'));
+  try {
+    const { removed, failed } = removeBinaryInstall({
+      optDir: path.join(tmp, 'opt', 'unbound'),
+      daemonPlist: path.join(tmp, 'Library', 'LaunchDaemons', 'ai.getunbound.discovery.plist'),
+      newsyslogConf: path.join(tmp, 'etc', 'newsyslog.d', 'ai.getunbound.conf'),
+      logDir: path.join(tmp, 'var', 'log', 'unbound'),
+      runLaunchctl: false,
+    });
+    assert.deepEqual(removed, []);
+    assert.deepEqual(failed, []);
+  } finally {
+    fs.rmSync(tmp, { recursive: true, force: true });
+  }
+});
+
+test('removeBinaryInstall: partial install (only /opt/unbound, no daemon/log) — removes what exists', () => {
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-bin-partial-'));
+  const optDir = path.join(tmp, 'opt', 'unbound');
+  fs.mkdirSync(optDir, { recursive: true });
+  fs.writeFileSync(path.join(optDir, 'marker'), 'x');
+  try {
+    const { removed, failed } = removeBinaryInstall({
+      optDir,
+      daemonPlist: path.join(tmp, 'Library', 'LaunchDaemons', 'ai.getunbound.discovery.plist'),
+      newsyslogConf: path.join(tmp, 'etc', 'newsyslog.d', 'ai.getunbound.conf'),
+      logDir: path.join(tmp, 'var', 'log', 'unbound'),
+      runLaunchctl: false,
+    });
+    assert.equal(removed.length, 1);
+    assert.ok(removed[0].startsWith('install tree'), removed[0]);
+    assert.deepEqual(failed, []);
+    assert.ok(!fs.existsSync(optDir));
+  } finally {
+    fs.rmSync(tmp, { recursive: true, force: true });
+  }
+});
+
+// Bugbot: when a removal step fails (e.g. plist locked by launchd), it must
+// land in the returned `failed` list AND not appear in `removed`, so the
+// outer nuke summary surfaces a partial wipe instead of printing "success".
+test('removeBinaryInstall: rm failure surfaces in `failed`, not `removed`', () => {
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-bin-rmfail-'));
+  // Pass an existsSync-true path that fs.rmSync can't remove. The simplest
+  // way to force rmSync to throw is to point optDir at a regular file owned
+  // by another process — but cross-platform that's flaky. Instead, monkey-
+  // patch fs.rmSync just for this call to simulate the real-world EBUSY.
+  const optDir = path.join(tmp, 'opt', 'unbound');
+  fs.mkdirSync(optDir, { recursive: true });
+  const realRmSync = fs.rmSync;
+  fs.rmSync = (p, opts) => {
+    if (p === optDir) throw new Error('EBUSY: resource busy or locked');
+    return realRmSync(p, opts);
+  };
+  try {
+    const { removed, failed } = removeBinaryInstall({
+      optDir,
+      daemonPlist: path.join(tmp, 'plist'),
+      newsyslogConf: path.join(tmp, 'newsyslog'),
+      logDir: path.join(tmp, 'log'),
+      runLaunchctl: false,
+    });
+    assert.deepEqual(removed, [], 'install tree must not be in removed when rmSync threw');
+    assert.equal(failed.length, 1, `expected 1 failure, got ${JSON.stringify(failed)}`);
+    assert.ok(failed[0].startsWith('install tree'), failed[0]);
+  } finally {
+    fs.rmSync = realRmSync;
+    realRmSync(tmp, { recursive: true, force: true });
+  }
+});
+
+// Guards against accidental drift of the hard-coded paths.
+test('BINARY_INSTALL_PATHS: defaults match setup/packaging/pkg/postinstall layout', () => {
+  assert.equal(BINARY_INSTALL_PATHS.optDir, '/opt/unbound');
+  assert.equal(BINARY_INSTALL_PATHS.daemonPlist, '/Library/LaunchDaemons/ai.getunbound.discovery.plist');
+  assert.equal(BINARY_INSTALL_PATHS.daemonLabel, 'ai.getunbound.discovery');
+  assert.equal(BINARY_INSTALL_PATHS.newsyslogConf, '/etc/newsyslog.d/ai.getunbound.conf');
+  assert.equal(BINARY_INSTALL_PATHS.logDir, '/var/log/unbound');
+});
+
+// Safety net: dev machines often have a real /opt/unbound install. Calling
+// removeBinaryInstall with ANY production-default path requires the explicit
+// `_confirmProductionPaths:true` ack, so a no-override test (or refactor
+// drift) fails loudly instead of wiping the dev's real install. This works
+// regardless of NODE_ENV — production sets the ack, tests don't.
+test('removeBinaryInstall: refuses production-default paths without _confirmProductionPaths', () => {
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'unbound-bin-guard-'));
+  try {
+    assert.throws(() => removeBinaryInstall(),
+      /_confirmProductionPaths/, 'no-arg call must throw');
+    // Partial override (logDir left at production) must throw.
+    assert.throws(() => removeBinaryInstall({
+      optDir: path.join(tmp, 'opt', 'unbound'),
+      daemonPlist: path.join(tmp, 'plist'),
+      newsyslogConf: path.join(tmp, 'newsyslog'),
+      runLaunchctl: false,
+    }), /_confirmProductionPaths/, 'partial override leaving logDir defaulted must throw');
+    // Greptile P2: daemonLabel must be checked when runLaunchctl is true.
+    // All four paths overridden, but default daemonLabel + runLaunchctl:true
+    // → would call `launchctl bootout system/ai.getunbound.discovery` on the
+    // real host. Must throw.
+    assert.throws(() => removeBinaryInstall({
+      optDir: path.join(tmp, 'opt', 'unbound'),
+      daemonPlist: path.join(tmp, 'plist'),
+      newsyslogConf: path.join(tmp, 'newsyslog'),
+      logDir: path.join(tmp, 'log'),
+      runLaunchctl: true,
+    }), /_confirmProductionPaths/, 'default daemonLabel with runLaunchctl:true must throw');
+    // Full override with runLaunchctl:false does NOT throw (no prod surface).
+    assert.doesNotThrow(() => removeBinaryInstall({
+      optDir: path.join(tmp, 'opt', 'unbound'),
+      daemonPlist: path.join(tmp, 'plist'),
+      newsyslogConf: path.join(tmp, 'newsyslog'),
+      logDir: path.join(tmp, 'log'),
+      runLaunchctl: false,
+    }));
+  } finally {
+    fs.rmSync(tmp, { recursive: true, force: true });
+  }
+});
+
+test('BINARY_INSTALL_PATHS: is frozen', () => {
+  assert.ok(Object.isFrozen(BINARY_INSTALL_PATHS));
+});