unbound-cli 0.1.11 → 0.2.1

package/README.md

@@ -14,7 +14,7 @@ npm install -g unbound-cli
 # Login via browser
 unbound login
 
-# Or login with an API key
+# Or login with an API key (for CI/CD or headless environments)
 unbound login --api-key <your-api-key>
 
 # Check who you are
@@ -23,7 +23,10 @@ unbound whoami
 # List policies
 unbound policy list
 
-# Set up Cursor to use Unbound
+# Set up multiple tools interactively
+unbound setup
+
+# Set up a single tool
 unbound setup cursor
 ```
 
@@ -33,11 +36,79 @@ unbound setup cursor
 
 | Command | Description |
 |---------|-------------|
-| `unbound login` | Sign in via browser or `--api-key` |
+| `unbound login` | Sign in via browser |
+| `unbound login --api-key <key>` | Sign in with an API key (non-interactive) |
+| `unbound login --domain <domain>` | Sign in via a custom domain |
 | `unbound logout` | Remove stored credentials |
 | `unbound whoami` | Show current user, org, and role |
 | `unbound status` | Show CLI status and API connectivity |
 
+### Tool Setup
+
+Interactive batch setup:
+
+| Command | Description |
+|---------|-------------|
+| `unbound setup` | Select and install multiple tools interactively |
+
+Automated setup (downloads scripts, sets env vars, configures tool):
+
+| Command | Description |
+|---------|-------------|
+| `unbound setup cursor` | Download hooks, set env, restart Cursor |
+| `unbound setup claude-code` | Interactive mode selection (subscription or gateway) |
+| `unbound setup claude-code --subscription` | Hooks only (keep your Claude subscription) |
+| `unbound setup claude-code --gateway` | Use Unbound as the AI provider |
+| `unbound setup gemini-cli` | Set GEMINI_API_KEY and base URL |
+| `unbound setup codex` | Interactive mode selection (subscription or gateway) |
+| `unbound setup codex --subscription` | Hooks only (keep your OpenAI subscription) |
+| `unbound setup codex --gateway` | Use Unbound as the AI provider |
+
+Instruction-only (shows API key and base URL to configure manually):
+
+| Command | Description |
+|---------|-------------|
+| `unbound setup roo-code` | Show Roo Code config values |
+| `unbound setup cline` | Show Cline config values |
+| `unbound setup kilo-code` | Show Kilo Code config values |
+| `unbound setup custom-access` | Show API key and base URL for direct API access |
+
+Remove configuration:
+
+| Command | Description |
+|---------|-------------|
+| `unbound setup cursor --clear` | Remove Unbound config for Cursor |
+| `unbound setup claude-code --clear` | Remove Unbound config for Claude Code |
+| `unbound setup gemini-cli --clear` | Remove Unbound config for Gemini CLI |
+| `unbound setup codex --clear` | Remove Unbound config for Codex |
+
+### MDM Setup (Admin)
+
+Configure all users on a device via MDM. Requires root.
+
+| Command | Description |
+|---------|-------------|
+| `sudo unbound setup mdm --admin-api-key KEY --all` | Set up all tools |
+| `sudo unbound setup mdm --admin-api-key KEY cursor codex-subscription` | Set up specific tools |
+| `sudo unbound setup mdm --admin-api-key KEY --clear cursor` | Remove config for specific tools |
+
+Available tools: `cursor`, `claude-code-subscription`, `claude-code-gateway`, `gemini-cli`, `codex-subscription`, `codex-gateway`
+
+`claude-code-subscription` and `claude-code-gateway` are mutually exclusive. `codex-subscription` and `codex-gateway` are mutually exclusive. When using `--all`, subscription mode is used by default for Claude Code and Codex.
+
+### MDM AI Tools Discovery
+
+Scan a device for installed AI coding tools and report findings to Unbound. Uses a separate discovery-specific API key. `--domain` defaults to `https://backend.getunbound.ai`.
+
+| Command | Description |
+|---------|-------------|
+| `sudo unbound discover --api-key KEY` | Scan all users on the device (requires root) |
+| `unbound discover --api-key KEY` | Scan current user only |
+| `sudo unbound discover --api-key KEY --domain URL` | Scan with a custom backend URL |
+| `unbound discover schedule --api-key KEY` | Set up 12-hour recurring scan (macOS only) |
+| `unbound discover unschedule` | Remove the scheduled scan |
+| `unbound discover status` | Show scan schedule and log paths |
+
 ### Policies (Admin only)
 
 | Command | Description |
@@ -80,28 +151,7 @@ Alias: `unbound groups` works the same as `unbound user-groups`.
 | `unbound tools connect <type>` | Connect a tool |
 | `unbound tools approved` | List approved tool types |
 
-Supported tool types: `CLAUDE_CODE`, `CURSOR`, `COPILOT`, `ROO_CODE`, `CLINE`, `GEMINI_CLI`, `CODEX`, `KILO_CODE`, `CUSTOM_ACCESS`
-
-### Setup
-
-Automated setup (downloads scripts, sets env vars, configures tool):
-
-| Command | Description |
-|---------|-------------|
-| `unbound setup cursor` | Download hooks, set env, restart Cursor |
-| `unbound setup claude-code` | Configure gateway + install hooks |
-| `unbound setup gemini-cli` | Set GEMINI_API_KEY and base URL |
-| `unbound setup codex` | Set OPENAI_API_KEY and base URL |
-
-Instruction-only (shows API key and base URL to configure manually):
-
-| Command | Description |
-|---------|-------------|
-| `unbound setup roo-code` | Show Roo Code config values |
-| `unbound setup cline` | Show Cline config values |
-| `unbound setup kilo-code` | Show Kilo Code config values |
-| `unbound setup custom-access` | Show API key and base URL for direct API access |
-
+Supported tool types: `CLAUDE_CODE`, `UNBOUND_CLAUDE_CODE`, `CURSOR`, `COPILOT`, `ROO_CODE`, `CLINE`, `GEMINI_CLI`, `CODEX`, `UNBOUND_CODEX`, `KILO_CODE`, `CUSTOM_ACCESS`
 
 ## Configuration
 
@@ -117,7 +167,6 @@ Config is stored in `~/.unbound/config.json`.
 2. `frontend_url` in `~/.unbound/config.json` (set via `unbound config set-frontend-url`)
 3. Default: `https://gateway.getunbound.ai`
 
-
 ## Global Options
 
 All list/get commands support `--json` for machine-readable JSON output.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "0.1.11",
+  "version": "0.2.1",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/commands/discover.js

@@ -0,0 +1,210 @@
+const { spawn, execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const output = require('../output');
+
+const DISCOVER_BASE_URL = 'https://raw.githubusercontent.com/websentry-ai/coding-discovery-tool/refs/heads/main';
+const DEFAULT_DOMAIN = 'https://backend.getunbound.ai';
+const LAUNCH_AGENT_LABEL = 'ai.getunbound.discovery';
+
+function isRoot() {
+  if (process.platform === 'win32') return false;
+  return typeof process.getuid === 'function' && process.getuid() === 0;
+}
+
+/**
+ * Downloads a bash script from the discovery repo and executes it with arguments.
+ * Uses stdio: 'inherit' so the script's output is shown live.
+ */
+function runDiscoveryScript(scriptName, args) {
+  return new Promise((resolve, reject) => {
+    const url = `${DISCOVER_BASE_URL}/${scriptName}`;
+    const cmd = `curl -fsSL "${url}" | bash -s -- ${args}`;
+
+    const child = spawn(cmd, { shell: true, stdio: 'inherit' });
+
+    child.on('close', (code) => {
+      if (code === 0) {
+        resolve();
+      } else {
+        reject(new Error(`Discovery script failed with exit code ${code}`));
+      }
+    });
+
+    child.on('error', reject);
+  });
+}
+
+function register(program) {
+  const discover = program
+    .command('discover')
+    .description(
+      'AI Tools Discovery: scan this device for installed AI coding tools ' +
+      'and report findings to Unbound.'
+    )
+    .option('--api-key <key>', 'Discovery API key (required)')
+    .option('--domain <url>', 'Backend URL', DEFAULT_DOMAIN)
+    .addHelpText('after', `
+Scans this device for installed AI coding tools (Cursor, Claude Code,
+Gemini CLI, Codex, Windsurf, Roo Code, Cline, GitHub Copilot, JetBrains,
+and more) and reports findings to the Unbound backend.
+
+The --api-key is a discovery-specific key (separate from login credentials).
+The --domain defaults to https://backend.getunbound.ai.
+
+Run as root (sudo) to scan all users on the device.
+Run without root to scan the current user only.
+
+Prerequisites:
+  - Python 3 and curl must be installed
+
+Examples:
+  $ sudo unbound discover --api-key KEY              Scan all users
+  $ unbound discover --api-key KEY                   Scan current user only
+  $ sudo unbound discover --api-key KEY --domain https://custom.backend.com
+`)
+    .action(async (opts) => {
+      try {
+        if (!opts.apiKey) {
+          output.error('--api-key is required.');
+          process.exitCode = 1;
+          return;
+        }
+
+        if (!isRoot()) {
+          output.warn('Running without root. Only scanning current user\'s tools.');
+          output.info('Run with sudo to scan all users on this device.');
+          console.log('');
+        }
+
+        const args = `--api-key "${opts.apiKey}" --domain "${opts.domain}"`;
+        await runDiscoveryScript('install.sh', args);
+
+        console.log('');
+        output.success('Discovery complete');
+      } catch (err) {
+        output.error(err.message);
+        process.exitCode = 1;
+      }
+    });
+
+  // --- Schedule / Unschedule / Status (macOS only) ---
+
+  discover
+    .command('schedule')
+    .description('Set up a recurring 12-hour discovery scan via macOS LaunchAgent.')
+    .option('--api-key <key>', 'Discovery API key (required)')
+    .option('--domain <url>', 'Backend URL', DEFAULT_DOMAIN)
+    .addHelpText('after', `
+Creates a macOS LaunchAgent that runs the discovery scan every 12 hours.
+Credentials are stored securely in the macOS Keychain (not in files).
+
+The scan runs immediately on install, then every 12 hours.
+Logs are written to ~/Library/Logs/unbound/scan.log.
+
+Prerequisites:
+  - macOS only (uses launchd)
+  - Python 3 and curl must be installed
+
+Examples:
+  $ unbound discover schedule --api-key KEY
+  $ unbound discover schedule --api-key KEY --domain https://custom.backend.com
+`)
+    .action(async (opts) => {
+      try {
+        if (process.platform !== 'darwin') {
+          output.error('Scheduled scans are only supported on macOS.');
+          process.exitCode = 1;
+          return;
+        }
+
+        if (!opts.apiKey) {
+          output.error('--api-key is required.');
+          process.exitCode = 1;
+          return;
+        }
+
+        const args = `--api-key "${opts.apiKey}" --domain "${opts.domain}"`;
+        await runDiscoveryScript('setup-scheduled-scan.sh', args);
+      } catch (err) {
+        output.error(err.message);
+        process.exitCode = 1;
+      }
+    });
+
+  discover
+    .command('unschedule')
+    .description('Remove the scheduled discovery scan and clean up (macOS only).')
+    .addHelpText('after', `
+Removes the LaunchAgent, Keychain credentials, wrapper script,
+and install directory created by "unbound discover schedule".
+
+Examples:
+  $ unbound discover unschedule
+`)
+    .action(async () => {
+      try {
+        if (process.platform !== 'darwin') {
+          output.error('Scheduled scans are only supported on macOS.');
+          process.exitCode = 1;
+          return;
+        }
+
+        await runDiscoveryScript('setup-scheduled-scan.sh', '--uninstall');
+      } catch (err) {
+        output.error(err.message);
+        process.exitCode = 1;
+      }
+    });
+
+  discover
+    .command('status')
+    .description('Show scheduled scan status and log paths (macOS only).')
+    .action(() => {
+      if (process.platform !== 'darwin') {
+        output.error('Scheduled scans are only supported on macOS.');
+        process.exitCode = 1;
+        return;
+      }
+
+      const home = os.homedir();
+      const plistPath = path.join(home, 'Library/LaunchAgents', `${LAUNCH_AGENT_LABEL}.plist`);
+      const logPath = path.join(home, 'Library/Logs/unbound/scan.log');
+      const errPath = path.join(home, 'Library/Logs/unbound/scan.err');
+
+      const plistExists = fs.existsSync(plistPath);
+
+      let isLoaded = false;
+      try {
+        execSync(`launchctl list "${LAUNCH_AGENT_LABEL}"`, { stdio: 'ignore' });
+        isLoaded = true;
+      } catch {
+        // not loaded
+      }
+
+      let lastScan = '-';
+      if (fs.existsSync(logPath)) {
+        try {
+          const log = fs.readFileSync(logPath, 'utf8');
+          const matches = log.match(/\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] === Starting/g);
+          if (matches && matches.length > 0) {
+            const ts = matches[matches.length - 1].match(/\[(.+?)\]/);
+            if (ts) lastScan = ts[1];
+          }
+        } catch {
+          // ignore read errors
+        }
+      }
+
+      output.keyValue([
+        ['Scheduled', plistExists && isLoaded ? 'Yes (every 12 hours)' : 'No'],
+        ['LaunchAgent', plistExists ? plistPath : 'Not installed'],
+        ['Last scan', lastScan],
+        ['Log file', logPath],
+        ['Error log', errPath],
+      ]);
+    });
+}
+
+module.exports = { register };

package/src/commands/setup.js

@@ -1,21 +1,114 @@
-const { execSync } = require('child_process');
-const readline = require('readline');
+const { execSync, spawn } = require('child_process');
+const { Option } = require('commander');
 const config = require('../config');
 const output = require('../output');
 const { ensureLoggedIn } = require('../auth');
 
 const SETUP_BASE_URL = 'https://raw.githubusercontent.com/websentry-ai/setup/refs/heads/main';
 
+const SETUP_TOOLS = [
+  { label: 'Cursor', value: 'cursor', script: 'cursor/setup.py' },
+  { label: 'Claude Code \u2014 subscription (hooks)', value: 'claude-sub', script: 'claude-code/hooks/setup.py', group: 'claude-code' },
+  { label: 'Claude Code \u2014 gateway (gateway)', value: 'claude-gw', script: 'claude-code/gateway/setup.py', group: 'claude-code' },
+  { label: 'Gemini CLI', value: 'gemini', script: 'gemini-cli/gateway/setup.py' },
+  { label: 'Codex \u2014 subscription (hooks)', value: 'codex-sub', script: 'codex/hooks/setup.py', group: 'codex' },
+  { label: 'Codex \u2014 gateway (gateway)', value: 'codex-gw', script: 'codex/gateway/setup.py', group: 'codex' },
+];
+
+const MDM_TOOLS = {
+  'cursor':                   { label: 'Cursor',                    script: 'cursor/mdm/setup.py' },
+  'claude-code-subscription': { label: 'Claude Code (subscription)', script: 'claude-code/hooks/mdm/setup.py' },
+  'claude-code-gateway':      { label: 'Claude Code (gateway)',      script: 'claude-code/gateway/mdm/setup.py' },
+  'gemini-cli':               { label: 'Gemini CLI',                 script: 'gemini-cli/gateway/mdm/setup.py' },
+  'codex-subscription':       { label: 'Codex (subscription)',       script: 'codex/hooks/mdm/setup.py' },
+  'codex-gateway':            { label: 'Codex (gateway)',            script: 'codex/gateway/mdm/setup.py' },
+};
+
+// Default tools for --all (uses subscription mode for Claude Code and Codex since only one can be active)
+const MDM_ALL_TOOLS = ['cursor', 'claude-code-subscription', 'gemini-cli', 'codex-subscription'];
+
 /**
- * Runs a Python setup script from the setup repo, passing the stored API key.
+ * Builds a shell command that curls a setup script and pipes it to python3.
  */
-function runSetupScript(scriptPath, apiKey, { clear = false } = {}) {
+function buildSetupCommand(scriptPath, args) {
   const url = `${SETUP_BASE_URL}/${scriptPath}`;
-  const extraArgs = clear ? ' --clear' : '';
-  const cmd = `curl -fsSL "${url}" | python3 - --api-key "${apiKey}"${extraArgs}`;
+  return `curl -fsSL "${url}" | python3 - ${args}`;
+}
 
+/**
+ * Runs a Python setup script from the setup repo with inherited stdio (live output).
+ */
+function runSetupScript(scriptPath, apiKey, { clear = false } = {}) {
+  const args = `--api-key "${apiKey}"${clear ? ' --clear' : ''}`;
   console.log('');
-  execSync(cmd, { stdio: 'inherit' });
+  try {
+    execSync(buildSetupCommand(scriptPath, args), { stdio: 'inherit' });
+  } catch (err) {
+    throw new Error(`Setup script failed with exit code ${err.status || 1}. Check the output above for details.`);
+  }
+}
+
+/**
+ * Runs a setup script with piped output (captured silently for spinner display).
+ * Returns a promise that resolves on success, rejects with captured output on failure.
+ */
+function runScriptPiped(scriptPath, args) {
+  return new Promise((resolve, reject) => {
+    const child = spawn(buildSetupCommand(scriptPath, args), {
+      shell: true,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    child.stdin.on('error', () => {});
+    child.stdin.end();
+
+    let captured = '';
+    child.stdout.on('data', (d) => { captured += d.toString(); });
+    child.stderr.on('data', (d) => { captured += d.toString(); });
+
+    child.on('close', (code) => {
+      if (code === 0) {
+        resolve();
+      } else {
+        const err = new Error(captured.trim() || `Setup failed with exit code ${code}`);
+        err.setupOutput = captured.trim();
+        reject(err);
+      }
+    });
+
+    child.on('error', reject);
+  });
+}
+
+/**
+ * Checks that the process is running as root (macOS/Linux).
+ * Windows admin check is handled by the Python MDM scripts themselves.
+ */
+function checkRoot() {
+  if (process.platform === 'win32') return;
+  if (typeof process.getuid !== 'function' || process.getuid() !== 0) {
+    throw new Error('MDM setup requires root. Run with: sudo unbound setup mdm ...');
+  }
+}
+
+/**
+ * Runs a batch of tools sequentially with spinners.
+ * Stops on first failure. Returns true if all succeeded.
+ */
+async function runBatch(tools, runFn, { clear = false } = {}) {
+  const action = clear ? 'Clearing' : 'Setting up';
+  for (const tool of tools) {
+    const s = output.spinner(`${action} ${tool.label}...`);
+    try {
+      await runFn(tool);
+      s.succeed(tool.label);
+    } catch (err) {
+      s.fail(`Failed: ${tool.label}`);
+      if (err.setupOutput) console.error('\n' + err.setupOutput);
+      process.exitCode = 1;
+      return false;
+    }
+  }
+  return true;
 }
 
 /**
@@ -45,11 +138,14 @@ function register(program) {
       'Supported tools: cursor, claude-code, gemini-cli, codex, roo-code, cline, kilo-code, custom-access.'
     )
     .addHelpText('after', `
-Automated setup (downloads scripts, sets env vars, configures tool):
+Interactive batch setup:
+  $ unbound setup                # Select and install multiple tools at once
+
+Single-tool setup (downloads scripts, sets env vars, configures tool):
   $ unbound setup cursor         # Download hooks, set env, restart Cursor
   $ unbound setup claude-code    # Set up gateway + hooks for Claude Code
   $ unbound setup gemini-cli     # Set GEMINI_API_KEY and base URL
-  $ unbound setup codex          # Set OPENAI_API_KEY and base URL
+  $ unbound setup codex          # Set up gateway + hooks for Codex
 
 Instruction-only (shows API key and base URL to configure manually):
   $ unbound setup roo-code       # Show Roo Code config values
@@ -59,7 +155,40 @@ Instruction-only (shows API key and base URL to configure manually):
 
 All setup commands require login. If not logged in, the browser will
 open automatically to authenticate before proceeding.
-`);
+`)
+    // Parent action: runs when `unbound setup` is invoked with no subcommand.
+    // Subcommand actions (cursor, claude-code, etc.) take precedence when specified.
+    .action(async () => {
+      try {
+        await ensureLoggedIn();
+        const apiKey = config.getApiKey();
+
+        const selected = await output.multiSelect(
+          'Select tools to set up with Unbound:',
+          SETUP_TOOLS
+        );
+
+        if (selected.length === 0) {
+          output.warn('No tools selected.');
+          return;
+        }
+
+        const selectedTools = SETUP_TOOLS.filter(t => selected.includes(t.value));
+        console.log('');
+
+        const ok = await runBatch(selectedTools, (tool) =>
+          runScriptPiped(tool.script, `--api-key "${apiKey}"`)
+        );
+        if (!ok) return;
+
+        console.log('');
+        output.success('All tools configured');
+      } catch (err) {
+        if (err.message === 'Selection cancelled') return;
+        output.error(err.message);
+        process.exitCode = 1;
+      }
+    });
 
   setup
     .command('cursor')
@@ -126,17 +255,19 @@ Examples:
         const apiKey = config.getApiKey();
         const scriptOpts = { clear: opts.clear };
 
+        if (opts.subscription && opts.gateway) {
+          output.error('Cannot use both --subscription and --gateway. Choose one.');
+          process.exitCode = 1;
+          return;
+        }
+
         let useSubscription = opts.subscription;
         if (!opts.clear && !opts.subscription && !opts.gateway) {
-          const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-          const answer = await new Promise((resolve) => {
-            console.log('\nHow do you want to use Claude Code with Unbound?\n');
-            console.log('  1. I have my own Claude subscription (hooks only - policy enforcement)');
-            console.log('  2. Use Unbound as the AI provider (gateway mode)\n');
-            rl.question('Choose (1 or 2): ', resolve);
-          });
-          rl.close();
-          useSubscription = answer.trim() === '1';
+          const mode = await output.select('How do you want to use Claude Code with Unbound?', [
+            { label: 'Use my Claude subscription (hooks)', value: 'subscription' },
+            { label: 'Use Unbound as the AI provider (gateway)', value: 'gateway' },
+          ]);
+          useSubscription = mode === 'subscription';
         }
 
         if (opts.clear) {
@@ -180,15 +311,26 @@ Examples:
   setup
     .command('codex')
     .description(
-      'Set up Codex to use Unbound. Sets OPENAI_API_KEY and ' +
-      'OPENAI_BASE_URL environment variables.'
+      'Set up Codex to use Unbound. Prompts whether to use your existing ' +
+      'OpenAI subscription or use Unbound as the AI provider.'
     )
+    .option('--subscription', 'Use your existing OpenAI subscription (hooks only)')
+    .option('--gateway', 'Use Unbound as the AI provider (gateway mode)')
     .option('--clear', 'Remove Unbound configuration for Codex')
     .addHelpText('after', `
-What this does:
-  1. Sets OPENAI_API_KEY to your Unbound API key in your shell profile
-  2. Sets OPENAI_BASE_URL to the Unbound gateway endpoint
-  3. Codex will route all requests through Unbound
+Modes:
+  Subscription (hooks only):
+    Keep your existing OpenAI subscription. Installs Unbound hooks for
+    policy enforcement (security guardrails, cost limits) without changing
+    the AI provider. Runs codex/hooks/setup.py.
+
+  Gateway:
+    Use Unbound as the AI provider. Routes all Codex requests through
+    the Unbound gateway for full policy enforcement and model management.
+    Runs codex/gateway/setup.py.
+
+  If neither --subscription nor --gateway is provided, an interactive
+  prompt will ask you to choose.
 
 Prerequisites:
   - Must be logged in (will auto-open browser to authenticate if not)
@@ -196,10 +338,45 @@ Prerequisites:
   - Codex must be installed
 
 Examples:
-  $ unbound setup codex
-  $ unbound setup codex --clear   # Remove Unbound configuration
+  $ unbound setup codex                # Interactive mode selection
+  $ unbound setup codex --subscription # Hooks only (keep your subscription)
+  $ unbound setup codex --gateway      # Use Unbound as AI provider
+  $ unbound setup codex --clear        # Remove Unbound configuration
 `)
-    .action(makeAction('codex/gateway/setup.py'));
+    .action(async (opts) => {
+      try {
+        await ensureLoggedIn();
+        const apiKey = config.getApiKey();
+        const scriptOpts = { clear: opts.clear };
+
+        if (opts.subscription && opts.gateway) {
+          output.error('Cannot use both --subscription and --gateway. Choose one.');
+          process.exitCode = 1;
+          return;
+        }
+
+        let useSubscription = opts.subscription;
+        if (!opts.clear && !opts.subscription && !opts.gateway) {
+          const mode = await output.select('How do you want to use Codex with Unbound?', [
+            { label: 'Use my OpenAI subscription (hooks)', value: 'subscription' },
+            { label: 'Use Unbound as the AI provider (gateway)', value: 'gateway' },
+          ]);
+          useSubscription = mode === 'subscription';
+        }
+
+        if (opts.clear) {
+          runSetupScript('codex/hooks/setup.py', apiKey, scriptOpts);
+          runSetupScript('codex/gateway/setup.py', apiKey, scriptOpts);
+        } else if (useSubscription) {
+          runSetupScript('codex/hooks/setup.py', apiKey, scriptOpts);
+        } else {
+          runSetupScript('codex/gateway/setup.py', apiKey, scriptOpts);
+        }
+      } catch (err) {
+        output.error(err.message);
+        process.exitCode = 1;
+      }
+    });
 
   // --- Instruction-only tools ---
 
@@ -349,6 +526,107 @@ Examples:
         process.exitCode = 1;
       }
     });
+
+  // --- MDM setup ---
+
+  const mdmToolNames = Object.keys(MDM_TOOLS).join(', ');
+
+  setup
+    .command('mdm')
+    .description(
+      'MDM setup: configure all users on this device. Requires root. ' +
+      'Used by organization admins to enroll devices via MDM.'
+    )
+    .argument('[tools...]', 'Tools to set up: ' + mdmToolNames)
+    .requiredOption('--admin-api-key <key>', 'Admin API key for MDM enrollment')
+    .option('--clear', 'Remove Unbound configuration for the specified tools')
+    .option('--all', 'Set up all available tools')
+    .addOption(new Option('--url <url>', 'Override backend URL').hideHelp())
+    .addHelpText('after', `
+Available tools:
+  cursor                    Cursor IDE
+  claude-code-subscription  Claude Code with your own subscription (hooks only)
+  claude-code-gateway       Claude Code with Unbound as AI provider
+  gemini-cli                Gemini CLI
+  codex-subscription        Codex with your own subscription (hooks only)
+  codex-gateway             Codex with Unbound as AI provider
+
+Note: claude-code-subscription and claude-code-gateway are mutually exclusive.
+      codex-subscription and codex-gateway are mutually exclusive.
+When using --all, subscription mode is used by default for Claude Code and Codex.
+
+Examples:
+  $ sudo unbound setup mdm --admin-api-key KEY cursor
+  $ sudo unbound setup mdm --admin-api-key KEY cursor claude-code-subscription codex-subscription
+  $ sudo unbound setup mdm --admin-api-key KEY --all
+  $ sudo unbound setup mdm --admin-api-key KEY --clear cursor codex-subscription
+`)
+    .action(async (tools, opts) => {
+      try {
+        checkRoot();
+
+        if (opts.all && tools.length > 0) {
+          output.error('Cannot combine --all with specific tool names. Use one or the other.');
+          process.exitCode = 1;
+          return;
+        }
+
+        let toolNames;
+        if (opts.all) {
+          toolNames = MDM_ALL_TOOLS;
+        } else if (tools.length > 0) {
+          toolNames = tools;
+        } else {
+          output.error('Specify tools to set up, or use --all.');
+          console.error('  Available: ' + mdmToolNames);
+          process.exitCode = 1;
+          return;
+        }
+
+        const invalid = toolNames.filter(t => !MDM_TOOLS[t]);
+        if (invalid.length > 0) {
+          output.error(`Unknown tool(s): ${invalid.join(', ')}`);
+          console.error('  Available: ' + mdmToolNames);
+          process.exitCode = 1;
+          return;
+        }
+
+        if (toolNames.includes('claude-code-subscription') && toolNames.includes('claude-code-gateway')) {
+          output.error('Cannot use both claude-code-subscription and claude-code-gateway. Choose one.');
+          process.exitCode = 1;
+          return;
+        }
+
+        if (toolNames.includes('codex-subscription') && toolNames.includes('codex-gateway')) {
+          output.error('Cannot use both codex-subscription and codex-gateway. Choose one.');
+          process.exitCode = 1;
+          return;
+        }
+
+        const resolvedTools = toolNames.map(name => ({ name, ...MDM_TOOLS[name] }));
+        console.log('');
+
+        const mdmArgs = (tool) => {
+          let args = `--api_key "${opts.adminApiKey}"`;
+          if (opts.url) args += ` --url "${opts.url}"`;
+          if (opts.clear) args += ' --clear';
+          return args;
+        };
+
+        const ok = await runBatch(
+          resolvedTools,
+          (tool) => runScriptPiped(tool.script, mdmArgs(tool)),
+          { clear: opts.clear }
+        );
+        if (!ok) return;
+
+        console.log('');
+        output.success(opts.clear ? 'All tools cleared' : 'All tools configured');
+      } catch (err) {
+        output.error(err.message);
+        process.exitCode = 1;
+      }
+    });
 }
 
 module.exports = { register };

package/src/commands/tools.js

@@ -11,6 +11,7 @@ const SUPPORTED_TOOL_TYPES = [
   'CLINE',
   'GEMINI_CLI',
   'CODEX',
+  'UNBOUND_CODEX',
   'KILO_CODE',
   'CUSTOM_ACCESS',
 ];

package/src/index.js

@@ -24,13 +24,15 @@ AUTHENTICATION
   $ unbound status                         Show CLI status and API connectivity
 
 TOOL SETUP
-  Automated setup (installs hooks, sets env vars, configures tool):
+  $ unbound setup                          Select and install multiple tools interactively
   $ unbound setup cursor                   Set up Cursor
   $ unbound setup claude-code              Set up Claude Code (interactive mode selection)
   $ unbound setup claude-code --gateway    Use Unbound as AI provider
   $ unbound setup claude-code --subscription  Hooks only (keep your subscription)
   $ unbound setup gemini-cli               Set up Gemini CLI
-  $ unbound setup codex                    Set up Codex
+  $ unbound setup codex                    Set up Codex (interactive mode selection)
+  $ unbound setup codex --gateway          Use Unbound as AI provider
+  $ unbound setup codex --subscription     Hooks only (keep your subscription)
 
   Instruction-only (shows config values to set manually):
   $ unbound setup roo-code                 Show Roo Code config values
@@ -44,6 +46,21 @@ TOOL SETUP
   $ unbound setup gemini-cli --clear       Remove Unbound config for Gemini CLI
   $ unbound setup codex --clear            Remove Unbound config for Codex
 
+MDM SETUP (admin, requires root)
+  $ sudo unbound setup mdm --admin-api-key KEY --all
+  $ sudo unbound setup mdm --admin-api-key KEY cursor codex-subscription
+  $ sudo unbound setup mdm --admin-api-key KEY claude-code-subscription codex-subscription gemini-cli
+  $ sudo unbound setup mdm --admin-api-key KEY --clear cursor codex-subscription
+
+MDM AI TOOLS DISCOVERY
+  --domain defaults to https://backend.getunbound.ai
+  $ sudo unbound discover --api-key KEY              Scan all users (requires root)
+  $ unbound discover --api-key KEY                   Scan current user only
+  $ sudo unbound discover --api-key KEY --domain https://custom.backend.com
+  $ unbound discover schedule --api-key KEY           Set up 12h recurring scan (macOS)
+  $ unbound discover unschedule                       Remove scheduled scan
+  $ unbound discover status                           Show scan schedule and logs
+
 POLICY MANAGEMENT
   $ unbound policy list                    List all policies
   $ unbound policy list --type SECURITY    Filter by type (SECURITY, MODEL, COST)
@@ -89,6 +106,7 @@ require('./commands/users').register(program);
 require('./commands/user-groups').register(program);
 require('./commands/tools').register(program);
 require('./commands/setup').register(program);
+require('./commands/discover').register(program);
 
 // config command for managing CLI settings
 const configCmd = program

package/src/output.js

@@ -89,22 +89,264 @@ function spinner(message) {
     process.stderr.write(`\r${c.cyan(frames[i++ % frames.length])} ${message}`);
   }, 80);
 
+  function clear() {
+    clearInterval(interval);
+    process.stderr.write('\r\x1b[K');
+    process.removeListener('SIGINT', onSigint);
+  }
+  function onSigint() { clear(); process.exit(130); }
+  process.on('SIGINT', onSigint);
+
   return {
-    stop() {
-      clearInterval(interval);
-      process.stderr.write('\r\x1b[K');
-    },
-    succeed(msg) {
-      clearInterval(interval);
-      process.stderr.write('\r\x1b[K');
-      success(msg);
-    },
-    fail(msg) {
-      clearInterval(interval);
-      process.stderr.write('\r\x1b[K');
-      error(msg);
-    },
+    stop: clear,
+    succeed(msg) { clear(); success(msg); },
+    fail(msg) { clear(); error(msg); },
   };
 }
 
-module.exports = { table, json, keyValue, success, error, warn, info, spinner };
+/**
+ * Interactive select prompt with arrow-key navigation.
+ * Falls back to a numbered prompt in non-TTY environments.
+ *
+ * @param {string} message - The prompt message
+ * @param {Array<{label: string, value: any}>} options - Options to choose from
+ * @returns {Promise<any>} The value of the selected option
+ */
+function select(message, options) {
+  if (!options || options.length === 0) {
+    return Promise.reject(new Error('No options provided'));
+  }
+  return new Promise((resolve, reject) => {
+    if (!process.stdin.isTTY || !process.stdout.isTTY) {
+      const readline = require('readline');
+      const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+      console.log(`\n${message}\n`);
+      options.forEach((opt, i) => console.log(`  ${i + 1}. ${opt.label}`));
+      console.log('');
+      rl.question(`Choose (1-${options.length}): `, (answer) => {
+        rl.close();
+        const idx = parseInt(answer.trim(), 10) - 1;
+        resolve(idx >= 0 && idx < options.length ? options[idx].value : options[0].value);
+      });
+      return;
+    }
+
+    let selected = 0;
+    const { stdin, stdout } = process;
+    const hint = c.dim('  \u2191/\u2193 to move, enter to select');
+
+    function render() {
+      return options.map((opt, i) =>
+        i === selected
+          ? `  ${c.cyan('\u276f')} ${c.cyan(opt.label)}`
+          : `    ${c.dim(opt.label)}`
+      );
+    }
+
+    // Static header
+    stdout.write(`\n${message}\n\n`);
+    // Hide cursor, render options + hint
+    stdout.write('\x1b[?25l');
+    const restoreCursor = () => stdout.write('\x1b[?25h');
+    process.on('exit', restoreCursor);
+    stdout.write(render().join('\n') + '\n\n' + hint);
+
+    // Dynamic area: options + blank line + hint line
+    const dynamicLines = options.length + 2;
+
+    stdin.setRawMode(true);
+    stdin.resume();
+    stdin.setEncoding('utf8');
+
+    function cleanup() {
+      stdin.setRawMode(false);
+      stdin.pause();
+      stdin.removeListener('data', onData);
+      process.removeListener('exit', restoreCursor);
+      restoreCursor();
+    }
+
+    function onData(key) {
+      if (key === '\x03') {
+        stdout.write(`\r\x1b[${dynamicLines - 1}A\x1b[J`);
+        cleanup();
+        stdout.write('\n');
+        reject(new Error('Selection cancelled'));
+        return;
+      }
+
+      if (key === '\r' || key === '\n') {
+        stdout.write(`\r\x1b[${dynamicLines - 1}A\x1b[J`);
+        const check = process.stdout.isTTY ? '\u2714' : '\u221A';
+        stdout.write(`  ${c.green(check)} ${options[selected].label}\n`);
+        cleanup();
+        resolve(options[selected].value);
+        return;
+      }
+
+      let changed = false;
+      if (key === '\x1b[A') {
+        selected = selected > 0 ? selected - 1 : options.length - 1;
+        changed = true;
+      } else if (key === '\x1b[B') {
+        selected = selected < options.length - 1 ? selected + 1 : 0;
+        changed = true;
+      }
+      if (!changed) return;
+
+      stdout.write(`\r\x1b[${dynamicLines - 1}A`);
+      for (const line of render()) {
+        stdout.write(`\x1b[2K${line}\n`);
+      }
+      stdout.write(`\x1b[2K\n\x1b[2K${hint}`);
+    }
+
+    stdin.on('data', onData);
+  });
+}
+
+/**
+ * Interactive multi-select prompt with arrow-key navigation and space to toggle.
+ * Items sharing the same `group` are mutually exclusive (radio within the group).
+ * Falls back to a comma-separated prompt in non-TTY environments.
+ *
+ * @param {string} message - The prompt message
+ * @param {Array<{label: string, value: any, group?: string}>} options
+ * @returns {Promise<Array<any>>} The values of selected options
+ */
+function multiSelect(message, options) {
+  if (!options || options.length === 0) {
+    return Promise.resolve([]);
+  }
+  return new Promise((resolve, reject) => {
+    if (!process.stdin.isTTY || !process.stdout.isTTY) {
+      const readline = require('readline');
+      const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+      console.log(`\n${message}\n`);
+      options.forEach((opt, i) => console.log(`  ${i + 1}. ${opt.label}`));
+      console.log('');
+      rl.question('Select (comma-separated numbers): ', (answer) => {
+        rl.close();
+        const indices = answer.split(',').map(s => parseInt(s.trim(), 10) - 1);
+        resolve(
+          indices.filter(i => i >= 0 && i < options.length).map(i => options[i].value)
+        );
+      });
+      return;
+    }
+
+    const checked = new Set();
+    let cursor = 0;
+    const { stdin, stdout } = process;
+
+    function getHint() {
+      const n = checked.size;
+      const count = n > 0 ? c.cyan(` (${n} selected)`) : '';
+      return c.dim('  \u2191/\u2193 move \u00b7 space select \u00b7 a all \u00b7 enter confirm') + count;
+    }
+
+    function render() {
+      return options.map((opt, i) => {
+        const focused = i === cursor;
+        const on = checked.has(i);
+        const pointer = focused ? c.cyan('\u276f') : ' ';
+        const box = on ? c.green('\u25fc') : c.dim('\u25fb');
+        const label = focused ? c.cyan(opt.label) : on ? opt.label : c.dim(opt.label);
+        return `  ${pointer} ${box} ${label}`;
+      });
+    }
+
+    stdout.write(`\n${message}\n\n`);
+    stdout.write('\x1b[?25l');
+    const restoreCursor = () => stdout.write('\x1b[?25h');
+    process.on('exit', restoreCursor);
+    stdout.write(render().join('\n') + '\n\n' + getHint());
+
+    const dynamicLines = options.length + 2;
+
+    stdin.setRawMode(true);
+    stdin.resume();
+    stdin.setEncoding('utf8');
+
+    function cleanup() {
+      stdin.setRawMode(false);
+      stdin.pause();
+      stdin.removeListener('data', onData);
+      process.removeListener('exit', restoreCursor);
+      restoreCursor();
+    }
+
+    function redraw() {
+      stdout.write(`\r\x1b[${dynamicLines - 1}A`);
+      for (const line of render()) {
+        stdout.write(`\x1b[2K${line}\n`);
+      }
+      stdout.write(`\x1b[2K\n\x1b[2K${getHint()}`);
+    }
+
+    function onData(key) {
+      if (key === '\x03') {
+        stdout.write(`\r\x1b[${dynamicLines - 1}A\x1b[J`);
+        cleanup();
+        stdout.write('\n');
+        reject(new Error('Selection cancelled'));
+        return;
+      }
+
+      if (key === '\r' || key === '\n') {
+        stdout.write(`\r\x1b[${dynamicLines - 1}A\x1b[J`);
+        const check = process.stdout.isTTY ? '\u2714' : '\u221a';
+        const selected = options.filter((_, i) => checked.has(i));
+        if (selected.length > 0) {
+          const names = selected.map(opt => opt.label).join(', ');
+          stdout.write(`  ${c.green(check)} ${c.dim(names)}\n`);
+        } else {
+          stdout.write(c.dim('  No tools selected') + '\n');
+        }
+        cleanup();
+        resolve(selected.map(opt => opt.value));
+        return;
+      }
+
+      if (key === '\x1b[A') {
+        cursor = cursor > 0 ? cursor - 1 : options.length - 1;
+        redraw();
+      } else if (key === '\x1b[B') {
+        cursor = cursor < options.length - 1 ? cursor + 1 : 0;
+        redraw();
+      } else if (key === ' ') {
+        if (checked.has(cursor)) {
+          checked.delete(cursor);
+        } else {
+          const opt = options[cursor];
+          if (opt.group) {
+            for (let i = 0; i < options.length; i++) {
+              if (i !== cursor && options[i].group === opt.group) checked.delete(i);
+            }
+          }
+          checked.add(cursor);
+        }
+        redraw();
+      } else if (key === 'a') {
+        if (checked.size > 0) {
+          checked.clear();
+        } else {
+          const seenGroups = new Set();
+          for (let i = 0; i < options.length; i++) {
+            const g = options[i].group;
+            if (g) {
+              if (seenGroups.has(g)) continue;
+              seenGroups.add(g);
+            }
+            checked.add(i);
+          }
+        }
+        redraw();
+      }
+    }
+
+    stdin.on('data', onData);
+  });
+}
+
+module.exports = { table, json, keyValue, success, error, warn, info, spinner, select, multiSelect };