npm - unbound-cli - Versions diffs - 0.9.6 → 0.9.7 - Mend

unbound-cli 0.9.6 → 0.9.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +1 -1
package/src/commands/discover.js +17 -4
package/src/commands/onboard.js +18 -4
package/test/onboard-cron.test.js +122 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "0.9.6",
+  "version": "0.9.7",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/commands/discover.js CHANGED Viewed

@@ -183,6 +183,21 @@ async function runDiscoveryScan({ apiKey, domain }) {
   await runDiscoveryScript('install.sh', args);
 }
+/**
+ * Installs the recurring 12-hour discovery LaunchAgent (macOS only) via
+ * setup-scheduled-scan.sh. Extracted so `unbound onboard --cron` reuses the
+ * exact same scheduling path as `unbound discover schedule`. The scheduled job
+ * runs the discovery scan only — it never runs tool setup or --backfill.
+ */
+async function runDiscoverySchedule({ apiKey, domain }) {
+  if (!apiKey) {
+    throw new Error('Discovery API key is required.');
+  }
+  const resolvedDomain = domain || config.getBaseUrl();
+  const args = `--api-key ${shellEscape(apiKey)} --domain ${shellEscape(resolvedDomain)}`;
+  await runDiscoveryScript('setup-scheduled-scan.sh', args);
+}
 function register(program) {
   const discover = program
     .command('discover')
@@ -266,9 +281,7 @@ Examples:
           return;
         }
-        const domain = opts.domain || config.getBaseUrl();
-        const args = `--api-key ${shellEscape(opts.apiKey)} --domain ${shellEscape(domain)}`;
-        await runDiscoveryScript('setup-scheduled-scan.sh', args);
+        await runDiscoverySchedule({ apiKey: opts.apiKey, domain: opts.domain });
       } catch (err) {
         output.error(err.message);
         process.exitCode = 1;
@@ -349,4 +362,4 @@ Examples:
     });
 }
-module.exports = { register, runDiscoveryScan, classifyDiscoveryExit };
+module.exports = { register, runDiscoveryScan, runDiscoverySchedule, classifyDiscoveryExit };

package/src/commands/onboard.js CHANGED Viewed

@@ -3,7 +3,7 @@ const config = require('../config');
 const output = require('../output');
 const { ensureLoggedIn } = require('../auth');
 const { runSetupAllBundle, runMdmSetupAllBundle, checkRoot, ALL_TOOLS, MDM_ALL_TOOLS } = require('./setup');
-const { runDiscoveryScan } = require('./discover');
+const { runDiscoveryScan, runDiscoverySchedule } = require('./discover');
 /**
  * Builds the recovery-command suffix for partial-failure hints.
@@ -27,6 +27,7 @@ function register(program) {
     .requiredOption('--discovery-key <key>', 'Discovery API key (for device scan)')
     .option('--domain <url>', 'Backend URL for discovery (defaults to configured backend)')
     .option('--backfill', 'Seed historical Claude Code / Codex sessions from local transcripts into Unbound analytics (Cursor skipped automatically)')
+    .option('--cron', 'Set up a recurring 12-hour discovery scan instead of a one-time scan (macOS only)')
     .addOption(new Option('--backend-url <url>', 'Override backend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--frontend-url <url>', 'Override frontend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--gateway-url <url>', 'Override gateway URL for setup scripts (dev only)').hideHelp())
@@ -34,7 +35,8 @@ function register(program) {
 Runs the full onboarding flow for an end user:
   1. Logs in with --api-key and stores credentials.
   2. Installs the default tool bundle: ${ALL_TOOLS.join(', ')}.
-  3. Runs device discovery with --discovery-key.
+  3. Runs device discovery with --discovery-key. With --cron, sets up a
+     recurring 12-hour discovery scan (macOS only) instead of a one-time scan.
 The user API key and discovery API key are separate keys obtained from
 different parts of the Unbound dashboard. Discovery uses its own key
@@ -48,6 +50,7 @@ For admin device enrollment via MDM, use \`unbound onboard-mdm\` instead.
 Examples:
   $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>
   $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> --backfill
+  $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> --cron
   $ sudo unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>
 `)
     .action(async (opts) => {
@@ -90,7 +93,13 @@ Examples:
         console.log('');
         output.info('Step 2/2: Running device discovery');
         console.log('');
-        await runDiscoveryScan({ apiKey: opts.discoveryKey, domain: discoveryDomain });
+        if (opts.cron && process.platform === 'darwin') {
+          // --cron sets up the recurring 12-hour scan, which also scans now.
+          await runDiscoverySchedule({ apiKey: opts.discoveryKey, domain: discoveryDomain });
+        } else {
+          if (opts.cron) output.warn('--cron is macOS-only; running a one-time scan instead.');
+          await runDiscoveryScan({ apiKey: opts.discoveryKey, domain: discoveryDomain });
+        }
         console.log('');
         output.success('Onboarding complete');
@@ -98,8 +107,13 @@ Examples:
         if (!err.displayed) output.error(err.message);
         if (setupSucceeded) {
           const suffix = domainHintSuffix(discoveryDomain);
+          // Point at the path the user actually wanted: the scheduler when
+          // --cron was used on macOS, otherwise the one-time scan.
+          const retryCmd = opts.cron && process.platform === 'darwin'
+            ? `unbound discover schedule --api-key <DISCOVERY_KEY>${suffix}`
+            : `unbound discover --api-key <DISCOVERY_KEY>${suffix}`;
           console.error('  Tool setup completed successfully — only discovery failed.');
-          console.error(`  Re-run discovery only with: unbound discover --api-key <DISCOVERY_KEY>${suffix}`);
+          console.error(`  Re-run discovery only with: ${retryCmd}`);
         }
         process.exitCode = 1;
       }

package/test/onboard-cron.test.js ADDED Viewed

@@ -0,0 +1,122 @@
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+const fs = require('node:fs');
+const path = require('node:path');
+const discover = require('../src/commands/discover');
+const DISCOVER_SRC_PATH = path.join(__dirname, '..', 'src', 'commands', 'discover.js');
+const ONBOARD_SRC_PATH = path.join(__dirname, '..', 'src', 'commands', 'onboard.js');
+const discoverSrc = fs.readFileSync(DISCOVER_SRC_PATH, 'utf8');
+const onboardSrc = fs.readFileSync(ONBOARD_SRC_PATH, 'utf8');
+// Extracts the textual body of a top-level `async function <name>(...) { ... }`
+// by brace-matching from the function keyword. Lets us assert on a single
+// function's body without false positives from the rest of the file.
+function extractFunctionBody(src, name) {
+  const start = src.indexOf(`async function ${name}`);
+  assert.notEqual(start, -1, `expected "async function ${name}" in source`);
+  // Skip the parameter list (which may itself contain destructuring braces)
+  // by finding the matching close-paren first, then the body's opening brace.
+  const paramOpen = src.indexOf('(', start);
+  let pDepth = 0;
+  let paramClose = -1;
+  for (let i = paramOpen; i < src.length; i++) {
+    if (src[i] === '(') pDepth++;
+    else if (src[i] === ')') {
+      pDepth--;
+      if (pDepth === 0) { paramClose = i; break; }
+    }
+  }
+  assert.notEqual(paramClose, -1, `unbalanced parens in ${name} signature`);
+  const open = src.indexOf('{', paramClose);
+  assert.notEqual(open, -1, `expected an opening brace after ${name}`);
+  let depth = 0;
+  for (let i = open; i < src.length; i++) {
+    if (src[i] === '{') depth++;
+    else if (src[i] === '}') {
+      depth--;
+      if (depth === 0) return src.slice(open, i + 1);
+    }
+  }
+  throw new Error(`unbalanced braces while extracting ${name}`);
+}
+const scheduleBody = extractFunctionBody(discoverSrc, 'runDiscoverySchedule');
+test('runDiscoverySchedule is exported as a function', () => {
+  assert.equal(typeof discover.runDiscoverySchedule, 'function');
+});
+test('runDiscoverySchedule takes a single destructured options object', () => {
+  // One formal parameter: ({ apiKey, domain }). Arity counts that single object.
+  assert.equal(discover.runDiscoverySchedule.length, 1);
+  // Accepts exactly apiKey and domain — no third field could carry backfill.
+  assert.match(discoverSrc, /async function runDiscoverySchedule\(\{\s*apiKey,\s*domain\s*\}\)/);
+});
+test('the scheduled path runs setup-scheduled-scan.sh, never install.sh', () => {
+  assert.ok(
+    scheduleBody.includes("'setup-scheduled-scan.sh'"),
+    'runDiscoverySchedule must schedule setup-scheduled-scan.sh'
+  );
+  assert.ok(
+    !scheduleBody.includes('install.sh'),
+    'runDiscoverySchedule must not invoke install.sh'
+  );
+});
+// Core WEB-4499 regression guard: backfill is a one-time setup operation and
+// must be structurally impossible to reach the recurring scheduled scan.
+test('runDiscoverySchedule body contains no backfill reference', () => {
+  assert.ok(
+    !scheduleBody.toLowerCase().includes('backfill'),
+    'backfill must never appear in the scheduled-scan code path'
+  );
+});
+test('runDiscoverySchedule shell-escapes both apiKey and domain', () => {
+  // Both user-influenced values pass through shellEscape before hitting the
+  // shell:true spawn, so neither can break out of the command string.
+  assert.match(scheduleBody, /--api-key \$\{shellEscape\(apiKey\)\}/);
+  assert.match(scheduleBody, /--domain \$\{shellEscape\(resolvedDomain\)\}/);
+});
+// The onboard --cron path must call the shared schedule helper with only
+// apiKey + domain — never forwarding opts.backfill into the schedule.
+test('onboard schedules via runDiscoverySchedule with only apiKey and domain', () => {
+  assert.ok(
+    onboardSrc.includes('runDiscoverySchedule({ apiKey: opts.discoveryKey, domain: discoveryDomain })'),
+    'onboard must call runDiscoverySchedule with exactly { apiKey, domain }'
+  );
+});
+test('onboard never passes backfill into runDiscoverySchedule', () => {
+  // Find the runDiscoverySchedule call site in onboard and confirm its
+  // argument object carries no backfill key.
+  const callIdx = onboardSrc.indexOf('runDiscoverySchedule(');
+  assert.notEqual(callIdx, -1, 'expected a runDiscoverySchedule call in onboard');
+  const open = onboardSrc.indexOf('(', callIdx);
+  const close = onboardSrc.indexOf(')', open);
+  const callArgs = onboardSrc.slice(open, close + 1);
+  assert.ok(!callArgs.toLowerCase().includes('backfill'), callArgs);
+});
+test('runDiscoverySchedule is re-exported into onboard from discover', () => {
+  // onboard pulls the helper from ./discover rather than re-implementing it,
+  // so both the `discover schedule` command and `onboard --cron` share one path.
+  assert.match(
+    onboardSrc,
+    /const \{[^}]*runDiscoverySchedule[^}]*\} = require\('\.\/discover'\)/
+  );
+});
+test('runDiscoverySchedule rejects when apiKey is missing', async () => {
+  // Mirrors runDiscoveryScan's guard so a future caller can't silently send
+  // --api-key 'undefined' to the schedule script. Throws before any network.
+  await assert.rejects(
+    () => discover.runDiscoverySchedule({ domain: 'https://example.com' }),
+    /Discovery API key is required/
+  );
+});