unbound-cli 0.9.6 → 0.9.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "0.9.6",
+  "version": "0.9.8",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/commands/discover.js

@@ -183,6 +183,21 @@ async function runDiscoveryScan({ apiKey, domain }) {
   await runDiscoveryScript('install.sh', args);
 }
 
+/**
+ * Installs the recurring 12-hour discovery LaunchAgent (macOS only) via
+ * setup-scheduled-scan.sh. Extracted so `unbound onboard --cron` reuses the
+ * exact same scheduling path as `unbound discover schedule`. The scheduled job
+ * runs the discovery scan only — it never runs tool setup or --backfill.
+ */
+async function runDiscoverySchedule({ apiKey, domain }) {
+  if (!apiKey) {
+    throw new Error('Discovery API key is required.');
+  }
+  const resolvedDomain = domain || config.getBaseUrl();
+  const args = `--api-key ${shellEscape(apiKey)} --domain ${shellEscape(resolvedDomain)}`;
+  await runDiscoveryScript('setup-scheduled-scan.sh', args);
+}
+
 function register(program) {
   const discover = program
     .command('discover')
@@ -266,9 +281,7 @@ Examples:
           return;
         }
 
-        const domain = opts.domain || config.getBaseUrl();
-        const args = `--api-key ${shellEscape(opts.apiKey)} --domain ${shellEscape(domain)}`;
-        await runDiscoveryScript('setup-scheduled-scan.sh', args);
+        await runDiscoverySchedule({ apiKey: opts.apiKey, domain: opts.domain });
       } catch (err) {
         output.error(err.message);
         process.exitCode = 1;
@@ -349,4 +362,4 @@ Examples:
     });
 }
 
-module.exports = { register, runDiscoveryScan, classifyDiscoveryExit };
+module.exports = { register, runDiscoveryScan, runDiscoverySchedule, classifyDiscoveryExit };

package/src/commands/onboard.js

@@ -3,7 +3,7 @@ const config = require('../config');
 const output = require('../output');
 const { ensureLoggedIn } = require('../auth');
 const { runSetupAllBundle, runMdmSetupAllBundle, checkRoot, ALL_TOOLS, MDM_ALL_TOOLS } = require('./setup');
-const { runDiscoveryScan } = require('./discover');
+const { runDiscoveryScan, runDiscoverySchedule } = require('./discover');
 
 /**
  * Builds the recovery-command suffix for partial-failure hints.
@@ -26,7 +26,8 @@ function register(program) {
     .requiredOption('--api-key <key>', 'User API key (for tool setup and login)')
     .requiredOption('--discovery-key <key>', 'Discovery API key (for device scan)')
     .option('--domain <url>', 'Backend URL for discovery (defaults to configured backend)')
-    .option('--backfill', 'Seed historical Claude Code / Codex sessions from local transcripts into Unbound analytics (Cursor skipped automatically)')
+    .option('--backfill', 'Seed historical Claude Code / Codex / Copilot sessions from local transcripts into Unbound analytics (Cursor skipped automatically)')
+    .option('--cron', 'Set up a recurring 12-hour discovery scan instead of a one-time scan (macOS only)')
     .addOption(new Option('--backend-url <url>', 'Override backend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--frontend-url <url>', 'Override frontend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--gateway-url <url>', 'Override gateway URL for setup scripts (dev only)').hideHelp())
@@ -34,7 +35,8 @@ function register(program) {
 Runs the full onboarding flow for an end user:
   1. Logs in with --api-key and stores credentials.
   2. Installs the default tool bundle: ${ALL_TOOLS.join(', ')}.
-  3. Runs device discovery with --discovery-key.
+  3. Runs device discovery with --discovery-key. With --cron, sets up a
+     recurring 12-hour discovery scan (macOS only) instead of a one-time scan.
 
 The user API key and discovery API key are separate keys obtained from
 different parts of the Unbound dashboard. Discovery uses its own key
@@ -48,6 +50,7 @@ For admin device enrollment via MDM, use \`unbound onboard-mdm\` instead.
 Examples:
   $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>
   $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> --backfill
+  $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> --cron
   $ sudo unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>
 `)
     .action(async (opts) => {
@@ -90,7 +93,13 @@ Examples:
         console.log('');
         output.info('Step 2/2: Running device discovery');
         console.log('');
-        await runDiscoveryScan({ apiKey: opts.discoveryKey, domain: discoveryDomain });
+        if (opts.cron && process.platform === 'darwin') {
+          // --cron sets up the recurring 12-hour scan, which also scans now.
+          await runDiscoverySchedule({ apiKey: opts.discoveryKey, domain: discoveryDomain });
+        } else {
+          if (opts.cron) output.warn('--cron is macOS-only; running a one-time scan instead.');
+          await runDiscoveryScan({ apiKey: opts.discoveryKey, domain: discoveryDomain });
+        }
 
         console.log('');
         output.success('Onboarding complete');
@@ -98,8 +107,13 @@ Examples:
         if (!err.displayed) output.error(err.message);
         if (setupSucceeded) {
           const suffix = domainHintSuffix(discoveryDomain);
+          // Point at the path the user actually wanted: the scheduler when
+          // --cron was used on macOS, otherwise the one-time scan.
+          const retryCmd = opts.cron && process.platform === 'darwin'
+            ? `unbound discover schedule --api-key <DISCOVERY_KEY>${suffix}`
+            : `unbound discover --api-key <DISCOVERY_KEY>${suffix}`;
           console.error('  Tool setup completed successfully — only discovery failed.');
-          console.error(`  Re-run discovery only with: unbound discover --api-key <DISCOVERY_KEY>${suffix}`);
+          console.error(`  Re-run discovery only with: ${retryCmd}`);
         }
         process.exitCode = 1;
       }
@@ -116,7 +130,7 @@ Examples:
     .requiredOption('--admin-api-key <key>', 'Admin API key for MDM enrollment')
     .requiredOption('--discovery-key <key>', 'Discovery API key (for device scan)')
     .option('--domain <url>', 'Backend URL for discovery (defaults to configured backend)')
-    .option('--backfill', 'Seed historical Claude Code / Codex sessions from local transcripts into Unbound analytics (Cursor skipped automatically)')
+    .option('--backfill', 'Seed historical Claude Code / Codex / Copilot sessions from local transcripts into Unbound analytics (Cursor skipped automatically)')
     .addOption(new Option('--backend-url <url>', 'Override backend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--frontend-url <url>', 'Override frontend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--gateway-url <url>', 'Override gateway URL for setup scripts (dev only)').hideHelp())

package/src/commands/setup.js

@@ -232,11 +232,13 @@ function buildScriptArgs(apiKey, { backendUrl, frontendUrl, gatewayUrl, clear, m
   return args.trim();
 }
 
-// Backfill only applies to the hooks variants of Claude Code / Codex; gateway
-// mode and Cursor have no local transcripts to seed.
+// Backfill only applies to the hooks variants of Claude Code / Codex / Copilot;
+// gateway mode and Cursor have no local transcripts to seed.
 function scriptSupportsBackfill(scriptPath) {
   return scriptPath.includes('/hooks/') && (
-    scriptPath.startsWith('claude-code/') || scriptPath.startsWith('codex/')
+    scriptPath.startsWith('claude-code/') ||
+    scriptPath.startsWith('codex/') ||
+    scriptPath.startsWith('copilot/')
   );
 }
 
@@ -352,7 +354,7 @@ function register(program) {
     .option('--subscription', 'Use subscription mode for Claude Code / Codex (hooks only)')
     .option('--gateway', 'Use gateway mode for Claude Code / Codex (Unbound as AI provider)')
     .option('--all', 'Set up the default bundle: Cursor, Copilot, Claude Code (hooks), Codex (hooks)')
-    .option('--backfill', 'Seed historical Claude Code / Codex sessions from local transcripts into Unbound analytics (subscription/hooks mode only; Cursor and Copilot unsupported)')
+    .option('--backfill', 'Seed historical Claude Code / Codex / Copilot sessions from local transcripts into Unbound analytics (subscription/hooks mode only; Cursor unsupported)')
     .addOption(new Option('--backend-url <url>', 'Override backend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--frontend-url <url>', 'Override frontend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--gateway-url <url>', 'Override gateway URL for setup scripts (dev only)').hideHelp())
@@ -386,9 +388,10 @@ Examples:
   $ unbound setup --all                                    Set up the default bundle
   $ unbound setup --all --api-key <key>                    Login + set up the bundle
 
-  Seed historical sessions (Claude Code / Codex subscription mode only):
+  Seed historical sessions (Claude Code / Codex subscription mode + Copilot):
   $ unbound setup claude-code --subscription --backfill   Install hooks AND backfill local history
   $ unbound setup codex --subscription --backfill         Install hooks AND backfill local history
+  $ unbound setup copilot --backfill                      Install hooks AND backfill local history
 
   One-step login and setup:
   $ unbound setup cursor --api-key <key>                   Login + set up Cursor
@@ -648,7 +651,7 @@ requires authentication.
     .option('--admin-api-key <key>', 'Admin API key for MDM enrollment (not required with --clear)')
     .option('--clear', 'Remove Unbound configuration for the specified tools (no API key required)')
     .option('--all', 'Set up all available tools')
-    .option('--backfill', 'Seed historical Claude Code / Codex sessions from local transcripts into Unbound analytics (subscription/hooks mode only; Cursor and Copilot unsupported)')
+    .option('--backfill', 'Seed historical Claude Code / Codex / Copilot sessions from local transcripts into Unbound analytics (subscription/hooks mode only; Cursor unsupported)')
     .addHelpText('after', `
 Available tools:
   cursor                    Cursor IDE
@@ -671,6 +674,8 @@ Setup examples (require --admin-api-key):
   $ sudo unbound setup mdm --admin-api-key KEY --all
   $ sudo unbound setup mdm --admin-api-key KEY claude-code-subscription --backfill
                                                            Install hooks AND backfill local history
+  $ sudo unbound setup mdm --admin-api-key KEY copilot --backfill
+                                                           Install Copilot hooks AND backfill local history
 
 Clear examples (no API key required):
   $ sudo unbound setup mdm --clear cursor
@@ -802,9 +807,9 @@ async function runSetupAllBundle(apiKey, { backendUrl, frontendUrl, gatewayUrl,
     }
   }
   // Build args per-tool so --backfill only goes to tools whose script
-  // actually supports it (Claude Code hooks and Codex hooks). Cursor would
-  // print "not supported"; passing the flag to gateway-mode scripts would
-  // error out — `scriptSupportsBackfill` checks for both.
+  // actually supports it (Claude Code hooks, Codex hooks, Copilot hooks).
+  // Cursor would print "not supported"; passing the flag to gateway-mode
+  // scripts would error out — `scriptSupportsBackfill` checks for both.
   return runBatch(resolvedTools, (tool) => {
     const args = buildScriptArgs(apiKey, {
       backendUrl, frontendUrl, gatewayUrl,
@@ -843,4 +848,5 @@ module.exports = {
   ALL_TOOLS,
   MDM_ALL_TOOLS,
   buildScriptArgs,
+  scriptSupportsBackfill,
 };

package/test/onboard-cron.test.js

@@ -0,0 +1,122 @@
+const { test } = require('node:test');
+const assert = require('node:assert/strict');
+const fs = require('node:fs');
+const path = require('node:path');
+
+const discover = require('../src/commands/discover');
+
+const DISCOVER_SRC_PATH = path.join(__dirname, '..', 'src', 'commands', 'discover.js');
+const ONBOARD_SRC_PATH = path.join(__dirname, '..', 'src', 'commands', 'onboard.js');
+
+const discoverSrc = fs.readFileSync(DISCOVER_SRC_PATH, 'utf8');
+const onboardSrc = fs.readFileSync(ONBOARD_SRC_PATH, 'utf8');
+
+// Extracts the textual body of a top-level `async function <name>(...) { ... }`
+// by brace-matching from the function keyword. Lets us assert on a single
+// function's body without false positives from the rest of the file.
+function extractFunctionBody(src, name) {
+  const start = src.indexOf(`async function ${name}`);
+  assert.notEqual(start, -1, `expected "async function ${name}" in source`);
+  // Skip the parameter list (which may itself contain destructuring braces)
+  // by finding the matching close-paren first, then the body's opening brace.
+  const paramOpen = src.indexOf('(', start);
+  let pDepth = 0;
+  let paramClose = -1;
+  for (let i = paramOpen; i < src.length; i++) {
+    if (src[i] === '(') pDepth++;
+    else if (src[i] === ')') {
+      pDepth--;
+      if (pDepth === 0) { paramClose = i; break; }
+    }
+  }
+  assert.notEqual(paramClose, -1, `unbalanced parens in ${name} signature`);
+  const open = src.indexOf('{', paramClose);
+  assert.notEqual(open, -1, `expected an opening brace after ${name}`);
+  let depth = 0;
+  for (let i = open; i < src.length; i++) {
+    if (src[i] === '{') depth++;
+    else if (src[i] === '}') {
+      depth--;
+      if (depth === 0) return src.slice(open, i + 1);
+    }
+  }
+  throw new Error(`unbalanced braces while extracting ${name}`);
+}
+
+const scheduleBody = extractFunctionBody(discoverSrc, 'runDiscoverySchedule');
+
+test('runDiscoverySchedule is exported as a function', () => {
+  assert.equal(typeof discover.runDiscoverySchedule, 'function');
+});
+
+test('runDiscoverySchedule takes a single destructured options object', () => {
+  // One formal parameter: ({ apiKey, domain }). Arity counts that single object.
+  assert.equal(discover.runDiscoverySchedule.length, 1);
+  // Accepts exactly apiKey and domain — no third field could carry backfill.
+  assert.match(discoverSrc, /async function runDiscoverySchedule\(\{\s*apiKey,\s*domain\s*\}\)/);
+});
+
+test('the scheduled path runs setup-scheduled-scan.sh, never install.sh', () => {
+  assert.ok(
+    scheduleBody.includes("'setup-scheduled-scan.sh'"),
+    'runDiscoverySchedule must schedule setup-scheduled-scan.sh'
+  );
+  assert.ok(
+    !scheduleBody.includes('install.sh'),
+    'runDiscoverySchedule must not invoke install.sh'
+  );
+});
+
+// Core WEB-4499 regression guard: backfill is a one-time setup operation and
+// must be structurally impossible to reach the recurring scheduled scan.
+test('runDiscoverySchedule body contains no backfill reference', () => {
+  assert.ok(
+    !scheduleBody.toLowerCase().includes('backfill'),
+    'backfill must never appear in the scheduled-scan code path'
+  );
+});
+
+test('runDiscoverySchedule shell-escapes both apiKey and domain', () => {
+  // Both user-influenced values pass through shellEscape before hitting the
+  // shell:true spawn, so neither can break out of the command string.
+  assert.match(scheduleBody, /--api-key \$\{shellEscape\(apiKey\)\}/);
+  assert.match(scheduleBody, /--domain \$\{shellEscape\(resolvedDomain\)\}/);
+});
+
+// The onboard --cron path must call the shared schedule helper with only
+// apiKey + domain — never forwarding opts.backfill into the schedule.
+test('onboard schedules via runDiscoverySchedule with only apiKey and domain', () => {
+  assert.ok(
+    onboardSrc.includes('runDiscoverySchedule({ apiKey: opts.discoveryKey, domain: discoveryDomain })'),
+    'onboard must call runDiscoverySchedule with exactly { apiKey, domain }'
+  );
+});
+
+test('onboard never passes backfill into runDiscoverySchedule', () => {
+  // Find the runDiscoverySchedule call site in onboard and confirm its
+  // argument object carries no backfill key.
+  const callIdx = onboardSrc.indexOf('runDiscoverySchedule(');
+  assert.notEqual(callIdx, -1, 'expected a runDiscoverySchedule call in onboard');
+  const open = onboardSrc.indexOf('(', callIdx);
+  const close = onboardSrc.indexOf(')', open);
+  const callArgs = onboardSrc.slice(open, close + 1);
+  assert.ok(!callArgs.toLowerCase().includes('backfill'), callArgs);
+});
+
+test('runDiscoverySchedule is re-exported into onboard from discover', () => {
+  // onboard pulls the helper from ./discover rather than re-implementing it,
+  // so both the `discover schedule` command and `onboard --cron` share one path.
+  assert.match(
+    onboardSrc,
+    /const \{[^}]*runDiscoverySchedule[^}]*\} = require\('\.\/discover'\)/
+  );
+});
+
+test('runDiscoverySchedule rejects when apiKey is missing', async () => {
+  // Mirrors runDiscoveryScan's guard so a future caller can't silently send
+  // --api-key 'undefined' to the schedule script. Throws before any network.
+  await assert.rejects(
+    () => discover.runDiscoverySchedule({ domain: 'https://example.com' }),
+    /Discovery API key is required/
+  );
+});

package/test/setup-args.test.js

@@ -1,6 +1,6 @@
 const { test } = require('node:test');
 const assert = require('node:assert/strict');
-const { buildScriptArgs } = require('../src/commands/setup');
+const { buildScriptArgs, scriptSupportsBackfill } = require('../src/commands/setup');
 
 // shellEscape single-quotes every value, so a real key surfaces as
 // --api-key '<key>' at the head of the argv tail.
@@ -51,6 +51,25 @@ test('buildScriptArgs: backfill:true appends --backfill', () => {
   assert.ok(args.includes('--backfill'), args);
 });
 
+// Backfill is supported only by the hooks variants of Claude Code, Codex, and
+// Copilot. Gateway-mode scripts and Cursor have no local transcripts to seed.
+test('scriptSupportsBackfill: hooks variants of claude-code, codex, copilot are supported', () => {
+  assert.ok(scriptSupportsBackfill('claude-code/hooks/setup.py'));
+  assert.ok(scriptSupportsBackfill('claude-code/hooks/mdm/setup.py'));
+  assert.ok(scriptSupportsBackfill('codex/hooks/setup.py'));
+  assert.ok(scriptSupportsBackfill('codex/hooks/mdm/setup.py'));
+  assert.ok(scriptSupportsBackfill('copilot/hooks/setup.py'));
+  assert.ok(scriptSupportsBackfill('copilot/hooks/mdm/setup.py'));
+});
+
+test('scriptSupportsBackfill: cursor and gateway-mode scripts are unsupported', () => {
+  assert.ok(!scriptSupportsBackfill('cursor/setup.py'));
+  assert.ok(!scriptSupportsBackfill('cursor/mdm/setup.py'));
+  assert.ok(!scriptSupportsBackfill('claude-code/gateway/setup.py'));
+  assert.ok(!scriptSupportsBackfill('codex/gateway/setup.py'));
+  assert.ok(!scriptSupportsBackfill('gemini-cli/gateway/setup.py'));
+});
+
 // MDM scripts have no browser-auth flow, so --domain (frontend URL) is
 // suppressed even when a frontendUrl is supplied.
 test('buildScriptArgs: mdm:true suppresses --domain even with frontendUrl', () => {