unbound-cli 0.9.7 → 0.9.9

package/README.md

@@ -123,7 +123,7 @@ Scan a device for installed AI coding tools and report findings to Unbound. Uses
 | `sudo unbound discover --api-key KEY` | Scan all users on the device (requires root) |
 | `unbound discover --api-key KEY` | Scan current user only |
 | `sudo unbound discover --api-key KEY --domain URL` | Scan with a custom backend URL |
-| `unbound discover schedule --api-key KEY` | Set up 12-hour recurring scan (macOS only) |
+| `unbound discover --set-cron --api-key KEY` | Set up daily scan at 09:00 (cross-platform) |
 | `unbound discover unschedule` | Remove the scheduled scan |
 | `unbound discover status` | Show scan schedule and log paths |
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "0.9.7",
+  "version": "0.9.9",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/commands/discover.js

@@ -2,11 +2,9 @@ const { spawn, execSync } = require('child_process');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
-const https = require('https');
 const config = require('../config');
 const output = require('../output');
-
-const DISCOVER_BASE_URL = 'https://raw.githubusercontent.com/websentry-ai/coding-discovery-tool/refs/heads/main';
+const { shellEscape, downloadToFile, DISCOVER_BASE_URL } = require('../utils');
 const LAUNCH_AGENT_LABEL = 'ai.getunbound.discovery';
 
 // install.sh exits with this code when the OS isn't supported for discovery
@@ -32,37 +30,6 @@ function isRoot() {
   return typeof process.getuid === 'function' && process.getuid() === 0;
 }
 
-function downloadToFile(url, destPath) {
-  return new Promise((resolve, reject) => {
-    const request = (u, remaining) => {
-      https.get(u, (res) => {
-        if ([301, 302, 303, 307, 308].includes(res.statusCode) && res.headers.location && remaining > 0) {
-          res.resume();
-          return request(res.headers.location, remaining - 1);
-        }
-        if (res.statusCode !== 200) {
-          res.resume();
-          return reject(new Error(`Failed to download ${u}: HTTP ${res.statusCode}`));
-        }
-        const file = fs.createWriteStream(destPath);
-        res.pipe(file);
-        file.on('finish', () => file.close(resolve));
-        file.on('error', reject);
-      }).on('error', reject);
-    };
-    request(url, 3);
-  });
-}
-
-/**
- * Escapes a string for safe embedding in a shell command (single-quote wrap).
- * Mirrors the helper in setup.js. Required because runDiscoveryScript uses
- * spawn(cmd, { shell: true }) which routes the full command through bash.
- */
-function shellEscape(str) {
-  return "'" + String(str).replace(/'/g, "'\\''") + "'";
-}
-
 /**
  * Downloads a bash script from the discovery repo and executes it with arguments.
  * Uses stdio: 'inherit' so the script's output is shown live.
@@ -183,20 +150,6 @@ async function runDiscoveryScan({ apiKey, domain }) {
   await runDiscoveryScript('install.sh', args);
 }
 
-/**
- * Installs the recurring 12-hour discovery LaunchAgent (macOS only) via
- * setup-scheduled-scan.sh. Extracted so `unbound onboard --cron` reuses the
- * exact same scheduling path as `unbound discover schedule`. The scheduled job
- * runs the discovery scan only — it never runs tool setup or --backfill.
- */
-async function runDiscoverySchedule({ apiKey, domain }) {
-  if (!apiKey) {
-    throw new Error('Discovery API key is required.');
-  }
-  const resolvedDomain = domain || config.getBaseUrl();
-  const args = `--api-key ${shellEscape(apiKey)} --domain ${shellEscape(resolvedDomain)}`;
-  await runDiscoveryScript('setup-scheduled-scan.sh', args);
-}
 
 function register(program) {
   const discover = program
@@ -207,6 +160,7 @@ function register(program) {
     )
     .option('--api-key <key>', 'Discovery API key (required)')
     .option('--domain <url>', 'Backend URL (defaults to configured backend)')
+    .option('--set-cron', 'Set up a daily scheduled discovery scan at 09:00 (cross-platform)')
     .addHelpText('after', `
 Scans this device for installed AI coding tools (Cursor, Claude Code,
 Gemini CLI, Codex, Windsurf, Roo Code, Cline, GitHub Copilot, JetBrains,
@@ -228,6 +182,7 @@ Examples:
   $ sudo unbound discover --api-key KEY --domain https://custom.backend.com
 `)
     .action(async (opts) => {
+      let scanSucceeded = false;
       try {
         if (!opts.apiKey) {
           output.error('--api-key is required.');
@@ -236,32 +191,57 @@ Examples:
         }
 
         await runDiscoveryScan({ apiKey: opts.apiKey, domain: opts.domain });
+        scanSucceeded = true;
+
+        if (opts.setCron) {
+          console.log('');
+          output.info('Setting up daily scheduled discovery scan');
+          const { setupScheduledRun } = require('../scheduled');
+          await setupScheduledRun({
+            command: 'discover',
+            apiKey: opts.apiKey,
+            domain: opts.domain || config.getBaseUrl(),
+            skipRunAtLoad: true,
+          });
+        }
 
         console.log('');
         output.success('Discovery complete');
       } catch (err) {
         output.error(err.message);
+        // Hint only when the scan completed and the user actually asked for
+        // cron setup — guards against a future code path between scanSucceeded
+        // and the if(opts.setCron) block throwing and showing a misleading hint.
+        if (scanSucceeded && opts.setCron) {
+          const domain = opts.domain || config.getBaseUrl();
+          const suffix = domain && domain !== config.DEFAULT_BASE_URL ? ` --domain ${domain}` : '';
+          console.error('  Discovery completed successfully — only scheduled-run setup failed.');
+          console.error(`  Re-run cron setup with: unbound discover --set-cron --api-key <DISCOVERY_KEY>${suffix}`);
+        }
         process.exitCode = 1;
       }
     });
 
-  // --- Schedule / Unschedule / Status (macOS only) ---
+  // --- Schedule / Unschedule / Status ---
 
   discover
-    .command('schedule')
-    .description('Set up a recurring 12-hour discovery scan via macOS LaunchAgent.')
+    .command('schedule', { hidden: true })
+    .description('Set up a daily scheduled discovery scan (cross-platform).')
     .option('--api-key <key>', 'Discovery API key (required)')
     .option('--domain <url>', 'Backend URL (defaults to configured backend)')
     .addHelpText('after', `
-Creates a macOS LaunchAgent that runs the discovery scan every 12 hours.
-Credentials are stored securely in the macOS Keychain (not in files).
+Sets up a daily scheduled discovery scan using the OS-native scheduler:
+  - macOS:   launchd LaunchAgent (~/Library/LaunchAgents)
+  - Linux:   systemd --user timer (with Persistent=true), or crontab fallback
+  - Windows: Task Scheduler (with StartWhenAvailable for catch-up)
 
-The scan runs immediately on install, then every 12 hours.
-Logs are written to ~/Library/Logs/unbound/scan.log.
+Credentials are stored in the OS-native secret store:
+  - macOS:   Keychain
+  - Linux:   ~/.unbound/scheduled-creds.json (mode 0600)
+  - Windows: Credential Manager
 
-Prerequisites:
-  - macOS only (uses launchd)
-  - Python 3 and curl must be installed
+The scan runs immediately on install, then daily at 09:00 local time.
+Alias of \`unbound discover --set-cron\`.
 
 Examples:
   $ unbound discover schedule --api-key KEY
@@ -269,19 +249,15 @@ Examples:
 `)
     .action(async (opts) => {
       try {
-        if (process.platform !== 'darwin') {
-          output.error('Scheduled scans are only supported on macOS.');
-          process.exitCode = 1;
-          return;
-        }
-
         if (!opts.apiKey) {
           output.error('--api-key is required.');
           process.exitCode = 1;
           return;
         }
 
-        await runDiscoverySchedule({ apiKey: opts.apiKey, domain: opts.domain });
+        const domain = opts.domain || config.getBaseUrl();
+        const { setupScheduledRun } = require('../scheduled');
+        await setupScheduledRun({ command: 'discover', apiKey: opts.apiKey, domain });
       } catch (err) {
         output.error(err.message);
         process.exitCode = 1;
@@ -290,23 +266,20 @@ Examples:
 
   discover
     .command('unschedule')
-    .description('Remove the scheduled discovery scan and clean up (macOS only).')
+    .description('Remove the daily scheduled Unbound run and clean up stored credentials.')
     .addHelpText('after', `
-Removes the LaunchAgent, Keychain credentials, wrapper script,
-and install directory created by "unbound discover schedule".
+Removes the scheduled job and credentials regardless of how the cron was set up —
+"unbound discover --set-cron", "unbound discover schedule", or "unbound onboard --set-cron"
+all register the same job.
 
 Examples:
   $ unbound discover unschedule
+  $ unbound onboard unschedule
 `)
     .action(async () => {
       try {
-        if (process.platform !== 'darwin') {
-          output.error('Scheduled scans are only supported on macOS.');
-          process.exitCode = 1;
-          return;
-        }
-
-        await runDiscoveryScript('setup-scheduled-scan.sh', '--uninstall');
+        const { uninstallScheduledRun } = require('../scheduled');
+        await uninstallScheduledRun();
       } catch (err) {
         output.error(err.message);
         process.exitCode = 1;
@@ -315,10 +288,14 @@ Examples:
 
   discover
     .command('status')
-    .description('Show scheduled scan status and log paths (macOS only).')
+    .description('Show scheduled scan status and log paths (macOS only; use OS tools on Linux/Windows).')
     .action(() => {
       if (process.platform !== 'darwin') {
-        output.error('Scheduled scans are only supported on macOS.');
+        output.error(
+          'The status command only supports macOS (reads launchctl state).\n' +
+          '  Linux:   systemctl --user status unbound-scheduled.timer\n' +
+          '  Windows: Get-ScheduledTask -TaskName "ai.getunbound.scheduled"'
+        );
         process.exitCode = 1;
         return;
       }
@@ -353,7 +330,7 @@ Examples:
       }
 
       output.keyValue([
-        ['Scheduled', plistExists && isLoaded ? 'Yes (every 12 hours)' : 'No'],
+        ['Scheduled', plistExists && isLoaded ? 'Yes (daily at 09:00)' : 'No'],
         ['LaunchAgent', plistExists ? plistPath : 'Not installed'],
         ['Last scan', lastScan],
         ['Log file', logPath],
@@ -362,4 +339,4 @@ Examples:
     });
 }
 
-module.exports = { register, runDiscoveryScan, runDiscoverySchedule, classifyDiscoveryExit };
+module.exports = { register, runDiscoveryScan, classifyDiscoveryExit };

package/src/commands/onboard.js

@@ -3,7 +3,7 @@ const config = require('../config');
 const output = require('../output');
 const { ensureLoggedIn } = require('../auth');
 const { runSetupAllBundle, runMdmSetupAllBundle, checkRoot, ALL_TOOLS, MDM_ALL_TOOLS } = require('./setup');
-const { runDiscoveryScan, runDiscoverySchedule } = require('./discover');
+const { runDiscoveryScan } = require('./discover');
 
 /**
  * Builds the recovery-command suffix for partial-failure hints.
@@ -17,17 +17,17 @@ function domainHintSuffix(domain) {
 }
 
 function register(program) {
-  program
+  const onboard = program
     .command('onboard')
     .description(
       'One-step user onboarding: install the default AI tools bundle and run device discovery. ' +
       'Runs `setup --all` followed by `discover` in a single command.'
     )
-    .requiredOption('--api-key <key>', 'User API key (for tool setup and login)')
-    .requiredOption('--discovery-key <key>', 'Discovery API key (for device scan)')
+    .option('--api-key <key>', 'User API key (or set UNBOUND_API_KEY env var)')
+    .option('--discovery-key <key>', 'Discovery API key for device scan (or set UNBOUND_DISCOVERY_KEY env var)')
     .option('--domain <url>', 'Backend URL for discovery (defaults to configured backend)')
+    .option('--set-cron', 'Set up a daily background job to keep governance up to date')
     .option('--backfill', 'Seed historical Claude Code / Codex sessions from local transcripts into Unbound analytics (Cursor skipped automatically)')
-    .option('--cron', 'Set up a recurring 12-hour discovery scan instead of a one-time scan (macOS only)')
     .addOption(new Option('--backend-url <url>', 'Override backend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--frontend-url <url>', 'Override frontend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--gateway-url <url>', 'Override gateway URL for setup scripts (dev only)').hideHelp())
@@ -35,8 +35,8 @@ function register(program) {
 Runs the full onboarding flow for an end user:
   1. Logs in with --api-key and stores credentials.
   2. Installs the default tool bundle: ${ALL_TOOLS.join(', ')}.
-  3. Runs device discovery with --discovery-key. With --cron, sets up a
-     recurring 12-hour discovery scan (macOS only) instead of a one-time scan.
+  3. Runs device discovery with --discovery-key. With --set-cron, sets up a
+     recurring daily scheduled scan (cross-platform) instead of a one-time scan.
 
 The user API key and discovery API key are separate keys obtained from
 different parts of the Unbound dashboard. Discovery uses its own key
@@ -50,11 +50,25 @@ For admin device enrollment via MDM, use \`unbound onboard-mdm\` instead.
 Examples:
   $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>
   $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> --backfill
-  $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> --cron
+  $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> --set-cron
   $ sudo unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>
 `)
     .action(async (opts) => {
+      const apiKeyOpt = opts.apiKey || process.env.UNBOUND_API_KEY;
+      const discoveryKeyOpt = opts.discoveryKey || process.env.UNBOUND_DISCOVERY_KEY;
+      if (!apiKeyOpt) {
+        output.error('--api-key is required (or set UNBOUND_API_KEY env var)');
+        process.exitCode = 1;
+        return;
+      }
+      if (!discoveryKeyOpt) {
+        output.error('--discovery-key is required (or set UNBOUND_DISCOVERY_KEY env var)');
+        process.exitCode = 1;
+        return;
+      }
+
       let setupSucceeded = false;
+      let discoverySucceeded = false;
       let discoveryDomain;
       try {
         // Persist URLs first, then login, then setup — order matters so the
@@ -76,7 +90,7 @@ Examples:
         discoveryDomain = opts.domain || backendUrl;
 
         await ensureLoggedIn({
-          apiKey: opts.apiKey,
+          apiKey: apiKeyOpt,
           baseUrl: written.base_url,
           frontendUrl: written.frontend_url,
         });
@@ -93,32 +107,73 @@ Examples:
         console.log('');
         output.info('Step 2/2: Running device discovery');
         console.log('');
-        if (opts.cron && process.platform === 'darwin') {
-          // --cron sets up the recurring 12-hour scan, which also scans now.
-          await runDiscoverySchedule({ apiKey: opts.discoveryKey, domain: discoveryDomain });
-        } else {
-          if (opts.cron) output.warn('--cron is macOS-only; running a one-time scan instead.');
-          await runDiscoveryScan({ apiKey: opts.discoveryKey, domain: discoveryDomain });
+        await runDiscoveryScan({ apiKey: discoveryKeyOpt, domain: discoveryDomain });
+        discoverySucceeded = true;
+
+        if (opts.setCron) {
+          console.log('');
+          output.info('Setting up daily scheduled run');
+          const { setupScheduledRun } = require('../scheduled');
+          await setupScheduledRun({
+            command: 'onboard',
+            apiKey: apiKeyOpt,
+            discoveryKey: discoveryKeyOpt,
+            domain: discoveryDomain,
+            skipRunAtLoad: true,
+          });
         }
 
         console.log('');
         output.success('Onboarding complete');
       } catch (err) {
         if (!err.displayed) output.error(err.message);
-        if (setupSucceeded) {
+        if (discoverySucceeded && opts.setCron) {
+          // Both setup and discovery completed; only the optional --set-cron
+          // step failed. Don't tell the user to re-run discovery — they already
+          // did. Tell them how to retry just the cron setup. discover schedule
+          // would install a discover-only cron, dropping the tool-bundle
+          // reinstall the user originally asked for, so the correct retry is
+          // re-running onboard with both keys.
+          const suffix = domainHintSuffix(discoveryDomain);
+          console.error('  Setup and discovery completed successfully — only scheduled-run setup failed.');
+          console.error(`  Re-run cron setup with: unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> --set-cron${suffix}`);
+        } else if (setupSucceeded && !discoverySucceeded) {
           const suffix = domainHintSuffix(discoveryDomain);
-          // Point at the path the user actually wanted: the scheduler when
-          // --cron was used on macOS, otherwise the one-time scan.
-          const retryCmd = opts.cron && process.platform === 'darwin'
-            ? `unbound discover schedule --api-key <DISCOVERY_KEY>${suffix}`
-            : `unbound discover --api-key <DISCOVERY_KEY>${suffix}`;
+          const retryCmd = `unbound discover --api-key <DISCOVERY_KEY>${suffix}`;
           console.error('  Tool setup completed successfully — only discovery failed.');
-          console.error(`  Re-run discovery only with: ${retryCmd}`);
+          if (opts.setCron) {
+            console.error(`  Re-run with: unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> --set-cron${suffix}`);
+          } else {
+            console.error(`  Re-run discovery only with: ${retryCmd}`);
+          }
         }
         process.exitCode = 1;
       }
     });
 
+  // --- onboard unschedule ---
+
+  onboard
+    .command('unschedule')
+    .description('Remove the daily scheduled onboarding run and clean up stored credentials.')
+    .addHelpText('after', `
+Removes the scheduled job and credentials created by "unbound onboard --set-cron"
+(or "unbound discover --set-cron" / "unbound discover schedule" — all three
+register the same job, so either unschedule command removes it).
+
+Examples:
+  $ unbound onboard unschedule
+`)
+    .action(async () => {
+      try {
+        const { uninstallScheduledRun } = require('../scheduled');
+        await uninstallScheduledRun();
+      } catch (err) {
+        output.error(err.message);
+        process.exitCode = 1;
+      }
+    });
+
   // --- MDM onboard (separate top-level command, mirrors `unbound onboard`) ---
 
   program
@@ -130,7 +185,7 @@ Examples:
     .requiredOption('--admin-api-key <key>', 'Admin API key for MDM enrollment')
     .requiredOption('--discovery-key <key>', 'Discovery API key (for device scan)')
     .option('--domain <url>', 'Backend URL for discovery (defaults to configured backend)')
-    .option('--backfill', 'Seed historical Claude Code / Codex sessions from local transcripts into Unbound analytics (Cursor skipped automatically)')
+    .option('--backfill', 'Seed historical Claude Code / Codex / Copilot sessions from local transcripts into Unbound analytics (Cursor skipped automatically)')
     .addOption(new Option('--backend-url <url>', 'Override backend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--frontend-url <url>', 'Override frontend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--gateway-url <url>', 'Override gateway URL for setup scripts (dev only)').hideHelp())

package/src/commands/setup.js

@@ -232,11 +232,13 @@ function buildScriptArgs(apiKey, { backendUrl, frontendUrl, gatewayUrl, clear, m
   return args.trim();
 }
 
-// Backfill only applies to the hooks variants of Claude Code / Codex; gateway
-// mode and Cursor have no local transcripts to seed.
+// Backfill only applies to the hooks variants of Claude Code / Codex / Copilot;
+// gateway mode and Cursor have no local transcripts to seed.
 function scriptSupportsBackfill(scriptPath) {
   return scriptPath.includes('/hooks/') && (
-    scriptPath.startsWith('claude-code/') || scriptPath.startsWith('codex/')
+    scriptPath.startsWith('claude-code/') ||
+    scriptPath.startsWith('codex/') ||
+    scriptPath.startsWith('copilot/')
   );
 }
 
@@ -352,7 +354,7 @@ function register(program) {
     .option('--subscription', 'Use subscription mode for Claude Code / Codex (hooks only)')
     .option('--gateway', 'Use gateway mode for Claude Code / Codex (Unbound as AI provider)')
     .option('--all', 'Set up the default bundle: Cursor, Copilot, Claude Code (hooks), Codex (hooks)')
-    .option('--backfill', 'Seed historical Claude Code / Codex sessions from local transcripts into Unbound analytics (subscription/hooks mode only; Cursor and Copilot unsupported)')
+    .option('--backfill', 'Seed historical Claude Code / Codex / Copilot sessions from local transcripts into Unbound analytics (subscription/hooks mode only; Cursor unsupported)')
     .addOption(new Option('--backend-url <url>', 'Override backend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--frontend-url <url>', 'Override frontend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--gateway-url <url>', 'Override gateway URL for setup scripts (dev only)').hideHelp())
@@ -386,9 +388,10 @@ Examples:
   $ unbound setup --all                                    Set up the default bundle
   $ unbound setup --all --api-key <key>                    Login + set up the bundle
 
-  Seed historical sessions (Claude Code / Codex subscription mode only):
+  Seed historical sessions (Claude Code / Codex subscription mode + Copilot):
   $ unbound setup claude-code --subscription --backfill   Install hooks AND backfill local history
   $ unbound setup codex --subscription --backfill         Install hooks AND backfill local history
+  $ unbound setup copilot --backfill                      Install hooks AND backfill local history
 
   One-step login and setup:
   $ unbound setup cursor --api-key <key>                   Login + set up Cursor
@@ -648,7 +651,7 @@ requires authentication.
     .option('--admin-api-key <key>', 'Admin API key for MDM enrollment (not required with --clear)')
     .option('--clear', 'Remove Unbound configuration for the specified tools (no API key required)')
     .option('--all', 'Set up all available tools')
-    .option('--backfill', 'Seed historical Claude Code / Codex sessions from local transcripts into Unbound analytics (subscription/hooks mode only; Cursor and Copilot unsupported)')
+    .option('--backfill', 'Seed historical Claude Code / Codex / Copilot sessions from local transcripts into Unbound analytics (subscription/hooks mode only; Cursor unsupported)')
     .addHelpText('after', `
 Available tools:
   cursor                    Cursor IDE
@@ -671,6 +674,8 @@ Setup examples (require --admin-api-key):
   $ sudo unbound setup mdm --admin-api-key KEY --all
   $ sudo unbound setup mdm --admin-api-key KEY claude-code-subscription --backfill
                                                            Install hooks AND backfill local history
+  $ sudo unbound setup mdm --admin-api-key KEY copilot --backfill
+                                                           Install Copilot hooks AND backfill local history
 
 Clear examples (no API key required):
   $ sudo unbound setup mdm --clear cursor
@@ -802,9 +807,9 @@ async function runSetupAllBundle(apiKey, { backendUrl, frontendUrl, gatewayUrl,
     }
   }
   // Build args per-tool so --backfill only goes to tools whose script
-  // actually supports it (Claude Code hooks and Codex hooks). Cursor would
-  // print "not supported"; passing the flag to gateway-mode scripts would
-  // error out — `scriptSupportsBackfill` checks for both.
+  // actually supports it (Claude Code hooks, Codex hooks, Copilot hooks).
+  // Cursor would print "not supported"; passing the flag to gateway-mode
+  // scripts would error out — `scriptSupportsBackfill` checks for both.
   return runBatch(resolvedTools, (tool) => {
     const args = buildScriptArgs(apiKey, {
       backendUrl, frontendUrl, gatewayUrl,
@@ -843,4 +848,5 @@ module.exports = {
   ALL_TOOLS,
   MDM_ALL_TOOLS,
   buildScriptArgs,
+  scriptSupportsBackfill,
 };

package/src/index.js

@@ -91,7 +91,7 @@ MDM AI TOOLS DISCOVERY
   $ sudo unbound discover --api-key KEY              Scan all users (requires root)
   $ unbound discover --api-key KEY                   Scan current user only
   $ sudo unbound discover --api-key KEY --domain https://custom.backend.com
-  $ unbound discover schedule --api-key KEY           Set up 12h recurring scan (macOS)
+  $ unbound discover --set-cron --api-key KEY         Set up daily scan at 09:00 (cross-platform)
   $ unbound discover unschedule                       Remove scheduled scan
   $ unbound discover status                           Show scan schedule and logs
 

package/src/scheduled.js

@@ -0,0 +1,137 @@
+const { spawn } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const { shellEscape, downloadToFile, DISCOVER_BASE_URL } = require('./utils');
+
+/**
+ * Cross-platform scheduled-run setup. Dispatches to the OS-appropriate
+ * script in coding-discovery-tool:
+ *   - macOS/Linux: bash setup-scheduled-scan.sh
+ *   - Windows:     PowerShell setup-scheduled-scan.ps1
+ *
+ * The remote script handles launchd/crontab/Task Scheduler setup and
+ * credential storage (Keychain/file/Credential Manager). The CLI just
+ * passes the command + keys through.
+ *
+ * @param {object} opts
+ * @param {'onboard'|'discover'} opts.command - which subcommand the cron should run
+ * @param {string} opts.apiKey                - api key (for onboard) or discovery key (for discover)
+ * @param {string} [opts.discoveryKey]        - separate discovery key (onboard only)
+ * @param {string} [opts.domain]              - backend domain to pass to the scheduled run
+ * @param {boolean} [opts.skipRunAtLoad]      - macOS: set RunAtLoad=false (scan already ran)
+ */
+async function setupScheduledRun(opts) {
+  const { command, apiKey, discoveryKey, domain, skipRunAtLoad } = opts;
+  if (!command || !apiKey) {
+    throw new Error('setupScheduledRun: command and apiKey are required');
+  }
+
+  if (process.platform === 'win32') {
+    return setupScheduledRunWindows(opts);
+  }
+
+  // macOS + Linux: same .sh script (the script branches on `uname -s` internally)
+  const args = [
+    '--command', shellEscape(command),
+    '--api-key', shellEscape(apiKey),
+  ];
+  if (discoveryKey) args.push('--discovery-key', shellEscape(discoveryKey));
+  if (domain) args.push('--domain', shellEscape(domain));
+  if (skipRunAtLoad) args.push('--no-run-at-load');
+
+  const url = `${DISCOVER_BASE_URL}/setup-scheduled-scan.sh`;
+  const cmd = `curl -fsSL "${url}" | bash -s -- ${args.join(' ')}`;
+
+  await new Promise((resolve, reject) => {
+    const child = spawn(cmd, { shell: true, stdio: 'inherit' });
+    child.on('close', (code) => {
+      if (code === 0) resolve();
+      else reject(new Error(`Scheduled-run setup failed with exit code ${code}`));
+    });
+    child.on('error', reject);
+  });
+}
+
+async function setupScheduledRunWindows(opts) {
+  const { command, apiKey, discoveryKey, domain } = opts;
+  const url = `${DISCOVER_BASE_URL}/setup-scheduled-scan.ps1`;
+  const tmp = path.join(os.tmpdir(), `unbound-scheduled-${Date.now()}-${Math.random().toString(36).slice(2)}.ps1`);
+  // Single try/finally covers both download and spawn so a mid-stream
+  // network drop still removes the partial temp file.
+  try {
+    try {
+      await downloadToFile(url, tmp);
+    } catch (err) {
+      throw new Error(
+        `${err.message}. Windows scheduled-run requires setup-scheduled-scan.ps1 in the coding-discovery-tool repo.`
+      );
+    }
+
+    const psArgs = [
+      '-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', tmp,
+      '-Command', command,
+      '-ApiKey', apiKey,
+    ];
+    if (discoveryKey) psArgs.push('-DiscoveryKey', discoveryKey);
+    if (domain) psArgs.push('-Domain', domain);
+
+    await new Promise((resolve, reject) => {
+      const child = spawn('powershell', psArgs, { stdio: 'inherit', shell: false, windowsHide: true });
+      child.on('close', (code) => {
+        if (code === 0) resolve();
+        else reject(new Error(`Scheduled-run setup failed with exit code ${code}`));
+      });
+      child.on('error', reject);
+    });
+  } finally {
+    try { fs.unlinkSync(tmp); } catch { /* best-effort */ }
+  }
+}
+
+/**
+ * Cross-platform uninstall: removes the scheduled task/launchd job/cron entry
+ * and stored credentials. Delegates to the same OS-specific setup-scheduled-scan
+ * script with --uninstall (or -Uninstall on Windows).
+ */
+async function uninstallScheduledRun() {
+  if (process.platform === 'win32') {
+    const url = `${DISCOVER_BASE_URL}/setup-scheduled-scan.ps1`;
+    const tmp = path.join(os.tmpdir(), `unbound-scheduled-uninstall-${Date.now()}-${Math.random().toString(36).slice(2)}.ps1`);
+    try {
+      try {
+        await downloadToFile(url, tmp);
+      } catch (err) {
+        throw new Error(`${err.message}. Windows uninstall requires setup-scheduled-scan.ps1.`);
+      }
+      await new Promise((resolve, reject) => {
+        const child = spawn(
+          'powershell',
+          ['-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', tmp, '-Uninstall'],
+          { stdio: 'inherit', shell: false, windowsHide: true }
+        );
+        child.on('close', (code) => {
+          if (code === 0) resolve();
+          else reject(new Error(`Scheduled-run uninstall failed with exit code ${code}`));
+        });
+        child.on('error', reject);
+      });
+    } finally {
+      try { fs.unlinkSync(tmp); } catch { /* best-effort */ }
+    }
+    return;
+  }
+
+  const url = `${DISCOVER_BASE_URL}/setup-scheduled-scan.sh`;
+  const cmd = `curl -fsSL "${url}" | bash -s -- --uninstall`;
+  await new Promise((resolve, reject) => {
+    const child = spawn(cmd, { shell: true, stdio: 'inherit' });
+    child.on('close', (code) => {
+      if (code === 0) resolve();
+      else reject(new Error(`Scheduled-run uninstall failed with exit code ${code}`));
+    });
+    child.on('error', reject);
+  });
+}
+
+module.exports = { setupScheduledRun, uninstallScheduledRun };

package/src/utils.js

@@ -1,4 +1,6 @@
 const readline = require('readline');
+const fs = require('fs');
+const https = require('https');
 
 function formatDate(dateStr) {
   if (!dateStr) return '-';
@@ -20,4 +22,42 @@ function parseCommaSeparated(value) {
   return value.split(',').map((s) => s.trim()).filter(Boolean);
 }
 
-module.exports = { formatDate, confirm, parseCommaSeparated };
+/**
+ * Escapes a string for safe embedding in a shell command (single-quote wrap).
+ * Used wherever spawn(cmd, { shell: true }) is called with user-supplied values.
+ */
+function shellEscape(str) {
+  return "'" + String(str).replace(/'/g, "'\\''") + "'";
+}
+
+/**
+ * Downloads a URL to a local file, following up to 3 redirects.
+ * Forwards response-stream errors to the Promise rejection so callers
+ * (and their finally blocks) can clean up partial downloads.
+ */
+function downloadToFile(url, destPath) {
+  return new Promise((resolve, reject) => {
+    const request = (u, remaining) => {
+      https.get(u, (res) => {
+        if ([301, 302, 303, 307, 308].includes(res.statusCode) && res.headers.location && remaining > 0) {
+          res.resume();
+          return request(res.headers.location, remaining - 1);
+        }
+        if (res.statusCode !== 200) {
+          res.resume();
+          return reject(new Error(`Failed to download ${u}: HTTP ${res.statusCode}`));
+        }
+        const file = fs.createWriteStream(destPath);
+        res.pipe(file);
+        res.on('error', reject);
+        file.on('finish', () => file.close(resolve));
+        file.on('error', reject);
+      }).on('error', reject);
+    };
+    request(url, 3);
+  });
+}
+
+const DISCOVER_BASE_URL = 'https://raw.githubusercontent.com/websentry-ai/coding-discovery-tool/refs/heads/main';
+
+module.exports = { formatDate, confirm, parseCommaSeparated, shellEscape, downloadToFile, DISCOVER_BASE_URL };

package/test/onboard-cron.test.js

@@ -3,12 +3,12 @@ const assert = require('node:assert/strict');
 const fs = require('node:fs');
 const path = require('node:path');
 
-const discover = require('../src/commands/discover');
+const scheduled = require('../src/scheduled');
 
-const DISCOVER_SRC_PATH = path.join(__dirname, '..', 'src', 'commands', 'discover.js');
+const SCHEDULED_SRC_PATH = path.join(__dirname, '..', 'src', 'scheduled.js');
 const ONBOARD_SRC_PATH = path.join(__dirname, '..', 'src', 'commands', 'onboard.js');
 
-const discoverSrc = fs.readFileSync(DISCOVER_SRC_PATH, 'utf8');
+const scheduledSrc = fs.readFileSync(SCHEDULED_SRC_PATH, 'utf8');
 const onboardSrc = fs.readFileSync(ONBOARD_SRC_PATH, 'utf8');
 
 // Extracts the textual body of a top-level `async function <name>(...) { ... }`
@@ -17,8 +17,6 @@ const onboardSrc = fs.readFileSync(ONBOARD_SRC_PATH, 'utf8');
 function extractFunctionBody(src, name) {
   const start = src.indexOf(`async function ${name}`);
   assert.notEqual(start, -1, `expected "async function ${name}" in source`);
-  // Skip the parameter list (which may itself contain destructuring braces)
-  // by finding the matching close-paren first, then the body's opening brace.
   const paramOpen = src.indexOf('(', start);
   let pDepth = 0;
   let paramClose = -1;
@@ -43,80 +41,85 @@ function extractFunctionBody(src, name) {
   throw new Error(`unbalanced braces while extracting ${name}`);
 }
 
-const scheduleBody = extractFunctionBody(discoverSrc, 'runDiscoverySchedule');
+const setupBody = extractFunctionBody(scheduledSrc, 'setupScheduledRun');
 
-test('runDiscoverySchedule is exported as a function', () => {
-  assert.equal(typeof discover.runDiscoverySchedule, 'function');
+test('setupScheduledRun is exported as a function', () => {
+  assert.equal(typeof scheduled.setupScheduledRun, 'function');
 });
 
-test('runDiscoverySchedule takes a single destructured options object', () => {
-  // One formal parameter: ({ apiKey, domain }). Arity counts that single object.
-  assert.equal(discover.runDiscoverySchedule.length, 1);
-  // Accepts exactly apiKey and domain — no third field could carry backfill.
-  assert.match(discoverSrc, /async function runDiscoverySchedule\(\{\s*apiKey,\s*domain\s*\}\)/);
+test('setupScheduledRun takes a single options object', () => {
+  assert.equal(scheduled.setupScheduledRun.length, 1);
 });
 
 test('the scheduled path runs setup-scheduled-scan.sh, never install.sh', () => {
   assert.ok(
-    scheduleBody.includes("'setup-scheduled-scan.sh'"),
-    'runDiscoverySchedule must schedule setup-scheduled-scan.sh'
+    setupBody.includes('setup-scheduled-scan.sh'),
+    'setupScheduledRun must use setup-scheduled-scan.sh'
   );
   assert.ok(
-    !scheduleBody.includes('install.sh'),
-    'runDiscoverySchedule must not invoke install.sh'
+    !setupBody.includes('install.sh'),
+    'setupScheduledRun must not invoke install.sh'
   );
 });
 
-// Core WEB-4499 regression guard: backfill is a one-time setup operation and
+// Core regression guard: backfill is a one-time setup operation and
 // must be structurally impossible to reach the recurring scheduled scan.
-test('runDiscoverySchedule body contains no backfill reference', () => {
+test('setupScheduledRun body contains no backfill reference', () => {
   assert.ok(
-    !scheduleBody.toLowerCase().includes('backfill'),
+    !setupBody.toLowerCase().includes('backfill'),
     'backfill must never appear in the scheduled-scan code path'
   );
 });
 
-test('runDiscoverySchedule shell-escapes both apiKey and domain', () => {
-  // Both user-influenced values pass through shellEscape before hitting the
-  // shell:true spawn, so neither can break out of the command string.
-  assert.match(scheduleBody, /--api-key \$\{shellEscape\(apiKey\)\}/);
-  assert.match(scheduleBody, /--domain \$\{shellEscape\(resolvedDomain\)\}/);
+test('setupScheduledRun shell-escapes command, apiKey, and domain', () => {
+  assert.match(setupBody, /shellEscape\(command\)/);
+  assert.match(setupBody, /shellEscape\(apiKey\)/);
+  assert.match(setupBody, /shellEscape\(domain\)/);
 });
 
-// The onboard --cron path must call the shared schedule helper with only
-// apiKey + domain — never forwarding opts.backfill into the schedule.
-test('onboard schedules via runDiscoverySchedule with only apiKey and domain', () => {
-  assert.ok(
-    onboardSrc.includes('runDiscoverySchedule({ apiKey: opts.discoveryKey, domain: discoveryDomain })'),
-    'onboard must call runDiscoverySchedule with exactly { apiKey, domain }'
+test('setupScheduledRun rejects when apiKey is missing', async () => {
+  await assert.rejects(
+    () => scheduled.setupScheduledRun({ command: 'discover' }),
+    /command and apiKey are required/
   );
 });
 
-test('onboard never passes backfill into runDiscoverySchedule', () => {
-  // Find the runDiscoverySchedule call site in onboard and confirm its
-  // argument object carries no backfill key.
-  const callIdx = onboardSrc.indexOf('runDiscoverySchedule(');
-  assert.notEqual(callIdx, -1, 'expected a runDiscoverySchedule call in onboard');
-  const open = onboardSrc.indexOf('(', callIdx);
-  const close = onboardSrc.indexOf(')', open);
-  const callArgs = onboardSrc.slice(open, close + 1);
-  assert.ok(!callArgs.toLowerCase().includes('backfill'), callArgs);
+test('setupScheduledRun rejects when command is missing', async () => {
+  await assert.rejects(
+    () => scheduled.setupScheduledRun({ apiKey: 'some-key' }),
+    /command and apiKey are required/
+  );
 });
 
-test('runDiscoverySchedule is re-exported into onboard from discover', () => {
-  // onboard pulls the helper from ./discover rather than re-implementing it,
-  // so both the `discover schedule` command and `onboard --cron` share one path.
+// onboard must call setupScheduledRun with command: 'onboard' and both keys
+test('onboard schedules via setupScheduledRun with command onboard', () => {
   assert.match(
     onboardSrc,
-    /const \{[^}]*runDiscoverySchedule[^}]*\} = require\('\.\/discover'\)/
+    /setupScheduledRun\(\{[^}]*command:\s*'onboard'[^}]*\}\)/s,
+    'onboard must call setupScheduledRun with command: onboard'
   );
 });
 
-test('runDiscoverySchedule rejects when apiKey is missing', async () => {
-  // Mirrors runDiscoveryScan's guard so a future caller can't silently send
-  // --api-key 'undefined' to the schedule script. Throws before any network.
-  await assert.rejects(
-    () => discover.runDiscoverySchedule({ domain: 'https://example.com' }),
-    /Discovery API key is required/
+test('onboard passes both apiKey and discoveryKey to setupScheduledRun', () => {
+  const callIdx = onboardSrc.indexOf("command: 'onboard'");
+  assert.notEqual(callIdx, -1, 'expected command: onboard call site in onboard.js');
+  const open = onboardSrc.lastIndexOf('{', callIdx);
+  let depth = 0;
+  let close = -1;
+  for (let i = open; i < onboardSrc.length; i++) {
+    if (onboardSrc[i] === '{') depth++;
+    else if (onboardSrc[i] === '}') { depth--; if (depth === 0) { close = i; break; } }
+  }
+  const callArgs = onboardSrc.slice(open, close + 1);
+  assert.ok(callArgs.includes('apiKey'), 'setupScheduledRun call must include apiKey');
+  assert.ok(callArgs.includes('discoveryKey'), 'setupScheduledRun call must include discoveryKey');
+  assert.ok(!callArgs.toLowerCase().includes('backfill'), 'setupScheduledRun call must not include backfill');
+});
+
+test('onboard imports setupScheduledRun from ../scheduled', () => {
+  assert.match(
+    onboardSrc,
+    /require\(['"]\.\.\/scheduled['"]\)/,
+    'onboard must require ../scheduled for setupScheduledRun'
   );
 });

package/test/setup-args.test.js

@@ -1,6 +1,6 @@
 const { test } = require('node:test');
 const assert = require('node:assert/strict');
-const { buildScriptArgs } = require('../src/commands/setup');
+const { buildScriptArgs, scriptSupportsBackfill } = require('../src/commands/setup');
 
 // shellEscape single-quotes every value, so a real key surfaces as
 // --api-key '<key>' at the head of the argv tail.
@@ -51,6 +51,25 @@ test('buildScriptArgs: backfill:true appends --backfill', () => {
   assert.ok(args.includes('--backfill'), args);
 });
 
+// Backfill is supported only by the hooks variants of Claude Code, Codex, and
+// Copilot. Gateway-mode scripts and Cursor have no local transcripts to seed.
+test('scriptSupportsBackfill: hooks variants of claude-code, codex, copilot are supported', () => {
+  assert.ok(scriptSupportsBackfill('claude-code/hooks/setup.py'));
+  assert.ok(scriptSupportsBackfill('claude-code/hooks/mdm/setup.py'));
+  assert.ok(scriptSupportsBackfill('codex/hooks/setup.py'));
+  assert.ok(scriptSupportsBackfill('codex/hooks/mdm/setup.py'));
+  assert.ok(scriptSupportsBackfill('copilot/hooks/setup.py'));
+  assert.ok(scriptSupportsBackfill('copilot/hooks/mdm/setup.py'));
+});
+
+test('scriptSupportsBackfill: cursor and gateway-mode scripts are unsupported', () => {
+  assert.ok(!scriptSupportsBackfill('cursor/setup.py'));
+  assert.ok(!scriptSupportsBackfill('cursor/mdm/setup.py'));
+  assert.ok(!scriptSupportsBackfill('claude-code/gateway/setup.py'));
+  assert.ok(!scriptSupportsBackfill('codex/gateway/setup.py'));
+  assert.ok(!scriptSupportsBackfill('gemini-cli/gateway/setup.py'));
+});
+
 // MDM scripts have no browser-auth flow, so --domain (frontend URL) is
 // suppressed even when a frontendUrl is supplied.
 test('buildScriptArgs: mdm:true suppresses --domain even with frontendUrl', () => {