npm - unbound-cli - Versions diffs - 1.1.0 → 1.1.2 - Mend

unbound-cli 1.1.0 → 1.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "1.1.0",
+  "version": "1.1.2",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/commands/onboard.js CHANGED Viewed

@@ -23,7 +23,7 @@ function register(program) {
       'One-step user onboarding: install the default AI tools bundle and run device discovery. ' +
       'Runs `setup --all` followed by `discover` in a single command.'
     )
-    .option('--api-key <key>', 'User API key (or set UNBOUND_API_KEY env var)')
+    .option('--api-key <key>', 'User API key (or set UNBOUND_API_KEY env var, or reuse a stored `unbound login` key)')
     .option('--discovery-key <key>', 'Discovery API key for device scan (or set UNBOUND_DISCOVERY_KEY env var)')
     .option('--domain <url>', 'Backend URL for discovery (defaults to configured backend)')
     .option('--set-cron', 'Set up a daily background job to keep governance up to date')
@@ -33,7 +33,8 @@ function register(program) {
     .addOption(new Option('--gateway-url <url>', 'Override gateway URL for setup scripts (dev only)').hideHelp())
     .addHelpText('after', `
 Runs the full onboarding flow for an end user:
-  1. Logs in with --api-key and stores credentials.
+  1. Logs in with --api-key and stores credentials (or reuses a stored
+     \`unbound login\` key when --api-key is omitted).
   2. Installs the default tool bundle: ${ALL_TOOLS.join(', ')}.
   3. Runs device discovery with --discovery-key. With --set-cron, sets up a
      recurring daily scheduled scan (cross-platform) instead of a one-time scan.
@@ -56,8 +57,10 @@ Examples:
     .action(async (opts) => {
       const apiKeyOpt = opts.apiKey || process.env.UNBOUND_API_KEY;
       const discoveryKeyOpt = opts.discoveryKey || process.env.UNBOUND_DISCOVERY_KEY;
-      if (!apiKeyOpt) {
-        output.error('--api-key is required (or set UNBOUND_API_KEY env var)');
+      // A stored `unbound login` key is enough — only demand --api-key when not
+      // already logged in. ensureLoggedIn() reuses the stored credential below.
+      if (!apiKeyOpt && !config.isLoggedIn()) {
+        output.error('--api-key is required (or set UNBOUND_API_KEY env var, or run `unbound login` first)');
         process.exitCode = 1;
         return;
       }
@@ -116,7 +119,7 @@ Examples:
           const { setupScheduledRun } = require('../scheduled');
           await setupScheduledRun({
             command: 'onboard',
-            apiKey: apiKeyOpt,
+            apiKey: apiKeyOpt || apiKey,
             discoveryKey: discoveryKeyOpt,
             domain: discoveryDomain,
             skipRunAtLoad: true,
@@ -182,7 +185,7 @@ Examples:
       'One-step MDM onboarding: install the default MDM tool bundle and run device discovery. ' +
       'Requires root. Used by organization admins to enroll devices via MDM.'
     )
-    .requiredOption('--admin-api-key <key>', 'Admin API key for MDM enrollment')
+    .option('--admin-api-key <key>', 'Admin API key for MDM enrollment (falls back to your stored `unbound login` key)')
     .requiredOption('--discovery-key <key>', 'Discovery API key (for device scan)')
     .option('--domain <url>', 'Backend URL for discovery (defaults to configured backend)')
     .option('--backfill', 'Seed historical Claude Code / Codex / Copilot sessions from local transcripts into Unbound analytics (Cursor skipped automatically)')
@@ -196,11 +199,14 @@ Runs the full MDM onboarding flow for device enrollment:
 Both steps require root. The admin API key and discovery API key are
 separate keys obtained from different parts of the Unbound admin dashboard.
+--admin-api-key may be omitted to reuse the key stored by a prior
+\`unbound login\` (run sudo with HOME preserved so the stored key is found).
 For end-user onboarding (non-MDM), use \`unbound onboard\` instead.
 Examples:
   $ sudo unbound onboard-mdm --admin-api-key <ADMIN_KEY> --discovery-key <DISCOVERY_KEY>
+  $ sudo unbound onboard-mdm --discovery-key <DISCOVERY_KEY>   Reuse the stored \`unbound login\` key
   $ sudo unbound onboard-mdm --admin-api-key <ADMIN_KEY> --discovery-key <DISCOVERY_KEY> --backfill
 `)
     .action(async (opts) => {
@@ -221,9 +227,17 @@ Examples:
         checkRoot('onboard-mdm');
+        // Reuse the key stored by `unbound login` when --admin-api-key is omitted.
+        const adminApiKey = opts.adminApiKey || config.getApiKey();
+        if (!adminApiKey) {
+          output.error('--admin-api-key is required (or run `unbound login` first).');
+          process.exitCode = 1;
+          return;
+        }
         console.log('');
         output.info('Step 1/2: Installing MDM tool bundle');
-        const ok = await runMdmSetupAllBundle(opts.adminApiKey, {
+        const ok = await runMdmSetupAllBundle(adminApiKey, {
           backendUrl, gatewayUrl, backfill: !!opts.backfill,
         });
         if (!ok) return;

package/src/commands/setup.js CHANGED Viewed

@@ -332,6 +332,23 @@ function checkRoot(commandHint = 'setup mdm') {
   }
 }
+/**
+ * Returns true when the process has the privileges needed to touch system-level
+ * (MDM) configuration. On Windows, `net session` succeeds only when elevated, so
+ * it doubles as an Administrator check — this keeps nuke's scope (and the copy it
+ * shows) accurate instead of assuming admin.
+ */
+function hasRootPrivileges() {
+  if (process.platform === 'win32') {
+    try {
+      return spawnSync('net', ['session'], { stdio: 'ignore', windowsHide: true }).status === 0;
+    } catch {
+      return false;
+    }
+  }
+  return typeof process.getuid === 'function' && process.getuid() === 0;
+}
 /**
  * Runs a batch of tools sequentially with spinners.
  * Stops on first failure. Returns true if all succeeded.
@@ -493,7 +510,7 @@ requires authentication.
         // No tools specified → interactive multi-select (existing flow)
         if (tools.length === 0) {
           const selected = await output.multiSelect(
-            'Select tools to set up with Unbound:',
+            opts.clear ? 'Select tools to remove Unbound configuration for:' : 'Select tools to set up with Unbound:',
             SETUP_TOOLS
           );
@@ -513,14 +530,15 @@ requires authentication.
           const ok = await runBatch(selectedTools, (tool) => {
             const toolArgs = buildScriptArgs(apiKey, {
               ...urlOpts,
+              clear: opts.clear,
               backfill: opts.backfill && scriptSupportsBackfill(tool.script),
             });
             return runScriptPiped(tool.script, toolArgs);
-          });
+          }, { clear: opts.clear });
           if (!ok) return;
           console.log('');
-          output.success('All tools configured');
+          output.success(opts.clear ? 'All tools cleared' : 'All tools configured');
           return;
         }
@@ -688,7 +706,7 @@ requires authentication.
       'Used by organization admins to enroll devices via MDM.'
     )
     .argument('[tools...]', 'Tools to set up: ' + mdmToolNames)
-    .option('--admin-api-key <key>', 'Admin API key for MDM enrollment (not required with --clear)')
+    .option('--admin-api-key <key>', 'Admin API key for MDM enrollment (falls back to your stored `unbound login` key; not required with --clear)')
     .option('--clear', 'Remove Unbound configuration for the specified tools (no API key required)')
     .option('--all', 'Set up all available tools')
     .option('--backfill', 'Seed historical Claude Code / Codex / Copilot sessions from local transcripts into Unbound analytics (subscription/hooks mode only; Cursor unsupported)')
@@ -708,10 +726,12 @@ Note: claude-code-subscription and claude-code-gateway are mutually exclusive wh
       setting up; same for codex. Bare claude-code/codex set up subscription mode.
       When using --all, subscription mode is used by default for Claude Code and Codex.
-Setup examples (require --admin-api-key):
+Setup examples (need an admin key — pass --admin-api-key, or omit it to reuse the
+key stored by a prior \`unbound login\`):
   $ sudo unbound setup mdm --admin-api-key KEY cursor
   $ sudo unbound setup mdm --admin-api-key KEY cursor claude-code-subscription codex-subscription
   $ sudo unbound setup mdm --admin-api-key KEY --all
+  $ sudo unbound setup mdm --all                           Reuse the stored \`unbound login\` key
   $ sudo unbound setup mdm --admin-api-key KEY claude-code-subscription --backfill
                                                            Install hooks AND backfill local history
   $ sudo unbound setup mdm --admin-api-key KEY copilot --backfill
@@ -731,9 +751,12 @@ Clear examples (no API key required):
         // Use optsWithGlobals() so they all work regardless of position relative to `mdm`.
         const globalOpts = command.optsWithGlobals();
         // Clearing removes config without calling the API, so a key is only
-        // required when actually enrolling tools.
-        if (!globalOpts.clear && !opts.adminApiKey) {
-          output.error('--admin-api-key is required to set up tools.');
+        // required when actually enrolling tools. Fall back to the API key
+        // stored by `unbound login` so admins who are already logged in don't
+        // have to pass --admin-api-key again.
+        const adminApiKey = opts.adminApiKey || config.getApiKey();
+        if (!globalOpts.clear && !adminApiKey) {
+          output.error('--admin-api-key is required to set up tools (or run `unbound login` first).');
           process.exitCode = 1;
           return;
         }
@@ -812,7 +835,7 @@ Clear examples (no API key required):
         const ok = await runBatch(
           resolvedTools,
           (tool) => {
-            const toolArgs = buildScriptArgs(opts.adminApiKey, {
+            const toolArgs = buildScriptArgs(adminApiKey, {
               backendUrl,
               gatewayUrl,
               clear: globalOpts.clear,
@@ -839,52 +862,49 @@ Clear examples (no API key required):
     .command('nuke')
     .alias('uninstall')
     .description(
-      'Remove Unbound and start fresh. By default clears every user-level AND ' +
-      'MDM (system-level) tool configuration plus stored credentials (requires ' +
-      "root). Use --user to clear only this user's tools and credentials (no root)."
+      'Remove Unbound and start fresh: clears AI-tool configuration and deletes ' +
+      'stored credentials. Scope follows your privileges — run with sudo to also ' +
+      'remove MDM (system-level) config for all users; without root it clears only ' +
+      'the current user.'
     )
     .option('-y, --yes', 'Skip the confirmation prompt')
-    .option('--user', "Clear only THIS user's tool config and credentials — skip MDM (no root required)")
     .addHelpText('after', `
-Two modes:
-  Default (requires root)   Clears every user-level and MDM (system-level) tool
-                            config for all users on the device, then deletes
-                            credentials.
-  --user (no root)          Clears only the current user's tool config, then
-                            deletes credentials. Leaves MDM config untouched
-                            (removing system-level config needs root).
+Scope is chosen automatically from your privileges:
+  Run with sudo (root)   Clears every user-level AND MDM (system-level) tool
+                         config for all users on the device, then deletes
+                         credentials.
+  Run without root       Clears only the current user's tool config and
+                         credentials. MDM (system-level) config is skipped —
+                         re-run with sudo to remove it too.
 What it clears:
   - USER-level tool config — Cursor, GitHub Copilot, Claude Code (subscription +
-    gateway), Gemini CLI, Codex (subscription + gateway).                [both modes]
-  - MDM (system-level) tool config across all users on the device.    [default only]
-  - Stored credentials and settings (~/.unbound/config.json).            [both modes]
+    gateway), Gemini CLI, Codex (subscription + gateway).
+  - MDM (system-level) tool config across all users          [only when run as root]
+  - Stored credentials and settings (~/.unbound/config.json).
 After it finishes, run \`unbound login\` (or \`unbound onboard\`) to set things up
 fresh. Clearing never contacts the Unbound API, so no API key is needed.
 Examples:
-  $ sudo unbound nuke                       Remove everything on the device (asks to confirm)
-  $ sudo unbound nuke --yes                 Remove everything, no confirmation
-  $ unbound nuke --user                     Clear only your tools + credentials (no sudo)
-  $ unbound nuke --user --yes               Same, no confirmation
-  $ sudo unbound uninstall                  'uninstall' is an alias for 'nuke'
+  $ sudo unbound nuke              Remove everything on the device (asks to confirm)
+  $ sudo unbound nuke --yes        Remove everything, no confirmation
+  $ unbound nuke                   Clear just your tools + credentials (no sudo)
+  $ unbound nuke --yes             Same, no confirmation
+  $ unbound uninstall              'uninstall' is an alias for 'nuke'
 `)
     .action(async (opts) => {
       try {
-        // Root is only required for the MDM clears (system-level, all users).
-        // --user mode skips them, so it doesn't need root. On native Windows the
-        // Python MDM scripts do their own admin check, so skip the uid check there.
-        if (!opts.user && process.platform !== 'win32' && (typeof process.getuid !== 'function' || process.getuid() !== 0)) {
-          output.error('nuke removes system-level MDM config for all users, so it must run as root. Run with: sudo unbound nuke — or use `unbound nuke --user` to clear just your own tools and credentials without root.');
-          process.exitCode = 1;
-          return;
-        }
+        // Scope follows privileges: with root (or Windows Administrator) we also
+        // remove system-level MDM config for all users; otherwise we clear only
+        // this user. Detecting elevation up front keeps the confirmation honest
+        // (no promising MDM removal we can't perform).
+        const includeMdm = hasRootPrivileges();
         if (!opts.yes) {
-          output.warn(opts.user
-            ? 'This removes your user-level Unbound tool configuration and deletes your stored credentials.'
-            : 'This removes ALL Unbound tool configuration on this device (user-level and MDM) and deletes your stored credentials.');
+          output.warn(includeMdm
+            ? 'This removes ALL Unbound tool configuration on this device (user-level and MDM) and deletes your stored credentials.'
+            : 'This removes your user-level Unbound tool configuration and deletes your stored credentials. (MDM/system-level config needs root and will be skipped — re-run with sudo to remove it too.)');
           const ok = await confirm('Continue?');
           if (!ok) {
             output.info('Cancelled. Nothing was changed.');
@@ -902,11 +922,13 @@ Examples:
         const userTools = Object.keys(SETUP_TOOL_MAP).map(name => ({ name, ...SETUP_TOOL_MAP[name] }));
         const userFailed = await clearToolsBestEffort('user', userTools, { mdm: false, backendUrl, gatewayUrl, frontendUrl });
-        // MDM clears are skipped in --user mode (they need root and touch all users).
+        // MDM clears need root and touch all users — run them only when we have it.
         let mdmFailed = [];
-        if (!opts.user) {
+        if (includeMdm) {
           const mdmTools = Object.keys(MDM_TOOLS).map(name => ({ name, ...MDM_TOOLS[name] }));
           mdmFailed = await clearToolsBestEffort('mdm', mdmTools, { mdm: true, backendUrl, gatewayUrl });
+        } else {
+          output.info('Skipped MDM (system-level) config — that needs root. Re-run with sudo to remove it too.');
         }
         // Wipe credentials + settings last, regardless of tool-clear outcomes.
@@ -915,7 +937,7 @@ Examples:
         console.log('');
         const failed = [...userFailed, ...mdmFailed];
-        const scope = opts.user ? 'for your user' : 'on this device';
+        const scope = includeMdm ? 'on this device' : 'for your user';
         if (failed.length === 0) {
           output.success(`Unbound removed ${scope}. The CLI is back to a fresh state — run "unbound login" to start over.`);
         } else {

package/src/index.js CHANGED Viewed

@@ -82,8 +82,8 @@ TOOL SETUP
   $ unbound setup --all --clear            Remove config for every tool
   Full uninstall (all tools + credentials):
-  $ sudo unbound nuke                      Wipe everything on the device (MDM + user); requires root
-  $ unbound nuke --user                    Wipe just your tools + credentials (no sudo)
+  $ sudo unbound nuke                      Wipe everything on the device (MDM + user)
+  $ unbound nuke                           Wipe just your tools + credentials (no sudo)
 MDM SETUP (admin, requires root)
   $ sudo unbound setup mdm --admin-api-key KEY --all