unbound-cli 1.1.0 → 1.1.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "1.1.0",
+  "version": "1.1.2",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/commands/onboard.js

@@ -23,7 +23,7 @@ function register(program) {
       'One-step user onboarding: install the default AI tools bundle and run device discovery. ' +
       'Runs `setup --all` followed by `discover` in a single command.'
     )
-    .option('--api-key <key>', 'User API key (or set UNBOUND_API_KEY env var)')
+    .option('--api-key <key>', 'User API key (or set UNBOUND_API_KEY env var, or reuse a stored `unbound login` key)')
     .option('--discovery-key <key>', 'Discovery API key for device scan (or set UNBOUND_DISCOVERY_KEY env var)')
     .option('--domain <url>', 'Backend URL for discovery (defaults to configured backend)')
     .option('--set-cron', 'Set up a daily background job to keep governance up to date')
@@ -33,7 +33,8 @@ function register(program) {
     .addOption(new Option('--gateway-url <url>', 'Override gateway URL for setup scripts (dev only)').hideHelp())
     .addHelpText('after', `
 Runs the full onboarding flow for an end user:
-  1. Logs in with --api-key and stores credentials.
+  1. Logs in with --api-key and stores credentials (or reuses a stored
+     \`unbound login\` key when --api-key is omitted).
   2. Installs the default tool bundle: ${ALL_TOOLS.join(', ')}.
   3. Runs device discovery with --discovery-key. With --set-cron, sets up a
      recurring daily scheduled scan (cross-platform) instead of a one-time scan.
@@ -56,8 +57,10 @@ Examples:
     .action(async (opts) => {
       const apiKeyOpt = opts.apiKey || process.env.UNBOUND_API_KEY;
       const discoveryKeyOpt = opts.discoveryKey || process.env.UNBOUND_DISCOVERY_KEY;
-      if (!apiKeyOpt) {
-        output.error('--api-key is required (or set UNBOUND_API_KEY env var)');
+      // A stored `unbound login` key is enough — only demand --api-key when not
+      // already logged in. ensureLoggedIn() reuses the stored credential below.
+      if (!apiKeyOpt && !config.isLoggedIn()) {
+        output.error('--api-key is required (or set UNBOUND_API_KEY env var, or run `unbound login` first)');
         process.exitCode = 1;
         return;
       }
@@ -116,7 +119,7 @@ Examples:
           const { setupScheduledRun } = require('../scheduled');
           await setupScheduledRun({
             command: 'onboard',
-            apiKey: apiKeyOpt,
+            apiKey: apiKeyOpt || apiKey,
             discoveryKey: discoveryKeyOpt,
             domain: discoveryDomain,
             skipRunAtLoad: true,
@@ -182,7 +185,7 @@ Examples:
       'One-step MDM onboarding: install the default MDM tool bundle and run device discovery. ' +
       'Requires root. Used by organization admins to enroll devices via MDM.'
     )
-    .requiredOption('--admin-api-key <key>', 'Admin API key for MDM enrollment')
+    .option('--admin-api-key <key>', 'Admin API key for MDM enrollment (falls back to your stored `unbound login` key)')
     .requiredOption('--discovery-key <key>', 'Discovery API key (for device scan)')
     .option('--domain <url>', 'Backend URL for discovery (defaults to configured backend)')
     .option('--backfill', 'Seed historical Claude Code / Codex / Copilot sessions from local transcripts into Unbound analytics (Cursor skipped automatically)')
@@ -196,11 +199,14 @@ Runs the full MDM onboarding flow for device enrollment:
 
 Both steps require root. The admin API key and discovery API key are
 separate keys obtained from different parts of the Unbound admin dashboard.
+--admin-api-key may be omitted to reuse the key stored by a prior
+\`unbound login\` (run sudo with HOME preserved so the stored key is found).
 
 For end-user onboarding (non-MDM), use \`unbound onboard\` instead.
 
 Examples:
   $ sudo unbound onboard-mdm --admin-api-key <ADMIN_KEY> --discovery-key <DISCOVERY_KEY>
+  $ sudo unbound onboard-mdm --discovery-key <DISCOVERY_KEY>   Reuse the stored \`unbound login\` key
   $ sudo unbound onboard-mdm --admin-api-key <ADMIN_KEY> --discovery-key <DISCOVERY_KEY> --backfill
 `)
     .action(async (opts) => {
@@ -221,9 +227,17 @@ Examples:
 
         checkRoot('onboard-mdm');
 
+        // Reuse the key stored by `unbound login` when --admin-api-key is omitted.
+        const adminApiKey = opts.adminApiKey || config.getApiKey();
+        if (!adminApiKey) {
+          output.error('--admin-api-key is required (or run `unbound login` first).');
+          process.exitCode = 1;
+          return;
+        }
+
         console.log('');
         output.info('Step 1/2: Installing MDM tool bundle');
-        const ok = await runMdmSetupAllBundle(opts.adminApiKey, {
+        const ok = await runMdmSetupAllBundle(adminApiKey, {
           backendUrl, gatewayUrl, backfill: !!opts.backfill,
         });
         if (!ok) return;

package/src/commands/setup.js

@@ -332,6 +332,23 @@ function checkRoot(commandHint = 'setup mdm') {
   }
 }
 
+/**
+ * Returns true when the process has the privileges needed to touch system-level
+ * (MDM) configuration. On Windows, `net session` succeeds only when elevated, so
+ * it doubles as an Administrator check — this keeps nuke's scope (and the copy it
+ * shows) accurate instead of assuming admin.
+ */
+function hasRootPrivileges() {
+  if (process.platform === 'win32') {
+    try {
+      return spawnSync('net', ['session'], { stdio: 'ignore', windowsHide: true }).status === 0;
+    } catch {
+      return false;
+    }
+  }
+  return typeof process.getuid === 'function' && process.getuid() === 0;
+}
+
 /**
  * Runs a batch of tools sequentially with spinners.
  * Stops on first failure. Returns true if all succeeded.
@@ -493,7 +510,7 @@ requires authentication.
         // No tools specified → interactive multi-select (existing flow)
         if (tools.length === 0) {
           const selected = await output.multiSelect(
-            'Select tools to set up with Unbound:',
+            opts.clear ? 'Select tools to remove Unbound configuration for:' : 'Select tools to set up with Unbound:',
             SETUP_TOOLS
           );
 
@@ -513,14 +530,15 @@ requires authentication.
           const ok = await runBatch(selectedTools, (tool) => {
             const toolArgs = buildScriptArgs(apiKey, {
               ...urlOpts,
+              clear: opts.clear,
               backfill: opts.backfill && scriptSupportsBackfill(tool.script),
             });
             return runScriptPiped(tool.script, toolArgs);
-          });
+          }, { clear: opts.clear });
           if (!ok) return;
 
           console.log('');
-          output.success('All tools configured');
+          output.success(opts.clear ? 'All tools cleared' : 'All tools configured');
           return;
         }
 
@@ -688,7 +706,7 @@ requires authentication.
       'Used by organization admins to enroll devices via MDM.'
     )
     .argument('[tools...]', 'Tools to set up: ' + mdmToolNames)
-    .option('--admin-api-key <key>', 'Admin API key for MDM enrollment (not required with --clear)')
+    .option('--admin-api-key <key>', 'Admin API key for MDM enrollment (falls back to your stored `unbound login` key; not required with --clear)')
     .option('--clear', 'Remove Unbound configuration for the specified tools (no API key required)')
     .option('--all', 'Set up all available tools')
     .option('--backfill', 'Seed historical Claude Code / Codex / Copilot sessions from local transcripts into Unbound analytics (subscription/hooks mode only; Cursor unsupported)')
@@ -708,10 +726,12 @@ Note: claude-code-subscription and claude-code-gateway are mutually exclusive wh
       setting up; same for codex. Bare claude-code/codex set up subscription mode.
       When using --all, subscription mode is used by default for Claude Code and Codex.
 
-Setup examples (require --admin-api-key):
+Setup examples (need an admin key — pass --admin-api-key, or omit it to reuse the
+key stored by a prior \`unbound login\`):
   $ sudo unbound setup mdm --admin-api-key KEY cursor
   $ sudo unbound setup mdm --admin-api-key KEY cursor claude-code-subscription codex-subscription
   $ sudo unbound setup mdm --admin-api-key KEY --all
+  $ sudo unbound setup mdm --all                           Reuse the stored \`unbound login\` key
   $ sudo unbound setup mdm --admin-api-key KEY claude-code-subscription --backfill
                                                            Install hooks AND backfill local history
   $ sudo unbound setup mdm --admin-api-key KEY copilot --backfill
@@ -731,9 +751,12 @@ Clear examples (no API key required):
         // Use optsWithGlobals() so they all work regardless of position relative to `mdm`.
         const globalOpts = command.optsWithGlobals();
         // Clearing removes config without calling the API, so a key is only
-        // required when actually enrolling tools.
-        if (!globalOpts.clear && !opts.adminApiKey) {
-          output.error('--admin-api-key is required to set up tools.');
+        // required when actually enrolling tools. Fall back to the API key
+        // stored by `unbound login` so admins who are already logged in don't
+        // have to pass --admin-api-key again.
+        const adminApiKey = opts.adminApiKey || config.getApiKey();
+        if (!globalOpts.clear && !adminApiKey) {
+          output.error('--admin-api-key is required to set up tools (or run `unbound login` first).');
           process.exitCode = 1;
           return;
         }
@@ -812,7 +835,7 @@ Clear examples (no API key required):
         const ok = await runBatch(
           resolvedTools,
           (tool) => {
-            const toolArgs = buildScriptArgs(opts.adminApiKey, {
+            const toolArgs = buildScriptArgs(adminApiKey, {
               backendUrl,
               gatewayUrl,
               clear: globalOpts.clear,
@@ -839,52 +862,49 @@ Clear examples (no API key required):
     .command('nuke')
     .alias('uninstall')
     .description(
-      'Remove Unbound and start fresh. By default clears every user-level AND ' +
-      'MDM (system-level) tool configuration plus stored credentials (requires ' +
-      "root). Use --user to clear only this user's tools and credentials (no root)."
+      'Remove Unbound and start fresh: clears AI-tool configuration and deletes ' +
+      'stored credentials. Scope follows your privileges — run with sudo to also ' +
+      'remove MDM (system-level) config for all users; without root it clears only ' +
+      'the current user.'
     )
     .option('-y, --yes', 'Skip the confirmation prompt')
-    .option('--user', "Clear only THIS user's tool config and credentials — skip MDM (no root required)")
     .addHelpText('after', `
-Two modes:
-  Default (requires root)   Clears every user-level and MDM (system-level) tool
-                            config for all users on the device, then deletes
-                            credentials.
-  --user (no root)          Clears only the current user's tool config, then
-                            deletes credentials. Leaves MDM config untouched
-                            (removing system-level config needs root).
+Scope is chosen automatically from your privileges:
+  Run with sudo (root)   Clears every user-level AND MDM (system-level) tool
+                         config for all users on the device, then deletes
+                         credentials.
+  Run without root       Clears only the current user's tool config and
+                         credentials. MDM (system-level) config is skipped —
+                         re-run with sudo to remove it too.
 
 What it clears:
   - USER-level tool config — Cursor, GitHub Copilot, Claude Code (subscription +
-    gateway), Gemini CLI, Codex (subscription + gateway).                [both modes]
-  - MDM (system-level) tool config across all users on the device.    [default only]
-  - Stored credentials and settings (~/.unbound/config.json).            [both modes]
+    gateway), Gemini CLI, Codex (subscription + gateway).
+  - MDM (system-level) tool config across all users          [only when run as root]
+  - Stored credentials and settings (~/.unbound/config.json).
 
 After it finishes, run \`unbound login\` (or \`unbound onboard\`) to set things up
 fresh. Clearing never contacts the Unbound API, so no API key is needed.
 
 Examples:
-  $ sudo unbound nuke                       Remove everything on the device (asks to confirm)
-  $ sudo unbound nuke --yes                 Remove everything, no confirmation
-  $ unbound nuke --user                     Clear only your tools + credentials (no sudo)
-  $ unbound nuke --user --yes               Same, no confirmation
-  $ sudo unbound uninstall                  'uninstall' is an alias for 'nuke'
+  $ sudo unbound nuke              Remove everything on the device (asks to confirm)
+  $ sudo unbound nuke --yes        Remove everything, no confirmation
+  $ unbound nuke                   Clear just your tools + credentials (no sudo)
+  $ unbound nuke --yes             Same, no confirmation
+  $ unbound uninstall              'uninstall' is an alias for 'nuke'
 `)
     .action(async (opts) => {
       try {
-        // Root is only required for the MDM clears (system-level, all users).
-        // --user mode skips them, so it doesn't need root. On native Windows the
-        // Python MDM scripts do their own admin check, so skip the uid check there.
-        if (!opts.user && process.platform !== 'win32' && (typeof process.getuid !== 'function' || process.getuid() !== 0)) {
-          output.error('nuke removes system-level MDM config for all users, so it must run as root. Run with: sudo unbound nuke — or use `unbound nuke --user` to clear just your own tools and credentials without root.');
-          process.exitCode = 1;
-          return;
-        }
+        // Scope follows privileges: with root (or Windows Administrator) we also
+        // remove system-level MDM config for all users; otherwise we clear only
+        // this user. Detecting elevation up front keeps the confirmation honest
+        // (no promising MDM removal we can't perform).
+        const includeMdm = hasRootPrivileges();
 
         if (!opts.yes) {
-          output.warn(opts.user
-            ? 'This removes your user-level Unbound tool configuration and deletes your stored credentials.'
-            : 'This removes ALL Unbound tool configuration on this device (user-level and MDM) and deletes your stored credentials.');
+          output.warn(includeMdm
+            ? 'This removes ALL Unbound tool configuration on this device (user-level and MDM) and deletes your stored credentials.'
+            : 'This removes your user-level Unbound tool configuration and deletes your stored credentials. (MDM/system-level config needs root and will be skipped — re-run with sudo to remove it too.)');
           const ok = await confirm('Continue?');
           if (!ok) {
             output.info('Cancelled. Nothing was changed.');
@@ -902,11 +922,13 @@ Examples:
         const userTools = Object.keys(SETUP_TOOL_MAP).map(name => ({ name, ...SETUP_TOOL_MAP[name] }));
         const userFailed = await clearToolsBestEffort('user', userTools, { mdm: false, backendUrl, gatewayUrl, frontendUrl });
 
-        // MDM clears are skipped in --user mode (they need root and touch all users).
+        // MDM clears need root and touch all users — run them only when we have it.
         let mdmFailed = [];
-        if (!opts.user) {
+        if (includeMdm) {
           const mdmTools = Object.keys(MDM_TOOLS).map(name => ({ name, ...MDM_TOOLS[name] }));
           mdmFailed = await clearToolsBestEffort('mdm', mdmTools, { mdm: true, backendUrl, gatewayUrl });
+        } else {
+          output.info('Skipped MDM (system-level) config — that needs root. Re-run with sudo to remove it too.');
         }
 
         // Wipe credentials + settings last, regardless of tool-clear outcomes.
@@ -915,7 +937,7 @@ Examples:
 
         console.log('');
         const failed = [...userFailed, ...mdmFailed];
-        const scope = opts.user ? 'for your user' : 'on this device';
+        const scope = includeMdm ? 'on this device' : 'for your user';
         if (failed.length === 0) {
           output.success(`Unbound removed ${scope}. The CLI is back to a fresh state — run "unbound login" to start over.`);
         } else {

package/src/index.js

@@ -82,8 +82,8 @@ TOOL SETUP
   $ unbound setup --all --clear            Remove config for every tool
 
   Full uninstall (all tools + credentials):
-  $ sudo unbound nuke                      Wipe everything on the device (MDM + user); requires root
-  $ unbound nuke --user                    Wipe just your tools + credentials (no sudo)
+  $ sudo unbound nuke                      Wipe everything on the device (MDM + user)
+  $ unbound nuke                           Wipe just your tools + credentials (no sudo)
 
 MDM SETUP (admin, requires root)
   $ sudo unbound setup mdm --admin-api-key KEY --all