unbound-cli 1.1.5 → 1.1.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "1.1.5",
+  "version": "1.1.6",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/commands/onboard.js

@@ -101,7 +101,7 @@ Examples:
 
         console.log('');
         output.info('Step 1/2: Installing tool bundle');
-        const ok = await runSetupAllBundle(apiKey, {
+        const { ok, skipped } = await runSetupAllBundle(apiKey, {
           backendUrl, frontendUrl, gatewayUrl, backfill: !!opts.backfill,
         });
         if (!ok) return;
@@ -127,7 +127,9 @@ Examples:
         }
 
         console.log('');
-        output.success('Onboarding complete');
+        output.success(skipped && skipped.length
+          ? 'Onboarding complete — tools managed by MDM were skipped (see above)'
+          : 'Onboarding complete');
       } catch (err) {
         if (!err.displayed) output.error(err.message);
         if (discoverySucceeded && opts.setCron) {
@@ -237,7 +239,7 @@ Examples:
 
         console.log('');
         output.info('Step 1/2: Installing MDM tool bundle');
-        const ok = await runMdmSetupAllBundle(adminApiKey, {
+        const { ok, skipped } = await runMdmSetupAllBundle(adminApiKey, {
           backendUrl, gatewayUrl, backfill: !!opts.backfill,
         });
         if (!ok) return;
@@ -249,7 +251,9 @@ Examples:
         await runDiscoveryScan({ apiKey: opts.discoveryKey, domain: discoveryDomain });
 
         console.log('');
-        output.success('MDM onboarding complete');
+        output.success(skipped && skipped.length
+          ? 'MDM onboarding complete — tools managed by MDM were skipped (see above)'
+          : 'MDM onboarding complete');
       } catch (err) {
         if (!err.displayed) output.error(err.message);
         if (setupSucceeded) {

package/src/commands/setup.js

@@ -11,6 +11,14 @@ const { confirm } = require('../utils');
 
 const SETUP_BASE_URL = 'https://raw.githubusercontent.com/websentry-ai/setup/refs/heads/main';
 
+// A setup script exits with this code when it detects an existing MDM (managed)
+// install for that tool and skips itself. It is a deliberate, non-fatal signal —
+// not a failure — so the CLI suppresses the script's own output and reports the
+// skip cleanly instead. Must stay in sync with the setup repo's setup.py scripts.
+// Only emitted by setup runs: the scripts run the MDM check AFTER the --clear
+// branch, so clear/nuke operations never produce this code.
+const EXIT_MDM_PRESENT = 3;
+
 // WSL reports as Linux via uname; only native Windows (cmd.exe / PowerShell)
 // takes the Windows code path. WSL keeps using the Linux curl|python3 pipe.
 function isWindowsNative() {
@@ -200,7 +208,9 @@ async function runPythonScriptWindows(scriptPath, args, { capture }) {
   await downloadToFile(url, tmp);
   const py = resolveWindowsPython();
   try {
-    await new Promise((resolve, reject) => {
+    // `return await` so the resolved value (e.g. { mdmSkipped: true }) reaches
+    // the caller; the finally below still runs before the function returns.
+    return await new Promise((resolve, reject) => {
       const child = spawn(py.cmd, [...py.prefix, tmp, ...parsePosixArgs(args)], {
         stdio: capture ? ['pipe', 'pipe', 'pipe'] : 'inherit',
         shell: false,
@@ -215,6 +225,8 @@ async function runPythonScriptWindows(scriptPath, args, { capture }) {
       }
       child.on('close', (code) => {
         if (code === 0) return resolve();
+        // Managed by MDM — drop any captured output and signal a skip.
+        if (code === EXIT_MDM_PRESENT) return resolve({ mdmSkipped: true });
         const err = new Error(out.trim() || `Setup script failed with exit code ${code}`);
         if (capture) err.setupOutput = out.trim();
         reject(err);
@@ -276,12 +288,14 @@ async function runSetupScript(scriptPath, apiKey, { clear = false, backendUrl, f
   const args = buildScriptArgs(apiKey, { backendUrl, frontendUrl, gatewayUrl, clear, backfill });
   console.log('');
   if (isWindowsNative()) {
-    await runPythonScriptWindows(scriptPath, args, { capture: false });
-    return;
+    return runPythonScriptWindows(scriptPath, args, { capture: false });
   }
   try {
     execSync(buildSetupCommand(scriptPath, args), { stdio: 'inherit' });
   } catch (err) {
+    // Managed by MDM — the script already printed its one-line notice (stdio is
+    // inherited here). Signal a skip so the caller can add the CLI notice.
+    if (err.status === EXIT_MDM_PRESENT) return { mdmSkipped: true };
     throw new Error(`Setup script failed with exit code ${err.status || 1}. Check the output above for details.`);
   }
 }
@@ -309,6 +323,9 @@ function runScriptPiped(scriptPath, args) {
     child.on('close', (code) => {
       if (code === 0) {
         resolve();
+      } else if (code === EXIT_MDM_PRESENT) {
+        // Managed by MDM — drop the captured script output and signal a skip.
+        resolve({ mdmSkipped: true });
       } else {
         const err = new Error(captured.trim() || `Setup failed with exit code ${code}`);
         err.setupOutput = captured.trim();
@@ -350,24 +367,61 @@ function hasRootPrivileges() {
 }
 
 /**
- * Runs a batch of tools sequentially with spinners.
- * Stops on first failure. Returns true if all succeeded.
+ * Prints a clear, red, end-of-run notice for tools that were skipped because an
+ * MDM (organization-managed) setup is already present. Kept separate so callers
+ * can surface it at the very end of their flow.
+ */
+function reportMdmSkips(labels) {
+  if (!labels || labels.length === 0) return;
+  console.error('');
+  console.error(output.colors.bold(output.colors.red(
+    `✗ Skipped — managed by your organization (MDM): ${labels.join(', ')}`)));
+  console.error(output.colors.red("  User-level setup can't override MDM. Contact your IT admin to change it."));
+}
+
+/**
+ * Runs a batch of tools sequentially with spinners. Stops on the first hard
+ * failure. A tool that reports an MDM skip is NOT a failure — it's collected and
+ * surfaced (in red) at the end, and the batch continues. Returns
+ * { ok, skipped } — ok is false only on a hard failure; skipped is the list of
+ * MDM-managed tool labels so callers can qualify their own success message.
+ * When `summary` is set, a green success line is printed for the configured
+ * tools before the MDM notice.
  */
-async function runBatch(tools, runFn, { clear = false } = {}) {
+async function runBatch(tools, runFn, { clear = false, summary = null } = {}) {
   const action = clear ? 'Clearing' : 'Setting up';
+  const mdmSkipped = [];
   for (const tool of tools) {
     const s = output.spinner(`${action} ${tool.label}...`);
     try {
-      await runFn(tool);
-      s.succeed(tool.label);
+      const result = await runFn(tool);
+      if (result && result.mdmSkipped) {
+        // Stop the spinner and leave an inline marker so the tool doesn't just
+        // vanish mid-batch; the actionable red summary still prints at the end.
+        s.stop();
+        console.error(output.colors.dim(`  Skipped ${tool.label} — managed by MDM`));
+        mdmSkipped.push(tool.label);
+      } else {
+        s.succeed(tool.label);
+      }
     } catch (err) {
       s.fail(`Failed: ${tool.label}`);
       if (err.setupOutput) console.error('\n' + err.setupOutput);
       process.exitCode = 1;
-      return false;
+      // Still surface any tools skipped before this failure so the notice isn't lost.
+      reportMdmSkips(mdmSkipped);
+      return { ok: false, skipped: mdmSkipped };
     }
   }
-  return true;
+  const configured = tools.length - mdmSkipped.length;
+  if (summary && configured > 0) {
+    console.log('');
+    // Some tools may have been MDM-managed, so report the actual count and the
+    // matching verb. (clear never produces skips, but keep the verb consistent.)
+    output.success(mdmSkipped.length ? `${configured} of ${tools.length} tools ${clear ? 'cleared' : 'configured'}` : summary);
+  }
+  reportMdmSkips(mdmSkipped);
+  return { ok: true, skipped: mdmSkipped };
 }
 
 /**
@@ -468,6 +522,11 @@ Examples:
 When setting up, if you are not logged in and --api-key is not provided, the
 browser opens automatically to authenticate first. Clearing (--clear) never
 requires authentication.
+
+If an MDM (organization-managed) setup is already present for a tool, user-level
+setup for that tool is skipped automatically — the managed configuration already
+enforces Unbound for every user on the device. To change it, an administrator
+must update the MDM configuration.
 `)
     .action(async (tools, opts) => {
       try {
@@ -527,18 +586,14 @@ requires authentication.
               if (!scriptSupportsBackfill(tool.script)) noteBackfillUnsupported(tool.label, tool.script);
             }
           }
-          const ok = await runBatch(selectedTools, (tool) => {
+          await runBatch(selectedTools, (tool) => {
             const toolArgs = buildScriptArgs(apiKey, {
               ...urlOpts,
               clear: opts.clear,
               backfill: opts.backfill && scriptSupportsBackfill(tool.script),
             });
             return runScriptPiped(tool.script, toolArgs);
-          }, { clear: opts.clear });
-          if (!ok) return;
-
-          console.log('');
-          output.success(opts.clear ? 'All tools cleared' : 'All tools configured');
+          }, { clear: opts.clear, summary: opts.clear ? 'All tools cleared' : 'All tools configured' });
           return;
         }
 
@@ -604,7 +659,8 @@ requires authentication.
             const { script, label } = SETUP_TOOL_MAP[toolName];
             const backfill = opts.backfill && scriptSupportsBackfill(script);
             if (opts.backfill && !backfill) noteBackfillUnsupported(label, script);
-            await runSetupScript(script, apiKey, { clear: opts.clear, backfill, ...urlOpts });
+            const r = await runSetupScript(script, apiKey, { clear: opts.clear, backfill, ...urlOpts });
+            if (r && r.mdmSkipped) reportMdmSkips([label]);
           } else if (MODE_TOOLS[toolName]) {
             const mode = MODE_TOOLS[toolName];
             if (opts.clear) {
@@ -621,7 +677,8 @@ requires authentication.
               const { script, label } = SETUP_TOOL_MAP[resolved];
               const backfill = opts.backfill && scriptSupportsBackfill(script);
               if (opts.backfill && !backfill) noteBackfillUnsupported(label, script);
-              await runSetupScript(script, apiKey, { ...urlOpts, backfill });
+              const r = await runSetupScript(script, apiKey, { ...urlOpts, backfill });
+              if (r && r.mdmSkipped) reportMdmSkips([label]);
             }
           } else if (INSTRUCTION_TOOLS[toolName]) {
             output.keyValue(INSTRUCTION_TOOLS[toolName].values(apiKey, frontendUrl));
@@ -664,14 +721,14 @@ requires authentication.
               if (!scriptSupportsBackfill(tool.script)) noteBackfillUnsupported(tool.label, tool.script);
             }
           }
-          const ok = await runBatch(resolvedScripts, (tool) => {
+          const { ok } = await runBatch(resolvedScripts, (tool) => {
             const toolArgs = buildScriptArgs(apiKey, {
               ...urlOpts,
               clear: opts.clear,
               backfill: opts.backfill && scriptSupportsBackfill(tool.script),
             });
             return runScriptPiped(tool.script, toolArgs);
-          }, { clear: opts.clear });
+          }, { clear: opts.clear, summary: opts.clear ? 'All tools cleared' : 'All tools configured' });
           if (!ok) return;
         }
 
@@ -682,10 +739,6 @@ requires authentication.
           output.keyValue(INSTRUCTION_TOOLS[toolName].values(apiKey, frontendUrl));
         }
 
-        if (resolvedScripts.length > 0) {
-          console.log('');
-          output.success(opts.clear ? 'All tools cleared' : 'All tools configured');
-        }
       } catch (err) {
         if (err.message === 'Selection cancelled') return;
         if (!err.displayed) output.error(err.message);
@@ -832,7 +885,7 @@ Clear examples (no API key required):
           }
         }
 
-        const ok = await runBatch(
+        const { ok } = await runBatch(
           resolvedTools,
           (tool) => {
             const toolArgs = buildScriptArgs(adminApiKey, {
@@ -844,12 +897,9 @@ Clear examples (no API key required):
             });
             return runScriptPiped(tool.script, toolArgs);
           },
-          { clear: globalOpts.clear }
+          { clear: globalOpts.clear, summary: globalOpts.clear ? 'All tools cleared' : 'All tools configured' }
         );
         if (!ok) return;
-
-        console.log('');
-        output.success(globalOpts.clear ? 'All tools cleared' : 'All tools configured');
       } catch (err) {
         output.error(err.message);
         process.exitCode = 1;

package/src/output.js

@@ -349,4 +349,4 @@ function multiSelect(message, options) {
   });
 }
 
-module.exports = { table, json, keyValue, success, error, warn, info, spinner, select, multiSelect };
+module.exports = { table, json, keyValue, success, error, warn, info, spinner, select, multiSelect, colors: c };