npm - unbound-cli - Versions diffs - 1.1.5 → 1.1.7 - Mend

unbound-cli 1.1.5 → 1.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "1.1.5",
+  "version": "1.1.7",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/commands/discover.js CHANGED Viewed

@@ -11,6 +11,13 @@ const LAUNCH_AGENT_LABEL = 'ai.getunbound.discovery';
 // (e.g. Linux). Treated as a skipped scan, not a failure.
 const DISCOVERY_EXIT_UNSUPPORTED_OS = 3;
+// Self-imposed discovery run timeout (seconds), forwarded through install.sh to
+// the discovery process so `unbound onboard` / `unbound discover` can't hang
+// indefinitely. Discovery enforces this itself — on expiry it releases its lock,
+// reports the run as failed, and exits non-zero. Kept in sync with
+// setup/mdm/onboard.py's DISCOVERY_TIMEOUT_SECONDS.
+const DISCOVERY_TIMEOUT_SECONDS = 1800;
 // Classifies a discovery subprocess exit code:
 // 'success' (scan ran), 'unsupported' (skipped on this OS), or 'failure'.
 function classifyDiscoveryExit(code) {
@@ -146,7 +153,16 @@ async function runDiscoveryScan({ apiKey, domain }) {
     console.log('');
   }
+  // Don't pass --timeout: install.sh is fetched from coding-discovery-tool/main,
+  // and an older discovery there would reject the unknown flag (argparse exits
+  // non-zero) and fail the scan. Discovery self-bounds via its own default (kept
+  // equal to DISCOVERY_TIMEOUT_SECONDS), so this is correct regardless of merge
+  // order. Surface the bound so the wait isn't a mystery; on expiry the discovery
+  // process prints its own line (stdio is inherited) and exits non-zero.
   const args = `--api-key ${shellEscape(apiKey)} --domain ${shellEscape(domain)}`;
+  if (!isWindowsNative()) {
+    output.info(`Discovery stops on its own after ${Math.round(DISCOVERY_TIMEOUT_SECONDS / 60)} minutes if it can't finish.`);
+  }
   await runDiscoveryScript('install.sh', args);
 }

package/src/commands/onboard.js CHANGED Viewed

@@ -101,7 +101,7 @@ Examples:
         console.log('');
         output.info('Step 1/2: Installing tool bundle');
-        const ok = await runSetupAllBundle(apiKey, {
+        const { ok, skipped } = await runSetupAllBundle(apiKey, {
           backendUrl, frontendUrl, gatewayUrl, backfill: !!opts.backfill,
         });
         if (!ok) return;
@@ -127,7 +127,9 @@ Examples:
         }
         console.log('');
-        output.success('Onboarding complete');
+        output.success(skipped && skipped.length
+          ? 'Onboarding complete — tools managed by MDM were skipped (see above)'
+          : 'Onboarding complete');
       } catch (err) {
         if (!err.displayed) output.error(err.message);
         if (discoverySucceeded && opts.setCron) {
@@ -237,7 +239,7 @@ Examples:
         console.log('');
         output.info('Step 1/2: Installing MDM tool bundle');
-        const ok = await runMdmSetupAllBundle(adminApiKey, {
+        const { ok, skipped } = await runMdmSetupAllBundle(adminApiKey, {
           backendUrl, gatewayUrl, backfill: !!opts.backfill,
         });
         if (!ok) return;
@@ -249,7 +251,9 @@ Examples:
         await runDiscoveryScan({ apiKey: opts.discoveryKey, domain: discoveryDomain });
         console.log('');
-        output.success('MDM onboarding complete');
+        output.success(skipped && skipped.length
+          ? 'MDM onboarding complete — tools managed by MDM were skipped (see above)'
+          : 'MDM onboarding complete');
       } catch (err) {
         if (!err.displayed) output.error(err.message);
         if (setupSucceeded) {

package/src/commands/setup.js CHANGED Viewed

@@ -11,6 +11,14 @@ const { confirm } = require('../utils');
 const SETUP_BASE_URL = 'https://raw.githubusercontent.com/websentry-ai/setup/refs/heads/main';
+// A setup script exits with this code when it detects an existing MDM (managed)
+// install for that tool and skips itself. It is a deliberate, non-fatal signal —
+// not a failure — so the CLI suppresses the script's own output and reports the
+// skip cleanly instead. Must stay in sync with the setup repo's setup.py scripts.
+// Only emitted by setup runs: the scripts run the MDM check AFTER the --clear
+// branch, so clear/nuke operations never produce this code.
+const EXIT_MDM_PRESENT = 3;
 // WSL reports as Linux via uname; only native Windows (cmd.exe / PowerShell)
 // takes the Windows code path. WSL keeps using the Linux curl|python3 pipe.
 function isWindowsNative() {
@@ -200,7 +208,9 @@ async function runPythonScriptWindows(scriptPath, args, { capture }) {
   await downloadToFile(url, tmp);
   const py = resolveWindowsPython();
   try {
-    await new Promise((resolve, reject) => {
+    // `return await` so the resolved value (e.g. { mdmSkipped: true }) reaches
+    // the caller; the finally below still runs before the function returns.
+    return await new Promise((resolve, reject) => {
       const child = spawn(py.cmd, [...py.prefix, tmp, ...parsePosixArgs(args)], {
         stdio: capture ? ['pipe', 'pipe', 'pipe'] : 'inherit',
         shell: false,
@@ -215,6 +225,8 @@ async function runPythonScriptWindows(scriptPath, args, { capture }) {
       }
       child.on('close', (code) => {
         if (code === 0) return resolve();
+        // Managed by MDM — drop any captured output and signal a skip.
+        if (code === EXIT_MDM_PRESENT) return resolve({ mdmSkipped: true });
         const err = new Error(out.trim() || `Setup script failed with exit code ${code}`);
         if (capture) err.setupOutput = out.trim();
         reject(err);
@@ -276,12 +288,14 @@ async function runSetupScript(scriptPath, apiKey, { clear = false, backendUrl, f
   const args = buildScriptArgs(apiKey, { backendUrl, frontendUrl, gatewayUrl, clear, backfill });
   console.log('');
   if (isWindowsNative()) {
-    await runPythonScriptWindows(scriptPath, args, { capture: false });
-    return;
+    return runPythonScriptWindows(scriptPath, args, { capture: false });
   }
   try {
     execSync(buildSetupCommand(scriptPath, args), { stdio: 'inherit' });
   } catch (err) {
+    // Managed by MDM — the script already printed its one-line notice (stdio is
+    // inherited here). Signal a skip so the caller can add the CLI notice.
+    if (err.status === EXIT_MDM_PRESENT) return { mdmSkipped: true };
     throw new Error(`Setup script failed with exit code ${err.status || 1}. Check the output above for details.`);
   }
 }
@@ -309,6 +323,9 @@ function runScriptPiped(scriptPath, args) {
     child.on('close', (code) => {
       if (code === 0) {
         resolve();
+      } else if (code === EXIT_MDM_PRESENT) {
+        // Managed by MDM — drop the captured script output and signal a skip.
+        resolve({ mdmSkipped: true });
       } else {
         const err = new Error(captured.trim() || `Setup failed with exit code ${code}`);
         err.setupOutput = captured.trim();
@@ -350,24 +367,61 @@ function hasRootPrivileges() {
 }
 /**
- * Runs a batch of tools sequentially with spinners.
- * Stops on first failure. Returns true if all succeeded.
+ * Prints a clear, red, end-of-run notice for tools that were skipped because an
+ * MDM (organization-managed) setup is already present. Kept separate so callers
+ * can surface it at the very end of their flow.
+ */
+function reportMdmSkips(labels) {
+  if (!labels || labels.length === 0) return;
+  console.error('');
+  console.error(output.colors.bold(output.colors.red(
+    `✗ Skipped — managed by your organization (MDM): ${labels.join(', ')}`)));
+  console.error(output.colors.red("  User-level setup can't override MDM. Contact your IT admin to change it."));
+}
+/**
+ * Runs a batch of tools sequentially with spinners. Stops on the first hard
+ * failure. A tool that reports an MDM skip is NOT a failure — it's collected and
+ * surfaced (in red) at the end, and the batch continues. Returns
+ * { ok, skipped } — ok is false only on a hard failure; skipped is the list of
+ * MDM-managed tool labels so callers can qualify their own success message.
+ * When `summary` is set, a green success line is printed for the configured
+ * tools before the MDM notice.
  */
-async function runBatch(tools, runFn, { clear = false } = {}) {
+async function runBatch(tools, runFn, { clear = false, summary = null } = {}) {
   const action = clear ? 'Clearing' : 'Setting up';
+  const mdmSkipped = [];
   for (const tool of tools) {
     const s = output.spinner(`${action} ${tool.label}...`);
     try {
-      await runFn(tool);
-      s.succeed(tool.label);
+      const result = await runFn(tool);
+      if (result && result.mdmSkipped) {
+        // Stop the spinner and leave an inline marker so the tool doesn't just
+        // vanish mid-batch; the actionable red summary still prints at the end.
+        s.stop();
+        console.error(output.colors.dim(`  Skipped ${tool.label} — managed by MDM`));
+        mdmSkipped.push(tool.label);
+      } else {
+        s.succeed(tool.label);
+      }
     } catch (err) {
       s.fail(`Failed: ${tool.label}`);
       if (err.setupOutput) console.error('\n' + err.setupOutput);
       process.exitCode = 1;
-      return false;
+      // Still surface any tools skipped before this failure so the notice isn't lost.
+      reportMdmSkips(mdmSkipped);
+      return { ok: false, skipped: mdmSkipped };
     }
   }
-  return true;
+  const configured = tools.length - mdmSkipped.length;
+  if (summary && configured > 0) {
+    console.log('');
+    // Some tools may have been MDM-managed, so report the actual count and the
+    // matching verb. (clear never produces skips, but keep the verb consistent.)
+    output.success(mdmSkipped.length ? `${configured} of ${tools.length} tools ${clear ? 'cleared' : 'configured'}` : summary);
+  }
+  reportMdmSkips(mdmSkipped);
+  return { ok: true, skipped: mdmSkipped };
 }
 /**
@@ -468,6 +522,11 @@ Examples:
 When setting up, if you are not logged in and --api-key is not provided, the
 browser opens automatically to authenticate first. Clearing (--clear) never
 requires authentication.
+If an MDM (organization-managed) setup is already present for a tool, user-level
+setup for that tool is skipped automatically — the managed configuration already
+enforces Unbound for every user on the device. To change it, an administrator
+must update the MDM configuration.
 `)
     .action(async (tools, opts) => {
       try {
@@ -527,18 +586,14 @@ requires authentication.
               if (!scriptSupportsBackfill(tool.script)) noteBackfillUnsupported(tool.label, tool.script);
             }
           }
-          const ok = await runBatch(selectedTools, (tool) => {
+          await runBatch(selectedTools, (tool) => {
             const toolArgs = buildScriptArgs(apiKey, {
               ...urlOpts,
               clear: opts.clear,
               backfill: opts.backfill && scriptSupportsBackfill(tool.script),
             });
             return runScriptPiped(tool.script, toolArgs);
-          }, { clear: opts.clear });
-          if (!ok) return;
-          console.log('');
-          output.success(opts.clear ? 'All tools cleared' : 'All tools configured');
+          }, { clear: opts.clear, summary: opts.clear ? 'All tools cleared' : 'All tools configured' });
           return;
         }
@@ -604,7 +659,8 @@ requires authentication.
             const { script, label } = SETUP_TOOL_MAP[toolName];
             const backfill = opts.backfill && scriptSupportsBackfill(script);
             if (opts.backfill && !backfill) noteBackfillUnsupported(label, script);
-            await runSetupScript(script, apiKey, { clear: opts.clear, backfill, ...urlOpts });
+            const r = await runSetupScript(script, apiKey, { clear: opts.clear, backfill, ...urlOpts });
+            if (r && r.mdmSkipped) reportMdmSkips([label]);
           } else if (MODE_TOOLS[toolName]) {
             const mode = MODE_TOOLS[toolName];
             if (opts.clear) {
@@ -621,7 +677,8 @@ requires authentication.
               const { script, label } = SETUP_TOOL_MAP[resolved];
               const backfill = opts.backfill && scriptSupportsBackfill(script);
               if (opts.backfill && !backfill) noteBackfillUnsupported(label, script);
-              await runSetupScript(script, apiKey, { ...urlOpts, backfill });
+              const r = await runSetupScript(script, apiKey, { ...urlOpts, backfill });
+              if (r && r.mdmSkipped) reportMdmSkips([label]);
             }
           } else if (INSTRUCTION_TOOLS[toolName]) {
             output.keyValue(INSTRUCTION_TOOLS[toolName].values(apiKey, frontendUrl));
@@ -664,14 +721,14 @@ requires authentication.
               if (!scriptSupportsBackfill(tool.script)) noteBackfillUnsupported(tool.label, tool.script);
             }
           }
-          const ok = await runBatch(resolvedScripts, (tool) => {
+          const { ok } = await runBatch(resolvedScripts, (tool) => {
             const toolArgs = buildScriptArgs(apiKey, {
               ...urlOpts,
               clear: opts.clear,
               backfill: opts.backfill && scriptSupportsBackfill(tool.script),
             });
             return runScriptPiped(tool.script, toolArgs);
-          }, { clear: opts.clear });
+          }, { clear: opts.clear, summary: opts.clear ? 'All tools cleared' : 'All tools configured' });
           if (!ok) return;
         }
@@ -682,10 +739,6 @@ requires authentication.
           output.keyValue(INSTRUCTION_TOOLS[toolName].values(apiKey, frontendUrl));
         }
-        if (resolvedScripts.length > 0) {
-          console.log('');
-          output.success(opts.clear ? 'All tools cleared' : 'All tools configured');
-        }
       } catch (err) {
         if (err.message === 'Selection cancelled') return;
         if (!err.displayed) output.error(err.message);
@@ -832,7 +885,7 @@ Clear examples (no API key required):
           }
         }
-        const ok = await runBatch(
+        const { ok } = await runBatch(
           resolvedTools,
           (tool) => {
             const toolArgs = buildScriptArgs(adminApiKey, {
@@ -844,12 +897,9 @@ Clear examples (no API key required):
             });
             return runScriptPiped(tool.script, toolArgs);
           },
-          { clear: globalOpts.clear }
+          { clear: globalOpts.clear, summary: globalOpts.clear ? 'All tools cleared' : 'All tools configured' }
         );
         if (!ok) return;
-        console.log('');
-        output.success(globalOpts.clear ? 'All tools cleared' : 'All tools configured');
       } catch (err) {
         output.error(err.message);
         process.exitCode = 1;

package/src/output.js CHANGED Viewed

@@ -349,4 +349,4 @@ function multiSelect(message, options) {
   });
 }
-module.exports = { table, json, keyValue, success, error, warn, info, spinner, select, multiSelect };
+module.exports = { table, json, keyValue, success, error, warn, info, spinner, select, multiSelect, colors: c };