npm - unbound-cli - Versions diffs - 1.1.8 → 1.3.0 - Mend

unbound-cli 1.1.8 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/LOCAL_DEV.md +10 -10
package/README.md +8 -8
package/package.json +1 -1
package/src/commands/chat.js +2 -2
package/src/commands/doctor.js +198 -0
package/src/commands/onboard.js +112 -161
package/src/commands/setup.js +106 -180
package/src/commands/status.js +42 -2
package/src/config.js +1 -1
package/src/index.js +12 -12
package/src/toolHealth.js +288 -0
package/test/command-merge.test.js +44 -0
package/test/doctor-exit.test.js +31 -0
package/test/onboard-scope.test.js +114 -0
package/test/tool-health.test.js +210 -0
package/src/commands/whoami.js +0 -65

package/src/commands/onboard.js CHANGED Viewed

@@ -2,7 +2,7 @@ const { Option } = require('commander');
 const config = require('../config');
 const output = require('../output');
 const { ensureLoggedIn } = require('../auth');
-const { runSetupAllBundle, runMdmSetupAllBundle, checkRoot, ALL_TOOLS, MDM_ALL_TOOLS } = require('./setup');
+const { runSetupAllBundle, runMdmSetupAllBundle, hasRootPrivileges, ALL_TOOLS, MDM_ALL_TOOLS } = require('./setup');
 const { runDiscoveryScan } = require('./discover');
 /**
@@ -20,52 +20,55 @@ function register(program) {
   const onboard = program
     .command('onboard')
     .description(
-      'One-step user onboarding: install the default AI tools bundle and run device discovery. ' +
-      'Runs `setup --all` followed by `discover` in a single command.'
+      'One-step onboarding: install the AI tools bundle and run device discovery. ' +
+      'Scope is auto-detected from your privileges — run with sudo to enroll every ' +
+      'user on the device (MDM/org scope), or without sudo to set up just the current user.'
     )
-    .option('--api-key <key>', 'User API key (or set UNBOUND_API_KEY env var, or reuse a stored `unbound login` key)')
-    .option('--discovery-key <key>', 'Discovery API key for device scan (or set UNBOUND_DISCOVERY_KEY env var)')
+    .option('--api-key <key>', 'API key (user key, or admin key when run with sudo). Falls back to UNBOUND_API_KEY or a stored `unbound login` key)')
+    .addOption(new Option('--admin-api-key <key>', 'Alias for --api-key (back-compat)').hideHelp())
+    .option('--discovery-key <key>', 'Discovery API key for device scan (or set UNBOUND_DISCOVERY_KEY)')
     .option('--domain <url>', 'Backend URL for discovery (defaults to configured backend)')
-    .option('--set-cron', 'Set up a daily background job to keep governance up to date')
-    .option('--backfill', 'Seed historical Claude Code / Codex sessions from local transcripts into Unbound analytics (Cursor skipped automatically)')
+    .option('--set-cron', 'Set up a daily background job to keep governance up to date (under sudo, schedules a discovery scan only — not a full tool re-install)')
+    .option('--backfill', 'Seed historical Claude Code / Codex / Copilot sessions from local transcripts into Unbound analytics (Cursor skipped automatically)')
     .addOption(new Option('--backend-url <url>', 'Override backend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--frontend-url <url>', 'Override frontend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--gateway-url <url>', 'Override gateway URL for setup scripts (dev only)').hideHelp())
     .addHelpText('after', `
-Runs the full onboarding flow for an end user:
-  1. Logs in with --api-key and stores credentials (or reuses a stored
-     \`unbound login\` key when --api-key is omitted).
-  2. Installs the default tool bundle: ${ALL_TOOLS.join(', ')}.
+Runs the full onboarding flow, auto-detecting scope from your privileges:
+  With sudo, installs the MDM tool bundle (${MDM_ALL_TOOLS.join(', ')}) and
+  scans all users on the device. Without sudo, installs the user bundle
+  (${ALL_TOOLS.join(', ')}) and scans the current user.
+  1. Logs in / resolves the API key (or reuses a stored \`unbound login\` key
+     when --api-key is omitted).
+  2. Installs the tool bundle for the detected scope.
   3. Runs device discovery with --discovery-key. With --set-cron, sets up a
      recurring daily scheduled scan (cross-platform) instead of a one-time scan.
-The user API key and discovery API key are separate keys obtained from
-different parts of the Unbound dashboard. Discovery uses its own key
-that is not stored in the CLI config.
-Run with sudo to let the discovery step scan all users on the device.
-Without sudo, discovery only scans the current user.
-For admin device enrollment via MDM, use \`unbound onboard-mdm\` instead.
+The API key and discovery API key are separate keys obtained from different
+parts of the Unbound dashboard. Discovery uses its own key that is not stored
+in the CLI config.
 Examples:
   $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>
+  $ sudo unbound onboard --api-key <ADMIN_KEY> --discovery-key <DISCOVERY_KEY>
   $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> --backfill
   $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> --set-cron
-  $ sudo unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>
 `)
     .action(async (opts) => {
-      const apiKeyOpt = opts.apiKey || process.env.UNBOUND_API_KEY;
+      const apiKeyOpt = opts.apiKey || opts.adminApiKey || process.env.UNBOUND_API_KEY;
       const discoveryKeyOpt = opts.discoveryKey || process.env.UNBOUND_DISCOVERY_KEY;
-      // A stored `unbound login` key is enough — only demand --api-key when not
-      // already logged in. ensureLoggedIn() reuses the stored credential below.
-      if (!apiKeyOpt && !config.isLoggedIn()) {
-        output.error('--api-key is required (or set UNBOUND_API_KEY env var, or run `unbound login` first)');
+      const isMdm = hasRootPrivileges();
+      if (!discoveryKeyOpt) {
+        output.error('--discovery-key is required (or set UNBOUND_DISCOVERY_KEY env var)');
         process.exitCode = 1;
         return;
       }
-      if (!discoveryKeyOpt) {
-        output.error('--discovery-key is required (or set UNBOUND_DISCOVERY_KEY env var)');
+      // User scope needs a key or an existing login; MDM scope resolves the
+      // admin key below (it may come from a stored `unbound login` credential).
+      if (!isMdm && !apiKeyOpt && !config.isLoggedIn()) {
+        output.error('--api-key is required (or set UNBOUND_API_KEY env var, or run `unbound login` first)');
         process.exitCode = 1;
         return;
       }
@@ -73,84 +76,120 @@ Examples:
       let setupSucceeded = false;
       let discoverySucceeded = false;
       let discoveryDomain;
+      let skippedTools;
       try {
         // Persist URLs first, then login, then setup — order matters so the
         // login validates against the new backend and setup wires tools at the
         // new gateway. setUrls is atomic; a malformed URL throws before any
-        // disk write so the three URLs never end up out of sync.
+        // disk write so the three URLs never end up out of sync. Prefer the
+        // values we JUST persisted over the env-var-aware getters — a stale
+        // UNBOUND_*_URL from a prior shell session could otherwise silently
+        // shadow the user's explicit --*-url flag.
         const written = config.setUrls({
           backend: opts.backendUrl,
           frontend: opts.frontendUrl,
           gateway: opts.gatewayUrl,
         });
-        // Prefer the values we JUST persisted over the env-var-aware getters —
-        // a stale UNBOUND_*_URL from a prior shell session could otherwise
-        // silently shadow the user's explicit --*-url flag and route login or
-        // setup at the wrong tenant.
         const backendUrl = written.base_url || config.getBaseUrl();
         const frontendUrl = written.frontend_url || config.getFrontendUrl();
         const gatewayUrl = written.gateway_url || config.getGatewayUrl();
         discoveryDomain = opts.domain || backendUrl;
-        await ensureLoggedIn({
-          apiKey: apiKeyOpt,
-          baseUrl: written.base_url,
-          frontendUrl: written.frontend_url,
-        });
-        const apiKey = config.getApiKey();
+        if (isMdm) {
+          // Reuse the key stored by `unbound login` when no key was passed.
+          const adminApiKey = apiKeyOpt || config.getApiKey();
+          if (!adminApiKey) {
+            output.error('--api-key is required (or run `unbound login` first).');
+            process.exitCode = 1;
+            return;
+          }
-        console.log('');
-        output.info('Step 1/2: Installing tool bundle');
-        const { ok, skipped } = await runSetupAllBundle(apiKey, {
-          backendUrl, frontendUrl, gatewayUrl, backfill: !!opts.backfill,
-        });
-        if (!ok) return;
-        setupSucceeded = true;
+          console.log('');
+          output.info('Step 1/2: Installing MDM tool bundle (all users)');
+          const { ok, skipped } = await runMdmSetupAllBundle(adminApiKey, {
+            backendUrl, frontendUrl, gatewayUrl, backfill: !!opts.backfill,
+          });
+          if (!ok) return;
+          setupSucceeded = true;
-        console.log('');
-        output.info('Step 2/2: Running device discovery');
-        console.log('');
-        await runDiscoveryScan({ apiKey: discoveryKeyOpt, domain: discoveryDomain });
-        discoverySucceeded = true;
+          console.log('');
+          output.info('Step 2/2: Running device discovery');
+          console.log('');
+          await runDiscoveryScan({ apiKey: discoveryKeyOpt, domain: discoveryDomain });
+          discoverySucceeded = true;
+          skippedTools = skipped;
+        } else {
+          await ensureLoggedIn({
+            apiKey: apiKeyOpt,
+            baseUrl: written.base_url,
+            frontendUrl: written.frontend_url,
+          });
+          const apiKey = config.getApiKey();
+          console.log('');
+          output.info('Step 1/2: Installing tool bundle');
+          const { ok, skipped } = await runSetupAllBundle(apiKey, {
+            backendUrl, frontendUrl, gatewayUrl, backfill: !!opts.backfill,
+          });
+          if (!ok) return;
+          setupSucceeded = true;
+          console.log('');
+          output.info('Step 2/2: Running device discovery');
+          console.log('');
+          await runDiscoveryScan({ apiKey: discoveryKeyOpt, domain: discoveryDomain });
+          discoverySucceeded = true;
+          skippedTools = skipped;
+        }
         if (opts.setCron) {
           console.log('');
-          output.info('Setting up daily scheduled run');
           const { setupScheduledRun } = require('../scheduled');
-          await setupScheduledRun({
-            command: 'onboard',
-            apiKey: apiKeyOpt || apiKey,
-            discoveryKey: discoveryKeyOpt,
-            domain: discoveryDomain,
-            skipRunAtLoad: true,
-          });
+          if (isMdm) {
+            // Under sudo, the recurring job refreshes the device/tool inventory
+            // only — it does NOT re-push the full MDM tool bundle daily, and it
+            // stores the lower-privilege discovery key, not the admin key.
+            output.info('Setting up daily scheduled discovery scan');
+            await setupScheduledRun({
+              command: 'discover',
+              apiKey: discoveryKeyOpt,
+              domain: discoveryDomain,
+              skipRunAtLoad: true,
+            });
+          } else {
+            output.info('Setting up daily scheduled run');
+            await setupScheduledRun({
+              command: 'onboard',
+              apiKey: apiKeyOpt || config.getApiKey(),
+              discoveryKey: discoveryKeyOpt,
+              domain: discoveryDomain,
+              skipRunAtLoad: true,
+            });
+          }
         }
         console.log('');
-        output.success(skipped && skipped.length
+        output.success(skippedTools && skippedTools.length
           ? 'Onboarding complete — tools managed by MDM were skipped (see above)'
           : 'Onboarding complete');
       } catch (err) {
         if (!err.displayed) output.error(err.message);
+        const suffix = domainHintSuffix(discoveryDomain);
+        const sudo = isMdm ? 'sudo ' : '';
         if (discoverySucceeded && opts.setCron) {
           // Both setup and discovery completed; only the optional --set-cron
-          // step failed. Don't tell the user to re-run discovery — they already
-          // did. Tell them how to retry just the cron setup. discover schedule
-          // would install a discover-only cron, dropping the tool-bundle
-          // reinstall the user originally asked for, so the correct retry is
-          // re-running onboard with both keys.
-          const suffix = domainHintSuffix(discoveryDomain);
+          // step failed. Retry just the cron: under sudo the scheduled job is a
+          // discovery-only scan, so point at `discover --set-cron`; in user
+          // scope it re-runs the full onboard (the bundle reinstall is intended).
           console.error('  Setup and discovery completed successfully — only scheduled-run setup failed.');
-          console.error(`  Re-run cron setup with: unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> --set-cron${suffix}`);
-        } else if (setupSucceeded && !discoverySucceeded) {
-          const suffix = domainHintSuffix(discoveryDomain);
-          const retryCmd = `unbound discover --api-key <DISCOVERY_KEY>${suffix}`;
-          console.error('  Tool setup completed successfully — only discovery failed.');
-          if (opts.setCron) {
-            console.error(`  Re-run with: unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> --set-cron${suffix}`);
+          if (isMdm) {
+            console.error(`  Re-run just the scheduled scan with: sudo unbound discover --api-key <DISCOVERY_KEY> --set-cron${suffix}`);
           } else {
-            console.error(`  Re-run discovery only with: ${retryCmd}`);
+            console.error(`  Re-run cron setup with: unbound onboard --api-key <KEY> --discovery-key <DISCOVERY_KEY> --set-cron${suffix}`);
           }
+        } else if (setupSucceeded && !discoverySucceeded) {
+          console.error('  Tool setup completed successfully — only discovery failed.');
+          console.error(`  Re-run discovery only with: ${sudo}unbound discover --api-key <DISCOVERY_KEY>${suffix}`);
         }
         process.exitCode = 1;
       }
@@ -178,94 +217,6 @@ Examples:
         process.exitCode = 1;
       }
     });
-  // --- MDM onboard (separate top-level command, mirrors `unbound onboard`) ---
-  program
-    .command('onboard-mdm')
-    .description(
-      'One-step MDM onboarding: install the default MDM tool bundle and run device discovery. ' +
-      'Requires root. Used by organization admins to enroll devices via MDM.'
-    )
-    .option('--admin-api-key <key>', 'Admin API key for MDM enrollment (falls back to your stored `unbound login` key)')
-    .requiredOption('--discovery-key <key>', 'Discovery API key (for device scan)')
-    .option('--domain <url>', 'Backend URL for discovery (defaults to configured backend)')
-    .option('--backfill', 'Seed historical Claude Code / Codex / Copilot sessions from local transcripts into Unbound analytics (Cursor skipped automatically)')
-    .addOption(new Option('--backend-url <url>', 'Override backend URL for setup scripts (dev only)').hideHelp())
-    .addOption(new Option('--frontend-url <url>', 'Override frontend URL for setup scripts (dev only)').hideHelp())
-    .addOption(new Option('--gateway-url <url>', 'Override gateway URL for setup scripts (dev only)').hideHelp())
-    .addHelpText('after', `
-Runs the full MDM onboarding flow for device enrollment:
-  1. Installs the MDM tool bundle: ${MDM_ALL_TOOLS.join(', ')}.
-  2. Runs device discovery against all users on the device.
-Both steps require root. The admin API key and discovery API key are
-separate keys obtained from different parts of the Unbound admin dashboard.
---admin-api-key may be omitted to reuse the key stored by a prior
-\`unbound login\` (run sudo with HOME preserved so the stored key is found).
-For end-user onboarding (non-MDM), use \`unbound onboard\` instead.
-Examples:
-  $ sudo unbound onboard-mdm --admin-api-key <ADMIN_KEY> --discovery-key <DISCOVERY_KEY>
-  $ sudo unbound onboard-mdm --discovery-key <DISCOVERY_KEY>   Reuse the stored \`unbound login\` key
-  $ sudo unbound onboard-mdm --admin-api-key <ADMIN_KEY> --discovery-key <DISCOVERY_KEY> --backfill
-`)
-    .action(async (opts) => {
-      let setupSucceeded = false;
-      let discoveryDomain;
-      try {
-        // Persist URLs first, then login, then setup — order matters so this
-        // MDM run wires tools at the new tenant. Prefer just-written values
-        // over env-var-aware getters so a stale UNBOUND_*_URL can't shadow the
-        // user's explicit --*-url flag.
-        const written = config.setUrls({
-          backend: opts.backendUrl,
-          frontend: opts.frontendUrl,
-          gateway: opts.gatewayUrl,
-        });
-        const backendUrl = written.base_url || config.getBaseUrl();
-        const frontendUrl = written.frontend_url || config.getFrontendUrl();
-        const gatewayUrl = written.gateway_url || config.getGatewayUrl();
-        discoveryDomain = opts.domain || backendUrl;
-        checkRoot('onboard-mdm');
-        // Reuse the key stored by `unbound login` when --admin-api-key is omitted.
-        const adminApiKey = opts.adminApiKey || config.getApiKey();
-        if (!adminApiKey) {
-          output.error('--admin-api-key is required (or run `unbound login` first).');
-          process.exitCode = 1;
-          return;
-        }
-        console.log('');
-        output.info('Step 1/2: Installing MDM tool bundle');
-        const { ok, skipped } = await runMdmSetupAllBundle(adminApiKey, {
-          backendUrl, frontendUrl, gatewayUrl, backfill: !!opts.backfill,
-        });
-        if (!ok) return;
-        setupSucceeded = true;
-        console.log('');
-        output.info('Step 2/2: Running device discovery');
-        console.log('');
-        await runDiscoveryScan({ apiKey: opts.discoveryKey, domain: discoveryDomain });
-        console.log('');
-        output.success(skipped && skipped.length
-          ? 'MDM onboarding complete — tools managed by MDM were skipped (see above)'
-          : 'MDM onboarding complete');
-      } catch (err) {
-        if (!err.displayed) output.error(err.message);
-        if (setupSucceeded) {
-          const suffix = domainHintSuffix(discoveryDomain);
-          console.error('  MDM tool setup completed successfully — only discovery failed.');
-          console.error(`  Re-run discovery only with: sudo unbound discover --api-key <DISCOVERY_KEY>${suffix}`);
-        }
-        process.exitCode = 1;
-      }
-    });
 }
 module.exports = { register };