unbound-cli 1.1.8 → 1.3.0

package/src/commands/setup.js

@@ -45,10 +45,10 @@ const MDM_TOOLS = {
   'codex-gateway':            { label: 'Codex (gateway)',            script: 'codex/gateway/mdm/setup.py' },
 };
 
-// Default MDM tools for `unbound onboard-mdm` (subscription mode for Claude Code/Codex since only one can be active)
+// Default MDM tools for `sudo unbound onboard` (subscription mode for Claude Code/Codex since only one can be active)
 const MDM_ALL_TOOLS = ['cursor', 'claude-code-subscription', 'gemini-cli', 'codex-subscription', 'copilot'];
 
-// Tools for `unbound setup mdm --all` — identical to MDM_ALL_TOOLS today; split kept for future flexibility.
+// Tools for `sudo unbound setup --all` — identical to MDM_ALL_TOOLS today; split kept for future flexibility.
 const MDM_SETUP_ALL_TOOLS = ['cursor', 'claude-code-subscription', 'gemini-cli', 'codex-subscription', 'copilot'];
 
 // Default tools for `unbound onboard` (Cursor, Claude Code hooks, Codex hooks, Copilot hooks; no Gemini CLI).
@@ -73,7 +73,7 @@ const SETUP_TOOL_MAP = {
  * bundle (one mode per tool, no Gemini CLI), but clearing must remove EVERY
  * tool Unbound can configure — both modes plus Gemini CLI — so a prior
  * gateway-mode or Gemini setup isn't silently left behind. Mirrors the
- * `setup mdm --all` split.
+ * MDM `--all` split.
  */
 function resolveSetupAllTools(clear) {
   return clear ? Object.keys(SETUP_TOOL_MAP) : [...SETUP_ALL_TOOLS];
@@ -338,18 +338,6 @@ function runScriptPiped(scriptPath, args) {
   });
 }
 
-/**
- * Checks that the process is running as root (macOS/Linux).
- * Windows admin check is handled by the Python MDM scripts themselves.
- * Pass a customized hint for the calling command (defaults to "setup mdm").
- */
-function checkRoot(commandHint = 'setup mdm') {
-  if (process.platform === 'win32') return;
-  if (typeof process.getuid !== 'function' || process.getuid() !== 0) {
-    throw new Error(`MDM setup requires root. Run with: sudo unbound ${commandHint} ...`);
-  }
-}
-
 /**
  * Returns true when the process has the privileges needed to touch system-level
  * (MDM) configuration. On Windows, `net session` succeeds only when elevated, so
@@ -455,9 +443,12 @@ function register(program) {
     .argument('[tools...]', 'Tools to set up')
     .description(
       'Configure AI coding tools to use Unbound as their API gateway. ' +
-      'Run with no arguments for interactive setup, or specify tools directly.'
+      'Run with no arguments for interactive setup, or specify tools directly. ' +
+      'Run with sudo to configure every user on the device (MDM/org scope); ' +
+      'without sudo, only the current user.'
     )
     .option('--api-key <key>', 'Authenticate with an API key (skips browser login)')
+    .addOption(new Option('--admin-api-key <key>', 'Alias for --api-key for MDM enrollment (back-compat)').hideHelp())
     .option('--clear', 'Remove Unbound configuration for the specified tools (no login or API key required)')
     .option('--subscription', 'Use subscription mode for Claude Code / Codex (hooks only)')
     .option('--gateway', 'Use gateway mode for Claude Code / Codex (Unbound as AI provider)')
@@ -467,6 +458,10 @@ function register(program) {
     .addOption(new Option('--frontend-url <url>', 'Override frontend URL for setup scripts (dev only)').hideHelp())
     .addOption(new Option('--gateway-url <url>', 'Override gateway URL for setup scripts (dev only)').hideHelp())
     .addHelpText('after', `
+Scope is chosen automatically from your privileges:
+  Run with sudo to configure every user on the device (MDM/org scope);
+  without sudo, only the current user is configured.
+
 Available tools:
   cursor                    Cursor IDE
   copilot                   GitHub Copilot
@@ -496,6 +491,11 @@ Examples:
   $ unbound setup --all                                    Set up the default bundle
   $ unbound setup --all --api-key <key>                    Login + set up the bundle
 
+  Configure all users on the device (MDM/org scope — run with sudo):
+  $ sudo unbound setup --all                               Configure all users (MDM)
+  $ sudo unbound setup cursor codex-subscription           Configure specific tools for all users
+  $ sudo unbound setup --clear --all                       Remove config for all users
+
   Seed historical sessions (Claude Code / Codex subscription mode + Copilot):
   $ unbound setup claude-code --subscription --backfill   Install hooks AND backfill local history
   $ unbound setup codex --subscription --backfill         Install hooks AND backfill local history
@@ -545,6 +545,95 @@ must update the MDM configuration.
         const frontendUrl = written.frontend_url || config.getFrontendUrl();
         const gatewayUrl = written.gateway_url || config.getGatewayUrl();
 
+        // Scope is auto-detected from privileges: with sudo/root we configure
+        // every user on the device (MDM scope); without it, just the current
+        // user. URLs were already persisted above and apply to both scopes.
+        const isMdm = hasRootPrivileges();
+        if (isMdm) {
+          const mdmToolNames = [...Object.keys(MDM_TOOLS), 'claude-code', 'codex'].join(', ');
+          const adminApiKey = opts.adminApiKey || opts.apiKey || config.getApiKey();
+          if (!opts.clear && !adminApiKey) {
+            output.error('--api-key is required to set up tools (or run `unbound login` first).');
+            process.exitCode = 1;
+            return;
+          }
+          if (opts.all && tools.length > 0) {
+            output.error('Cannot combine --all with specific tool names. Use one or the other.');
+            process.exitCode = 1;
+            return;
+          }
+          let toolNames;
+          if (opts.all) {
+            // --clear --all wipes every tool (both modes); setup --all uses the
+            // subscription-default bundle (can't enroll both modes at once).
+            toolNames = opts.clear ? Object.keys(MDM_TOOLS) : MDM_SETUP_ALL_TOOLS;
+          } else if (tools.length > 0) {
+            toolNames = tools;
+          } else {
+            output.error('Specify tools to set up, or use --all.');
+            console.error('  Available: ' + mdmToolNames);
+            process.exitCode = 1;
+            return;
+          }
+          // Bare claude-code/codex have no interactive mode prompt under MDM:
+          // --clear removes both modes; setup honors --gateway/--subscription
+          // (matching user scope) and defaults to subscription.
+          if (!opts.clear && opts.subscription && opts.gateway) {
+            output.error('Cannot use both --subscription and --gateway. Choose one.');
+            process.exitCode = 1;
+            return;
+          }
+          toolNames = [...new Set(toolNames.flatMap(name => {
+            const mode = MODE_TOOLS[name];
+            if (!mode) return [name];
+            if (opts.clear) return [mode.subscription, mode.gateway];
+            return opts.gateway ? [mode.gateway] : [mode.subscription];
+          }))];
+          const invalid = toolNames.filter(t => !MDM_TOOLS[t]);
+          if (invalid.length > 0) {
+            output.error(`Unknown tool(s): ${invalid.join(', ')}`);
+            console.error('  Available: ' + mdmToolNames);
+            process.exitCode = 1;
+            return;
+          }
+          if (!opts.clear) {
+            if (toolNames.includes('claude-code-subscription') && toolNames.includes('claude-code-gateway')) {
+              output.error('Cannot use both claude-code-subscription and claude-code-gateway. Choose one.');
+              process.exitCode = 1;
+              return;
+            }
+            if (toolNames.includes('codex-subscription') && toolNames.includes('codex-gateway')) {
+              output.error('Cannot use both codex-subscription and codex-gateway. Choose one.');
+              process.exitCode = 1;
+              return;
+            }
+          }
+          const resolvedTools = toolNames.map(name => ({ name, ...MDM_TOOLS[name] }));
+          console.log('');
+          if (opts.backfill) {
+            for (const tool of resolvedTools) {
+              if (!scriptSupportsBackfill(tool.script)) noteBackfillUnsupported(tool.label, tool.script);
+            }
+          }
+          const { ok } = await runBatch(
+            resolvedTools,
+            (tool) => {
+              const toolArgs = buildScriptArgs(adminApiKey, {
+                backendUrl,
+                frontendUrl,
+                gatewayUrl,
+                clear: opts.clear,
+                mdm: true,
+                backfill: opts.backfill && scriptSupportsBackfill(tool.script),
+              });
+              return runScriptPiped(tool.script, toolArgs);
+            },
+            { clear: opts.clear, summary: opts.clear ? 'All tools cleared' : 'All tools configured' }
+          );
+          if (!ok) return;
+          return;
+        }
+
         // Clearing config needs no credentials — the setup scripts remove
         // files without calling the API — so don't force a login for --clear.
         if (!opts.clear) {
@@ -747,169 +836,6 @@ must update the MDM configuration.
       }
     });
 
-  // --- MDM setup ---
-
-  // Bare claude-code/codex are accepted too: with --clear they remove both
-  // modes; for setup they default to subscription (MDM has no mode prompt).
-  const mdmToolNames = [...Object.keys(MDM_TOOLS), 'claude-code', 'codex'].join(', ');
-
-  setup
-    .command('mdm')
-    .description(
-      'MDM setup: configure all users on this device. Requires root. ' +
-      'Used by organization admins to enroll devices via MDM.'
-    )
-    .argument('[tools...]', 'Tools to set up: ' + mdmToolNames)
-    .option('--admin-api-key <key>', 'Admin API key for MDM enrollment (falls back to your stored `unbound login` key; not required with --clear)')
-    .option('--clear', 'Remove Unbound configuration for the specified tools (no API key required)')
-    .option('--all', 'Set up all available tools')
-    .option('--backfill', 'Seed historical Claude Code / Codex / Copilot sessions from local transcripts into Unbound analytics (subscription/hooks mode only; Cursor unsupported)')
-    .addHelpText('after', `
-Available tools:
-  cursor                    Cursor IDE
-  copilot                   GitHub Copilot
-  claude-code-subscription  Claude Code with your own subscription (hooks only)
-  claude-code-gateway       Claude Code with Unbound as AI provider
-  claude-code               Both Claude Code modes (clears both; sets up subscription)
-  gemini-cli                Gemini CLI
-  codex-subscription        Codex with your own subscription (hooks only)
-  codex-gateway             Codex with Unbound as AI provider
-  codex                     Both Codex modes (clears both; sets up subscription)
-
-Note: claude-code-subscription and claude-code-gateway are mutually exclusive when
-      setting up; same for codex. Bare claude-code/codex set up subscription mode.
-      When using --all, subscription mode is used by default for Claude Code and Codex.
-
-Setup examples (need an admin key — pass --admin-api-key, or omit it to reuse the
-key stored by a prior \`unbound login\`):
-  $ sudo unbound setup mdm --admin-api-key KEY cursor
-  $ sudo unbound setup mdm --admin-api-key KEY cursor claude-code-subscription codex-subscription
-  $ sudo unbound setup mdm --admin-api-key KEY --all
-  $ sudo unbound setup mdm --all                           Reuse the stored \`unbound login\` key
-  $ sudo unbound setup mdm --admin-api-key KEY claude-code-subscription --backfill
-                                                           Install hooks AND backfill local history
-  $ sudo unbound setup mdm --admin-api-key KEY copilot --backfill
-                                                           Install Copilot hooks AND backfill local history
-
-Clear examples (no API key required):
-  $ sudo unbound setup mdm --clear cursor
-  $ sudo unbound setup mdm --clear claude-code              Clears BOTH Claude Code modes
-  $ sudo unbound setup mdm --clear codex                    Clears BOTH Codex modes
-  $ sudo unbound setup mdm --clear --all                    Clears every tool
-`)
-    .action(async (tools, opts, command) => {
-      try {
-        checkRoot();
-        // --all and --clear are defined on both this command and the parent `setup` command;
-        // --backend-url, --frontend-url, --gateway-url are defined only on the parent `setup` command.
-        // Use optsWithGlobals() so they all work regardless of position relative to `mdm`.
-        const globalOpts = command.optsWithGlobals();
-        // Clearing removes config without calling the API, so a key is only
-        // required when actually enrolling tools. Fall back to the API key
-        // stored by `unbound login` so admins who are already logged in don't
-        // have to pass --admin-api-key again.
-        const adminApiKey = opts.adminApiKey || config.getApiKey();
-        if (!globalOpts.clear && !adminApiKey) {
-          output.error('--admin-api-key is required to set up tools (or run `unbound login` first).');
-          process.exitCode = 1;
-          return;
-        }
-        // Persist URLs first so this MDM run wires tools at the new tenant
-        // and any subsequent non-MDM command on the same machine inherits.
-        // Prefer just-persisted values over env-var-aware getters so a stale
-        // UNBOUND_*_URL can't shadow the explicit --*-url flag.
-        const written = config.setUrls({
-          backend: globalOpts.backendUrl,
-          frontend: globalOpts.frontendUrl,
-          gateway: globalOpts.gatewayUrl,
-        });
-        const backendUrl = written.base_url || config.getBaseUrl();
-        const frontendUrl = written.frontend_url || config.getFrontendUrl();
-        const gatewayUrl = written.gateway_url || config.getGatewayUrl();
-
-        if (globalOpts.all && tools.length > 0) {
-          output.error('Cannot combine --all with specific tool names. Use one or the other.');
-          process.exitCode = 1;
-          return;
-        }
-
-        let toolNames;
-        if (globalOpts.all) {
-          // --clear --all wipes every tool, including both Claude Code/Codex modes.
-          // Setup --all uses the subscription-default bundle (can't enroll both modes).
-          toolNames = globalOpts.clear ? Object.keys(MDM_TOOLS) : MDM_SETUP_ALL_TOOLS;
-        } else if (tools.length > 0) {
-          toolNames = tools;
-        } else {
-          output.error('Specify tools to set up, or use --all.');
-          console.error('  Available: ' + mdmToolNames);
-          process.exitCode = 1;
-          return;
-        }
-
-        // Expand bare claude-code/codex (MDM has no interactive mode prompt):
-        // --clear removes both modes; setup defaults to subscription, matching --all.
-        toolNames = [...new Set(toolNames.flatMap(name => {
-          const mode = MODE_TOOLS[name];
-          if (!mode) return [name];
-          return globalOpts.clear ? [mode.subscription, mode.gateway] : [mode.subscription];
-        }))];
-
-        const invalid = toolNames.filter(t => !MDM_TOOLS[t]);
-        if (invalid.length > 0) {
-          output.error(`Unknown tool(s): ${invalid.join(', ')}`);
-          console.error('  Available: ' + mdmToolNames);
-          process.exitCode = 1;
-          return;
-        }
-
-        // Mode mutual-exclusivity only applies when setting up — clearing both
-        // modes at once is valid (and is what bare claude-code/codex --clear does).
-        if (!globalOpts.clear) {
-          if (toolNames.includes('claude-code-subscription') && toolNames.includes('claude-code-gateway')) {
-            output.error('Cannot use both claude-code-subscription and claude-code-gateway. Choose one.');
-            process.exitCode = 1;
-            return;
-          }
-
-          if (toolNames.includes('codex-subscription') && toolNames.includes('codex-gateway')) {
-            output.error('Cannot use both codex-subscription and codex-gateway. Choose one.');
-            process.exitCode = 1;
-            return;
-          }
-        }
-
-        const resolvedTools = toolNames.map(name => ({ name, ...MDM_TOOLS[name] }));
-        console.log('');
-
-        if (globalOpts.backfill) {
-          for (const tool of resolvedTools) {
-            if (!scriptSupportsBackfill(tool.script)) noteBackfillUnsupported(tool.label, tool.script);
-          }
-        }
-
-        const { ok } = await runBatch(
-          resolvedTools,
-          (tool) => {
-            const toolArgs = buildScriptArgs(adminApiKey, {
-              backendUrl,
-              frontendUrl,
-              gatewayUrl,
-              clear: globalOpts.clear,
-              mdm: true,
-              backfill: globalOpts.backfill && scriptSupportsBackfill(tool.script),
-            });
-            return runScriptPiped(tool.script, toolArgs);
-          },
-          { clear: globalOpts.clear, summary: globalOpts.clear ? 'All tools cleared' : 'All tools configured' }
-        );
-        if (!ok) return;
-      } catch (err) {
-        output.error(err.message);
-        process.exitCode = 1;
-      }
-    });
-
   // --- Full uninstall ---
 
   program
@@ -1054,7 +980,7 @@ module.exports = {
   register,
   runSetupAllBundle,
   runMdmSetupAllBundle,
-  checkRoot,
+  hasRootPrivileges,
   ALL_TOOLS,
   MDM_ALL_TOOLS,
   buildScriptArgs,

package/src/commands/status.js

@@ -2,21 +2,36 @@ const config = require('../config');
 const api = require('../api');
 const output = require('../output');
 const { getDeviceSerial } = require('../device-serial');
+const { detectTools } = require('../toolHealth');
+
+function roleFromPrivileges(p) {
+  if (!p) return null;
+  if (p.is_admin) return 'Admin';
+  if (p.is_manager) return 'Manager';
+  if (p.is_member) return 'Member';
+  return 'Unknown';
+}
+
 
 function register(program) {
   program
     .command('status')
-    .description('Show the current CLI status including config location, login state, and API connectivity. Useful for debugging connection issues.')
+    .description('Show the current CLI status: config location, login state, role, connected tools, and API connectivity. Useful for debugging connection issues.')
     .addHelpText('after', `
 Output fields:
   Config file      - Path to the config file (~/.unbound/config.json)
   Logged in        - Whether credentials are stored (Yes/No)
   Email            - The authenticated user's email (if logged in)
   Organization     - The organization name (if logged in)
+  Role             - Admin / Manager / Member (if logged in)
   Backend URL      - REST API host (configurable for tenant deployments)
   Frontend URL     - Browser login host
   Gateway URL      - AI gateway host (used by tool setup)
   API status       - Connectivity check result (Connected / Error)
+  Connected tools  - AI tools wired through Unbound on this device, with mode
+
+For a deep per-tool health check (config, hook script, env wiring), run
+\`unbound doctor\`.
 
 Examples:
   $ unbound status
@@ -32,8 +47,8 @@ Examples:
           ['Logged in', loggedIn ? 'Yes' : 'No'],
         ];
 
-        // Check API connectivity
         let connectivity = 'Not checked (not logged in)';
+        let role = null;
         if (loggedIn) {
           const spin = output.spinner('Checking API connectivity...');
           try {
@@ -42,6 +57,7 @@ Examples:
               query: { device_serial: deviceSerial },
             });
             config.backfillUserInfo(privileges);
+            role = roleFromPrivileges(privileges);
             spin.stop();
             connectivity = 'Connected';
           } catch (err) {
@@ -52,12 +68,17 @@ Examples:
           const cfg = config.readConfig();
           pairs.push(['Email', cfg.email || '-']);
           pairs.push(['Organization', cfg.org_name || '-']);
+          pairs.push(['Role', role || '-']);
         }
         pairs.push(['Backend URL', config.getBaseUrl()]);
         pairs.push(['Frontend URL', config.getFrontendUrl()]);
         pairs.push(['Gateway URL', config.getGatewayUrl()]);
         pairs.push(['API status', connectivity]);
 
+        // Locally detected AI tools wired through Unbound, with their mode.
+        const connected = detectTools({ gatewayUrl: config.getGatewayUrl(), apiKey: config.getApiKey() })
+          .filter((t) => t.status !== 'not-installed');
+
         if (opts.json) {
           const cfg = loggedIn ? config.readConfig() : {};
           output.json({
@@ -65,15 +86,34 @@ Examples:
             logged_in: loggedIn,
             email: loggedIn ? (cfg.email || null) : null,
             organization: loggedIn ? (cfg.org_name || null) : null,
+            role: role,
             backend_url: config.getBaseUrl(),
             frontend_url: config.getFrontendUrl(),
             gateway_url: config.getGatewayUrl(),
             api_status: connectivity,
+            connected_tools: connected.map((t) => ({ tool: t.key, label: t.label, mode: t.mode, status: t.status })),
           });
           return;
         }
 
         output.keyValue(pairs);
+
+        console.log('');
+        output.info('Connected tools');
+        const C = output.colors;
+        if (connected.length === 0) {
+          console.log(`  ${C.dim('None set up yet.')} Run ${C.bold('unbound setup')} to wire a tool.`);
+        } else {
+          for (const t of connected) {
+            const mode = t.mode ? C.dim(` (${t.mode})`) : '';
+            let mark = C.green('✓');
+            let note = '';
+            if (t.status === 'tampered') { mark = C.red('✗'); note = C.dim(' — run `unbound doctor`'); }
+            else if (t.status === 'managed-by-mdm') { note = C.dim(' (managed by MDM)'); }
+            console.log(`  ${mark} ${t.label}${mode}${note}`);
+          }
+        }
+        console.log('');
       } catch (err) {
         output.error(err.message);
         process.exitCode = 1;

package/src/config.js

@@ -141,7 +141,7 @@ function isLoggedIn() {
  * Refreshes cached user identity (email, org_name) from a backend response.
  * Always overwrites when the response carries a non-empty value so that
  * switching tenants under the same API key (or rotating the key to a new org)
- * shows the correct organization in `whoami` / `status` instead of stale data.
+ * shows the correct organization in `status` instead of stale data.
  * Defensive: leaves an existing cached value untouched if the response field
  * is missing or empty, so a partial API response can't blank the local config.
  */

package/src/index.js

@@ -29,8 +29,8 @@ AUTHENTICATION
   $ unbound login --api-key <key>          Sign in with an API key (for CI/CD)
   $ unbound login --domain custom.co       Sign in via custom domain
   $ unbound logout                         Remove stored credentials
-  $ unbound whoami                         Show current user and organization
-  $ unbound status                         Show CLI status and API connectivity
+  $ unbound status                         Show CLI status, role, and connected tools
+  $ unbound doctor                         Diagnose per-tool health and API key
 
   Tenant deployments — pass URL flags on login; they persist to ~/.unbound/config.json:
   $ unbound login --api-key <YOUR_API_KEY> \\
@@ -44,9 +44,9 @@ AUTHENTICATION
   Or set URLs separately (any time):
   $ unbound config urls <gateway-url> <frontend-url> <backend-url>
 
-ONBOARDING (one-step install + discover)
-  $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>
-  $ sudo unbound onboard-mdm --admin-api-key <ADMIN_KEY> --discovery-key <DISCOVERY_KEY>
+ONBOARDING (one-step install + discover; scope auto-detected from sudo)
+  $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>         Current user
+  $ sudo unbound onboard --api-key <ADMIN_KEY> --discovery-key <DISCOVERY_KEY>   All users (MDM)
 
 TOOL SETUP
   $ unbound setup                          Select and install multiple tools interactively
@@ -85,11 +85,11 @@ TOOL SETUP
   $ sudo unbound nuke                      Wipe everything on the device (MDM + user)
   $ unbound nuke                           Wipe just your tools + credentials (no sudo)
 
-MDM SETUP (admin, requires root)
-  $ sudo unbound setup mdm --admin-api-key KEY --all
-  $ sudo unbound setup mdm --admin-api-key KEY cursor copilot codex-subscription
-  $ sudo unbound setup mdm --admin-api-key KEY claude-code-subscription codex-subscription gemini-cli
-  $ sudo unbound setup mdm --clear cursor codex-subscription   (no API key needed to clear)
+MDM SETUP (all users on the device — run setup with sudo)
+  $ sudo unbound setup --all --api-key KEY
+  $ sudo unbound setup cursor copilot codex-subscription --api-key KEY
+  $ sudo unbound setup claude-code-subscription codex-subscription gemini-cli --api-key KEY
+  $ sudo unbound setup --clear cursor codex-subscription       (no API key needed to clear)
 
 MDM AI TOOLS DISCOVERY
   --domain defaults to the configured backend URL (set via "unbound config set-backend-url")
@@ -178,8 +178,8 @@ LEARN MORE
 // Register all command modules
 require('./commands/login').register(program);
 require('./commands/logout').register(program);
-require('./commands/whoami').register(program);
 require('./commands/status').register(program);
+require('./commands/doctor').register(program);
 require('./commands/policy').register(program);
 require('./commands/users').register(program);
 require('./commands/user-groups').register(program);
@@ -241,7 +241,7 @@ Use this on a fresh install for tenant deployments. Positional order is fixed:
   2. <frontend-url>  — Frontend host (e.g. https://gateway.acme.com)
                        Used by the browser login flow.
   3. <backend-url>   — REST API host (e.g. https://backend.acme.com)
-                       All "unbound *" commands (whoami, status, policies, ...) hit this.
+                       All "unbound *" commands (status, doctor, policies, ...) hit this.
 
 Bare hostnames are accepted; "https://" is added automatically.
 The three values are written atomically to ~/.unbound/config.json.