unbound-cli 1.7.0 → 1.7.1

package/LOCAL_DEV.md

@@ -83,7 +83,7 @@ node src/index.js setup --backend-url http://localhost:8000 --frontend-url http:
 sudo node src/index.js setup --api-key <ADMIN_KEY> --all --backend-url http://localhost:8000 --frontend-url http://localhost:3000
 
 # Onboarding (combined setup + discover)
-node src/index.js onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> \
+node src/index.js onboard --api-key <USER_KEY> \
     --backend-url http://localhost:8000 --frontend-url http://localhost:3000
 sudo node src/index.js onboard --api-key <ADMIN_KEY> --discovery-key <DISCOVERY_KEY> \
     --backend-url http://localhost:8000 --frontend-url http://localhost:3000
@@ -183,8 +183,7 @@ node src/index.js setup --all
 node src/index.js setup --all --api-key <key>
 
 # Onboarding (one command: login + setup --all + discover)
-node src/index.js onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>
-sudo node src/index.js onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>
+node src/index.js onboard --api-key <USER_KEY>
 
 # MDM onboarding (admin device enrollment, requires root — MDM scope auto-detected from sudo)
 sudo node src/index.js onboard --api-key <ADMIN_KEY> --discovery-key <DISCOVERY_KEY>

package/README.md

@@ -37,7 +37,7 @@ For new users, the fastest path from install to a fully-configured device is the
 ```bash
 # End user
 npm install -g unbound-cli
-unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>
+unbound onboard --api-key <USER_KEY>
 
 # Admin enrolling a device via MDM (requires root)
 sudo unbound onboard --api-key <ADMIN_KEY> --discovery-key <DISCOVERY_KEY>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbound-cli",
-  "version": "1.7.0",
+  "version": "1.7.1",
   "description": "CLI tool for Unbound - AI Gateway management",
   "main": "src/index.js",
   "bin": {

package/src/commands/discover.js

@@ -199,7 +199,9 @@ Scans this device for installed AI coding tools (Cursor, Claude Code,
 Gemini CLI, Codex, Windsurf, Roo Code, Cline, GitHub Copilot, JetBrains,
 and more) and reports findings to the Unbound backend.
 
-The --api-key is a discovery-specific key (separate from login credentials).
+Which --api-key to use depends on scope:
+  - Single-user scan (no sudo): use your own user API key.
+  - All-users scan (sudo): use the org discovery key.
 The --domain defaults to the backend URL configured via "unbound config set-backend-url"
 (falls back to https://backend.getunbound.ai when unset).
 

package/src/commands/onboard.js

@@ -27,7 +27,7 @@ function register(program) {
     )
     .option('--api-key <key>', 'API key (user key, or admin key when run with sudo). Falls back to UNBOUND_API_KEY or a stored `unbound login` key)')
     .addOption(new Option('--admin-api-key <key>', 'Alias for --api-key (back-compat)').hideHelp())
-    .option('--discovery-key <key>', 'Discovery API key for device scan (or set UNBOUND_DISCOVERY_KEY)')
+    .option('--discovery-key <key>', 'Org discovery key for the device scan — required only under sudo (MDM/org scope); ignored for per-user onboarding (or set UNBOUND_DISCOVERY_KEY)')
     .option('--domain <url>', 'Backend URL for discovery (defaults to configured backend)')
     .option('--set-cron', 'Set up a daily background job to keep governance up to date (under sudo, schedules a discovery scan only — not a full tool re-install)')
     .option('--backfill', 'Seed historical Claude Code / Codex / Copilot sessions from local transcripts into Unbound analytics (Cursor skipped automatically)')
@@ -37,24 +37,27 @@ function register(program) {
     .addHelpText('after', `
 Runs the full onboarding flow, auto-detecting scope from your privileges:
   With sudo, installs the MDM tool bundle (${MDM_ALL_TOOLS.join(', ')}) and
-  scans all users on the device. Without sudo, installs the user bundle
-  (${ALL_TOOLS.join(', ')}) and scans the current user.
+  scans all users on the device using --discovery-key. Without sudo, installs
+  the user bundle (${ALL_TOOLS.join(', ')}) and scans the current user using
+  your own API key.
 
   1. Logs in / resolves the API key (or reuses a stored \`unbound login\` key
      when --api-key is omitted).
   2. Installs the tool bundle for the detected scope.
-  3. Runs device discovery with --discovery-key. With --set-cron, sets up a
-     recurring daily scheduled scan (cross-platform) instead of a one-time scan.
+  3. Runs device discovery. Per-user scope scans with your API key so the
+     device is attributed to you from the first report; sudo/MDM scope scans
+     all users with --discovery-key. With --set-cron, sets up a recurring daily
+     scheduled scan (cross-platform) instead of a one-time scan.
 
-The API key and discovery API key are separate keys obtained from different
-parts of the Unbound dashboard. Discovery uses its own key that is not stored
-in the CLI config.
+Per-user onboarding needs only your API key. The separate --discovery-key is
+required only under sudo (MDM/org enrollment), where the scan covers every user
+on the device and cannot be attributed from a single user's key.
 
 Examples:
-  $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>
+  $ unbound onboard --api-key <USER_KEY>
   $ sudo unbound onboard --api-key <ADMIN_KEY> --discovery-key <DISCOVERY_KEY>
-  $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> --backfill
-  $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY> --set-cron
+  $ unbound onboard --api-key <USER_KEY> --backfill
+  $ unbound onboard --api-key <USER_KEY> --set-cron
 `)
     .action(telemetry.wrapAction('onboard', async (opts) => {
       const apiKeyOpt = opts.apiKey || opts.adminApiKey || process.env.UNBOUND_API_KEY;
@@ -65,8 +68,12 @@ Examples:
       telemetry.rememberSecret(discoveryKeyOpt);
       const isMdm = hasRootPrivileges();
 
-      if (!discoveryKeyOpt) {
-        output.error('--discovery-key is required (or set UNBOUND_DISCOVERY_KEY env var)');
+      // MDM/org scope (sudo) scans every user on the device, so it still needs a
+      // dedicated org discovery key. Per-user scope scans only the current user
+      // and attributes the device via that user's own API key (see Step 2), so a
+      // separate discovery key is neither needed nor used.
+      if (isMdm && !discoveryKeyOpt) {
+        output.error('--discovery-key is required under sudo (MDM/org enrollment), or set UNBOUND_DISCOVERY_KEY env var');
         process.exitCode = 1;
         return;
       }
@@ -77,6 +84,13 @@ Examples:
         process.exitCode = 1;
         return;
       }
+      // Back-compat: --discovery-key used to be required for per-user onboarding.
+      // It is now ignored in user scope — the personal API key is used for the
+      // scan so the device is attributed to the user from the first report
+      // (WEB-4891). Warn rather than fail so existing scripts keep working.
+      if (!isMdm && discoveryKeyOpt) {
+        output.warn('--discovery-key is deprecated for per-user onboarding and is ignored; your API key is used for the device scan, so the device is attributed to you. You can drop --discovery-key (and unset UNBOUND_DISCOVERY_KEY if it is set in your environment).');
+      }
 
       let setupSucceeded = false;
       let discoverySucceeded = false;
@@ -148,7 +162,11 @@ Examples:
           console.log('');
           output.info('Step 2/2: Running device discovery');
           console.log('');
-          await runDiscoveryScan({ apiKey: discoveryKeyOpt, domain: discoveryDomain });
+          // Per-user scope: scan with the user's own API key so the backend
+          // attributes the device to them at ingestion. Using the org discovery
+          // key here leaves the device unattributed until a device->user mapping
+          // resolves later (WEB-4891).
+          await runDiscoveryScan({ apiKey, domain: discoveryDomain });
           discoverySucceeded = true;
           skippedTools = skipped;
         }
@@ -168,11 +186,12 @@ Examples:
               skipRunAtLoad: true,
             });
           } else {
+            // Per-user cron re-runs `unbound onboard`, which now scans with the
+            // user's own API key — no separate discovery key to store.
             output.info('Setting up daily scheduled run');
             await setupScheduledRun({
               command: 'onboard',
               apiKey: apiKeyOpt || config.getApiKey(),
-              discoveryKey: discoveryKeyOpt,
               domain: discoveryDomain,
               skipRunAtLoad: true,
             });
@@ -199,11 +218,15 @@ Examples:
           if (isMdm) {
             console.error(`  Re-run just the scheduled scan with: sudo unbound discover --api-key <DISCOVERY_KEY> --set-cron${suffix}`);
           } else {
-            console.error(`  Re-run cron setup with: unbound onboard --api-key <KEY> --discovery-key <DISCOVERY_KEY> --set-cron${suffix}`);
+            console.error(`  Re-run cron setup with: unbound onboard --api-key <KEY> --set-cron${suffix}`);
           }
         } else if (setupSucceeded && !discoverySucceeded) {
           console.error('  Tool setup completed successfully — only discovery failed.');
-          console.error(`  Re-run discovery only with: ${sudo}unbound discover --api-key <DISCOVERY_KEY>${suffix}`);
+          if (isMdm) {
+            console.error(`  Re-run discovery only with: sudo unbound discover --api-key <DISCOVERY_KEY>${suffix}`);
+          } else {
+            console.error(`  Re-run discovery only with: unbound discover --api-key <KEY>${suffix}`);
+          }
         }
         process.exitCode = 1;
       }

package/src/index.js

@@ -55,7 +55,7 @@ AUTHENTICATION
   $ unbound config urls <gateway-url> <frontend-url> <backend-url>
 
 ONBOARDING (one-step install + discover; scope auto-detected from sudo)
-  $ unbound onboard --api-key <USER_KEY> --discovery-key <DISCOVERY_KEY>         Current user
+  $ unbound onboard --api-key <USER_KEY>                                         Current user
   $ sudo unbound onboard --api-key <ADMIN_KEY> --discovery-key <DISCOVERY_KEY>   All users (MDM)
 
 TOOL SETUP

package/test/onboard-cron.test.js

@@ -100,7 +100,9 @@ test('onboard schedules via setupScheduledRun with command onboard', () => {
   );
 });
 
-test('onboard passes both apiKey and discoveryKey to setupScheduledRun', () => {
+// WEB-4891: per-user onboarding scans with the user's own API key, so the
+// per-user cron stores a single key — no separate discoveryKey.
+test('per-user onboard cron passes apiKey but NOT discoveryKey to setupScheduledRun', () => {
   const callIdx = onboardSrc.indexOf("command: 'onboard'");
   assert.notEqual(callIdx, -1, 'expected command: onboard call site in onboard.js');
   const open = onboardSrc.lastIndexOf('{', callIdx);
@@ -112,10 +114,31 @@ test('onboard passes both apiKey and discoveryKey to setupScheduledRun', () => {
   }
   const callArgs = onboardSrc.slice(open, close + 1);
   assert.ok(callArgs.includes('apiKey'), 'setupScheduledRun call must include apiKey');
-  assert.ok(callArgs.includes('discoveryKey'), 'setupScheduledRun call must include discoveryKey');
+  assert.ok(!callArgs.includes('discoveryKey'), 'per-user onboard cron must NOT pass a discoveryKey (single-key onboarding, WEB-4891)');
   assert.ok(!callArgs.toLowerCase().includes('backfill'), 'setupScheduledRun call must not include backfill');
 });
 
+// WEB-4891 core fix: the per-user discovery scan must run with the user's own
+// API key so the backend attributes the device to them at ingestion. Only the
+// MDM (sudo) branch — which scans every user and cannot be attributed from one
+// user's key — may scan with the org discovery key.
+test('per-user discovery scans with the user key; only MDM uses the discovery key', () => {
+  const userBranchStart = onboardSrc.indexOf('const apiKey = config.getApiKey();');
+  assert.notEqual(userBranchStart, -1, 'expected the per-user branch in onboard.js');
+  const userBranch = onboardSrc.slice(userBranchStart);
+  assert.match(
+    userBranch,
+    /runDiscoveryScan\(\{\s*apiKey\s*,/,
+    'per-user onboarding must scan with the user apiKey, not the org discovery key'
+  );
+  const discoveryKeyScans = (onboardSrc.match(/runDiscoveryScan\(\{\s*apiKey:\s*discoveryKeyOpt/g) || []).length;
+  assert.equal(
+    discoveryKeyScans,
+    1,
+    'exactly one runDiscoveryScan (the MDM branch) may use the org discovery key'
+  );
+});
+
 test('onboard imports setupScheduledRun from ../scheduled', () => {
   assert.match(
     onboardSrc,

package/test/onboard-scope.test.js

@@ -35,7 +35,7 @@ test('hasRootPrivileges: false when effective uid is not 0 (no sudo)', () => {
 // ---- 2. onboard routes by detected scope ----
 // Reloads the module graph with stubbed deps so we can observe which bundle
 // helper the single `onboard` command invokes.
-async function runOnboard(isRoot, { setCron = false } = {}) {
+async function runOnboard(isRoot, { setCron = false, discoveryKey = 'd' } = {}) {
   for (const m of [
     '../src/commands/onboard',
     '../src/commands/setup',
@@ -48,7 +48,7 @@ async function runOnboard(isRoot, { setCron = false } = {}) {
     delete require.cache[require.resolve(m)];
   }
 
-  const calls = { mdm: 0, user: 0, discovery: 0, loggedIn: 0, cron: null };
+  const calls = { mdm: 0, user: 0, discovery: 0, loggedIn: 0, cron: null, warns: [] };
   const setup = require('../src/commands/setup');
   const discover = require('../src/commands/discover');
   const auth = require('../src/auth');
@@ -59,7 +59,7 @@ async function runOnboard(isRoot, { setCron = false } = {}) {
   setup.hasRootPrivileges = () => isRoot;
   setup.runMdmSetupAllBundle = async () => { calls.mdm++; return { ok: true, skipped: [] }; };
   setup.runSetupAllBundle = async () => { calls.user++; return { ok: true, skipped: [] }; };
-  discover.runDiscoveryScan = async () => { calls.discovery++; };
+  discover.runDiscoveryScan = async (o) => { calls.discovery++; calls.discoveryArgs = o; };
   auth.ensureLoggedIn = async () => { calls.loggedIn++; };
   scheduled.setupScheduledRun = async (o) => { calls.cron = o; };
   config.setUrls = () => ({});
@@ -68,13 +68,15 @@ async function runOnboard(isRoot, { setCron = false } = {}) {
   config.getFrontendUrl = () => 'https://f.acme';
   config.getGatewayUrl = () => 'https://g.acme';
   config.isLoggedIn = () => true;
-  for (const k of ['info', 'success', 'error', 'warn']) output[k] = () => {};
+  for (const k of ['info', 'success', 'error']) output[k] = () => {};
+  output.warn = (m) => calls.warns.push(m);
 
   const { register } = require('../src/commands/onboard');
   const program = new Command();
   program.exitOverride();
   register(program);
-  const argv = ['node', 'unbound', 'onboard', '--api-key', 'k', '--discovery-key', 'd'];
+  const argv = ['node', 'unbound', 'onboard', '--api-key', 'k'];
+  if (discoveryKey) argv.push('--discovery-key', discoveryKey);
   if (setCron) argv.push('--set-cron');
   await program.parseAsync(argv);
   return calls;
@@ -86,6 +88,7 @@ test('onboard with sudo/root → installs the MDM bundle (all users), no login',
   assert.equal(calls.user, 0, 'user bundle NOT installed');
   assert.equal(calls.loggedIn, 0, 'MDM scope does not run ensureLoggedIn');
   assert.equal(calls.discovery, 1, 'discovery still runs');
+  assert.equal(calls.discoveryArgs.apiKey, 'd', 'MDM scope scans with the org discovery key');
 });
 
 test('onboard without sudo → logs in and installs the user bundle', async () => {
@@ -94,6 +97,9 @@ test('onboard without sudo → logs in and installs the user bundle', async () =
   assert.equal(calls.mdm, 0, 'MDM bundle NOT installed');
   assert.equal(calls.loggedIn, 1, 'user scope runs ensureLoggedIn');
   assert.equal(calls.discovery, 1, 'discovery still runs');
+  // WEB-4891: per-user scan uses the resolved user key, NOT the org discovery key.
+  assert.equal(calls.discoveryArgs.apiKey, 'resolved-key', 'user scope scans with the user API key');
+  assert.notEqual(calls.discoveryArgs.apiKey, 'd', 'user scope must NOT scan with the discovery key');
 });
 
 // --set-cron under sudo schedules discovery only (not a daily full MDM
@@ -110,5 +116,34 @@ test('onboard --set-cron without sudo → schedules the full onboard run', async
   const calls = await runOnboard(false, { setCron: true });
   assert.ok(calls.cron, 'a scheduled run was set up');
   assert.equal(calls.cron.command, 'onboard', 'user scope keeps the full onboard cron');
-  assert.equal(calls.cron.discoveryKey, 'd', 'discovery key forwarded for the onboard cron');
+  // WEB-4891: the per-user cron re-runs onboard, which scans with the user's own
+  // key — so the user key is stored and no separate discovery key is.
+  assert.equal(calls.cron.apiKey, 'k', 'per-user cron stores the user API key');
+  assert.equal(calls.cron.discoveryKey, undefined, 'per-user onboard cron no longer forwards a discovery key');
+});
+
+// WEB-4891: the clean per-user path passes NO --discovery-key. It must work
+// without error, scan with the user key, and emit no deprecation warning.
+test('onboard without sudo and without --discovery-key → clean single-key path', async () => {
+  const calls = await runOnboard(false, { discoveryKey: null });
+  assert.equal(calls.user, 1, 'user bundle installed');
+  assert.equal(calls.discovery, 1, 'discovery runs');
+  assert.equal(calls.discoveryArgs.apiKey, 'resolved-key', 'scans with the user API key');
+  assert.equal(
+    calls.warns.filter((w) => /discovery-key is deprecated/.test(w)).length,
+    0,
+    'no deprecation warning when --discovery-key is omitted',
+  );
+});
+
+// Passing --discovery-key in user scope is deprecated: it is ignored (the scan
+// still uses the user key) and exactly one deprecation warning is emitted.
+test('onboard without sudo WITH --discovery-key → ignored + deprecation warning', async () => {
+  const calls = await runOnboard(false, { discoveryKey: 'd' });
+  assert.equal(calls.discoveryArgs.apiKey, 'resolved-key', 'still scans with the user API key, not the discovery key');
+  assert.equal(
+    calls.warns.filter((w) => /discovery-key is deprecated/.test(w)).length,
+    1,
+    'emits exactly one deprecation warning',
+  );
 });