btps_client 1.0.0

data/lib/btps_client/api_requestor.rb

@@ -0,0 +1,143 @@
+# frozen_string_literal: true
+
+require 'typhoeus'
+require 'json'
+
+module BtpsClient
+  # Single-responsibility HTTP layer.
+  # Builds requests, executes via Typhoeus, retries on 429/5xx,
+  # and maps HTTP status codes to the SDK error hierarchy.
+  # Never logs request bodies or bearer tokens.
+  class ApiRequestor
+    ERROR_MAP = {
+      400 => InvalidRequestError,
+      401 => AuthenticationError,
+      403 => PermissionError,
+      404 => NotFoundError,
+      409 => ConflictError,
+      422 => ValidationError,
+      429 => RateLimitError
+    }.freeze
+
+    def initialize(config)
+      @config = config
+    end
+
+    # Performs an HTTP request with automatic retry on retriable errors.
+    #
+    # @param method  [Symbol]  :get, :post, :put, :delete
+    # @param path    [String]  path relative to base_url (leading slash optional)
+    # @param params  [Hash]    query-string parameters
+    # @param body    [Hash|String|nil]  request body
+    # @param opts    [Hash]    { headers: {}, multipart: bool, form_encoded: bool }
+    # @return        [Hash|Array|String|nil]  parsed response body
+    def request(method, path, params: {}, body: nil, opts: {})
+      url     = "#{@config.base_url}/#{path.to_s.sub(%r{^/}, '')}"
+      attempt = 0
+
+      begin
+        attempt += 1
+        log(:debug, "→ #{method.upcase} #{url}#{" params=#{params}" unless params.empty?}")
+        response = execute(method, url, build_headers(opts), params, body, opts)
+        log(:debug, "← #{response.code} (attempt #{attempt})")
+        if response.code.zero?
+          raise ApiError.new(
+            "Network error: #{response.return_message} (curl code #{response.return_code})",
+            http_status: 0, http_body: nil
+          )
+        end
+        handle_response(response)
+      rescue RateLimitError, ApiError => e
+        log(:warn, "Retriable error (attempt #{attempt}/#{@config.max_retries}): #{e.message}")
+        raise if attempt > @config.max_retries
+
+        sleep(backoff(attempt))
+        retry
+      end
+    end
+
+    private
+
+    def execute(method, url, headers, params, body, opts)
+      req_opts = {
+        method: method,
+        headers: headers,
+        ssl_verifypeer: @config.verify_ssl,
+        timeout: @config.timeout,
+        connecttimeout: @config.connect_timeout
+      }
+
+      req_opts[:params] = params unless params.nil? || params.empty?
+
+      if opts[:multipart]
+        req_opts[:body] = body
+      elsif opts[:form_encoded]
+        req_opts[:body]    = body
+        req_opts[:headers] = req_opts[:headers].merge('Content-Type' => 'application/x-www-form-urlencoded')
+      elsif !body.nil?
+        encoded_body       = body.is_a?(String) ? body : body.to_json
+        req_opts[:body]    = encoded_body
+        req_opts[:headers] = req_opts[:headers].merge('Content-Type' => 'application/json')
+      end
+
+      Typhoeus::Request.new(url, req_opts).run
+    end
+
+    def handle_response(response)
+      status     = response.code
+      body       = response.body
+      request_id = response.headers&.[]('X-Request-Id')
+
+      return parse_success_body(body) if status >= 200 && status < 300
+
+      raise_for_status(status, body, request_id)
+    end
+
+    def parse_success_body(body)
+      return nil if body.nil? || body.strip.empty?
+
+      JSON.parse(body)
+    rescue JSON::ParserError
+      body
+    end
+
+    def raise_for_status(status, body, request_id)
+      error_class = ERROR_MAP[status] || (status >= 500 ? ApiError : BtpsError)
+      log(:error, "HTTP #{status} (request_id=#{request_id}): #{body}")
+      raise error_class.new(parse_error_message(body), http_status: status, http_body: body, request_id: request_id)
+    end
+
+    def parse_error_message(body)
+      return nil if body.nil? || body.strip.empty?
+
+      parsed = JSON.parse(body)
+      extract_error_message(parsed)
+    rescue JSON::ParserError
+      body
+    end
+
+    def extract_error_message(parsed)
+      return parsed.to_s unless parsed.is_a?(Hash)
+
+      parsed['message'] || parsed['Message'] || parsed['error'] || parsed.to_s
+    end
+
+    def build_headers(opts = {})
+      headers = {
+        'Accept' => 'application/json',
+        'User-Agent' => "btps_client/#{BtpsClient::VERSION} Ruby/#{RUBY_VERSION}"
+      }
+      headers['Authorization'] = "Bearer #{@config.access_token}" if @config.access_token
+      headers.merge(opts.fetch(:headers, {}))
+    end
+
+    def backoff(attempt)
+      base = [(2**(attempt - 1)) * 0.5, 32].min
+      base * (0.5 + (rand * 0.5)) # jitter: randomise between 50% and 100% of base
+    end
+
+    def log(level, message)
+      @config.logger&.public_send(level, "[BtpsClient] #{message}")
+    end
+  end
+end

data/lib/btps_client/api_resource.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module BtpsClient
+  # Abstract marker for all API resource classes.
+  # Subclasses declare their base path with the `resource_path` class macro
+  # and extend only the operation mixins that correspond to real API endpoints.
+  class ApiResource < BtpsObject
+    # Class macro — call once per subclass to set the URL path segment.
+    #   resource_path 'secrets-safe/folders'
+    def self.resource_path(path = nil)
+      return @resource_path = path if path
+
+      @resource_path || raise(NotImplementedError, "#{name} must declare resource_path")
+    end
+
+    # Returns the full collection URL, or the member URL when an id is given.
+    def self.resource_url(id = nil)
+      id ? "#{resource_path}/#{id}" : resource_path
+    end
+
+    # Class macro — declares validation constraints inline on each resource.
+    # The block is evaluated inside a SchemaBuilder instance:
+    #
+    #   param_schema :create do
+    #     required 'Name', type: :string, min_length: 1, max_length: 256
+    #     optional 'Description', type: :string, max_length: 256
+    #   end
+    #
+    # Calling param_schema with the same operation again overwrites the
+    # previous schema for that class.
+    def self.param_schema(operation, &block)
+      @param_schemas ||= {}
+      builder = SchemaBuilder.new
+      builder.instance_eval(&block)
+      @param_schemas[operation.to_sym] = builder.to_h
+    end
+
+    # Returns the schema Hash registered for +operation+, or nil when none
+    # has been declared (meaning validation is skipped for that operation).
+    def self.schema_for(operation)
+      @param_schemas ||= {}
+      @param_schemas[operation.to_sym]
+    end
+  end
+end

data/lib/btps_client/btps_object.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module BtpsClient
+  # Immutable base class for all deserialized API responses.
+  # Converts PascalCase JSON keys into snake_case Ruby reader methods.
+  # Instances are frozen after initialization — no mutations allowed.
+  class BtpsObject
+    attr_reader :raw_response
+
+    # Ruby built-in method names that must never be overwritten.
+    # API keys that snake_case to any of these are accessible via #[] instead.
+    RESERVED_METHODS = (BasicObject.instance_methods | Object.instance_methods)
+                       .map(&:to_s).freeze
+
+    def initialize(data = {})
+      data = {} if data.nil?
+      @raw_response = data.dup.freeze
+
+      data.each_key do |key|
+        attr_name = snake_case(key.to_s)
+        next if RESERVED_METHODS.include?(attr_name)
+
+        val = sanitize(data[key])
+        # Define per-instance readers via the singleton class so different
+        # instances with different keys do not pollute each other's class.
+        singleton_class.define_method(attr_name) { val }
+      end
+
+      freeze
+    end
+
+    # Fetch any field by its original API key name (string or symbol).
+    # Useful for fields whose snake_case name collides with a Ruby built-in
+    # (e.g. 'ObjectId' → 'object_id') and therefore have no reader method.
+    def [](key)
+      @raw_response[key.to_s] || @raw_response[key.to_sym]
+    end
+
+    private
+
+    # Converts PascalCase / camelCase key strings into snake_case.
+    def snake_case(str)
+      str
+        .gsub(/([A-Z]+)([A-Z][a-z])/, '\1_\2')
+        .gsub(/([a-z\d])([A-Z])/, '\1_\2')
+        .downcase
+    end
+
+    # Recursively wraps nested hashes as BtpsObjects and freezes arrays.
+    def sanitize(value)
+      case value
+      when Hash  then BtpsObject.new(value)
+      when Array then value.map { |v| v.is_a?(Hash) ? BtpsObject.new(v) : v }.freeze
+      else            value
+      end
+    end
+  end
+end

data/lib/btps_client/client.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module BtpsClient
+  # User-facing entry point. Instantiate with per-client config overrides
+  # or rely on the global BtpsClient.configure block.
+  class Client
+    def initialize(**opts)
+      base    = BtpsClient.configuration.to_h
+      @config = Configuration.new(base.merge(opts))
+    end
+
+    # Returns the SecretsSafeService aggregator (folders / safes / secrets).
+    def secrets_safe
+      @secrets_safe ||= Services::SecretsSafeService.new(@config)
+    end
+
+    # Returns the AuthService for sign-in, sign-out, and OAuth token acquisition.
+    def auth
+      @auth ||= Services::AuthService.new(@config)
+    end
+
+    # Returns the ManagedAccountsService.
+    def managed_accounts
+      @managed_accounts ||= Services::ManagedAccountsService.new(@config)
+    end
+
+    # Returns the RequestsService.
+    def requests
+      @requests ||= Services::RequestsService.new(@config)
+    end
+
+    # Returns the CredentialsService.
+    def credentials
+      @credentials ||= Services::CredentialsService.new(@config)
+    end
+  end
+end

data/lib/btps_client/configuration.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module BtpsClient
+  # Holds all SDK configuration.
+  # Build via BtpsClient.configure block or pass overrides to Configuration.new.
+  # Per-client overrides can be passed to Client.new — each Client gets its own
+  # Configuration copy so changes to one do not affect others.
+  class Configuration
+    DEFAULTS = {
+      scheme: 'https',
+      host: nil,
+      port: nil,
+      base_path: 'api/public/v3',
+      verify_ssl: true,
+      timeout: 30,
+      connect_timeout: 10,
+      max_retries: 3,
+      logger: nil
+    }.freeze
+
+    ALLOWED_ATTRS = DEFAULTS.keys.freeze
+
+    attr_accessor :access_token, :client_id, :client_secret
+    attr_reader(*ALLOWED_ATTRS)
+
+    def initialize(overrides = {})
+      overrides = overrides.transform_keys(&:to_sym)
+      invalid   = overrides.keys - ALLOWED_ATTRS - %i[access_token client_id client_secret]
+      raise ArgumentError, "Unknown configuration keys: #{invalid.join(', ')}" unless invalid.empty?
+
+      ALLOWED_ATTRS.each do |key|
+        instance_variable_set(:"@#{key}", overrides.fetch(key, DEFAULTS[key]))
+      end
+
+      @access_token  = overrides[:access_token]  || ENV.fetch('BTPS_ACCESS_TOKEN',  nil)
+      @client_id     = overrides[:client_id]     || ENV.fetch('BTPS_CLIENT_ID',     nil)
+      @client_secret = overrides[:client_secret] || ENV.fetch('BTPS_CLIENT_SECRET', nil)
+    end
+
+    # Setters for use inside BtpsClient.configure { |c| c.host = '...' }
+    ALLOWED_ATTRS.each do |attr|
+      define_method(:"#{attr}=") { |val| instance_variable_set(:"@#{attr}", val) }
+    end
+
+    # Builds the full base URL used by ApiRequestor.
+    def base_url
+      port_segment = port ? ":#{port}" : ''
+      "#{scheme}://#{host}#{port_segment}/#{base_path}"
+    end
+
+    # Returns a safe string representation — credentials are redacted so this
+    # is safe to appear in logs, exception messages, and IRB sessions.
+    def inspect
+      attrs = ALLOWED_ATTRS.map { |k| "#{k}=#{public_send(k).inspect}" }
+      attrs << "access_token=#{@access_token ? '[REDACTED]' : 'nil'}"
+      attrs << "client_id=#{@client_id ? '[REDACTED]' : 'nil'}"
+      attrs << "client_secret=#{@client_secret ? '[REDACTED]' : 'nil'}"
+      "#<#{self.class} #{attrs.join(', ')}>"
+    end
+
+    # Returns all settings as a plain Hash — used by Client to merge global config
+    # with per-instance overrides.
+    def to_h
+      hash = ALLOWED_ATTRS.to_h { |key| [key, public_send(key)] }
+      hash[:access_token]  = @access_token
+      hash[:client_id]     = @client_id
+      hash[:client_secret] = @client_secret
+      hash
+    end
+  end
+end

data/lib/btps_client/errors.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module BtpsClient
+  # Base class for all SDK errors. Carries HTTP context without leaking credentials.
+  class BtpsError < StandardError
+    attr_reader :http_status, :http_body, :request_id
+
+    def initialize(message = nil, http_status: nil, http_body: nil, request_id: nil)
+      super(message)
+      @http_status = http_status
+      @http_body   = http_body
+      @request_id  = request_id
+    end
+  end
+
+  # HTTP 400
+  class InvalidRequestError < BtpsError; end
+
+  # HTTP 401
+  class AuthenticationError < BtpsError; end
+
+  # HTTP 403
+  class PermissionError < BtpsError; end
+
+  # HTTP 404
+  class NotFoundError < BtpsError; end
+
+  # HTTP 409
+  class ConflictError < BtpsError; end
+
+  # HTTP 422
+  class ValidationError < BtpsError; end
+
+  # HTTP 429
+  class RateLimitError < BtpsError; end
+
+  # HTTP 5xx
+  class ApiError < BtpsError; end
+end

data/lib/btps_client/resources/credential.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+module BtpsClient
+  module Resources
+    # Swagger tag: Credentials
+    # Endpoints:
+    #   GET  /credentials/{requestId}                                   — retrieve password by request
+    #   PUT  /credentials                                               — update credentials (bulk)
+    #   GET  /managedaccounts/{managedAccountID}/credentials            — get current credentials
+    #   PUT  /managedaccounts/{managedAccountID}/credentials            — set/update credentials
+    #   POST /managedaccounts/{managedAccountID}/credentials/test       — test credentials on system
+    #   POST /managedaccounts/{managedAccountID}/credentials/change     — trigger live rotation
+    class Credential < ApiResource
+      resource_path 'credentials'
+
+      # Update schema — maps to CredentialsUpdateModel (all optional)
+      param_schema :update do
+        optional 'Password',     type: :string,  nullable: true
+        optional 'Credentials',  type: :string,  nullable: true
+        optional 'PublicKey',    type: :string,  nullable: true
+        optional 'PrivateKey',   type: :string,  nullable: true
+        optional 'Passphrase',   type: :string,  nullable: true
+        optional 'UpdateSystem', type: :boolean, nullable: true
+      end
+
+      # Change schema — maps to CredentialsChangeModel (all optional)
+      param_schema :change do
+        optional 'Password',     type: :string,  nullable: true
+        optional 'Credentials',  type: :string,  nullable: true
+        optional 'PublicKey',    type: :string,  nullable: true
+        optional 'PrivateKey',   type: :string,  nullable: true
+        optional 'Passphrase',   type: :string,  nullable: true
+        optional 'UpdateSystem', type: :boolean, nullable: true
+        optional 'Queue',        type: :boolean, nullable: true
+      end
+
+      # ── Request-scoped retrieve ────────────────────────────────────────────────
+
+      # GET /credentials/{requestId}
+      # Returns the password/credential for an active request as a BtpsObject with .value.
+      def self.retrieve_by_request(request_id, config: BtpsClient.config)
+        requestor = ApiRequestor.new(config)
+        data      = requestor.request(:get, "#{resource_path}/#{request_id}")
+        BtpsObject.new('value' => data)
+      end
+
+      # ── Global (bulk) update ───────────────────────────────────────────────────
+
+      # PUT /credentials
+      # Updates credentials in bulk (not scoped to a specific managed account).
+      def self.update_global(params, config: BtpsClient.config)
+        Validator.validate!(schema_for(:update), params)
+        requestor = ApiRequestor.new(config)
+        requestor.request(:put, resource_path, body: params)
+        true
+      end
+
+      # ── Account-scoped methods ────────────────────────────────────────────────
+
+      # GET /managedaccounts/{managedAccountID}/credentials
+      # Retrieves current credentials for a managed account (returns BtpsObject with .value).
+      def self.retrieve_for_account(managed_account_id, params = {}, config: BtpsClient.config)
+        requestor = ApiRequestor.new(config)
+        data      = requestor.request(:get, "managedaccounts/#{managed_account_id}/credentials",
+                                      params: params)
+        BtpsObject.new('value' => data)
+      end
+
+      # PUT /managedaccounts/{managedAccountID}/credentials
+      # Sets or updates the stored credentials for a managed account.
+      def self.update_for_account(managed_account_id, params, config: BtpsClient.config)
+        Validator.validate!(schema_for(:update), params)
+        requestor = ApiRequestor.new(config)
+        requestor.request(:put, "managedaccounts/#{managed_account_id}/credentials", body: params)
+        true
+      end
+
+      # POST /managedaccounts/{managedAccountID}/credentials/test
+      # Tests whether the stored credentials succeed on the target system.
+      def self.test_for_account(managed_account_id, config: BtpsClient.config)
+        requestor = ApiRequestor.new(config)
+        data      = requestor.request(:post, "managedaccounts/#{managed_account_id}/credentials/test")
+        data ? BtpsObject.new(data) : true
+      end
+
+      # POST /managedaccounts/{managedAccountID}/credentials/change
+      # Triggers a live credential rotation on the target system.
+      def self.change_for_account(managed_account_id, params = {}, config: BtpsClient.config)
+        Validator.validate!(schema_for(:change), params)
+        requestor = ApiRequestor.new(config)
+        body      = params.empty? ? nil : params
+        requestor.request(:post, "managedaccounts/#{managed_account_id}/credentials/change",
+                          body: body)
+        true
+      end
+    end
+  end
+end

data/lib/btps_client/resources/folder.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module BtpsClient
+  module Resources
+    # Swagger tag: Secrets Safe Folders
+    # Endpoints: GET/POST /secrets-safe/folders
+    #            GET/PUT/DELETE /secrets-safe/folders/{folderId}
+    #            PUT /secrets-safe/folders/{folderId}/move
+    class Folder < ApiResource
+      resource_path 'secrets-safe/folders'
+
+      extend ApiOperations::Listable      # GET  /secrets-safe/folders
+      extend ApiOperations::Retrievable   # GET  /secrets-safe/folders/{folderId}
+      extend ApiOperations::Creatable     # POST /secrets-safe/folders
+      extend ApiOperations::Updatable     # PUT  /secrets-safe/folders/{folderId}
+      extend ApiOperations::Deletable     # DELETE /secrets-safe/folders/{folderId}
+      extend ApiOperations::Movable       # PUT  /secrets-safe/folders/{folderId}/move
+
+      param_schema :create do
+        required 'Name',        type: :string, min_length: 1, max_length: 256
+        optional 'Description', type: :string, max_length: 256, nullable: true
+        optional 'ParentId',    type: :string, format: :uuid, nullable: true
+      end
+
+      param_schema :update do
+        required 'Name',        type: :string, min_length: 1
+        optional 'Description', type: :string, max_length: 256, nullable: true
+      end
+
+      param_schema :move do
+        required 'DestinationFolderId', type: :string, format: :uuid
+        required 'DuplicateNameAction', type: :string, values: %w[Rename Replace Abort]
+      end
+    end
+  end
+end

data/lib/btps_client/resources/managed_account.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+module BtpsClient
+  module Resources
+    # Swagger tag: Managed Accounts
+    # Endpoints:
+    #   GET    /managedaccounts                                              — list requestable accounts
+    #   GET    /managedaccounts/{id}                                        — get by ID
+    #   PUT    /managedaccounts/{id}                                        — update
+    #   DELETE /managedaccounts/{id}                                        — delete
+    #   GET    /managedsystems/{managedSystemID}/managedaccounts            — list by managed system
+    #   POST   /managedsystems/{managedSystemID}/managedaccounts            — create in managed system
+    #   DELETE /managedsystems/{managedSystemID}/managedaccounts            — delete all in system
+    #   DELETE /managedsystems/{managedSystemID}/managedaccounts/{name}     — delete by system + name
+    #   GET    /smartrules/{smartRuleID}/managedaccounts                    — list by smart rule
+    class ManagedAccount < ApiResource
+      resource_path 'managedaccounts'
+
+      extend ApiOperations::Listable       # GET    /managedaccounts
+      extend ApiOperations::Retrievable    # GET    /managedaccounts/{id}
+      extend ApiOperations::Updatable      # PUT    /managedaccounts/{id}
+      extend ApiOperations::Deletable      # DELETE /managedaccounts/{id}
+      extend ApiOperations::NestedListable # list_for(parent_path, parent_id)
+
+      # Create schema — AccountName required, all others from ManagedAccountAddUpdateModel
+      param_schema :create do
+        required 'AccountName',        type: :string,  max_length: 245
+        optional 'Password',           type: :string,  max_length: 128,  nullable: true
+        optional 'Description',        type: :string,  max_length: 1024, nullable: true
+        optional 'ApiEnabled',         type: :boolean, nullable: true
+        optional 'PasswordRuleID',     type: :integer, nullable: true
+        optional 'ReleaseDuration',    type: :integer, minimum: 1, maximum: 525_600
+        optional 'MaxReleaseDuration', type: :integer, minimum: 1, maximum: 525_600
+        optional 'ISAReleaseDuration', type: :integer, minimum: 1, maximum: 525_600
+        optional 'AutoManagementFlag', type: :boolean, nullable: true
+        optional 'ChangeFrequencyType', type: :string, values: %w[first last xdays], nullable: true
+        optional 'ChangeFrequencyDays', type: :integer, minimum: 1, maximum: 999
+      end
+
+      # Update schema — all optional for PUT /managedaccounts/{id}
+      param_schema :update do
+        optional 'AccountName',        type: :string,  max_length: 245,  nullable: true
+        optional 'Password',           type: :string,  max_length: 128,  nullable: true
+        optional 'Description',        type: :string,  max_length: 1024, nullable: true
+        optional 'ApiEnabled',         type: :boolean, nullable: true
+        optional 'PasswordRuleID',     type: :integer, nullable: true
+        optional 'ReleaseDuration',    type: :integer, minimum: 1, maximum: 525_600
+        optional 'MaxReleaseDuration', type: :integer, minimum: 1, maximum: 525_600
+        optional 'ISAReleaseDuration', type: :integer, minimum: 1, maximum: 525_600
+        optional 'AutoManagementFlag', type: :boolean, nullable: true
+        optional 'ChangeFrequencyType', type: :string, values: %w[first last xdays], nullable: true
+        optional 'ChangeFrequencyDays', type: :integer, minimum: 1, maximum: 999
+      end
+
+      # ── Managed System-scoped methods ──────────────────────────────────────────
+
+      # GET /managedsystems/{managedSystemID}/managedaccounts
+      # Lists all managed accounts for a specific managed system.
+      def self.list_by_system(system_id, params = {}, config: BtpsClient.config)
+        list_for('managedsystems', system_id, params: params, config: config)
+      end
+
+      # POST /managedsystems/{managedSystemID}/managedaccounts
+      # Creates a managed account within the given managed system.
+      def self.create_in_system(system_id, params, config: BtpsClient.config)
+        Validator.validate!(schema_for(:create), params)
+        requestor = ApiRequestor.new(config)
+        data      = requestor.request(:post, "managedsystems/#{system_id}/managedaccounts", body: params)
+        new(data)
+      end
+
+      # DELETE /managedsystems/{managedSystemID}/managedaccounts
+      # Deletes ALL managed accounts within the given managed system.
+      def self.delete_all_in_system(system_id, config: BtpsClient.config)
+        requestor = ApiRequestor.new(config)
+        requestor.request(:delete, "managedsystems/#{system_id}/managedaccounts")
+        true
+      end
+
+      # DELETE /managedsystems/{managedSystemID}/managedaccounts/{accountName}
+      # Deletes a specific account by managed system ID and account name.
+      def self.delete_by_system_and_name(system_id, account_name, config: BtpsClient.config)
+        requestor = ApiRequestor.new(config)
+        requestor.request(:delete, "managedsystems/#{system_id}/managedaccounts/#{account_name}")
+        true
+      end
+
+      # ── Smart Rule-scoped method ────────────────────────────────────────────────
+
+      # GET /smartrules/{smartRuleID}/managedaccounts
+      # Lists all managed accounts matching a smart rule.
+      def self.list_by_smart_rule(smart_rule_id, params = {}, config: BtpsClient.config)
+        list_for('smartrules', smart_rule_id, params: params, config: config)
+      end
+    end
+  end
+end