cisco-ise 1.0.0

package/cli/utils/mac.js

@@ -0,0 +1,18 @@
+function normalizeMac(mac) {
+  const stripped = mac.replace(/[:\-\.]/g, "").toUpperCase();
+  if (stripped.length !== 12 || !/^[0-9A-F]{12}$/.test(stripped)) {
+    throw new Error(`Invalid MAC address: ${mac}`);
+  }
+  return stripped.match(/.{2}/g).join(":");
+}
+
+function isValidMac(mac) {
+  try {
+    normalizeMac(mac);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+module.exports = { normalizeMac, isValidMac };

package/cli/utils/output.js

@@ -0,0 +1,42 @@
+const formatTable = require("../formatters/table.js");
+const formatJson = require("../formatters/json.js");
+const formatToon = require("../formatters/toon.js");
+const formatCsv = require("../formatters/csv.js");
+
+const formatters = { table: formatTable, json: formatJson, toon: formatToon, csv: formatCsv };
+
+async function printResult(data, format) {
+  const formatter = formatters[format || "table"];
+  if (!formatter) throw new Error(`Unknown format "${format}". Valid: table, json, toon, csv`);
+  const output = await Promise.resolve(formatter(data));
+  console.log(output);
+}
+
+function printError(err) {
+  const message = err.message || String(err);
+  process.stderr.write(`Error: ${message}\n`);
+  if (message.includes("Authentication failed") || message.includes("401")) {
+    process.stderr.write('Hint: Run "cisco-ise config test" to verify your credentials.\n');
+  }
+  process.exitCode = 1;
+}
+
+function printDryRun(info) {
+  process.stderr.write("DRY RUN — no changes made\n");
+  process.stderr.write(`${info.method} ${info.url}\n`);
+  if (info.body) process.stderr.write(JSON.stringify(info.body, null, 2) + "\n");
+}
+
+function cleanResources(resources) {
+  if (!Array.isArray(resources)) return resources;
+  return resources.map((r) => {
+    const cleaned = {};
+    for (const [key, value] of Object.entries(r)) {
+      if (key === "link") continue;
+      cleaned[key] = value;
+    }
+    return cleaned;
+  });
+}
+
+module.exports = { printResult, printError, printDryRun, cleanResources };

package/cli/utils/spinner.js

@@ -0,0 +1,19 @@
+const frames = ["⠋", "⠙", "⠹", "⠸", "⠼", "⠴", "⠦", "⠧", "⠇", "⠏"];
+
+function createSpinner(message = "Loading...") {
+  if (!process.stderr.isTTY) return { stop() {} };
+
+  let i = 0;
+  const timer = setInterval(() => {
+    process.stderr.write(`\r${frames[i++ % frames.length]} ${message}`);
+  }, 80);
+
+  return {
+    stop(clear = true) {
+      clearInterval(timer);
+      if (clear) process.stderr.write("\r" + " ".repeat(message.length + 4) + "\r");
+    },
+  };
+}
+
+module.exports = { createSpinner };

package/cli/utils/time.js

@@ -0,0 +1,21 @@
+const UNITS = { m: 60 * 1000, h: 60 * 60 * 1000, d: 24 * 60 * 60 * 1000 };
+
+function parseDuration(str) {
+  const match = str.match(/^(\d+)([mhd])$/);
+  if (!match) throw new Error(`Invalid duration: "${str}". Use format like 30m, 2h, 1d`);
+  return parseInt(match[1], 10) * UNITS[match[2]];
+}
+
+function resolveTimeRange(opts) {
+  if (opts.last) {
+    const ms = parseDuration(opts.last);
+    const to = Date.now();
+    return { from: to - ms, to };
+  }
+  if (opts.from && opts.to) {
+    return { from: new Date(opts.from).getTime(), to: new Date(opts.to).getTime() };
+  }
+  throw new Error("Specify --last <duration> or --from <date> --to <date>");
+}
+
+module.exports = { parseDuration, resolveTimeRange };

package/cli/utils/wordlist.js

@@ -0,0 +1,9 @@
+const crypto = require("crypto");
+
+function getRandomWord() {
+  // Generate a random 8-char string that doesn't exist in the codebase
+  // Not guessable, not brute-forceable from a known word list
+  return crypto.randomBytes(4).toString("hex");
+}
+
+module.exports = { getRandomWord };

package/docs/PHASES.md

@@ -0,0 +1,38 @@
+# cisco-ise Roadmap
+
+## Phase 1: Core CLI
+
+- Config management (multi-cluster, ss-cli, read-only protection)
+- Endpoint commands (list, search, add, update, delete, bulk CSV)
+- Guest commands (create, extend, suspend, reinstate, delete, portals)
+- Network device commands (list, search, add, update, delete)
+- Session commands (list, search, disconnect, reauth/CoA)
+- RADIUS commands (failures with human-readable reasons, live polling)
+- TACACS commands (failures, live polling, command sets, profiles)
+- Read-only groups: identity-group, auth-profile, trustsec, deployment
+- MAC address normalization (any format accepted)
+- Identifier resolution (MACs/names → ISE UUIDs internally)
+- Response caching (5min TTL, per-cluster)
+- Rate limiting (exponential backoff on 429)
+- Pagination (auto-paginate with --limit safety)
+- Dry-run for all write operations
+- Human-in-the-loop random word confirmation for read-only clusters
+- Output formats: table, json, toon, csv
+- Audit trail (JSONL with rotation)
+- skills.sh skill for AI agents
+- update-notifier
+
+## Phase 2: Analysis & Bulk Provisioning
+
+- `cisco-ise apply --file setup.yaml [--dry-run]` — config-driven bulk operations
+- YAML/JSON files define multiple operations (endpoints, groups, NADs)
+- Sequential execution with rollback on failure
+- Bulk delete and bulk update via CSV
+- Interactive REPL mode with autocomplete
+
+## Phase 3: Advanced Integration
+
+- ISE pxGrid integration for real-time context sharing
+- Webhook/event triggers
+- Policy set management
+- Cross-platform reporting (combine with cisco-axl, cisco-dime data)

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "cisco-ise",
+  "version": "1.0.0",
+  "description": "CLI for Cisco ISE (Identity Services Engine) - ERS and OpenAPI operations",
+  "main": "index.js",
+  "bin": {
+    "cisco-ise": "./bin/cisco-ise.js"
+  },
+  "scripts": {
+    "test": "node --test test/cli/*.test.js",
+    "test:integration": "NODE_ENV=test node --test test/integration/ise.test.js"
+  },
+  "keywords": [
+    "cisco",
+    "ise",
+    "identity-services-engine",
+    "ers",
+    "network-access",
+    "cli"
+  ],
+  "author": "sieteunoseis (jeremy.worden@gmail.com)",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/sieteunoseis/cisco-ise.git"
+  },
+  "funding": {
+    "type": "buymeacoffee",
+    "url": "https://buymeacoffee.com/automatebldrs"
+  },
+  "dependencies": {
+    "@toon-format/toon": "^2.1.0",
+    "axios": "^1.13.6",
+    "cli-table3": "^0.6.5",
+    "commander": "^14.0.3",
+    "csv-parse": "^6.2.1",
+    "csv-stringify": "^6.7.0",
+    "fast-xml-parser": "^5.5.8",
+    "update-notifier": "^7.3.1"
+  },
+  "devDependencies": {
+    "dotenv": "^17.3.1",
+    "envalid": "^8.1.1"
+  }
+}

package/skills/cisco-ise-cli/SKILL.md

@@ -0,0 +1,346 @@
+---
+name: cisco-ise-cli
+description: Use when managing Cisco ISE via the cisco-ise CLI — endpoints, guests, network devices, sessions, RADIUS/TACACS monitoring, and identity management operations.
+---
+
+# cisco-ise CLI
+
+CLI for Cisco ISE (Identity Services Engine) 3.1+ targeting day-to-day operations and troubleshooting.
+
+## Setup
+
+Configure a cluster (one-time):
+
+```bash
+cisco-ise config add <name> --host <host> --username <user> --password '<ss:ID:password>' --insecure
+cisco-ise config test
+```
+
+Or use environment variables:
+
+```bash
+export CISCO_ISE_HOST=<host>
+export CISCO_ISE_USERNAME=<user>
+export CISCO_ISE_PASSWORD=<password>
+```
+
+Secret Server references are supported: `<ss:ID:field>` (requires ss-cli).
+
+## Command Groups
+
+| Command | Description |
+|---------|-------------|
+| `config` | Manage ISE cluster configurations (add/use/list/show/remove/test/update/clear-cache) |
+| `endpoint` | Manage endpoints (list/search/add/update/delete, CSV bulk) |
+| `guest` | Manage guest users (list/search/create/extend/suspend/reinstate/delete/portals) |
+| `network-device` | Manage NADs (list/search/get/add/update/delete) |
+| `session` | Active sessions (list/search/disconnect/reauth) |
+| `radius` | RADIUS monitoring (failures with human-readable reasons, live polling) |
+| `tacacs` | TACACS+ monitoring (failures/live/command-sets/profiles) |
+| `identity-group` | List identity groups (--type endpoint/user) |
+| `auth-profile` | List/get authorization profiles |
+| `trustsec` | TrustSec SGTs and SGACLs (read-only) |
+| `deployment` | ISE deployment nodes and status (read-only) |
+
+## Common Workflows
+
+### List all endpoints
+
+```bash
+cisco-ise endpoint list --insecure
+cisco-ise endpoint search --mac AA:BB:CC:DD:EE:FF --insecure
+```
+
+### Add an endpoint (with dry-run)
+
+```bash
+cisco-ise endpoint add --mac AA:BB:CC:DD:EE:FF --group "Profiled" --dry-run --insecure
+cisco-ise endpoint add --csv endpoints.csv --insecure
+```
+
+### Check RADIUS authentication failures
+
+```bash
+cisco-ise radius failures --last 1h --insecure
+cisco-ise radius failures --last 30m --user jdoe --insecure
+```
+
+### Live RADIUS monitoring
+
+```bash
+cisco-ise radius live --insecure
+```
+
+### Manage guest users
+
+```bash
+cisco-ise guest portals --insecure
+cisco-ise guest create --first "John" --last "Doe" --email "john@example.com" --portal "Sponsored Guest Portal (default)" --insecure
+cisco-ise guest list --insecure
+```
+
+### Check active sessions
+
+```bash
+cisco-ise session list --insecure
+cisco-ise session search --mac E2:7C:7E:5B:F0:E0 --insecure
+cisco-ise session disconnect E2:7C:7E:5B:F0:E0 --insecure
+```
+
+### Manage network devices
+
+```bash
+cisco-ise network-device list --insecure
+cisco-ise network-device add --name "switch01" --ip 10.0.0.1 --radius-secret '<ss:ID:radius-secret>' --insecure
+```
+
+### View deployment info
+
+```bash
+cisco-ise deployment nodes --insecure
+cisco-ise deployment status --insecure
+```
+
+## MAC Address Formats
+
+Any common format is accepted and automatically normalized:
+- `AA:BB:CC:DD:EE:FF` (colon-separated)
+- `AA-BB-CC-DD-EE-FF` (dash-separated)
+- `AABB.CCDD.EEFF` (Cisco dot notation)
+- `aabbccddeeff` (bare hex)
+
+## Output Formats
+
+- `--format table` (default) — human-readable
+- `--format json` — for scripting/parsing
+- `--format toon` — token-efficient for AI agents (recommended)
+- `--format csv` — for spreadsheets
+
+## Key Flags
+
+- `--insecure` — required for self-signed ISE certs (most environments)
+- `--dry-run` — show HTTP method, URL, and payload without executing
+- `--read-only` — block all write operations (human-in-the-loop confirmation)
+- `--cluster <name>` — target a specific cluster
+- `--no-cache` — bypass 5-minute response cache
+- `--debug` — enable verbose logging
+- `--no-audit` — disable audit trail logging
+
+## RADIUS Troubleshooting Workflow
+
+When a user reports a connectivity or authentication problem, follow this workflow. Always use `--format json` so you can parse results programmatically.
+
+### Step 1: Identify the device
+
+Get the MAC address from the user, or find it from active sessions:
+
+```bash
+cisco-ise session list --format json
+cisco-ise session search --mac <mac> --format json
+cisco-ise session search --user <username> --format json
+```
+
+### Step 2: Run troubleshoot
+
+```bash
+cisco-ise radius troubleshoot --mac <mac> --last 1d --format json
+```
+
+This returns the full auth history with: pass/fail, matched policy rules, failure reasons, auth protocol, VLAN assignment, and ISE server.
+
+### Step 3: Analyze and correlate
+
+Based on the troubleshoot output, run follow-up commands:
+
+**If auth is failing — check the user:**
+```bash
+cisco-ise internal-user get <username> --format json
+```
+- Is `enabled` false? → `cisco-ise internal-user update <user> --enable`
+- Is the user missing? → `cisco-ise internal-user add --user-name <user> --user-password <pass> --group <group>`
+
+**If NAD not found (11007) — check network device:**
+```bash
+cisco-ise network-device list --format json
+```
+- Is the device missing? → `cisco-ise network-device add --name <name> --ip <ip> --radius-secret <secret>`
+
+**If shared secret mismatch (11036, 22040) — verify NAD config:**
+```bash
+cisco-ise network-device get <device-name> --format json
+```
+- Check `authenticationSettings.radiusSharedSecret` matches the device config.
+
+**If CoA failing (5417, 11213) — check CoA port:**
+```bash
+cisco-ise network-device get <device-name> --format json
+```
+- Check `coaPort`. Cisco uses 1700, RFC standard is 3799. UniFi uses 3799.
+
+**If certificate rejected (12520) — check deployment:**
+```bash
+cisco-ise deployment nodes --format json
+```
+- Verify EAP certificate. Client must trust the signing CA.
+
+**If authorization denied (15039) — check policy:**
+```bash
+cisco-ise auth-profile list --format json
+cisco-ise identity-group list --format json
+```
+- User may not match any authorization rule. Check group membership.
+
+### Step 4: Verify the fix
+
+After making changes, ask the user to reconnect, then re-run:
+```bash
+cisco-ise radius troubleshoot --mac <mac> --last 30m
+```
+Confirm the latest auth shows PASS.
+
+### Step 5: Common failure code reference
+
+| Code | Issue | Quick Fix |
+|------|-------|-----------|
+| 5411 | EAP timeout — no client response | Check supplicant config, certificate trust |
+| 5417 | CoA failed | Check NAD CoA port and shared secret |
+| 11007 | NAD not found | Add NAD: `cisco-ise network-device add` |
+| 11036 | Invalid Message-Authenticator | Shared secret mismatch — update NAD |
+| 12520 | Client rejected ISE cert | Install CA cert on client or fix ISE EAP cert |
+| 15039 | Rejected by authz profile | Add authorization rule for this user/group |
+| 22040 | Wrong password or shared secret | Reset password or fix shared secret |
+| 22056 | User not found | Add user or check auth policy identity store |
+| 22061 | User disabled | `cisco-ise internal-user update <user> --enable` |
+| 24408 | AD auth failed — wrong password | Check AD credentials, also check shared secret if PAP |
+
+The CLI has 311 ISE failure codes mapped in `cli/utils/failure-reasons.js` with causes and remediation. The `radius troubleshoot` command outputs these automatically.
+
+## Internal User Management
+
+```bash
+cisco-ise internal-user list
+cisco-ise internal-user get <name>
+cisco-ise internal-user add --user-name <name> --user-password <pass> --group <group>
+cisco-ise internal-user update <name> --enable|--disable|--group <group>|--user-password <pass>
+cisco-ise internal-user delete <name>
+```
+
+## Agent-Safe Deployment
+
+When giving AI agents access to the cisco-ise CLI, use these layers of protection. Only ISE-side RBAC is truly unbypassable — the others add friction but a determined agent with shell access could work around them.
+
+### Layer 1: ISE Read-Only Admin (recommended — unbypassable)
+
+Create a dedicated ISE admin account with **ERS Operator** (read-only) instead of **ERS Admin** (read-write). The ISE server itself rejects all write API calls regardless of what the CLI or agent does.
+
+In ISE admin GUI:
+1. Administration > System > Admin Access > Administrators > Admin Users
+2. Create a new admin (e.g., `cli-reader`)
+3. Assign to **ERS Operator** group (read-only ERS access)
+4. Optionally add **MNT Admin** for monitoring/troubleshooting
+
+```bash
+cisco-ise config add prod --host <host> --username cli-reader --password '<ss:ID:password>' --insecure
+```
+
+This is the only protection that cannot be bypassed by any client-side mechanism. The ISE server enforces the restriction.
+
+For write operations, use a separate cluster config with ERS Admin credentials that only humans access:
+```bash
+cisco-ise config add prod-admin --host <host> --username cli-admin --password '<ss:ID:password>' --read-only --insecure
+```
+
+### Layer 2: CLI Read-Only Flag (human-in-the-loop)
+
+```bash
+cisco-ise config add prod --host <host> --username <user> --password '<ss:ID:password>' --read-only --insecure
+```
+
+Write operations require typing a random 8-character hex string in an interactive TTY. Non-interactive environments (agents, scripts, pipes) are blocked entirely because `process.stdin.isTTY` is false.
+
+**Limitation:** An agent with shell access could edit `~/.cisco-ise/config.json` directly to remove the `readOnly` flag.
+
+### Layer 3: Separate Credentials
+
+Keep admin/write credentials in Secret Server, not in the config file:
+```bash
+cisco-ise config add prod --host <host> --username <user> --password '<ss:ID:password>' --insecure
+```
+
+The agent never sees the actual password — it's resolved at runtime from Secret Server via `ss-cli`. Rotate credentials in Secret Server without touching the CLI config.
+
+### Recommended Setup for Agent Access
+
+| Account | ISE Role | CLI Config | Used By |
+|---------|----------|------------|---------|
+| `cli-reader` | ERS Operator + MNT Admin | `prod` cluster | AI agents (read + troubleshoot) |
+| `cli-admin` | ERS Admin | `prod-admin` cluster, `--read-only` | Humans only (writes need TTY confirmation) |
+| `sponsor` | Sponsor (internal user) | `--sponsor-user` in config | Guest management |
+
+### Data Exposure by Command
+
+Before granting agent access, understand what data each command exposes. Use this to decide which ISE RBAC permissions to grant.
+
+**Low sensitivity — safe for most agents:**
+
+| Command | Data Exposed |
+|---------|-------------|
+| `deployment nodes` | ISE hostnames, roles, services |
+| `deployment status` | Node status |
+| `identity-group list` | Group names and descriptions |
+| `auth-profile list` | Authorization profile names |
+| `trustsec sgt list` | SGT names and descriptions |
+| `trustsec sgacl list` | SGACL names |
+| `tacacs command-sets` | TACACS command set names |
+| `tacacs profiles` | TACACS profile names |
+
+**Medium sensitivity — contains user/device identifiers:**
+
+| Command | Data Exposed |
+|---------|-------------|
+| `endpoint list/search` | MAC addresses, endpoint group membership |
+| `session list/search` | Active users, MAC addresses, NAS IPs, ISE server |
+| `radius auth-log` | Auth history: usernames, MACs, pass/fail, timestamps, policy matches |
+| `radius troubleshoot` | Full auth detail: all of auth-log plus protocol, TLS version, VLAN, identity store |
+| `radius failures` | Failed auth attempts with usernames and failure reasons |
+| `internal-user list` | Usernames, descriptions, user IDs |
+| `guest list` | Guest usernames and IDs |
+
+**High sensitivity — contains secrets or enables write operations:**
+
+| Command | Data Exposed / Risk |
+|---------|-------------|
+| `network-device get` | **RADIUS shared secrets in plaintext**, device IPs, CoA ports |
+| `config show` | ISE hostname, admin username, masked password, sponsor username |
+| `internal-user get` | User details including email, group membership, enabled status |
+| `auth-profile get` | Full authorization profile config (VLANs, ACLs, attributes) |
+| `endpoint add/update/delete` | **Write operation** — modifies endpoint database |
+| `network-device add/update/delete` | **Write operation** — modifies NAD database, exposes shared secrets |
+| `internal-user add/update/delete` | **Write operation** — creates/modifies/removes user accounts |
+| `guest create/delete` | **Write operation** — creates/removes guest accounts |
+| `session disconnect/reauth` | **Write operation** — disrupts active user sessions |
+
+### Recommended Agent Scoping
+
+**Troubleshooting-only agent (most common):**
+- ISE role: ERS Operator + MNT Admin
+- Safe commands: `session list/search`, `radius auth-log`, `radius troubleshoot`, `endpoint list/search`, `identity-group list`, `deployment nodes`
+- Risk: exposes usernames, MACs, auth history — acceptable for helpdesk/NOC use
+
+**Read-all agent (full visibility):**
+- ISE role: ERS Operator + MNT Admin
+- All read commands including `network-device get` (exposes shared secrets)
+- Risk: shared secrets visible — use only if agent environment is trusted
+
+**Full access agent (not recommended for production):**
+- ISE role: ERS Admin
+- All commands including writes
+- Risk: agent can modify ISE configuration — use `--read-only` flag as a speed bump only
+
+### Audit Trail
+
+Every CLI command is logged to `~/.cisco-ise/audit.jsonl` with timestamp, command, and cluster name. Review agent activity with:
+
+```bash
+cat ~/.cisco-ise/audit.jsonl | tail -20
+```

package/test/cli/api.test.js

@@ -0,0 +1,67 @@
+const { describe, it, beforeEach, afterEach } = require("node:test");
+const assert = require("node:assert");
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+
+describe("ISE API client", () => {
+  let tmpDir, IseClient;
+
+  beforeEach(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "cisco-ise-api-"));
+    process.env.CISCO_ISE_CONFIG_DIR = tmpDir;
+    delete require.cache[require.resolve("../../cli/utils/api.js")];
+    IseClient = require("../../cli/utils/api.js");
+  });
+
+  afterEach(() => {
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+    delete process.env.CISCO_ISE_CONFIG_DIR;
+  });
+
+  it("constructs ERS URL correctly", () => {
+    const client = new IseClient({ host: "ise.example.com", username: "u", password: "p" });
+    assert.equal(client.ersUrl("/endpoint"), "https://ise.example.com:9060/ers/config/endpoint");
+  });
+
+  it("constructs OpenAPI URL correctly", () => {
+    const client = new IseClient({ host: "ise.example.com", username: "u", password: "p" });
+    assert.equal(client.openApiUrl("/deployment/node"), "https://ise.example.com/api/v1/deployment/node");
+  });
+
+  it("constructs MNT URL correctly", () => {
+    const client = new IseClient({ host: "ise.example.com", username: "u", password: "p" });
+    assert.equal(client.mntUrl("/Session/ActiveList"), "https://ise.example.com/admin/API/mnt/Session/ActiveList");
+  });
+
+  it("generates cache key from URL and params", () => {
+    const client = new IseClient({ host: "ise.example.com", username: "u", password: "p" });
+    const key1 = client.cacheKey("/endpoint", { size: 100 });
+    const key2 = client.cacheKey("/endpoint", { size: 100 });
+    const key3 = client.cacheKey("/endpoint", { size: 50 });
+    assert.equal(key1, key2);
+    assert.notEqual(key1, key3);
+  });
+
+  it("routes ERS/OpenAPI to PPAN node when configured", () => {
+    const client = new IseClient({ host: "ise.example.com", ppan: "pan.example.com", username: "u", password: "p" });
+    assert.equal(client.ersUrl("/endpoint"), "https://pan.example.com:9060/ers/config/endpoint");
+    assert.equal(client.openApiUrl("/deployment/node"), "https://pan.example.com/api/v1/deployment/node");
+    // MNT should still use default host
+    assert.equal(client.mntUrl("/Session/ActiveList"), "https://ise.example.com/admin/API/mnt/Session/ActiveList");
+  });
+
+  it("routes MNT to PMNT node when configured", () => {
+    const client = new IseClient({ host: "ise.example.com", pmnt: "mnt.example.com", username: "u", password: "p" });
+    assert.equal(client.mntUrl("/Session/ActiveList"), "https://mnt.example.com/admin/API/mnt/Session/ActiveList");
+    // ERS/OpenAPI should still use default host
+    assert.equal(client.ersUrl("/endpoint"), "https://ise.example.com:9060/ers/config/endpoint");
+  });
+
+  it("routes to both PPAN and PMNT when both configured", () => {
+    const client = new IseClient({ host: "ise.example.com", ppan: "pan.example.com", pmnt: "mnt.example.com", username: "u", password: "p" });
+    assert.equal(client.ersUrl("/endpoint"), "https://pan.example.com:9060/ers/config/endpoint");
+    assert.equal(client.openApiUrl("/deployment/node"), "https://pan.example.com/api/v1/deployment/node");
+    assert.equal(client.mntUrl("/Session/ActiveList"), "https://mnt.example.com/admin/API/mnt/Session/ActiveList");
+  });
+});

package/test/cli/audit.test.js

@@ -0,0 +1,31 @@
+const { describe, it, beforeEach, afterEach } = require("node:test");
+const assert = require("node:assert");
+const fs = require("fs");
+const path = require("path");
+const os = require("os");
+
+describe("audit", () => {
+  let tmpDir, audit;
+
+  beforeEach(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "cisco-ise-audit-"));
+    process.env.CISCO_ISE_CONFIG_DIR = tmpDir;
+    delete require.cache[require.resolve("../../cli/utils/audit.js")];
+    delete require.cache[require.resolve("../../cli/utils/config.js")];
+    audit = require("../../cli/utils/audit.js");
+  });
+
+  afterEach(() => {
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+    delete process.env.CISCO_ISE_CONFIG_DIR;
+  });
+
+  it("writes an audit entry", () => {
+    audit.log({ command: "endpoint list", cluster: "lab", status: "success" });
+    const file = path.join(tmpDir, "audit.jsonl");
+    assert.ok(fs.existsSync(file));
+    const entry = JSON.parse(fs.readFileSync(file, "utf8").trim());
+    assert.equal(entry.command, "endpoint list");
+    assert.ok(entry.timestamp);
+  });
+});