bc-cli 0.2.0__tar.gz → 0.4.0__tar.gz

{bc_cli-0.2.0 → bc_cli-0.4.0}/.gitignore

@@ -33,3 +33,6 @@ PRD-*.md
 TODOS.md
 bcapi_cli_prd.md
 .planning/
+
+# Codex CLI session metadata — local-only, not part of the repo
+.context/

{bc_cli-0.2.0 → bc_cli-0.4.0}/AGENTS.md

@@ -161,6 +161,106 @@ user, don't loop.
 
 ---
 
+## Mutation result envelope — read this, not stdout
+
+For real writes (not dry-run), pass `--result-out PATH` (or
+`--result-fd N` on Unix harnesses) and parse the JSON envelope written
+there. The envelope is the canonical record of what happened — stdout
+is for human consumers; agents shouldn't scrape it.
+
+```bash
+bcli --profile p post vendors --data '{"...": "..."}' --result-out /tmp/r.json
+# then jq < /tmp/r.json
+```
+
+The envelope is an 18-field JSON object: `invocation_id`,
+`tool_version`, `profile`, `environment`, `company`, `method`,
+`endpoint`, `resolved_url`, `record_id`, `dry_run`, `status`
+(`succeeded` / `failed`), `exit_code`, `bc_correlation_id`,
+`telemetry_event_id`, `audit_log_offset`, `started_at`,
+`duration_ms`, plus `version` of the envelope schema. Atomic write
+(tmp + `os.replace` + `fsync`) — the file appears whole or not at all.
+
+**Failed envelopes** keep the same shape with `status="failed"`,
+`exit_code` per the taxonomy below, and `bc_correlation_id` set when
+BC returned one. Use it to diagnose without scraping a Python
+traceback off stderr.
+
+For `bcli batch run`, the envelope's `record_id` IS the ledger run id.
+Pivot from there to `bcli batch state <run-id>` for per-step detail.
+
+## Batch operation state
+
+`bcli batch run` writes a durable SQLite ledger that survives SIGKILL.
+Three new commands let you inspect and undo runs:
+
+```bash
+bcli batch list --format json                  # recent runs, newest first
+bcli batch state <run-id> --format json        # per-step detail for one run
+bcli batch rollback <run-id> --dry-run         # preview undo
+bcli batch rollback <run-id>                   # apply undo (POST→DELETE only)
+```
+
+`bcli batch list` filters with `--state STATE` (`completed`, `failed`,
+`partially_committed`, `rolled_back`, `running`, `cancelled`). Use
+`partially_committed` to find runs that died mid-way — those are where
+ledger-based recovery is worth the cost.
+
+Rollback issues `DELETE` for committed POSTs only. PATCH and DELETE
+steps are marked `rollback_skipped` because there's no clean inverse
+without a pre-image snapshot. `disable_writes` profiles refuse rollback
+outright (no `--yes` bypass) — that's by design.
+
+## Exit code taxonomy
+
+Don't treat all non-zero as "generic error." The taxonomy is
+documented in `bcli describe`'s `exit_codes` field:
+
+| Code | Meaning |
+|---|---|
+| 0 | success |
+| 1 | generic crash / unhandled exception |
+| 2 | usage error (bad flag, missing arg) |
+| 3 | auth (token expired, login required) |
+| 4 | not found (endpoint, record, profile) |
+| 5 | validation (filter, param schema) |
+| 6 | remote 4xx (BC rejected the request) |
+| 7 | remote 5xx (BC server error) |
+| 8 | policy refusal (`disable_writes` triggered without `--yes`) |
+
+Key off the specific code. Exit `8` means "the profile is read-only";
+prompting for `--yes` and retrying is the right move. Exit `3` means
+"run `bcli auth login --profile X`." Exit `1` is the only one that
+warrants "report to user and stop."
+
+## Idempotency keys for retries
+
+For mutations you might retry, pass `--idempotency-key K`. The IETF
+`Idempotency-Key` HTTP header goes out on the first call so any
+gateway-level dedup applies; subsequent retries within the same `bcli
+batch run` short-circuit through the ledger (no second HTTP, no
+duplicate row).
+
+```bash
+KEY=$(uuidgen)
+bcli post vendors --data '{"...":"..."}' --idempotency-key "$KEY" --result-out r.json
+# If you need to retry, reuse the same KEY — same-run replay is safe.
+```
+
+Inside a batch YAML, declare per-step:
+
+```yaml
+steps:
+  - name: create_vendor
+    action: post
+    endpoint: vendors
+    idempotency_key: "${{ params.vendor_no }}-2026Q2"
+    body: { ... }
+```
+
+Cross-run replay is deferred (would mean scanning every ledger DB); the
+header is sent on every retry so gateway-level dedup remains in play.
+
 ## Dry-run before writes
 
 Before any `post` / `patch` / `delete` / `attach upload`, run with `--dry-run`
@@ -226,15 +326,26 @@ on, and the CLI exit code is the answer when it's off.
 
 If the user has mounted `bcli-mcp` (see [`docs/mcp-server.md`](docs/mcp-server.md)),
 prefer those tools — they collapse discovery + query into single calls
-with structured results:
-
-- `list_endpoints()` — full registry as JSON
-- `describe_endpoint(name, discover_fields=True)` — metadata + field
-  discovery in one call
-- `query(endpoint, filter, ...)` — the same as `bcli get`, but typed
+with structured results. As of 0.4.0 the MCP server generates 23 tools
+dynamically from `bcli describe`, including five new mutating verbs
+(`bcli_post`, `bcli_patch`, `bcli_delete`, `bcli_attach_upload`,
+`bcli_batch_run`) that internally pass `--result-out` and return the
+envelope as the tool result.
+
+**Tool names match the CLI command path** (`bcli_get`,
+`bcli_endpoint_list`, `bcli_endpoint_info`, `bcli_endpoint_fields`,
+`bcli_company_list`, …). The pre-0.4.0 names (`query`,
+`list_endpoints`, `describe_endpoint`, `list_companies`) are gone — see
+the migration table in [`docs/mcp-server.md`](docs/mcp-server.md) if
+your client config references the old names.
+
+For mutating tools, a `status="failed"` envelope surfaces as MCP
+`ToolError` with the BC correlation id quoted in the error message —
+you don't need to read the envelope separately for failures.
 
 The CLI recipes above still work fine if the MCP server isn't
-available; this is purely an "if you've got it, use it" optimization.
+available; the MCP tools are an "if you've got them, use them"
+optimization.
 
 ---
 

bc_cli-0.4.0/CHANGELOG.md

@@ -0,0 +1,458 @@
+# Changelog
+
+All notable changes to this project are documented here.
+
+The format is loosely based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [0.4.0] — 2026-05-18 — Agent Interface Profile v0.1
+
+The Agent Interface Profile (AIP) v0.1 lands: a small kernel of CLI
+primitives that any agent runtime can drive deterministically, without
+parallel schemas or hand-written MCP tools.
+
+### Added
+
+- **`bcli describe --format json`** — canonical machine-readable
+  projection of the live Typer surface + endpoint registry + active
+  profile. One command MCP, completions, and docs all consume; new CLI
+  commands light up automatically. Cached at
+  `~/.config/bcli/describe/<profile>.<hash>.json` with mtime
+  invalidation. Subtree mode (`bcli describe get`, `bcli describe batch
+  run`) returns narrow output for token-constrained agents. Includes
+  forward-compat declarations: `emits_result_envelope`,
+  `emits_operation_state`, `requires_confirmation: "production"`, plus
+  the new `exit_codes` taxonomy and per-command `positionals` /
+  `required` / `limits` extensions.
+- **Mutation result envelope (`--result-out PATH` / `--result-fd N`)**
+  on every mutating verb (`post`, `patch`, `delete`, `attach upload`,
+  `batch run`). Frozen 18-field JSON envelope written atomically
+  (`os.replace` + `fsync`); contains profile, environment, company,
+  method, endpoint, resolved URL, record id, status, exit code, BC
+  correlation id, started_at, duration_ms. Failed envelopes carry the
+  exit code (4 = not found, 6 = remote 4xx, 7 = remote 5xx, 8 = policy
+  refusal, etc.) so an agent can read it side-channel and act without
+  scraping stdout. For `batch run` the envelope's `record_id` is the
+  ledger run id — pivot directly to `bcli batch state <run-id>` for
+  per-step detail.
+- **Batch operation ledger (SQLite)** — one
+  `~/.config/bcli/batch/<run-id>.db` per `bcli batch run` invocation.
+  WAL + `synchronous=NORMAL`, intent row written before each HTTP call
+  (survives SIGKILL); outcome row after. Derived run state
+  distinguishes `partially_committed` from a stale `running` stamp. New
+  commands: `bcli batch state <run-id>`, `bcli batch list [--state
+  STATE] [--limit N]`, `bcli batch rollback <run-id> [--dry-run]
+  [--yes]`. Rollback issues `DELETE` for committed POSTs only; PATCH /
+  DELETE marked `rollback_skipped` (no clean inverse without pre-image
+  snapshots). `disable_writes` is a hard refusal on rollback (no
+  `--yes` bypass).
+- **Exit code taxonomy** — `bcli.exit_codes` defines 0/1/2/3/4/5/6/7/8
+  with short labels; `bcli describe` projects the map; centralized
+  error handler maps `BCLIError` subclasses (`AuthError → 3`,
+  `RegistryError → 4`, `ValidationError → 5`, `ConfigError → 2`,
+  `SafetyError → 8`).
+- **"Did you mean" remediation hints** on `BCLIError` paths: auth →
+  `Run 'bcli auth login --profile X'`, config (no profiles) →
+  `Run 'bcli config init'`, config (unknown profile) → fuzzy match,
+  registry (no fuzzy) → `Run 'bcli registry import …'`.
+- **JSON on pipe by default** — when stdout isn't a TTY and no
+  `--format` was passed, emit JSON. Pipelines, redirects, CI steps,
+  agent runtimes all get the canonical machine-readable shape with no
+  flag dance. The `CLAUDECODE` and `BCLI_AGENT` env hints keep their
+  markdown semantics (explicit user opt-in); legacy Windows console
+  host stays on markdown for the mojibake reason. `BCLI_FORMAT` and
+  explicit `--format` always win.
+- **`--idempotency-key KEY`** on `post`, `patch`, `delete`, `attach
+  upload`. IETF `Idempotency-Key` HTTP header sent on the first call
+  (gateway-level dedup remains in play). Same-run replay protection in
+  `bcli batch run`: if two mutating steps share an `idempotency_key:`
+  in the YAML, the second is replayed (no second HTTP, no duplicate
+  ledger row), and the result entry carries `prior_seq`,
+  `prior_step_id`, `prior_bc_correlation_id`. Ledger schema migrates
+  v1 → v2 non-destructively via `ALTER TABLE step ADD COLUMN
+  idempotency_key`.
+- **Progress events (`--progress-fd N`)** on `bcli batch run` and
+  `bcli extract run`. JSON-lines `step_started` / `step_completed`
+  written to a dedicated fd (separate from `--result-fd`). Stderr
+  stays human-readable; the fd channel is structured and stable for
+  agents to demux. Replayed steps emit a synthetic pair with
+  `status="replayed"` so the progress stream tells the truth.
+- **23 dynamically-generated MCP tools** in `bcli_mcp` (was 4
+  hand-written). Server subprocesses `bcli describe` once on startup
+  and registers one tool per command; new CLI commands light up as
+  MCP tools automatically. Five new mutating tools (`bcli_post`,
+  `bcli_patch`, `bcli_delete`, `bcli_attach_upload`, `bcli_batch_run`)
+  pass `--result-out` and return the envelope as their tool result.
+  `status="failed"` envelopes surface as MCP `ToolError` with the BC
+  correlation id quoted.
+- **`AsyncBCClient.delete_url(url, *, etag="*")`** — new SDK method
+  for absolute-URL deletes (used by the rollback path; avoids
+  re-resolving the registry at undo time).
+- **`bcli skill install`** — generates `.claude/commands/bcli-<name>.md`
+  per saved query and per batch template (`~/.config/bcli/batches/
+  <profile>/*.yaml`). Generates a top-level
+  `.claude/skills/bcli/SKILL.md` index grouped by `categories:`.
+  SHA-256 content hash embedded in the provenance comment for
+  byte-stable idempotency — no `generated_at` timestamp, so re-runs on
+  unchanged sources are mtime-preserving no-ops. `manual: true` in a
+  file's YAML frontmatter protects it from regeneration. `--dry-run`
+  previews; `--target` resolves to explicit path > CWD with `.claude/`
+  > `$HOME`. Stdlib only — no jinja2; atomic writes via
+  `tempfile.mkstemp` + `os.replace`.
+- **`bcli skill init`** — interactive wizard that reads `bcli describe
+  --format json` via subprocess, runs 4 Rich prompts (role / top-three
+  daily questions / slash-command style / generate-new-queries y/N),
+  fuzzy-matches existing saved queries against the top-three free
+  text (stdlib `difflib`), and proposes new role-tailored queries via
+  entry-point providers — each with a per-query `[y/N]` approval gate.
+  Generates `~/.claude/skills/bcli-<user>/SKILL.md` with YAML
+  provenance frontmatter. Atomic commit phase: snapshots existing
+  content, writes all targets, restores on first failure. Guardrails
+  via `_assert_writable` restrict writes to `~/.config/bcli/queries/`,
+  `~/.claude/skills/bcli-<user>/`, and `~/.config/bcli/skills/`;
+  symlink-safe via `Path.resolve(strict=False)` + `is_relative_to`.
+- **`bcli skill update`** — idempotent re-run via state cache at
+  `~/.config/bcli/skills/.last-init.json`. The cache persists both
+  the interview answers AND the approved-query bodies so a later
+  `--non-interactive` replay re-writes the same queries verbatim
+  (without re-asking the operator). Describe-payload-hash mismatch
+  refuses silent replay and asks for a re-interview when the describe
+  surface changed under the user's feet.
+- **Saved-query YAML schema extension** — three additive fields
+  (`description`, `categories`, `args`). Existing saved-query bundles
+  without these still work: when `args:` is omitted, `bcli skill
+  install` derives it from `params:` keys (required first, optional
+  second, both in YAML insertion order). Documented in
+  `docs/saved-queries.md`'s new "Slash-command projection" section.
+- **Entry-point group `bcli.skill_init.role_templates`** — OSS bcli
+  ships with an opinion-free default proposer (returns `[]` for every
+  role). Downstream packages plug in role templates by registering
+  callables under this entry-point group via standard Python
+  packaging. Discovered at wizard time via
+  `importlib.metadata.entry_points`. The provider signature is
+  `(interview, payload) -> list[ProposedQuery]`; downstream
+  integrators publish their own integration documentation.
+
+### Changed
+
+- **Policy refusal exit code 1 → 8.** Scripts that grep `if exit==1`
+  for "the read-only profile blocked me" need updating. Agents
+  consuming `bcli describe`'s new `exit_codes` field pick up the new
+  code automatically.
+- **MCP tool renames** (breaking for existing MCP clients — Claude
+  Desktop, MCP Inspector configs referencing the old names need an
+  update):
+  - `query` → `bcli_get`
+  - `list_endpoints` → `bcli_endpoint_list`
+  - `describe_endpoint` → `bcli_endpoint_info` (with
+    `bcli_endpoint_fields` split out for field discovery)
+  - `list_companies` → `bcli_company_list`
+
+  Migration table in `docs/mcp-server.md`. Tool names now consistently
+  match the CLI command path.
+- **MCP `bcli_get --top` cap remains 50 default / 1000 max** — parity
+  with the pre-rewrite hand-written `query` tool. CLI shell users can
+  still pass `--top 100000` directly; the cap is enforced only at the
+  MCP schema level (advisory for agent runtimes).
+- **Stderr routing for `bcli batch run` metadata** — the ledger path
+  and run id print to stderr, not stdout. Stdout matches legacy batch
+  output byte-for-byte (required by the additive constraint).
+
+### Fixed
+
+- **Clean SIGPIPE handling for piped output** — `bcli <cmd> | head`,
+  `| grep -m 1`, and similar pipe-truncating consumers now terminate
+  the CLI silently, matching `cat` and `grep` conventions, instead of
+  emitting a `BrokenPipeError: [Errno 32] Broken pipe` traceback at
+  interpreter shutdown. Implemented as a new `bcli_cli.app:main`
+  console-script entry point that installs `SIGPIPE -> SIG_DFL` on
+  POSIX with a `BrokenPipeError` safety net for Windows.
+- **Hyphenated saved-query param names** — the workflow template
+  resolver now accepts hyphens in identifiers, so references like
+  `${{ params.vendor-no }}` substitute correctly. Previously the regex
+  matched only `[\w.]`, silently leaving the literal `${{ … }}` token
+  in the rendered filter (BC then 400'd or, worse, returned mismatched
+  rows). Affects both `bcli q` saved queries and `bcli batch`
+  workflows.
+
+### Breaking changes
+
+The two items above (exit code 1→8 + MCP tool renames) are intentional
+breaking changes called out in the AIP plan. Both have one-line
+migration paths. Skill install / skill init / skill update are
+additive — no breaking changes from the Skills layer.
+
+### Deferred to v0.5
+
+- **Cross-run idempotency replay** — would require scanning every
+  `*.db` in `~/.config/bcli/batch/` on each mutating call. Same-run
+  protection covers the agent-retry case which is the common one;
+  gateway-level Idempotency-Key dedup covers the rest.
+- **`batch run --idempotency-key`** as a run-level flag — collides
+  across multiple mutating steps. Per-step `idempotency_key:` in the
+  batch YAML is the correct surface.
+- **`telemetry_event_id` / `audit_log_offset` on the envelope** —
+  currently always `null`. Wiring requires extending the
+  `TelemetrySink` and audit protocols to return the emitted event id /
+  log offset, touching every backend including the optional Azure
+  Monitor extra.
+- **Plan-token binding for single mutations** — `batch run --plan-out`
+  works; `bcli post --plan-out` does not. Defer until requested.
+- **Direct FastMCP schema-introspection test** — the `__signature__`
+  patch is indirectly covered via tool-list registration tests; a
+  future FastMCP upgrade could silently degrade tool input schemas
+  without breaking tests.
+- **Etag capture in ledger** — rollback DELETEs use `etag="*"`. A
+  future concurrent edit between POST and rollback could clobber.
+- **CWD-relative batch template discovery** for `bcli skill install` —
+  today only `~/.config/bcli/batches/<profile>/*.yaml` is scanned;
+  project-local batches in `./batches/` would also be useful for the
+  per-project `.claude/` workflow.
+- **SKILL.md frontmatter `generated_at` churn cleanup** — the
+  timestamp ticks forward on every `bcli skill update
+  --non-interactive` replay, so the frontmatter changes even when the
+  body is byte-stable. Idempotency tests compare body-only; downstream
+  content-hash watchers would see noise. Cosmetic.
+- **`bcli skill update` separated from `init`** — today
+  `update_command` delegates to `init_command(...)` verbatim.
+  Documented for future evolution.
+- **Public `bcli.skill_init` namespace for the entry-point contract**
+  — downstream packages currently couple to
+  `bcli_cli.commands.skill_init_cmd` for `InterviewState` /
+  `ProposedQuery`. A future release could promote the protocol types
+  to a public `bcli.skill_init` namespace.
+
+## [0.2.0] — 2026-05-06
+
+### Added
+
+- **Structured `--dry-run` output** — write commands (`post`, `patch`,
+  `delete`, `attach upload`) now emit a stable JSON envelope on stdout
+  when `--format json` / `ndjson` / `raw` is selected. Includes
+  `dry_run`, `method`, `endpoint`, `resolved_url`, `profile`,
+  `environment`, `company_id`, `body`, and `record_id` (when applicable).
+  Agents can parse the envelope before deciding whether to proceed. The
+  human format keeps the same yellow rich panel on stderr but is now
+  augmented with the resolved URL and profile context. See
+  `docs/write-operations.md`.
+- **Opt-in audit log** — new `[audit]` config section persists every
+  write to a per-profile JSONL file. Each entry captures the resolved
+  URL, response status, BC `correlation_id`, latency, redacted request
+  body, and outcome (`completed` / `failed` / `dry_run`). Bounded disk
+  usage via single-backup rotation. SDK (`AsyncBCClient`) does NOT
+  auto-emit; this is a CLI-layer ergonomic on top of BC permission sets.
+  See `docs/configuration.md#audit-log`.
+- **Endpoint `caution` flag** — `EndpointMetadata` now carries a
+  `caution: low | medium | high` level. Importers populate it
+  automatically from a verb-name heuristic (entities containing `post`,
+  `release`, `cancel`, `void`, `reverse`, `apply`, `unapply` are flagged
+  `high`). Surfaced in `bcli endpoint info` and the `list_endpoints` MCP
+  tool so agents can require explicit user confirmation before mutating
+  posted/closed records.
+- New `AGENTS.md` recipes for dry-run-first writes, caution-level
+  interpretation, and audit-log location.
+
+## [0.1.5] — 2026-05-05
+
+### Added
+
+- **Business Central admin setup guide** — new
+  `docs/business-central-admin-setup.md` walks a zero-knowledge user
+  through Entra app registration, localhost redirect setup, delegated BC
+  permissions, admin consent, BC user permission sets, first `bcli
+  config init`, and verification.
+- **`bcli-mcp` preview server** — an MCP (Model Context Protocol) server
+  that lets Claude Desktop and other MCP clients drive bcli. Four
+  read-only tools: `query`, `list_endpoints`, `describe_endpoint`,
+  `list_companies`. Subprocess-only architecture inherits profile, auth,
+  retry, telemetry, and `disable_writes` from the CLI. Install with
+  `pip install "bc-cli[mcp]"`. See `docs/mcp-server.md`.
+
+### Changed
+
+- `bcli config init` now defaults to browser PKCE auth for local humans
+  and agents. New `--automation` and `--headless` shortcuts create
+  client-credentials and device-code profiles respectively.
+- CLI runtime dependencies now ship with the base `bc-cli` install, so
+  `pip install bc-cli` and `uv tool install bc-cli` provide a working
+  `bcli` command without requiring an extra.
+- `bcli company list` accepts `--format` (`json`, `markdown`, `csv`,
+  `ndjson`, `table`). Stable JSON shape:
+  `[{"id", "name", "alias", "is_default"}]`.
+- `bcli endpoint list` and `bcli endpoint info` accept `--format json`.
+  Stable JSON shapes documented inline in each command's help text.
+
+### Removed
+
+- Removed WorkOS AuthKit support. Browser PKCE is now the delegated auth
+  path, Business Central remains the permission boundary, and
+  client-credentials profiles cover automation.
+
+## [0.1.2] — 2026-04-29
+
+Security release. Closes four findings from a strix.ai run against the
+repo. No public SDK signature changes; the CLI gains one new flag
+(`bcli batch run --yes`).
+
+### Security
+
+- **vuln-0001 (HIGH, CWE-352)** — WorkOS localhost callback now binds a
+  per-login high-entropy `state` token. Before this release, any local
+  request reaching `127.0.0.1:8401/callback?code=…` during the login
+  window would be exchanged for a role-bearing WorkOS identity and
+  cached on disk. The handler now rejects callbacks whose path is not
+  `/callback` (404) or whose `state` doesn't match the per-login token
+  (400), and surfaces invalid callbacks as auth failures rather than
+  masking them as timeouts.
+- **vuln-0002 (MEDIUM, CWE-841)** — `bcli batch run` now enforces the
+  `disable_writes` profile gate that direct `post`/`patch`/`delete`
+  commands already honour. Mutating batch steps on a read-only profile
+  prompt for confirmation interactively or abort with exit 1 in
+  non-interactive sessions. New `--yes` / `-y` flag opts scripted use
+  past the prompt. Pure GET batches are unaffected, and `--dry-run`
+  still skips the gate so workflows can be previewed.
+- **vuln-0003 (MEDIUM)** — Browser auth callback listener now binds an
+  ephemeral kernel-assigned port instead of a hard-coded 8400, and
+  serves continuously until a state-bound callback arrives or the
+  timeout expires. Stray requests (e.g. `/favicon.ico`) and
+  state-mismatched callbacks no longer consume the only callback slot.
+  Microsoft Entra accepts any port for `http://localhost` redirect URIs
+  on public clients per RFC 8252, so existing app registrations
+  continue to work without changes.
+- **vuln-0004 (HIGH, CWE-841)** — `SafeContext` writes are now bound to
+  the explicit `environment` and `company_id` passed to
+  `client.safe_write(env, company)`, not the client's profile-bound
+  target. Previously the safety gate validated operator intent but the
+  underlying URL still resolved against the profile, so writes inside
+  `safe_write("Sandbox", "company-SANDBOX")` could still hit
+  `Production/company-PROD`. Closes the documentation-vs-behaviour
+  mismatch where the README/changelog claimed the gate prevented
+  wrong-environment writes.
+
+### Changed
+
+- `bcli batch run` accepts a new `--yes` / `-y` flag (see vuln-0002
+  above). Existing automation against writable profiles is unaffected;
+  CI scripts that run mutating batches against a `disable_writes`
+  profile must pass `--yes` or migrate to a writable profile.
+
+## [0.1.1] — 2026-04-29
+
+OSS-readiness polish. No SDK behaviour changes; one CLI rename and a
+README/docstring cleanup pass.
+
+### Changed
+
+- **Renamed the document-attachment CLI command** to `bcli attach`,
+  with subcommands `bcli attach upload` and `bcli attach test`.
+  Functionality is unchanged. The previous name was a customer-name
+  leftover from internal development; the workflow is generic to any
+  Business Central tenant.
+- Genericised customer-named example values in
+  `docs/authentication.md`, `examples/attach-purchase-invoice-pdf.yaml`,
+  and SDK docstrings.
+
+### Fixed
+
+- README license badge said Apache 2.0 but the License section said
+  MIT. Now consistent: Apache 2.0 throughout (matches the actual
+  `LICENSE` file and `pyproject.toml`).
+
+## [0.1.0] — 2026-04-29
+
+First public release on PyPI as **`bc-cli`**.
+
+> **Note on the package name.** The PyPI distribution name is `bc-cli`,
+> not `bcli` — the latter is squatted by an unrelated 2018-era
+> "EC2 Cluster Creator" package. The Python import name (`import bcli`)
+> and the CLI binary on PATH (`bcli`) are unaffected.
+
+### Added
+
+- **SDK** — `BCClient` (sync) and `AsyncBCClient` (async) for Microsoft
+  Dynamics 365 Business Central. Two construction modes: profile-based
+  (TOML config files) and programmatic (pass auth params directly).
+- **CLI** — Typer-based `bcli` command with subcommands for query
+  (`get`), write (`post`/`patch`/`delete`/`attach`), config, auth,
+  registry import, batch operations, saved queries (`q`), and ETL
+  pipelines.
+- **Three-tier endpoint resolution.** Custom registry → standard v2.0 →
+  fuzzy-match suggestion. Custom APIs imported from Postman v2.1
+  collections, raw JSON, or live `$metadata`.
+- **Auth** — Client-credentials, device-code, browser (PKCE), and
+  WorkOS AuthKit (role → BC client_id mapping). Token cache with 5-min
+  expiry buffer; OS keychain integration via `keyring`.
+- **Write safety** — `SafeContext` gate enforces explicit `environment`
+  + `company_id` on writes; production writes require
+  `confirm_production=True`. CLI's `disable_writes` profile flag adds
+  an interactive confirmation prompt before any mutating call.
+- **Saved queries** (`bcli q`) — Hide OData syntax behind named,
+  parameterised aliases stored per-profile. Per-param `type`,
+  `pattern`, `min`/`max`, and `enum` validation runs locally before any
+  HTTP call. String parameters interpolated into `filter:` are escaped
+  using OData v4 single-quote rules so an injection-shaped value cannot
+  break the literal.
+- **ETL pipeline** — Built-in [dlt](https://dlthub.com) source for
+  incremental backup. Polaris REST catalog integration for Iceberg
+  snapshots. Generic + bcli-bridge layers.
+- **Telemetry** — Pluggable backend with `null`, `console`,
+  `azure_monitor`, and arbitrary `module:Class` sinks. Privacy-first
+  defaults: token redaction in error messages, opt-in capture of filter
+  text and signed-in UPN. Every event carries `version`, `os`,
+  `os_release`, `arch`, `python_version`, and a stable per-laptop
+  `install_id` for downstream slicing.
+- **Structured logging** — JSON request logs to the `bcli.http` logger
+  with method/url/status/retry-count/latency/correlation-id.
+
+### Security
+
+The 0.1.0 release went through two independent security review passes
+before publish. Findings addressed:
+
+- Pinned wheel-version installer scripts; scrubbed registry `supports`
+  arrays to `["GET"]` for read-only profiles; removed sensitive field
+  metadata from public artefacts shipped by the bootstrap installer.
+- **Critical:** Project-level `.bcli.toml` files cannot override
+  `[telemetry] backend`. Closes an arbitrary-Python-import RCE on
+  `bcli` invocation in any directory containing a malicious
+  `.bcli.toml`.
+- **High:** Token caches and identity caches written with `0o600`
+  perms via atomic write; parent dir tightened to `0o700`; one-shot
+  warning on insecure existing perms.
+- **High:** WorkOS role cache now expires after 1 hour; revoked roles
+  no longer keep mapping to privileged BC apps indefinitely.
+- **Medium:** Absolute-URL paths (`@odata.nextLink`) validated against
+  a `*.businesscentral.dynamics.com` / `*.bc.dynamics.com` host
+  allowlist before the bearer token is attached. Closes a
+  bearer-exfiltration vector via tampered BC responses.
+- **Medium:** CI hardened — third-party actions pinned by full commit
+  SHA, default `permissions: contents: read`, `uv sync --locked` for
+  reproducible installs from a committed `uv.lock`.
+- **Medium:** Saved-query OData injection prevention (filter-context
+  escape + per-parameter `type`/`pattern`/`min`/`max`/`enum`
+  validation).
+
+### Known limitations
+
+- Alpha software. The SDK and CLI surface may change in 0.x releases;
+  track this CHANGELOG for breaking changes.
+- Some BC custom-API edge cases (zero-GUID ids on
+  `SourceTableTemporary` pages) require the `--standard` flag to
+  bypass the registry — see `bcli attach upload --help`.
+
+## [Pre-0.1.0 history]
+
+Earlier development happened under the working name `bcapi`, then
+moved to `bcli` (April 2026), then to the PyPI distribution name
+`bc-cli` (April 2026, after discovering the `bcli` PyPI name was
+squatted by an unrelated 2018 package).
+
+[Unreleased]: https://github.com/igor-ctrl/bcli/compare/v0.4.0...HEAD
+[0.4.0]: https://github.com/igor-ctrl/bcli/compare/v0.2.0...v0.4.0
+[0.2.0]: https://github.com/igor-ctrl/bcli/compare/v0.1.5...v0.2.0
+[0.1.5]: https://github.com/igor-ctrl/bcli/compare/v0.1.2...v0.1.5
+[0.1.2]: https://github.com/igor-ctrl/bcli/compare/v0.1.1...v0.1.2
+[0.1.1]: https://github.com/igor-ctrl/bcli/compare/v0.1.0...v0.1.1
+[0.1.0]: https://github.com/igor-ctrl/bcli/releases/tag/v0.1.0

{bc_cli-0.2.0 → bc_cli-0.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bc-cli
-Version: 0.2.0
+Version: 0.4.0
 Summary: Python SDK and CLI for Microsoft Dynamics 365 Business Central APIs
 Project-URL: Homepage, https://github.com/igor-ctrl/bcli
 Project-URL: Repository, https://github.com/igor-ctrl/bcli
@@ -32,14 +32,27 @@ Requires-Dist: tomlkit>=0.13
 Requires-Dist: typer>=0.12
 Provides-Extra: cli
 Provides-Extra: dev
+Requires-Dist: anthropic>=0.40; extra == 'dev'
 Requires-Dist: dlt[filesystem,parquet,s3]>=1.0; extra == 'dev'
 Requires-Dist: mcp>=1.0; extra == 'dev'
+Requires-Dist: openai>=1.50; extra == 'dev'
+Requires-Dist: pypdf>=4.0; extra == 'dev'
 Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
 Requires-Dist: pytest-httpx>=0.30; extra == 'dev'
 Requires-Dist: pytest>=8.0; extra == 'dev'
 Requires-Dist: ruff>=0.5; extra == 'dev'
 Provides-Extra: etl
 Requires-Dist: dlt[filesystem,parquet,s3]>=1.0; extra == 'etl'
+Provides-Extra: extract
+Requires-Dist: anthropic>=0.40; extra == 'extract'
+Requires-Dist: openai>=1.50; extra == 'extract'
+Requires-Dist: pypdf>=4.0; extra == 'extract'
+Provides-Extra: extract-claude
+Requires-Dist: anthropic>=0.40; extra == 'extract-claude'
+Requires-Dist: pypdf>=4.0; extra == 'extract-claude'
+Provides-Extra: extract-openai
+Requires-Dist: openai>=1.50; extra == 'extract-openai'
+Requires-Dist: pypdf>=4.0; extra == 'extract-openai'
 Provides-Extra: mcp
 Requires-Dist: mcp>=1.0; extra == 'mcp'
 Provides-Extra: polaris