bt-cli 0.4.12__tar.gz → 0.4.14__tar.gz

{bt_cli-0.4.12 → bt_cli-0.4.14}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bt-cli
-Version: 0.4.12
+Version: 0.4.14
 Summary: BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM
 Author-email: Dave Grendysz <dgrendysz@beyondtrust.com>
 License: MIT

{bt_cli-0.4.12 → bt_cli-0.4.14}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "bt-cli"
-version = "0.4.12"
+version = "0.4.14"
 description = "BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM"
 readme = "README.md"
 requires-python = ">=3.9"

bt_cli-0.4.14/scripts/sync-package-data.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# Sync skills and CLAUDE.md to package data directory before building
+# Run this before `python -m build` to ensure package has latest content
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+
+echo "Syncing package data..."
+
+# Sync skills
+rm -rf "$PROJECT_ROOT/src/bt_cli/data/skills"
+cp -r "$PROJECT_ROOT/.claude/skills" "$PROJECT_ROOT/src/bt_cli/data/skills"
+echo "  ✓ Synced .claude/skills -> src/bt_cli/data/skills"
+
+# Sync CLAUDE.md
+cp "$PROJECT_ROOT/CLAUDE.md" "$PROJECT_ROOT/src/bt_cli/data/CLAUDE.md"
+echo "  ✓ Synced CLAUDE.md -> src/bt_cli/data/CLAUDE.md"
+
+echo "Done. Ready to build."

{bt_cli-0.4.12 → bt_cli-0.4.14}/src/bt_cli/__init__.py

@@ -1,3 +1,3 @@
 """BeyondTrust Unified Admin CLI."""
 
-__version__ = "0.4.12"
+__version__ = "0.4.13"

{bt_cli-0.4.12 → bt_cli-0.4.14}/src/bt_cli/data/CLAUDE.md

@@ -1,11 +1,11 @@
-# BT-Admin CLI
+# BT-CLI
 
 BeyondTrust Platform CLI for Password Safe, Entitle, PRA, and EPM Windows.
 
 ## Setup
 
 ```bash
-cd /home/admin/entitl-sko/bt-cli
+# From project root
 source .venv/bin/activate && source .env
 bt whoami   # Test all connections
 ```
@@ -62,16 +62,22 @@ PASSWORD=$(bt pws quick checkout -s server -a admin --raw)
 - PWS assets: Must create via workgroup endpoint
 - ECM integration: PWS system name must match PRA jump item name
 
-## Key Reference IDs
+## Functional vs Managed Accounts
 
-| Resource | ID | Notes |
-|----------|-----|-------|
-| PWS Workgroup AWS | 3 | |
-| PWS Workgroup Datacenter | 2 | |
-| PWS Functional Account | 7 | SSH key auth |
-| PRA Jumpoint AWS | 3 | |
-| PRA Jumpoint Datacenter | 2 | |
-| PRA ec2-admin SSH CA | 31 | For EC2 provisioning |
+**Functional accounts** (`bt pws functional`) - Service accounts used BY Password Safe to connect to systems for auto-management (password rotation, discovery). One functional account can manage many systems.
+
+**Managed accounts** (`bt pws accounts`) - User accounts ON systems that Password Safe manages (stores/rotates passwords for). These are what users check out.
+
+```bash
+# List functional accounts to find the right one for your platform
+bt pws functional list
+
+# List workgroups to find the right one
+bt pws workgroups list
+
+# Use functional account when onboarding a system
+bt pws quick onboard -n "server" -i "10.0.1.50" -w <WORKGROUP_ID> -f <FUNC_ACCT_ID> -e "sudo"
+```
 
 ## Project Structure
 

{bt_cli-0.4.12 → bt_cli-0.4.14}/src/bt_cli/data/skills/bt/SKILL.md

@@ -22,9 +22,10 @@ Before executing any destructive operation:
 
 ## Setup
 
+The CLI should be installed and configured. Test with:
+
 ```bash
-cd /home/admin/entitl-sko/bt-cli
-source .venv/bin/activate && source .env
+bt whoami   # Verify all products are connected
 ```
 
 ## Test All Connections
@@ -47,27 +48,32 @@ bt quick pasm-search web-server -o json
 ### PASM Onboard (PWS + PRA)
 Onboard a host to both Password Safe and PRA in one command.
 
+**First, discover your environment IDs** (see "Discover Environment IDs" below).
+
 ```bash
-# Linux SSH host
-bt quick pasm-onboard -n "my-server" -i "10.0.1.50" -w 3 -j 3 -g 24
+# Linux SSH host (use IDs from your environment)
+bt quick pasm-onboard -n "my-server" -i "10.0.1.50" \
+    -w <workgroup_id> -j <jumpoint_id> -g <jump_group_id>
 
 # Full options
 bt quick pasm-onboard \
     --name "web-01" \
     --ip "10.0.1.100" \
-    --workgroup 3 \
-    --jumpoint 3 \
-    --jump-group 24 \
-    --functional-account 7 \
+    --workgroup <workgroup_id> \
+    --jumpoint <jumpoint_id> \
+    --jump-group <jump_group_id> \
+    --functional-account <func_acct_id> \
     --elevation "sudo" \
-    --pra-username "ec2-admin"
+    --pra-username "admin"
 
 # Windows RDP host
-bt quick pasm-onboard -n "win-srv" -i "10.0.2.10" -w 2 -p 1 -j 3 -g 31 --jump-type rdp --port 3389
+bt quick pasm-onboard -n "win-srv" -i "10.0.2.10" \
+    -w <workgroup_id> -p <platform_id> -j <jumpoint_id> -g <jump_group_id> \
+    --jump-type rdp --port 3389
 
 # Skip one product
-bt quick pasm-onboard -n "pra-only" -i "10.0.1.5" -j 3 -g 24 --skip-pws
-bt quick pasm-onboard -n "pws-only" -i "10.0.1.6" -w 3 --skip-pra
+bt quick pasm-onboard -n "pra-only" -i "10.0.1.5" -j <jumpoint_id> -g <jump_group_id> --skip-pws
+bt quick pasm-onboard -n "pws-only" -i "10.0.1.6" -w <workgroup_id> --skip-pra
 ```
 
 ### PASM Offboard
@@ -78,20 +84,24 @@ bt quick pasm-offboard -n "my-server"
 bt quick pasm-offboard -n "web-01" --force
 ```
 
-## Environment Reference IDs
-
-| Resource | ID | Notes |
-|----------|-----|-------|
-| PWS Workgroup (AWS) | 3 | AWS_Account Workgroup |
-| PWS Workgroup (Datacenter) | 2 | Datacenter_West |
-| PWS Functional Account | 7 | pws-functional SSH key |
-| PWS Platform Linux | 2 | |
-| PWS Platform Windows | 1 | |
-| PRA Jumpoint (AWS) | 3 | AWS Account |
-| PRA Jumpoint (Datacenter) | 2 | Data Center 01 |
-| PRA Vault Account (ec2-admin) | 31 | SSH CA for EC2 |
-| Entitle PRA Integration | bb2a3c79-02a9-45d9-be7f-f209d97cb1d7 | |
-| Entitle Customer Access | 22f4960f-b2ee-435f-9fa2-b82baeca06b2 | Virtual integration |
+## Discover Environment IDs
+
+Use these commands to find the IDs for your environment:
+
+```bash
+# PWS resources
+bt pws workgroups list          # Find workgroup IDs
+bt pws functional list          # Find functional account IDs
+bt pws platforms list           # Find platform IDs
+
+# PRA resources
+bt pra jumpoint list            # Find jumpoint IDs
+bt pra jump-groups list         # Find jump group IDs
+bt pra vault groups list        # Find vault account group IDs
+
+# Entitle resources
+bt entitle integrations list    # Find integration IDs
+```
 
 ## Product-Specific Skills
 

{bt_cli-0.4.12 → bt_cli-0.4.14}/src/bt_cli/data/skills/entitle/SKILL.md

@@ -25,10 +25,10 @@ bt entitle integrations get <integration_id>
 bt entitle resources list --integration <integration_id>
 bt entitle resources get <resource_id>
 
-# Virtual integration resources
+# Virtual integration resources (use integration ID from `bt entitle integrations list`)
 bt entitle resources create-virtual \
     --name "Customer-05 (Bing7)" \
-    --integration 22f4960f-b2ee-435f-9fa2-b82baeca06b2 \
+    --integration <virtual_integration_id> \
     --source-role-id <role_id> \
     --role-name "Start Session"
 bt entitle resources delete <resource_id>
@@ -101,18 +101,21 @@ bt entitle policies get <policy_id>
 - Or manually trigger sync in Entitle UI: Integrations → PRA → Sync Now
 
 ```bash
-# 1. Trigger PRA sync in Entitle UI (or wait for hourly sync)
+# 1. Find your PRA integration ID
+bt entitle integrations list | grep -i pra
 
-# 2. Find the new PRA resource
-bt entitle resources list --integration bb2a3c79-02a9-45d9-be7f-f209d97cb1d7
+# 2. Trigger PRA sync in Entitle UI (or wait for hourly sync)
 
-# 3. Get "Start Sessions Only" role ID
+# 3. Find the new PRA resource
+bt entitle resources list --integration <pra_integration_id>
+
+# 4. Get "Start Sessions Only" role ID
 bt entitle roles list --resource <pra_resource_id>
 
-# 4. Add to Customer Access virtual integration
+# 5. Add to virtual integration (find ID with `bt entitle integrations list`)
 bt entitle resources create-virtual \
     --name "Customer-05" \
-    --integration 22f4960f-b2ee-435f-9fa2-b82baeca06b2 \
+    --integration <virtual_integration_id> \
     --source-role-id <role_id> \
     --role-name "Start Session"
 ```
@@ -123,13 +126,21 @@ bt entitle resources create-virtual \
 bt entitle permissions list --user "user@example.com" -o json
 ```
 
-## Key IDs
+## Discover IDs
+
+```bash
+# Find integration IDs
+bt entitle integrations list
+
+# Find workflow IDs
+bt entitle workflows list
+
+# Find resource IDs within an integration
+bt entitle resources list --integration <integration_id>
 
-| Resource | ID |
-|----------|-----|
-| PRA Integration | bb2a3c79-02a9-45d9-be7f-f209d97cb1d7 |
-| Customer Access (Virtual) | 22f4960f-b2ee-435f-9fa2-b82baeca06b2 |
-| AWS SandBox | (check `bt entitle integrations list`) |
+# Find role IDs for a resource
+bt entitle roles list --resource <resource_id>
+```
 
 ## Integrations Available
 

{bt_cli-0.4.12 → bt_cli-0.4.14}/src/bt_cli/data/skills/epmw/SKILL.md

@@ -118,22 +118,21 @@ bt epmw audits requests list
 bt epmw audits requests get <audit_id>
 ```
 
-## Key Groups
-
-| ID | Name | Computers |
-|----|------|-----------|
-| 042267ec-... | Servers - Datacenter1 | CorpMem01, CorpMem02 |
-| 1c8f6310-... | Workstations - Datacenter1 | CorpWS01, CorpWS02 |
-| 67ca23ad-... | Engineering | BenC-Skynet |
-
-## Key Computers
-
-| Host | Domain | Group | Status |
-|------|--------|-------|--------|
-| CorpMem01 | nexusdyn.corp | Servers | Connected |
-| CorpMem02 | nexusdyn.corp | Servers | Connected |
-| CorpWS01 | nexusdyn.corp | Workstations | Connected |
-| CorpWS02 | nexusdyn.corp | Workstations | Connected |
+## Discover IDs
+
+```bash
+# Find group IDs
+bt epmw groups list
+
+# Find computer IDs
+bt epmw computers list
+
+# Find policy IDs
+bt epmw policies list
+
+# Find user IDs
+bt epmw users list
+```
 
 ## API Notes
 

{bt_cli-0.4.12 → bt_cli-0.4.14}/src/bt_cli/data/skills/pra/SKILL.md

@@ -35,28 +35,28 @@ bt pra quick search admin -o json
 
 ```bash
 bt pra jump-items shell list
-bt pra jump-items shell get 55
+bt pra jump-items shell get <jump_item_id>
 bt pra jump-items shell create \
     --name "web-server-01" \
     --hostname "10.0.1.50" \
-    --jumpoint 3 \
-    --jump-group 24 \
+    --jumpoint <jumpoint_id> \
+    --jump-group <jump_group_id> \
     --protocol ssh \
     --port 22 \
-    --username "ec2-admin"
-bt pra jump-items shell delete 55
+    --username "admin"
+bt pra jump-items shell delete <jump_item_id>
 ```
 
 ### RDP Jump
 
 ```bash
 bt pra jump-items rdp list
-bt pra jump-items rdp get 1
+bt pra jump-items rdp get <jump_item_id>
 bt pra jump-items rdp create \
     --name "win-server-01" \
     --hostname "10.0.2.10" \
-    --jumpoint 3 \
-    --jump-group 31 \
+    --jumpoint <jumpoint_id> \
+    --jump-group <jump_group_id> \
     --port 3389
 ```
 
@@ -67,8 +67,8 @@ bt pra jump-items tunnel list
 bt pra jump-items tunnel create \
     --name "production-k8s" \
     --hostname "k8s-api.example.com" \
-    --jumpoint 3 \
-    --jump-group 24 \
+    --jumpoint <jumpoint_id> \
+    --jump-group <jump_group_id> \
     --type k8s \
     --url "https://k8s-api.example.com:6443" \
     --ca-cert "$(cat /path/to/ca.crt)"
@@ -78,25 +78,25 @@ bt pra jump-items tunnel create \
 
 ```bash
 bt pra jump-groups list
-bt pra jump-groups get 24
+bt pra jump-groups get <group_id>
 bt pra jump-groups create \
-    --name "Customer-05 (Bing7)" \
-    --code-name bing7 \
-    --comments "Demo customer"
-bt pra jump-groups delete 30
+    --name "Customer-05" \
+    --code-name customer05 \
+    --comments "New customer environment"
+bt pra jump-groups delete <group_id>
 ```
 
 ## Vault Accounts
 
 ```bash
 bt pra vault accounts list
-bt pra vault accounts get 6
-bt pra vault accounts checkout 6
-bt pra vault accounts checkin 6
-bt pra vault accounts rotate 6
+bt pra vault accounts get <account_id>
+bt pra vault accounts checkout <account_id>
+bt pra vault accounts checkin <account_id>
+bt pra vault accounts rotate <account_id>
 
 # SSH CA - get public key for provisioning
-bt pra vault accounts get-public-key 31
+bt pra vault accounts get-public-key <ssh_ca_account_id>
 ```
 
 ## SSH CA Authentication
@@ -104,21 +104,18 @@ bt pra vault accounts get-public-key 31
 PRA supports SSH CA for ephemeral access - no static keys on hosts.
 
 ```bash
+# Find SSH CA vault accounts
+bt pra vault accounts list | grep -i ssh
+
 # Get CA public key (ready for authorized_keys)
-bt pra vault accounts get-public-key 31
+bt pra vault accounts get-public-key <ssh_ca_account_id>
 # Output: cert-authority ssh-rsa AAAAB3NzaC1yc2E...
 
 # Provision EC2 with SSH CA
-PRA_CA_KEY=$(bt pra vault accounts get-public-key 31)
+PRA_CA_KEY=$(bt pra vault accounts get-public-key <ssh_ca_account_id>)
 # Embed in user-data script for EC2
 ```
 
-**SSH CA Vault Accounts:**
-| ID | Name | Username |
-|----|------|----------|
-| 3 | Ephemeral Admin SSH CA | admin-ephemeral |
-| 31 | ec2-admin | ec2-admin |
-
 ## CSV Import/Export
 
 ```bash
@@ -128,17 +125,21 @@ bt pra import jump-items --file jump-items.csv --dry-run
 bt pra import jump-items --file jump-items.csv
 ```
 
-## Key IDs
-
-| Resource | ID |
-|----------|-----|
-| Jumpoint: Data Center 01 | 2 |
-| Jumpoint: AWS Account | 3 |
-| Jump Group: Datacenter 01 (West) | 1 |
-| Jump Group: Customer-01 (Axion) | 24 |
-| Jump Group: Customer-02 (Meridian) | 25 |
-| Jump Group: Cloud Containers | 26 |
-| Vault: ec2-admin (SSH CA) | 31 |
+## Discover IDs
+
+```bash
+# Find jumpoint IDs
+bt pra jumpoint list
+
+# Find jump group IDs
+bt pra jump-groups list
+
+# Find vault account IDs
+bt pra vault accounts list
+
+# Find vault account group IDs
+bt pra vault groups list
+```
 
 ## API Notes
 

{bt_cli-0.4.12 → bt_cli-0.4.14}/src/bt_cli/data/skills/pws/SKILL.md

@@ -39,8 +39,9 @@ bt pws quick search root -o json
 bt pws quick rotate -s "axion-finapp-01" -a "root"
 
 # Onboard system (asset + system + account)
-bt pws quick onboard -n "my-server" -i "10.0.1.50" -w 3
-bt pws quick onboard -n "web-01" -i "10.0.1.100" -w 3 -f 7 -e "sudo"
+# First find your workgroup and functional account IDs (see "Discover IDs" below)
+bt pws quick onboard -n "my-server" -i "10.0.1.50" -w <workgroup_id>
+bt pws quick onboard -n "web-01" -i "10.0.1.100" -w <workgroup_id> -f <func_acct_id> -e "sudo"
 
 # Offboard system
 bt pws quick offboard -s "my-server"
@@ -52,15 +53,15 @@ bt pws quick offboard -s "web-01" --force
 ```bash
 # List systems
 bt pws systems list
-bt pws systems list --workgroup 3
+bt pws systems list --workgroup <workgroup_id>
 bt pws systems list -o json
 
 # Get system details
-bt pws systems get 22
+bt pws systems get <system_id>
 
 # List accounts on a system
-bt pws accounts list --system 22
-bt pws accounts get 45
+bt pws accounts list --system <system_id>
+bt pws accounts get <account_id>
 ```
 
 ## Secrets Safe
@@ -128,13 +129,13 @@ bt pws quick user-entitlements dave
 
 ```bash
 # 1. Find system
-bt pws systems list -o json | jq '.[] | select(.SystemName=="axion-finapp-01")'
+bt pws systems list -o json | jq '.[] | select(.SystemName=="my-server")'
 
 # 2. Find account
-bt pws accounts list --system 22
+bt pws accounts list --system <system_id>
 
 # 3. Checkout
-bt pws credentials checkout --system "axion-finapp-01" --account "root"
+bt pws credentials checkout --system "my-server" --account "root"
 
 # 4. Get password
 bt pws credentials show <request_id>
@@ -158,18 +159,18 @@ bt pws import systems --file systems.csv
 bt pws import secrets --file secrets.csv
 ```
 
-## Key IDs
+## Discover IDs
 
-| Resource | ID |
-|----------|-----|
-| Workgroup: Default | 1 |
-| Workgroup: Datacenter_West | 2 |
-| Workgroup: AWS_Account | 3 |
-| Platform: Windows | 1 |
-| Platform: Linux | 2 |
-| Platform: MySQL | 10 |
-| Platform: PostgreSQL | 79 |
-| Functional Account | 7 |
+```bash
+# Find workgroup IDs
+bt pws workgroups list
+
+# Find platform IDs
+bt pws platforms list
+
+# Find functional account IDs (for auto-management)
+bt pws functional list
+```
 
 ## EC2 Systems in AWS
 
@@ -179,7 +180,7 @@ When onboarding EC2 instances to Password Safe, use the **internal AWS DNS name*
 # Use internal DNS for EC2 systems
 bt pws quick onboard -n "web-prod-01" \
     -i "ip-10-0-12-45.us-east-1.compute.internal" \
-    -w 3 -f 7
+    -w <workgroup_id> -f <func_acct_id>
 
 # Or set DNS separately
 bt pws systems update <system_id> --dns "ip-10-0-12-45.us-east-1.compute.internal"

{bt_cli-0.4.12 → bt_cli-0.4.14}/src/bt_cli/epmw/commands/policies.py

@@ -288,15 +288,29 @@ def revert_policy(
 @app.command("download")
 def download_policy(
     policy_id: str = typer.Argument(..., help="Policy ID (UUID)"),
+    file: Optional[str] = typer.Option(None, "--file", "-f", help="Save to file instead of stdout"),
 ):
-    """Download policy content (XML format)."""
+    """Download policy content (XML format).
+
+    Examples:
+        bt epmw policies download <policy_id>
+        bt epmw policies download <policy_id> --file policy.xml
+        bt epmw policies download <policy_id> > policy.xml
+    """
     from bt_cli.epmw.client import get_client
 
     try:
         client = get_client()
         content = client.download_policy(policy_id)
-        # Policy content is XML
-        typer.echo(content)
+
+        if file:
+            # Write to file
+            with open(file, "w", encoding="utf-8") as f:
+                f.write(content)
+            print_success(f"Policy saved to: {file}")
+        else:
+            # Output to stdout
+            typer.echo(content)
     except httpx.HTTPStatusError as e:
         print_api_error(e, "download policy")
         raise typer.Exit(1)