bt-cli 0.4.13__py3-none-any.whl → 0.4.21__py3-none-any.whl

bt_cli/__init__.py

@@ -1,3 +1,3 @@
 """BeyondTrust Unified Admin CLI."""
 
-__version__ = "0.4.13"
+__version__ = "0.4.21"

bt_cli/cli.py

@@ -3,6 +3,14 @@
 import sys
 from typing import Optional
 
+# Use OS certificate store instead of bundled certifi (for enterprise CAs)
+# This must be done before any SSL connections are made
+try:
+    import truststore
+    truststore.inject_into_ssl()
+except ImportError:
+    pass  # Python < 3.10 or truststore not available
+
 import typer
 
 # Check rich version early to give helpful error
@@ -131,6 +139,13 @@ except Exception:
     pass  # Quick module not ready yet
 
 
+def _version_callback(value: bool) -> None:
+    """Print version and exit."""
+    if value:
+        print(f"bt-cli version {__version__}")
+        raise typer.Exit()
+
+
 @app.callback()
 def main_callback(
     profile: Optional[str] = typer.Option(
@@ -145,6 +160,13 @@ def main_callback(
         help="Show REST API calls (method, URL, headers, body)",
         envvar="BT_SHOW_REST",
     ),
+    version: bool = typer.Option(
+        False,
+        "--version", "-V",
+        help="Show version and exit",
+        callback=_version_callback,
+        is_eager=True,
+    ),
 ) -> None:
     """BeyondTrust Platform CLI.
 

bt_cli/commands/configure.py

@@ -179,8 +179,8 @@ def _configure_interactive(product: Optional[str] = None, profile: Optional[str]
                 default=str(default) if default else ""
             )
 
-        # Skip empty optional fields
-        if not value and not field_info.get("required"):
+        # Skip empty optional fields (but keep False booleans - they're valid)
+        if value is None or (value == "" and not field_info.get("required")):
             continue
 
         # Store secrets in keyring if enabled
@@ -285,7 +285,7 @@ def _test_connection(product: str, profile: str) -> None:
         elif product == "epmw":
             from ..epmw.client import get_client
             with get_client() as client:
-                client.authenticate()
+                # EPMW auto-authenticates on first request via OAuth
                 client.get("/Computers", params={"pageSize": 1})
             print_success("EPM Windows connection successful!")
 

bt_cli/core/config_file.py

@@ -205,6 +205,7 @@ def save_config_file(config: ConfigFile, path: Optional[Path] = None) -> None:
     # This prevents TOCTOU race where file could be readable between
     # creation and chmod.
     import os
+    import sys
     import tempfile
 
     # Write to temp file in same directory, then atomic rename
@@ -213,12 +214,22 @@ def save_config_file(config: ConfigFile, path: Optional[Path] = None) -> None:
         # Create temp file with secure permissions
         fd, tmp_path = tempfile.mkstemp(dir=dir_path, prefix=".config_", suffix=".tmp")
         try:
-            # Set permissions on file descriptor before writing
-            os.fchmod(fd, 0o600)
+            # Set permissions on file descriptor before writing (POSIX only)
+            # Windows doesn't support fchmod - permissions work differently there
+            if sys.platform != "win32" and hasattr(os, "fchmod"):
+                os.fchmod(fd, 0o600)
             with os.fdopen(fd, "w") as f:
                 yaml.dump(data, f, default_flow_style=False, sort_keys=False)
-            # Atomic rename
+            # Atomic rename (on Windows, need to remove target first if exists)
+            if sys.platform == "win32" and path.exists():
+                os.unlink(path)
             os.rename(tmp_path, path)
+            # On Windows, set permissions after the fact using chmod
+            if sys.platform == "win32":
+                try:
+                    os.chmod(path, 0o600)
+                except OSError:
+                    pass  # Best effort on Windows
         except Exception:
             # Clean up temp file on error
             try:

bt_cli/data/skills/entitle/SKILL.md

@@ -14,6 +14,40 @@ description: Entitle commands for JIT access, bundles, workflows, and permission
 
 List affected resources first, then ask for explicit confirmation.
 
+## Performance Tips
+
+**ALWAYS use server-side filters** - never download all data and filter locally.
+
+```bash
+# ✓ FAST - Server-side filtering
+bt entitle permissions list --resource <resource_id>
+bt entitle permissions list --user <user_id>
+bt entitle permissions list --integration <integration_id>
+
+# ✗ SLOW - Downloads ALL 23k+ permissions, filters locally
+bt entitle permissions list | jq 'select(...)'
+bt entitle permissions list -o json | grep "something"
+```
+
+**Available filters for permissions list:**
+
+| Flag | Purpose |
+|------|---------|
+| `--resource -r` | Filter by resource ID |
+| `--user -u` | Filter by user ID |
+| `--integration -i` | Filter by integration ID |
+
+**Dataset size warning:** Entitle can have 20,000+ permissions. Unfiltered queries will be very slow.
+
+**Workflow - Check standing access for a resource:**
+```bash
+# 1. Find resource ID
+bt entitle resources list --integration <integration_id> | grep -i "admin"
+
+# 2. Query permissions with resource filter (fast)
+bt entitle permissions list --resource <resource_id> -o json | jq -r '.[] | "\(.actor.name) | \(.actor.email)"'
+```
+
 ## Integrations & Resources
 
 ```bash

bt_cli/entitle/client/base.py

@@ -351,10 +351,10 @@ class EntitleClient:
     # =========================================================================
 
     def list_users(
-        self, search: Optional[str] = None, limit: int = 100
+        self, search: Optional[str] = None, limit: int = 100, max_pages: Optional[int] = None
     ) -> list[dict[str, Any]]:
-        """List all users."""
-        return self.paginate("/users", {"search": search}, page_size=limit)
+        """List users with optional pagination limit."""
+        return self.paginate("/users", {"search": search}, page_size=limit, max_pages=max_pages)
 
     def get_user(self, user_id: str) -> dict[str, Any]:
         """Get a user by ID."""

bt_cli/entitle/commands/users.py

@@ -14,7 +14,8 @@ app = typer.Typer(no_args_is_help=True, help="Manage users")
 @app.command("list")
 def list_users(
     search: Optional[str] = typer.Option(None, "--search", "-s", help="Search by email or name"),
-    limit: int = typer.Option(100, "--limit", "-l", help="Maximum results to return"),
+    limit: int = typer.Option(50, "--limit", "-l", help="Results per page"),
+    fetch_all: bool = typer.Option(False, "--all", help="Fetch all results (may be slow for large datasets)"),
     output: str = typer.Option("table", "--output", "-o", help="Output format: table, json"),
 ) -> None:
     """List users in Entitle.
@@ -22,11 +23,14 @@ def list_users(
     Examples:
         bt entitle users list
         bt entitle users list -s "john"
-        bt entitle users list -l 50 -o json
+        bt entitle users list -l 100 --all
+        bt entitle users list -o json
     """
     try:
         with get_client() as client:
-            data = client.list_users(search=search, limit=limit)
+            # Only fetch first page by default, use --all for everything
+            max_pages = None if fetch_all else 1
+            data = client.list_users(search=search, limit=limit, max_pages=max_pages)
 
         if output == "json":
             print_json(data)

bt_cli/epmw/commands/policies.py

@@ -288,15 +288,29 @@ def revert_policy(
 @app.command("download")
 def download_policy(
     policy_id: str = typer.Argument(..., help="Policy ID (UUID)"),
+    file: Optional[str] = typer.Option(None, "--file", "-f", help="Save to file instead of stdout"),
 ):
-    """Download policy content (XML format)."""
+    """Download policy content (XML format).
+
+    Examples:
+        bt epmw policies download <policy_id>
+        bt epmw policies download <policy_id> --file policy.xml
+        bt epmw policies download <policy_id> > policy.xml
+    """
     from bt_cli.epmw.client import get_client
 
     try:
         client = get_client()
         content = client.download_policy(policy_id)
-        # Policy content is XML
-        typer.echo(content)
+
+        if file:
+            # Write to file
+            with open(file, "w", encoding="utf-8") as f:
+                f.write(content)
+            print_success(f"Policy saved to: {file}")
+        else:
+            # Output to stdout
+            typer.echo(content)
     except httpx.HTTPStatusError as e:
         print_api_error(e, "download policy")
         raise typer.Exit(1)

bt_cli/pws/commands/import_export.py

@@ -16,10 +16,10 @@ import_app = typer.Typer(no_args_is_help=True, help="Import resources from CSV f
 export_app = typer.Typer(no_args_is_help=True, help="Export sample CSV templates")
 console = Console()
 
-# Column definitions for CSV formats
+# Column definitions for CSV formats - using NAMES not IDs for readability
 SYSTEMS_COLUMNS = [
-    "name", "ip_address", "workgroup_id", "platform_id", "port",
-    "functional_account_id", "elevation_command", "auto_manage",
+    "system_name", "ip_address", "workgroup", "platform", "port",
+    "functional_account", "elevation_command", "auto_manage",
     "account_name", "account_password", "account_description"
 ]
 
@@ -27,31 +27,36 @@ SECRETS_COLUMNS = [
     "folder_path", "title", "username", "password", "description", "notes"
 ]
 
-# Sample data for templates
+# Sample data for templates - uses names that will be resolved to IDs
+# NOTE: account_password only required if auto_manage=false
+#       If auto_manage=true with functional_account, PWS rotates password automatically
 SYSTEMS_SAMPLE = [
     {
-        "name": "web-server-01", "ip_address": "10.0.1.50", "workgroup_id": "3",
-        "platform_id": "2", "port": "22", "functional_account_id": "7",
+        "system_name": "linux-managed-01", "ip_address": "10.0.1.50",
+        "workgroup": "Default",  # Use workgroup NAME (run: bt pws workgroups list)
+        "platform": "Linux SSH",  # Use platform NAME (run: bt pws platforms list)
+        "port": "22",
+        "functional_account": "Linux - Local",  # FA DisplayName (run: bt pws functional list)
         "elevation_command": "sudo", "auto_manage": "true",
-        "account_name": "root", "account_password": "", "account_description": "Root account"
+        "account_name": "root", "account_password": "", "account_description": "Auto-managed root"
     },
     {
-        "name": "web-server-01", "ip_address": "10.0.1.50", "workgroup_id": "3",
-        "platform_id": "2", "port": "22", "functional_account_id": "7",
-        "elevation_command": "sudo", "auto_manage": "true",
-        "account_name": "svc-backup", "account_password": "Backup#2026!", "account_description": "Backup service"
+        "system_name": "linux-managed-01", "ip_address": "10.0.1.50",
+        "workgroup": "Default", "platform": "Linux SSH", "port": "22",
+        "functional_account": "Linux - Local", "elevation_command": "sudo", "auto_manage": "true",
+        "account_name": "appuser", "account_password": "", "account_description": "Auto-managed app account"
     },
     {
-        "name": "db-server-01", "ip_address": "10.0.1.60", "workgroup_id": "3",
-        "platform_id": "2", "port": "22", "functional_account_id": "7",
-        "elevation_command": "sudo", "auto_manage": "true",
-        "account_name": "postgres", "account_password": "", "account_description": "Database admin"
+        "system_name": "linux-manual-01", "ip_address": "10.0.1.60",
+        "workgroup": "Default", "platform": "Linux SSH", "port": "22",
+        "functional_account": "", "elevation_command": "", "auto_manage": "false",
+        "account_name": "dbadmin", "account_password": "InitialP@ss123!", "account_description": "Manual - password required"
     },
     {
-        "name": "win-server-01", "ip_address": "10.0.2.10", "workgroup_id": "2",
-        "platform_id": "1", "port": "5985", "functional_account_id": "",
-        "elevation_command": "", "auto_manage": "false",
-        "account_name": "Administrator", "account_password": "InitialPass123!", "account_description": "Local admin"
+        "system_name": "win-manual-01", "ip_address": "10.0.2.10",
+        "workgroup": "Default", "platform": "Windows", "port": "5985",
+        "functional_account": "", "elevation_command": "", "auto_manage": "false",
+        "account_name": "Administrator", "account_password": "WinP@ss456!", "account_description": "Manual - password required"
     },
 ]
 
@@ -74,25 +79,89 @@ SECRETS_SAMPLE = [
 ]
 
 
+def _resolve_name_to_id(name: str, lookup: dict, resource_type: str) -> Optional[int]:
+    """Resolve a name to ID using case-insensitive partial matching."""
+    if not name:
+        return None
+
+    # Try exact match first (case-insensitive)
+    name_lower = name.lower().strip()
+    for key, value in lookup.items():
+        if key.lower() == name_lower:
+            return value
+
+    # Try partial match (name contains search term)
+    for key, value in lookup.items():
+        if name_lower in key.lower():
+            return value
+
+    return None
+
+
+def _build_folder_path_map(safes: list, folders: list) -> dict[str, str]:
+    """Build a map of folder paths to folder IDs.
+
+    Safes are top-level containers, folders can be nested.
+    Returns a dict like {"SafeName/FolderName": "folder-guid", ...}
+    """
+    # Build ID -> object lookups
+    safe_by_id = {s.get("Id"): s for s in safes}
+    folder_by_id = {f.get("Id"): f for f in folders}
+
+    # Build path for each folder
+    path_map: dict[str, str] = {}
+
+    def get_path(folder_id: str) -> str:
+        """Recursively build path for a folder."""
+        if folder_id in safe_by_id:
+            # It's a safe (top-level)
+            return safe_by_id[folder_id].get("Name", "")
+
+        folder = folder_by_id.get(folder_id)
+        if not folder:
+            return ""
+
+        parent_id = folder.get("ParentId")
+        folder_name = folder.get("Name", "")
+
+        if parent_id:
+            parent_path = get_path(parent_id)
+            if parent_path:
+                return f"{parent_path}/{folder_name}"
+
+        return folder_name
+
+    # Map all folders
+    for folder in folders:
+        folder_id = folder.get("Id")
+        path = get_path(folder_id)
+        if path:
+            path_map[path.lower()] = folder_id
+
+    return path_map
+
+
 @import_app.command("systems")
 def import_systems(
     file: str = typer.Option(..., "--file", "-f", help="CSV file path"),
     dry_run: bool = typer.Option(False, "--dry-run", help="Validate without creating"),
-    workgroup: Optional[int] = typer.Option(None, "--workgroup", "-w", help="Override workgroup ID for all rows"),
+    workgroup_override: Optional[str] = typer.Option(None, "--workgroup", "-w", help="Override workgroup for all rows (name or ID)"),
 ) -> None:
     """Import managed systems and accounts from CSV.
 
     Each row creates a system + account. Multiple accounts per system use
     multiple rows with the same system name (system is created only once).
 
-    Required columns: name, ip_address, workgroup_id, account_name
-    Optional: platform_id, port, functional_account_id, elevation_command,
+    Uses NAMES for workgroup, platform, functional_account - resolved to IDs automatically.
+
+    Required columns: system_name, ip_address, workgroup, account_name
+    Optional: platform, port, functional_account, elevation_command,
               auto_manage, account_password, account_description
 
     Examples:
         bt pws import systems --file systems.csv --dry-run
         bt pws import systems --file systems.csv
-        bt pws import systems --file systems.csv --workgroup 3
+        bt pws import systems --file systems.csv --workgroup "Default"
     """
     try:
         rows = read_csv(file)
@@ -102,73 +171,148 @@ def import_systems(
 
         console.print(f"[dim]Read {len(rows)} rows from {file}[/dim]")
 
-        # Validate all rows first
-        errors = []
-        required = ["name", "ip_address", "account_name"]
-        if not workgroup:
-            required.append("workgroup_id")
-
-        for i, row in enumerate(rows, 1):
-            row_errors = validate_required_fields(row, required, i)
-            errors.extend(row_errors)
-
-        if errors:
-            print_error("Validation errors:")
-            for err in errors[:20]:
-                console.print(f"  [red]{err}[/red]")
-            if len(errors) > 20:
-                console.print(f"  [red]... and {len(errors) - 20} more errors[/red]")
-            raise typer.Exit(1)
-
-        # Group rows by system name
-        systems_rows: dict[str, list[dict]] = {}
-        for row in rows:
-            name = row["name"].strip()
-            if name not in systems_rows:
-                systems_rows[name] = []
-            systems_rows[name].append(row)
-
-        console.print(f"[dim]Found {len(systems_rows)} unique systems with {len(rows)} total accounts[/dim]")
-
-        if dry_run:
-            console.print("\n[yellow]DRY RUN - No changes will be made[/yellow]\n")
-            table = Table(title="Systems to Create")
-            table.add_column("System", style="green")
-            table.add_column("IP", style="cyan")
-            table.add_column("Workgroup", style="yellow")
-            table.add_column("Platform", style="magenta")
-            table.add_column("Accounts", style="blue")
-
-            for name, sys_rows in systems_rows.items():
-                first = sys_rows[0]
-                wg = workgroup or parse_int(first.get("workgroup_id", ""))
-                accounts = ", ".join(r["account_name"] for r in sys_rows)
-                table.add_row(
-                    name,
-                    first.get("ip_address", ""),
-                    str(wg),
-                    first.get("platform_id", "2"),
-                    accounts
-                )
-
-            console.print(table)
-            console.print(f"\n[dim]Would create {len(systems_rows)} systems with {len(rows)} accounts[/dim]")
-            return
-
-        # Actually import
+        # Connect and build lookup tables for name resolution
         with get_client() as client:
             client.authenticate()
 
+            console.print("[dim]Loading workgroups, platforms, functional accounts...[/dim]")
+
+            # Build name -> ID lookup tables
+            workgroups = client.list_workgroups()
+            workgroup_lookup = {w.get("Name", ""): w.get("ID") for w in workgroups}
+
+            platforms = client.list_platforms()
+            platform_lookup = {p.get("Name", ""): p.get("PlatformID") for p in platforms}
+
+            func_accounts = client.list_functional_accounts()
+            # Use DisplayName as the primary lookup key, also add AccountName as fallback
+            func_acct_lookup = {}
+            for f in func_accounts:
+                fa_id = f.get("FunctionalAccountID")
+                # Primary: DisplayName (e.g., "Linux - Local")
+                if f.get("DisplayName"):
+                    func_acct_lookup[f["DisplayName"]] = fa_id
+                # Fallback: AccountName (e.g., "svc_passwordsafe")
+                if f.get("AccountName"):
+                    func_acct_lookup[f["AccountName"]] = fa_id
+
+            # Resolve workgroup override
+            wg_override_id = None
+            if workgroup_override:
+                # Try as ID first
+                try:
+                    wg_override_id = int(workgroup_override)
+                except ValueError:
+                    wg_override_id = _resolve_name_to_id(workgroup_override, workgroup_lookup, "workgroup")
+                    if not wg_override_id:
+                        print_error(f"Workgroup not found: {workgroup_override}")
+                        console.print("[dim]Available workgroups:[/dim]")
+                        for name in workgroup_lookup.keys():
+                            console.print(f"  - {name}")
+                        raise typer.Exit(1)
+
+            # Validate all rows first
+            errors = []
+            # Support both old column names (backward compat) and new names
+            name_col = "system_name" if "system_name" in rows[0] else "name"
+            wg_col = "workgroup" if "workgroup" in rows[0] else "workgroup_id"
+
+            required = [name_col, "ip_address", "account_name"]
+            if not wg_override_id:
+                required.append(wg_col)
+
+            for i, row in enumerate(rows, 1):
+                row_errors = validate_required_fields(row, required, i)
+                errors.extend(row_errors)
+
+            if errors:
+                print_error("Validation errors:")
+                for err in errors[:20]:
+                    console.print(f"  [red]{err}[/red]")
+                if len(errors) > 20:
+                    console.print(f"  [red]... and {len(errors) - 20} more errors[/red]")
+                raise typer.Exit(1)
+
+            # Group rows by system name
+            systems_rows: dict[str, list[dict]] = {}
+            for row in rows:
+                name = row.get(name_col, "").strip()
+                if name not in systems_rows:
+                    systems_rows[name] = []
+                systems_rows[name].append(row)
+
+            console.print(f"[dim]Found {len(systems_rows)} unique systems with {len(rows)} total accounts[/dim]")
+
+            if dry_run:
+                console.print("\n[yellow]DRY RUN - No changes will be made[/yellow]\n")
+                table = Table(title="Systems to Create")
+                table.add_column("System", style="green")
+                table.add_column("IP", style="cyan")
+                table.add_column("Workgroup", style="yellow")
+                table.add_column("Platform", style="magenta")
+                table.add_column("Accounts", style="blue")
+
+                for name, sys_rows in systems_rows.items():
+                    first = sys_rows[0]
+                    wg_name = first.get(wg_col, "")
+                    plat_name = first.get("platform", first.get("platform_id", "Linux"))
+                    accounts = ", ".join(r["account_name"] for r in sys_rows)
+                    table.add_row(name, first.get("ip_address", ""), wg_name, plat_name, accounts)
+
+                console.print(table)
+                console.print(f"\n[dim]Would create {len(systems_rows)} systems with {len(rows)} accounts[/dim]")
+                return
+
+            # Actually import
             created_systems = 0
             created_accounts = 0
-            system_ids: dict[str, int] = {}  # Map system name to ID
+            system_ids: dict[str, int] = {}
 
             for name, sys_rows in systems_rows.items():
                 first = sys_rows[0]
-                wg_id = workgroup or parse_int(first.get("workgroup_id", ""))
+
+                # Resolve workgroup
+                if wg_override_id:
+                    wg_id = wg_override_id
+                else:
+                    wg_val = first.get(wg_col, "").strip()
+                    try:
+                        wg_id = int(wg_val)
+                    except ValueError:
+                        wg_id = _resolve_name_to_id(wg_val, workgroup_lookup, "workgroup")
 
                 if not wg_id:
-                    print_warning(f"Skipping {name}: No workgroup ID")
+                    print_warning(f"Skipping {name}: Could not resolve workgroup '{first.get(wg_col, '')}'")
+                    continue
+
+                # Resolve platform
+                plat_val = first.get("platform", first.get("platform_id", "")).strip()
+                try:
+                    platform_id = int(plat_val) if plat_val else 2
+                except ValueError:
+                    platform_id = _resolve_name_to_id(plat_val, platform_lookup, "platform") or 2
+
+                # Resolve functional account
+                func_val = first.get("functional_account", first.get("functional_account_id", "")).strip()
+                func_acct_id = None
+                if func_val:
+                    try:
+                        func_acct_id = int(func_val)
+                    except ValueError:
+                        func_acct_id = _resolve_name_to_id(func_val, func_acct_lookup, "functional account")
+
+                # Get auto_manage flag early for validation
+                auto_manage = parse_bool(first.get("auto_manage", ""))
+
+                # Validate auto_manage + functional account combination
+                if auto_manage and func_val and not func_acct_id:
+                    print_warning(f"Skipping {name}: auto_manage=true but functional account '{func_val}' not found")
+                    console.print("[dim]Available functional accounts:[/dim]")
+                    for fa_name in func_acct_lookup.keys():
+                        console.print(f"  - {fa_name}")
+                    continue
+                if auto_manage and not func_val:
+                    print_warning(f"Skipping {name}: auto_manage=true requires a functional_account")
                     continue
 
                 try:
@@ -183,10 +327,7 @@ def import_systems(
 
                     # Create managed system
                     console.print(f"[dim]Creating managed system '{name}'...[/dim]")
-                    platform_id = parse_int(first.get("platform_id", ""), 2)
                     port = parse_int(first.get("port", ""), 22)
-                    func_acct = parse_int(first.get("functional_account_id", ""))
-                    auto_manage = parse_bool(first.get("auto_manage", ""))
                     elevation = first.get("elevation_command", "").strip() or None
 
                     system = client.create_managed_system(
@@ -194,8 +335,8 @@ def import_systems(
                         platform_id=platform_id,
                         asset_id=asset_id,
                         port=port,
-                        functional_account_id=func_acct,
-                        auto_management_flag=auto_manage if func_acct else False,
+                        functional_account_id=func_acct_id,
+                        auto_management_flag=auto_manage if func_acct_id else False,
                         elevation_command=elevation,
                     )
                     system_id = system.get("ManagedSystemID")
@@ -214,7 +355,7 @@ def import_systems(
                             system_id=system_id,
                             account_name=account_name,
                             password=password,
-                            auto_management_flag=auto_manage if func_acct else False,
+                            auto_management_flag=auto_manage if func_acct_id else False,
                         )
                         account_id = account.get("ManagedAccountID")
                         created_accounts += 1
@@ -301,13 +442,11 @@ def import_secrets(
         with get_client() as client:
             client.authenticate()
 
-            # Get all folders to map paths to IDs
+            # Build folder path -> ID map from safes and folders
+            console.print("[dim]Loading safes and folders...[/dim]")
+            safes = client.list_safes()
             all_folders = client.list_folders()
-            folder_map: dict[str, int] = {}
-            for f in all_folders:
-                path = f.get("FolderPath", "") or f.get("Name", "")
-                if path:
-                    folder_map[path.lower()] = f.get("Id")
+            folder_map = _build_folder_path_map(safes, all_folders)
 
             created = 0
             for row in rows:
@@ -318,6 +457,11 @@ def import_secrets(
                 folder_id = folder_map.get(folder_path.lower())
                 if not folder_id:
                     print_warning(f"Folder not found: {folder_path}, skipping {title}")
+                    console.print("[dim]Available folder paths:[/dim]")
+                    for path in sorted(folder_map.keys())[:10]:
+                        console.print(f"  - {path}")
+                    if len(folder_map) > 10:
+                        console.print(f"  ... and {len(folder_map) - 10} more")
                     continue
 
                 try:
@@ -355,22 +499,46 @@ def export_systems(
     file: str = typer.Option("pws-systems-template.csv", "--file", "-f", help="Output file path"),
     sample: bool = typer.Option(True, "--sample/--no-sample", help="Export sample template (default) or current data"),
 ) -> None:
-    """Export sample systems CSV template.
+    """Export systems CSV template or current data.
+
+    Uses human-readable NAMES for workgroup, platform, functional_account.
 
     Examples:
         bt pws export systems --file systems-template.csv
-        bt pws export systems --file systems-template.csv --sample
+        bt pws export systems --file current-systems.csv --no-sample
     """
     try:
         if sample:
             write_csv(file, SYSTEMS_SAMPLE, SYSTEMS_COLUMNS)
             print_success(f"Sample systems template exported to: {file}")
             console.print(f"[dim]Contains {len(SYSTEMS_SAMPLE)} example rows[/dim]")
+            console.print("\n[dim]Column descriptions:[/dim]")
+            console.print("  system_name        - Unique name for the managed system")
+            console.print("  ip_address         - IP or hostname")
+            console.print("  workgroup          - Workgroup NAME (run: bt pws workgroups list)")
+            console.print("  platform           - Platform NAME, partial match OK (run: bt pws platforms list)")
+            console.print("  port               - Connection port (22 for SSH, 5985 for WinRM)")
+            console.print("  functional_account - Functional account NAME for auto-management (bt pws functional list)")
+            console.print("  elevation_command  - 'sudo' or other elevation command (optional)")
+            console.print("  auto_manage        - true=PWS rotates password, false=manual management")
+            console.print("  account_name       - Account username to manage")
+            console.print("  account_password   - Required if auto_manage=false, empty if auto_manage=true")
+            console.print("  account_description- Description for the account")
         else:
-            # Export actual data from API
+            # Export actual data from API with names resolved
             with get_client() as client:
                 client.authenticate()
 
+                # Build ID -> name lookup tables
+                workgroups = client.list_workgroups()
+                wg_names = {w.get("ID"): w.get("Name", "") for w in workgroups}
+
+                platforms = client.list_platforms()
+                plat_names = {p.get("PlatformID"): p.get("Name", "") for p in platforms}
+
+                func_accounts = client.list_functional_accounts()
+                func_names = {f.get("FunctionalAccountID"): f.get("FunctionalAccountName", "") for f in func_accounts}
+
                 systems = client.list_managed_systems()
                 rows = []
 
@@ -378,14 +546,18 @@ def export_systems(
                     system_id = sys.get("ManagedSystemID")
                     accounts = client.list_managed_accounts(system_id=system_id)
 
+                    wg_id = sys.get("WorkgroupID")
+                    plat_id = sys.get("PlatformID")
+                    func_id = sys.get("FunctionalAccountID")
+
                     for acc in accounts:
                         rows.append({
-                            "name": sys.get("SystemName", ""),
+                            "system_name": sys.get("SystemName", ""),
                             "ip_address": sys.get("IPAddress", ""),
-                            "workgroup_id": str(sys.get("WorkgroupID", "")),
-                            "platform_id": str(sys.get("PlatformID", "")),
+                            "workgroup": wg_names.get(wg_id, str(wg_id or "")),
+                            "platform": plat_names.get(plat_id, str(plat_id or "")),
                             "port": str(sys.get("Port", "")),
-                            "functional_account_id": str(sys.get("FunctionalAccountID", "") or ""),
+                            "functional_account": func_names.get(func_id, "") if func_id else "",
                             "elevation_command": sys.get("ElevationCommand", "") or "",
                             "auto_manage": "true" if sys.get("AutoManagementFlag") else "false",
                             "account_name": acc.get("AccountName", ""),
@@ -419,22 +591,25 @@ def export_secrets(
             write_csv(file, SECRETS_SAMPLE, SECRETS_COLUMNS)
             print_success(f"Sample secrets template exported to: {file}")
             console.print(f"[dim]Contains {len(SECRETS_SAMPLE)} example rows[/dim]")
+            console.print("\n[dim]Column descriptions:[/dim]")
+            console.print("  folder_path  - Full path: SafeName/FolderName (run: bt pws secrets folders list)")
+            console.print("  title        - Unique title for the secret")
+            console.print("  username     - Username/identifier (optional)")
+            console.print("  password     - Password/secret value")
+            console.print("  description  - Description of the secret")
+            console.print("  notes        - Additional notes (can be JSON)")
         else:
             # Export actual data from API
             with get_client() as client:
                 client.authenticate()
 
                 secrets = client.list_secrets()
-                folders = client.list_folders()
-
-                # Map folder IDs to paths
-                folder_paths = {f.get("Id"): f.get("FolderPath", "") or f.get("Name", "") for f in folders}
 
                 rows = []
                 for s in secrets:
-                    folder_id = s.get("FolderId")
+                    # Secrets have FolderPath directly (e.g., "SafeName/FolderName")
                     rows.append({
-                        "folder_path": folder_paths.get(folder_id, ""),
+                        "folder_path": s.get("FolderPath", "") or s.get("Folder", ""),
                         "title": s.get("Title", ""),
                         "username": s.get("Username", "") or "",
                         "password": "",  # Don't export passwords

bt_cli/pws/commands/secrets.py

@@ -568,7 +568,7 @@ def print_secrets_table(secrets: list[dict], title: str = "Secrets") -> None:
     table.add_column("ID", style="cyan", no_wrap=True, max_width=36)
     table.add_column("Title", style="green")
     table.add_column("Username", style="yellow")
-    table.add_column("Folder", style="blue")
+    table.add_column("Folder Path", style="blue")
     table.add_column("Modified", style="dim")
 
     for secret in secrets:
@@ -576,7 +576,7 @@ def print_secrets_table(secrets: list[dict], title: str = "Secrets") -> None:
             secret.get("Id", "")[:36],
             secret.get("Title", ""),
             secret.get("Username", "-"),
-            secret.get("Folder", secret.get("FolderPath", "-")),
+            secret.get("FolderPath", secret.get("Folder", "-")),
             str(secret.get("ModifiedOn", "-"))[:19],
         )
 
@@ -653,7 +653,7 @@ def get_secret(
                 console.print(f"  Password: {secret.get('Password', '-')}")
             else:
                 console.print("  Password: ********")
-            console.print(f"  Folder: {secret.get('Folder', secret.get('FolderPath', '-'))}")
+            console.print(f"  Folder Path: {secret.get('FolderPath', secret.get('Folder', '-'))}")
             console.print(f"  Description: {secret.get('Description', '-') or '-'}")
             if secret.get("Notes"):
                 console.print(f"  Notes: {secret.get('Notes')}")
@@ -961,7 +961,7 @@ def get_text_secret(
         else:
             console.print(f"\n[bold cyan]Text Secret: {secret.get('Title', 'Unknown')}[/bold cyan]\n")
             console.print(f"  ID: {secret.get('Id', 'N/A')}")
-            console.print(f"  Folder: {secret.get('Folder', secret.get('FolderPath', '-'))}")
+            console.print(f"  Folder Path: {secret.get('FolderPath', secret.get('Folder', '-'))}")
             console.print(f"  Description: {secret.get('Description', '-') or '-'}")
             if show_text:
                 console.print(f"  Text Content:\n{secret.get('Password', '-')}")
@@ -1065,7 +1065,7 @@ def get_file_secret(
             console.print(f"\n[bold cyan]File Secret: {secret.get('Title', 'Unknown')}[/bold cyan]\n")
             console.print(f"  ID: {secret.get('Id', 'N/A')}")
             console.print(f"  FileName: {secret.get('FileName', '-')}")
-            console.print(f"  Folder: {secret.get('Folder', secret.get('FolderPath', '-'))}")
+            console.print(f"  Folder Path: {secret.get('FolderPath', secret.get('Folder', '-'))}")
             console.print(f"  Description: {secret.get('Description', '-') or '-'}")
             console.print(f"  Created: {secret.get('CreatedOn', '-')}")
             console.print(f"  Modified: {secret.get('ModifiedOn', '-')}")

{bt_cli-0.4.13.dist-info → bt_cli-0.4.21.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bt-cli
-Version: 0.4.13
+Version: 0.4.21
 Summary: BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM
 Author-email: Dave Grendysz <dgrendysz@beyondtrust.com>
 License: MIT
@@ -23,8 +23,9 @@ Requires-Dist: httpx>=0.27.0
 Requires-Dist: pydantic>=2.0.0
 Requires-Dist: python-dotenv>=1.0.0
 Requires-Dist: pyyaml>=6.0.0
-Requires-Dist: rich<15.0.0,>=13.7.0
+Requires-Dist: rich<14.0.0,>=13.7.0
 Requires-Dist: shellingham>=1.5.0
+Requires-Dist: truststore>=0.8.0; python_version >= '3.10'
 Requires-Dist: typer<1.0.0,>=0.12.0
 Provides-Extra: all
 Requires-Dist: keyring>=24.0.0; extra == 'all'

{bt_cli-0.4.13.dist-info → bt_cli-0.4.21.dist-info}/RECORD

@@ -1,14 +1,14 @@
-bt_cli/__init__.py,sha256=2Ec_fVFIfrTcwoI2dlXG3AashEKBkbaNUp9YUdyZiOw,61
-bt_cli/cli.py,sha256=-V7Q_DcP7Ryw-mRBLMyj-iwlFpof8_eLgFAx-fN5seM,29640
+bt_cli/__init__.py,sha256=U7QGvJ3oZ-05cWQBNsFcsNb9PBwey_czwwhL4aqBcqo,61
+bt_cli/cli.py,sha256=Fd-p9O2IR-LJfDewkQbLRE6tPe9FVLkGJgUHup2Z08Q,30254
 bt_cli/commands/__init__.py,sha256=Wrf3ZV1sf7JCilbv93VqoWWTyj0d-y4saAaVFD5apU8,38
-bt_cli/commands/configure.py,sha256=f3tn09eRDqlGQIq1gpuxj984S4CARYbmKI4XrqxPAAM,14270
+bt_cli/commands/configure.py,sha256=WElK9grslla0_rqdAmDh0vYpLVH5jP21l1fiYl7vvOw,14364
 bt_cli/commands/learn.py,sha256=BHt4bTH3orQfR-eB9FMGPQZVfTrwakHNYi0QkHQLOy0,7228
 bt_cli/commands/quick.py,sha256=cAQfJgkdxJcWZ4OLasmWoXVyiDjydwD6Nv0AyKLqsNc,32806
 bt_cli/core/__init__.py,sha256=Yv_0gTKQcbEYNbNQ07YiK4sC8ueHktI-D20YlPWlT7g,49
 bt_cli/core/auth.py,sha256=-vzGCgk2ZOsHExZBcxMHer68K3Bi0RMWF-17wtIZvsg,6723
 bt_cli/core/client.py,sha256=pGxk5vI-U5_csiwBvMr_YwloOTmmWuFhX9TAA9ynoZw,8808
 bt_cli/core/config.py,sha256=lQZgNH858HCIuizyDDFU0Bs1VbHjy3vaA2OthVgc7-w,13485
-bt_cli/core/config_file.py,sha256=I0RdHJEW4ytc2onNcsTGjCnetSuVCNzKA7-tTTIvU8M,13163
+bt_cli/core/config_file.py,sha256=k7yH-M53fEt9ahQBABWCcd9CBdfwjwGK20chNndF_UQ,13740
 bt_cli/core/csv_utils.py,sha256=L7i-YGSeQV9RnzanKSQM1yvXgkmaQCpBoxUk9fV6RLg,2412
 bt_cli/core/errors.py,sha256=-LWipqdn8w-FMAC1W1jFbTMAlooiJqmyuR5j1VWMPyM,8783
 bt_cli/core/output.py,sha256=ACazDf3XAfJhAlns5fh6bQXkRIIGlBFuq1z2M-IBrwQ,5156
@@ -17,13 +17,13 @@ bt_cli/core/rest_debug.py,sha256=7KsqsrsPXUqaYLePjZbwnoqMcg5ivJgYGS35ygaeLfM,597
 bt_cli/data/CLAUDE.md,sha256=3Y_afs1RGTKLkn4Vr9wMKiReIr4EEtBdjFrqSs2NymQ,3228
 bt_cli/data/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 bt_cli/data/skills/bt/SKILL.md,sha256=DZTvRtSYjiDxDbg7WTpgklYs5Dn-2Z-9w3X8RQJbGNo,3077
-bt_cli/data/skills/entitle/SKILL.md,sha256=yOHP9U_1vKh1yLmrAqKl4rNo16n4f3hia0xj_ZJRRYM,4413
+bt_cli/data/skills/entitle/SKILL.md,sha256=_Koad7n6zTfEafbBiSJgRlEoDjXxKv7mGWAX99_l-d0,5529
 bt_cli/data/skills/epmw/SKILL.md,sha256=brfIXR9MnB5_FwRa-SyX1TwqVRyefgtr2foQfErpVVA,3541
 bt_cli/data/skills/pra/SKILL.md,sha256=-LTUJvjvLvZn0rMmy0KOeEBtUsotjbHvXX3RCk7mDBw,3749
 bt_cli/data/skills/pws/SKILL.md,sha256=lrOIN06hVrbHfph5rdu78W5N4UKzjrjuHxcJG4eK5hA,5401
 bt_cli/entitle/__init__.py,sha256=l2fasFHO_0zgCS1FgmGdAikumU8QimpaFD9Gvh3Jyqg,30
 bt_cli/entitle/client/__init__.py,sha256=kIQohXlEFGrRAyVWMO9GdESrnAg5J4dmoyJQ6q9NxSo,114
-bt_cli/entitle/client/base.py,sha256=Jov6v7iM8DZ6o_DL7esBpdnYyM-WVFzI8u_0Bjh9MgA,14623
+bt_cli/entitle/client/base.py,sha256=s8odTU0tZ32RLdkiDCVxt-8ctZIDePkPfez-nPvIMvU,14704
 bt_cli/entitle/commands/__init__.py,sha256=07FdoMmXaJwmgqwPM24Qyzojt4Xcrqmf8KWmNSiGtBg,1009
 bt_cli/entitle/commands/accounts.py,sha256=26C8NQg9ZajVjwsfpjoZ1ZChy8d8oikL-Ndc2C8g3GA,1872
 bt_cli/entitle/commands/applications.py,sha256=m2khdc0eUlb2OctjFIB_CtPU0omECjEB4_verrD58s0,1139
@@ -34,7 +34,7 @@ bt_cli/entitle/commands/permissions.py,sha256=GJD-Lv0jCQ6XJknD1KhYcE-kwwFCO_eAK0
 bt_cli/entitle/commands/policies.py,sha256=H1GF7Q2pvF9ukkpX2mhyq7Mm4w-L2PX33yvOKyBJ-tE,3396
 bt_cli/entitle/commands/resources.py,sha256=SnIndzmoHt8Sr1N_1FPacHx1laDRpC4LhOHwRSuk-Hk,4791
 bt_cli/entitle/commands/roles.py,sha256=6Jw0tXO26MclrHeIJ1CFLmGTT9Sj5RhGmbuMPxG2DNU,2320
-bt_cli/entitle/commands/users.py,sha256=C7BQ_8X2Hv6c6WfO86BGBdKCf-pU0NCxhaCHJNk5Np0,4152
+bt_cli/entitle/commands/users.py,sha256=Epv_2B0lUdmw1SOki2uGIXT5ln2eso1QAj0vmFy33qA,4433
 bt_cli/entitle/commands/workflows.py,sha256=voroHo_vLKveXoqOkwSy-8WkALr7hjOY5GvYEA2poDw,6944
 bt_cli/entitle/models/__init__.py,sha256=ThEQ_r4GbdxGjuzqng-MXms2brxF8XM6o7TS9tmiwDc,620
 bt_cli/entitle/models/bundle.py,sha256=v5vFZI8baaF01chtc8hEQLKyCRNo_RoHtpz8VDNb8sc,787
@@ -55,7 +55,7 @@ bt_cli/epmw/commands/auth.py,sha256=2oC3h01_eh4XyEvsar_ffJAqGKXGE_PrhHQJWFswlN8,
 bt_cli/epmw/commands/computers.py,sha256=K0eBd8HOaVCe8hhHPlUuqCrZduhPuvwlkxdYt6YjJxM,4146
 bt_cli/epmw/commands/events.py,sha256=not-9_poxQWRBB4sqZSzJo6031A3IZTdg6uAl2Agk2g,7707
 bt_cli/epmw/commands/groups.py,sha256=PaMcjqfr2b3xS3W3V2A9CFTlMOAs38UmJbi5LKXbbg0,6759
-bt_cli/epmw/commands/policies.py,sha256=mCewGU2Sr9H628JIrW9fMJfG0xeI137NaVIPRdQTmkM,24103
+bt_cli/epmw/commands/policies.py,sha256=0jFQ-ZLzTAC6rPbMWL3DfWm0jdgvE2iwR_dHUHI-QG4,24600
 bt_cli/epmw/commands/quick.py,sha256=X2iTwnDgAvatW8wVY4nqQztLmIEoGmbn1YeCVwHyvzY,13876
 bt_cli/epmw/commands/requests.py,sha256=qcx6MsPXVm2UkaBIkhpf3RZh6Lo-BBz2OPF4Tl3h4p8,8251
 bt_cli/epmw/commands/roles.py,sha256=WYAelLUwzJkBB7rlKoR4FqSxfdoDjV310KcNl6ixCCM,2396
@@ -102,11 +102,11 @@ bt_cli/pws/commands/credentials.py,sha256=p1efDBCI35exGS-6iHQ5IHBQIo0TJMfWuCBoek
 bt_cli/pws/commands/databases.py,sha256=hHGg7hNtE5mwClCpWoSmVSB1-LdY3PORu9iMRuhbxOg,11961
 bt_cli/pws/commands/directories.py,sha256=NBZfivK-gh3BlC7nXyM_iWeE-qjPIPMlsptkNGtsQJk,7985
 bt_cli/pws/commands/functional.py,sha256=C9iMSjNfG2VF-kDAM8a3rlMwp_wMePZpGRPNWwkSTBI,12705
-bt_cli/pws/commands/import_export.py,sha256=JVYdul4geotAmwkfV04cMHuQD_KVyJ7EYIPbf2FibXg,18536
+bt_cli/pws/commands/import_export.py,sha256=jGrGqInxmWAGWVdUxVBt1hHtu_CqmXO65oV5RoUsaAA,27395
 bt_cli/pws/commands/platforms.py,sha256=1NZM8BFMG8-AL3AzRZjU0X8zZwt584Z4FOxQf6mGemc,3999
 bt_cli/pws/commands/quick.py,sha256=3i985r7A8_0zhXTDNxG9NLbGHXlXAAxZL2tMyAAIUyg,70769
 bt_cli/pws/commands/search.py,sha256=6AHJgk30mLneviODOYX4xL9VwPZo1bDUoix3oC99LMM,9875
-bt_cli/pws/commands/secrets.py,sha256=ig3V-CzenF-8YCle_LbszA6-cOj96LCwghUPDd1_Veg,51644
+bt_cli/pws/commands/secrets.py,sha256=-8WInmkRxhq2kESDyMwvtx3hS7OvB-60-puj_2GnH_4,51664
 bt_cli/pws/commands/systems.py,sha256=UFWNgyfI--NjKXqSWVbw_g_Ar_td4-Roa0tK1AJSuQE,16905
 bt_cli/pws/commands/users.py,sha256=yMMC1I32QOjsMr2taU4qD7WajdJ7W3mNDQITbqKCEP4,14078
 bt_cli/pws/commands/workgroups.py,sha256=fvjGniHE6T_oktQSvGhjFXeeDxeubkJXTwR4RNtrA4E,6080
@@ -115,7 +115,7 @@ bt_cli/pws/models/account.py,sha256=OSCMyULPOH1Yu2WOzK0ZQhSRrggGpb2JPHScwGLqUgI,
 bt_cli/pws/models/asset.py,sha256=Fl0AlR4_9Yyyu36FL1eKF29DNsxsB-r7FaOBRlfOg2Q,4081
 bt_cli/pws/models/common.py,sha256=D9Ah4ob5CIiFhTt_IR9nF2cBWRHS2z9OyBR2Sss5yzw,3487
 bt_cli/pws/models/system.py,sha256=D_J0x1A92H2n6BsaBEK9PSAAcs3BTifA5-M9SQqQFGA,5856
-bt_cli-0.4.13.dist-info/METADATA,sha256=42cb2_7fGR8F0GZYH7oUvoc7H0mgfBSjm3chxB2NJFY,11803
-bt_cli-0.4.13.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-bt_cli-0.4.13.dist-info/entry_points.txt,sha256=NCOEqTI-XKpJOux0JKKhbRElz0B7upayh_d99X5hoLs,38
-bt_cli-0.4.13.dist-info/RECORD,,
+bt_cli-0.4.21.dist-info/METADATA,sha256=0riXjVaI5llOe8bbYGWGF0bxg1YwznhX0DUadjOqLhs,11862
+bt_cli-0.4.21.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+bt_cli-0.4.21.dist-info/entry_points.txt,sha256=NCOEqTI-XKpJOux0JKKhbRElz0B7upayh_d99X5hoLs,38
+bt_cli-0.4.21.dist-info/RECORD,,