bt-cli 0.4.13__py3-none-any.whl

bt_cli/data/skills/epmw/SKILL.md

@@ -0,0 +1,144 @@
+---
+name: epmw
+description: EPM Windows commands for endpoint privilege management. Use when working with Windows computers, policies, admin access requests, or audit logs.
+---
+
+# EPM Windows Commands (`bt epmw`)
+
+## IMPORTANT: Destructive Operations
+
+**ALWAYS confirm with the user before:**
+- `bt epmw computers archive` - Archives computer from management
+- `bt epmw groups delete` - Deletes computer group
+- `bt epmw policies delete` - Deletes policy
+- `bt epmw quick stale --delete` - Deletes stale computers
+
+List affected resources first, then ask for explicit confirmation.
+
+## Quick Commands
+
+```bash
+# Find stale computers (not checked in recently)
+bt epmw quick stale                     # 24+ hours
+bt epmw quick stale --hours 48          # 48+ hours
+bt epmw quick stale -h 12 -g "Workstations"
+
+# Delete stale computers
+bt epmw quick stale --delete            # With confirmation
+bt epmw quick stale --delete --force    # Skip confirmation
+
+# Find disconnected computers
+bt epmw quick disconnected
+bt epmw quick disconnected -g "Servers"
+
+# Status summary by group
+bt epmw quick status
+bt epmw quick status -g "Datacenter"
+```
+
+## Computers
+
+```bash
+bt epmw computers list
+bt epmw computers list -o json
+bt epmw computers get <computer_id>
+bt epmw computers delete <computer_id>
+bt epmw computers archive <computer_id>
+bt epmw computers unarchive <computer_id>
+```
+
+## Groups
+
+```bash
+bt epmw groups list
+bt epmw groups get <group_id>
+bt epmw groups create --name "NewGroup" --description "Description"
+bt epmw groups update <group_id> --name "UpdatedName"
+bt epmw groups delete <group_id>
+bt epmw groups assign-policy <group_id> --policy <policy_id>
+bt epmw groups assign-computers <group_id> --computers <id1>,<id2>
+```
+
+## Policies
+
+```bash
+bt epmw policies list
+bt epmw policies get <policy_id>
+bt epmw policies groups <policy_id>      # Show assigned groups
+
+# Download policy XML (for template)
+bt epmw policies download <policy_id> > template.xml
+
+# Create policy from XML
+bt epmw policies create -n "My Policy" -f template.xml
+
+# Policy revisions
+bt epmw policies revisions list <policy_id>
+bt epmw policies revisions get <policy_id> <revision_id>
+bt epmw policies revisions upload <policy_id> -f policy.xml
+```
+
+## Admin Access Requests
+
+```bash
+bt epmw requests list
+bt epmw requests get <request_id>
+bt epmw requests create --computer <id> --duration 30 --reason "Maintenance"
+bt epmw requests approve <request_id>
+bt epmw requests deny <request_id> --reason "Not authorized"
+```
+
+## Users & Roles
+
+```bash
+bt epmw users list
+bt epmw users get <user_id>
+bt epmw users create --username "newuser" --email "user@example.com"
+bt epmw users enable <user_id>
+bt epmw users disable <user_id>
+bt epmw users assign-roles <user_id> --roles <role1>,<role2>
+
+bt epmw roles list
+bt epmw roles get <role_id>
+```
+
+## Audits
+
+```bash
+# Activity audits
+bt epmw audits activity list
+bt epmw audits activity get <audit_id>
+
+# Authorization requests
+bt epmw audits authorization list
+bt epmw audits authorization get <audit_id>
+
+# Request audits
+bt epmw audits requests list
+bt epmw audits requests get <audit_id>
+```
+
+## Discover IDs
+
+```bash
+# Find group IDs
+bt epmw groups list
+
+# Find computer IDs
+bt epmw computers list
+
+# Find policy IDs
+bt epmw policies list
+
+# Find user IDs
+bt epmw users list
+```
+
+## API Notes
+
+- Base path: `/management-api/v3`
+- Token endpoint: `/oauth/token`
+- Pagination: `pageNumber`/`pageSize`
+- Response: `{"data": [...], "totalCount": N}`
+- All IDs are UUIDs
+- Delete returns 405 - use archive instead

bt_cli/data/skills/pra/SKILL.md

@@ -0,0 +1,150 @@
+---
+name: pra
+description: Privileged Remote Access commands for jump items, vault accounts, and remote sessions. Use when working with PRA shell jumps, RDP, protocol tunnels, or SSH CA authentication.
+---
+
+# PRA Commands (`bt pra`)
+
+## IMPORTANT: Destructive Operations
+
+**ALWAYS confirm with the user before:**
+- `bt pra jump-items shell delete` - Deletes shell jump item
+- `bt pra jump-items rdp delete` - Deletes RDP jump item
+- `bt pra jump-items tunnel delete` - Deletes protocol tunnel
+- `bt pra jump-groups delete` - Deletes jump group
+- `bt pra vault accounts delete` - Deletes vault account
+
+List affected resources first, then ask for explicit confirmation.
+
+## Quick Commands
+
+```bash
+# Vault credential checkout
+bt pra quick vault                      # Interactive - shows accounts, prompts
+bt pra quick vault -n "server-admin"
+bt pra quick vault -n postgres --raw
+
+# Search jump items and vault
+bt pra quick search axion
+bt pra quick search admin -o json
+```
+
+## Jump Items
+
+### Shell Jump (SSH/Telnet)
+
+```bash
+bt pra jump-items shell list
+bt pra jump-items shell get <jump_item_id>
+bt pra jump-items shell create \
+    --name "web-server-01" \
+    --hostname "10.0.1.50" \
+    --jumpoint <jumpoint_id> \
+    --jump-group <jump_group_id> \
+    --protocol ssh \
+    --port 22 \
+    --username "admin"
+bt pra jump-items shell delete <jump_item_id>
+```
+
+### RDP Jump
+
+```bash
+bt pra jump-items rdp list
+bt pra jump-items rdp get <jump_item_id>
+bt pra jump-items rdp create \
+    --name "win-server-01" \
+    --hostname "10.0.2.10" \
+    --jumpoint <jumpoint_id> \
+    --jump-group <jump_group_id> \
+    --port 3389
+```
+
+### Protocol Tunnels (TCP/MSSQL/K8s)
+
+```bash
+bt pra jump-items tunnel list
+bt pra jump-items tunnel create \
+    --name "production-k8s" \
+    --hostname "k8s-api.example.com" \
+    --jumpoint <jumpoint_id> \
+    --jump-group <jump_group_id> \
+    --type k8s \
+    --url "https://k8s-api.example.com:6443" \
+    --ca-cert "$(cat /path/to/ca.crt)"
+```
+
+## Jump Groups
+
+```bash
+bt pra jump-groups list
+bt pra jump-groups get <group_id>
+bt pra jump-groups create \
+    --name "Customer-05" \
+    --code-name customer05 \
+    --comments "New customer environment"
+bt pra jump-groups delete <group_id>
+```
+
+## Vault Accounts
+
+```bash
+bt pra vault accounts list
+bt pra vault accounts get <account_id>
+bt pra vault accounts checkout <account_id>
+bt pra vault accounts checkin <account_id>
+bt pra vault accounts rotate <account_id>
+
+# SSH CA - get public key for provisioning
+bt pra vault accounts get-public-key <ssh_ca_account_id>
+```
+
+## SSH CA Authentication
+
+PRA supports SSH CA for ephemeral access - no static keys on hosts.
+
+```bash
+# Find SSH CA vault accounts
+bt pra vault accounts list | grep -i ssh
+
+# Get CA public key (ready for authorized_keys)
+bt pra vault accounts get-public-key <ssh_ca_account_id>
+# Output: cert-authority ssh-rsa AAAAB3NzaC1yc2E...
+
+# Provision EC2 with SSH CA
+PRA_CA_KEY=$(bt pra vault accounts get-public-key <ssh_ca_account_id>)
+# Embed in user-data script for EC2
+```
+
+## CSV Import/Export
+
+```bash
+bt pra export jump-items --file jump-items-template.csv
+bt pra export vault-accounts --file vault-accounts-template.csv
+bt pra import jump-items --file jump-items.csv --dry-run
+bt pra import jump-items --file jump-items.csv
+```
+
+## Discover IDs
+
+```bash
+# Find jumpoint IDs
+bt pra jumpoint list
+
+# Find jump group IDs
+bt pra jump-groups list
+
+# Find vault account IDs
+bt pra vault accounts list
+
+# Find vault account group IDs
+bt pra vault groups list
+```
+
+## API Notes
+
+- Base path: `/api/config/v1`
+- Pagination: `per_page`/`current_page` (1-indexed)
+- Response: Array directly (pagination in headers)
+- Jump item types have separate endpoints
+- K8s tunnels require Linux jumpoint

bt_cli/data/skills/pws/SKILL.md

@@ -0,0 +1,198 @@
+---
+name: pws
+description: Password Safe commands for credentials, systems, accounts, secrets, and user management. Use when working with PWS checkouts, managed systems, Secrets Safe, or credential rotation.
+---
+
+# Password Safe Commands (`bt pws`)
+
+## IMPORTANT: Destructive Operations
+
+**ALWAYS confirm with the user before:**
+- `bt pws systems delete` - Deletes managed system
+- `bt pws accounts delete` - Deletes managed account
+- `bt pws secrets safes delete` - Deletes entire safe
+- `bt pws secrets folders delete` - Deletes folder and contents
+- `bt pws quick offboard` - Removes system + accounts + asset
+
+List affected resources first, then ask for explicit confirmation.
+
+## Quick Commands (Most Common)
+
+```bash
+# Checkout credentials
+bt pws quick checkout -s "axion-finapp-01" -a "root"
+bt pws quick checkout -s axion -a root --duration 30 --reason "Maintenance"
+PASSWORD=$(bt pws quick checkout -s server -a admin --raw)
+
+# Check in
+bt pws quick checkin 17
+bt pws quick checkin 17 --rotate
+
+# Quick password lookup with auto-checkin
+bt pws quick password -s "axion-finapp-01" -a "root"
+
+# Search systems and accounts
+bt pws quick search axion
+bt pws quick search root -o json
+
+# Rotate password
+bt pws quick rotate -s "axion-finapp-01" -a "root"
+
+# Onboard system (asset + system + account)
+# First find your workgroup and functional account IDs (see "Discover IDs" below)
+bt pws quick onboard -n "my-server" -i "10.0.1.50" -w <workgroup_id>
+bt pws quick onboard -n "web-01" -i "10.0.1.100" -w <workgroup_id> -f <func_acct_id> -e "sudo"
+
+# Offboard system
+bt pws quick offboard -s "my-server"
+bt pws quick offboard -s "web-01" --force
+```
+
+## Systems & Accounts
+
+```bash
+# List systems
+bt pws systems list
+bt pws systems list --workgroup <workgroup_id>
+bt pws systems list -o json
+
+# Get system details
+bt pws systems get <system_id>
+
+# List accounts on a system
+bt pws accounts list --system <system_id>
+bt pws accounts get <account_id>
+```
+
+## Secrets Safe
+
+```bash
+# Safes
+bt pws secrets safes list
+bt pws secrets safes create --name "MyApp" --description "App credentials"
+bt pws secrets safes delete <safe_id>
+
+# Folders
+bt pws secrets folders list
+bt pws secrets folders create --name "Database" --parent <safe_id>
+bt pws secrets folders delete <folder_id>
+
+# Secrets
+bt pws secrets secrets list
+bt pws secrets secrets get <secret_id>
+bt pws secrets secrets create --folder <folder_id> --title "db-admin" \
+    --username "admin" --password "secret123"
+
+# Search secrets
+bt pws quick find-secret database
+bt pws quick get-secret "MySafe/Folder/SecretName"
+PASSWORD=$(bt pws quick get-secret "MySafe/Secret" --raw)
+```
+
+### Storing SSH Private Keys
+
+Use **TEXT type** for SSH keys - simpler retrieval for automation:
+
+```bash
+# Store SSH key as TEXT (recommended for automation)
+bt pws secrets secrets create-text --folder <folder_id> --title "svc-deploy SSH Key" \
+    --file /path/to/id_rsa --description "Deployment service account key"
+
+# Retrieve SSH key (one API call)
+bt pws secrets secrets get <secret_id> --show-password
+
+# Alternative: FILE type (preserves filename metadata)
+bt pws secrets secrets create-file --folder <folder_id> --title "svc-deploy Key" \
+    --file /path/to/id_rsa
+
+# Download FILE type secret
+bt pws secrets secrets download <secret_id> -o /tmp/key
+```
+
+**Note:** TEXT type stores content in Password field (retrieved with `-p`). FILE type requires separate download command.
+
+## Users & Groups
+
+```bash
+bt pws users list
+bt pws users list -s "admin"           # Search
+bt pws users get 4
+bt pws users groups
+bt pws users group 1 --members
+bt pws users roles
+
+# User entitlements report
+bt pws quick user-entitlements dave
+```
+
+## Credential Checkout Flow (Manual)
+
+```bash
+# 1. Find system
+bt pws systems list -o json | jq '.[] | select(.SystemName=="my-server")'
+
+# 2. Find account
+bt pws accounts list --system <system_id>
+
+# 3. Checkout
+bt pws credentials checkout --system "my-server" --account "root"
+
+# 4. Get password
+bt pws credentials show <request_id>
+
+# 5. Checkin
+bt pws credentials checkin <request_id>
+```
+
+## CSV Import/Export
+
+```bash
+# Export template
+bt pws export systems --file systems-template.csv
+bt pws export secrets --file secrets-template.csv
+
+# Dry run validation
+bt pws import systems --file systems.csv --dry-run
+
+# Import
+bt pws import systems --file systems.csv
+bt pws import secrets --file secrets.csv
+```
+
+## Discover IDs
+
+```bash
+# Find workgroup IDs
+bt pws workgroups list
+
+# Find platform IDs
+bt pws platforms list
+
+# Find functional account IDs (for auto-management)
+bt pws functional list
+```
+
+## EC2 Systems in AWS
+
+When onboarding EC2 instances to Password Safe, use the **internal AWS DNS name** (not public IP) for reliable connectivity:
+
+```bash
+# Use internal DNS for EC2 systems
+bt pws quick onboard -n "web-prod-01" \
+    -i "ip-10-0-12-45.us-east-1.compute.internal" \
+    -w <workgroup_id> -f <func_acct_id>
+
+# Or set DNS separately
+bt pws systems update <system_id> --dns "ip-10-0-12-45.us-east-1.compute.internal"
+```
+
+**Why internal DNS?**
+- Public IPs change on instance restart
+- Internal DNS resolves correctly from VPC-connected jumpoints
+- Enables ECM integration (PWS system name must match PRA jump item)
+
+## API Notes
+
+- Pagination: `limit`/`offset` (not page/perPage)
+- Response format: `{"TotalCount": N, "Data": [...]}`
+- Asset creation requires workgroup: `POST /Workgroups/{id}/Assets`

bt_cli/entitle/__init__.py

@@ -0,0 +1 @@
+"""Entitle product module."""

bt_cli/entitle/client/__init__.py

@@ -0,0 +1,5 @@
+"""Entitle API client."""
+
+from .base import EntitleClient, get_client
+
+__all__ = ["EntitleClient", "get_client"]