bt-cli 0.4.19__tar.gz → 0.4.22__tar.gz

{bt_cli-0.4.19 → bt_cli-0.4.22}/.claude/skills/entitle/SKILL.md

@@ -14,6 +14,40 @@ description: Entitle commands for JIT access, bundles, workflows, and permission
 
 List affected resources first, then ask for explicit confirmation.
 
+## Performance Tips
+
+**ALWAYS use server-side filters** - never download all data and filter locally.
+
+```bash
+# ✓ FAST - Server-side filtering
+bt entitle permissions list --resource <resource_id>
+bt entitle permissions list --user <user_id>
+bt entitle permissions list --integration <integration_id>
+
+# ✗ SLOW - Downloads ALL 23k+ permissions, filters locally
+bt entitle permissions list | jq 'select(...)'
+bt entitle permissions list -o json | grep "something"
+```
+
+**Available filters for permissions list:**
+
+| Flag | Purpose |
+|------|---------|
+| `--resource -r` | Filter by resource ID |
+| `--user -u` | Filter by user ID |
+| `--integration -i` | Filter by integration ID |
+
+**Dataset size warning:** Entitle can have 20,000+ permissions. Unfiltered queries will be very slow.
+
+**Workflow - Check standing access for a resource:**
+```bash
+# 1. Find resource ID
+bt entitle resources list --integration <integration_id> | grep -i "admin"
+
+# 2. Query permissions with resource filter (fast)
+bt entitle permissions list --resource <resource_id> -o json | jq -r '.[] | "\(.actor.name) | \(.actor.email)"'
+```
+
 ## Integrations & Resources
 
 ```bash

{bt_cli-0.4.19 → bt_cli-0.4.22}/.github/workflows/release.yml

@@ -236,6 +236,9 @@ jobs:
       (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) ||
       (github.event_name == 'workflow_dispatch' && inputs.skip_pypi == false)
 
+    permissions:
+      id-token: write  # Required for trusted publishing to PyPI
+
     environment:
       name: pypi
       url: https://pypi.org/project/bt-cli/

{bt_cli-0.4.19/src/bt_cli/data → bt_cli-0.4.22}/CLAUDE.md

@@ -1,6 +1,6 @@
 # BT-CLI
 
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, and EPM Windows.
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, and EPM Windows. **Version: 0.4.22**
 
 ## Setup
 
@@ -35,6 +35,9 @@ Use these slash commands for detailed product guidance:
 ## Common Patterns
 
 ```bash
+# Version info
+bt version          # or bt --version or bt -V
+
 # All list commands support JSON output
 bt pws systems list -o json
 bt pra jump-items shell list -o json
@@ -61,6 +64,9 @@ PASSWORD=$(bt pws quick checkout -s server -a admin --raw)
 - PRA K8s tunnels: Require Linux jumpoint
 - PWS assets: Must create via workgroup endpoint
 - ECM integration: PWS system name must match PRA jump item name
+- Entitle permissions: Use server-side filters (`--resource`, `--user`, `--integration`) - dataset can be 20k+ records
+- Entitle users: Use `--all` flag only when needed - default fetches first page only
+- Windows builds: Rich must be pinned to `<14.0.0` (Rich 14 has PyInstaller unicode issues)
 
 ## Functional vs Managed Accounts
 

{bt_cli-0.4.19 → bt_cli-0.4.22}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bt-cli
-Version: 0.4.19
+Version: 0.4.22
 Summary: BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM
 Author-email: Dave Grendysz <dgrendysz@beyondtrust.com>
 License: MIT
@@ -23,7 +23,7 @@ Requires-Dist: httpx>=0.27.0
 Requires-Dist: pydantic>=2.0.0
 Requires-Dist: python-dotenv>=1.0.0
 Requires-Dist: pyyaml>=6.0.0
-Requires-Dist: rich<15.0.0,>=13.7.0
+Requires-Dist: rich<14.0.0,>=13.7.0
 Requires-Dist: shellingham>=1.5.0
 Requires-Dist: truststore>=0.8.0; python_version >= '3.10'
 Requires-Dist: typer<1.0.0,>=0.12.0

{bt_cli-0.4.19 → bt_cli-0.4.22}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "bt-cli"
-version = "0.4.19"
+version = "0.4.22"
 description = "BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM"
 readme = "README.md"
 requires-python = ">=3.9"
@@ -39,7 +39,7 @@ dependencies = [
     "typer>=0.12.0,<1.0.0",
     "httpx>=0.27.0",
     "pydantic>=2.0.0",
-    "rich>=13.7.0,<15.0.0",
+    "rich>=13.7.0,<14.0.0",  # Pin to 13.x - Rich 14 has PyInstaller issues
     "python-dotenv>=1.0.0",
     "pyyaml>=6.0.0",
     "shellingham>=1.5.0",

{bt_cli-0.4.19 → bt_cli-0.4.22}/src/bt_cli/__init__.py

@@ -1,3 +1,3 @@
 """BeyondTrust Unified Admin CLI."""
 
-__version__ = "0.4.19"
+__version__ = "0.4.21"

{bt_cli-0.4.19 → bt_cli-0.4.22}/src/bt_cli/cli.py

@@ -139,6 +139,13 @@ except Exception:
     pass  # Quick module not ready yet
 
 
+def _version_callback(value: bool) -> None:
+    """Print version and exit."""
+    if value:
+        print(f"bt-cli version {__version__}")
+        raise typer.Exit()
+
+
 @app.callback()
 def main_callback(
     profile: Optional[str] = typer.Option(
@@ -153,6 +160,13 @@ def main_callback(
         help="Show REST API calls (method, URL, headers, body)",
         envvar="BT_SHOW_REST",
     ),
+    version: bool = typer.Option(
+        False,
+        "--version", "-V",
+        help="Show version and exit",
+        callback=_version_callback,
+        is_eager=True,
+    ),
 ) -> None:
     """BeyondTrust Platform CLI.
 

{bt_cli-0.4.19 → bt_cli-0.4.22}/src/bt_cli/data/skills/entitle/SKILL.md

@@ -14,6 +14,40 @@ description: Entitle commands for JIT access, bundles, workflows, and permission
 
 List affected resources first, then ask for explicit confirmation.
 
+## Performance Tips
+
+**ALWAYS use server-side filters** - never download all data and filter locally.
+
+```bash
+# ✓ FAST - Server-side filtering
+bt entitle permissions list --resource <resource_id>
+bt entitle permissions list --user <user_id>
+bt entitle permissions list --integration <integration_id>
+
+# ✗ SLOW - Downloads ALL 23k+ permissions, filters locally
+bt entitle permissions list | jq 'select(...)'
+bt entitle permissions list -o json | grep "something"
+```
+
+**Available filters for permissions list:**
+
+| Flag | Purpose |
+|------|---------|
+| `--resource -r` | Filter by resource ID |
+| `--user -u` | Filter by user ID |
+| `--integration -i` | Filter by integration ID |
+
+**Dataset size warning:** Entitle can have 20,000+ permissions. Unfiltered queries will be very slow.
+
+**Workflow - Check standing access for a resource:**
+```bash
+# 1. Find resource ID
+bt entitle resources list --integration <integration_id> | grep -i "admin"
+
+# 2. Query permissions with resource filter (fast)
+bt entitle permissions list --resource <resource_id> -o json | jq -r '.[] | "\(.actor.name) | \(.actor.email)"'
+```
+
 ## Integrations & Resources
 
 ```bash

{bt_cli-0.4.19 → bt_cli-0.4.22}/src/bt_cli/entitle/client/base.py

@@ -351,10 +351,10 @@ class EntitleClient:
     # =========================================================================
 
     def list_users(
-        self, search: Optional[str] = None, limit: int = 100
+        self, search: Optional[str] = None, limit: int = 100, max_pages: Optional[int] = None
     ) -> list[dict[str, Any]]:
-        """List all users."""
-        return self.paginate("/users", {"search": search}, page_size=limit)
+        """List users with optional pagination limit."""
+        return self.paginate("/users", {"search": search}, page_size=limit, max_pages=max_pages)
 
     def get_user(self, user_id: str) -> dict[str, Any]:
         """Get a user by ID."""

{bt_cli-0.4.19 → bt_cli-0.4.22}/src/bt_cli/entitle/commands/users.py

@@ -14,7 +14,8 @@ app = typer.Typer(no_args_is_help=True, help="Manage users")
 @app.command("list")
 def list_users(
     search: Optional[str] = typer.Option(None, "--search", "-s", help="Search by email or name"),
-    limit: int = typer.Option(100, "--limit", "-l", help="Maximum results to return"),
+    limit: int = typer.Option(50, "--limit", "-l", help="Results per page"),
+    fetch_all: bool = typer.Option(False, "--all", help="Fetch all results (may be slow for large datasets)"),
     output: str = typer.Option("table", "--output", "-o", help="Output format: table, json"),
 ) -> None:
     """List users in Entitle.
@@ -22,11 +23,14 @@ def list_users(
     Examples:
         bt entitle users list
         bt entitle users list -s "john"
-        bt entitle users list -l 50 -o json
+        bt entitle users list -l 100 --all
+        bt entitle users list -o json
     """
     try:
         with get_client() as client:
-            data = client.list_users(search=search, limit=limit)
+            # Only fetch first page by default, use --all for everything
+            max_pages = None if fetch_all else 1
+            data = client.list_users(search=search, limit=limit, max_pages=max_pages)
 
         if output == "json":
             print_json(data)

{bt_cli-0.4.19 → bt_cli-0.4.22}/src/bt_cli/epmw/commands/quick.py

@@ -10,6 +10,7 @@ from rich.console import Console
 from rich.table import Table
 
 from ...core.output import print_api_error, print_error, print_warning, print_success
+from ...core.prompts import prompt_from_list
 
 app = typer.Typer(no_args_is_help=True, help="Quick commands - common multi-step operations in one command")
 console = Console()
@@ -346,3 +347,180 @@ def group_status(
     except Exception as e:
         print_api_error(e, "quick status")
         raise typer.Exit(1)
+
+
+@app.command("move-computer")
+def move_computer(
+    computer: Optional[str] = typer.Option(None, "--computer", "-c", help="Computer name or ID (partial match for name)"),
+    group: Optional[str] = typer.Option(None, "--group", "-g", help="Target group name or ID"),
+    force: bool = typer.Option(False, "--force", "-f", help="Skip confirmation"),
+    output: str = typer.Option("table", "--output", "-o", help="Output format: table or json"),
+) -> None:
+    """Move a computer to a different group.
+
+    Interactive workflow to change a computer's group membership.
+    Lists computers (optionally filtered), then lists available groups,
+    and moves the selected computer to the selected group.
+
+    Examples:
+        bt epmw quick move-computer                           # Interactive selection
+        bt epmw quick move-computer -c "CorpWS01"             # Filter by computer name
+        bt epmw quick move-computer -c "CorpWS01" -g "Servers"  # Specify both
+        bt epmw quick move-computer -c "CorpWS01" -g "Servers" -f  # Skip confirmation
+    """
+    from ..client import get_client
+
+    try:
+        client = get_client()
+
+        # Step 1: Get and filter computers
+        console.print("[dim]Fetching computers...[/dim]")
+        computers = client.list_computers()
+
+        if not computers:
+            print_error("No computers found")
+            raise typer.Exit(1)
+
+        # Filter by computer name/ID if provided
+        if computer:
+            computer_lower = computer.lower()
+            filtered = [
+                c for c in computers
+                if computer_lower in (c.get("host") or "").lower()
+                or computer_lower in (c.get("id") or "").lower()
+            ]
+            if not filtered:
+                print_error(f"No computers matching '{computer}'")
+                raise typer.Exit(1)
+            computers = filtered
+
+        # Show computers and select one
+        if len(computers) == 1:
+            selected_computer = computers[0]
+            console.print(f"[dim]Found computer: {selected_computer.get('host')}[/dim]")
+        else:
+            # Show list and prompt for selection
+            table = Table(title="Available Computers")
+            table.add_column("#", style="dim", justify="right")
+            table.add_column("Host", style="cyan")
+            table.add_column("Domain", style="yellow")
+            table.add_column("Current Group", style="green")
+            table.add_column("Status", style="magenta")
+
+            for idx, comp in enumerate(computers, 1):
+                table.add_row(
+                    str(idx),
+                    comp.get("host", ""),
+                    comp.get("domain", "") or "-",
+                    comp.get("groupName", "") or "-",
+                    comp.get("connectionStatus", ""),
+                )
+            console.print(table)
+
+            selection = typer.prompt("Select computer number", type=int)
+            if selection < 1 or selection > len(computers):
+                print_error(f"Invalid selection. Choose 1-{len(computers)}")
+                raise typer.Exit(1)
+            selected_computer = computers[selection - 1]
+
+        computer_id = selected_computer.get("id")
+        computer_host = selected_computer.get("host")
+        current_group = selected_computer.get("groupName") or "(No Group)"
+
+        # Step 2: Get and filter groups
+        console.print("[dim]Fetching groups...[/dim]")
+        groups = client.list_groups()
+
+        if not groups:
+            print_error("No groups found")
+            raise typer.Exit(1)
+
+        # Filter by group name/ID if provided
+        if group:
+            group_lower = group.lower()
+            filtered = [
+                g for g in groups
+                if group_lower in (g.get("name") or "").lower()
+                or group_lower in (g.get("id") or "").lower()
+            ]
+            if not filtered:
+                print_error(f"No groups matching '{group}'")
+                raise typer.Exit(1)
+            groups = filtered
+
+        # Show groups and select one
+        if len(groups) == 1:
+            selected_group = groups[0]
+            console.print(f"[dim]Target group: {selected_group.get('name')}[/dim]")
+        else:
+            # Show list and prompt for selection
+            table = Table(title="Available Groups")
+            table.add_column("#", style="dim", justify="right")
+            table.add_column("Name", style="cyan")
+            table.add_column("Computers", style="green", justify="right")
+            table.add_column("Policy", style="yellow")
+
+            for idx, grp in enumerate(groups, 1):
+                table.add_row(
+                    str(idx),
+                    grp.get("name", ""),
+                    str(grp.get("computerCount", 0)),
+                    grp.get("policyName", "") or "-",
+                )
+            console.print(table)
+
+            selection = typer.prompt("Select target group number", type=int)
+            if selection < 1 or selection > len(groups):
+                print_error(f"Invalid selection. Choose 1-{len(groups)}")
+                raise typer.Exit(1)
+            selected_group = groups[selection - 1]
+
+        group_id = selected_group.get("id")
+        group_name = selected_group.get("name")
+
+        # Check if already in target group
+        if current_group == group_name:
+            console.print(f"[yellow]Computer '{computer_host}' is already in group '{group_name}'[/yellow]")
+            raise typer.Exit(0)
+
+        # Step 3: Confirm and move
+        if not force:
+            console.print()
+            console.print(f"[bold]Move computer:[/bold] {computer_host}")
+            console.print(f"[bold]From group:[/bold] {current_group}")
+            console.print(f"[bold]To group:[/bold] {group_name}")
+            console.print()
+            confirm = typer.confirm("Proceed with move?")
+            if not confirm:
+                console.print("[yellow]Cancelled.[/yellow]")
+                raise typer.Exit(0)
+
+        # Perform the move
+        console.print("[dim]Moving computer to group...[/dim]")
+        client.assign_computers_to_group(group_id, [computer_id])
+
+        if output == "json":
+            result = {
+                "computer": {
+                    "id": computer_id,
+                    "host": computer_host,
+                },
+                "previousGroup": current_group,
+                "newGroup": group_name,
+                "success": True,
+            }
+            console.print_json(json.dumps(result, default=str))
+        else:
+            print_success(f"Moved '{computer_host}' from '{current_group}' to '{group_name}'")
+
+    except httpx.HTTPStatusError as e:
+        print_api_error(e, "quick move-computer")
+        raise typer.Exit(1)
+    except httpx.RequestError as e:
+        print_api_error(e, "quick move-computer")
+        raise typer.Exit(1)
+    except typer.Exit:
+        raise
+    except Exception as e:
+        print_api_error(e, "quick move-computer")
+        raise typer.Exit(1)

{bt_cli-0.4.19 → bt_cli-0.4.22}/src/bt_cli/pra/commands/vault.py

@@ -137,13 +137,16 @@ def create_vault_account(
     name: str = typer.Option(..., "--name", "-n", help="Account name"),
     account_type: str = typer.Option(
         ..., "--type", "-t",
-        help="Account type: username_password, ssh, or ssh_ca"
+        help="Account type: username_password, ssh, ssh_ca, or token"
     ),
     username: Optional[str] = typer.Option(None, "--username", "-u", help="Username (for username_password)"),
     password: Optional[str] = typer.Option(None, "--password", "-p", help="Password (for username_password)"),
+    token: Optional[str] = typer.Option(None, "--token", help="Token value (for token type)"),
+    token_file: Optional[str] = typer.Option(None, "--token-file", help="Path to file containing token"),
     private_key: Optional[str] = typer.Option(None, "--private-key", help="SSH private key (for ssh type)"),
     private_key_file: Optional[str] = typer.Option(None, "--private-key-file", help="Path to SSH private key file"),
     description: Optional[str] = typer.Option(None, "--description", "-d", help="Account description"),
+    account_group_id: Optional[int] = typer.Option(None, "--group-id", "-g", help="Vault Account Group ID"),
     personal: bool = typer.Option(False, "--personal", help="Mark as personal account"),
     output: OutputFormat = typer.Option(OutputFormat.JSON, "--output", "-o"),
 ):
@@ -158,20 +161,29 @@ def create_vault_account(
 
         # Create SSH CA account (for certificate-based auth)
         bt pra vault accounts create -n "ssh-ca" -t ssh_ca --private-key-file /path/to/ca_key
+
+        # Create token account (API keys, bearer tokens, etc.)
+        bt pra vault accounts create -n "api-key" -t token --token "sk-abc123..."
+
+        # Create token account from file
+        bt pra vault accounts create -n "service-token" -t token --token-file /path/to/token.txt
     """
     from bt_cli.pra.client import get_client
     from pathlib import Path
 
-    # Validate account type
-    valid_types = ["username_password", "ssh", "ssh_ca"]
+    # Validate account type (token maps to opaque_token in API)
+    valid_types = ["username_password", "ssh", "ssh_ca", "token"]
     if account_type not in valid_types:
         print_error(f"Invalid account type '{account_type}'. Must be one of: {', '.join(valid_types)}")
         raise typer.Exit(1)
 
+    # Map 'token' to API type 'opaque_token'
+    api_type = "opaque_token" if account_type == "token" else account_type
+
     # Build account data
     data = {
         "name": name,
-        "type": account_type,
+        "type": api_type,
     }
 
     if username:
@@ -180,9 +192,21 @@ def create_vault_account(
         data["password"] = password
     if description:
         data["description"] = description
+    if account_group_id:
+        data["account_group_id"] = account_group_id
     if personal:
         data["personal"] = True
 
+    # Handle token (from file or direct)
+    if token_file:
+        token_path = Path(token_file).expanduser()
+        if not token_path.exists():
+            print_error(f"Token file not found: {token_file}")
+            raise typer.Exit(1)
+        data["token"] = token_path.read_text().strip()
+    elif token:
+        data["token"] = token
+
     # Handle private key (from file or direct)
     if private_key_file:
         key_path = Path(private_key_file).expanduser()
@@ -202,6 +226,10 @@ def create_vault_account(
         if not data.get("private_key"):
             print_error(f"Private key is required for {account_type} type (use --private-key or --private-key-file)")
             raise typer.Exit(1)
+    elif account_type == "token":
+        if not data.get("token"):
+            print_error("Token is required for token type (use --token or --token-file)")
+            raise typer.Exit(1)
 
     try:
         client = get_client()