PyPI - bt-cli - Versions diffs - 0.4.39__tar.gz → 0.4.41__tar.gz - Mend

bt-cli 0.4.39tar.gz → 0.4.41tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (207) hide show

{bt_cli-0.4.39/src/bt_cli/data → bt_cli-0.4.41}/CLAUDE.md RENAMED Viewed

@@ -1,6 +1,6 @@
 # BT-CLI
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, and EPM Linux. **Version: 0.4.39**
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, and EPM Linux. **Version: 0.4.41**
 ## Setup
@@ -10,6 +10,15 @@ source .venv/bin/activate && source .env
 bt whoami   # Test all connections
 ```
+Each product reads its own `BT_<PRODUCT>_*` env vars. EPM Linux is the odd one out — it uses a Personal Access Token (PAT) against the BeyondTrust public API gateway:
+```bash
+export BT_EPML_API_URL=https://api.beyondtrust.io   # default
+export BT_EPML_SITE_ID=<site-uuid>                  # required
+export BT_EPML_PAT=PAT_xxx                          # required (mint at app.beyondtrust.io)
+export BT_EPML_DEFAULT_HOST=100                     # default PMUL host id (optional)
+```
 ## Skills Available
 Use these slash commands for detailed product guidance:
@@ -72,6 +81,9 @@ PASSWORD=$(bt pws quick checkout -s server -a admin --raw)
 - Windows builds: Rich must be pinned to `<14.0.0` (Rich 14 has PyInstaller unicode issues)
 - **EPML URL transform**: spec paths start with `/api/...` but real URL is `https://api.beyondtrust.io/site/<site-id>/epm/linux/<spec-path-minus-/api/>`. Encapsulated in client `_build_url` — never bypass it.
 - **EPML two authorizers**: spec claims `nomine-authorizer` (PAT) globally but the gateway has IAM-only routes (return 403 with AWS-flavored body). PAT cannot reach those. Documented per-op in `src/bt_cli/data/skills/epml/SKILL.md`. Where `/v6/pbul/rbp/...` exists alongside legacy `/pbul/{hostid}/rbp/...`, prefer legacy — v6 is mostly IAM-only.
+- **EPML body-shape gotchas**: role create needs `action ∈ {A,R}`; hostgrp/usergrp create needs `type ∈ {I,E}` (Internal=static / External=directory-resolved); role assignments need `--kind S|R|B` for hostgrps/usergrps (S=Submit user, R=Run-as user); collection deletes use `?id=N` query params (CLI loops); child collections (commands/hosts/users/tmdates) have **no per-item delete** — `clear` nukes all, use `replace` to keep some.
+- **EPML role update is upsert-on-id (overwrite, not partial)**: hitting `POST /roles` with `{id, ...}` clears any field you don't include. The CLI's `roles update` does read-modify-write so it feels partial; child relations are filtered out of the merge so assignments survive. Direct `curl` users must send the full record.
+- **EPML role banner format**: `bt epml rbp roles create --banner-text "Title"` builds a `############`-framed message using `%rbprole%`/`%event%` server substitutions, mirroring the appliance's existing roles. See the worked role example in the EPM-L SKILL.md.
 ## Functional vs Managed Accounts

{bt_cli-0.4.39 → bt_cli-0.4.41}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bt-cli
-Version: 0.4.39
+Version: 0.4.41
 Summary: BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM
 Author-email: Dave Grendysz <dgrendysz@beyondtrust.com>
 License: MIT

{bt_cli-0.4.39 → bt_cli-0.4.41}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "bt-cli"
-version = "0.4.39"
+version = "0.4.41"
 description = "BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM"
 readme = "README.md"
 requires-python = ">=3.9"

{bt_cli-0.4.39 → bt_cli-0.4.41}/src/bt_cli/__init__.py RENAMED Viewed

@@ -1,3 +1,3 @@
 """BeyondTrust Unified Admin CLI."""
-__version__ = "0.4.39"
+__version__ = "0.4.41"

bt_cli-0.4.41/src/bt_cli/core/prompts.py ADDED Viewed

@@ -0,0 +1,165 @@
+"""Reusable interactive prompts for CLI commands."""
+from typing import Any, Callable, Optional, TypeVar
+import typer
+from rich.console import Console
+console = Console()
+T = TypeVar("T")
+D = TypeVar("D")
+def prompt_if_missing(
+    value: Optional[T],
+    prompt_text: str,
+    value_type: type = str,
+) -> T:
+    """Prompt for a value if it's missing.
+    Args:
+        value: Current value (may be None)
+        prompt_text: Text to show in prompt
+        value_type: Type for typer.prompt (str, int, float)
+    Returns:
+        The value (either original or prompted)
+    """
+    if value is None or value == "":
+        return typer.prompt(prompt_text, type=value_type)
+    return value
+def prompt_from_list(
+    items: list[dict[str, Any]],
+    prompt_text: str,
+    id_key: str,
+    name_key: str,
+    title: str,
+    value_type: type = int,
+) -> Any:
+    """Show a list of items and prompt for selection.
+    Args:
+        items: List of dicts to display
+        prompt_text: Prompt text (e.g., "Workgroup ID")
+        id_key: Key for the ID field in each dict
+        name_key: Key for the display name field
+        title: Title to show above list
+        value_type: Type of the ID (int or str)
+    Returns:
+        The selected ID
+    """
+    console.print(f"\n[bold]{title}:[/bold]")
+    for item in items:
+        item_id = item.get(id_key, "")
+        item_name = item.get(name_key, "Unknown")
+        console.print(f"  {item_id}: {item_name}")
+    return typer.prompt(prompt_text, type=value_type)
+def prompt_choice(
+    prompt_text: str,
+    choices: list[tuple[str, str]],
+    default: Optional[str] = None,
+) -> str:
+    """Prompt for a choice from a list of options.
+    Args:
+        prompt_text: Text to show
+        choices: List of (value, description) tuples
+        default: Default value
+    Returns:
+        The selected value
+    """
+    console.print(f"\n[bold]{prompt_text}:[/bold]")
+    for value, desc in choices:
+        marker = " (default)" if value == default else ""
+        console.print(f"  {value}: {desc}{marker}")
+    result = typer.prompt("Choice", default=default or choices[0][0])
+    valid_values = [v for v, _ in choices]
+    while result not in valid_values:
+        console.print(f"[red]Invalid choice. Options: {', '.join(valid_values)}[/red]")
+        result = typer.prompt("Choice", default=default or choices[0][0])
+    return result
+def prompt_filtered_pick(
+    items: list[D],
+    label_fn: Callable[[D], str],
+    *,
+    title: str = "Select",
+    page_size: int = 20,
+) -> D:
+    """Paginated filter-then-pick selector.
+    User actions at the prompt:
+      - a number (1..N) picks the item shown on the current page
+      - any other text filters the list by case-insensitive substring of the label
+      - 'n' / 'p' moves to next / previous page
+      - empty input cancels (raises typer.Abort)
+    Args:
+        items: Source list to choose from
+        label_fn: Maps an item to the label shown in the list (also used for filtering)
+        title: Heading shown above the list
+        page_size: Items per page
+    Returns:
+        The chosen item from `items`.
+    """
+    if not items:
+        console.print(f"[yellow]No {title.lower()} available[/yellow]")
+        raise typer.Abort()
+    visible = list(items)
+    page = 0
+    while True:
+        total_pages = max(1, (len(visible) + page_size - 1) // page_size)
+        page = max(0, min(page, total_pages - 1))
+        start = page * page_size
+        chunk = visible[start : start + page_size]
+        match_count = len(visible)
+        suffix = f" — page {page + 1}/{total_pages}" if total_pages > 1 else ""
+        console.print(f"\n[bold]{title}[/bold] ({match_count} match{'es' if match_count != 1 else ''}{suffix}):")
+        for i, item in enumerate(chunk, start=1):
+            console.print(f"  {i}. {label_fn(item)}")
+        console.print(
+            "[dim]Type a number to pick, text to filter, n/p for next/prev page, blank to cancel[/dim]"
+        )
+        ans = typer.prompt(">", default="", show_default=False).strip()
+        if ans == "":
+            raise typer.Abort()
+        low = ans.lower()
+        if low == "n":
+            if page + 1 < total_pages:
+                page += 1
+            else:
+                console.print("[yellow]Already on last page[/yellow]")
+            continue
+        if low == "p":
+            if page > 0:
+                page -= 1
+            else:
+                console.print("[yellow]Already on first page[/yellow]")
+            continue
+        if ans.isdigit():
+            idx = int(ans) - 1
+            if 0 <= idx < len(chunk):
+                return chunk[idx]
+            console.print(f"[red]Invalid number — must be 1..{len(chunk)}[/red]")
+            continue
+        # Filter against the full source list, not the previously filtered view
+        needle = low
+        filtered = [it for it in items if needle in label_fn(it).lower()]
+        if not filtered:
+            console.print("[yellow]No matches — keeping previous list[/yellow]")
+            continue
+        visible = filtered
+        page = 0

{bt_cli-0.4.39 → bt_cli-0.4.41/src/bt_cli/data}/CLAUDE.md RENAMED Viewed

@@ -1,6 +1,6 @@
 # BT-CLI
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, and EPM Linux. **Version: 0.4.39**
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, and EPM Linux. **Version: 0.4.41**
 ## Setup
@@ -10,6 +10,15 @@ source .venv/bin/activate && source .env
 bt whoami   # Test all connections
 ```
+Each product reads its own `BT_<PRODUCT>_*` env vars. EPM Linux is the odd one out — it uses a Personal Access Token (PAT) against the BeyondTrust public API gateway:
+```bash
+export BT_EPML_API_URL=https://api.beyondtrust.io   # default
+export BT_EPML_SITE_ID=<site-uuid>                  # required
+export BT_EPML_PAT=PAT_xxx                          # required (mint at app.beyondtrust.io)
+export BT_EPML_DEFAULT_HOST=100                     # default PMUL host id (optional)
+```
 ## Skills Available
 Use these slash commands for detailed product guidance:
@@ -72,6 +81,9 @@ PASSWORD=$(bt pws quick checkout -s server -a admin --raw)
 - Windows builds: Rich must be pinned to `<14.0.0` (Rich 14 has PyInstaller unicode issues)
 - **EPML URL transform**: spec paths start with `/api/...` but real URL is `https://api.beyondtrust.io/site/<site-id>/epm/linux/<spec-path-minus-/api/>`. Encapsulated in client `_build_url` — never bypass it.
 - **EPML two authorizers**: spec claims `nomine-authorizer` (PAT) globally but the gateway has IAM-only routes (return 403 with AWS-flavored body). PAT cannot reach those. Documented per-op in `src/bt_cli/data/skills/epml/SKILL.md`. Where `/v6/pbul/rbp/...` exists alongside legacy `/pbul/{hostid}/rbp/...`, prefer legacy — v6 is mostly IAM-only.
+- **EPML body-shape gotchas**: role create needs `action ∈ {A,R}`; hostgrp/usergrp create needs `type ∈ {I,E}` (Internal=static / External=directory-resolved); role assignments need `--kind S|R|B` for hostgrps/usergrps (S=Submit user, R=Run-as user); collection deletes use `?id=N` query params (CLI loops); child collections (commands/hosts/users/tmdates) have **no per-item delete** — `clear` nukes all, use `replace` to keep some.
+- **EPML role update is upsert-on-id (overwrite, not partial)**: hitting `POST /roles` with `{id, ...}` clears any field you don't include. The CLI's `roles update` does read-modify-write so it feels partial; child relations are filtered out of the merge so assignments survive. Direct `curl` users must send the full record.
+- **EPML role banner format**: `bt epml rbp roles create --banner-text "Title"` builds a `############`-framed message using `%rbprole%`/`%event%` server substitutions, mirroring the appliance's existing roles. See the worked role example in the EPM-L SKILL.md.
 ## Functional vs Managed Accounts

{bt_cli-0.4.39/.claude → bt_cli-0.4.41/src/bt_cli/data}/skills/entitle/SKILL.md RENAMED Viewed

@@ -115,6 +115,55 @@ bt entitle permissions revoke <permission_id>
 bt entitle accounts list --integration <integration_id>
 ```
+## Access Requests
+Submit a JIT access request for a bundle or a single role. Hybrid UX — pass flags
+for non-interactive use, or omit them to get a filter-then-pick menu at every step.
+```bash
+# Fully interactive (asks: bundle/role -> target -> duration -> justification)
+bt entitle requests create
+# Non-interactive — bundle target
+bt entitle requests create --bundle <bundle_id> --duration 3600 -j "On-call investigation"
+# Non-interactive — role target
+bt entitle requests create --role <role_id> -d 1800 -j "Reviewing prod logs"
+# Look up a submitted request by id
+bt entitle requests get <request_id>
+```
+**Target shape (POST /accessRequests):**
+```json
+{
+  "duration": 3600,
+  "justification": "...",
+  "target": {
+    "type": "bundle",         // or "role"
+    "bundle": {"id": "<uuid>"} // or "role": {"id": "<uuid>"}
+  }
+}
+```
+**Duration menu** is curated 30-minute-aligned blocks (30m, 1h, 1h30m, 2h, 3h, 4h,
+8h, 12h, 1d, 2d, 3d, 7d). When the target is a bundle and that bundle has
+`allowedDurations` set, the menu restricts to those values instead — bundles
+enforce server-side.
+**Picker UX:** at any selection prompt, type a number to pick, any text to filter
+the list by substring, `n` / `p` to page, or blank to cancel.
+**Gotchas:**
+- The Entitle public API does **not** expose a list endpoint for access requests.
+  `bt entitle requests list` does not exist. Save the id printed by `requests
+  create` (or use the Entitle UI) to follow up on a request.
+- A bogus or policy-blocked role returns the same 404 with message `Role with id
+  ... does not exist or unattainable.` — "unattainable" means the requester's
+  policy disallows it, not that the role is missing.
+- The token used must have a user identity (personal API token). Pure read-only
+  org keys return `request.unauthenticated` on POST.
 ## Roles & Policies
 ```bash

{bt_cli-0.4.39 → bt_cli-0.4.41}/src/bt_cli/entitle/client/base.py RENAMED Viewed

@@ -433,6 +433,50 @@ class EntitleClient:
     # =========================================================================
+    # Access Requests
+    # =========================================================================
+    #
+    # Public API exposes:
+    #   POST /accessRequests           -- create
+    #   GET  /accessRequests/{id}      -- show
+    # There is no list endpoint (verified: GET /accessRequests is 404). Callers
+    # who need to revisit a request must keep its id from the create response.
+    def create_access_request(
+        self,
+        target_type: str,
+        target_id: str,
+        duration: int,
+        justification: str,
+    ) -> dict[str, Any]:
+        """Create an access request for a bundle or role.
+        Args:
+            target_type: "bundle" or "role"
+            target_id: UUID of the bundle or role being requested
+            duration: Requested access duration in seconds (>= 1)
+            justification: Business justification (1..2048 chars)
+        Returns:
+            Created access request payload (includes the request id).
+        """
+        if target_type not in ("bundle", "role"):
+            raise ValueError(f"target_type must be 'bundle' or 'role', got {target_type!r}")
+        payload: dict[str, Any] = {
+            "duration": duration,
+            "justification": justification,
+            "target": {
+                "type": target_type,
+                target_type: {"id": target_id},
+            },
+        }
+        return self.post("/accessRequests", json=payload)
+    def get_access_request(self, request_id: str) -> dict[str, Any]:
+        """Get an access request by ID."""
+        return self.get(f"/accessRequests/{request_id}")
 def get_client() -> EntitleClient:
     """Create a configured Entitle client.

{bt_cli-0.4.39 → bt_cli-0.4.41}/src/bt_cli/entitle/commands/__init__.py RENAMED Viewed

@@ -10,7 +10,7 @@ app = typer.Typer(
 # Import and register command groups
 from . import auth, integrations, resources, roles, bundles
-from . import workflows, users, permissions, policies, accounts
+from . import workflows, users, permissions, policies, accounts, requests
 app.add_typer(auth.app, name="auth", help="Authentication commands")
 app.add_typer(integrations.app, name="integrations", help="Manage integrations")
@@ -22,3 +22,4 @@ app.add_typer(users.app, name="users", help="Manage users")
 app.add_typer(permissions.app, name="permissions", help="Manage permissions")
 app.add_typer(policies.app, name="policies", help="Manage policies")
 app.add_typer(accounts.app, name="accounts", help="Manage accounts")
+app.add_typer(requests.app, name="requests", help="Manage access requests")

bt_cli-0.4.41/src/bt_cli/entitle/commands/requests.py ADDED Viewed

@@ -0,0 +1,295 @@
+"""Access request commands for Entitle.
+Hybrid UX: pass --bundle or --role + --duration + --justification for a fully
+non-interactive run, or omit any of those to drop into a filter-then-pick menu.
+"""
+from typing import Any, Optional
+import httpx
+import typer
+from ..client.base import EntitleClient, get_client
+from ...core.output import console, print_json, print_success, print_api_error
+from ...core.prompts import prompt_choice, prompt_filtered_pick
+app = typer.Typer(no_args_is_help=True, help="Manage access requests")
+# Curated 30-min-aligned duration menu (seconds)
+DURATION_BLOCKS_SEC: list[int] = [
+    1800,    # 30m
+    3600,    # 1h
+    5400,    # 1h30m
+    7200,    # 2h
+    10800,   # 3h
+    14400,   # 4h
+    28800,   # 8h
+    43200,   # 12h
+    86400,   # 1d
+    172800,  # 2d
+    259200,  # 3d
+    604800,  # 7d
+]
+def _fmt_duration(secs: int) -> str:
+    """Render a seconds value as a compact human label (e.g. 1h30m, 2d)."""
+    if secs <= 0:
+        return f"{secs}s"
+    days, rem = divmod(secs, 86400)
+    hours, rem = divmod(rem, 3600)
+    mins = rem // 60
+    parts: list[str] = []
+    if days:
+        parts.append(f"{days}d")
+    if hours:
+        parts.append(f"{hours}h")
+    if mins:
+        parts.append(f"{mins}m")
+    return "".join(parts) or f"{secs}s"
+def _pick_target_interactive(client: EntitleClient) -> tuple[str, str, str]:
+    """Walk the user through choosing a bundle or a role.
+    Returns (target_type, target_id, human_label).
+    """
+    target_type = prompt_choice(
+        "Target type",
+        [
+            ("role", "A single role on a resource (drill down: integration → resource → role)"),
+            ("bundle", "An access bundle (a curated group of roles)"),
+        ],
+        default="role",
+    )
+    if target_type == "bundle":
+        bundles = client.list_bundles()
+        chosen = prompt_filtered_pick(
+            bundles,
+            lambda b: f"{b.get('name', '?')}  [dim]{b.get('id', '')}[/dim]",
+            title="Pick a bundle",
+        )
+        return "bundle", chosen["id"], chosen.get("name") or chosen["id"]
+    integrations = client.list_integrations()
+    integration = prompt_filtered_pick(
+        integrations,
+        lambda x: f"{x.get('name', '?')}  [dim]({(x.get('application') or {}).get('name', '-')})[/dim]",
+        title="Pick an integration",
+    )
+    resources = client.list_resources(integration_id=integration["id"])
+    resource = prompt_filtered_pick(
+        resources,
+        lambda x: x.get("name", "?"),
+        title="Pick a resource",
+    )
+    roles = client.list_roles(resource_id=resource["id"])
+    role = prompt_filtered_pick(
+        roles,
+        lambda x: x.get("name", "?"),
+        title="Pick a role",
+    )
+    label = f"{integration.get('name', '?')} / {resource.get('name', '?')} / {role.get('name', '?')}"
+    return "role", role["id"], label
+def _pick_duration_interactive(
+    client: EntitleClient, target_type: str, target_id: str
+) -> int:
+    """Show a duration menu. For bundles with allowedDurations, restrict to those."""
+    options: list[int] = []
+    if target_type == "bundle":
+        try:
+            response = client.get_bundle(target_id)
+            bundle = response.get("result", response)
+            allowed = bundle.get("allowedDurations") or []
+            options = [int(d) for d in allowed if int(d) > 0]
+        except Exception:
+            # If the lookup fails for any reason, fall back to curated blocks
+            options = []
+    if not options:
+        options = list(DURATION_BLOCKS_SEC)
+    options.sort()
+    chosen = prompt_filtered_pick(
+        options,
+        lambda secs: f"{_fmt_duration(secs)}  [dim]({secs}s)[/dim]",
+        title="Pick a duration",
+    )
+    return chosen
+def _prompt_justification() -> str:
+    while True:
+        text = typer.prompt("Justification (business reason)").strip()
+        if 1 <= len(text) <= 2048:
+            return text
+        console.print("[red]Justification must be 1..2048 characters[/red]")
+@app.command("create")
+def create_access_request(
+    bundle: Optional[str] = typer.Option(None, "--bundle", "-b", help="Bundle ID to request"),
+    role: Optional[str] = typer.Option(None, "--role", "-r", help="Role ID to request"),
+    duration: Optional[int] = typer.Option(
+        None,
+        "--duration",
+        "-d",
+        help="Access duration in seconds (interactive picker uses 30-min blocks)",
+    ),
+    justification: Optional[str] = typer.Option(
+        None, "--justification", "-j", help="Business justification (1..2048 chars)"
+    ),
+    yes: bool = typer.Option(False, "--yes", "-y", help="Skip the pre-submit confirmation"),
+    output: str = typer.Option("table", "--output", "-o", help="Output format: table, json"),
+) -> None:
+    """Create a new access request.
+    Pass --bundle OR --role plus --duration and --justification for non-interactive
+    use. Omit any of them to drop into a filter-then-pick menu.
+    """
+    if bundle and role:
+        console.print("[red]Pass either --bundle or --role, not both[/red]")
+        raise typer.Exit(1)
+    try:
+        with get_client() as client:
+            # Resolve target
+            if bundle:
+                target_type, target_id, target_label = "bundle", bundle, bundle
+            elif role:
+                target_type, target_id, target_label = "role", role, role
+            else:
+                target_type, target_id, target_label = _pick_target_interactive(client)
+            # Resolve duration
+            if duration is None:
+                duration = _pick_duration_interactive(client, target_type, target_id)
+            elif duration < 1:
+                console.print("[red]--duration must be >= 1 second[/red]")
+                raise typer.Exit(1)
+            # Resolve justification
+            if justification is None:
+                justification = _prompt_justification()
+            else:
+                if not (1 <= len(justification) <= 2048):
+                    console.print("[red]--justification must be 1..2048 characters[/red]")
+                    raise typer.Exit(1)
+            # Pre-submit summary
+            console.print("\n[bold]Access request summary[/bold]")
+            console.print(f"  Target type   : {target_type}")
+            console.print(f"  Target        : {target_label}")
+            console.print(f"  Target ID     : {target_id}")
+            console.print(f"  Duration      : {_fmt_duration(duration)} ({duration}s)")
+            console.print(f"  Justification : {justification}")
+            if not yes:
+                typer.confirm("\nSubmit this request?", default=True, abort=True)
+            result = client.create_access_request(
+                target_type=target_type,
+                target_id=target_id,
+                duration=duration,
+                justification=justification,
+            )
+        request_id = (
+            (result.get("result") or {}).get("id")
+            if isinstance(result, dict) and "result" in result
+            else (result.get("id") if isinstance(result, dict) else None)
+        )
+        print_success("Access request submitted")
+        if request_id:
+            console.print(f"[dim]Follow up with:[/dim] bt entitle requests get {request_id}")
+        if output == "json":
+            print_json(result)
+        else:
+            print_json(result)  # response shape isn't documented; show full payload
+    except typer.Abort:
+        raise
+    except httpx.HTTPStatusError as e:
+        print_api_error(e, "create access request")
+        raise typer.Exit(1)
+    except httpx.RequestError as e:
+        print_api_error(e, "create access request")
+        raise typer.Exit(1)
+    except Exception as e:
+        print_api_error(e, "create access request")
+        raise typer.Exit(1)
+@app.command("get")
+def get_access_request(
+    request_id: str = typer.Argument(..., help="Access request ID"),
+    output: str = typer.Option("table", "--output", "-o", help="Output format: table, json"),
+) -> None:
+    """Get an access request by ID."""
+    try:
+        with get_client() as client:
+            response = client.get_access_request(request_id)
+        data: Any = response.get("result", response) if isinstance(response, dict) else response
+        if output == "json":
+            print_json(response)
+            return
+        from rich.panel import Panel
+        if not isinstance(data, dict):
+            print_json(response)
+            return
+        # Build a friendly summary line for each target. Role targets join in via
+        # `roles[]` (with nested resource + integration); bundle targets via
+        # `bundles[]`. Fall back to whatever's inside `targets[]` itself.
+        target_lines: list[str] = []
+        roles_by_id = {r.get("id"): r for r in (data.get("roles") or []) if r.get("id")}
+        bundles_by_id = {b.get("id"): b for b in (data.get("bundles") or []) if b.get("id")}
+        for t in (data.get("targets") or []):
+            t_type = t.get("type") or "?"
+            inner = t.get(t_type) or {}
+            inner_id = inner.get("id")
+            if t_type == "role" and inner_id in roles_by_id:
+                role = roles_by_id[inner_id]
+                resource = role.get("resource") or {}
+                integration = resource.get("integration") or {}
+                target_lines.append(
+                    f"role: {role.get('name', '?')} on {resource.get('name', '?')} ({integration.get('name', '?')})"
+                )
+            elif t_type == "bundle" and inner_id in bundles_by_id:
+                target_lines.append(f"bundle: {bundles_by_id[inner_id].get('name', '?')}")
+            else:
+                target_lines.append(f"{t_type}: {inner.get('name') or inner_id or '?'}")
+        targets_str = "\n           ".join(target_lines) if target_lines else "-"
+        user = data.get("user") or data.get("behalfOf") or {}
+        requester = user.get("email") or user.get("id") or "-"
+        number = data.get("number")
+        id_line = f"{data.get('id', '-')}" + (f"  [dim](#{number})[/dim]" if number else "")
+        body = (
+            f"[dim]ID:[/dim] {id_line}\n"
+            f"[dim]Status:[/dim] {data.get('status', '-')}\n"
+            f"[dim]Requester:[/dim] {requester}\n"
+            f"[dim]Duration:[/dim] {_fmt_duration(int(data.get('duration', 0))) if data.get('duration') else '-'}\n"
+            f"[dim]Targets:[/dim] {targets_str}\n"
+            f"[dim]Justification:[/dim] {data.get('justification', '-')}"
+        )
+        console.print(Panel(body, title="Access Request"))
+    except httpx.HTTPStatusError as e:
+        print_api_error(e, "get access request")
+        raise typer.Exit(1)
+    except httpx.RequestError as e:
+        print_api_error(e, "get access request")
+        raise typer.Exit(1)
+    except Exception as e:
+        print_api_error(e, "get access request")
+        raise typer.Exit(1)

bt-cli 0.4.39__tar.gz → 0.4.41__tar.gz

bt-cli 0.4.39tar.gz → 0.4.41tar.gz