bt-cli 0.4.42__tar.gz → 0.4.45__tar.gz

{bt_cli-0.4.42 → bt_cli-0.4.45}/.claude/skills/entitle/SKILL.md

@@ -5,6 +5,33 @@ description: Entitle commands for JIT access, bundles, workflows, and permission
 
 # Entitle Commands (`bt entitle`)
 
+## Two API tokens — read vs. write-on-behalf-of-user
+
+Entitle issues two distinct kinds of bearer token. The CLI uses both:
+
+| Token | Config field | Env var | Used for |
+|---|---|---|---|
+| **Org / admin** | `entitle.api_key` | `BT_ENTITLE_API_KEY` | All read-only commands (`list`, `get`) and admin writes (revoke, delete) |
+| **User-context** | `entitle.user_api_key` | `BT_ENTITLE_USER_API_KEY` | On-behalf-of-a-user writes — currently `bt entitle requests create` |
+
+The org/admin token **cannot** create access requests because requests are
+made *as* a person, not on behalf of the org. If only the admin token is
+configured, `bt entitle requests create` exits early with a panel explaining
+how to add a user token.
+
+```yaml
+# ~/.bt-cli/config.yaml
+profiles:
+  default:
+    entitle:
+      api_url: https://api.us.entitle.io
+      api_key: <ORG_TOKEN>           # broad read access
+      user_api_key: <USER_TOKEN>     # personal token, for `requests create`
+```
+
+The user token is generated from `app.entitle.io` → user profile → API tokens
+→ **Create user token** (different page from the org token).
+
 ## IMPORTANT: Destructive Operations
 
 **ALWAYS confirm with the user before:**

{bt_cli-0.4.42/src/bt_cli/data → bt_cli-0.4.45/.claude}/skills/pra/SKILL.md

@@ -13,6 +13,9 @@ description: Privileged Remote Access commands for jump items, vault accounts, a
 - `bt pra jump-items tunnel delete` - Deletes protocol tunnel
 - `bt pra jump-groups delete` - Deletes jump group
 - `bt pra vault accounts delete` - Deletes vault account
+- `bt pra users delete` - Deletes a user (non-admins only)
+- `bt pra policies group delete` - Deletes a Group Policy
+- `bt pra policies group {jumpoints|members|jump-groups|vault-accounts|vault-account-groups|teams} remove` - Detaches a sub-resource from a Group Policy
 
 List affected resources first, then ask for explicit confirmation.
 

{bt_cli-0.4.42/src/bt_cli/data → bt_cli-0.4.45}/CLAUDE.md

@@ -1,6 +1,6 @@
 # BT-CLI
 
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, and EPM Linux. **Version: 0.4.41**
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, and EPM Linux. **Version: 0.4.45**
 
 ## Setup
 

{bt_cli-0.4.42 → bt_cli-0.4.45}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bt-cli
-Version: 0.4.42
+Version: 0.4.45
 Summary: BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM
 Author-email: Dave Grendysz <dgrendysz@beyondtrust.com>
 License: MIT
@@ -23,6 +23,7 @@ Requires-Dist: httpx>=0.27.0
 Requires-Dist: pydantic>=2.0.0
 Requires-Dist: python-dotenv>=1.0.0
 Requires-Dist: pyyaml>=6.0.0
+Requires-Dist: questionary>=2.0.0
 Requires-Dist: rich<14.0.0,>=13.7.0
 Requires-Dist: shellingham>=1.5.0
 Requires-Dist: truststore>=0.8.0; python_version >= '3.10'

{bt_cli-0.4.42 → bt_cli-0.4.45}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "bt-cli"
-version = "0.4.42"
+version = "0.4.45"
 description = "BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM"
 readme = "README.md"
 requires-python = ">=3.9"
@@ -44,6 +44,7 @@ dependencies = [
     "pyyaml>=6.0.0",
     "shellingham>=1.5.0",
     "truststore>=0.8.0;python_version>='3.10'",  # Use OS certificate store
+    "questionary>=2.0.0",
 ]
 
 [project.optional-dependencies]

{bt_cli-0.4.42 → bt_cli-0.4.45}/src/bt_cli/__init__.py

@@ -1,3 +1,3 @@
 """BeyondTrust Unified Admin CLI."""
 
-__version__ = "0.4.42"
+__version__ = "0.4.45"

{bt_cli-0.4.42 → bt_cli-0.4.45}/src/bt_cli/cli.py

@@ -340,7 +340,16 @@ def tree_command(
         vault.add("accounts list|get|create|delete|checkout|checkin|get-user-data|get-public-key")
         vault.add("groups list|get")
 
-        pra.add("[green]quick[/green] shell-jump|rdp-jump")
+        pra.add("[green]users[/green] list|get|update|delete|group-policies|provision")
+        pra.add("[green]teams[/green] list|get")
+        pol = pra.add("[green]policies[/green]")
+        pol.add("jump list|get")
+        pol.add("session list")
+        pol.add("group list|get|create|update|delete|copy|provision")
+        pol.add("  + jumpoints|members|jump-groups|vault-accounts|")
+        pol.add("    vault-account-groups|teams (list|add|remove)")
+
+        pra.add("[green]quick[/green] shell-jump|rdp-jump|change-group-policy-update")
 
     # Entitle
     if not product or product == "entitle":
@@ -467,6 +476,18 @@ def _get_all_commands() -> list[tuple[str, str]]:
         ("bt pra vault accounts checkout", "Checkout vault credentials"),
         ("bt pra vault accounts get-user-data", "Generate EC2 user-data for SSH CA"),
         ("bt pra vault accounts get-public-key", "Get SSH CA public key"),
+        ("bt pra users list", "List PRA users"),
+        ("bt pra users update", "Update a user (--unlock to clear failed_logins)"),
+        ("bt pra users group-policies", "Show GPs a user is a member of"),
+        ("bt pra users provision -u <id>", "Recompute permissions for a user"),
+        ("bt pra policies group list", "List Group Policies"),
+        ("bt pra policies group create --name X", "Create a Group Policy"),
+        ("bt pra policies group copy <id> --name Y", "Duplicate a Group Policy"),
+        ("bt pra policies group members list <id>", "List members of a GP"),
+        ("bt pra policies group jump-groups add <id>", "Attach a Jump Group to a GP"),
+        ("bt pra policies group vault-accounts add <id>", "Attach a Vault Account to a GP"),
+        ("bt pra policies group teams add <id>", "Attach a Team to a GP"),
+        ("bt pra quick change-group-policy-update", "Interactive: toggle a user's GP memberships"),
         # Entitle
         ("bt entitle auth test", "Test Entitle connection"),
         ("bt entitle integrations list", "List integrations"),

{bt_cli-0.4.42 → bt_cli-0.4.45}/src/bt_cli/commands/configure.py

@@ -43,6 +43,11 @@ def configure_callback(
     client_id: Optional[str] = typer.Option(None, "--client-id", help="OAuth Client ID"),
     client_secret: Optional[str] = typer.Option(None, "--client-secret", help="OAuth Client Secret"),
     api_key: Optional[str] = typer.Option(None, "--api-key", help="API Key"),
+    user_api_key: Optional[str] = typer.Option(
+        None,
+        "--user-api-key",
+        help="Entitle user-context API key (only required for `bt entitle requests create`)",
+    ),
 ) -> None:
     """Configure bt-cli interactively or via flags.
 
@@ -65,11 +70,13 @@ def configure_callback(
         return
 
     # Check if any non-interactive flags were provided
-    has_flags = any([api_url, client_id, client_secret, api_key])
+    has_flags = any([api_url, client_id, client_secret, api_key, user_api_key])
 
     if has_flags and product:
         # Non-interactive mode with flags
-        _configure_with_flags(product, profile, api_url, client_id, client_secret, api_key)
+        _configure_with_flags(
+            product, profile, api_url, client_id, client_secret, api_key, user_api_key
+        )
     else:
         # Interactive mode
         _configure_interactive(product, profile)
@@ -219,6 +226,7 @@ def _configure_with_flags(
     client_id: Optional[str],
     client_secret: Optional[str],
     api_key: Optional[str],
+    user_api_key: Optional[str] = None,
 ) -> None:
     """Configure using command-line flags (non-interactive)."""
     if product not in PRODUCTS:
@@ -240,6 +248,11 @@ def _configure_with_flags(
         new_config["client_secret"] = client_secret
     if api_key:
         new_config["api_key"] = api_key
+    if user_api_key is not None:
+        if product != "entitle":
+            print_error("--user-api-key is only valid for product=entitle")
+            raise typer.Exit(2)
+        new_config["user_api_key"] = user_api_key
 
     # Infer auth method
     if api_key:
@@ -481,6 +494,7 @@ def import_from_env(
         "entitle": {
             "api_url": "BT_ENTITLE_API_URL",
             "api_key": "BT_ENTITLE_API_KEY",
+            "user_api_key": "BT_ENTITLE_USER_API_KEY",
             "verify_ssl": "BT_ENTITLE_VERIFY_SSL",
             "timeout": "BT_ENTITLE_TIMEOUT",
         },
@@ -582,6 +596,7 @@ def show_effective_config(
         "Entitle": {
             "api_url": "BT_ENTITLE_API_URL",
             "api_key": "BT_ENTITLE_API_KEY",
+            "user_api_key": "BT_ENTITLE_USER_API_KEY",
             "verify_ssl": "BT_ENTITLE_VERIFY_SSL",
             "timeout": "BT_ENTITLE_TIMEOUT",
         },

{bt_cli-0.4.42 → bt_cli-0.4.45}/src/bt_cli/core/config.py

@@ -60,6 +60,10 @@ class EntitleConfig(ProductConfig):
     """
 
     api_key: str = ""
+    # Optional separate token issued for a real user (not the org/admin token).
+    # Required for write operations performed *on behalf of* a user, like
+    # `bt entitle requests create`. Not required for read-only admin work.
+    user_api_key: str = ""
 
     def validate(self) -> None:
         """Validate configuration."""
@@ -290,10 +294,13 @@ def load_entitle_config(env_file: Optional[str] = None, profile: Optional[str] =
         2. Config file (~/.bt-cli/config.yaml)
 
     Environment variables:
-        BT_ENTITLE_API_URL    - API endpoint URL (default: https://api.us.entitle.io)
-        BT_ENTITLE_API_KEY    - API key for Bearer authentication (required)
-        BT_ENTITLE_VERIFY_SSL - SSL verification (default: true)
-        BT_ENTITLE_TIMEOUT    - Request timeout in seconds (default: 30)
+        BT_ENTITLE_API_URL      - API endpoint URL (default: https://api.us.entitle.io)
+        BT_ENTITLE_API_KEY      - Org/admin Bearer token (required for read ops)
+        BT_ENTITLE_USER_API_KEY - User-context Bearer token (optional; required
+                                  for `bt entitle requests create` since access
+                                  requests are made on behalf of a real user)
+        BT_ENTITLE_VERIFY_SSL   - SSL verification (default: true)
+        BT_ENTITLE_TIMEOUT      - Request timeout in seconds (default: 30)
     """
     if env_file:
         load_dotenv(env_file)
@@ -307,10 +314,13 @@ def load_entitle_config(env_file: Optional[str] = None, profile: Optional[str] =
     # Resolve any keyring references
     if "api_key" in layered:
         layered["api_key"] = _resolve_value(layered["api_key"])
+    if "user_api_key" in layered:
+        layered["user_api_key"] = _resolve_value(layered["user_api_key"])
 
     config = EntitleConfig(
         api_url=layered.get("api_url") or os.getenv("BT_ENTITLE_API_URL", "https://api.us.entitle.io"),
         api_key=layered.get("api_key") or os.getenv("BT_ENTITLE_API_KEY", ""),
+        user_api_key=layered.get("user_api_key") or os.getenv("BT_ENTITLE_USER_API_KEY", ""),
         verify_ssl=_to_bool(layered.get("verify_ssl")) if "verify_ssl" in layered else _get_bool(os.getenv("BT_ENTITLE_VERIFY_SSL")),
         timeout=_to_float(layered.get("timeout")) if "timeout" in layered else _get_float(os.getenv("BT_ENTITLE_TIMEOUT"), 30.0),
     )

{bt_cli-0.4.42 → bt_cli-0.4.45}/src/bt_cli/core/config_file.py

@@ -51,7 +51,16 @@ PRODUCTS = {
                 "default": "https://api.us.entitle.io",
                 "example": "https://api.us.entitle.io or https://api.eu.entitle.io",
             },
-            "api_key": {"prompt": "API Key", "required": True, "secret": True},
+            "api_key": {
+                "prompt": "Org/Admin API Key (read + admin writes)",
+                "required": True,
+                "secret": True,
+            },
+            "user_api_key": {
+                "prompt": "User-context API Key (only for `requests create`; leave blank to skip)",
+                "required": False,
+                "secret": True,
+            },
             "verify_ssl": {"prompt": "Verify SSL", "required": False, "secret": False, "default": True},
             "timeout": {"prompt": "Timeout (seconds)", "required": False, "secret": False, "default": 30},
         },
@@ -341,6 +350,8 @@ def _get_env_mappings(product: str) -> dict[str, str]:
     if product == "pws":
         mappings["run_as"] = f"{prefix}_RUN_AS"
         mappings["api_version"] = f"{prefix}_API_VERSION"
+    elif product == "entitle":
+        mappings["user_api_key"] = f"{prefix}_USER_API_KEY"
     elif product == "epml":
         mappings["site_id"] = f"{prefix}_SITE_ID"
         mappings["pat"] = f"{prefix}_PAT"

{bt_cli-0.4.42 → bt_cli-0.4.45}/src/bt_cli/entitle/client/base.py

@@ -13,23 +13,55 @@ from ...core.client import _warn_ssl_disabled
 logger = logging.getLogger(__name__)
 
 
+class MissingUserTokenError(RuntimeError):
+    """Raised when a user-context op is requested but no user token is set."""
+
+
 class EntitleClient:
     """HTTP client for BeyondTrust Entitle API.
 
-    Uses simple Bearer token authentication with API key.
+    Entitle issues two distinct kinds of bearer tokens:
+
+    * **Org / admin token** — broad read access across the whole tenant. Used
+      for `list`, `get`, and admin-only writes. Stored as `api_key`.
+    * **User-context token** — issued for an individual user; access requests
+      and other on-behalf-of writes must use this one. Stored as
+      `user_api_key`. If absent, `MissingUserTokenError` is raised at
+      construction time.
+
+    Pass ``use_user_token=True`` to opt into the user-context token.
     """
 
-    def __init__(self, config: EntitleConfig):
+    def __init__(self, config: EntitleConfig, use_user_token: bool = False):
         """Initialize the Entitle client.
 
         Args:
-            config: Configuration with API URL and API key
+            config: Configuration with API URL and one or both API keys
+            use_user_token: If True, authenticate with `user_api_key` instead
+                of `api_key`. Required for `requests create`.
+
+        Raises:
+            MissingUserTokenError: if `use_user_token=True` but no user token
+                is configured.
         """
         self.config = config
         # Entitle API uses /public/v1 suffix
         self.base_url = f"{config.api_url.rstrip('/')}/public/v1"
         self._client: Optional[httpx.Client] = None
-        self._auth = BearerTokenAuth(config.api_key)
+
+        if use_user_token:
+            if not config.user_api_key:
+                raise MissingUserTokenError(
+                    "No user-context token configured. Set "
+                    "BT_ENTITLE_USER_API_KEY or `entitle.user_api_key` in "
+                    "~/.bt-cli/config.yaml. The current admin/org token "
+                    "cannot create access requests on behalf of a user."
+                )
+            token = config.user_api_key
+        else:
+            token = config.api_key
+        self._auth = BearerTokenAuth(token)
+        self._using_user_token = use_user_token
 
     def __enter__(self) -> "EntitleClient":
         """Context manager entry - create HTTP client."""
@@ -477,11 +509,24 @@ class EntitleClient:
         return self.get(f"/accessRequests/{request_id}")
 
 
-def get_client() -> EntitleClient:
+def get_client(user_token: bool = False) -> EntitleClient:
     """Create a configured Entitle client.
 
+    Args:
+        user_token: If True, build a client authenticated with the
+            user-context token (`config.user_api_key`). Required for
+            on-behalf-of-user writes such as creating access requests.
+
     Returns:
         EntitleClient instance
     """
     config = load_entitle_config()
-    return EntitleClient(config)
+    return EntitleClient(config, use_user_token=user_token)
+
+
+def has_user_token() -> bool:
+    """True if a user-context token is configured (without raising)."""
+    try:
+        return bool(load_entitle_config().user_api_key)
+    except Exception:
+        return False

{bt_cli-0.4.42 → bt_cli-0.4.45}/src/bt_cli/entitle/commands/requests.py

@@ -2,14 +2,30 @@
 
 Hybrid UX: pass --bundle or --role + --duration + --justification for a fully
 non-interactive run, or omit any of those to drop into a filter-then-pick menu.
+
+Auth note
+---------
+Entitle issues two kinds of API tokens:
+
+* **Org / admin** token — used for read-only listings (the default for
+  `bt entitle ...`).
+* **User-context** token — required for any operation made *on behalf of*
+  a real user. `bt entitle requests create` is one of those, so it always
+  uses the user token (`config.user_api_key` /
+  `BT_ENTITLE_USER_API_KEY`). If that token is missing the command bails
+  out with a friendly explanation rather than silently submitting under the
+  wrong identity.
 """
 
 from typing import Any, Optional
 
 import httpx
 import typer
+from rich.panel import Panel
+from rich.table import Table
+from rich.text import Text
 
-from ..client.base import EntitleClient, get_client
+from ..client.base import EntitleClient, MissingUserTokenError, get_client, has_user_token
 from ...core.output import console, print_json, print_success, print_api_error
 from ...core.prompts import prompt_choice, prompt_filtered_pick
 
@@ -131,6 +147,42 @@ def _prompt_justification() -> str:
         console.print("[red]Justification must be 1..2048 characters[/red]")
 
 
+def _abort_missing_user_token() -> None:
+    """Render a friendly panel explaining how to add a user-context token."""
+    body = Text.from_markup(
+        "[bold]No user-context token configured.[/bold]\n\n"
+        "Creating an access request is an [italic]on-behalf-of-a-user[/italic] "
+        "action and requires a personal Entitle token, not the org/admin "
+        "token used for listings.\n\n"
+        "[bold]Add one:[/bold]\n\n"
+        "  • [cyan]Env var[/cyan]\n"
+        "      [dim]export[/dim] BT_ENTITLE_USER_API_KEY=eyJhb...\n"
+        "  • [cyan]~/.bt-cli/config.yaml[/cyan]\n"
+        "      [dim]profiles:\n"
+        "        default:\n"
+        "          entitle:\n"
+        "            user_api_key:[/dim] eyJhb...\n\n"
+        "Get the token from [link]https://app.entitle.io[/link] → "
+        "your profile → API tokens → [bold]Create user token[/bold]. "
+        "(Org/admin tokens are issued from a different page and won't work "
+        "here.)"
+    )
+    console.print(Panel(body, title="[red]Cannot create access request[/red]", border_style="red"))
+
+
+def _summary_panel(target_type: str, target_label: str, target_id: str,
+                   duration: int, justification: str) -> Panel:
+    table = Table.grid(padding=(0, 2))
+    table.add_column(style="dim", justify="right")
+    table.add_column()
+    table.add_row("Target type", target_type)
+    table.add_row("Target", target_label)
+    table.add_row("Target ID", f"[dim]{target_id}[/dim]")
+    table.add_row("Duration", f"{_fmt_duration(duration)}  [dim]({duration}s)[/dim]")
+    table.add_row("Justification", justification)
+    return Panel(table, title="[bold]Access Request Summary[/bold]", border_style="cyan")
+
+
 @app.command("create")
 def create_access_request(
     bundle: Optional[str] = typer.Option(None, "--bundle", "-b", help="Bundle ID to request"),
@@ -147,52 +199,63 @@ def create_access_request(
     yes: bool = typer.Option(False, "--yes", "-y", help="Skip the pre-submit confirmation"),
     output: str = typer.Option("table", "--output", "-o", help="Output format: table, json"),
 ) -> None:
-    """Create a new access request.
+    """Create a new access request (uses the user-context token).
+
+    Pass --bundle OR --role plus --duration and --justification for
+    non-interactive use. Omit any of them to drop into a filter-then-pick menu.
 
-    Pass --bundle OR --role plus --duration and --justification for non-interactive
-    use. Omit any of them to drop into a filter-then-pick menu.
+    Authentication: this command always uses `BT_ENTITLE_USER_API_KEY` /
+    `entitle.user_api_key`, NOT the org/admin token. If that token is not
+    configured, the command exits before contacting the API.
     """
     if bundle and role:
         console.print("[red]Pass either --bundle or --role, not both[/red]")
         raise typer.Exit(1)
 
+    if not has_user_token():
+        _abort_missing_user_token()
+        raise typer.Exit(2)
+
+    # Read-only target/duration discovery uses the admin/org token (broad read
+    # access). The actual create POST uses the user-context token.
     try:
-        with get_client() as client:
-            # Resolve target
+        with get_client(user_token=False) as reader:
             if bundle:
                 target_type, target_id, target_label = "bundle", bundle, bundle
             elif role:
                 target_type, target_id, target_label = "role", role, role
             else:
-                target_type, target_id, target_label = _pick_target_interactive(client)
+                console.rule("[bold cyan]Pick what to request[/bold cyan]")
+                target_type, target_id, target_label = _pick_target_interactive(reader)
 
-            # Resolve duration
             if duration is None:
-                duration = _pick_duration_interactive(client, target_type, target_id)
+                console.rule("[bold cyan]Pick a duration[/bold cyan]")
+                duration = _pick_duration_interactive(reader, target_type, target_id)
             elif duration < 1:
                 console.print("[red]--duration must be >= 1 second[/red]")
                 raise typer.Exit(1)
 
-            # Resolve justification
-            if justification is None:
-                justification = _prompt_justification()
-            else:
-                if not (1 <= len(justification) <= 2048):
-                    console.print("[red]--justification must be 1..2048 characters[/red]")
-                    raise typer.Exit(1)
-
-            # Pre-submit summary
-            console.print("\n[bold]Access request summary[/bold]")
-            console.print(f"  Target type   : {target_type}")
-            console.print(f"  Target        : {target_label}")
-            console.print(f"  Target ID     : {target_id}")
-            console.print(f"  Duration      : {_fmt_duration(duration)} ({duration}s)")
-            console.print(f"  Justification : {justification}")
-
-            if not yes:
-                typer.confirm("\nSubmit this request?", default=True, abort=True)
-
-            result = client.create_access_request(
+        if justification is None:
+            console.rule("[bold cyan]Justification[/bold cyan]")
+            justification = _prompt_justification()
+        else:
+            if not (1 <= len(justification) <= 2048):
+                console.print("[red]--justification must be 1..2048 characters[/red]")
+                raise typer.Exit(1)
+
+        # Pre-submit panel
+        console.print()
+        console.print(_summary_panel(target_type, target_label, target_id, duration, justification))
+        console.print(
+            "[dim]Submitting under the [bold]user-context[/bold] Entitle token "
+            "(BT_ENTITLE_USER_API_KEY).[/dim]"
+        )
+
+        if not yes:
+            typer.confirm("Submit this request?", default=True, abort=True)
+
+        with get_client(user_token=True) as writer:
+            result = writer.create_access_request(
                 target_type=target_type,
                 target_id=target_id,
                 duration=duration,
@@ -204,16 +267,30 @@ def create_access_request(
             if isinstance(result, dict) and "result" in result
             else (result.get("id") if isinstance(result, dict) else None)
         )
-        print_success("Access request submitted")
-        if request_id:
-            console.print(f"[dim]Follow up with:[/dim] bt entitle requests get {request_id}")
 
         if output == "json":
             print_json(result)
-        else:
-            print_json(result)  # response shape isn't documented; show full payload
+            return
+
+        success_table = Table.grid(padding=(0, 2))
+        success_table.add_column(style="dim", justify="right")
+        success_table.add_column()
+        if request_id:
+            success_table.add_row("Request ID", f"[bold]{request_id}[/bold]")
+        success_table.add_row("Target", target_label)
+        success_table.add_row("Duration", _fmt_duration(duration))
+        if request_id:
+            success_table.add_row(
+                "Follow up", f"[cyan]bt entitle requests get {request_id}[/cyan]"
+            )
+        console.print(Panel(success_table, title="[green]Submitted[/green]", border_style="green"))
+
+    except MissingUserTokenError as e:
+        console.print(f"[red]{e}[/red]")
+        raise typer.Exit(2)
     except typer.Abort:
-        raise
+        console.print("[yellow]Aborted — nothing submitted.[/yellow]")
+        raise typer.Exit(1)
     except httpx.HTTPStatusError as e:
         print_api_error(e, "create access request")
         raise typer.Exit(1)