bt-cli 0.4.47__tar.gz → 0.4.49__tar.gz

{bt_cli-0.4.47 → bt_cli-0.4.49}/CLAUDE.md

@@ -1,6 +1,6 @@
 # BT-CLI
 
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, EPM Linux, and the BeyondTrust Secrets API. **Version: 0.4.47**
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, EPM Linux, and the BeyondTrust Secrets API. **Version: 0.4.49**
 
 ## Setup
 

{bt_cli-0.4.47 → bt_cli-0.4.49}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bt-cli
-Version: 0.4.47
+Version: 0.4.49
 Summary: BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM
 Author-email: Dave Grendysz <dgrendysz@beyondtrust.com>
 License: MIT

{bt_cli-0.4.47 → bt_cli-0.4.49}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "bt-cli"
-version = "0.4.47"
+version = "0.4.49"
 description = "BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM"
 readme = "README.md"
 requires-python = ">=3.9"

{bt_cli-0.4.47 → bt_cli-0.4.49}/src/bt_cli/__init__.py

@@ -1,3 +1,3 @@
 """BeyondTrust Unified Admin CLI."""
 
-__version__ = "0.4.47"
+__version__ = "0.4.49"

{bt_cli-0.4.47 → bt_cli-0.4.49}/src/bt_cli/data/skills/secrets/SKILL.md

@@ -97,12 +97,24 @@ bt secrets dynamic get lab/aws/ec2-readonly
 
 # Mint fresh credentials — default prints shell `export AWS_*` lines.
 bt secrets dynamic generate lab/aws/ec2-readonly
-eval $(bt secrets dynamic generate lab/aws/ec2-readonly)   # one-liner load into shell
-aws sts get-caller-identity                                # verify
+
+# Apply to the current session (a child process can't mutate its parent's env,
+# so the CLI emits shell-native syntax that you eval into your shell):
+
+# bash / zsh:
+eval $(bt secrets dynamic generate lab/aws/ec2-readonly)
+
+# PowerShell:
+bt secrets dynamic generate lab/aws/ec2-readonly --format powershell | iex
+
+# cmd.exe:
+for /f "delims=" %i in ('bt secrets dynamic generate lab/aws/ec2-readonly --format cmd') do %i
+
+aws sts get-caller-identity   # verify the creds are active
 
 # Other formats:
 bt secrets dynamic generate lab/aws/ec2-readonly --format json    # full payload w/ leaseId
-bt secrets dynamic generate lab/aws/ec2-readonly --format env     # KEY=value (no `export`)
+bt secrets dynamic generate lab/aws/ec2-readonly --format env     # bare KEY=value
 bt secrets dynamic generate lab/aws/ec2-readonly --format dotenv  # KEY="value" for .env files
 ```
 

{bt_cli-0.4.47 → bt_cli-0.4.49}/src/bt_cli/secrets/commands/dynamic.py

@@ -28,10 +28,12 @@ app = typer.Typer(no_args_is_help=True, help="Dynamic secrets (e.g. AWS STS, min
 class GenerateFormat(str, Enum):
     """Output formats for `dynamic generate`."""
 
-    EXPORT = "export"   # default — shell `export AWS_*` lines
-    ENV = "env"         # KEY=value lines (no `export` prefix)
-    JSON = "json"       # raw API payload
-    DOTENV = "dotenv"   # KEY="value" lines suitable for .env files
+    EXPORT = "export"          # default — bash/zsh `export AWS_*` lines
+    POWERSHELL = "powershell"  # PowerShell `$env:AWS_* = "..."` lines
+    CMD = "cmd"                # Windows cmd.exe `set AWS_*=...` lines
+    ENV = "env"                # bare KEY=value lines (no `export`)
+    JSON = "json"              # raw API payload
+    DOTENV = "dotenv"          # KEY="value" lines suitable for .env files
 
 
 def _dynamic_row(item: dict) -> dict:
@@ -44,6 +46,32 @@ def _dynamic_row(item: dict) -> dict:
     }
 
 
+def _apply_hint(full_path: str, fmt: GenerateFormat) -> str:
+    """Build a one-line apply-recipe in syntax valid for the chosen format.
+
+    `eval $(...)`, `| iex`, and `for /f` all swallow comment lines harmlessly,
+    so embedding the hint costs nothing when the output is piped through —
+    it's just discoverable for users who run the command on its own first.
+
+    Non-shell formats (env / dotenv / json) get no hint: env/dotenv are for
+    writing to files, json is for scripts; neither has a single canonical
+    apply command.
+    """
+    if fmt is GenerateFormat.EXPORT:
+        return f"# Tip: apply with -> eval $(bt secrets dynamic generate {full_path})"
+    if fmt is GenerateFormat.POWERSHELL:
+        return (
+            f"# Tip: apply with -> "
+            f"bt secrets dynamic generate {full_path} --format powershell | iex"
+        )
+    if fmt is GenerateFormat.CMD:
+        return (
+            f'REM Tip: apply with -> for /f "delims=" %i in '
+            f"('bt secrets dynamic generate {full_path} --format cmd') do %i"
+        )
+    return ""
+
+
 def _format_credentials(secret: dict, fmt: GenerateFormat) -> str:
     """Format an AWS STS credential triplet in the requested shape.
 
@@ -51,6 +79,13 @@ def _format_credentials(secret: dict, fmt: GenerateFormat) -> str:
     (``accessKeyId``, ``secretAccessKey``, ``sessionToken``). For shell
     consumption we map those to the standard ``AWS_*`` env-var names that
     boto3, aws-cli, and the EC2 SDK all read.
+
+    A subprocess can't mutate its parent shell's environment, so each
+    format is designed to be piped into the shell's eval mechanism:
+
+      * EXPORT     → `eval $(bt secrets dynamic generate <path>)`
+      * POWERSHELL → `bt secrets dynamic generate <path> --format powershell | iex`
+      * CMD        → cmd.exe needs a temp .bat or a `for /f` loop — see SKILL.md
     """
     aws_map = [
         ("AWS_ACCESS_KEY_ID", "accessKeyId"),
@@ -63,6 +98,16 @@ def _format_credentials(secret: dict, fmt: GenerateFormat) -> str:
             value = secret[payload_key]
             if fmt is GenerateFormat.EXPORT:
                 lines.append(f"export {env_name}={value}")
+            elif fmt is GenerateFormat.POWERSHELL:
+                # `Invoke-Expression` parses these as statements that set the
+                # process env. Quote the value so PowerShell doesn't try to
+                # interpret embedded characters.
+                lines.append(f'$env:{env_name} = "{value}"')
+            elif fmt is GenerateFormat.CMD:
+                # `set` in cmd.exe doesn't quote and doesn't tolerate spaces
+                # around `=`. Values from STS are alphanumeric-plus-/+=_-, so
+                # bare assignment is safe.
+                lines.append(f"set {env_name}={value}")
             elif fmt is GenerateFormat.ENV:
                 lines.append(f"{env_name}={value}")
             elif fmt is GenerateFormat.DOTENV:
@@ -70,8 +115,13 @@ def _format_credentials(secret: dict, fmt: GenerateFormat) -> str:
     if not lines:
         return ""
     if "expiration" in secret:
-        # Trailing comment is purely informational — doesn't affect `eval $(...)`.
-        lines.append(f"# expires: {secret['expiration']}")
+        # Trailing comment is informational — all four script-y formats
+        # tolerate `#` (bash/PowerShell) or treat the line as a label-style
+        # noop for cmd's set, which we replace with REM below.
+        if fmt is GenerateFormat.CMD:
+            lines.append(f"REM expires: {secret['expiration']}")
+        else:
+            lines.append(f"# expires: {secret['expiration']}")
     return "\n".join(lines)
 
 
@@ -150,15 +200,21 @@ def generate(
     full_path: str = typer.Argument(..., help="Full dynamic-secret path"),
     format_: GenerateFormat = typer.Option(
         GenerateFormat.EXPORT, "--format", "-F",
-        help="Output format: export | env | json | dotenv",
+        help="Output format: export | powershell | cmd | env | json | dotenv",
         case_sensitive=False,
     ),
 ) -> None:
     """Mint fresh credentials from a dynamic-secret config.
 
-    Default ``--format export`` prints shell ``export AWS_*`` lines suitable
-    for ``eval $(bt secrets dynamic generate <path>)``. Use ``--format json``
-    to see the full payload (lease id, expiration, etc.).
+    Default ``--format export`` prints shell ``export AWS_*`` lines.
+
+    \b
+    Apply in your current session:
+      bash / zsh:    eval $(bt secrets dynamic generate <path>)
+      PowerShell:    bt secrets dynamic generate <path> --format powershell | iex
+      cmd.exe:       for /f "delims=" %i in ('bt secrets dynamic generate <path> --format cmd') do %i
+
+    Use ``--format json`` to see the full payload (lease id, expiration).
 
     Heads up: every call mints real STS credentials and shows up in the
     audit trail. Don't loop this in development.
@@ -197,6 +253,9 @@ def generate(
         print_error("Unrecognized credential shape; printing raw payload")
         print_json(secret)
         raise typer.Exit(1)
+    hint = _apply_hint(full_path, format_)
+    if hint:
+        text = f"{text}\n{hint}"
     typer.echo(text)
 
 

{bt_cli-0.4.47 → bt_cli-0.4.49}/tests/secrets/test_commands.py

@@ -194,6 +194,57 @@ class TestDynamic:
         assert "export AWS_SESSION_TOKEN=TOK-FAKE" in result.stdout
         # PAT must not leak in any form
         assert "PAT_test" not in result.stdout
+        # Inline apply-hint includes the actual path the user passed
+        assert "eval $(bt secrets dynamic generate lab/aws/ec2-readonly)" in result.stdout
+
+    @respx.mock
+    def test_dynamic_generate_powershell_hint(self, env_overrides):
+        respx.post(_url("/dynamic/ec2-readonly/generate")).mock(
+            return_value=httpx.Response(201, json={"secret": {
+                "accessKeyId": "ASIA-FAKE", "secretAccessKey": "SAK-FAKE",
+                "sessionToken": "TOK-FAKE", "expiration": "2026-01-01T00:00:00Z",
+            }})
+        )
+        result = CliRunner().invoke(
+            secrets_app, ["dynamic", "generate", "lab/aws/ec2-readonly", "--format", "powershell"],
+        )
+        assert result.exit_code == 0
+        assert "--format powershell | iex" in result.stdout
+        # Hint must use # (valid PowerShell comment); not REM
+        assert "REM Tip" not in result.stdout
+
+    @respx.mock
+    def test_dynamic_generate_cmd_hint(self, env_overrides):
+        respx.post(_url("/dynamic/ec2-readonly/generate")).mock(
+            return_value=httpx.Response(201, json={"secret": {
+                "accessKeyId": "ASIA-FAKE", "secretAccessKey": "SAK-FAKE",
+                "sessionToken": "TOK-FAKE", "expiration": "2026-01-01T00:00:00Z",
+            }})
+        )
+        result = CliRunner().invoke(
+            secrets_app, ["dynamic", "generate", "lab/aws/ec2-readonly", "--format", "cmd"],
+        )
+        assert result.exit_code == 0
+        assert "for /f" in result.stdout
+        assert "--format cmd" in result.stdout
+        # cmd format must use REM (not #) for the apply hint
+        assert "REM Tip" in result.stdout
+
+    @respx.mock
+    def test_dynamic_generate_no_hint_for_non_shell_formats(self, env_overrides):
+        """env / dotenv / json shouldn't carry an apply hint — no canonical apply mode."""
+        respx.post(_url("/dynamic/ec2-readonly/generate")).mock(
+            return_value=httpx.Response(201, json={"secret": {
+                "accessKeyId": "ASIA-FAKE", "secretAccessKey": "SAK-FAKE",
+                "sessionToken": "TOK-FAKE", "expiration": "2026-01-01T00:00:00Z",
+            }})
+        )
+        for fmt in ("env", "dotenv"):
+            result = CliRunner().invoke(
+                secrets_app, ["dynamic", "generate", "lab/aws/ec2-readonly", "--format", fmt],
+            )
+            assert result.exit_code == 0, fmt
+            assert "Tip: apply with" not in result.stdout, fmt
 
     @respx.mock
     def test_dynamic_generate_json(self, env_overrides):
@@ -226,6 +277,52 @@ class TestDynamic:
         assert "AWS_ACCESS_KEY_ID=AKIA-FAKE" in result.stdout
         assert "export" not in result.stdout.split("\n")[0]
 
+    @respx.mock
+    def test_dynamic_generate_powershell_shape(self, env_overrides):
+        """PowerShell format: $env:VAR = "val" — pipe to Invoke-Expression."""
+        respx.post(_url("/dynamic/ec2-readonly/generate")).mock(
+            return_value=httpx.Response(201, json={"secret": {
+                "accessKeyId": "ASIA-FAKE",
+                "secretAccessKey": "SAK-FAKE",
+                "sessionToken": "TOK-FAKE",
+                "expiration": "2026-01-01T00:00:00Z",
+            }})
+        )
+        result = CliRunner().invoke(
+            secrets_app,
+            ["dynamic", "generate", "lab/aws/ec2-readonly", "--format", "powershell"],
+        )
+        assert result.exit_code == 0
+        assert '$env:AWS_ACCESS_KEY_ID = "ASIA-FAKE"' in result.stdout
+        assert '$env:AWS_SECRET_ACCESS_KEY = "SAK-FAKE"' in result.stdout
+        assert '$env:AWS_SESSION_TOKEN = "TOK-FAKE"' in result.stdout
+        # Comment must use `#` (valid PowerShell line comment)
+        assert "# expires:" in result.stdout
+        # Must NOT contain bash `export` syntax
+        assert "export AWS_" not in result.stdout
+
+    @respx.mock
+    def test_dynamic_generate_cmd_shape(self, env_overrides):
+        """cmd.exe format: set VAR=val — for `for /f` extraction."""
+        respx.post(_url("/dynamic/ec2-readonly/generate")).mock(
+            return_value=httpx.Response(201, json={"secret": {
+                "accessKeyId": "ASIA-FAKE",
+                "secretAccessKey": "SAK-FAKE",
+                "sessionToken": "TOK-FAKE",
+                "expiration": "2026-01-01T00:00:00Z",
+            }})
+        )
+        result = CliRunner().invoke(
+            secrets_app,
+            ["dynamic", "generate", "lab/aws/ec2-readonly", "--format", "cmd"],
+        )
+        assert result.exit_code == 0
+        assert "set AWS_ACCESS_KEY_ID=ASIA-FAKE" in result.stdout
+        assert "set AWS_SECRET_ACCESS_KEY=SAK-FAKE" in result.stdout
+        # cmd.exe uses REM, not #, for comments
+        assert "REM expires:" in result.stdout
+        assert "# expires" not in result.stdout
+
 
 class TestLeases:
     @respx.mock