bt-cli 0.4.49__tar.gz → 0.4.51__tar.gz

{bt_cli-0.4.49 → bt_cli-0.4.51}/CLAUDE.md

@@ -1,6 +1,6 @@
 # BT-CLI
 
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, EPM Linux, and the BeyondTrust Secrets API. **Version: 0.4.49**
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, EPM Linux, and the BeyondTrust Secrets API. **Version: 0.4.51**
 
 ## Setup
 
@@ -87,7 +87,7 @@ PASSWORD=$(bt pws quick checkout -s server -a admin --raw)
 - **EPML body-shape gotchas**: role create needs `action ∈ {A,R}`; hostgrp/usergrp create needs `type ∈ {I,E}` (Internal=static / External=directory-resolved); role assignments need `--kind S|R|B` for hostgrps/usergrps (S=Submit user, R=Run-as user); collection deletes use `?id=N` query params (CLI loops); child collections (commands/hosts/users/tmdates) have **no per-item delete** — `clear` nukes all, use `replace` to keep some.
 - **EPML role update is upsert-on-id (overwrite, not partial)**: hitting `POST /roles` with `{id, ...}` clears any field you don't include. The CLI's `roles update` does read-modify-write so it feels partial; child relations are filtered out of the merge so assignments survive. Direct `curl` users must send the full record.
 - **EPML role banner format**: `bt epml rbp roles create --banner-text "Title"` builds a `############`-framed message using `%rbprole%`/`%event%` server substitutions, mirroring the appliance's existing roles. See the worked role example in the EPM-L SKILL.md.
-- **Secrets dynamic path is `/dynamic`** (NOT `/dynamic-secrets` as the doc claims); version header is `2026-02-16` (NOT 2026-01-02); `dynamic/{name}/generate` returns 201; `/leases/revoke` is scope-gated and 403 is the expected lab response — `bt secrets leases revoke` exits 3 with a clean warning, not generic failure. Documented in `src/bt_cli/data/skills/secrets/SKILL.md`.
+- **Secrets dynamic path is `/dynamic`** (NOT `/dynamic-secrets` as the doc claims); version header is `2026-04-28` (NOT 2026-01-02; server also rejects every earlier dated header — bumps are mandatory, not optional); `dynamic/{name}/generate` returns 201; `/leases/revoke` is scope-gated and 403 is the expected lab response — `bt secrets leases revoke` exits 3 with a clean warning, not generic failure. Documented in `src/bt_cli/data/skills/secrets/SKILL.md`.
 - **Secrets `generate` mints real AWS STS credentials and is audited** — don't loop it in dev. Use `dynamic list`/`get` + `leases list` for browsing.
 
 ## Functional vs Managed Accounts

{bt_cli-0.4.49 → bt_cli-0.4.51}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bt-cli
-Version: 0.4.49
+Version: 0.4.51
 Summary: BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM
 Author-email: Dave Grendysz <dgrendysz@beyondtrust.com>
 License: MIT

{bt_cli-0.4.49 → bt_cli-0.4.51}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "bt-cli"
-version = "0.4.49"
+version = "0.4.51"
 description = "BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM"
 readme = "README.md"
 requires-python = ">=3.9"

{bt_cli-0.4.49 → bt_cli-0.4.51}/src/bt_cli/__init__.py

@@ -1,3 +1,3 @@
 """BeyondTrust Unified Admin CLI."""
 
-__version__ = "0.4.49"
+__version__ = "0.4.51"

{bt_cli-0.4.49 → bt_cli-0.4.51}/src/bt_cli/core/config.py

@@ -1,6 +1,7 @@
 """Multi-product configuration management for BeyondTrust CLI."""
 
 import os
+import re
 from dataclasses import dataclass, field
 from typing import Any, Optional
 
@@ -133,7 +134,7 @@ class SecretsConfig(ProductConfig):
 
     site_id: str = ""
     pat: str = ""
-    api_version: str = "2026-02-16"
+    api_version: str = "2026-04-28"
 
     def validate(self) -> None:
         """Validate configuration."""
@@ -222,6 +223,31 @@ def _resolve_value(value: Any) -> Any:
     return value
 
 
+_ANSI_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
+
+
+def _strip_controls(value: Any) -> Any:
+    """Remove ANSI escape sequences and bare control bytes from a config string.
+
+    Why: interactive prompts and copy-paste from terminals occasionally
+    capture ANSI escape sequences (cursor-arrow keystrokes are the usual
+    culprit) into values that end up in URLs or HTTP headers. httpx and
+    most HTTP libraries refuse to send a URL containing non-printables and
+    surface a confusing "Invalid non-printable ASCII character" error
+    instead of the real config problem.
+
+    We strip the *whole* CSI sequence (ESC + ``[`` + params + final byte)
+    before the lone-control pass — otherwise the visible tail bytes like
+    ``[C`` and ``[D`` survive as ASCII garbage glued onto an otherwise
+    valid UUID, producing a clean URL that 404s instead of one the user
+    can see is wrong.
+    """
+    if isinstance(value, str):
+        cleaned = _ANSI_CSI.sub("", value)
+        return "".join(c for c in cleaned if c >= " " and c != "\x7f")
+    return value
+
+
 def _to_bool(value: Any) -> bool:
     """Convert value to boolean."""
     if isinstance(value, bool):
@@ -488,7 +514,7 @@ def load_secrets_config(env_file: Optional[str] = None, profile: Optional[str] =
         BT_SECRETS_API_URL      - Gateway URL (default: https://api.beyondtrust.io)
         BT_SECRETS_SITE_ID      - Site UUID (required)
         BT_SECRETS_PAT          - Personal Access Token (required)
-        BT_SECRETS_API_VERSION  - API version header (default: 2026-02-16)
+        BT_SECRETS_API_VERSION  - API version header (default: 2026-04-28)
         BT_SECRETS_VERIFY_SSL   - SSL verification (default: true)
         BT_SECRETS_TIMEOUT      - Request timeout in seconds (default: 30)
     """
@@ -503,11 +529,15 @@ def load_secrets_config(env_file: Optional[str] = None, profile: Optional[str] =
     if "pat" in layered:
         layered["pat"] = _resolve_value(layered["pat"])
 
+    # Strip ANSI/C0 control bytes from values that flow into URLs and
+    # headers — arrow keys captured at a `bt configure` prompt have been
+    # observed to leave ESC sequences in site_id, breaking every request
+    # with a misleading "non-printable ASCII" error from httpx.
     config = SecretsConfig(
-        api_url=layered.get("api_url") or os.getenv("BT_SECRETS_API_URL", "https://api.beyondtrust.io"),
-        site_id=layered.get("site_id") or os.getenv("BT_SECRETS_SITE_ID", ""),
-        pat=layered.get("pat") or os.getenv("BT_SECRETS_PAT", ""),
-        api_version=layered.get("api_version") or os.getenv("BT_SECRETS_API_VERSION", "2026-02-16"),
+        api_url=_strip_controls(layered.get("api_url") or os.getenv("BT_SECRETS_API_URL", "https://api.beyondtrust.io")),
+        site_id=_strip_controls(layered.get("site_id") or os.getenv("BT_SECRETS_SITE_ID", "")),
+        pat=_strip_controls(layered.get("pat") or os.getenv("BT_SECRETS_PAT", "")),
+        api_version=_strip_controls(layered.get("api_version") or os.getenv("BT_SECRETS_API_VERSION", "2026-04-28")),
         verify_ssl=_to_bool(layered.get("verify_ssl")) if "verify_ssl" in layered else _get_bool(os.getenv("BT_SECRETS_VERIFY_SSL")),
         timeout=_to_float(layered.get("timeout")) if "timeout" in layered else _get_float(os.getenv("BT_SECRETS_TIMEOUT"), 30.0),
     )

{bt_cli-0.4.49 → bt_cli-0.4.51}/src/bt_cli/core/config_file.py

@@ -116,7 +116,7 @@ PRODUCTS = {
                 "prompt": "API version (bt-secrets-api-version header)",
                 "required": False,
                 "secret": False,
-                "default": "2026-02-16",
+                "default": "2026-04-28",
             },
             "verify_ssl": {"prompt": "Verify SSL", "required": False, "secret": False, "default": True},
             "timeout": {"prompt": "Timeout (seconds)", "required": False, "secret": False, "default": 30},

{bt_cli-0.4.49 → bt_cli-0.4.51}/src/bt_cli/core/errors.py

@@ -165,6 +165,19 @@ def get_http_error_message(error: httpx.HTTPStatusError) -> str:
         # Response may not be JSON
         pass
 
+    # plain-text bodies (e.g. PWS 400 responses that aren't JSON)
+    if not detail:
+        try:
+            raw = error.response.text
+            if raw:
+                orig_len = len(raw)
+                sanitized = sanitize_error_message(raw[:300])
+                if sanitized:
+                    detail = sanitized + ("..." if orig_len > 300 else "")
+                    return f"{base_message}: {detail}"
+        except Exception:
+            pass
+
     if detail:
         # Additional regex sanitization for any patterns in the extracted detail
         detail = sanitize_error_message(str(detail))

{bt_cli-0.4.49 → bt_cli-0.4.51}/src/bt_cli/core/prompts.py

@@ -1,16 +1,24 @@
 """Reusable interactive prompts for CLI commands."""
 
+import re
 from typing import Any, Callable, Optional, TypeVar
 
 import typer
 from rich.console import Console
 
+_ANSI_ESCAPE = re.compile(r"\x1b(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])")
+
 console = Console()
 
 T = TypeVar("T")
 D = TypeVar("D")
 
 
+def _clean_str(raw: Any) -> str:
+    """Strip ANSI escape sequences from a prompted string value."""
+    return _ANSI_ESCAPE.sub("", raw).strip()
+
+
 def prompt_if_missing(
     value: Optional[T],
     prompt_text: str,
@@ -27,7 +35,10 @@ def prompt_if_missing(
         The value (either original or prompted)
     """
     if value is None or value == "":
-        return typer.prompt(prompt_text, type=value_type)
+        raw = typer.prompt(prompt_text, type=value_type)
+        if value_type is str:
+            return _clean_str(raw)  # type: ignore[return-value]
+        return raw
     return value
 
 
@@ -57,7 +68,10 @@ def prompt_from_list(
         item_id = item.get(id_key, "")
         item_name = item.get(name_key, "Unknown")
         console.print(f"  {item_id}: {item_name}")
-    return typer.prompt(prompt_text, type=value_type)
+    raw = typer.prompt(prompt_text, type=value_type)
+    if value_type is str:
+        return _clean_str(raw)  # type: ignore[return-value]
+    return raw
 
 
 def prompt_choice(

{bt_cli-0.4.49 → bt_cli-0.4.51}/src/bt_cli/data/skills/secrets/SKILL.md

@@ -34,7 +34,7 @@ Set these before running commands. PAT comes from `app.beyondtrust.io`.
 export BT_SECRETS_API_URL=https://api.beyondtrust.io    # default
 export BT_SECRETS_SITE_ID=<site-uuid>                   # required
 export BT_SECRETS_PAT=PAT_xxx                           # required
-export BT_SECRETS_API_VERSION=2026-02-16                # default; doc page is stale
+export BT_SECRETS_API_VERSION=2026-04-28                # default; doc page is stale
 ```
 
 ```bash
@@ -166,8 +166,13 @@ bt secrets integrations delete my-aws --force
 - **Dynamic path is `/dynamic`, NOT `/dynamic-secrets`** — the static doc
   page hasn't caught up to the live API. The client handles this; never
   hand-hack URLs.
-- **API version**: header value is `bt-secrets-api-version: 2026-02-16`. The
-  doc says `2026-01-02` and the server rejects it.
+- **API version**: header value is `bt-secrets-api-version: 2026-04-28`. The
+  doc says `2026-01-02` and the server rejects it. The server also rejects
+  every earlier dated header it has retired, so an old default surfaces as
+  `API version not found: <date> is not a known API version` (helpfully the
+  error names the current version when you send one that's *newer* than
+  current — `is newer than current version <date>`). Periodic bumps are
+  mandatory; treat the default as a moving target, not a constant.
 - **POST `/dynamic/{name}/generate` returns 201**, not 200. The client
   accepts both via `raise_for_status` semantics.
 - **`/leases/revoke` is scope-gated** — `bt secrets leases revoke` exits 3
@@ -220,5 +225,5 @@ directly at the requested path (this trips up newcomers — passing
 
 - Base URL: `https://api.beyondtrust.io/site/<site-id>/secrets`
 - Auth: `Authorization: Bearer <PAT>`
-- Version header: `bt-secrets-api-version: 2026-02-16`
+- Version header: `bt-secrets-api-version: 2026-04-28`
 - Rate limit: 500/window — respect `x-ratelimit-reset` on 429.

{bt_cli-0.4.49 → bt_cli-0.4.51}/src/bt_cli/secrets/client/base.py

@@ -14,9 +14,11 @@ from bt_cli.core.rest_debug import get_event_hooks
 logger = logging.getLogger(__name__)
 
 
-# Deltas vs the static doc page (live as of 2026-05-13):
-#   * Version header value is "2026-02-16" — the doc claims 2026-01-02 which
-#     the server rejects.
+# Deltas vs the static doc page (live as of 2026-05-14):
+#   * Version header value is "2026-04-28" — the doc claims 2026-01-02 which
+#     the server rejects. The server also rejects any earlier dated header,
+#     so a stale default surfaces as "API version not found" rather than a
+#     working-but-old response.
 #   * The dynamic-secret path is "/dynamic" not "/dynamic-secrets".
 #   * POST /dynamic/{name}/generate returns 201, not 200.
 #   * /leases/revoke is scope-gated; the lab PAT returns 403. Surface that

{bt_cli-0.4.49 → bt_cli-0.4.51}/src/bt_cli/secrets/commands/auth.py

@@ -53,7 +53,7 @@ def status() -> None:
     api_url = os.getenv("BT_SECRETS_API_URL", "https://api.beyondtrust.io")
     site_id = os.getenv("BT_SECRETS_SITE_ID", "")
     pat = os.getenv("BT_SECRETS_PAT", "")
-    api_version = os.getenv("BT_SECRETS_API_VERSION", "2026-02-16")
+    api_version = os.getenv("BT_SECRETS_API_VERSION", "2026-04-28")
 
     typer.echo("Secrets API Configuration:")
     typer.echo(f"  Gateway URL:  {api_url}")

{bt_cli-0.4.49 → bt_cli-0.4.51}/tests/secrets/test_client.py

@@ -18,7 +18,7 @@ def secrets_config() -> SecretsConfig:
         api_url="https://mock-secrets.example.com",
         site_id=SITE,
         pat="PAT_test_xxxxxxxxxxxxxxxxxxxxxxxxxx",
-        api_version="2026-02-16",
+        api_version="2026-04-28",
         verify_ssl=False,
         timeout=5.0,
     )
@@ -58,7 +58,7 @@ class TestHeadersAndURL:
     def test_base_url_trailing_slash_normalized(self):
         cfg = SecretsConfig(
             api_url="https://mock-secrets.example.com/",
-            site_id=SITE, pat="PAT", api_version="2026-02-16", verify_ssl=False,
+            site_id=SITE, pat="PAT", api_version="2026-04-28", verify_ssl=False,
         )
         c = SecretsClient(cfg)
         assert c._url("/folders") == f"{BASE}/folders"
@@ -66,7 +66,7 @@ class TestHeadersAndURL:
     def test_headers_include_bearer_and_version(self, secrets_config):
         h = SecretsClient(secrets_config)._headers()
         assert h["Authorization"] == "Bearer PAT_test_xxxxxxxxxxxxxxxxxxxxxxxxxx"
-        assert h["bt-secrets-api-version"] == "2026-02-16"
+        assert h["bt-secrets-api-version"] == "2026-04-28"
         assert h["Accept"] == "application/json"
 
     @respx.mock
@@ -77,7 +77,7 @@ class TestHeadersAndURL:
         SecretsClient(secrets_config).list_folders()
         req = route.calls[0].request
         assert req.headers["Authorization"].startswith("Bearer PAT_test")
-        assert req.headers["bt-secrets-api-version"] == "2026-02-16"
+        assert req.headers["bt-secrets-api-version"] == "2026-04-28"
 
 
 # ---------------------------------------------------------------------------
@@ -261,3 +261,27 @@ class TestResponseUnwrapping:
         )
         SecretsClient(secrets_config).list_integrations(type_="aws")
         assert "type=aws" in str(route.calls[0].request.url)
+
+
+# ---------------------------------------------------------------------------
+# Config loader strips ANSI/C0 control bytes from URL/header-bound fields
+# ---------------------------------------------------------------------------
+
+class TestLoaderSanitization:
+    def test_strip_controls_removes_ansi_escapes(self, monkeypatch, tmp_path):
+        from bt_cli.core.config import load_secrets_config
+
+        # Pretend the user typed arrow keys at the `bt configure` prompt:
+        # the site_id picks up cursor-forward/back ESC sequences. Without
+        # the sanitizer these would land in the URL and httpx would reject
+        # the request with a misleading non-printable-ASCII error.
+        dirty_site = "7f735e1b-5ecb-49fa-87e8-eddf54a9c745\x1b[C\x1b[D"
+        monkeypatch.setenv("BT_SECRETS_SITE_ID", dirty_site)
+        monkeypatch.setenv("BT_SECRETS_PAT", "PAT_x")
+        monkeypatch.setenv("BT_SECRETS_API_URL", "https://api.example.com")
+        # Isolate from any real ~/.bt-cli/config.yaml on the dev box.
+        monkeypatch.setenv("HOME", str(tmp_path))
+
+        cfg = load_secrets_config()
+        assert cfg.site_id == "7f735e1b-5ecb-49fa-87e8-eddf54a9c745"
+        assert "\x1b" not in cfg.site_id

{bt_cli-0.4.49 → bt_cli-0.4.51}/tests/secrets/test_commands.py

@@ -20,7 +20,7 @@ def env_overrides(monkeypatch):
     monkeypatch.setenv("BT_SECRETS_API_URL", "https://mock-secrets.example.com")
     monkeypatch.setenv("BT_SECRETS_SITE_ID", SITE)
     monkeypatch.setenv("BT_SECRETS_PAT", "PAT_test_xxxxxxxxxxxxxxxxxxxxxxxxxx")
-    monkeypatch.setenv("BT_SECRETS_API_VERSION", "2026-02-16")
+    monkeypatch.setenv("BT_SECRETS_API_VERSION", "2026-04-28")
     monkeypatch.setenv("BT_SECRETS_VERIFY_SSL", "false")
 
 
@@ -33,7 +33,7 @@ class TestAuth:
         result = CliRunner().invoke(secrets_app, ["auth", "test"])
         assert result.exit_code == 0
         assert "Connected to Secrets API" in result.stdout
-        assert "2026-02-16" in result.stdout
+        assert "2026-04-28" in result.stdout
 
     @respx.mock
     def test_auth_test_401_explains_pat(self, env_overrides):