bt-cli 0.4.53__tar.gz → 0.4.55__tar.gz

{bt_cli-0.4.53 → bt_cli-0.4.55}/.github/workflows/ci.yml

@@ -16,10 +16,10 @@ jobs:
         python-version: ['3.10', '3.11', '3.12']
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -48,7 +48,7 @@ jobs:
           pytest tests/ --ignore=tests/integration -v --cov=bt_cli --cov-report=term-missing --cov-report=xml
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         if: matrix.python-version == '3.12'
         with:
           files: ./coverage.xml
@@ -58,10 +58,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.11'
 
@@ -87,10 +87,10 @@ jobs:
     if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.12'
 

{bt_cli-0.4.53 → bt_cli-0.4.55}/.github/workflows/release.yml

@@ -28,7 +28,7 @@ jobs:
       image: python:3.11-slim-bullseye
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Install build dependencies
         run: |
@@ -44,7 +44,7 @@ jobs:
         run: mv dist/bt dist/bt-linux-amd64
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: bt-linux-amd64
           path: dist/bt-linux-amd64
@@ -67,10 +67,10 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.11'
 
@@ -92,7 +92,7 @@ jobs:
         run: move dist\bt.exe dist\${{ matrix.asset_name }}
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: ${{ matrix.asset_name }}
           path: dist/${{ matrix.asset_name }}
@@ -102,10 +102,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.11'
 
@@ -121,7 +121,7 @@ jobs:
         run: twine check dist/*
 
       - name: Upload package artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: python-package
           path: dist/*
@@ -132,10 +132,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           path: artifacts
 
@@ -149,7 +149,7 @@ jobs:
           fi
 
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v3
         with:
           name: bt-cli v${{ steps.version.outputs.version }}
           tag_name: v${{ steps.version.outputs.version }}
@@ -245,7 +245,7 @@ jobs:
 
     steps:
       - name: Download package artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           name: python-package
           path: dist

{bt_cli-0.4.53 → bt_cli-0.4.55}/CLAUDE.md

@@ -1,6 +1,6 @@
 # BT-CLI
 
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, EPM Linux, and the BeyondTrust Secrets API. **Version: 0.4.53**
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, EPM Linux, and the BeyondTrust Secrets API. **Version: 0.4.55**
 
 ## Setup
 
@@ -32,6 +32,7 @@ Use these slash commands for detailed product guidance:
 | `/epmw` | EPM Windows - computers, policies, requests |
 | `/epml` | EPM Linux - RBP roles/cmdgrps/usergrps, policy, test suites, transactions |
 | `/secrets` | Secrets API - folders, static, dynamic AWS credentials, leases, integrations |
+| `/pf` | Pathfinder platform - whoami, site/product access, PAT/MCP tokens, machines |
 
 ## Command Structure
 
@@ -44,6 +45,7 @@ Use these slash commands for detailed product guidance:
 | EPM Windows | `bt epmw` | `computers`, `groups`, `policies`, `requests`, `quick` |
 | EPM Linux | `bt epml` | `rbp` (cmdgrps/hostgrps/usergrps/tmdategrps/roles/policy/tests/tx), `settings`, `users`, `audit`, `siems`, `quick` |
 | Secrets API | `bt secrets` | `folders`, `static`, `dynamic` (incl. `generate`), `leases`, `integrations` |
+| Pathfinder | `bt pf` | `whoami`, `access`, `pats`, `mcp-tokens`, `machines` |
 
 ## Common Patterns
 
@@ -89,6 +91,7 @@ PASSWORD=$(bt pws quick checkout -s server -a admin --raw)
 - **EPML role banner format**: `bt epml rbp roles create --banner-text "Title"` builds a `############`-framed message using `%rbprole%`/`%event%` server substitutions, mirroring the appliance's existing roles. See the worked role example in the EPM-L SKILL.md.
 - **Secrets dynamic path is `/dynamic`** (NOT `/dynamic-secrets` as the doc claims); version header is `2026-04-28` (NOT 2026-01-02; server also rejects every earlier dated header — bumps are mandatory, not optional); `dynamic/{name}/generate` returns 201; `/leases/revoke` is scope-gated and 403 is the expected lab response — `bt secrets leases revoke` exits 3 with a clean warning, not generic failure. Documented in `src/bt_cli/data/skills/secrets/SKILL.md`.
 - **Secrets `generate` mints real AWS STS credentials and is audited** — don't loop it in dev. Use `dynamic list`/`get` + `leases list` for browsing.
+- **PF URL mapping**: Nomine swagger paths `/api/auth/X` → gateway `https://api.beyondtrust.io/site/<site-id>/platform/auth/X`. **PATs are site-bound** (minted on the active portal site; other sites → `401 Access denied for this site`). Org-level endpoints (`auth/Users`, `auth/Auditing`, `auth/SAMLProviders`) are 403 for PAT principals; user onboarding & token create/revoke need cookie auth on app.beyondtrust.io. Details in `src/bt_cli/data/skills/pf/SKILL.md`.
 
 ## Functional vs Managed Accounts
 
@@ -118,7 +121,8 @@ src/bt_cli/
 ├── entitle/            # Entitle
 ├── epmw/               # EPM Windows
 ├── epml/               # EPM Linux (PAT auth, /site/<id>/epm/linux/... URLs)
-└── secrets/            # BeyondTrust Secrets API (PAT auth, /site/<id>/secrets/... URLs)
+├── secrets/            # BeyondTrust Secrets API (PAT auth, /site/<id>/secrets/... URLs)
+└── pf/                 # Pathfinder platform (PAT auth, /site/<id>/platform/auth/... URLs)
 ```
 
 Each product follows: `client/` (API), `commands/` (CLI), `models/` (Pydantic)

{bt_cli-0.4.53 → bt_cli-0.4.55}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bt-cli
-Version: 0.4.53
+Version: 0.4.55
 Summary: BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM
 Author-email: Dave Grendysz <dgrendysz@beyondtrust.com>
 License: MIT

{bt_cli-0.4.53 → bt_cli-0.4.55}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "bt-cli"
-version = "0.4.53"
+version = "0.4.55"
 description = "BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM"
 readme = "README.md"
 requires-python = ">=3.9"

{bt_cli-0.4.53 → bt_cli-0.4.55}/src/bt_cli/__init__.py

@@ -1,3 +1,3 @@
 """BeyondTrust Unified Admin CLI."""
 
-__version__ = "0.4.53"
+__version__ = "0.4.55"

{bt_cli-0.4.53 → bt_cli-0.4.55}/src/bt_cli/cli.py

@@ -95,6 +95,12 @@ def _get_secrets_app() -> typer.Typer:
     return secrets_app
 
 
+def _get_pf_app() -> typer.Typer:
+    """Lazy load Pathfinder platform commands."""
+    from .pf.commands import app as pf_app
+    return pf_app
+
+
 def _get_configure_app() -> typer.Typer:
     """Lazy load configure commands."""
     from .commands.configure import app as configure_app
@@ -145,6 +151,11 @@ try:
 except Exception:
     pass  # Secrets module not ready yet
 
+try:
+    app.add_typer(_get_pf_app(), name="pf", help="Pathfinder platform commands")
+except Exception:
+    pass  # PF module not ready yet
+
 try:
     app.add_typer(_get_configure_app(), name="configure", help="Configure bt-cli settings")
 except Exception:
@@ -299,9 +310,9 @@ def tree_command(
 
     if product:
         product = product.lower()
-        if product not in ["pws", "pra", "entitle", "epmw", "epml", "secrets", "quick", "configure"]:
+        if product not in ["pws", "pra", "entitle", "epmw", "epml", "secrets", "pf", "quick", "configure"]:
             console.print(f"[red]Unknown product: {product}[/red]")
-            console.print("Available: pws, pra, entitle, epmw, epml, secrets, quick, configure")
+            console.print("Available: pws, pra, entitle, epmw, epml, secrets, pf, quick, configure")
             raise typer.Exit(1)
 
     tree = Tree("[bold cyan]bt[/bold cyan]")
@@ -868,6 +879,11 @@ def whoami(
     if secrets_result:
         results.append(secrets_result)
 
+    # Test Pathfinder platform
+    pf_result = _test_pf_connection()
+    if pf_result:
+        results.append(pf_result)
+
     if not results:
         console.print("[yellow]No products configured.[/yellow]")
         console.print("\nTo configure products, set environment variables or run:")
@@ -1108,6 +1124,39 @@ def _test_secrets_connection() -> Optional[dict]:
         }
 
 
+def _test_pf_connection() -> Optional[dict]:
+    """Test Pathfinder platform connection and return status."""
+    try:
+        from .core.config import load_pf_config
+        from .pf.client import get_client
+
+        config = load_pf_config()
+        masked_pat = config.pat[:12] + "..." if len(config.pat) > 12 else "***"
+        result = {
+            "product": "Pathfinder",
+            "url": f"{config.api_url}/site/{config.site_id}/platform",
+            "auth_method": f"PAT ({masked_pat})",
+            "connected": False,
+        }
+
+        with get_client() as client:
+            info = client.get_user_info() or {}
+            result["connected"] = True
+            result["user_info"] = f"{info.get('email', '?')} ({info.get('role', '?')})"
+
+        return result
+    except ValueError:
+        return None
+    except Exception as e:
+        return {
+            "product": "Pathfinder",
+            "url": "",
+            "auth_method": "-",
+            "connected": False,
+            "error": str(e)[:50],
+        }
+
+
 def run() -> None:
     """Run the CLI application."""
     app()

{bt_cli-0.4.53 → bt_cli-0.4.55}/src/bt_cli/commands/configure.py

@@ -41,12 +41,26 @@ def configure_callback(
     ),
     api_url: Optional[str] = typer.Option(None, "--api-url", help="API URL"),
     client_id: Optional[str] = typer.Option(None, "--client-id", help="OAuth Client ID"),
-    client_secret: Optional[str] = typer.Option(None, "--client-secret", help="OAuth Client Secret"),
-    api_key: Optional[str] = typer.Option(None, "--api-key", help="API Key"),
+    client_secret: Optional[str] = typer.Option(
+        None,
+        "--client-secret",
+        help="OAuth Client Secret (visible in shell history/process list — prefer interactive `bt configure`)",
+    ),
+    api_key: Optional[str] = typer.Option(
+        None,
+        "--api-key",
+        help="API Key (visible in shell history/process list — prefer interactive `bt configure`)",
+    ),
     user_api_key: Optional[str] = typer.Option(
         None,
         "--user-api-key",
-        help="Entitle user-context API key (only required for `bt entitle requests create`)",
+        help="Entitle user-context API key, only required for `bt entitle requests create` "
+        "(visible in shell history/process list — prefer interactive `bt configure`)",
+    ),
+    show_input: bool = typer.Option(
+        False,
+        "--show-input",
+        help="Show secret values while typing/pasting in interactive mode (default: hidden)",
     ),
 ) -> None:
     """Configure bt-cli interactively or via flags.
@@ -79,10 +93,14 @@ def configure_callback(
         )
     else:
         # Interactive mode
-        _configure_interactive(product, profile)
+        _configure_interactive(product, profile, show_input=show_input)
 
 
-def _configure_interactive(product: Optional[str] = None, profile: Optional[str] = None) -> None:
+def _configure_interactive(
+    product: Optional[str] = None,
+    profile: Optional[str] = None,
+    show_input: bool = False,
+) -> None:
     """Run interactive configuration wizard."""
     console.print()
     console.print(Panel.fit(
@@ -154,6 +172,10 @@ def _configure_interactive(product: Optional[str] = None, profile: Optional[str]
         if "example" in field_info:
             console.print(f"  [dim]Example: {field_info['example']}[/dim]")
 
+        # Show how-to-find-it hint if available
+        if "hint" in field_info:
+            console.print(f"  [dim]{field_info['hint']}[/dim]")
+
         # Handle boolean fields
         if isinstance(default, bool):
             value = Confirm.ask(prompt_text, default=default)
@@ -164,17 +186,19 @@ def _configure_interactive(product: Optional[str] = None, profile: Optional[str]
                 choices=field_info["choices"],
                 default=str(default) if default else None
             )
-        # Handle secret fields - show the value (not hidden) for easier pasting verification
+        # Handle secret fields - input hidden by default (--show-input to reveal for
+        # paste verification); never echo more than the last 4 chars of an existing value
         elif field_info.get("secret"):
             if existing.get(field_name):
                 existing_val = str(existing[field_name])
                 if existing_val.startswith("keyring://"):
                     console.print(f"  [dim](current: stored in keyring)[/dim]")
                 else:
-                    console.print(f"  [dim](current: {existing_val[:20]}...)[/dim]" if len(existing_val) > 20 else f"  [dim](current: {existing_val})[/dim]")
-            # Don't use password=True so users can see what they paste
+                    hint = "****" + existing_val[-4:] if len(existing_val) > 4 else "****"
+                    console.print(f"  [dim](current: {hint}, press Enter to keep)[/dim]")
             value = Prompt.ask(
                 prompt_text,
+                password=not show_input,
                 default="" if not default else None
             )
             if not value and default:
@@ -198,6 +222,10 @@ def _configure_interactive(product: Optional[str] = None, profile: Optional[str]
                 console.print(f"  [dim]Stored in keyring[/dim]")
             else:
                 new_config[field_name] = value
+                print_warning(
+                    f"Keyring storage failed for '{field_name}' — "
+                    "value saved to config file instead (file mode 0600)"
+                )
         else:
             new_config[field_name] = value
 

{bt_cli-0.4.53 → bt_cli-0.4.55}/src/bt_cli/core/config.py

@@ -146,6 +146,33 @@ class SecretsConfig(ProductConfig):
             raise ValueError("BT_SECRETS_PAT is required")
 
 
+@dataclass
+class PFConfig(ProductConfig):
+    """Pathfinder platform (Nomine auth service) configuration.
+
+    Uses Personal Access Token (PAT) bearer authentication against the
+    BeyondTrust public API gateway. URLs are composed as:
+
+        {api_url}/site/{site_id}/platform/auth/<path>
+
+    PATs are bound to the site that was active in the Pathfinder portal
+    when they were minted — a PAT for one site gets
+    `401 Access denied for this site` on every other site's paths.
+    """
+
+    site_id: str = ""
+    pat: str = ""
+
+    def validate(self) -> None:
+        """Validate configuration."""
+        if not self.api_url:
+            raise ValueError("BT_PF_API_URL is required")
+        if not self.site_id:
+            raise ValueError("BT_PF_SITE_ID is required")
+        if not self.pat:
+            raise ValueError("BT_PF_PAT is required")
+
+
 @dataclass
 class EPMLConfig(ProductConfig):
     """EPM Linux configuration.
@@ -545,6 +572,42 @@ def load_secrets_config(env_file: Optional[str] = None, profile: Optional[str] =
     return config
 
 
+def load_pf_config(env_file: Optional[str] = None, profile: Optional[str] = None) -> PFConfig:
+    """Load Pathfinder platform configuration.
+
+    Configuration sources (in order of precedence):
+        1. Environment variables
+        2. Config file (~/.bt-cli/config.yaml)
+
+    Environment variables:
+        BT_PF_API_URL      - Gateway URL (default: https://api.beyondtrust.io)
+        BT_PF_SITE_ID      - Site UUID the PAT was minted on (required)
+        BT_PF_PAT          - Personal Access Token (required)
+        BT_PF_VERIFY_SSL   - SSL verification (default: true)
+        BT_PF_TIMEOUT      - Request timeout in seconds (default: 30)
+    """
+    if env_file:
+        load_dotenv(env_file)
+    else:
+        load_dotenv()
+
+    profile = profile or _get_profile()
+    layered = get_layered_config("pf", profile)
+
+    if "pat" in layered:
+        layered["pat"] = _resolve_value(layered["pat"])
+
+    config = PFConfig(
+        api_url=_strip_controls(layered.get("api_url") or os.getenv("BT_PF_API_URL", "https://api.beyondtrust.io")),
+        site_id=_strip_controls(layered.get("site_id") or os.getenv("BT_PF_SITE_ID", "")),
+        pat=_strip_controls(layered.get("pat") or os.getenv("BT_PF_PAT", "")),
+        verify_ssl=_to_bool(layered.get("verify_ssl")) if "verify_ssl" in layered else _get_bool(os.getenv("BT_PF_VERIFY_SSL")),
+        timeout=_to_float(layered.get("timeout")) if "timeout" in layered else _get_float(os.getenv("BT_PF_TIMEOUT"), 30.0),
+    )
+    config.validate()
+    return config
+
+
 def load_config(product: str, env_file: Optional[str] = None) -> ProductConfig:
     """Load configuration for a specific product.
 
@@ -565,6 +628,7 @@ def load_config(product: str, env_file: Optional[str] = None) -> ProductConfig:
         "epmw": load_epmw_config,
         "epml": load_epml_config,
         "secrets": load_secrets_config,
+        "pf": load_pf_config,
     }
 
     loader = loaders.get(product.lower())

{bt_cli-0.4.53 → bt_cli-0.4.55}/src/bt_cli/core/config_file.py

@@ -9,6 +9,8 @@ Supports:
 
 import logging
 import os
+import sys
+import tempfile
 from dataclasses import dataclass, field
 from pathlib import Path
 from typing import Any, Optional
@@ -110,6 +112,7 @@ PRODUCTS = {
                 "required": True,
                 "secret": False,
                 "example": "7f735e1b-5ecb-49fa-87e8-eddf54a9c745",
+                "hint": "Find yours: log into app.beyondtrust.io, choose your site, then browse to https://app.beyondtrust.io/api/platform/currentSite",
             },
             "pat": {"prompt": "Personal Access Token", "required": True, "secret": True},
             "api_version": {
@@ -122,6 +125,28 @@ PRODUCTS = {
             "timeout": {"prompt": "Timeout (seconds)", "required": False, "secret": False, "default": 30},
         },
     },
+    "pf": {
+        "name": "Pathfinder Platform",
+        "fields": {
+            "api_url": {
+                "prompt": "Gateway URL",
+                "required": True,
+                "secret": False,
+                "default": "https://api.beyondtrust.io",
+                "example": "https://api.beyondtrust.io",
+            },
+            "site_id": {
+                "prompt": "Site ID (UUID — the site the PAT was minted on)",
+                "required": True,
+                "secret": False,
+                "example": "6a7546a7-e111-4fe3-bc14-d6de9c2177b9",
+                "hint": "Find yours: log into app.beyondtrust.io, choose your site, then browse to https://app.beyondtrust.io/api/platform/currentSite",
+            },
+            "pat": {"prompt": "Personal Access Token", "required": True, "secret": True},
+            "verify_ssl": {"prompt": "Verify SSL", "required": False, "secret": False, "default": True},
+            "timeout": {"prompt": "Timeout (seconds)", "required": False, "secret": False, "default": 30},
+        },
+    },
     "epml": {
         "name": "EPM Linux",
         "fields": {
@@ -137,6 +162,7 @@ PRODUCTS = {
                 "required": True,
                 "secret": False,
                 "example": "c882e07c-753b-4fcd-a1e6-7d39defec5ae",
+                "hint": "Find yours: log into app.beyondtrust.io, choose your site, then browse to https://app.beyondtrust.io/api/platform/currentSite",
             },
             "pat": {"prompt": "Personal Access Token", "required": True, "secret": True},
             "default_host_id": {
@@ -242,7 +268,14 @@ def load_config_file(path: Optional[Path] = None) -> ConfigFile:
             profiles=data.get("profiles", {}),
         )
     except (yaml.YAMLError, OSError) as e:
-        # Return empty config on error, caller can handle
+        # Fall back to empty config, but tell the user — a corrupt/unreadable
+        # file silently ignored looks like "my profiles disappeared"
+        logger.warning(f"Failed to load config file {path}: {e}")
+        print(
+            f"\033[93mWarning: could not read config file {path} ({type(e).__name__}) - "
+            "ignoring it. Fix or delete the file to silence this warning.\033[0m",
+            file=sys.stderr,
+        )
         return ConfigFile()
 
 
@@ -267,9 +300,6 @@ def save_config_file(config: ConfigFile, path: Optional[Path] = None) -> None:
     # Security: Create file atomically with secure permissions (0o600)
     # This prevents TOCTOU race where file could be readable between
     # creation and chmod.
-    import os
-    import sys
-    import tempfile
 
     # Write to temp file in same directory, then atomic rename
     dir_path = path.parent
@@ -283,10 +313,9 @@ def save_config_file(config: ConfigFile, path: Optional[Path] = None) -> None:
                 os.fchmod(fd, 0o600)
             with os.fdopen(fd, "w") as f:
                 yaml.dump(data, f, default_flow_style=False, sort_keys=False)
-            # Atomic rename (on Windows, need to remove target first if exists)
-            if sys.platform == "win32" and path.exists():
-                os.unlink(path)
-            os.rename(tmp_path, path)
+            # os.replace overwrites atomically on POSIX and Windows alike —
+            # no delete-then-rename window where the config doesn't exist
+            os.replace(tmp_path, path)
             # On Windows, set permissions after the fact using chmod
             if sys.platform == "win32":
                 try:
@@ -356,6 +385,7 @@ def _get_env_prefix(product: str) -> str:
         "epmw": "BT_EPM",
         "epml": "BT_EPML",
         "secrets": "BT_SECRETS",
+        "pf": "BT_PF",
     }
     return prefixes.get(product, f"BT_{product.upper()}")
 
@@ -394,6 +424,12 @@ def _get_env_mappings(product: str) -> dict[str, str]:
         # Secrets API doesn't use api_key/client_id/client_secret — drop the inherited mappings
         for unused in ("api_key", "client_id", "client_secret"):
             mappings.pop(unused, None)
+    elif product == "pf":
+        mappings["site_id"] = f"{prefix}_SITE_ID"
+        mappings["pat"] = f"{prefix}_PAT"
+        # Pathfinder uses PAT auth only — drop the inherited mappings
+        for unused in ("api_key", "client_id", "client_secret"):
+            mappings.pop(unused, None)
 
     return mappings
 

{bt_cli-0.4.53 → bt_cli-0.4.55}/src/bt_cli/core/output.py

@@ -5,6 +5,7 @@ from enum import Enum
 from typing import Any, Optional
 
 from rich.console import Console
+from rich.markup import escape
 from rich.panel import Panel
 from rich.table import Table
 
@@ -141,7 +142,7 @@ def print_success(message: str) -> None:
     Args:
         message: Message to display
     """
-    console.print(f"[green]{message}[/green]")
+    console.print(f"[green]{escape(message)}[/green]")
 
 
 def print_error(message: str) -> None:
@@ -150,7 +151,7 @@ def print_error(message: str) -> None:
     Args:
         message: Error message to display
     """
-    console.print(f"[red]Error:[/red] {message}")
+    console.print(f"[red]Error:[/red] {escape(message)}")
 
 
 def print_warning(message: str) -> None:
@@ -159,7 +160,7 @@ def print_warning(message: str) -> None:
     Args:
         message: Warning message to display
     """
-    console.print(f"[yellow]Warning:[/yellow] {message}")
+    console.print(f"[yellow]Warning:[/yellow] {escape(message)}")
 
 
 def print_info(message: str) -> None:
@@ -168,7 +169,7 @@ def print_info(message: str) -> None:
     Args:
         message: Info message to display
     """
-    console.print(f"[blue]{message}[/blue]")
+    console.print(f"[blue]{escape(message)}[/blue]")
 
 
 def confirm_action(message: str, default: bool = False) -> bool:
@@ -202,4 +203,4 @@ def print_api_error(error: Exception, operation: str) -> None:
         operation: Description of the operation that failed (e.g., "list systems")
     """
     message = handle_api_error(error, operation)
-    console.print(f"[red]Error:[/red] {message}")
+    console.print(f"[red]Error:[/red] {escape(message)}")

{bt_cli-0.4.53 → bt_cli-0.4.55}/src/bt_cli/core/prompts.py

@@ -64,10 +64,11 @@ def prompt_from_list(
         The selected ID
     """
     console.print(f"\n[bold]{title}:[/bold]")
+    id_width = max((len(str(item.get(id_key, ""))) for item in items), default=1)
     for item in items:
         item_id = item.get(id_key, "")
         item_name = item.get(name_key, "Unknown")
-        console.print(f"  {item_id}: {item_name}")
+        console.print(f"  {str(item_id):>{id_width}}: {item_name}")
     raw = typer.prompt(prompt_text, type=value_type)
     if value_type is str:
         return _clean_str(raw)  # type: ignore[return-value]