bt-cli 0.4.54__tar.gz → 0.4.55__tar.gz

{bt_cli-0.4.54 → bt_cli-0.4.55}/.github/workflows/ci.yml

@@ -16,10 +16,10 @@ jobs:
         python-version: ['3.10', '3.11', '3.12']
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -48,7 +48,7 @@ jobs:
           pytest tests/ --ignore=tests/integration -v --cov=bt_cli --cov-report=term-missing --cov-report=xml
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         if: matrix.python-version == '3.12'
         with:
           files: ./coverage.xml
@@ -58,10 +58,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.11'
 
@@ -87,10 +87,10 @@ jobs:
     if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.12'
 

{bt_cli-0.4.54 → bt_cli-0.4.55}/.github/workflows/release.yml

@@ -28,7 +28,7 @@ jobs:
       image: python:3.11-slim-bullseye
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Install build dependencies
         run: |
@@ -44,7 +44,7 @@ jobs:
         run: mv dist/bt dist/bt-linux-amd64
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: bt-linux-amd64
           path: dist/bt-linux-amd64
@@ -67,10 +67,10 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.11'
 
@@ -92,7 +92,7 @@ jobs:
         run: move dist\bt.exe dist\${{ matrix.asset_name }}
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: ${{ matrix.asset_name }}
           path: dist/${{ matrix.asset_name }}
@@ -102,10 +102,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.11'
 
@@ -121,7 +121,7 @@ jobs:
         run: twine check dist/*
 
       - name: Upload package artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: python-package
           path: dist/*
@@ -132,10 +132,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           path: artifacts
 
@@ -149,7 +149,7 @@ jobs:
           fi
 
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v3
         with:
           name: bt-cli v${{ steps.version.outputs.version }}
           tag_name: v${{ steps.version.outputs.version }}
@@ -245,7 +245,7 @@ jobs:
 
     steps:
       - name: Download package artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           name: python-package
           path: dist

{bt_cli-0.4.54 → bt_cli-0.4.55}/CLAUDE.md

@@ -1,6 +1,6 @@
 # BT-CLI
 
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, EPM Linux, and the BeyondTrust Secrets API. **Version: 0.4.54**
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, EPM Linux, and the BeyondTrust Secrets API. **Version: 0.4.55**
 
 ## Setup
 
@@ -32,6 +32,7 @@ Use these slash commands for detailed product guidance:
 | `/epmw` | EPM Windows - computers, policies, requests |
 | `/epml` | EPM Linux - RBP roles/cmdgrps/usergrps, policy, test suites, transactions |
 | `/secrets` | Secrets API - folders, static, dynamic AWS credentials, leases, integrations |
+| `/pf` | Pathfinder platform - whoami, site/product access, PAT/MCP tokens, machines |
 
 ## Command Structure
 
@@ -44,6 +45,7 @@ Use these slash commands for detailed product guidance:
 | EPM Windows | `bt epmw` | `computers`, `groups`, `policies`, `requests`, `quick` |
 | EPM Linux | `bt epml` | `rbp` (cmdgrps/hostgrps/usergrps/tmdategrps/roles/policy/tests/tx), `settings`, `users`, `audit`, `siems`, `quick` |
 | Secrets API | `bt secrets` | `folders`, `static`, `dynamic` (incl. `generate`), `leases`, `integrations` |
+| Pathfinder | `bt pf` | `whoami`, `access`, `pats`, `mcp-tokens`, `machines` |
 
 ## Common Patterns
 
@@ -89,6 +91,7 @@ PASSWORD=$(bt pws quick checkout -s server -a admin --raw)
 - **EPML role banner format**: `bt epml rbp roles create --banner-text "Title"` builds a `############`-framed message using `%rbprole%`/`%event%` server substitutions, mirroring the appliance's existing roles. See the worked role example in the EPM-L SKILL.md.
 - **Secrets dynamic path is `/dynamic`** (NOT `/dynamic-secrets` as the doc claims); version header is `2026-04-28` (NOT 2026-01-02; server also rejects every earlier dated header — bumps are mandatory, not optional); `dynamic/{name}/generate` returns 201; `/leases/revoke` is scope-gated and 403 is the expected lab response — `bt secrets leases revoke` exits 3 with a clean warning, not generic failure. Documented in `src/bt_cli/data/skills/secrets/SKILL.md`.
 - **Secrets `generate` mints real AWS STS credentials and is audited** — don't loop it in dev. Use `dynamic list`/`get` + `leases list` for browsing.
+- **PF URL mapping**: Nomine swagger paths `/api/auth/X` → gateway `https://api.beyondtrust.io/site/<site-id>/platform/auth/X`. **PATs are site-bound** (minted on the active portal site; other sites → `401 Access denied for this site`). Org-level endpoints (`auth/Users`, `auth/Auditing`, `auth/SAMLProviders`) are 403 for PAT principals; user onboarding & token create/revoke need cookie auth on app.beyondtrust.io. Details in `src/bt_cli/data/skills/pf/SKILL.md`.
 
 ## Functional vs Managed Accounts
 
@@ -118,7 +121,8 @@ src/bt_cli/
 ├── entitle/            # Entitle
 ├── epmw/               # EPM Windows
 ├── epml/               # EPM Linux (PAT auth, /site/<id>/epm/linux/... URLs)
-└── secrets/            # BeyondTrust Secrets API (PAT auth, /site/<id>/secrets/... URLs)
+├── secrets/            # BeyondTrust Secrets API (PAT auth, /site/<id>/secrets/... URLs)
+└── pf/                 # Pathfinder platform (PAT auth, /site/<id>/platform/auth/... URLs)
 ```
 
 Each product follows: `client/` (API), `commands/` (CLI), `models/` (Pydantic)

{bt_cli-0.4.54 → bt_cli-0.4.55}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bt-cli
-Version: 0.4.54
+Version: 0.4.55
 Summary: BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM
 Author-email: Dave Grendysz <dgrendysz@beyondtrust.com>
 License: MIT

{bt_cli-0.4.54 → bt_cli-0.4.55}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "bt-cli"
-version = "0.4.54"
+version = "0.4.55"
 description = "BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM"
 readme = "README.md"
 requires-python = ">=3.9"

{bt_cli-0.4.54 → bt_cli-0.4.55}/src/bt_cli/__init__.py

@@ -1,3 +1,3 @@
 """BeyondTrust Unified Admin CLI."""
 
-__version__ = "0.4.54"
+__version__ = "0.4.55"

{bt_cli-0.4.54 → bt_cli-0.4.55}/src/bt_cli/cli.py

@@ -95,6 +95,12 @@ def _get_secrets_app() -> typer.Typer:
     return secrets_app
 
 
+def _get_pf_app() -> typer.Typer:
+    """Lazy load Pathfinder platform commands."""
+    from .pf.commands import app as pf_app
+    return pf_app
+
+
 def _get_configure_app() -> typer.Typer:
     """Lazy load configure commands."""
     from .commands.configure import app as configure_app
@@ -145,6 +151,11 @@ try:
 except Exception:
     pass  # Secrets module not ready yet
 
+try:
+    app.add_typer(_get_pf_app(), name="pf", help="Pathfinder platform commands")
+except Exception:
+    pass  # PF module not ready yet
+
 try:
     app.add_typer(_get_configure_app(), name="configure", help="Configure bt-cli settings")
 except Exception:
@@ -299,9 +310,9 @@ def tree_command(
 
     if product:
         product = product.lower()
-        if product not in ["pws", "pra", "entitle", "epmw", "epml", "secrets", "quick", "configure"]:
+        if product not in ["pws", "pra", "entitle", "epmw", "epml", "secrets", "pf", "quick", "configure"]:
             console.print(f"[red]Unknown product: {product}[/red]")
-            console.print("Available: pws, pra, entitle, epmw, epml, secrets, quick, configure")
+            console.print("Available: pws, pra, entitle, epmw, epml, secrets, pf, quick, configure")
             raise typer.Exit(1)
 
     tree = Tree("[bold cyan]bt[/bold cyan]")
@@ -868,6 +879,11 @@ def whoami(
     if secrets_result:
         results.append(secrets_result)
 
+    # Test Pathfinder platform
+    pf_result = _test_pf_connection()
+    if pf_result:
+        results.append(pf_result)
+
     if not results:
         console.print("[yellow]No products configured.[/yellow]")
         console.print("\nTo configure products, set environment variables or run:")
@@ -1108,6 +1124,39 @@ def _test_secrets_connection() -> Optional[dict]:
         }
 
 
+def _test_pf_connection() -> Optional[dict]:
+    """Test Pathfinder platform connection and return status."""
+    try:
+        from .core.config import load_pf_config
+        from .pf.client import get_client
+
+        config = load_pf_config()
+        masked_pat = config.pat[:12] + "..." if len(config.pat) > 12 else "***"
+        result = {
+            "product": "Pathfinder",
+            "url": f"{config.api_url}/site/{config.site_id}/platform",
+            "auth_method": f"PAT ({masked_pat})",
+            "connected": False,
+        }
+
+        with get_client() as client:
+            info = client.get_user_info() or {}
+            result["connected"] = True
+            result["user_info"] = f"{info.get('email', '?')} ({info.get('role', '?')})"
+
+        return result
+    except ValueError:
+        return None
+    except Exception as e:
+        return {
+            "product": "Pathfinder",
+            "url": "",
+            "auth_method": "-",
+            "connected": False,
+            "error": str(e)[:50],
+        }
+
+
 def run() -> None:
     """Run the CLI application."""
     app()

{bt_cli-0.4.54 → bt_cli-0.4.55}/src/bt_cli/commands/configure.py

@@ -172,6 +172,10 @@ def _configure_interactive(
         if "example" in field_info:
             console.print(f"  [dim]Example: {field_info['example']}[/dim]")
 
+        # Show how-to-find-it hint if available
+        if "hint" in field_info:
+            console.print(f"  [dim]{field_info['hint']}[/dim]")
+
         # Handle boolean fields
         if isinstance(default, bool):
             value = Confirm.ask(prompt_text, default=default)

{bt_cli-0.4.54 → bt_cli-0.4.55}/src/bt_cli/core/config.py

@@ -146,6 +146,33 @@ class SecretsConfig(ProductConfig):
             raise ValueError("BT_SECRETS_PAT is required")
 
 
+@dataclass
+class PFConfig(ProductConfig):
+    """Pathfinder platform (Nomine auth service) configuration.
+
+    Uses Personal Access Token (PAT) bearer authentication against the
+    BeyondTrust public API gateway. URLs are composed as:
+
+        {api_url}/site/{site_id}/platform/auth/<path>
+
+    PATs are bound to the site that was active in the Pathfinder portal
+    when they were minted — a PAT for one site gets
+    `401 Access denied for this site` on every other site's paths.
+    """
+
+    site_id: str = ""
+    pat: str = ""
+
+    def validate(self) -> None:
+        """Validate configuration."""
+        if not self.api_url:
+            raise ValueError("BT_PF_API_URL is required")
+        if not self.site_id:
+            raise ValueError("BT_PF_SITE_ID is required")
+        if not self.pat:
+            raise ValueError("BT_PF_PAT is required")
+
+
 @dataclass
 class EPMLConfig(ProductConfig):
     """EPM Linux configuration.
@@ -545,6 +572,42 @@ def load_secrets_config(env_file: Optional[str] = None, profile: Optional[str] =
     return config
 
 
+def load_pf_config(env_file: Optional[str] = None, profile: Optional[str] = None) -> PFConfig:
+    """Load Pathfinder platform configuration.
+
+    Configuration sources (in order of precedence):
+        1. Environment variables
+        2. Config file (~/.bt-cli/config.yaml)
+
+    Environment variables:
+        BT_PF_API_URL      - Gateway URL (default: https://api.beyondtrust.io)
+        BT_PF_SITE_ID      - Site UUID the PAT was minted on (required)
+        BT_PF_PAT          - Personal Access Token (required)
+        BT_PF_VERIFY_SSL   - SSL verification (default: true)
+        BT_PF_TIMEOUT      - Request timeout in seconds (default: 30)
+    """
+    if env_file:
+        load_dotenv(env_file)
+    else:
+        load_dotenv()
+
+    profile = profile or _get_profile()
+    layered = get_layered_config("pf", profile)
+
+    if "pat" in layered:
+        layered["pat"] = _resolve_value(layered["pat"])
+
+    config = PFConfig(
+        api_url=_strip_controls(layered.get("api_url") or os.getenv("BT_PF_API_URL", "https://api.beyondtrust.io")),
+        site_id=_strip_controls(layered.get("site_id") or os.getenv("BT_PF_SITE_ID", "")),
+        pat=_strip_controls(layered.get("pat") or os.getenv("BT_PF_PAT", "")),
+        verify_ssl=_to_bool(layered.get("verify_ssl")) if "verify_ssl" in layered else _get_bool(os.getenv("BT_PF_VERIFY_SSL")),
+        timeout=_to_float(layered.get("timeout")) if "timeout" in layered else _get_float(os.getenv("BT_PF_TIMEOUT"), 30.0),
+    )
+    config.validate()
+    return config
+
+
 def load_config(product: str, env_file: Optional[str] = None) -> ProductConfig:
     """Load configuration for a specific product.
 
@@ -565,6 +628,7 @@ def load_config(product: str, env_file: Optional[str] = None) -> ProductConfig:
         "epmw": load_epmw_config,
         "epml": load_epml_config,
         "secrets": load_secrets_config,
+        "pf": load_pf_config,
     }
 
     loader = loaders.get(product.lower())

{bt_cli-0.4.54 → bt_cli-0.4.55}/src/bt_cli/core/config_file.py

@@ -112,6 +112,7 @@ PRODUCTS = {
                 "required": True,
                 "secret": False,
                 "example": "7f735e1b-5ecb-49fa-87e8-eddf54a9c745",
+                "hint": "Find yours: log into app.beyondtrust.io, choose your site, then browse to https://app.beyondtrust.io/api/platform/currentSite",
             },
             "pat": {"prompt": "Personal Access Token", "required": True, "secret": True},
             "api_version": {
@@ -124,6 +125,28 @@ PRODUCTS = {
             "timeout": {"prompt": "Timeout (seconds)", "required": False, "secret": False, "default": 30},
         },
     },
+    "pf": {
+        "name": "Pathfinder Platform",
+        "fields": {
+            "api_url": {
+                "prompt": "Gateway URL",
+                "required": True,
+                "secret": False,
+                "default": "https://api.beyondtrust.io",
+                "example": "https://api.beyondtrust.io",
+            },
+            "site_id": {
+                "prompt": "Site ID (UUID — the site the PAT was minted on)",
+                "required": True,
+                "secret": False,
+                "example": "6a7546a7-e111-4fe3-bc14-d6de9c2177b9",
+                "hint": "Find yours: log into app.beyondtrust.io, choose your site, then browse to https://app.beyondtrust.io/api/platform/currentSite",
+            },
+            "pat": {"prompt": "Personal Access Token", "required": True, "secret": True},
+            "verify_ssl": {"prompt": "Verify SSL", "required": False, "secret": False, "default": True},
+            "timeout": {"prompt": "Timeout (seconds)", "required": False, "secret": False, "default": 30},
+        },
+    },
     "epml": {
         "name": "EPM Linux",
         "fields": {
@@ -139,6 +162,7 @@ PRODUCTS = {
                 "required": True,
                 "secret": False,
                 "example": "c882e07c-753b-4fcd-a1e6-7d39defec5ae",
+                "hint": "Find yours: log into app.beyondtrust.io, choose your site, then browse to https://app.beyondtrust.io/api/platform/currentSite",
             },
             "pat": {"prompt": "Personal Access Token", "required": True, "secret": True},
             "default_host_id": {
@@ -361,6 +385,7 @@ def _get_env_prefix(product: str) -> str:
         "epmw": "BT_EPM",
         "epml": "BT_EPML",
         "secrets": "BT_SECRETS",
+        "pf": "BT_PF",
     }
     return prefixes.get(product, f"BT_{product.upper()}")
 
@@ -399,6 +424,12 @@ def _get_env_mappings(product: str) -> dict[str, str]:
         # Secrets API doesn't use api_key/client_id/client_secret — drop the inherited mappings
         for unused in ("api_key", "client_id", "client_secret"):
             mappings.pop(unused, None)
+    elif product == "pf":
+        mappings["site_id"] = f"{prefix}_SITE_ID"
+        mappings["pat"] = f"{prefix}_PAT"
+        # Pathfinder uses PAT auth only — drop the inherited mappings
+        for unused in ("api_key", "client_id", "client_secret"):
+            mappings.pop(unused, None)
 
     return mappings
 

{bt_cli-0.4.54 → bt_cli-0.4.55}/src/bt_cli/data/skills/epml/SKILL.md

@@ -98,8 +98,20 @@ bt epml iolog list -H 200 --start 0 --len 200
 bt epml client-pkg list                            # signed S3 URLs (~30min TTL)
 bt epml client-pkg status                          # build queue
 bt epml client-pkg link epml-client.x86_64.rpm
+bt epml client-pkg build --wait                    # trigger build, poll to done (~15min max)
+bt epml client-pkg download --all -d ./pkgs        # fetch via pre-signed link (NO auth header)
+bt epml client-pkg download epml-client.x86_64.rpm
+bt epml client-pkg install-token --expiry 480      # agent registration JWT (pbactivate -t <token>)
+TOKEN=$(bt epml client-pkg install-token --raw)    # scripting
+bt epml quick agent-setup -d ./pkgs --expiry 480   # list→build-if-empty→download-all→token
 ```
 
+**Agent onboarding notes:** installation token expiry is minutes, 30–525600 (one
+year); the token is a JWT consumed by `pbactivate -t <token>` on the endpoint.
+Package download links are pre-signed S3 URLs that expire ~30 min after listing
+and REJECT requests carrying an `Authorization` header — the CLI handles both
+(fresh listing + headerless download).
+
 ## RBP — Role-Based Policy
 
 All under `/api/pbul/{hostid}/rbp/...` (default host = `BT_EPML_DEFAULT_HOST`).

bt_cli-0.4.55/src/bt_cli/data/skills/pf/SKILL.md

@@ -0,0 +1,76 @@
+---
+name: pf
+description: Pathfinder platform commands — whoami, site/product access, PAT/MCP token listing, machine registry. Use when working with the Pathfinder portal API (Nomine), platform PATs, site IDs, or registered machine identities.
+---
+
+# Pathfinder Platform (`bt pf`)
+
+The Pathfinder platform API (internal name: **Nomine**) manages the BeyondTrust
+cloud portal layer: users, sites, product access, tokens, and machine
+identities. `bt pf` talks to it through the public API gateway with PAT auth —
+the same pattern as `bt secrets` / `bt epml`.
+
+## Configuration
+
+```bash
+export BT_PF_API_URL=https://api.beyondtrust.io   # default
+export BT_PF_SITE_ID=<site-uuid>                  # required — the site the PAT was minted on
+export BT_PF_PAT=PAT_xxx                          # required (mint at app.beyondtrust.io → Manage Profile)
+```
+
+Site ID discovery: log into app.beyondtrust.io, choose your site, then browse
+to `https://app.beyondtrust.io/api/platform/currentSite`.
+
+## URL mapping (the thing everyone gets wrong)
+
+The Nomine swagger writes paths as `/api/auth/X`. On the gateway the product
+segment is `platform` and the `auth/` prefix stays:
+
+    spec /api/auth/UserInfo  →  https://api.beyondtrust.io/site/<site-id>/platform/auth/UserInfo
+
+**PATs are site-bound**: minted while a site is active in the portal, valid
+only for that site's `/site/<id>/...` paths. Any other site → `401 Access
+denied for this site`. A just-minted PAT can take ~1s to propagate
+(transient `401 Personal access token not found` — retry once).
+
+## Commands
+
+```bash
+bt pf auth test            # connectivity + PAT validity
+bt pf whoami               # UserInfo for the PAT owner
+bt pf access               # site + product access rules (also -o json)
+bt pf pats list            # PATs (values masked; --show-tokens to reveal)
+bt pf mcp-tokens list      # MCP tokens (same masking)
+bt pf machines list        # registered machine IDs
+bt pf machines get <uuid>  # one machine's record (secret hash never shown)
+```
+
+## What works over PAT vs what doesn't (verified 2026-06-11)
+
+| Endpoint | PAT result |
+|----------|------------|
+| `auth/UserInfo`, `auth/User/Access`, `auth/User/Token`, `auth/User/McpToken` | 200 — any valid PAT |
+| `auth/Machine`, `auth/Machine/{id}` | 200 — only with a PAT from a product-bearing site (Administration-site PATs get 403) |
+| `auth/Users`, `auth/SAMLProviders`, `auth/Auditing` | 403 — org-level, blocked for PAT principals regardless of scopes seen so far |
+| `auth/UserInvitation` | 405 on GET (POST-only; reachable — onboarding over PAT untested) |
+
+PAT `access` scopes are the lowercase product IDs of the mint site (visible in
+`bt pf pats list`). The org-level 403s may require a scope no UI-minted PAT
+carries — unresolved.
+
+## Machines
+
+Platform machine identities: non-user principals (machineId + machineSecret)
+used by agents/integrations to authenticate. `POST
+login.beyondtrust.io/bt.identity/Machine/AccessToken {machineId,
+machineSecret}` → 30-min JWT (machineEndpoints.* scopes only). Records carry
+an activation-token lifecycle (created/expiration) and `active` flag —
+an entry with `active: false` and a pending activation token was registered
+but never activated.
+
+## Not exposed via PAT (cookie-auth only, app.beyondtrust.io/api/auth/*)
+
+User onboarding (UserInvitation POST + Accept), PAT/MCP token creation and
+revocation, user listing, auditing, SAML providers. These need the `access`
+session cookie (browser JWT ~5min TTL, or the programmatic
+SignIn → /session/login flow — password-auth users only, not federated).

{bt_cli-0.4.54 → bt_cli-0.4.55}/src/bt_cli/epml/client/base.py

@@ -232,6 +232,49 @@ class EPMLClient:
         """GET /api/epml/clientpkg/status — `{building: bool}` build queue status."""
         return self.get("/api/epml/clientpkg/status")
 
+    def trigger_client_package_build(self) -> Any:
+        """POST /api/epml/clientpkg — queue a fresh client package build.
+
+        Builds usually finish within a few minutes but can take ~15 during
+        busy periods. Poll `get_client_package_status()` until building=false.
+        """
+        return self.post("/api/epml/clientpkg")
+
+    def download_package(self, link: str, dest_path: str) -> int:
+        """Download a client package from its pre-signed S3 link.
+
+        Pre-signed URLs carry their own authorization and REJECT requests
+        that also include an Authorization header — so unlike every other
+        call, this one sends no auth. Links expire ~30 minutes after the
+        package listing that produced them.
+
+        Returns:
+            Number of bytes written to dest_path.
+        """
+        bytes_written = 0
+        with self._client.stream("GET", link, follow_redirects=True) as response:
+            response.raise_for_status()
+            with open(dest_path, "wb") as f:
+                for chunk in response.iter_bytes():
+                    f.write(chunk)
+                    bytes_written += len(chunk)
+        return bytes_written
+
+    # ----- Installation tokens (agent registration) -----------------------
+
+    def get_installation_token(self, expiry: int) -> Dict[str, Any]:
+        """GET /api/btplatform/installationtoken — short-lived agent registration JWT.
+
+        Args:
+            expiry: Token lifetime in minutes, 30 (half an hour) to
+                525600 (one year). Required by the API.
+
+        Returns:
+            ``{"token": "eyJ..."}`` — passed to ``pbactivate -t <token>``
+            on the endpoint being registered.
+        """
+        return self.get("/api/btplatform/installationtoken", params={"expiry": expiry})
+
     # ----- License clients (installed agents) ----------------------------
 
     def list_license_clients(self, host_id: Optional[int] = None) -> Dict[str, Any]: