bt-cli 0.4.54__tar.gz → 0.4.56__tar.gz

{bt_cli-0.4.54 → bt_cli-0.4.56}/.github/workflows/ci.yml

@@ -16,10 +16,10 @@ jobs:
         python-version: ['3.10', '3.11', '3.12']
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -48,7 +48,7 @@ jobs:
           pytest tests/ --ignore=tests/integration -v --cov=bt_cli --cov-report=term-missing --cov-report=xml
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         if: matrix.python-version == '3.12'
         with:
           files: ./coverage.xml
@@ -58,10 +58,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.11'
 
@@ -87,10 +87,10 @@ jobs:
     if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.12'
 

{bt_cli-0.4.54 → bt_cli-0.4.56}/.github/workflows/release.yml

@@ -28,7 +28,7 @@ jobs:
       image: python:3.11-slim-bullseye
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Install build dependencies
         run: |
@@ -44,7 +44,7 @@ jobs:
         run: mv dist/bt dist/bt-linux-amd64
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: bt-linux-amd64
           path: dist/bt-linux-amd64
@@ -67,10 +67,10 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.11'
 
@@ -92,7 +92,7 @@ jobs:
         run: move dist\bt.exe dist\${{ matrix.asset_name }}
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: ${{ matrix.asset_name }}
           path: dist/${{ matrix.asset_name }}
@@ -102,10 +102,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.11'
 
@@ -121,7 +121,7 @@ jobs:
         run: twine check dist/*
 
       - name: Upload package artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: python-package
           path: dist/*
@@ -132,10 +132,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           path: artifacts
 
@@ -149,7 +149,7 @@ jobs:
           fi
 
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v3
         with:
           name: bt-cli v${{ steps.version.outputs.version }}
           tag_name: v${{ steps.version.outputs.version }}
@@ -245,7 +245,7 @@ jobs:
 
     steps:
       - name: Download package artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v8
         with:
           name: python-package
           path: dist

{bt_cli-0.4.54 → bt_cli-0.4.56}/CLAUDE.md

@@ -1,6 +1,6 @@
 # BT-CLI
 
-BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, EPM Linux, and the BeyondTrust Secrets API. **Version: 0.4.54**
+BeyondTrust Platform CLI for Password Safe, Entitle, PRA, EPM Windows, EPM Linux, and the BeyondTrust Secrets API. **Version: 0.4.56**
 
 ## Setup
 
@@ -32,6 +32,7 @@ Use these slash commands for detailed product guidance:
 | `/epmw` | EPM Windows - computers, policies, requests |
 | `/epml` | EPM Linux - RBP roles/cmdgrps/usergrps, policy, test suites, transactions |
 | `/secrets` | Secrets API - folders, static, dynamic AWS credentials, leases, integrations |
+| `/pf` | Pathfinder platform - whoami, site/product access, PAT/MCP tokens, machines |
 
 ## Command Structure
 
@@ -44,6 +45,7 @@ Use these slash commands for detailed product guidance:
 | EPM Windows | `bt epmw` | `computers`, `groups`, `policies`, `requests`, `quick` |
 | EPM Linux | `bt epml` | `rbp` (cmdgrps/hostgrps/usergrps/tmdategrps/roles/policy/tests/tx), `settings`, `users`, `audit`, `siems`, `quick` |
 | Secrets API | `bt secrets` | `folders`, `static`, `dynamic` (incl. `generate`), `leases`, `integrations` |
+| Pathfinder | `bt pf` | `whoami`, `access`, `pats`, `mcp-tokens`, `machines` |
 
 ## Common Patterns
 
@@ -89,6 +91,7 @@ PASSWORD=$(bt pws quick checkout -s server -a admin --raw)
 - **EPML role banner format**: `bt epml rbp roles create --banner-text "Title"` builds a `############`-framed message using `%rbprole%`/`%event%` server substitutions, mirroring the appliance's existing roles. See the worked role example in the EPM-L SKILL.md.
 - **Secrets dynamic path is `/dynamic`** (NOT `/dynamic-secrets` as the doc claims); version header is `2026-04-28` (NOT 2026-01-02; server also rejects every earlier dated header — bumps are mandatory, not optional); `dynamic/{name}/generate` returns 201; `/leases/revoke` is scope-gated and 403 is the expected lab response — `bt secrets leases revoke` exits 3 with a clean warning, not generic failure. Documented in `src/bt_cli/data/skills/secrets/SKILL.md`.
 - **Secrets `generate` mints real AWS STS credentials and is audited** — don't loop it in dev. Use `dynamic list`/`get` + `leases list` for browsing.
+- **PF URL mapping**: Nomine swagger paths `/api/auth/X` → gateway `https://api.beyondtrust.io/site/<site-id>/platform/auth/X`. **PATs are site-bound** (minted on the active portal site; other sites → `401 Access denied for this site`). Org-level endpoints (`auth/Users`, `auth/Auditing`, `auth/SAMLProviders`) are 403 for PAT principals; user onboarding & token create/revoke need cookie auth on app.beyondtrust.io. Details in `src/bt_cli/data/skills/pf/SKILL.md`.
 
 ## Functional vs Managed Accounts
 
@@ -118,7 +121,8 @@ src/bt_cli/
 ├── entitle/            # Entitle
 ├── epmw/               # EPM Windows
 ├── epml/               # EPM Linux (PAT auth, /site/<id>/epm/linux/... URLs)
-└── secrets/            # BeyondTrust Secrets API (PAT auth, /site/<id>/secrets/... URLs)
+├── secrets/            # BeyondTrust Secrets API (PAT auth, /site/<id>/secrets/... URLs)
+└── pf/                 # Pathfinder platform (PAT auth, /site/<id>/platform/auth/... URLs)
 ```
 
 Each product follows: `client/` (API), `commands/` (CLI), `models/` (Pydantic)

{bt_cli-0.4.54 → bt_cli-0.4.56}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bt-cli
-Version: 0.4.54
+Version: 0.4.56
 Summary: BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM
 Author-email: Dave Grendysz <dgrendysz@beyondtrust.com>
 License: MIT

{bt_cli-0.4.54 → bt_cli-0.4.56}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "bt-cli"
-version = "0.4.54"
+version = "0.4.56"
 description = "BeyondTrust Platform CLI (unofficial) - Password Safe, Entitle, PRA, EPM"
 readme = "README.md"
 requires-python = ">=3.9"

{bt_cli-0.4.54 → bt_cli-0.4.56}/src/bt_cli/__init__.py

@@ -1,3 +1,3 @@
 """BeyondTrust Unified Admin CLI."""
 
-__version__ = "0.4.54"
+__version__ = "0.4.56"

{bt_cli-0.4.54 → bt_cli-0.4.56}/src/bt_cli/cli.py

@@ -95,6 +95,12 @@ def _get_secrets_app() -> typer.Typer:
     return secrets_app
 
 
+def _get_pf_app() -> typer.Typer:
+    """Lazy load Pathfinder platform commands."""
+    from .pf.commands import app as pf_app
+    return pf_app
+
+
 def _get_configure_app() -> typer.Typer:
     """Lazy load configure commands."""
     from .commands.configure import app as configure_app
@@ -145,6 +151,11 @@ try:
 except Exception:
     pass  # Secrets module not ready yet
 
+try:
+    app.add_typer(_get_pf_app(), name="pf", help="Pathfinder platform commands")
+except Exception:
+    pass  # PF module not ready yet
+
 try:
     app.add_typer(_get_configure_app(), name="configure", help="Configure bt-cli settings")
 except Exception:
@@ -299,9 +310,9 @@ def tree_command(
 
     if product:
         product = product.lower()
-        if product not in ["pws", "pra", "entitle", "epmw", "epml", "secrets", "quick", "configure"]:
+        if product not in ["pws", "pra", "entitle", "epmw", "epml", "secrets", "pf", "quick", "configure"]:
             console.print(f"[red]Unknown product: {product}[/red]")
-            console.print("Available: pws, pra, entitle, epmw, epml, secrets, quick, configure")
+            console.print("Available: pws, pra, entitle, epmw, epml, secrets, pf, quick, configure")
             raise typer.Exit(1)
 
     tree = Tree("[bold cyan]bt[/bold cyan]")
@@ -868,6 +879,11 @@ def whoami(
     if secrets_result:
         results.append(secrets_result)
 
+    # Test Pathfinder platform
+    pf_result = _test_pf_connection()
+    if pf_result:
+        results.append(pf_result)
+
     if not results:
         console.print("[yellow]No products configured.[/yellow]")
         console.print("\nTo configure products, set environment variables or run:")
@@ -1108,6 +1124,39 @@ def _test_secrets_connection() -> Optional[dict]:
         }
 
 
+def _test_pf_connection() -> Optional[dict]:
+    """Test Pathfinder platform connection and return status."""
+    try:
+        from .core.config import load_pf_config
+        from .pf.client import get_client
+
+        config = load_pf_config()
+        masked_pat = config.pat[:12] + "..." if len(config.pat) > 12 else "***"
+        result = {
+            "product": "Pathfinder",
+            "url": f"{config.api_url}/site/{config.site_id}/platform",
+            "auth_method": f"PAT ({masked_pat})",
+            "connected": False,
+        }
+
+        with get_client() as client:
+            info = client.get_user_info() or {}
+            result["connected"] = True
+            result["user_info"] = f"{info.get('email', '?')} ({info.get('role', '?')})"
+
+        return result
+    except ValueError:
+        return None
+    except Exception as e:
+        return {
+            "product": "Pathfinder",
+            "url": "",
+            "auth_method": "-",
+            "connected": False,
+            "error": str(e)[:50],
+        }
+
+
 def run() -> None:
     """Run the CLI application."""
     app()

{bt_cli-0.4.54 → bt_cli-0.4.56}/src/bt_cli/commands/configure.py

@@ -57,6 +57,15 @@ def configure_callback(
         help="Entitle user-context API key, only required for `bt entitle requests create` "
         "(visible in shell history/process list — prefer interactive `bt configure`)",
     ),
+    site_id: Optional[str] = typer.Option(
+        None, "--site-id", help="Site UUID (pf, secrets, epml)"
+    ),
+    pat: Optional[str] = typer.Option(
+        None,
+        "--pat",
+        help="Personal Access Token (pf, secrets, epml) — visible in shell "
+        "history/process list; prefer interactive `bt configure`",
+    ),
     show_input: bool = typer.Option(
         False,
         "--show-input",
@@ -84,18 +93,25 @@ def configure_callback(
         return
 
     # Check if any non-interactive flags were provided
-    has_flags = any([api_url, client_id, client_secret, api_key, user_api_key])
+    has_flags = any([api_url, client_id, client_secret, api_key, user_api_key, site_id, pat])
 
     if has_flags and product:
         # Non-interactive mode with flags
         _configure_with_flags(
-            product, profile, api_url, client_id, client_secret, api_key, user_api_key
+            product, profile, api_url, client_id, client_secret, api_key, user_api_key,
+            site_id, pat,
         )
     else:
         # Interactive mode
         _configure_interactive(product, profile, show_input=show_input)
 
 
+def _confirm_received(value: str) -> None:
+    """Echo a masked confirmation so the user knows a hidden paste landed."""
+    hint = "****" + value[-4:] if len(value) > 4 else "****"
+    console.print(f"  [dim]Received {len(value)} characters ({hint})[/dim]")
+
+
 def _configure_interactive(
     product: Optional[str] = None,
     profile: Optional[str] = None,
@@ -172,6 +188,10 @@ def _configure_interactive(
         if "example" in field_info:
             console.print(f"  [dim]Example: {field_info['example']}[/dim]")
 
+        # Show how-to-find-it hint if available
+        if "hint" in field_info:
+            console.print(f"  [dim]{field_info['hint']}[/dim]")
+
         # Handle boolean fields
         if isinstance(default, bool):
             value = Confirm.ask(prompt_text, default=default)
@@ -192,6 +212,8 @@ def _configure_interactive(
                 else:
                     hint = "****" + existing_val[-4:] if len(existing_val) > 4 else "****"
                     console.print(f"  [dim](current: {hint}, press Enter to keep)[/dim]")
+            if not show_input:
+                console.print("  [dim](input hidden — nothing echoes while you type/paste)[/dim]")
             value = Prompt.ask(
                 prompt_text,
                 password=not show_input,
@@ -199,6 +221,19 @@ def _configure_interactive(
             )
             if not value and default:
                 value = default
+            elif value:
+                _confirm_received(value)
+            elif field_info.get("required") and not show_input:
+                # Hidden prompts don't receive pastes on some terminals (notably
+                # Windows consoles) — offer a visible retry instead of failing.
+                if Confirm.ask(
+                    "  Nothing received — paste may not work with hidden input. "
+                    "Retry with input visible?",
+                    default=True,
+                ):
+                    value = Prompt.ask(prompt_text, default="")
+                    if value:
+                        _confirm_received(value)
         # Handle regular fields
         else:
             value = Prompt.ask(
@@ -251,6 +286,8 @@ def _configure_with_flags(
     client_secret: Optional[str],
     api_key: Optional[str],
     user_api_key: Optional[str] = None,
+    site_id: Optional[str] = None,
+    pat: Optional[str] = None,
 ) -> None:
     """Configure using command-line flags (non-interactive)."""
     if product not in PRODUCTS:
@@ -277,6 +314,17 @@ def _configure_with_flags(
             print_error("--user-api-key is only valid for product=entitle")
             raise typer.Exit(2)
         new_config["user_api_key"] = user_api_key
+    pat_products = ("pf", "secrets", "epml")
+    if site_id is not None:
+        if product not in pat_products:
+            print_error(f"--site-id is only valid for product={'|'.join(pat_products)}")
+            raise typer.Exit(2)
+        new_config["site_id"] = site_id
+    if pat is not None:
+        if product not in pat_products:
+            print_error(f"--pat is only valid for product={'|'.join(pat_products)}")
+            raise typer.Exit(2)
+        new_config["pat"] = pat
 
     # Infer auth method
     if api_key:
@@ -326,6 +374,24 @@ def _test_connection(product: str, profile: str) -> None:
                 client.get("/Computers", params={"pageSize": 1})
             print_success("EPM Windows connection successful!")
 
+        elif product == "epml":
+            from ..epml.client import get_client
+            with get_client() as client:
+                client.get_settings()
+            print_success("EPM Linux connection successful!")
+
+        elif product == "secrets":
+            from ..secrets.client import get_client
+            with get_client() as client:
+                client.list_folders()
+            print_success("Secrets API connection successful!")
+
+        elif product == "pf":
+            from ..pf.client import get_client
+            with get_client() as client:
+                info = client.get_user_info() or {}
+            print_success(f"Pathfinder connection successful! ({info.get('email', '?')})")
+
     except Exception as e:
         print_error(f"Connection failed: {e}")
 
@@ -371,7 +437,7 @@ def show_config(
             first = True
             for key, value in settings.items():
                 # Mask secrets
-                if not show_secrets and any(s in key for s in ["secret", "key", "password"]):
+                if not show_secrets and (key == "pat" or any(s in key for s in ["secret", "key", "password"])):
                     if isinstance(value, str) and value.startswith("keyring://"):
                         display_value = "[dim]<stored in keyring>[/dim]"
                     else:
@@ -595,7 +661,7 @@ def show_effective_config(
     def mask_secret(key: str, value: str) -> str:
         if not value:
             return "[dim]not set[/dim]"
-        if not show_secrets and any(s in key.lower() for s in ["secret", "key", "password"]):
+        if not show_secrets and (key.lower() == "pat" or any(s in key.lower() for s in ["secret", "key", "password"])):
             return "****" + value[-4:] if len(value) > 4 else "****"
         return value
 

{bt_cli-0.4.54 → bt_cli-0.4.56}/src/bt_cli/core/config.py

@@ -146,6 +146,33 @@ class SecretsConfig(ProductConfig):
             raise ValueError("BT_SECRETS_PAT is required")
 
 
+@dataclass
+class PFConfig(ProductConfig):
+    """Pathfinder platform (Nomine auth service) configuration.
+
+    Uses Personal Access Token (PAT) bearer authentication against the
+    BeyondTrust public API gateway. URLs are composed as:
+
+        {api_url}/site/{site_id}/platform/auth/<path>
+
+    PATs are bound to the site that was active in the Pathfinder portal
+    when they were minted — a PAT for one site gets
+    `401 Access denied for this site` on every other site's paths.
+    """
+
+    site_id: str = ""
+    pat: str = ""
+
+    def validate(self) -> None:
+        """Validate configuration."""
+        if not self.api_url:
+            raise ValueError("BT_PF_API_URL is required")
+        if not self.site_id:
+            raise ValueError("BT_PF_SITE_ID is required")
+        if not self.pat:
+            raise ValueError("BT_PF_PAT is required")
+
+
 @dataclass
 class EPMLConfig(ProductConfig):
     """EPM Linux configuration.
@@ -545,6 +572,42 @@ def load_secrets_config(env_file: Optional[str] = None, profile: Optional[str] =
     return config
 
 
+def load_pf_config(env_file: Optional[str] = None, profile: Optional[str] = None) -> PFConfig:
+    """Load Pathfinder platform configuration.
+
+    Configuration sources (in order of precedence):
+        1. Environment variables
+        2. Config file (~/.bt-cli/config.yaml)
+
+    Environment variables:
+        BT_PF_API_URL      - Gateway URL (default: https://api.beyondtrust.io)
+        BT_PF_SITE_ID      - Site UUID the PAT was minted on (required)
+        BT_PF_PAT          - Personal Access Token (required)
+        BT_PF_VERIFY_SSL   - SSL verification (default: true)
+        BT_PF_TIMEOUT      - Request timeout in seconds (default: 30)
+    """
+    if env_file:
+        load_dotenv(env_file)
+    else:
+        load_dotenv()
+
+    profile = profile or _get_profile()
+    layered = get_layered_config("pf", profile)
+
+    if "pat" in layered:
+        layered["pat"] = _resolve_value(layered["pat"])
+
+    config = PFConfig(
+        api_url=_strip_controls(layered.get("api_url") or os.getenv("BT_PF_API_URL", "https://api.beyondtrust.io")),
+        site_id=_strip_controls(layered.get("site_id") or os.getenv("BT_PF_SITE_ID", "")),
+        pat=_strip_controls(layered.get("pat") or os.getenv("BT_PF_PAT", "")),
+        verify_ssl=_to_bool(layered.get("verify_ssl")) if "verify_ssl" in layered else _get_bool(os.getenv("BT_PF_VERIFY_SSL")),
+        timeout=_to_float(layered.get("timeout")) if "timeout" in layered else _get_float(os.getenv("BT_PF_TIMEOUT"), 30.0),
+    )
+    config.validate()
+    return config
+
+
 def load_config(product: str, env_file: Optional[str] = None) -> ProductConfig:
     """Load configuration for a specific product.
 
@@ -565,6 +628,7 @@ def load_config(product: str, env_file: Optional[str] = None) -> ProductConfig:
         "epmw": load_epmw_config,
         "epml": load_epml_config,
         "secrets": load_secrets_config,
+        "pf": load_pf_config,
     }
 
     loader = loaders.get(product.lower())

{bt_cli-0.4.54 → bt_cli-0.4.56}/src/bt_cli/core/config_file.py

@@ -112,6 +112,7 @@ PRODUCTS = {
                 "required": True,
                 "secret": False,
                 "example": "7f735e1b-5ecb-49fa-87e8-eddf54a9c745",
+                "hint": "Find yours: log into app.beyondtrust.io, choose your site, then browse to https://app.beyondtrust.io/api/platform/currentSite",
             },
             "pat": {"prompt": "Personal Access Token", "required": True, "secret": True},
             "api_version": {
@@ -124,6 +125,28 @@ PRODUCTS = {
             "timeout": {"prompt": "Timeout (seconds)", "required": False, "secret": False, "default": 30},
         },
     },
+    "pf": {
+        "name": "Pathfinder Platform",
+        "fields": {
+            "api_url": {
+                "prompt": "Gateway URL",
+                "required": True,
+                "secret": False,
+                "default": "https://api.beyondtrust.io",
+                "example": "https://api.beyondtrust.io",
+            },
+            "site_id": {
+                "prompt": "Site ID (UUID — the site the PAT was minted on)",
+                "required": True,
+                "secret": False,
+                "example": "6a7546a7-e111-4fe3-bc14-d6de9c2177b9",
+                "hint": "Find yours: log into app.beyondtrust.io, choose your site, then browse to https://app.beyondtrust.io/api/platform/currentSite",
+            },
+            "pat": {"prompt": "Personal Access Token", "required": True, "secret": True},
+            "verify_ssl": {"prompt": "Verify SSL", "required": False, "secret": False, "default": True},
+            "timeout": {"prompt": "Timeout (seconds)", "required": False, "secret": False, "default": 30},
+        },
+    },
     "epml": {
         "name": "EPM Linux",
         "fields": {
@@ -139,6 +162,7 @@ PRODUCTS = {
                 "required": True,
                 "secret": False,
                 "example": "c882e07c-753b-4fcd-a1e6-7d39defec5ae",
+                "hint": "Find yours: log into app.beyondtrust.io, choose your site, then browse to https://app.beyondtrust.io/api/platform/currentSite",
             },
             "pat": {"prompt": "Personal Access Token", "required": True, "secret": True},
             "default_host_id": {
@@ -361,6 +385,7 @@ def _get_env_prefix(product: str) -> str:
         "epmw": "BT_EPM",
         "epml": "BT_EPML",
         "secrets": "BT_SECRETS",
+        "pf": "BT_PF",
     }
     return prefixes.get(product, f"BT_{product.upper()}")
 
@@ -399,6 +424,12 @@ def _get_env_mappings(product: str) -> dict[str, str]:
         # Secrets API doesn't use api_key/client_id/client_secret — drop the inherited mappings
         for unused in ("api_key", "client_id", "client_secret"):
             mappings.pop(unused, None)
+    elif product == "pf":
+        mappings["site_id"] = f"{prefix}_SITE_ID"
+        mappings["pat"] = f"{prefix}_PAT"
+        # Pathfinder uses PAT auth only — drop the inherited mappings
+        for unused in ("api_key", "client_id", "client_secret"):
+            mappings.pop(unused, None)
 
     return mappings
 

{bt_cli-0.4.54 → bt_cli-0.4.56}/src/bt_cli/data/skills/epml/SKILL.md

@@ -98,8 +98,20 @@ bt epml iolog list -H 200 --start 0 --len 200
 bt epml client-pkg list                            # signed S3 URLs (~30min TTL)
 bt epml client-pkg status                          # build queue
 bt epml client-pkg link epml-client.x86_64.rpm
+bt epml client-pkg build --wait                    # trigger build, poll to done (~15min max)
+bt epml client-pkg download --all -d ./pkgs        # fetch via pre-signed link (NO auth header)
+bt epml client-pkg download epml-client.x86_64.rpm
+bt epml client-pkg install-token --expiry 480      # agent registration JWT (pbactivate -t <token>)
+TOKEN=$(bt epml client-pkg install-token --raw)    # scripting
+bt epml quick agent-setup -d ./pkgs --expiry 480   # list→build-if-empty→download-all→token
 ```
 
+**Agent onboarding notes:** installation token expiry is minutes, 30–525600 (one
+year); the token is a JWT consumed by `pbactivate -t <token>` on the endpoint.
+Package download links are pre-signed S3 URLs that expire ~30 min after listing
+and REJECT requests carrying an `Authorization` header — the CLI handles both
+(fresh listing + headerless download).
+
 ## RBP — Role-Based Policy
 
 All under `/api/pbul/{hostid}/rbp/...` (default host = `BT_EPML_DEFAULT_HOST`).