bt-cli 0.4.7__tar.gz

bt_cli-0.4.7/.claude/settings.local.json

@@ -0,0 +1,128 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(tree:*)",
+      "Bash(wc:*)",
+      "Bash(source .venv/bin/activate)",
+      "Bash(source:*)",
+      "Bash(bt --profile default pws auth:*)",
+      "Bash(git add:*)",
+      "Bash(git commit:*)",
+      "Bash(git push:*)",
+      "Bash(pip install:*)",
+      "Bash(bt pws auth:*)",
+      "Bash(bt epmw auth test:*)",
+      "Bash(bt epmw events --help:*)",
+      "Bash(bt epmw events list:*)",
+      "Bash(bt epmw requests list:*)",
+      "Bash(ls:*)",
+      "Bash(bt --show-rest pws auth:*)",
+      "Bash(bt --show-rest entitle auth test:*)",
+      "Bash(pytest:*)",
+      "Bash(python -m pytest:*)",
+      "Bash(set -a)",
+      "Bash(set +a)",
+      "Bash(grep:*)",
+      "Bash(python3 -m pip check:*)",
+      "Bash(bt pws credentials checkin:*)",
+      "Bash(bt pws accounts list --help:*)",
+      "Bash(bt pws accounts list:*)",
+      "Bash(python3:*)",
+      "Bash(bt pws accounts get:*)",
+      "Bash(bt pws quick --help:*)",
+      "Bash(bt pws quick checkout:*)",
+      "Bash(bt pws quick checkin:*)",
+      "Bash(bt pws:*)",
+      "Bash(bt epmw computers list:*)",
+      "Bash(bt epmw quick status:*)",
+      "Bash(bt pra quick --help:*)",
+      "Bash(bt epmw quick --help:*)",
+      "Bash(bt pra:*)",
+      "Bash(bt epmw quick stale:*)",
+      "Bash(git config:*)",
+      "Bash(GIT_TERMINAL_PROMPT=0 git -c credential.helper= push https://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@github.com/BTSolution-Engineering/btcli.git master)",
+      "Bash(bt entitle bundles list:*)",
+      "Bash(bt entitle bundles get:*)",
+      "Bash(bt --show-rest entitle bundles get:*)",
+      "Bash(bt entitle workflows list:*)",
+      "Bash(bt entitle users list:*)",
+      "Bash(bt entitle integrations list:*)",
+      "Bash(bt entitle workflows get:*)",
+      "Bash(bt entitle resources list:*)",
+      "Bash(bt entitle roles list:*)",
+      "Bash(bt entitle permissions:*)",
+      "Bash(bt entitle policies list:*)",
+      "Bash(bt entitle accounts list:*)",
+      "Bash(bt entitle:*)",
+      "Bash(bt epmw groups list:*)",
+      "Bash(bt epmw policies list:*)",
+      "Bash(bt epmw users list:*)",
+      "Bash(bt epmw roles list:*)",
+      "Bash(bt epmw policies --help:*)",
+      "Bash(bt epmw policies appgroups list:*)",
+      "Bash(BT_DEBUG=1 bt epmw:*)",
+      "Bash(echo:*)",
+      "Bash(bt epmw policies groups:*)",
+      "Bash(bt epmw policies download:*)",
+      "Bash(bt --help:*)",
+      "Bash(bt context:*)",
+      "Bash(bt docs:*)",
+      "Bash(bt learn --help:*)",
+      "Bash(bt learn add:*)",
+      "Bash(bt learn clear:*)",
+      "Bash(bt epmw policies revisions list:*)",
+      "Bash(bt whoami:*)",
+      "Bash(__NEW_LINE_05222021dc21be1a__ echo \"=== Testing Dry-Run Imports ===\")",
+      "Bash(__NEW_LINE_05222021dc21be1a__ echo \"\")",
+      "Bash(jq '.[] | select\\(.SystemName | contains\\(\"\"\"\"csv-import-test\"\"\"\"\\)\\)' __NEW_LINE_d68138bce5e86b8b__ echo \"\" echo \"=== Verify Accounts Were Created ===\" bt pws accounts list -o json)",
+      "Bash(jq '.[] | select\\(.SystemName | contains\\(\"\"\"\"csv-import-test\"\"\"\"\\)\\)' __NEW_LINE_d68138bce5e86b8b__ echo \"\" echo \"=== Cleaning Up Test System ===\" bt pws quick offboard -s \"csv-import-test-01\" --force)",
+      "Bash(bt epmw --help:*)",
+      "WebFetch(domain:docs.beyondtrust.com)",
+      "Bash(git remote set-url:*)",
+      "Bash(bt version:*)",
+      "Bash(bt epmw computers delete:*)",
+      "Bash(bt epmw:*)",
+      "Bash(find:*)",
+      "Bash(bt skills:*)",
+      "Bash(aws sts get-caller-identity:*)",
+      "Bash(aws iam list-attached-user-policies:*)",
+      "Bash(aws iam get-user:*)",
+      "Bash(aws ec2 describe-instances:*)",
+      "Bash(aws ec2 run-instances:*)",
+      "Bash(clear)",
+      "Bash(bt quick --help:*)",
+      "Bash(bt quick:*)",
+      "Bash(aws ec2 wait:*)",
+      "Bash(jq -r \".[] | select\\(.SystemName | test\\(\"\"axion\"\"\\)\\) | \"\"\\\\\\(.SystemName\\)\\\\t\\\\\\(.IPAddress\\)\\\\tFA:\\\\\\(.FunctionalAccountID\\)\"\"\" __NEW_LINE_403e7a2c58439d4f__ echo echo '=== PRA - Axion Jump Items ===' bt pra jump-items shell list -o json)",
+      "Bash(env)",
+      "Bash(aws ec2 terminate-instances:*)",
+      "Bash(GIT_TERMINAL_PROMPT=0 git push:*)",
+      "Bash(sshpass -p 'Passgo123!' ssh -o StrictHostKeyChecking=no admin@192.168.100.132 'curl -s -X POST -d \"\"grant_type=client_credentials&client_id=d3b50b99-1650-4ddb-b00b-7fc27b963976&client_secret=/tUEmXpUrfy4K71Cqx29XemZomNCkWogYvLs5r0w9m8=\"\" \"\"https://semcp.ps-dev.beyondtrustcloud.com/BeyondTrust/api/public/v3/Auth/connect/token\"\"')",
+      "Bash(sshpass -p 'Passgo123!' ssh -o StrictHostKeyChecking=no -o PreferredAuthentications=password admin@192.168.100.132 'echo connected')",
+      "Bash(SSHPASS='Passgo123!' sshpass -e ssh -o StrictHostKeyChecking=no admin@192.168.100.132 'echo connected')",
+      "Bash(ssh:*)",
+      "Bash(REST_DEBUG=1 bt pws:*)",
+      "Bash(bt --debug-rest pws functional create:*)",
+      "Bash(bt --show-rest pws functional create:*)",
+      "Bash(bt:*)",
+      "Bash(git tag:*)",
+      "Bash(gh run list:*)",
+      "Bash(python:*)",
+      "Bash(pyinstaller:*)",
+      "Bash(gh release list:*)",
+      "Bash(./dist/bt:*)",
+      "Bash(if [ -n \"$GH_TOKEN\" ])",
+      "Bash([ -n \"$GITHUB_TOKEN\" ])",
+      "Bash(then echo \"Token found\")",
+      "Bash(else echo \"No GH token in .env - checking git credentials\")",
+      "Bash(fi)",
+      "Bash(export GH_TOKEN=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)",
+      "Bash(gh release:*)",
+      "Bash(gh release delete:*)",
+      "Bash(pip show:*)",
+      "Bash(unset:*)",
+      "Bash(git mv:*)",
+      "Bash(twine upload:*)"
+    ]
+  }
+}

bt_cli-0.4.7/.claude/skills/bt/SKILL.md

@@ -0,0 +1,98 @@
+---
+name: bt
+description: BeyondTrust platform CLI cross-product commands. Use when working across PWS, PRA, Entitle, or EPMW together, or for PASM workflows combining Password Safe and PRA.
+---
+
+# BT-Admin Cross-Product Commands
+
+CLI for BeyondTrust platform: Password Safe, PRA, Entitle, EPM Windows.
+
+## IMPORTANT: Destructive Operations
+
+**ALWAYS confirm with the user before running destructive commands:**
+- `delete` - Removes resources permanently
+- `offboard` - Removes systems/accounts from management
+- `archive` - Archives computers (EPMW)
+- `revoke` - Revokes permissions (Entitle)
+
+Before executing any destructive operation:
+1. List what will be affected
+2. Ask user for explicit confirmation
+3. Never use `--force` flag without user approval
+
+## Setup
+
+```bash
+cd /home/admin/entitl-sko/bt-cli
+source .venv/bin/activate && source .env
+```
+
+## Test All Connections
+
+```bash
+bt whoami                    # Test all configured products
+bt whoami -o json            # JSON output
+```
+
+## Cross-Product Quick Commands (`bt quick`)
+
+### PASM Search (PWS + PRA)
+Find systems/accounts across both products. Shows ECM alignment (names must match for credential injection).
+
+```bash
+bt quick pasm-search axion
+bt quick pasm-search web-server -o json
+```
+
+### PASM Onboard (PWS + PRA)
+Onboard a host to both Password Safe and PRA in one command.
+
+```bash
+# Linux SSH host
+bt quick pasm-onboard -n "my-server" -i "10.0.1.50" -w 3 -j 3 -g 24
+
+# Full options
+bt quick pasm-onboard \
+    --name "web-01" \
+    --ip "10.0.1.100" \
+    --workgroup 3 \
+    --jumpoint 3 \
+    --jump-group 24 \
+    --functional-account 7 \
+    --elevation "sudo" \
+    --pra-username "ec2-admin"
+
+# Windows RDP host
+bt quick pasm-onboard -n "win-srv" -i "10.0.2.10" -w 2 -p 1 -j 3 -g 31 --jump-type rdp --port 3389
+
+# Skip one product
+bt quick pasm-onboard -n "pra-only" -i "10.0.1.5" -j 3 -g 24 --skip-pws
+bt quick pasm-onboard -n "pws-only" -i "10.0.1.6" -w 3 --skip-pra
+```
+
+### PASM Offboard
+Remove from both products.
+
+```bash
+bt quick pasm-offboard -n "my-server"
+bt quick pasm-offboard -n "web-01" --force
+```
+
+## Environment Reference IDs
+
+| Resource | ID | Notes |
+|----------|-----|-------|
+| PWS Workgroup (AWS) | 3 | AWS_Account Workgroup |
+| PWS Workgroup (Datacenter) | 2 | Datacenter_West |
+| PWS Functional Account | 7 | pws-functional SSH key |
+| PWS Platform Linux | 2 | |
+| PWS Platform Windows | 1 | |
+| PRA Jumpoint (AWS) | 3 | AWS Account |
+| PRA Jumpoint (Datacenter) | 2 | Data Center 01 |
+| PRA Vault Account (ec2-admin) | 31 | SSH CA for EC2 |
+| Entitle PRA Integration | bb2a3c79-02a9-45d9-be7f-f209d97cb1d7 | |
+| Entitle Customer Access | 22f4960f-b2ee-435f-9fa2-b82baeca06b2 | Virtual integration |
+
+## Product-Specific Skills
+
+Use `/pws`, `/pra`, `/entitle`, `/epmw` for product-specific commands.

bt_cli-0.4.7/.claude/skills/entitle/SKILL.md

@@ -0,0 +1,159 @@
+---
+name: entitle
+description: Entitle commands for JIT access, bundles, workflows, and permissions. Use when working with access requests, approval workflows, or managing user entitlements.
+---
+
+# Entitle Commands (`bt entitle`)
+
+## IMPORTANT: Destructive Operations
+
+**ALWAYS confirm with the user before:**
+- `bt entitle resources delete` - Deletes resource from integration
+- `bt entitle bundles delete` - Deletes access bundle
+- `bt entitle permissions revoke` - Revokes active permission
+
+List affected resources first, then ask for explicit confirmation.
+
+## Integrations & Resources
+
+```bash
+# List integrations (connected apps)
+bt entitle integrations list
+bt entitle integrations get <integration_id>
+
+# List resources in an integration
+bt entitle resources list --integration <integration_id>
+bt entitle resources get <resource_id>
+
+# Virtual integration resources
+bt entitle resources create-virtual \
+    --name "Customer-05 (Bing7)" \
+    --integration 22f4960f-b2ee-435f-9fa2-b82baeca06b2 \
+    --source-role-id <role_id> \
+    --role-name "Start Session"
+bt entitle resources delete <resource_id>
+```
+
+## Bundles
+
+Access bundles group multiple roles across integrations.
+
+```bash
+bt entitle bundles list
+bt entitle bundles get <bundle_id>
+bt entitle bundles create \
+    --name "Dev AWS Access" \
+    --description "Development AWS console access" \
+    --workflow <workflow_id> \
+    --role <role_id> \
+    --duration 3600
+bt entitle bundles delete <bundle_id>
+```
+
+## Workflows
+
+```bash
+bt entitle workflows list
+bt entitle workflows get <workflow_id>
+```
+
+**Available Workflows:**
+| Name | Type | Use Case |
+|------|------|----------|
+| Auto Approve | Automatic | Requests <= 12 hours |
+| Low sensitivity | Simple | Single approver |
+| Medium Sensitivity | Standard | Standard approval |
+| Production access | Multi-step | Duration-based tiers |
+
+## Users & Permissions
+
+```bash
+# Users
+bt entitle users list
+bt entitle users get <user_id>
+
+# Active permissions
+bt entitle permissions list
+bt entitle permissions list --user <user_id>
+bt entitle permissions revoke <permission_id>
+
+# Accounts
+bt entitle accounts list --integration <integration_id>
+```
+
+## Roles & Policies
+
+```bash
+bt entitle roles list
+bt entitle roles list --resource <resource_id>
+bt entitle roles get <role_id>
+
+bt entitle policies list
+bt entitle policies get <policy_id>
+```
+
+## Common Workflows
+
+### Add PRA Jump Group to Entitle
+
+**Important:** PRA integration sync is **asynchronous** (runs hourly). After creating a new PRA jump group, either:
+- Wait up to 1 hour for auto-sync
+- Or manually trigger sync in Entitle UI: Integrations → PRA → Sync Now
+
+```bash
+# 1. Trigger PRA sync in Entitle UI (or wait for hourly sync)
+
+# 2. Find the new PRA resource
+bt entitle resources list --integration bb2a3c79-02a9-45d9-be7f-f209d97cb1d7
+
+# 3. Get "Start Sessions Only" role ID
+bt entitle roles list --resource <pra_resource_id>
+
+# 4. Add to Customer Access virtual integration
+bt entitle resources create-virtual \
+    --name "Customer-05" \
+    --integration 22f4960f-b2ee-435f-9fa2-b82baeca06b2 \
+    --source-role-id <role_id> \
+    --role-name "Start Session"
+```
+
+### Check User Access
+
+```bash
+bt entitle permissions list --user "user@example.com" -o json
+```
+
+## Key IDs
+
+| Resource | ID |
+|----------|-----|
+| PRA Integration | bb2a3c79-02a9-45d9-be7f-f209d97cb1d7 |
+| Customer Access (Virtual) | 22f4960f-b2ee-435f-9fa2-b82baeca06b2 |
+| AWS SandBox | (check `bt entitle integrations list`) |
+
+## Integrations Available
+
+- Cloud10 (Virtual Application)
+- NexusDyn - Azure
+- Customer Access (Virtual)
+- Privileged Remote Access (PRA)
+- AWS - SandBox Account
+- Nexusdyn - Postgres ERP Database
+- NexusDyn - EntraID
+
+## Supported Applications (75+)
+
+**Cloud:** AWS, Azure, GCP, Oracle OCI
+**Identity:** Okta, Entra ID, OneLogin, JumpCloud
+**DevOps:** GitHub, GitLab, Jenkins, Terraform Cloud
+**Databases:** Postgres, MySQL, MSSQL, MongoDB, Snowflake
+**Kubernetes:** EKS, AKS, GKE, Rancher
+**BeyondTrust:** Password Safe, PRA, Remote Support
+
+## API Notes
+
+- Base path: `/public/v1`
+- Pagination: `page`/`perPage`
+- Response: `{"result": [...], "pagination": {...}}`
+- All IDs are UUIDs (strings)
+- Bearer token auth

bt_cli-0.4.7/.claude/skills/epmw/SKILL.md

@@ -0,0 +1,145 @@
+---
+name: epmw
+description: EPM Windows commands for endpoint privilege management. Use when working with Windows computers, policies, admin access requests, or audit logs.
+---
+
+# EPM Windows Commands (`bt epmw`)
+
+## IMPORTANT: Destructive Operations
+
+**ALWAYS confirm with the user before:**
+- `bt epmw computers archive` - Archives computer from management
+- `bt epmw groups delete` - Deletes computer group
+- `bt epmw policies delete` - Deletes policy
+- `bt epmw quick stale --delete` - Deletes stale computers
+
+List affected resources first, then ask for explicit confirmation.
+
+## Quick Commands
+
+```bash
+# Find stale computers (not checked in recently)
+bt epmw quick stale                     # 24+ hours
+bt epmw quick stale --hours 48          # 48+ hours
+bt epmw quick stale -h 12 -g "Workstations"
+
+# Delete stale computers
+bt epmw quick stale --delete            # With confirmation
+bt epmw quick stale --delete --force    # Skip confirmation
+
+# Find disconnected computers
+bt epmw quick disconnected
+bt epmw quick disconnected -g "Servers"
+
+# Status summary by group
+bt epmw quick status
+bt epmw quick status -g "Datacenter"
+```
+
+## Computers
+
+```bash
+bt epmw computers list
+bt epmw computers list -o json
+bt epmw computers get <computer_id>
+bt epmw computers delete <computer_id>
+bt epmw computers archive <computer_id>
+bt epmw computers unarchive <computer_id>
+```
+
+## Groups
+
+```bash
+bt epmw groups list
+bt epmw groups get <group_id>
+bt epmw groups create --name "NewGroup" --description "Description"
+bt epmw groups update <group_id> --name "UpdatedName"
+bt epmw groups delete <group_id>
+bt epmw groups assign-policy <group_id> --policy <policy_id>
+bt epmw groups assign-computers <group_id> --computers <id1>,<id2>
+```
+
+## Policies
+
+```bash
+bt epmw policies list
+bt epmw policies get <policy_id>
+bt epmw policies groups <policy_id>      # Show assigned groups
+
+# Download policy XML (for template)
+bt epmw policies download <policy_id> > template.xml
+
+# Create policy from XML
+bt epmw policies create -n "My Policy" -f template.xml
+
+# Policy revisions
+bt epmw policies revisions list <policy_id>
+bt epmw policies revisions get <policy_id> <revision_id>
+bt epmw policies revisions upload <policy_id> -f policy.xml
+```
+
+## Admin Access Requests
+
+```bash
+bt epmw requests list
+bt epmw requests get <request_id>
+bt epmw requests create --computer <id> --duration 30 --reason "Maintenance"
+bt epmw requests approve <request_id>
+bt epmw requests deny <request_id> --reason "Not authorized"
+```
+
+## Users & Roles
+
+```bash
+bt epmw users list
+bt epmw users get <user_id>
+bt epmw users create --username "newuser" --email "user@example.com"
+bt epmw users enable <user_id>
+bt epmw users disable <user_id>
+bt epmw users assign-roles <user_id> --roles <role1>,<role2>
+
+bt epmw roles list
+bt epmw roles get <role_id>
+```
+
+## Audits
+
+```bash
+# Activity audits
+bt epmw audits activity list
+bt epmw audits activity get <audit_id>
+
+# Authorization requests
+bt epmw audits authorization list
+bt epmw audits authorization get <audit_id>
+
+# Request audits
+bt epmw audits requests list
+bt epmw audits requests get <audit_id>
+```
+
+## Key Groups
+
+| ID | Name | Computers |
+|----|------|-----------|
+| 042267ec-... | Servers - Datacenter1 | CorpMem01, CorpMem02 |
+| 1c8f6310-... | Workstations - Datacenter1 | CorpWS01, CorpWS02 |
+| 67ca23ad-... | Engineering | BenC-Skynet |
+
+## Key Computers
+
+| Host | Domain | Group | Status |
+|------|--------|-------|--------|
+| CorpMem01 | nexusdyn.corp | Servers | Connected |
+| CorpMem02 | nexusdyn.corp | Servers | Connected |
+| CorpWS01 | nexusdyn.corp | Workstations | Connected |
+| CorpWS02 | nexusdyn.corp | Workstations | Connected |
+
+## API Notes
+
+- Base path: `/management-api/v3`
+- Token endpoint: `/oauth/token`
+- Pagination: `pageNumber`/`pageSize`
+- Response: `{"data": [...], "totalCount": N}`
+- All IDs are UUIDs
+- Delete returns 405 - use archive instead

bt_cli-0.4.7/.claude/skills/pra/SKILL.md

@@ -0,0 +1,149 @@
+---
+name: pra
+description: Privileged Remote Access commands for jump items, vault accounts, and remote sessions. Use when working with PRA shell jumps, RDP, protocol tunnels, or SSH CA authentication.
+---
+
+# PRA Commands (`bt pra`)
+
+## IMPORTANT: Destructive Operations
+
+**ALWAYS confirm with the user before:**
+- `bt pra jump-items shell delete` - Deletes shell jump item
+- `bt pra jump-items rdp delete` - Deletes RDP jump item
+- `bt pra jump-items tunnel delete` - Deletes protocol tunnel
+- `bt pra jump-groups delete` - Deletes jump group
+- `bt pra vault accounts delete` - Deletes vault account
+
+List affected resources first, then ask for explicit confirmation.
+
+## Quick Commands
+
+```bash
+# Vault credential checkout
+bt pra quick vault                      # Interactive - shows accounts, prompts
+bt pra quick vault -n "server-admin"
+bt pra quick vault -n postgres --raw
+
+# Search jump items and vault
+bt pra quick search axion
+bt pra quick search admin -o json
+```
+
+## Jump Items
+
+### Shell Jump (SSH/Telnet)
+
+```bash
+bt pra jump-items shell list
+bt pra jump-items shell get 55
+bt pra jump-items shell create \
+    --name "web-server-01" \
+    --hostname "10.0.1.50" \
+    --jumpoint 3 \
+    --jump-group 24 \
+    --protocol ssh \
+    --port 22 \
+    --username "ec2-admin"
+bt pra jump-items shell delete 55
+```
+
+### RDP Jump
+
+```bash
+bt pra jump-items rdp list
+bt pra jump-items rdp get 1
+bt pra jump-items rdp create \
+    --name "win-server-01" \
+    --hostname "10.0.2.10" \
+    --jumpoint 3 \
+    --jump-group 31 \
+    --port 3389
+```
+
+### Protocol Tunnels (TCP/MSSQL/K8s)
+
+```bash
+bt pra jump-items tunnel list
+bt pra jump-items tunnel create \
+    --name "production-k8s" \
+    --hostname "k8s-api.example.com" \
+    --jumpoint 3 \
+    --jump-group 24 \
+    --type k8s \
+    --url "https://k8s-api.example.com:6443" \
+    --ca-cert "$(cat /path/to/ca.crt)"
+```
+
+## Jump Groups
+
+```bash
+bt pra jump-groups list
+bt pra jump-groups get 24
+bt pra jump-groups create \
+    --name "Customer-05 (Bing7)" \
+    --code-name bing7 \
+    --comments "Demo customer"
+bt pra jump-groups delete 30
+```
+
+## Vault Accounts
+
+```bash
+bt pra vault accounts list
+bt pra vault accounts get 6
+bt pra vault accounts checkout 6
+bt pra vault accounts checkin 6
+bt pra vault accounts rotate 6
+
+# SSH CA - get public key for provisioning
+bt pra vault accounts get-public-key 31
+```
+
+## SSH CA Authentication
+
+PRA supports SSH CA for ephemeral access - no static keys on hosts.
+
+```bash
+# Get CA public key (ready for authorized_keys)
+bt pra vault accounts get-public-key 31
+# Output: cert-authority ssh-rsa AAAAB3NzaC1yc2E...
+
+# Provision EC2 with SSH CA
+PRA_CA_KEY=$(bt pra vault accounts get-public-key 31)
+# Embed in user-data script for EC2
+```
+
+**SSH CA Vault Accounts:**
+| ID | Name | Username |
+|----|------|----------|
+| 3 | Ephemeral Admin SSH CA | admin-ephemeral |
+| 31 | ec2-admin | ec2-admin |
+
+## CSV Import/Export
+
+```bash
+bt pra export jump-items --file jump-items-template.csv
+bt pra export vault-accounts --file vault-accounts-template.csv
+bt pra import jump-items --file jump-items.csv --dry-run
+bt pra import jump-items --file jump-items.csv
+```
+
+## Key IDs
+
+| Resource | ID |
+|----------|-----|
+| Jumpoint: Data Center 01 | 2 |
+| Jumpoint: AWS Account | 3 |
+| Jump Group: Datacenter 01 (West) | 1 |
+| Jump Group: Customer-01 (Axion) | 24 |
+| Jump Group: Customer-02 (Meridian) | 25 |
+| Jump Group: Cloud Containers | 26 |
+| Vault: ec2-admin (SSH CA) | 31 |
+
+## API Notes
+
+- Base path: `/api/config/v1`
+- Pagination: `per_page`/`current_page` (1-indexed)
+- Response: Array directly (pagination in headers)
+- Jump item types have separate endpoints
+- K8s tunnels require Linux jumpoint