proxcli 0.12.0__tar.gz → 0.13.0__tar.gz

{proxcli-0.12.0 → proxcli-0.13.0}/CHANGELOG.md

@@ -7,6 +7,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.13.0] - 2026-06-21
+
+### Added
+- **``--output log`` format**: plain-text log lines with timestamps.
+  ``cluster log`` and ``ceph log`` default to this format.
+- **``--follow`` / ``-f``** for ``cluster log`` and ``ceph log``:
+  polls every second and prints new entries until Ctrl+C.
+- **``proxmox auth setup``**: creates the four recommended
+  ``proxcli-*`` roles and ACLs in one command (requires Administrator).
+- **``proxmox auth check``**: live permission test — hits each proxcli
+  endpoint and reports PASS/FAIL in a table.  39 checks across cluster,
+  storage, VMs, snapshots, backups, containers, firewall, pools, and
+  admin operations.
+- **``proxmox auth status --permissions`` / ``-p``**: fetches effective
+  permissions from the API.
+
+### Changed
+- **Cluster/ceph log output** is now oldest-first (reversed from API order).
+- ``--help`` no longer triggers misplaced-global-flag hint.
+- ``docs/api-permissions.md`` restructured around four path-scoped roles
+  and a 3-step quickstart.
+
+### Fixed
+- Ctrl+C / broken pipe in ``--follow`` mode exits cleanly (no error).
+- ``auth check`` defaults to table output.
+
 ## [0.12.0] - 2026-06-20
 
 ### Added
@@ -25,6 +51,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   ``proxmox ceph log [--node] [--limit N]`` (Ceph log entries),
   ``proxmox ceph disks [--node]`` (all physical disks with health,
   wearout, SMART status, OSD mapping).
+- **``--output log`` format**: plain text log lines with timestamps.
+  ``cluster log`` and ``ceph log`` default to this format.  Override with
+  ``--output json``, ``--output table``, or ``--output yaml`.
+- **API coverage doc**: ``docs/api-coverage.md`` tracks all implemented
+  and remaining Proxmox VE REST API endpoints.
 
 ### Changed
 - **ConfigLoader is now read-only**.  ``proxmox auth login`` and

{proxcli-0.12.0 → proxcli-0.13.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: proxcli
-Version: 0.12.0
+Version: 0.13.0
 Summary: A CLI tool to interact with Proxmox VE nodes and clusters via the REST API
 Author-email: Xabi Ezpeleta <xezpeleta@gmail.com>
 License: MIT
@@ -175,7 +175,7 @@ For password auth, use `"auth_method": "password"` with a `"password"` field ins
 | `--password` | — | Password |
 | `--password-stdin` | — | Read password from stdin |
 | `--api-token` | — | API token (`user!tokenid=secret`) |
-| `--output` | `json` | Output format: `json`, `table`, `yaml` |
+| `--output` | `json` | Output format: `json`, `table`, `yaml`, `log` |
 | `--columns` | all | Columns to display in table output (e.g. `--columns vmid,name,status`) |
 | `--dry-run` | off | Print the API request without executing |
 | `--insecure` | off | Skip TLS verification |
@@ -186,7 +186,10 @@ For password auth, use `"auth_method": "password"` with a `"password"` field ins
 ### Auth
 
 ```bash
-proxmox auth status  # Show current auth context
+proxmox auth status            # Show current auth context
+proxmox auth status --permissions  # + effective permissions from API
+proxmox auth setup             # Create recommended roles + ACLs (needs Administrator)
+proxmox auth check             # Live permission test table (39 checks)
 ```
 
 ### Completion
@@ -414,8 +417,9 @@ proxmox task show <upid>
 proxmox task log <upid> [--follow]
 ```
 
-`proxmox task log --follow` polls `/nodes/{node}/tasks/{upid}/log` every second
+`proxmox task log --follow` polls the log endpoint every second
 and streams new lines until the task completes (like `tail -f`).
+`cluster log --follow` and `ceph log --follow <node>` work the same way.
 
 ### Backup (vzdump)
 

{proxcli-0.12.0 → proxcli-0.13.0}/README.md

@@ -152,7 +152,7 @@ For password auth, use `"auth_method": "password"` with a `"password"` field ins
 | `--password` | — | Password |
 | `--password-stdin` | — | Read password from stdin |
 | `--api-token` | — | API token (`user!tokenid=secret`) |
-| `--output` | `json` | Output format: `json`, `table`, `yaml` |
+| `--output` | `json` | Output format: `json`, `table`, `yaml`, `log` |
 | `--columns` | all | Columns to display in table output (e.g. `--columns vmid,name,status`) |
 | `--dry-run` | off | Print the API request without executing |
 | `--insecure` | off | Skip TLS verification |
@@ -163,7 +163,10 @@ For password auth, use `"auth_method": "password"` with a `"password"` field ins
 ### Auth
 
 ```bash
-proxmox auth status  # Show current auth context
+proxmox auth status            # Show current auth context
+proxmox auth status --permissions  # + effective permissions from API
+proxmox auth setup             # Create recommended roles + ACLs (needs Administrator)
+proxmox auth check             # Live permission test table (39 checks)
 ```
 
 ### Completion
@@ -391,8 +394,9 @@ proxmox task show <upid>
 proxmox task log <upid> [--follow]
 ```
 
-`proxmox task log --follow` polls `/nodes/{node}/tasks/{upid}/log` every second
+`proxmox task log --follow` polls the log endpoint every second
 and streams new lines until the task completes (like `tail -f`).
+`cluster log --follow` and `ceph log --follow <node>` work the same way.
 
 ### Backup (vzdump)
 

proxcli-0.13.0/docs/api-permissions.md

@@ -0,0 +1,216 @@
+# API Token Permissions
+
+proxcli uses the Proxmox VE REST API.  This document describes how to create
+an API token with the right permissions.
+
+## Creating an API Token
+
+In the Proxmox VE UI: **Datacenter → Permissions → API Tokens → Add**
+
+1. Select **User**
+2. Enter **Token ID** (e.g. `proxcli`)
+3. Uncheck **Privilege Separation** (recommended — see note below)
+
+The **Secret** is shown only once — save it immediately.
+
+> **Privilege Separation**: when unchecked, the token inherits all of the
+> user's roles.  When checked, you must assign roles directly to the token.
+> Unchecking is simpler but broader.  Check it if you want to lock down
+> the token independently of the user.
+
+## Quickstart (3 steps)
+
+```bash
+# 1. Bootstrap roles + ACLs (once, needs Administrator)
+proxmox auth setup
+
+# 2. Create API token (UI: Datacenter → Permissions → API Tokens → Add)
+#     User:     xezpeleta@pve
+#     Token ID: proxcli
+#     ☐ Privilege Separation (unchecked — inherits user's roles)
+#     Save the secret!
+
+# 3. Write credentials.json with the new token secret
+cat > ~/.config/proxmox-cli/credentials.json <<'EOF'
+{
+  "url": "https://your-pve.example.com:8006",
+  "username": "xezpeleta@pve",
+  "auth_method": "api_token",
+  "api_token_id": "proxcli",
+  "api_token_secret": "your-token-secret-here",
+  "verify_tls": false
+}
+EOF
+chmod 400 ~/.config/proxmox-cli/credentials.json
+
+# Done — everything works
+proxmox auth status
+proxmox cluster status
+proxmox vm list
+```
+
+## Recommended Roles
+
+Split privileges by path so each ACL only carries what it needs:
+
+```
+Role name: proxcli-sys
+
+  Sys.Audit                    ← cluster/nodes/status/tasks/logs (read-only)
+  Sys.Modify                   ← cluster firewall
+
+
+Role name: proxcli-storage
+
+  Datastore.Allocate
+  Datastore.AllocateSpace
+  Datastore.AllocateTemplate
+  Datastore.Audit
+
+
+Role name: proxcli-vm
+
+  VM.Allocate
+  VM.Audit
+  VM.Backup
+  VM.Clone
+  VM.Config.CDROM
+  VM.Config.Cloudinit
+  VM.Config.CPU
+  VM.Config.Disk
+  VM.Config.HWType
+  VM.Config.Memory
+  VM.Config.Network
+  VM.Config.Options
+  VM.Console
+  VM.Migrate
+  VM.PowerMgmt
+  VM.Snapshot
+  VM.Snapshot.Rollback
+
+  Pool.Allocate
+  Pool.Audit
+
+
+Role name: proxcli-node
+
+  VM.GuestAgent.Audit
+  VM.GuestAgent.FileRead
+```
+
+```bash
+# Assign each role to its path:
+pvesh set /access/acl --path /        --roles proxcli-sys    --users xezpeleta@pve
+pvesh set /access/acl --path /storage --roles proxcli-storage --users xezpeleta@pve
+pvesh set /access/acl --path /vms     --roles proxcli-vm     --users xezpeleta@pve
+pvesh set /access/acl --path /nodes   --roles proxcli-node   --users xezpeleta@pve
+```
+
+That's it.  Four roles, four ACLs, zero privilege creep — each path
+only gets what proxcli actually uses there.
+
+> **One-liner**: `proxmox auth setup` does all of this automatically
+> if your current token has Administrator privileges.
+
+| Path | Role | Why |
+|------|------|-----|
+| `/` | `proxcli-sys` | `cluster status`, `node show`, `task list`, `ceph status`, `cluster log`, `cluster firewall` |
+| `/storage` | `proxcli-storage` | `storage list/upload`, `vm create` (disk + import) |
+| `/vms` | `proxcli-vm` | `vm list/create/start/stop`, snapshots, backups, `pool` |
+| `/nodes` | `proxcli-node` | QEMU guest agent interfaces, per-node Ceph logs |
+
+> **ACL management** (`proxmox acl`) and **user management**
+> (`proxmox user`) require `Permissions.Modify`, which is only in the
+> built-in **Administrator** role.  These are admin-only operations —
+> add `Permissions.Modify` to `proxcli` if you need them, but it's a
+> powerful privilege.
+
+## Permission Model (Reference)
+
+Proxmox permissions follow the pattern:
+
+```
+/path/to/resource    PrivilegeName[,PrivilegeName...]
+```
+
+- Paths can be broad (`/`) or specific (`/vms/100`)
+- Privileges are inherited — permissions on `/` propagate to all sub-paths
+- An API token's effective permissions are the **intersection** of:
+  1. The token's own ACLs
+  2. The user's ACLs (if privilege separation is enabled)
+
+## Narrower Scoping (Optional)
+
+If you want to limit what a token can touch, use the bare minimum
+privileges per workflow:
+
+### Cloud-Init VM Workflow
+
+The complete workflow of uploading a cloud image, creating a VM with
+cloud-init, and starting it:
+
+| Step | Method | Endpoint | Privilege |
+|------|--------|----------|-----------|
+| 1 | GET | `/cluster/nextid` | `Sys.Audit` |
+| 2 | POST | `/nodes/{node}/storage/{storage}/upload` | `Datastore.AllocateTemplate` |
+| 3 | POST | `/nodes/{node}/qemu` | `VM.Allocate` |
+| 3 | — | (reads imported image) | `Datastore.Allocate` |
+| 3 | — | (allocates disk on target storage) | `Datastore.AllocateSpace` |
+| 3 | — | (attaches scsi0 disk) | `VM.Config.Disk` |
+| 3 | — | (sets net0) | `VM.Config.Network` |
+| 3 | — | (sets cloud-init: citype, ciuser, …) | `VM.Config.Cloudinit` |
+| 3 | — | (sets bios, machine, boot order) | `VM.Config.Options` |
+| 4 | POST | `/nodes/{node}/qemu/{vmid}/status/start` | `VM.PowerMgmt` |
+| 5 | GET | `/nodes/{node}/qemu/{vmid}/status/current` | `VM.Audit` |
+
+**Minimal role `PVECloudInitAdmin`**: `Sys.Audit`, `Datastore.Allocate`,
+`Datastore.AllocateSpace`, `Datastore.AllocateTemplate`, `VM.Allocate`,
+`VM.Audit`, `VM.Config.Cloudinit`, `VM.Config.Disk`, `VM.Config.Network`,
+`VM.Config.Options`, `VM.PowerMgmt`.
+
+### Additional Privileges by Feature
+
+| Feature | Extra Privileges Needed |
+|---------|------------------------|
+| Snapshots | `VM.Snapshot`, `VM.Snapshot.Rollback` |
+| Clone VM | `VM.Clone` |
+| Change memory/CPU | `VM.Config.Memory`, `VM.Config.CPU` |
+| Attach ISOs | `VM.Config.CDROM` |
+| Migrate VM | `VM.Migrate` |
+| Backup VM | `VM.Backup` |
+| Delete VM | `VM.Allocate` (already needed), `Datastore.AllocateSpace` |
+| QEMU guest agent | `VM.GuestAgent.Audit`, `VM.GuestAgent.FileRead` |
+| Containers | `VM.Allocate`, `VM.Audit`, `VM.PowerMgmt` |
+| Pools | `Pool.Allocate`, `Pool.Audit` |
+| Cluster/node/VM firewall | `Sys.Modify`, `Sys.Audit` |
+| ACL management | `Permissions.Modify` (Administrator role) |
+| User/role management | `Permissions.Modify` (Administrator role) |
+
+### Built-in Roles (for reference)
+
+**PVEVMAdmin**: `VM.Allocate`, `VM.Audit`, `VM.Backup`, `VM.Clone`,
+`VM.Config.CDROM`, `VM.Config.Cloudinit`, `VM.Config.CPU`,
+`VM.Config.Disk`, `VM.Config.HWType`, `VM.Config.Memory`,
+`VM.Config.Network`, `VM.Config.Options`, `VM.Console`, `VM.Migrate`,
+`VM.PowerMgmt`, `VM.Snapshot`, `VM.Snapshot.Rollback`
+
+**PVEDatastoreAdmin**: `Datastore.Allocate`, `Datastore.AllocateSpace`,
+`Datastore.AllocateTemplate`, `Datastore.Audit`, `Datastore.Copy`
+
+**PVEPoolAdmin**: `Pool.Allocate`, `Pool.Audit`
+
+## Verifying Permissions
+
+Check your current effective permissions:
+
+```bash
+proxmox auth permissions
+```
+
+Or test a specific action with dry-run:
+
+```bash
+proxmox --dry-run vm create --node <node> --memory 512 --cores 1
+```
+
+If any privilege is missing, Proxmox returns a **403 Forbidden**.

proxcli-0.13.0/proxmox/cli/auth.py

@@ -0,0 +1,259 @@
+"""`proxmox auth` subcommand — authentication status and permission setup."""
+
+from __future__ import annotations
+
+import argparse
+from urllib.parse import urlencode
+
+from proxmox.client.client import ProxmoxClient
+from proxmox.client.exceptions import ProxmoxAPIError
+from proxmox.config.config import ConfigLoader
+
+# Recommended roles for proxcli (see docs/api-permissions.md)
+PROXCLI_ROLES: dict[str, str] = {
+    "proxcli-sys": "Sys.Audit,Sys.Modify",
+    "proxcli-storage": "Datastore.Allocate,Datastore.AllocateSpace,"
+                       "Datastore.AllocateTemplate,Datastore.Audit",
+    "proxcli-vm": "VM.Allocate,VM.Audit,VM.Backup,VM.Clone,"
+                  "VM.Config.CDROM,VM.Config.Cloudinit,VM.Config.CPU,"
+                  "VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,"
+                  "VM.Config.Network,VM.Config.Options,VM.Console,"
+                  "VM.Migrate,VM.PowerMgmt,VM.Snapshot,"
+                  "VM.Snapshot.Rollback,Pool.Allocate,Pool.Audit",
+    "proxcli-node": "VM.GuestAgent.Audit,VM.GuestAgent.FileRead",
+}
+
+# ACL paths for each role
+PROXCLI_ACLS: list[tuple[str, str]] = [
+    ("/", "proxcli-sys"),
+    ("/storage", "proxcli-storage"),
+    ("/vms", "proxcli-vm"),
+    ("/nodes", "proxcli-node"),
+]
+
+
+# Permission checks: (label, method, path, privilege_needed)
+# The handler does a dry-run-like GET/POST to check if 403 is returned.
+PERMISSION_CHECKS: list[tuple[str, str, str, str]] = [
+    # ── read-only / system ──
+    ("Cluster status",          "GET",  "/cluster/status",      "Sys.Audit"),
+    ("Node list",               "GET",  "/nodes",               "Sys.Audit"),
+    ("Task list",               "GET",  "/cluster/tasks",       "Sys.Audit"),
+    ("Cluster log",             "GET",  "/cluster/log",         "Sys.Audit"),
+    ("Ceph status",             "GET",  "/cluster/ceph/status", "Sys.Audit"),
+    ("Cluster options",         "GET",  "/cluster/options",     "Sys.Audit"),
+
+    # ── storage ──
+    ("Storage list",            "GET",  "/storage",             "Datastore.Audit"),
+    ("Storage upload",          "POST", "/nodes/{node}/storage/{storage}/upload",
+     "Datastore.AllocateTemplate"),
+    ("Storage status",          "GET",  "/nodes/{node}/storage/{storage}/status",
+     "Datastore.Audit"),
+
+    # ── VMs (read) ──
+    ("VM list",                 "GET",  "/cluster/resources",   "VM.Audit"),
+    ("VM config",               "GET",  "/nodes/{node}/qemu/{vmid}/config",
+     "VM.Audit"),
+    ("VM status",               "GET",  "/nodes/{node}/qemu/{vmid}/status/current",
+     "VM.Audit"),
+
+    # ── VMs (lifecycle) ──
+    ("VM create (nextid)",      "GET",  "/cluster/nextid",      "VM.Allocate"),
+    ("VM create (save)",        "POST", "/nodes/{node}/qemu",   "VM.Allocate"),
+    ("VM start",                "POST", "/nodes/{node}/qemu/{vmid}/status/start",
+     "VM.PowerMgmt"),
+    ("VM stop",                 "POST", "/nodes/{node}/qemu/{vmid}/status/stop",
+     "VM.PowerMgmt"),
+    ("VM delete",               "DELETE", "/nodes/{node}/qemu/{vmid}", "VM.Allocate"),
+
+    # ── VMs (config) ──
+    ("VM set memory/cores",     "PUT",  "/nodes/{node}/qemu/{vmid}/config",
+     "VM.Config.Memory"),
+    ("VM set network",          "PUT",  "/nodes/{node}/qemu/{vmid}/config",
+     "VM.Config.Network"),
+    ("VM set disk",             "PUT",  "/nodes/{node}/qemu/{vmid}/config",
+     "VM.Config.Disk"),
+    ("VM set cloud-init",       "PUT",  "/nodes/{node}/qemu/{vmid}/config",
+     "VM.Config.Cloudinit"),
+    ("VM set CDROM",            "PUT",  "/nodes/{node}/qemu/{vmid}/config",
+     "VM.Config.CDROM"),
+    ("VM set options",          "PUT",  "/nodes/{node}/qemu/{vmid}/config",
+     "VM.Config.Options"),
+
+    # ── VMs (snapshots) ──
+    ("VM snapshot list",        "GET",  "/nodes/{node}/qemu/{vmid}/snapshot",
+     "VM.Snapshot"),
+    ("VM snapshot create",      "POST", "/nodes/{node}/qemu/{vmid}/snapshot",
+     "VM.Snapshot"),
+    ("VM snapshot rollback",    "POST", "/nodes/{node}/qemu/{vmid}/snapshot/{snapname}/rollback",
+     "VM.Snapshot.Rollback"),
+
+    # ── VMs (backup/clone/migrate) ──
+    ("VM backup",               "POST", "/nodes/{node}/vzdump",  "VM.Backup"),
+    ("VM clone",                "POST", "/nodes/{node}/qemu/{vmid}/clone",
+     "VM.Clone"),
+    ("VM migrate",              "POST", "/nodes/{node}/qemu/{vmid}/migrate",
+     "VM.Migrate"),
+
+    # ── QEMU guest agent ──
+    ("VM guest agent",          "GET",  "/nodes/{node}/qemu/{vmid}/agent/network-get-interfaces",
+     "VM.GuestAgent.Audit"),
+
+    # ── containers ──
+    ("Container list",          "GET",  "/nodes/{node}/lxc",    "VM.Audit"),
+    ("Container start",         "POST", "/nodes/{node}/lxc/{vmid}/status/start",
+     "VM.PowerMgmt"),
+
+    # ── firewall ──
+    ("Cluster firewall rules",  "GET",  "/cluster/firewall/rules",
+     "Sys.Modify"),
+    ("VM firewall rules",       "GET",  "/nodes/{node}/qemu/{vmid}/firewall/rules",
+     "VM.Allocate"),
+
+    # ── pools ──
+    ("Pool list",               "GET",  "/pools",               "Pool.Audit"),
+    ("Pool create",             "POST", "/pools",               "Pool.Allocate"),
+
+    # ── ACL / users / roles (admin-only) ──
+    ("User list",               "GET",  "/access/users",        "Permissions.Modify"),
+    ("Role list",               "GET",  "/access/roles",        "Permissions.Modify"),
+    ("ACL list",                "GET",  "/access/acl",          "Permissions.Modify"),
+]
+
+
+def _safe_encode(data: dict[str, str]) -> str:
+    """URL-encode dict as form data, preserving literal commas in values.
+
+    Proxmox expects literal commas in ``privs`` values, but httpx's
+    default form-encoding converts them to ``%2C``.
+    """
+    return urlencode(data, safe=",")
+
+
+def register_auth_parser(subparsers: argparse._SubParsersAction) -> None:
+    """Register the `proxmox auth` subcommand tree."""
+    auth_parser = subparsers.add_parser("auth", help="Authentication and permissions")
+    auth_sub = auth_parser.add_subparsers(dest="action", title="actions", required=True)
+
+    # --- auth status ---
+    status = auth_sub.add_parser("status", help="Show current authentication status")
+    status.add_argument("--permissions", "-p", action="store_true",
+                        help="Also show effective permissions of the current token")
+    status.set_defaults(func=_auth_status)
+
+    # --- auth setup ---
+    setup = auth_sub.add_parser("setup", help="Create recommended roles and ACLs for proxcli")
+    setup.set_defaults(func=_auth_setup)
+
+    # --- auth check ---
+    check = auth_sub.add_parser("check", help="Test each permission endpoint live")
+    check.set_defaults(func=_auth_check, output_format="table")
+
+
+def _auth_status(args: argparse.Namespace, client: ProxmoxClient | None = None) -> dict:
+    """Display current authentication status."""
+    loader = ConfigLoader()
+    creds = loader.load_or_none()
+    if creds is None:
+        return {"status": "not authenticated"}
+
+    found_path = loader.find_file()
+    result: dict = {
+        "status": "authenticated",
+        "url": creds.url,
+        "username": creds.username,
+        "auth_method": creds.auth_method.value,
+        "verify_tls": creds.verify_tls,
+        "config_file": str(found_path) if found_path else "unknown",
+    }
+
+    if client is not None and args.permissions:
+        perms = client.get("/access/permissions")
+        result["permissions"] = perms
+
+    return result
+
+
+def _auth_setup(args: argparse.Namespace, client: ProxmoxClient) -> dict:
+    """Create the recommended proxcli roles and ACLs."""
+    created_roles: list[str] = []
+    skipped_roles: list[str] = []
+    created_acls: list[str] = []
+    skipped_acls: list[str] = []
+
+    # 1. Create roles
+    for role_name, privs in PROXCLI_ROLES.items():
+        existing = client.get("/access/roles")
+        if any(r.get("roleid") == role_name for r in existing):
+            skipped_roles.append(role_name)
+            continue
+        content = _safe_encode({"roleid": role_name, "privs": privs})
+        client.request("POST", "/access/roles", content=content)
+        created_roles.append(role_name)
+
+    # 2. Create ACLs
+    # We need the username from config to assign ACLs
+    loader = ConfigLoader()
+    creds = loader.load()
+    ug = creds.username
+
+    for path, role in PROXCLI_ACLS:
+        existing_acls = client.get("/access/acl")
+        # Check if this exact ACL already exists
+        already = any(
+            a.get("path") == path
+            and a.get("roleid") == role
+            and a.get("ugid") == ug
+            for a in existing_acls
+        )
+        if already:
+            skipped_acls.append(f"{path} → {role} ({ug})")
+            continue
+        content = _safe_encode({"path": path, "roles": role, "users": ug})
+        client.request("PUT", "/access/acl", content=content)
+        created_acls.append(f"{path} → {role} ({ug})")
+
+    return {
+        "created_roles": created_roles,
+        "skipped_roles": skipped_roles,
+        "created_acls": created_acls,
+        "skipped_acls": skipped_acls,
+    }
+
+
+def _auth_check(args: argparse.Namespace, client: ProxmoxClient) -> list[dict]:
+    """Test each proxcli endpoint and report permission status."""
+    results: list[dict] = []
+
+    # Resolve a real node name for paths that need it
+    nodes = client.get("/nodes")
+    node = nodes[0]["node"] if nodes else "pve"
+
+    for label, method, path, needed_priv in PERMISSION_CHECKS:
+        # Replace placeholders
+        real_path = path.replace("{node}", node).replace("{vmid}", "99999") \
+                         .replace("{storage}", "local").replace("{snapname}", "test")
+
+        try:
+            if method in ("GET", "DELETE"):
+                client.request(method, real_path)
+            else:
+                # POST/PUT: send dummy body to check permission (not actual creation)
+                client.request(method, real_path, data={"dry": "1"})
+            status = "PASS"
+        except ProxmoxAPIError as exc:
+            if exc.status_code == 403:
+                status = "FAIL"
+            else:
+                # 404 (node not found), 500, etc. means we had permission
+                # to reach the endpoint but something else went wrong
+                status = "PASS"
+
+        results.append({
+            "feature": label,
+            "method": method,
+            "privilege": needed_priv,
+            "status": status,
+        })
+
+    return results

{proxcli-0.12.0 → proxcli-0.13.0}/proxmox/cli/ceph.py

@@ -20,7 +20,8 @@ def register_ceph_parser(subparsers: argparse._SubParsersAction) -> None:
     log = ceph_sub.add_parser("log", help="Show recent Ceph log entries")
     log.add_argument("--node", help="Show logs for a specific node (default: all nodes)")
     log.add_argument("--limit", type=int, default=50, help="Number of log entries (default: 50)")
-    log.set_defaults(func=_ceph_log)
+    log.add_argument("--follow", "-f", action="store_true", help="Follow log output")
+    log.set_defaults(func=_ceph_log, output_format="log")
 
     # --- ceph osd ---
     osd = ceph_sub.add_parser("osd", help="List Ceph OSDs")
@@ -79,8 +80,18 @@ def _ceph_status(args: argparse.Namespace, client: ProxmoxClient) -> dict:
     }
 
 
-def _ceph_log(args: argparse.Namespace, client: ProxmoxClient) -> list:
+def _ceph_log(args: argparse.Namespace, client: ProxmoxClient) -> list | None:
     """Fetch Ceph log entries."""
+    if args.follow:
+        # Follow only works with --node for ceph log (per-node endpoint)
+        if not args.node:
+            return {"error": "--follow requires --node for Ceph logs"}
+        client.stream_log(
+            f"/nodes/{args.node}/ceph/log", follow=True,
+            params={"limit": args.limit},
+        )
+        return None
+
     if args.node:
         node_list = [args.node]
     else:
@@ -102,13 +113,13 @@ def _ceph_log(args: argparse.Namespace, client: ProxmoxClient) -> list:
     all_entries.sort(key=lambda e: e.get("t", ""), reverse=True)
     entries = all_entries[: args.limit]
 
-    return [
+    return list(reversed([
         {
             "time": entry.get("t", ""),
             "node": entry.get("_node", ""),
         }
         for entry in entries
-    ]
+    ]))
 
 
 def _ceph_osd(args: argparse.Namespace, client: ProxmoxClient) -> list:

{proxcli-0.12.0 → proxcli-0.13.0}/proxmox/cli/cluster.py

@@ -20,7 +20,8 @@ def register_cluster_parser(subparsers: argparse._SubParsersAction) -> None:
     # --- cluster log ---
     cl_log = cl_sub.add_parser("log", help="Show cluster log")
     cl_log.add_argument("--limit", type=int, default=50, help="Number of entries (default: 50)")
-    cl_log.set_defaults(func=_cl_log)
+    cl_log.add_argument("--follow", "-f", action="store_true", help="Follow log output")
+    cl_log.set_defaults(func=_cl_log, output_format="log")
 
     # --- cluster options ---
     cl_opts = cl_sub.add_parser("options", help="Show cluster-wide options")
@@ -142,8 +143,12 @@ def _cl_status(_args: argparse.Namespace, client: ProxmoxClient) -> dict | list:
     return client.get("/cluster/status")
 
 
-def _cl_log(args: argparse.Namespace, client: ProxmoxClient) -> list:
-    return client.get("/cluster/log", params={"max": args.limit})
+def _cl_log(args: argparse.Namespace, client: ProxmoxClient) -> list | None:
+    if args.follow:
+        client.stream_log("/cluster/log", follow=True, params={"max": args.limit})
+        return None
+    data = client.get("/cluster/log", params={"max": args.limit})
+    return list(reversed(data)) if isinstance(data, list) else data
 
 
 def _cl_options(_args: argparse.Namespace, client: ProxmoxClient) -> dict: