ui-cli 1.2.1__py3-none-any.whl

ui_cli/local_client.py

@@ -0,0 +1,897 @@
+"""Async HTTP client for UniFi Local Controller API.
+
+Supports both UDM-based controllers (using /proxy/network/api/) and
+Cloud Key / self-hosted controllers (using /api/).
+"""
+
+import json
+from datetime import datetime, timezone
+from typing import Any
+
+import httpx
+
+from ui_cli.config import settings
+
+_API_KEY_REJECTED_MSG = (
+    "API key rejected by controller (HTTP 401). Check UNIFI_CONTROLLER_API_KEY."
+)
+
+
+def _get_quick_timeout() -> int | None:
+    """Get quick timeout from local commands if set.
+
+    This allows --quick flag to propagate to the client without
+    modifying every command file.
+    """
+    try:
+        from ui_cli.commands.local.utils import get_timeout
+        return get_timeout()
+    except ImportError:
+        return None
+
+
+class LocalAPIError(Exception):
+    """Base exception for local API errors."""
+
+    def __init__(self, message: str, status_code: int | None = None):
+        self.message = message
+        self.status_code = status_code
+        super().__init__(self.message)
+
+
+class LocalAuthenticationError(LocalAPIError):
+    """Raised when authentication fails."""
+
+    pass
+
+
+class LocalConnectionError(LocalAPIError):
+    """Raised when connection to controller fails."""
+
+    pass
+
+
+class SessionExpiredError(LocalAPIError):
+    """Raised when session has expired."""
+
+    pass
+
+
+class UniFiLocalClient:
+    """Async client for UniFi Local Controller API."""
+
+    def __init__(
+        self,
+        controller_url: str | None = None,
+        username: str | None = None,
+        password: str | None = None,
+        api_key: str | None = None,
+        site: str | None = None,
+        verify_ssl: bool | None = None,
+        timeout: int | None = None,
+    ):
+        self.controller_url = (controller_url or settings.controller_url).rstrip("/")
+        self.username = username or settings.controller_username
+        self.password = password or settings.controller_password
+        self._api_key: str = api_key or settings.controller_api_key
+        self.site = site or settings.controller_site
+        self.verify_ssl = verify_ssl if verify_ssl is not None else settings.controller_verify_ssl
+
+        # Timeout priority: explicit param > --quick flag > settings
+        if timeout is not None:
+            self.timeout = timeout
+        else:
+            quick_timeout = _get_quick_timeout()
+            self.timeout = quick_timeout if quick_timeout is not None else settings.timeout
+
+        # Session state
+        self._cookies: dict[str, str] = {}
+        self._csrf_token: str | None = None
+        self._is_udm: bool | None = None  # None = not detected yet
+
+        # API key auth only works on UniFi OS controllers; initialize UDM mode
+        if self._api_key:
+            self._is_udm = True
+
+        if not self.controller_url:
+            raise LocalAuthenticationError(
+                "Controller URL not configured. Set UNIFI_CONTROLLER_URL in .env file."
+            )
+        # When API key is set, username/password are not required
+        if not self._api_key and (not self.username or not self.password):
+            raise LocalAuthenticationError(
+                "Controller credentials not configured. Set UNIFI_CONTROLLER_USERNAME and UNIFI_CONTROLLER_PASSWORD in .env file."
+            )
+
+    @property
+    def api_prefix(self) -> str:
+        """Get API prefix based on controller type."""
+        if self._is_udm:
+            return f"{self.controller_url}/proxy/network/api/s/{self.site}"
+        return f"{self.controller_url}/api/s/{self.site}"
+
+    @property
+    def auth_url(self) -> str:
+        """Get authentication URL based on controller type."""
+        if self._is_udm:
+            return f"{self.controller_url}/api/auth/login"
+        return f"{self.controller_url}/api/login"
+
+    def _load_session(self) -> bool:
+        """Load session from file. Returns True if valid session loaded."""
+        session_file = settings.session_file
+        if not session_file.exists():
+            return False
+
+        try:
+            data = json.loads(session_file.read_text())
+
+            # Check if session is for same controller
+            if data.get("controller_url") != self.controller_url:
+                return False
+
+            # Check if session has expired (sessions typically last 24h)
+            expires_at = data.get("expires_at")
+            if expires_at:
+                expires = datetime.fromisoformat(expires_at)
+                if datetime.now(timezone.utc) >= expires:
+                    return False
+
+            self._cookies = data.get("cookies", {})
+            self._csrf_token = data.get("csrf_token")
+            self._is_udm = data.get("is_udm")
+            return bool(self._cookies)
+
+        except (json.JSONDecodeError, KeyError, ValueError):
+            return False
+
+    def _save_session(self) -> None:
+        """Save session to file."""
+        # Session expires in 24 hours
+        expires_at = datetime.now(timezone.utc).replace(
+            hour=23, minute=59, second=59
+        ).isoformat()
+
+        data = {
+            "controller_url": self.controller_url,
+            "cookies": self._cookies,
+            "csrf_token": self._csrf_token,
+            "is_udm": self._is_udm,
+            "expires_at": expires_at,
+        }
+
+        settings.session_file.write_text(json.dumps(data, indent=2))
+
+    def _clear_session(self) -> None:
+        """Clear stored session."""
+        self._cookies = {}
+        self._csrf_token = None
+        session_file = settings.session_file
+        if session_file.exists():
+            session_file.unlink()
+
+    async def _detect_controller_type(self, client: httpx.AsyncClient) -> None:
+        """Detect if this is a UDM-based controller or Cloud Key/self-hosted."""
+        # Check if UDM by trying to access a UDM-specific endpoint
+        try:
+            # UDM has /api/auth/login, Cloud Key has /api/login
+            # We check without credentials first to avoid wasting auth attempts
+            response = await client.get(
+                f"{self.controller_url}/api/users/self",
+            )
+            # UDM returns 401, Cloud Key returns 404 for this endpoint
+            if response.status_code == 401:
+                self._is_udm = True
+                return
+        except httpx.RequestError:
+            pass
+
+        # Try the status endpoint which doesn't require auth
+        try:
+            response = await client.get(f"{self.controller_url}/status")
+            # If we get here, likely Cloud Key or self-hosted
+            self._is_udm = False
+            return
+        except httpx.RequestError:
+            pass
+
+        # Default to trying UDM first (more common now)
+        self._is_udm = True
+
+    async def login(self) -> bool:
+        """Authenticate with the controller. Returns True on success."""
+        async with httpx.AsyncClient(
+            timeout=self.timeout,
+            verify=self.verify_ssl,
+        ) as client:
+            # Detect controller type if not known
+            if self._is_udm is None:
+                await self._detect_controller_type(client)
+
+            try:
+                # Try UDM-style auth first
+                if self._is_udm:
+                    response = await client.post(
+                        f"{self.controller_url}/api/auth/login",
+                        json={
+                            "username": self.username,
+                            "password": self.password,
+                            "remember": True,
+                        },
+                    )
+
+                    if response.status_code == 200:
+                        self._cookies = dict(response.cookies)
+                        self._csrf_token = response.headers.get("X-CSRF-Token")
+                        self._save_session()
+                        return True
+                    elif response.status_code == 403:
+                        # 403 on UDM often means wrong credentials
+                        raise LocalAuthenticationError(
+                            "Invalid username or password (or account lacks API access)"
+                        )
+                    elif response.status_code == 401:
+                        raise LocalAuthenticationError("Invalid username or password")
+
+                # Try Cloud Key / self-hosted style auth
+                response = await client.post(
+                    f"{self.controller_url}/api/login",
+                    json={
+                        "username": self.username,
+                        "password": self.password,
+                        "remember": True,
+                    },
+                )
+
+                if response.status_code == 200:
+                    self._cookies = dict(response.cookies)
+                    self._is_udm = False  # Confirmed not UDM
+                    self._save_session()
+                    return True
+                elif response.status_code == 400:
+                    # Check response for more details
+                    try:
+                        error_data = response.json()
+                        error_msg = error_data.get("meta", {}).get("msg", "")
+                        if "Invalid" in error_msg:
+                            raise LocalAuthenticationError("Invalid username or password")
+                    except Exception:
+                        pass
+                    raise LocalAuthenticationError(
+                        "Authentication failed - check credentials"
+                    )
+                elif response.status_code in (401, 403):
+                    raise LocalAuthenticationError("Invalid username or password")
+                else:
+                    raise LocalAuthenticationError(
+                        f"Authentication failed: HTTP {response.status_code}"
+                    )
+
+            except LocalAuthenticationError:
+                raise
+            except httpx.ConnectError as e:
+                raise LocalConnectionError(
+                    f"Could not connect to controller at {self.controller_url}: {e}"
+                )
+            except httpx.TimeoutException:
+                raise LocalConnectionError(
+                    f"Connection timeout to {self.controller_url}"
+                )
+
+    async def ensure_authenticated(self) -> None:
+        """Ensure we have a valid session, logging in if needed.
+
+        When API key auth is configured, this is a no-op — the key is sent
+        as a header on every request without any session handshake.
+        """
+        if self._api_key:
+            return  # API key mode: no session needed
+        if not self._load_session():
+            await self.login()
+
+    def _get_headers(self) -> dict[str, str]:
+        """Get request headers.
+
+        In API key mode: sends X-API-KEY, no cookies, no CSRF token.
+        In username/password mode: sends X-CSRF-Token if available.
+        """
+        headers = {
+            "Accept": "application/json",
+            "Content-Type": "application/json",
+        }
+        if self._api_key:
+            headers["X-API-KEY"] = self._api_key
+        elif self._csrf_token:
+            headers["X-CSRF-Token"] = self._csrf_token
+        return headers
+
+    async def _request(
+        self,
+        method: str,
+        endpoint: str,
+        data: dict[str, Any] | None = None,
+        retry_auth: bool = True,
+    ) -> dict[str, Any]:
+        """Make an authenticated request to the local API."""
+        await self.ensure_authenticated()
+
+        url = f"{self.api_prefix}/{endpoint.lstrip('/')}"
+
+        # In API key mode: do not pass cookies (stateless header auth)
+        client_kwargs: dict[str, Any] = {
+            "timeout": self.timeout,
+            "verify": self.verify_ssl,
+        }
+        if not self._api_key:
+            client_kwargs["cookies"] = self._cookies
+
+        async with httpx.AsyncClient(**client_kwargs) as client:
+            try:
+                response = await client.request(
+                    method=method,
+                    url=url,
+                    headers=self._get_headers(),
+                    json=data,
+                )
+
+                # Handle 401 (API key rejection or session expiry)
+                if response.status_code == 401:
+                    if self._api_key:
+                        # API key mode: hard error, no fallback to username/password
+                        raise LocalAuthenticationError(_API_KEY_REJECTED_MSG)
+                    if retry_auth:
+                        self._clear_session()
+                        await self.login()
+                        return await self._request(
+                            method, endpoint, data, retry_auth=False
+                        )
+                    raise SessionExpiredError("Session expired and re-login failed")
+
+                # API key mode: 404/405 may indicate controller doesn't support proxy path
+                if self._api_key and response.status_code in (404, 405):
+                    if self.username and self.password:
+                        # Fall back to legacy auth path
+                        self._api_key = ""          # disable API key mode
+                        self._is_udm = None         # reset UDM detection
+                        self._clear_session()
+                        await self.login()          # re-authenticate via username/password
+                        # Retry the request on the legacy path (retry_auth=False to prevent loops)
+                        return await self._request(method, endpoint, data, retry_auth=False)
+                    else:
+                        raise LocalAuthenticationError(
+                            f"API key authentication requires UniFi OS (UDM/UDM-Pro/Cloud Gateway, "
+                            f"firmware >= 5.0.3). This controller returned HTTP {response.status_code}, "
+                            f"suggesting it does not support API keys. "
+                            f"Use UNIFI_CONTROLLER_USERNAME/UNIFI_CONTROLLER_PASSWORD for this controller type."
+                        )
+
+                if response.status_code >= 400:
+                    raise LocalAPIError(
+                        f"API error: {response.text}",
+                        status_code=response.status_code,
+                    )
+
+                return response.json()
+
+            except LocalAPIError:
+                raise  # Do not let future broad-catch clauses swallow auth errors
+            except httpx.ConnectError as e:
+                raise LocalConnectionError(f"Connection error: {e}")
+            except httpx.TimeoutException:
+                raise LocalConnectionError("Request timeout")
+
+    async def get(self, endpoint: str) -> dict[str, Any]:
+        """Make a GET request."""
+        return await self._request("GET", endpoint)
+
+    async def post(
+        self, endpoint: str, data: dict[str, Any] | None = None
+    ) -> dict[str, Any]:
+        """Make a POST request."""
+        return await self._request("POST", endpoint, data=data)
+
+    # ========== Clients ==========
+
+    async def list_clients(self) -> list[dict[str, Any]]:
+        """List active (connected) clients."""
+        response = await self.get("/stat/sta")
+        return response.get("data", [])
+
+    async def list_all_clients(self) -> list[dict[str, Any]]:
+        """List all known clients (including offline)."""
+        response = await self.get("/rest/user")
+        return response.get("data", [])
+
+    async def get_client(self, mac: str) -> dict[str, Any] | None:
+        """Get details for a specific client by MAC address."""
+        mac = mac.lower().replace("-", ":")
+        response = await self.get(f"/stat/user/{mac}")
+        data = response.get("data", [])
+        return data[0] if data else None
+
+    async def block_client(self, mac: str) -> bool:
+        """Block a client by MAC address."""
+        mac = mac.lower().replace("-", ":")
+        response = await self.post("/cmd/stamgr", data={"cmd": "block-sta", "mac": mac})
+        return response.get("meta", {}).get("rc") == "ok"
+
+    async def unblock_client(self, mac: str) -> bool:
+        """Unblock a client by MAC address."""
+        mac = mac.lower().replace("-", ":")
+        response = await self.post(
+            "/cmd/stamgr", data={"cmd": "unblock-sta", "mac": mac}
+        )
+        return response.get("meta", {}).get("rc") == "ok"
+
+    async def kick_client(self, mac: str) -> bool:
+        """Kick (disconnect) a client by MAC address."""
+        mac = mac.lower().replace("-", ":")
+        response = await self.post("/cmd/stamgr", data={"cmd": "kick-sta", "mac": mac})
+        return response.get("meta", {}).get("rc") == "ok"
+
+    async def set_client_name(self, user_id: str, name: str) -> bool:
+        """Set the display name for a client.
+
+        Args:
+            user_id: The _id of the client/user record (not MAC address)
+            name: The name to set for the client
+
+        Returns:
+            True on success
+        """
+        response = await self._request(
+            "PUT",
+            f"/rest/user/{user_id}",
+            data={"_id": user_id, "name": name},
+        )
+        return response.get("meta", {}).get("rc") == "ok"
+
+    # ========== Configuration ==========
+
+    async def get_networks(self) -> list[dict[str, Any]]:
+        """Get all network configurations (VLANs, subnets)."""
+        response = await self.get("/rest/networkconf")
+        return response.get("data", [])
+
+    async def get_wlans(self) -> list[dict[str, Any]]:
+        """Get all wireless network (SSID) configurations."""
+        response = await self.get("/rest/wlanconf")
+        return response.get("data", [])
+
+    async def update_network(
+        self, network_id: str, payload: dict[str, Any]
+    ) -> dict[str, Any]:
+        """Update network settings.
+
+        Args:
+            network_id: The _id of the network to update
+            payload: Configuration to apply (merged with existing config)
+
+        Returns:
+            Updated network configuration
+        """
+        response = await self._request("PUT", f"/rest/networkconf/{network_id}", data=payload)
+        data = response.get("data", [])
+        return data[0] if data else {}
+
+    async def update_network_dns(
+        self,
+        network_id: str,
+        dns1: str | None = None,
+        dns2: str | None = None,
+        dns3: str | None = None,
+        dns4: str | None = None,
+        enabled: bool = True,
+    ) -> dict[str, Any]:
+        """Update DHCP DNS server configuration for a network.
+
+        When ``enabled`` is False, custom DNS is disabled and all
+        ``dhcpd_dns_{1..4}`` slots are cleared regardless of the dns*
+        arguments (controller falls back to auto / gateway DNS).
+
+        Args:
+            network_id: The _id of the network to update.
+            dns1: Primary DNS server IP (dhcpd_dns_1).
+            dns2: Secondary DNS server IP (dhcpd_dns_2).
+            dns3: Tertiary DNS server IP (dhcpd_dns_3).
+            dns4: Quaternary DNS server IP (dhcpd_dns_4).
+            enabled: Whether custom DHCP DNS is enabled.
+
+        Returns:
+            Updated network configuration.
+        """
+        payload: dict[str, Any] = {"_id": network_id, "dhcpd_dns_enabled": enabled}
+        if not enabled:
+            payload.update({
+                "dhcpd_dns_1": "",
+                "dhcpd_dns_2": "",
+                "dhcpd_dns_3": "",
+                "dhcpd_dns_4": "",
+            })
+        else:
+            if dns1 is not None:
+                payload["dhcpd_dns_1"] = dns1
+            if dns2 is not None:
+                payload["dhcpd_dns_2"] = dns2
+            if dns3 is not None:
+                payload["dhcpd_dns_3"] = dns3
+            if dns4 is not None:
+                payload["dhcpd_dns_4"] = dns4
+        return await self.update_network(network_id, payload)
+
+    # ========== AP Groups (Broadcasting Groups) ==========
+
+    async def _ensure_cookies_loaded(self) -> None:
+        """Ensure we have a valid session by making a simple API call."""
+        if self._api_key:
+            return  # API key mode: no session needed
+        if not self._cookies:
+            # Make a simple call to trigger authentication
+            await self.get("/stat/health")
+
+    async def _v2_request(
+        self, method: str, endpoint: str, data: dict[str, Any] | None = None
+    ) -> Any:
+        """Make a request to the v2 API.
+
+        Args:
+            method: HTTP method (GET, POST, PUT, DELETE)
+            endpoint: API endpoint path (without base URL)
+            data: Optional JSON payload
+
+        Returns:
+            Response JSON or True for successful DELETE
+        """
+        await self._ensure_cookies_loaded()
+
+        url = f"{self.controller_url}/proxy/network/v2/api/site/{self.site}{endpoint}"
+        headers: dict[str, str] = {}
+        if self._api_key:
+            headers["X-API-KEY"] = self._api_key
+        elif self._csrf_token:
+            headers["x-csrf-token"] = self._csrf_token
+        if method in ("POST", "PUT"):
+            headers["Content-Type"] = "application/json"
+
+        # In API key mode: stateless, no cookies
+        client_kwargs: dict[str, Any] = {
+            "verify": self.verify_ssl,
+            "timeout": self.timeout,
+        }
+        if not self._api_key:
+            client_kwargs["cookies"] = self._cookies
+
+        async with httpx.AsyncClient(**client_kwargs) as client:
+            if method == "GET":
+                response = await client.get(url, headers=headers)
+            elif method == "POST":
+                response = await client.post(url, headers=headers, json=data)
+            elif method == "PUT":
+                response = await client.put(url, headers=headers, json=data)
+            elif method == "DELETE":
+                response = await client.delete(url, headers=headers)
+            else:
+                raise ValueError(f"Unsupported HTTP method: {method}")
+
+            if response.status_code == 401:
+                if self._api_key:
+                    raise LocalAuthenticationError(_API_KEY_REJECTED_MSG)
+                raise LocalAuthenticationError("Session expired")
+            if not response.is_success:
+                raise LocalAPIError(
+                    f"API error: {response.text}", status_code=response.status_code
+                )
+
+            if method == "DELETE":
+                return True
+            return response.json()
+
+    async def get_ap_groups(self) -> list[dict[str, Any]]:
+        """Get all AP groups (broadcasting groups).
+
+        AP groups determine which WLANs are broadcast on which Access Points.
+        Uses the v2 API endpoint.
+
+        Returns:
+            List of AP group dicts with keys: _id, name, device_macs, for_wlanconf
+        """
+        return await self._v2_request("GET", "/apgroups")
+
+    async def create_ap_group(
+        self, name: str, device_macs: list[str] | None = None
+    ) -> dict[str, Any]:
+        """Create a new AP group.
+
+        Args:
+            name: Name for the new AP group
+            device_macs: Optional list of device MAC addresses to include
+
+        Returns:
+            The created AP group dict
+        """
+        payload = {"name": name, "device_macs": device_macs or []}
+        return await self._v2_request("POST", "/apgroups", payload)
+
+    async def update_ap_group(
+        self, group_id: str, name: str, device_macs: list[str]
+    ) -> dict[str, Any]:
+        """Update an existing AP group.
+
+        Args:
+            group_id: The AP group ID to update
+            name: New name for the group
+            device_macs: List of device MAC addresses for the group
+
+        Returns:
+            The updated AP group dict
+        """
+        payload = {"name": name, "device_macs": device_macs}
+        return await self._v2_request("PUT", f"/apgroups/{group_id}", payload)
+
+    async def delete_ap_group(self, group_id: str) -> bool:
+        """Delete an AP group.
+
+        Args:
+            group_id: The AP group ID to delete
+
+        Returns:
+            True if deletion was successful
+        """
+        return await self._v2_request("DELETE", f"/apgroups/{group_id}")
+
+    async def get_firewall_rules(self) -> list[dict[str, Any]]:
+        """Get all firewall rules."""
+        response = await self.get("/rest/firewallrule")
+        return response.get("data", [])
+
+    async def get_firewall_groups(self) -> list[dict[str, Any]]:
+        """Get all firewall groups."""
+        response = await self.get("/rest/firewallgroup")
+        return response.get("data", [])
+
+    async def get_port_forwards(self) -> list[dict[str, Any]]:
+        """Get all port forwarding rules."""
+        response = await self.get("/rest/portforward")
+        return response.get("data", [])
+
+    async def get_devices(self) -> list[dict[str, Any]]:
+        """Get all device configurations and status."""
+        response = await self.get("/stat/device")
+        return response.get("data", [])
+
+    async def get_device(self, mac: str) -> dict[str, Any] | None:
+        """Get a specific device by MAC address."""
+        mac = mac.lower().replace("-", ":")
+        devices = await self.get_devices()
+        for device in devices:
+            if device.get("mac", "").lower() == mac:
+                return device
+        return None
+
+    async def restart_device(self, mac: str) -> bool:
+        """Restart/reboot a device."""
+        mac = mac.lower().replace("-", ":")
+        response = await self.post("/cmd/devmgr", data={"cmd": "restart", "mac": mac})
+        return response.get("meta", {}).get("rc") == "ok"
+
+    async def upgrade_device(self, mac: str) -> bool:
+        """Upgrade device firmware."""
+        mac = mac.lower().replace("-", ":")
+        response = await self.post("/cmd/devmgr", data={"cmd": "upgrade", "mac": mac})
+        return response.get("meta", {}).get("rc") == "ok"
+
+    async def locate_device(self, mac: str, enabled: bool = True) -> bool:
+        """Enable/disable locate LED on device."""
+        mac = mac.lower().replace("-", ":")
+        response = await self.post(
+            "/cmd/devmgr",
+            data={"cmd": "set-locate", "mac": mac, "locate_enable": enabled},
+        )
+        return response.get("meta", {}).get("rc") == "ok"
+
+    async def adopt_device(self, mac: str) -> bool:
+        """Adopt a device."""
+        mac = mac.lower().replace("-", ":")
+        response = await self.post("/cmd/devmgr", data={"cmd": "adopt", "mac": mac})
+        return response.get("meta", {}).get("rc") == "ok"
+
+    async def get_dhcp_reservations(self) -> list[dict[str, Any]]:
+        """Get DHCP reservations (clients with fixed IPs)."""
+        # Fixed IPs are stored in user records with use_fixedip=True
+        response = await self.get("/rest/user")
+        users = response.get("data", [])
+        return [u for u in users if u.get("use_fixedip", False)]
+
+    async def set_client_fixed_ip(
+        self,
+        client_id: str,
+        fixed_ip: str | None = None,
+        network_id: str | None = None,
+        *,
+        use_fixedip: bool = True,
+    ) -> bool:
+        """Set or remove a fixed IP for a client.
+
+        Args:
+            client_id: The _id of the client (user record)
+            fixed_ip: The IP address to assign (required if use_fixedip=True)
+            network_id: The network _id (optional, uses client's current network)
+            use_fixedip: True to enable fixed IP, False to disable
+
+        Returns:
+            True on success
+        """
+        payload: dict[str, Any] = {
+            "_id": client_id,
+            "use_fixedip": use_fixedip,
+        }
+        if use_fixedip:
+            if fixed_ip:
+                payload["fixed_ip"] = fixed_ip
+            if network_id:
+                payload["network_id"] = network_id
+
+        response = await self._request("PUT", f"/rest/user/{client_id}", data=payload)
+        return response.get("meta", {}).get("rc") == "ok"
+
+    async def get_traffic_rules(self) -> list[dict[str, Any]]:
+        """Get traffic rules/schedules."""
+        response = await self.get("/rest/trafficrule")
+        return response.get("data", [])
+
+    async def get_routing(self) -> list[dict[str, Any]]:
+        """Get static routes."""
+        response = await self.get("/rest/routing")
+        return response.get("data", [])
+
+    async def get_site_settings(self) -> list[dict[str, Any]]:
+        """Get site settings."""
+        response = await self.get("/rest/setting")
+        return response.get("data", [])
+
+    async def get_running_config(self) -> dict[str, Any]:
+        """Get full running configuration."""
+        config: dict[str, Any] = {}
+
+        # Fetch each section, handling errors gracefully
+        async def safe_fetch(name: str, func):
+            try:
+                config[name] = await func()
+            except LocalAPIError:
+                config[name] = []  # Empty list on error
+
+        await safe_fetch("networks", self.get_networks)
+        await safe_fetch("wireless", self.get_wlans)
+        await safe_fetch("firewall_rules", self.get_firewall_rules)
+        await safe_fetch("firewall_groups", self.get_firewall_groups)
+        await safe_fetch("port_forwards", self.get_port_forwards)
+        await safe_fetch("devices", self.get_devices)
+        await safe_fetch("dhcp_reservations", self.get_dhcp_reservations)
+        await safe_fetch("traffic_rules", self.get_traffic_rules)
+        await safe_fetch("routing", self.get_routing)
+
+        return config
+
+    # ========== Monitoring ==========
+
+    async def get_events(self, limit: int = 50) -> list[dict[str, Any]]:
+        """Get recent events."""
+        response = await self.post("/stat/event", data={"_limit": limit, "_sort": "-time"})
+        return response.get("data", [])
+
+    async def get_alarms(self, archived: bool = False) -> list[dict[str, Any]]:
+        """Get alarms. Set archived=True to include archived alarms."""
+        response = await self.get("/stat/alarm")
+        alarms = response.get("data", [])
+        if not archived:
+            alarms = [a for a in alarms if not a.get("archived", False)]
+        return alarms
+
+    async def archive_alarm(self, alarm_id: str) -> bool:
+        """Archive an alarm by ID."""
+        response = await self.post(
+            "/cmd/evtmgr", data={"cmd": "archive-alarm", "_id": alarm_id}
+        )
+        return response.get("meta", {}).get("rc") == "ok"
+
+    async def get_health(self) -> list[dict[str, Any]]:
+        """Get site health information."""
+        response = await self.get("/stat/health")
+        return response.get("data", [])
+
+    # ========== Vouchers ==========
+
+    async def get_vouchers(self) -> list[dict[str, Any]]:
+        """Get all vouchers."""
+        response = await self.get("/stat/voucher")
+        return response.get("data", [])
+
+    async def create_voucher(
+        self,
+        count: int = 1,
+        duration: int = 1440,  # minutes (24h default)
+        quota: int = 0,  # MB (0 = unlimited)
+        up_limit: int = 0,  # kbps (0 = unlimited)
+        down_limit: int = 0,  # kbps (0 = unlimited)
+        multi_use: int = 1,  # number of uses
+        note: str | None = None,
+    ) -> list[dict[str, Any]]:
+        """Create voucher(s).
+
+        Args:
+            count: Number of vouchers to create
+            duration: Duration in minutes
+            quota: Data quota in MB (0 = unlimited)
+            up_limit: Upload limit in kbps (0 = unlimited)
+            down_limit: Download limit in kbps (0 = unlimited)
+            multi_use: Number of uses per voucher
+            note: Optional note/description
+
+        Returns:
+            List of created voucher data
+        """
+        data: dict[str, Any] = {
+            "cmd": "create-voucher",
+            "n": count,
+            "expire": duration,
+            "quota": multi_use,  # quota field is actually multi-use count
+        }
+
+        if quota > 0:
+            data["bytes"] = quota  # MB
+
+        if up_limit > 0:
+            data["up"] = up_limit
+
+        if down_limit > 0:
+            data["down"] = down_limit
+
+        if note:
+            data["note"] = note
+
+        response = await self.post("/cmd/hotspot", data=data)
+        return response.get("data", [])
+
+    async def revoke_voucher(self, voucher_id: str) -> bool:
+        """Revoke/delete a voucher by ID."""
+        response = await self.post(
+            "/cmd/hotspot", data={"cmd": "delete-voucher", "_id": voucher_id}
+        )
+        return response.get("meta", {}).get("rc") == "ok"
+
+    # ========== DPI (Deep Packet Inspection) ==========
+
+    async def get_site_dpi(self) -> list[dict[str, Any]]:
+        """Get site-level DPI statistics."""
+        response = await self.get("/stat/sitedpi")
+        return response.get("data", [])
+
+    async def get_client_dpi(self, mac: str) -> list[dict[str, Any]]:
+        """Get DPI statistics for a specific client."""
+        mac = mac.lower().replace("-", ":")
+        response = await self.get(f"/stat/stadpi/{mac}")
+        return response.get("data", [])
+
+    # ========== Statistics ==========
+
+    async def get_daily_stats(self, days: int = 30) -> list[dict[str, Any]]:
+        """Get daily site statistics."""
+        response = await self.post(
+            "/stat/report/daily.site",
+            data={
+                "attrs": ["time", "rx_bytes", "tx_bytes", "num_sta", "wan-rx_bytes", "wan-tx_bytes"],
+                "n": days,
+            },
+        )
+        return response.get("data", [])
+
+    async def get_hourly_stats(self, hours: int = 24) -> list[dict[str, Any]]:
+        """Get hourly site statistics."""
+        response = await self.post(
+            "/stat/report/hourly.site",
+            data={
+                "attrs": ["time", "rx_bytes", "tx_bytes", "num_sta", "wan-rx_bytes", "wan-tx_bytes"],
+                "n": hours,
+            },
+        )
+        return response.get("data", [])