Documentation

Admin By Request CLI

adminbyrequest-pp-cli

Install

npx -y @mvanhorn/printing-press-library install adminbyrequest

Installs the CLI binary and the agent skill for Claude Code, Codex, Cursor, Gemini CLI, Copilot, and more. Add --cli-only or --skill-only for one half. Requires Node.

Documentation

Every Admin By Request portal action, plus a local SQLite mirror of audit, events, inventory and requests for ad-hoc SQL and offline search.

Pull audit log, events, inventory and requests into a local store with one sync, then approve or deny elevations, generate offline PIN codes, and answer cross-resource questions (repeat requestors, agent-version drift, audit/event correlation) the portal does not surface.

Created by @joltsconsulting (joltsconsulting).

Authentication

Set ADMINBYREQUEST_API_KEY in your environment. The CLI sends it via the apikey header. AbR enforces a 100,000-call daily quota per tenant; the CLI tracks calls locally and warns you before exhaustion via quota forecast.

Quick Start

# Confirm key works and detect which AbR data center your tenant lives on.
adminbyrequest-pp-cli doctor

# Pull audit log, events, inventory and requests into the local SQLite store.
adminbyrequest-pp-cli sync --full

# Surface pending elevation requests to approve or deny.
adminbyrequest-pp-cli requests list --status pending --json

# Identify users repeatedly requesting elevation over the last 30 days.
adminbyrequest-pp-cli requests repeat-offenders --window 30d --json

# Check whether the current API usage pace will exceed the 100k daily quota.
adminbyrequest-pp-cli quota forecast --json

Unique Features

These capabilities aren't available in any other tool for this API.

Local state that compounds

  • requests repeat-offenders — Surface the top users by elevation-request count over a configurable window, so admins can spot patterns the portal does not visualize.

    When tracing repeated elevation attempts across a fleet, this is the single query that names the people; without it, an agent has to walk every request and aggregate manually.

    adminbyrequest-pp-cli requests repeat-offenders --window 30d --json
    
  • correlate — Given an audit log entry ID, join it to nearby events on the same computer to reconstruct a full elevation timeline.

    Incident response often asks what else happened on this machine when this admin session opened; this is the single command that answers it.

    adminbyrequest-pp-cli correlate 50461167 --window 5m --json
    

Fleet hygiene

  • inventory drift — List endpoints whose AbR client version is older than a target version, useful for upgrade campaigns.

    Before any compliance audit, the agent should know which endpoints are running an old client; this is the one-liner.

    adminbyrequest-pp-cli inventory drift --client-version 8.7.2 --json
    
  • inventory risk-score — Score each endpoint by elevation frequency, local-admin count, and AbR client version recency.

    Lets an admin focus remediation effort on the endpoints most likely to be abused.

    adminbyrequest-pp-cli inventory risk-score --top 10 --json
    

Reachability mitigation

  • quota forecast — Track local API call count against the 100k-per-day quota and predict whether the current pace will exceed it before midnight.

    Reachability mitigation: an agent that calls the API in a loop needs to know before it bricks the tenant for the day.

    adminbyrequest-pp-cli quota forecast --json
    

Compliance and review

  • requests denied-reasons — Tokenize the free-text deniedReason field across all denied requests and emit a top-N word distribution.

    For compliance review and tone-of-policy checks, surfacing the actual words used is faster than reading each row.

    adminbyrequest-pp-cli requests denied-reasons --top 20 --json
    
  • report compliance — Render audit entries for a user or computer over a window in a format suitable for auditors (CSV or markdown).

    Auditor evidence requests always want a single artifact; this generates it in one command.

    adminbyrequest-pp-cli report compliance --since 2026-01-01 --user CHRISCOOMBES --format md
    

Usage

Run adminbyrequest-pp-cli --help for the full command reference and flag list.

Commands

auditlog

Admin session and elevation audit log entries

  • adminbyrequest-pp-cli auditlog delta - Delta query for audit log changes (use timeNow/deltaTime ticks for resumable sync)
  • adminbyrequest-pp-cli auditlog list - List audit log entries (admin sessions, app elevations, denied requests). Pagination is by id cursor.

events

Security and operational events emitted by AbR clients

  • adminbyrequest-pp-cli events list - List events. Use code filter to narrow to specific event types.

inventory

Endpoint inventory: hardware, software, OS, AbR agent version

  • adminbyrequest-pp-cli inventory list - List inventoried endpoints. Use wantsoftware/wanthardware to expand.
  • adminbyrequest-pp-cli inventory pin - Generate an offline elevation PIN code for a device. Pass --challenge for challenge-response mode.

requests

Pending, approved, and denied elevation requests

  • adminbyrequest-pp-cli requests approve - Approve a pending elevation request.
  • adminbyrequest-pp-cli requests deny - Deny a pending elevation request.
  • adminbyrequest-pp-cli requests list - List elevation requests filtered by status.

Output Formats

# Human-readable table (default in terminal, JSON when piped)
adminbyrequest-pp-cli auditlog list

# JSON for scripting and agents
adminbyrequest-pp-cli auditlog list --json

# Filter to specific fields
adminbyrequest-pp-cli auditlog list --json --select id,name,status

# Dry run — show the request without sending
adminbyrequest-pp-cli auditlog list --dry-run

# Agent mode — JSON + compact + no prompts in one flag
adminbyrequest-pp-cli auditlog list --agent

Agent Usage

This CLI is designed for AI agent consumption:

  • Non-interactive - never prompts, every input is a flag
  • Pipeable - --json output to stdout, errors to stderr
  • Filterable - --select id,name returns only fields you need
  • Previewable - --dry-run shows the request without sending
  • Explicit retries - add --idempotent to create retries when a no-op success is acceptable
  • Confirmable - --yes for explicit confirmation of destructive actions
  • Piped input - write commands can accept structured input when their help lists --stdin
  • Offline-friendly - sync/search commands can use the local SQLite store when available
  • Agent-safe by default - no colors or formatting unless --human-friendly is set

Exit codes: 0 success, 2 usage error, 3 not found, 4 auth error, 5 API error, 7 rate limited, 10 config error.

Health Check

adminbyrequest-pp-cli doctor

Verifies configuration, credentials, and connectivity to the API.

Configuration

Config file: ~/.config/adminbyrequest-pp-cli/config.toml

Static request headers can be configured under headers; per-command header overrides take precedence.

Environment variables:

NameKindRequiredDescription
ADMINBYREQUEST_API_KEYper_callYesSet to your API credential.

Troubleshooting

Authentication errors (exit code 4)

  • Run adminbyrequest-pp-cli doctor to check credentials
  • Verify the environment variable is set: echo $ADMINBYREQUEST_API_KEY Not found errors (exit code 3)
  • Check the resource ID is correct
  • Run the list command to see available items

API-specific

  • doctor reports HTTP 500 from every data center — API key may be wrong; verify ADMINBYREQUEST_API_KEY is the value from your portal Settings > Tenant Settings > Data > API Keys.
  • Sync stalls at exactly 100,000 calls — You hit the daily quota; AbR blocks the tenant until next business day. Run quota forecast next time to predict before it happens.
  • PIN code endpoint returns General error — Pass the challenge code via --challenge; the bare endpoint without a challenge returns this error by design.

Generated by CLI Printing Press

For agents: pass /documentation/adminbyrequest/agents.md to install this CLI from a prompt.