Documentation
Admin By Request CLI
adminbyrequest-pp-cli
Install
npx -y @mvanhorn/printing-press-library install adminbyrequestInstalls the CLI binary and the agent skill for Claude Code, Codex, Cursor, Gemini CLI, Copilot, and more. Add --cli-only or --skill-only for one half. Requires Node.
Documentation
Every Admin By Request portal action, plus a local SQLite mirror of audit, events, inventory and requests for ad-hoc SQL and offline search.
Pull audit log, events, inventory and requests into a local store with one sync, then approve or deny elevations, generate offline PIN codes, and answer cross-resource questions (repeat requestors, agent-version drift, audit/event correlation) the portal does not surface.
Created by @joltsconsulting (joltsconsulting).
Authentication
Set ADMINBYREQUEST_API_KEY in your environment. The CLI sends it via the apikey header. AbR enforces a 100,000-call daily quota per tenant; the CLI tracks calls locally and warns you before exhaustion via quota forecast.
Quick Start
# Confirm key works and detect which AbR data center your tenant lives on.
adminbyrequest-pp-cli doctor
# Pull audit log, events, inventory and requests into the local SQLite store.
adminbyrequest-pp-cli sync --full
# Surface pending elevation requests to approve or deny.
adminbyrequest-pp-cli requests list --status pending --json
# Identify users repeatedly requesting elevation over the last 30 days.
adminbyrequest-pp-cli requests repeat-offenders --window 30d --json
# Check whether the current API usage pace will exceed the 100k daily quota.
adminbyrequest-pp-cli quota forecast --json
Unique Features
These capabilities aren't available in any other tool for this API.
Local state that compounds
-
requests repeat-offenders— Surface the top users by elevation-request count over a configurable window, so admins can spot patterns the portal does not visualize.When tracing repeated elevation attempts across a fleet, this is the single query that names the people; without it, an agent has to walk every request and aggregate manually.
adminbyrequest-pp-cli requests repeat-offenders --window 30d --json -
correlate— Given an audit log entry ID, join it to nearby events on the same computer to reconstruct a full elevation timeline.Incident response often asks what else happened on this machine when this admin session opened; this is the single command that answers it.
adminbyrequest-pp-cli correlate 50461167 --window 5m --json
Fleet hygiene
-
inventory drift— List endpoints whose AbR client version is older than a target version, useful for upgrade campaigns.Before any compliance audit, the agent should know which endpoints are running an old client; this is the one-liner.
adminbyrequest-pp-cli inventory drift --client-version 8.7.2 --json -
inventory risk-score— Score each endpoint by elevation frequency, local-admin count, and AbR client version recency.Lets an admin focus remediation effort on the endpoints most likely to be abused.
adminbyrequest-pp-cli inventory risk-score --top 10 --json
Reachability mitigation
-
quota forecast— Track local API call count against the 100k-per-day quota and predict whether the current pace will exceed it before midnight.Reachability mitigation: an agent that calls the API in a loop needs to know before it bricks the tenant for the day.
adminbyrequest-pp-cli quota forecast --json
Compliance and review
-
requests denied-reasons— Tokenize the free-text deniedReason field across all denied requests and emit a top-N word distribution.For compliance review and tone-of-policy checks, surfacing the actual words used is faster than reading each row.
adminbyrequest-pp-cli requests denied-reasons --top 20 --json -
report compliance— Render audit entries for a user or computer over a window in a format suitable for auditors (CSV or markdown).Auditor evidence requests always want a single artifact; this generates it in one command.
adminbyrequest-pp-cli report compliance --since 2026-01-01 --user CHRISCOOMBES --format md
Usage
Run adminbyrequest-pp-cli --help for the full command reference and flag list.
Commands
auditlog
Admin session and elevation audit log entries
adminbyrequest-pp-cli auditlog delta- Delta query for audit log changes (use timeNow/deltaTime ticks for resumable sync)adminbyrequest-pp-cli auditlog list- List audit log entries (admin sessions, app elevations, denied requests). Pagination is by id cursor.
events
Security and operational events emitted by AbR clients
adminbyrequest-pp-cli events list- List events. Use code filter to narrow to specific event types.
inventory
Endpoint inventory: hardware, software, OS, AbR agent version
adminbyrequest-pp-cli inventory list- List inventoried endpoints. Use wantsoftware/wanthardware to expand.adminbyrequest-pp-cli inventory pin- Generate an offline elevation PIN code for a device. Pass --challenge for challenge-response mode.
requests
Pending, approved, and denied elevation requests
adminbyrequest-pp-cli requests approve- Approve a pending elevation request.adminbyrequest-pp-cli requests deny- Deny a pending elevation request.adminbyrequest-pp-cli requests list- List elevation requests filtered by status.
Output Formats
# Human-readable table (default in terminal, JSON when piped)
adminbyrequest-pp-cli auditlog list
# JSON for scripting and agents
adminbyrequest-pp-cli auditlog list --json
# Filter to specific fields
adminbyrequest-pp-cli auditlog list --json --select id,name,status
# Dry run — show the request without sending
adminbyrequest-pp-cli auditlog list --dry-run
# Agent mode — JSON + compact + no prompts in one flag
adminbyrequest-pp-cli auditlog list --agent
Agent Usage
This CLI is designed for AI agent consumption:
- Non-interactive - never prompts, every input is a flag
- Pipeable -
--jsonoutput to stdout, errors to stderr - Filterable -
--select id,namereturns only fields you need - Previewable -
--dry-runshows the request without sending - Explicit retries - add
--idempotentto create retries when a no-op success is acceptable - Confirmable -
--yesfor explicit confirmation of destructive actions - Piped input - write commands can accept structured input when their help lists
--stdin - Offline-friendly - sync/search commands can use the local SQLite store when available
- Agent-safe by default - no colors or formatting unless
--human-friendlyis set
Exit codes: 0 success, 2 usage error, 3 not found, 4 auth error, 5 API error, 7 rate limited, 10 config error.
Health Check
adminbyrequest-pp-cli doctor
Verifies configuration, credentials, and connectivity to the API.
Configuration
Config file: ~/.config/adminbyrequest-pp-cli/config.toml
Static request headers can be configured under headers; per-command header overrides take precedence.
Environment variables:
| Name | Kind | Required | Description |
|---|---|---|---|
ADMINBYREQUEST_API_KEY | per_call | Yes | Set to your API credential. |
Troubleshooting
Authentication errors (exit code 4)
- Run
adminbyrequest-pp-cli doctorto check credentials - Verify the environment variable is set:
echo $ADMINBYREQUEST_API_KEYNot found errors (exit code 3) - Check the resource ID is correct
- Run the
listcommand to see available items
API-specific
- doctor reports HTTP 500 from every data center — API key may be wrong; verify ADMINBYREQUEST_API_KEY is the value from your portal Settings > Tenant Settings > Data > API Keys.
- Sync stalls at exactly 100,000 calls — You hit the daily quota; AbR blocks the tenant until next business day. Run quota forecast next time to predict before it happens.
- PIN code endpoint returns General error — Pass the challenge code via --challenge; the bare endpoint without a challenge returns this error by design.
Generated by CLI Printing Press
For agents: pass /documentation/adminbyrequest/agents.md to install this CLI from a prompt.