Devices

Admin By Request

pp-adminbyrequest

Sync Admin By Request audit, event, inventory, and elevation-request data for approvals, quota checks, and admin-risk reports.

Printed by @joltsconsulting

Install

npx — recommended

npx -y @mvanhorn/printing-press-library install adminbyrequest

Installs the CLI binary and the agent skill (Claude Code, Codex, Cursor, Gemini CLI, Copilot, and more). Add --cli-only or --skill-only for one half. Requires Node.

Hermes

hermes skills install mvanhorn/printing-press-library/cli-skills/pp-adminbyrequest --force

From the Hermes CLI. Inside a chat session use /skills install with the same path.

OpenClaw

Install the pp-adminbyrequest skill from https://github.com/mvanhorn/printing-press-library/tree/main/cli-skills/pp-adminbyrequest. The skill defines how its required CLI can be installed.

Paste this to your OpenClaw agent — the skill describes how to install its CLI.

Claude Desktop

This CLI ships an MCPB bundle. Download the latest release .mcpb and double-click it — Claude Desktop walks you through the install.

View source on GitHub →

Every Admin By Request portal action, plus a local SQLite mirror of audit, events, inventory and requests for ad-hoc SQL and offline search.

Pull audit log, events, inventory and requests into a local store with one sync, then approve or deny elevations, generate offline PIN codes, and answer cross-resource questions (repeat requestors, agent-version drift, audit/event correlation) the portal does not surface.

Authentication

Set ADMINBYREQUEST_API_KEY in your environment. The CLI sends it via the apikey header. AbR enforces a 100,000-call daily quota per tenant; the CLI tracks calls locally and warns you before exhaustion via quota forecast.

Quick Start

# Confirm key works and detect which AbR data center your tenant lives on.
adminbyrequest-pp-cli doctor

# Pull audit log, events, inventory and requests into the local SQLite store.
adminbyrequest-pp-cli sync --full

# Surface pending elevation requests to approve or deny.
adminbyrequest-pp-cli requests list --status pending --json

# Identify users repeatedly requesting elevation over the last 30 days.
adminbyrequest-pp-cli requests repeat-offenders --window 30d --json

# Check whether the current API usage pace will exceed the 100k daily quota.
adminbyrequest-pp-cli quota forecast --json

Unique Features

These capabilities aren't available in any other tool for this API.

Local state that compounds

requests repeat-offenders — Surface the top users by elevation-request count over a configurable window, so admins can spot patterns the portal does not visualize.

When tracing repeated elevation attempts across a fleet, this is the single query that names the people; without it, an agent has to walk every request and aggregate manually.
```
adminbyrequest-pp-cli requests repeat-offenders --window 30d --json
```
correlate — Given an audit log entry ID, join it to nearby events on the same computer to reconstruct a full elevation timeline.

Incident response often asks what else happened on this machine when this admin session opened; this is the single command that answers it.
```
adminbyrequest-pp-cli correlate 50461167 --window 5m --json
```

Fleet hygiene

inventory drift — List endpoints whose AbR client version is older than a target version, useful for upgrade campaigns.

Before any compliance audit, the agent should know which endpoints are running an old client; this is the one-liner.
```
adminbyrequest-pp-cli inventory drift --client-version 8.7.2 --json
```
inventory risk-score — Score each endpoint by elevation frequency, local-admin count, and AbR client version recency.

Lets an admin focus remediation effort on the endpoints most likely to be abused.
```
adminbyrequest-pp-cli inventory risk-score --top 10 --json
```

Reachability mitigation

quota forecast — Track local API call count against the 100k-per-day quota and predict whether the current pace will exceed it before midnight.

Reachability mitigation: an agent that calls the API in a loop needs to know before it bricks the tenant for the day.
```
adminbyrequest-pp-cli quota forecast --json
```

Compliance and review

requests denied-reasons — Tokenize the free-text deniedReason field across all denied requests and emit a top-N word distribution.

For compliance review and tone-of-policy checks, surfacing the actual words used is faster than reading each row.
```
adminbyrequest-pp-cli requests denied-reasons --top 20 --json
```
report compliance — Render audit entries for a user or computer over a window in a format suitable for auditors (CSV or markdown).

Auditor evidence requests always want a single artifact; this generates it in one command.
```
adminbyrequest-pp-cli report compliance --since 2026-01-01 --user CHRISCOOMBES --format md
```

Usage

Run adminbyrequest-pp-cli --help for the full command reference and flag list.

Commands

auditlog

Admin session and elevation audit log entries

adminbyrequest-pp-cli auditlog delta - Delta query for audit log changes (use timeNow/deltaTime ticks for resumable sync)
adminbyrequest-pp-cli auditlog list - List audit log entries (admin sessions, app elevations, denied requests). Pagination is by id cursor.

events

Security and operational events emitted by AbR clients

adminbyrequest-pp-cli events list - List events. Use code filter to narrow to specific event types.

inventory

Endpoint inventory: hardware, software, OS, AbR agent version

adminbyrequest-pp-cli inventory list - List inventoried endpoints. Use wantsoftware/wanthardware to expand.
adminbyrequest-pp-cli inventory pin - Generate an offline elevation PIN code for a device. Pass --challenge for challenge-response mode.

requests

Pending, approved, and denied elevation requests

adminbyrequest-pp-cli requests approve - Approve a pending elevation request.
adminbyrequest-pp-cli requests deny - Deny a pending elevation request.
adminbyrequest-pp-cli requests list - List elevation requests filtered by status.

Output Formats

# Human-readable table (default in terminal, JSON when piped)
adminbyrequest-pp-cli auditlog list

# JSON for scripting and agents
adminbyrequest-pp-cli auditlog list --json

# Filter to specific fields
adminbyrequest-pp-cli auditlog list --json --select id,name,status

# Dry run — show the request without sending
adminbyrequest-pp-cli auditlog list --dry-run

# Agent mode — JSON + compact + no prompts in one flag
adminbyrequest-pp-cli auditlog list --agent

Agent Usage

This CLI is designed for AI agent consumption:

Non-interactive - never prompts, every input is a flag
Pipeable - --json output to stdout, errors to stderr
Filterable - --select id,name returns only fields you need
Previewable - --dry-run shows the request without sending
Explicit retries - add --idempotent to create retries when a no-op success is acceptable
Confirmable - --yes for explicit confirmation of destructive actions
Piped input - write commands can accept structured input when their help lists --stdin
Offline-friendly - sync/search commands can use the local SQLite store when available
Agent-safe by default - no colors or formatting unless --human-friendly is set

Exit codes: 0 success, 2 usage error, 3 not found, 4 auth error, 5 API error, 7 rate limited, 10 config error.

Health Check

adminbyrequest-pp-cli doctor

Verifies configuration, credentials, and connectivity to the API.

Configuration

Config file: ~/.config/adminbyrequest-pp-cli/config.toml

Static request headers can be configured under headers; per-command header overrides take precedence.

Environment variables:

Name	Kind	Required	Description
`ADMINBYREQUEST_API_KEY`	per_call	Yes	Set to your API credential.

Troubleshooting

Authentication errors (exit code 4)

Run adminbyrequest-pp-cli doctor to check credentials
Verify the environment variable is set: echo $ADMINBYREQUEST_API_KEY Not found errors (exit code 3)
Check the resource ID is correct
Run the list command to see available items

API-specific

doctor reports HTTP 500 from every data center — API key may be wrong; verify ADMINBYREQUEST_API_KEY is the value from your portal Settings > Tenant Settings > Data > API Keys.
Sync stalls at exactly 100,000 calls — You hit the daily quota; AbR blocks the tenant until next business day. Run quota forecast next time to predict before it happens.
PIN code endpoint returns General error — Pass the challenge code via --challenge; the bare endpoint without a challenge returns this error by design.

Generated by CLI Printing Press