fix(bitdefender): doc LOWs + sweep pagination + selftest alignment

Batched the audit doc/LOW findings plus the two pagination LOWs:
- Pagination (gz_client): security_sweep and refresh_inventory stopped on a
  'total' field some responses omit, truncating after page 1. Now page until a
  short page (< per_page) - the reliable last-page signal.
- isolate/restore docstrings (gz_client): removed the stale 'v1.2 takes an ARRAY
  endpointIds' lines that contradicted the verified single-endpointId code.
- Cache 'no PII' wording corrected (gz_client header + SKILL.md): cache holds infra
  identifiers (hostnames/FQDNs); no secrets. Dead _require_company_for_sweep removed.
- Doc drift fixed: delete-package is '--id <packageId>' not '--package <name>'
  (SKILL.md + api-reference.md, verified live); module docstring + sweep --company
  help corrected (sweep with no --company fans out to ALL companies).
- selftest aligned to the improved behavior: malformed ids now exit rc2 client-side
  (H3) instead of rc1; gate-refusal 'Would' messages now assert on stderr (they
  moved off stdout so --json isn't polluted). 75/75 pass; live sweep verified.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-25 13:28:01 -07:00
parent 5b3dd84fb9
commit 1852f755ad
5 changed files with 43 additions and 40 deletions

View File

@@ -1,9 +1,12 @@
#!/usr/bin/env python3
"""CLI for the bitdefender skill - GravityZone Cloud Public API.
Read-only subcommands run freely. Destructive subcommands (delete-endpoint,
delete-package, delete-group) refuse to run unless --confirm is passed; without
it they print what they WOULD do and exit non-zero.
Read-only subcommands run freely. State-changing subcommands (delete-endpoint,
delete-package, delete-group, move, scan, create-package, make-group, isolate,
unisolate, blocklist-add/remove, assign-policy, set-label, reconfigure, push-set,
company create/suspend/activate/delete, account/report create, push-test, and any
destructive `raw` method) refuse to run unless --confirm is passed; without it
they print what they WOULD do and exit non-zero. See SKILL.md for the full list.
Output: --json emits raw JSON; otherwise a readable table/summary.
@@ -338,13 +341,6 @@ def cmd_sweep(client, args):
_print_sweep_table(summaries)
def _require_company_for_sweep() -> str:
from gz_client import ACG_COMPANIES_CONTAINER_ID
print("[INFO] No --company given; sweeping the ACG companies container.",
file=sys.stderr)
return ACG_COMPANIES_CONTAINER_ID
def cmd_policies(client, args):
_emit(client.list_policies(), args.json, _print_policy_table)
@@ -948,7 +944,9 @@ def build_parser() -> argparse.ArgumentParser:
sp.add_argument("endpoint_id")
sp = sub.add_parser("sweep", help="Live security posture sweep.", parents=[common])
sp.add_argument("--company", help="Parent id (defaults to ACG container).")
sp.add_argument("--company",
help="Parent company id. Omit to sweep ALL client companies "
"(many live API calls).")
sub.add_parser("policies", help="List policies (id + name).", parents=[common])
sp = sub.add_parser("policy",