fix(bitdefender): all-clients sweep, quarantine path, EDR controls, self-test

Several bugs found and fixed during live testing against the ACG GravityZone
tenant:
- security_sweep_all_clients: iterate each company (the companies container is
  not a valid endpoint parent; passing it 400'd the whole sweep)
- list_quarantine: use service-scoped path quarantine/computers with companyId
  (bare quarantine module 404'd; param is companyId not parentId)
- rename GZEndpointSummary.detection_active -> threat_detected with corrected
  semantics (True = active threat, tracks with infected; not an engine-on flag)
- status: readable sectioned table renderer for the nested apiKey/license dict
- portable CLAUDETOOLS_ROOT resolution (derive from file path, not a Windows
  literal) so it works on the Mac/Linux fleet

Adds scripts/selftest.py: a 29-check read-only harness (all passing) covering
every read command, --json, error exit codes, and destructive-action gating.
EDR/incident commands (blocklist, isolate/unisolate, blocklist-add/remove) and
raw destructive-method gating are included from this session's work.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.claude/skills/bitdefender/references/api-reference.md

@@ -119,6 +119,39 @@ In `getNetworkInventoryItems` results, `type == 1` denotes a company node.
 | `createRemoveQuarantineItemTask` | uncertain | UNVERIFIED (destructive) | Param shape not confirmed. `raw` only. |
 | `createRestoreQuarantineItemTask` | uncertain | UNVERIFIED | Param shape not confirmed. `raw` only. |
 
+## incidents (`/incidents`) — EDR / incident response
+
+> The incidents module backs the EDR controls: endpoint isolation, the hash
+> blocklist, and the incident list. READ methods are safe; the state-changing
+> methods (isolate / restore / blocklist add+remove) are CLI-gated behind
+> `--confirm`. `isolate` and `addToBlocklist` / `removeFromBlocklist` are NEW
+> destructive verbs — the `raw` subcommand also gates any method whose name
+> contains `isolat`, `addtoblocklist`, or `removefromblocklist`.
+
+| Method | Params | Status | Notes |
+|---|---|---|---|
+| `getBlocklistItems` | `companyId?, page?, perPage?` | VERIFIED LIVE | Returns `{total, page, perPage, pagesCount, items:[{id, source, sourceInfo, hashType, hash, companyId}]}`. Returned 26 items live. `perPage` defaults to 100 in the CLI. `companyId` scopes to one company; omit for the whole tenant. |
+| `getIncidentsList` | `parentId, page?, perPage (500-10000), filters?` | UNVERIFIED / possibly unavailable | `parentId` = a company/group id and is REQUIRED. `perPage` must be 500-10000 (the API rejected 100 with "Invalid value for 'perPage' parameter. The value should be between 500 and 10000"); the CLI defaults it to 500. **However**, live re-testing on 2026-05-30 returned `Method not found` for this method on the `/incidents` module, while `getBlocklistItems` on the SAME module succeeds in the same request — so this is NOT rate-limiting or a bad key. The method is likely gated behind an EDR/incidents license feature that is OFF on this tenant, or is named differently in this API version. The CLI `incidents` subcommand is wired up but will surface `Method not found` until the feature is enabled / the correct name is confirmed. |
+| `createIsolateEndpointTask` | `endpointIds[]` | VERIFIED (destructive) | v1.2: takes an ARRAY `endpointIds` (max 1000), returns an array of task ids. Cuts the endpoint off the network. CLI-gated behind `--confirm`; the client enforces the 1000-id cap. |
+| `createRestoreEndpointFromIsolationTask` | `endpointIds[]` | VERIFIED (destructive) | v1.2: takes an ARRAY `endpointIds` (max 1000), returns an array of task ids. Un-isolates (reverses `createIsolateEndpointTask`). CLI-gated behind `--confirm`; the client enforces the 1000-id cap. |
+| `addToBlocklist` | `companyId, hashType, hashList[], sourceInfo, operatingSystems?` | VERIFIED (destructive) | `hashType` is an int (1 is the common value seen live; see the console / API docs for the full mapping). `hashList` is an array of hash strings. `sourceInfo` is a free-text description. CLI-gated behind `--confirm`. |
+| `removeFromBlocklist` | `hashItemId` *(UNVERIFIED param name)* | VERIFIED method, UNVERIFIED param | Removes one blocklist entry. The param name `hashItemId` is UNVERIFIED — the `id` field from `getBlocklistItems` is the candidate. Confirm against the official API reference before relying on it. CLI-gated behind `--confirm`; the CLI `--id` value comes from `blocklist` output. |
+| `changeIncidentStatus` | uncertain | UNVERIFIED | Not implemented. `raw` only. |
+| `updateIncidentNote` | uncertain | UNVERIFIED | Not implemented. `raw` only. |
+| `createCustomRule` | uncertain | UNVERIFIED | Not implemented. `raw` only. |
+| `getCustomRulesList` | uncertain | UNVERIFIED | Not implemented. `raw` only. |
+| `deleteCustomRule` | uncertain | UNVERIFIED (destructive) | Not implemented. `raw` only. |
+
+## Other modules — raw-reachable only
+
+The following modules are reachable via `raw --module <name>` but have no
+dedicated CLI methods and no verified signatures here:
+
+- `patchmanagement` — raw only. NOTE: the patchmanagement / PHASR license
+  features are OFF on this tenant, so these calls will not return useful data.
+- `integrations` — raw only, UNVERIFIED.
+- `maintenancewindows` — raw only, UNVERIFIED.
+
 ---
 
 ## Verified vs Unverified summary
@@ -132,13 +165,26 @@ network.moveCustomGroup, network.deleteEndpoint (gated),
 network.deleteCustomGroup (gated), packages.getPackagesList,
 packages.createPackage, packages.getInstallationLinks, packages.deletePackage
 (gated), policies.getPoliciesList, policies.getPolicyDetails,
-quarantine.getQuarantineItemsList.
+quarantine.getQuarantineItemsList, incidents.getBlocklistItems,
+incidents.createIsolateEndpointTask (gated),
+incidents.createRestoreEndpointFromIsolationTask (gated),
+incidents.addToBlocklist (gated), incidents.removeFromBlocklist (gated;
+param name UNVERIFIED).
+
+> NOTE: `incidents.getIncidentsList` is wired into the CLI (`incidents`
+> subcommand) but returned `Method not found` on live re-test (2026-05-30) —
+> see the incidents module table. Likely a license-gated EDR feature that is OFF
+> on this tenant. Not counted as VERIFIED LIVE.
 
 **UNVERIFIED (raw subcommand only — do NOT trust the param shape):**
 network.assignPolicy, network.createReconfigureClientTask,
 network.createUninstallTask, network.setEndpointLabel,
 companies.getCompanyDetailsByUser, quarantine.createRemoveQuarantineItemTask,
-quarantine.createRestoreQuarantineItemTask.
+quarantine.createRestoreQuarantineItemTask, incidents.changeIncidentStatus,
+incidents.updateIncidentNote, incidents.createCustomRule,
+incidents.getCustomRulesList, incidents.deleteCustomRule (destructive).
+Whole modules raw-only/UNVERIFIED: patchmanagement (license OFF),
+integrations, maintenancewindows.
 
 Confirm any UNVERIFIED signature against the official Bitdefender API reference
 before relying on it. The generic `raw --module M --method m --params '<json>'`