Add tests for iconTag parameter in entity-types create (#183)

* Release 1.6.1: Three bug fixes #patch (#180)

* perf: optimize test scheduling with --dist loadfile for 25% faster test runs

* feat: add support for Cortex Secrets API (#161)

* chore: update HISTORY.md for main

* perf: optimize test scheduling with --dist loadfile for 25% faster test runs (#157)

* refactor: separate trigger-evaluation test to avoid scorecard evaluation race conditions

- Create dedicated cli-test-evaluation-scorecard for trigger-evaluation testing
- Remove retry logic complexity from test_scorecards() and test_scorecards_drafts()
- Add new test_scorecard_trigger_evaluation() that creates/deletes its own scorecard
- Eliminates race condition where import triggers evaluation conflicting with tests

* refactor: remove unnecessary mock decorator from _get_rule helper function

The helper function doesn't need its own environment patching since it's called
from fixtures that already have their own @mock.patch.dict decorators.

* Revert "perf: optimize test scheduling with --dist loadfile for 25% faster test runs (#157)"

This reverts commit 8879fcf.

The --dist loadfile optimization caused race conditions between tests that
share resources (e.g., test_custom_events_uuid and test_custom_events_list
both operate on custom events and can interfere with each other when run in
parallel by file).

Reliability > speed. Better to have tests take 40s with no race conditions
than 30s with intermittent failures.

* perf: rename test_deploys.py to test_000_deploys.py for early scheduling

Pytest collects tests alphabetically by filename. With pytest-xdist --dist load,
tests collected earlier are more likely to be scheduled first. Since test_deploys
is the longest-running test (~19s), scheduling it early maximizes parallel
efficiency with 12 workers.

This is our general strategy: prefix slow tests with numbers (000, 001, etc.) to
control scheduling order without introducing race conditions like --dist loadfile.

* feat: add support for Cortex Secrets API

Add complete CLI support for managing secrets via the Cortex Secrets API:
- cortex secrets list: List secrets (with optional entity tag filter)
- cortex secrets get: Get secret by alias
- cortex secrets create: Create new secret
- cortex secrets update: Update existing secret
- cortex secrets delete: Delete secret

All commands support entity tags as required by the API.
Tests skip gracefully if API key lacks secrets permissions.

Also fixes HISTORY.md generation by using Angular convention in git-changelog,
which properly recognizes feat:, fix:, and perf: commit types instead of only
recognizing the basic convention (add:, fix:, change:, remove:).

Closes #158

* fix: update secret test to use valid tag format

Change test secret tag from 'cli-test-secret' to 'cli_test_secret' to comply
with API validation that only allows alphanumeric and underscore characters.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

---------

Co-authored-by: GitHub Actions <[email protected]>
Co-authored-by: Claude <[email protected]>

* feat: add entity relationships API support with optimized backup/restore (#160)

* chore: update HISTORY.md for main

* perf: optimize test scheduling with --dist loadfile for 25% faster test runs (#157)

* refactor: separate trigger-evaluation test to avoid scorecard evaluation race conditions

- Create dedicated cli-test-evaluation-scorecard for trigger-evaluation testing
- Remove retry logic complexity from test_scorecards() and test_scorecards_drafts()
- Add new test_scorecard_trigger_evaluation() that creates/deletes its own scorecard
- Eliminates race condition where import triggers evaluation conflicting with tests

* refactor: remove unnecessary mock decorator from _get_rule helper function

The helper function doesn't need its own environment patching since it's called
from fixtures that already have their own @mock.patch.dict decorators.

* Revert "perf: optimize test scheduling with --dist loadfile for 25% faster test runs (#157)"

This reverts commit 8879fcf.

The --dist loadfile optimization caused race conditions between tests that
share resources (e.g., test_custom_events_uuid and test_custom_events_list
both operate on custom events and can interfere with each other when run in
parallel by file).

Reliability > speed. Better to have tests take 40s with no race conditions
than 30s with intermittent failures.

* perf: rename test_deploys.py to test_000_deploys.py for early scheduling

Pytest collects tests alphabetically by filename. With pytest-xdist --dist load,
tests collected earlier are more likely to be scheduled first. Since test_deploys
is the longest-running test (~19s), scheduling it early maximizes parallel
efficiency with 12 workers.

This is our general strategy: prefix slow tests with numbers (000, 001, etc.) to
control scheduling order without introducing race conditions like --dist loadfile.

* feat: add entity relationships API support and fix backup export bug

- Fix double-encoding bug in backup export for entity-types and ip-allowlist
  - entity-types and ip-allowlist were being converted to strings before json.dump
  - This caused import failures with "TypeError: string indices must be integers"

- Add entity-relationship-types commands:
  - list: List all relationship types
  - get: Get relationship type by tag
  - create: Create new relationship type
  - update: Update existing relationship type
  - delete: Delete relationship type

- Add entity-relationships commands:
  - list: List all relationships for a type
  - list-destinations: Get destinations for source entity
  - list-sources: Get sources for destination entity
  - add-destinations: Add destinations to source
  - add-sources: Add sources to destination
  - update-destinations: Replace all destinations for source
  - update-sources: Replace all sources for destination
  - add-bulk: Add multiple relationships
  - update-bulk: Replace all relationships for type

- Integrate entity relationships into backup/restore:
  - Export entity-relationship-types and entity-relationships
  - Import with proper ordering (types before catalog, relationships after)
  - Transform export format to bulk update format for import

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: clean up entity relationships import output and fix bugs

- Add _print parameter to entity_relationship_types.create() and entity_relationships.update_bulk()
- Use _print=False when importing to suppress JSON output
- Fix import to use correct keys: sourceEntity.tag and destinationEntity.tag instead of source.tag
- Replace typer.unstable.TempFile with standard tempfile.NamedTemporaryFile
- Improve output: show only tag names instead of full JSON when importing
- Add missing tempfile import

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: support re-importing existing entity relationship types

- Check if relationship type already exists before importing
- Use update instead of create for existing relationship types
- Add _print parameter to entity_relationship_types.update()
- Matches pattern used by entity_types import

This allows backup imports to be idempotent and run multiple times
without encountering "already exists" errors.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* feat: improve error handling in backup import

- Add detailed error reporting for catalog imports
  - Show filename, error type, and error message for failures
  - Add total failure count at end of catalog import

- Add error handling for entity relationship type imports
  - Wrap create/update in try/except blocks
  - Show which relationship type failed and why
  - Add total failure count

- Add error handling for entity relationship imports
  - Wrap import operations in try/except blocks
  - Show which relationship type failed and why
  - Add total failure count

This makes it much easier to diagnose import failures by showing
exactly which files are failing and what the error is.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: improve catalog import error handling and make sequential

- Change catalog import from parallel to sequential execution
  - This allows errors to be correlated with specific files
  - HTTP errors from cortex_client are now shown with filenames

- Catch typer.Exit exceptions in catalog import
  - The HTTP client raises typer.Exit on errors
  - Now catches and reports which file caused the error

- Remove unused imports added for parallel error capture
- Simplify catalog import logic

Note: The plugin import failures with "string indices must be integers"
are due to exports created before the double-encoding bug fix. Re-export
with the current code to fix these.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* perf: parallelize entity relationships and catalog imports

- Restore parallel execution for catalog import (30 workers)
  - Previously made sequential for error debugging
  - Now handles typer.Exit exceptions properly
  - Maintains good error reporting with filenames

- Parallelize entity relationship type imports (30 workers)
  - Check existing types once, then import in parallel
  - Properly handles create vs update decision

- Parallelize entity relationship imports (30 workers)
  - Each relationship type is independent
  - Can safely import in parallel

All imports now use ThreadPoolExecutor with 30 workers for
maximum performance while maintaining error reporting.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* feat: add comprehensive import summary and retry commands

- All import functions now return statistics (type, imported count, failures)
- Import summary section shows:
  - Per-type import counts and failures
  - Total imported and failed counts

- Failed imports section lists:
  - Full file paths for all failures
  - Error type and message for each

- Retry commands section provides:
  - Ready-to-run cortex commands for each failed file
  - Can copy/paste directly from terminal
  - Commands use proper quoting for file paths with spaces

- Updated all import functions to track file paths in parallel execution
- Added typer.Exit exception handling to plugins, scorecards, workflows
- Consistent error reporting across all import types

Example output:
  IMPORT SUMMARY
  catalog: 250 imported, 5 failed
  TOTAL: 500 imported, 5 failed

  FAILED IMPORTS
  /path/to/file.yaml
    Error: HTTP - Validation or HTTP error

  RETRY COMMANDS
  cortex catalog create -f "/path/to/file.yaml"

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: show catalog filename before import attempt

- Print "Importing: filename" before attempting catalog import
- HTTP errors now appear immediately after the filename
- Remove duplicate success messages at end
- Only show failure count summary

This makes it immediately clear which file is causing each HTTP 400 error:

Before:
  Processing: .../catalog
  HTTP Error 400: Unknown error
  HTTP Error 400: Unknown error

After:
  Processing: .../catalog
     Importing: docs.yaml
  HTTP Error 400: Unknown error
     Importing: another.yaml
  HTTP Error 400: Unknown error

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: improve test isolation for custom events list test

Delete all event types (not just VALIDATE_SERVICE) at test start to prevent
interference from parallel tests. The connection pooling performance improvements
made tests run much faster, increasing temporal overlap between parallel tests
and exposing this existing test isolation issue.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: initialize variables before conditional to prevent NameError

When entity-relationship-types or entity-relationships directories don't exist
(like in test data), the import functions would reference undefined `results` and
`failed_count` variables, causing a NameError and preventing subsequent imports
from running (including catalog import, breaking tests).

This bug was causing test_catalog_delete_entity and test_custom_events_list to
fail because the import would crash before importing catalog entities.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

---------

Co-authored-by: GitHub Actions <[email protected]>
Co-authored-by: Claude <[email protected]>

* fix: add client-side rate limiting and make tests idempotent (#165) #minor

* chore: update HISTORY.md for main

* perf: optimize test scheduling with --dist loadfile for 25% faster test runs (#157)

* refactor: separate trigger-evaluation test to avoid scorecard evaluation race conditions

- Create dedicated cli-test-evaluation-scorecard for trigger-evaluation testing
- Remove retry logic complexity from test_scorecards() and test_scorecards_drafts()
- Add new test_scorecard_trigger_evaluation() that creates/deletes its own scorecard
- Eliminates race condition where import triggers evaluation conflicting with tests

* refactor: remove unnecessary mock decorator from _get_rule helper function

The helper function doesn't need its own environment patching since it's called
from fixtures that already have their own @mock.patch.dict decorators.

* Revert "perf: optimize test scheduling with --dist loadfile for 25% faster test runs (#157)"

This reverts commit 8879fcf.

The --dist loadfile optimization caused race conditions between tests that
share resources (e.g., test_custom_events_uuid and test_custom_events_list
both operate on custom events and can interfere with each other when run in
parallel by file).

Reliability > speed. Better to have tests take 40s with no race conditions
than 30s with intermittent failures.

* perf: rename test_deploys.py to test_000_deploys.py for early scheduling

Pytest collects tests alphabetically by filename. With pytest-xdist --dist load,
tests collected earlier are more likely to be scheduled first. Since test_deploys
is the longest-running test (~19s), scheduling it early maximizes parallel
efficiency with 12 workers.

This is our general strategy: prefix slow tests with numbers (000, 001, etc.) to
control scheduling order without introducing race conditions like --dist loadfile.

* feat: add entity relationships API support and fix backup export bug

- Fix double-encoding bug in backup export for entity-types and ip-allowlist
  - entity-types and ip-allowlist were being converted to strings before json.dump
  - This caused import failures with "TypeError: string indices must be integers"

- Add entity-relationship-types commands:
  - list: List all relationship types
  - get: Get relationship type by tag
  - create: Create new relationship type
  - update: Update existing relationship type
  - delete: Delete relationship type

- Add entity-relationships commands:
  - list: List all relationships for a type
  - list-destinations: Get destinations for source entity
  - list-sources: Get sources for destination entity
  - add-destinations: Add destinations to source
  - add-sources: Add sources to destination
  - update-destinations: Replace all destinations for source
  - update-sources: Replace all sources for destination
  - add-bulk: Add multiple relationships
  - update-bulk: Replace all relationships for type

- Integrate entity relationships into backup/restore:
  - Export entity-relationship-types and entity-relationships
  - Import with proper ordering (types before catalog, relationships after)
  - Transform export format to bulk update format for import

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: clean up entity relationships import output and fix bugs

- Add _print parameter to entity_relationship_types.create() and entity_relationships.update_bulk()
- Use _print=False when importing to suppress JSON output
- Fix import to use correct keys: sourceEntity.tag and destinationEntity.tag instead of source.tag
- Replace typer.unstable.TempFile with standard tempfile.NamedTemporaryFile
- Improve output: show only tag names instead of full JSON when importing
- Add missing tempfile import

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: support re-importing existing entity relationship types

- Check if relationship type already exists before importing
- Use update instead of create for existing relationship types
- Add _print parameter to entity_relationship_types.update()
- Matches pattern used by entity_types import

This allows backup imports to be idempotent and run multiple times
without encountering "already exists" errors.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* feat: improve error handling in backup import

- Add detailed error reporting for catalog imports
  - Show filename, error type, and error message for failures
  - Add total failure count at end of catalog import

- Add error handling for entity relationship type imports
  - Wrap create/update in try/except blocks
  - Show which relationship type failed and why
  - Add total failure count

- Add error handling for entity relationship imports
  - Wrap import operations in try/except blocks
  - Show which relationship type failed and why
  - Add total failure count

This makes it much easier to diagnose import failures by showing
exactly which files are failing and what the error is.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: improve catalog import error handling and make sequential

- Change catalog import from parallel to sequential execution
  - This allows errors to be correlated with specific files
  - HTTP errors from cortex_client are now shown with filenames

- Catch typer.Exit exceptions in catalog import
  - The HTTP client raises typer.Exit on errors
  - Now catches and reports which file caused the error

- Remove unused imports added for parallel error capture
- Simplify catalog import logic

Note: The plugin import failures with "string indices must be integers"
are due to exports created before the double-encoding bug fix. Re-export
with the current code to fix these.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* perf: parallelize entity relationships and catalog imports

- Restore parallel execution for catalog import (30 workers)
  - Previously made sequential for error debugging
  - Now handles typer.Exit exceptions properly
  - Maintains good error reporting with filenames

- Parallelize entity relationship type imports (30 workers)
  - Check existing types once, then import in parallel
  - Properly handles create vs update decision

- Parallelize entity relationship imports (30 workers)
  - Each relationship type is independent
  - Can safely import in parallel

All imports now use ThreadPoolExecutor with 30 workers for
maximum performance while maintaining error reporting.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* feat: add comprehensive import summary and retry commands

- All import functions now return statistics (type, imported count, failures)
- Import summary section shows:
  - Per-type import counts and failures
  - Total imported and failed counts

- Failed imports section lists:
  - Full file paths for all failures
  - Error type and message for each

- Retry commands section provides:
  - Ready-to-run cortex commands for each failed file
  - Can copy/paste directly from terminal
  - Commands use proper quoting for file paths with spaces

- Updated all import functions to track file paths in parallel execution
- Added typer.Exit exception handling to plugins, scorecards, workflows
- Consistent error reporting across all import types

Example output:
  IMPORT SUMMARY
  catalog: 250 imported, 5 failed
  TOTAL: 500 imported, 5 failed

  FAILED IMPORTS
  /path/to/file.yaml
    Error: HTTP - Validation or HTTP error

  RETRY COMMANDS
  cortex catalog create -f "/path/to/file.yaml"

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: show catalog filename before import attempt

- Print "Importing: filename" before attempting catalog import
- HTTP errors now appear immediately after the filename
- Remove duplicate success messages at end
- Only show failure count summary

This makes it immediately clear which file is causing each HTTP 400 error:

Before:
  Processing: .../catalog
  HTTP Error 400: Unknown error
  HTTP Error 400: Unknown error

After:
  Processing: .../catalog
     Importing: docs.yaml
  HTTP Error 400: Unknown error
     Importing: another.yaml
  HTTP Error 400: Unknown error

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: improve test isolation for custom events list test

Delete all event types (not just VALIDATE_SERVICE) at test start to prevent
interference from parallel tests. The connection pooling performance improvements
made tests run much faster, increasing temporal overlap between parallel tests
and exposing this existing test isolation issue.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: initialize variables before conditional to prevent NameError

When entity-relationship-types or entity-relationships directories don't exist
(like in test data), the import functions would reference undefined `results` and
`failed_count` variables, causing a NameError and preventing subsequent imports
from running (including catalog import, breaking tests).

This bug was causing test_catalog_delete_entity and test_custom_events_list to
fail because the import would crash before importing catalog entities.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* chore: merge staging to main #minor (#162)

* perf: optimize test scheduling with --dist loadfile for 25% faster test runs

* feat: add support for Cortex Secrets API (#161)

* chore: update HISTORY.md for main

* perf: optimize test scheduling with --dist loadfile for 25% faster test runs (#157)

* refactor: separate trigger-evaluation test to avoid scorecard evaluation race conditions

- Create dedicated cli-test-evaluation-scorecard for trigger-evaluation testing
- Remove retry logic complexity from test_scorecards() and test_scorecards_drafts()
- Add new test_scorecard_trigger_evaluation() that creates/deletes its own scorecard
- Eliminates race condition where import triggers evaluation conflicting with tests

* refactor: remove unnecessary mock decorator from _get_rule helper function

The helper function doesn't need its own environment patching since it's called
from fixtures that already have their own @mock.patch.dict decorators.

* Revert "perf: optimize test scheduling with --dist loadfile for 25% faster test runs (#157)"

This reverts commit 8879fcf.

The --dist loadfile optimization caused race conditions between tests that
share resources (e.g., test_custom_events_uuid and test_custom_events_list
both operate on custom events and can interfere with each other when run in
parallel by file).

Reliability > speed. Better to have tests take 40s with no race conditions
than 30s with intermittent failures.

* perf: rename test_deploys.py to test_000_deploys.py for early scheduling

Pytest collects tests alphabetically by filename. With pytest-xdist --dist load,
tests collected earlier are more likely to be scheduled first. Since test_deploys
is the longest-running test (~19s), scheduling it early maximizes parallel
efficiency with 12 workers.

This is our general strategy: prefix slow tests with numbers (000, 001, etc.) to
control scheduling order without introducing race conditions like --dist loadfile.

* feat: add support for Cortex Secrets API

Add complete CLI support for managing secrets via the Cortex Secrets API:
- cortex secrets list: List secrets (with optional entity tag filter)
- cortex secrets get: Get secret by alias
- cortex secrets create: Create new secret
- cortex secrets update: Update existing secret
- cortex secrets delete: Delete secret

All commands support entity tags as required by the API.
Tests skip gracefully if API key lacks secrets permissions.

Also fixes HISTORY.md generation by using Angular convention in git-changelog,
which properly recognizes feat:, fix:, and perf: commit types instead of only
recognizing the basic convention (add:, fix:, change:, remove:).

Closes #158

* fix: update secret test to use valid tag format

Change test secret tag from 'cli-test-secret' to 'cli_test_secret' to comply
with API validation that only allows alphanumeric and underscore characters.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

---------

Co-authored-by: GitHub Actions <[email protected]>
Co-authored-by: Claude <[email protected]>

* feat: add entity relationships API support with optimized backup/restore (#160)

* chore: update HISTORY.md for main

* perf: optimize test scheduling with --dist loadfile for 25% faster test runs (#157)

* refactor: separate trigger-evaluation test to avoid scorecard evaluation race conditions

- Create dedicated cli-test-evaluation-scorecard for trigger-evaluation testing
- Remove retry logic complexity from test_scorecards() and test_scorecards_drafts()
- Add new test_scorecard_trigger_evaluation() that creates/deletes its own scorecard
- Eliminates race condition where import triggers evaluation conflicting with tests

* refactor: remove unnecessary mock decorator from _get_rule helper function

The helper function doesn't need its own environment patching since it's called
from fixtures that already have their own @mock.patch.dict decorators.

* Revert "perf: optimize test scheduling with --dist loadfile for 25% faster test runs (#157)"

This reverts commit 8879fcf.

The --dist loadfile optimization caused race conditions between tests that
share resources (e.g., test_custom_events_uuid and test_custom_events_list
both operate on custom events and can interfere with each other when run in
parallel by file).

Reliability > speed. Better to have tests take 40s with no race conditions
than 30s with intermittent failures.

* perf: rename test_deploys.py to test_000_deploys.py for early scheduling

Pytest collects tests alphabetically by filename. With pytest-xdist --dist load,
tests collected earlier are more likely to be scheduled first. Since test_deploys
is the longest-running test (~19s), scheduling it early maximizes parallel
efficiency with 12 workers.

This is our general strategy: prefix slow tests with numbers (000, 001, etc.) to
control scheduling order without introducing race conditions like --dist loadfile.

* feat: add entity relationships API support and fix backup export bug

- Fix double-encoding bug in backup export for entity-types and ip-allowlist
  - entity-types and ip-allowlist were being converted to strings before json.dump
  - This caused import failures with "TypeError: string indices must be integers"

- Add entity-relationship-types commands:
  - list: List all relationship types
  - get: Get relationship type by tag
  - create: Create new relationship type
  - update: Update existing relationship type
  - delete: Delete relationship type

- Add entity-relationships commands:
  - list: List all relationships for a type
  - list-destinations: Get destinations for source entity
  - list-sources: Get sources for destination entity
  - add-destinations: Add destinations to source
  - add-sources: Add sources to destination
  - update-destinations: Replace all destinations for source
  - update-sources: Replace all sources for destination
  - add-bulk: Add multiple relationships
  - update-bulk: Replace all relationships for type

- Integrate entity relationships into backup/restore:
  - Export entity-relationship-types and entity-relationships
  - Import with proper ordering (types before catalog, relationships after)
  - Transform export format to bulk update format for import

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: clean up entity relationships import output and fix bugs

- Add _print parameter to entity_relationship_types.create() and entity_relationships.update_bulk()
- Use _print=False when importing to suppress JSON output
- Fix import to use correct keys: sourceEntity.tag and destinationEntity.tag instead of source.tag
- Replace typer.unstable.TempFile with standard tempfile.NamedTemporaryFile
- Improve output: show only tag names instead of full JSON when importing
- Add missing tempfile import

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: support re-importing existing entity relationship types

- Check if relationship type already exists before importing
- Use update instead of create for existing relationship types
- Add _print parameter to entity_relationship_types.update()
- Matches pattern used by entity_types import

This allows backup imports to be idempotent and run multiple times
without encountering "already exists" errors.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* feat: improve error handling in backup import

- Add detailed error reporting for catalog imports
  - Show filename, error type, and error message for failures
  - Add total failure count at end of catalog import

- Add error handling for entity relationship type imports
  - Wrap create/update in try/except blocks
  - Show which relationship type failed and why
  - Add total failure count

- Add error handling for entity relationship imports
  - Wrap import operations in try/except blocks
  - Show which relationship type failed and why
  - Add total failure count

This makes it much easier to diagnose import failures by showing
exactly which files are failing and what the error is.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: improve catalog import error handling and make sequential

- Change catalog import from parallel to sequential execution
  - This allows errors to be correlated with specific files
  - HTTP errors from cortex_client are now shown with filenames

- Catch typer.Exit exceptions in catalog import
  - The HTTP client raises typer.Exit on errors
  - Now catches and reports which file caused the error

- Remove unused imports added for parallel error capture
- Simplify catalog import logic

Note: The plugin import failures with "string indices must be integers"
are due to exports created before the double-encoding bug fix. Re-export
with the current code to fix these.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* perf: parallelize entity relationships and catalog imports

- Restore parallel execution for catalog import (30 workers)
  - Previously made sequential for error debugging
  - Now handles typer.Exit exceptions properly
  - Maintains good error reporting with filenames

- Parallelize entity relationship type imports (30 workers)
  - Check existing types once, then import in parallel
  - Properly handles create vs update decision

- Parallelize entity relationship imports (30 workers)
  - Each relationship type is independent
  - Can safely import in parallel

All imports now use ThreadPoolExecutor with 30 workers for
maximum performance while maintaining error reporting.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* feat: add comprehensive import summary and retry commands

- All import functions now return statistics (type, imported count, failures)
- Import summary section shows:
  - Per-type import counts and failures
  - Total imported and failed counts

- Failed imports section lists:
  - Full file paths for all failures
  - Error type and message for each

- Retry commands section provides:
  - Ready-to-run cortex commands for each failed file
  - Can copy/paste directly from terminal
  - Commands use proper quoting for file paths with spaces

- Updated all import functions to track file paths in parallel execution
- Added typer.Exit exception handling to plugins, scorecards, workflows
- Consistent error reporting across all import types

Example output:
  IMPORT SUMMARY
  catalog: 250 imported, 5 failed
  TOTAL: 500 imported, 5 failed

  FAILED IMPORTS
  /path/to/file.yaml
    Error: HTTP - Validation or HTTP error

  RETRY COMMANDS
  cortex catalog create -f "/path/to/file.yaml"

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: show catalog filename before import attempt

- Print "Importing: filename" before attempting catalog import
- HTTP errors now appear immediately after the filename
- Remove duplicate success messages at end
- Only show failure count summary

This makes it immediately clear which file is causing each HTTP 400 error:

Before:
  Processing: .../catalog
  HTTP Error 400: Unknown error
  HTTP Error 400: Unknown error

After:
  Processing: .../catalog
     Importing: docs.yaml
  HTTP Error 400: Unknown error
     Importing: another.yaml
  HTTP Error 400: Unknown error

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: improve test isolation for custom events list test

Delete all event types (not just VALIDATE_SERVICE) at test start to prevent
interference from parallel tests. The connection pooling performance improvements
made tests run much faster, increasing temporal overlap between parallel tests
and exposing this existing test isolation issue.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: initialize variables before conditional to prevent NameError

When entity-relationship-types or entity-relationships directories don't exist
(like in test data), the import functions would reference undefined `results` and
`failed_count` variables, causing a NameError and preventing subsequent imports
from running (including catalog import, breaking tests).

This bug was causing test_catalog_delete_entity and test_custom_events_list to
fail because the import would crash before importing catalog entities.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

---------

Co-authored-by: GitHub Actions <[email protected]>
Co-authored-by: Claude <[email protected]>

---------

Co-authored-by: GitHub Actions <[email protected]>
Co-authored-by: Claude <[email protected]>

* chore: update HISTORY.md for main

* add: pytest configuration with perf marker

Add pytest.ini to configure test markers:
- perf: for performance tests excluded from regular runs
- setup: for setup tests that run before other tests

The perf marker is excluded by default via addopts, ensuring
performance tests only run via 'just test-perf'.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: exclude perf tests from test-all command

Update Justfile to exclude both 'setup' and 'perf' markers from
test-all and _test-all-individual recipes. Previously only excluded
'setup', which caused performance tests to run and slow down the
regular test suite.

Also add test-perf recipe to explicitly run performance tests.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: allow 'just test' to run perf tests

Override pytest.ini's default marker exclusion in the 'test' recipe
by passing -m "" (empty marker filter). This allows users to run
individual test files including perf tests via 'just test <file>'.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* add: client-side rate limiting with TokenBucket algorithm

Implements proactive rate limiting to avoid 429 errors rather than
reactively retrying them.

Key changes:
- Add TokenBucket class for thread-safe rate limiting (1000 req/min)
- Configure 50-token burst capacity for initial request batches
- Remove 429 from retry status_forcelist (now prevented by rate limiter)
- Add performance test validating rate limiter with 250 parallel workers
- Test confirms 100% success rate at ~1049 req/min with no 429 errors

This approach is more efficient than retry-based rate limiting as it
prevents rate limit errors proactively, reducing overall request latency
and eliminating wasted retry attempts.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* add: configurable rate limit via CORTEX_RATE_LIMIT env var

Allows testing higher rate limits to determine if actual API limit
is higher than documented 1000 req/min.

Changes:
- Read rate limit from CORTEX_RATE_LIMIT environment variable
- Default to 1000 req/min if not set
- Allows runtime testing of different rate limits without code changes

Usage:
  export CORTEX_RATE_LIMIT=1500
  cortex backup catalog --export-dir ./test

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* add: --rate-limit CLI flag for configurable rate limiting

Adds global CLI flag to configure API rate limit alongside existing
CORTEX_RATE_LIMIT environment variable.

Changes:
- Add --rate-limit/-r flag to global options
- Pass rate_limit to CortexClient initialization
- Help text shows environment variable and default (1000 req/min)

Usage:
  cortex --rate-limit 1500 backup catalog --export-dir ./test

Or via environment variable:
  export CORTEX_RATE_LIMIT=1500
  cortex backup catalog --export-dir ./test

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: make scorecard exemption tests idempotent

- Moved CORTEX_API_KEY_VIEWER patch from decorator to context manager
- Added cleanup logic to revoke existing exemptions before creating new ones
- Cleanup runs with admin key (has revoke permission) while request uses viewer key (creates PENDING exemptions)
- Tests now pass even when exemptions exist from previous runs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

---------

Co-authored-by: GitHub Actions <[email protected]>
Co-authored-by: Claude <[email protected]>

* fix: remove rate limiter initialization log message (#168) 

Removed INFO log message that appears on every CLI invocation which could
impact applications parsing CLI output.

Fixes #167

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <[email protected]>

* fix: change default logging level from INFO to WARNING

- Users no longer see INFO log messages by default
- Still shows WARNING (slow requests) and ERROR/CRITICAL if they occur
- CLI output is cleaner and more suitable for parsing by other tools
- Users can enable full diagnostics with -l DEBUG or -l INFO

Fixes #170

* fix: initialize results and failed_count before directory check in import functions

All _import_* functions now initialize results=[] and failed_count=0 before
checking if directory exists. This prevents UnboundLocalError when importing
partial exports that don't include all resource types.

Fixed functions:
- _import_catalog: Added results=[] and failed_count=0
- _import_plugins: Added results=[] and failed_count=0
- _import_scorecards: Added results=[] and failed_count=0
- _import_workflows: Added results=[] and failed_count=0

Fixes #171

* fix: only retry on 429 rate limit errors, not 5xx server errors

Changed status_forcelist from [500, 502, 503, 504] to [429] to avoid
wasting time retrying requests that are unlikely to succeed. Client errors
(4xx) and server errors (5xx) typically won't succeed on retry, while rate
limit errors (429) benefit from retry with backoff.

Fixes #172

* Revert: Undo direct merges to staging (#176)

* Revert "Merge branch '172-retry-only-429' into staging"

This reverts commit 052796e, reversing
changes made to 5be1748.

* Revert "Merge branch '171-import-partial-export' into staging"

This reverts commit 5be1748, reversing
changes made to b095f88.

* Revert "Merge branch '170-default-logging-none' into staging"

This reverts commit b095f88, reversing
changes made to 7b20357.

* fix: change default logging level from INFO to WARNING (#177)

- Users no longer see INFO log messages by default
- Still shows WARNING (slow requests) and ERROR/CRITICAL if they occur
- CLI output is cleaner and more suitable for parsing by other tools
- Users can enable full diagnostics with -l DEBUG or -l INFO

Fixes #170

* fix: initialize results and failed_count before directory check in import functions (#178)

All _import_* functions now initialize results=[] and failed_count=0 before
checking if directory exists. This prevents UnboundLocalError when importing
partial exports that don't include all resource types.

Fixed functions:
- _import_catalog: Added results=[] and failed_count=0
- _import_plugins: Added results=[] and failed_count=0
- _import_scorecards: Added results=[] and failed_count=0
- _import_workflows: Added results=[] and failed_count=0

Fixes #171

* fix: only retry on 429 rate limit errors, not 5xx server errors (#179)

Changed status_forcelist from [500, 502, 503, 504] to [429] to avoid
wasting time retrying requests that are unlikely to succeed. Client errors
(4xx) and server errors (5xx) typically won't succeed on retry, while rate
limit errors (429) benefit from retry with backoff.

Fixes #172

---------

Co-authored-by: GitHub Actions <[email protected]>
Co-authored-by: Claude <[email protected]>

* chore: update HISTORY.md for main

* add: tests for iconTag parameter in entity-types create

- Add iconTag to cli-test.json with valid value (Cortex-builtin::Basketball)
- Add test to verify iconTag is returned correctly after create
- Add test for invalid iconTag (API accepts and uses default icon)
- Add test data file for invalid icon scenario

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* add: document HISTORY.md merge conflict resolution in CLAUDE.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* fix: Update urllib3 to >= 2.6.0 for CVE-2025-66418 and CVE-2025-66471

Addresses security vulnerabilities in urllib3 versions < 2.6.0.

Closes #186

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* add: Document branch naming convention in CLAUDE.md

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* fix: Sync homebrew formula with tap and update urllib3 to 2.6.3

- Updated homebrew/cortexapps-cli.rb to match current tap formula
- Updated urllib3 resource from 2.4.0 to 2.6.3 (addresses CVEs)
- Added documentation about homebrew dependency update limitations

Co-Authored-By: Claude Opus 4.5 <[email protected]>

---------

Co-authored-by: GitHub Actions <[email protected]>
Co-authored-by: Claude <[email protected]>

Author: 3 people

CLAUDE.md

@@ -133,6 +133,12 @@ Follow the conventions in `STYLE.md`:
 
 ## Build & Release Process
 
+### Branch Naming Convention
+Use the GitHub-recommended format: `<issue-number>-<short-description>`
+- Example: `186-fix-urllib3-cve` for issue #186
+- Use lowercase kebab-case for the description
+- Keep the description concise (3-5 words)
+
 ### Release Workflow
 1. Create feature branch for changes
 2. Merge to `staging` branch for testing
@@ -146,6 +152,16 @@ Follow the conventions in `STYLE.md`:
    - Docker Hub (`cortexapp/cli:VERSION` and `cortexapp/cli:latest`)
    - Homebrew tap (`cortexapps/homebrew-tap`)
 
+### Homebrew Dependency Updates
+The `mislav/bump-homebrew-formula-action` only updates the main package URL and SHA256. It **cannot** update the `resource` blocks for Python dependencies (this is a documented limitation of the action).
+
+When updating Python dependency versions (e.g., urllib3, requests), the homebrew formula in `cortexapps/homebrew-tap` must be updated manually:
+1. Clone the `cortexapps/homebrew-tap` repository
+2. Update the resource blocks in `Formula/cortexapps-cli.rb` with new URLs and SHA256 hashes from PyPI
+3. Alternatively, use `brew update-python-resources cortexapps-cli` locally and copy the output
+
+**Important**: The `homebrew/cortexapps-cli.rb` file in this repository should be kept in sync with the tap formula for reference. Update it when making dependency changes.
+
 ### Commit Message Format
 Commits should be prefixed with:
 - `add`: New features
@@ -155,6 +171,18 @@ Commits should be prefixed with:
 
 Only commits with these prefixes appear in the auto-generated `HISTORY.md`.
 
+### HISTORY.md Merge Conflicts
+The `HISTORY.md` file is auto-generated when `staging` is merged to `main`. This means:
+- `main` always has the latest HISTORY.md
+- `staging` lags behind until the next release
+- Feature branches created from `main` have the updated history
+
+When merging feature branches to `staging`, conflicts in HISTORY.md are expected. Resolve by accepting the incoming version:
+```bash
+git checkout --theirs HISTORY.md
+git add HISTORY.md
+```
+
 ### GitHub Actions
 - **`publish.yml`**: Triggered on push to `main`, handles versioning and multi-platform publishing
 - **`test-pr.yml`**: Runs tests on pull requests

HISTORY.md

@@ -6,6 +6,18 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 <!-- insertion marker -->
+## [1.7.0](https://github.com/cortexapps/cli/releases/tag/1.7.0) - 2025-11-19
+
+<small>[Compare with 1.6.0](https://github.com/cortexapps/cli/compare/1.6.0...1.7.0)</small>
+
+## [1.6.0](https://github.com/cortexapps/cli/releases/tag/1.6.0) - 2025-11-14
+
+<small>[Compare with 1.5.0](https://github.com/cortexapps/cli/compare/1.5.0...1.6.0)</small>
+
+### Bug Fixes
+
+- remove rate limiter initialization log message (#169) #patch ([015107a](https://github.com/cortexapps/cli/commit/015107aca15d5a4cf4eb746834bcbb7dac607e1d) by Jeff Schnitter).
+
 ## [1.5.0](https://github.com/cortexapps/cli/releases/tag/1.5.0) - 2025-11-13
 
 <small>[Compare with 1.4.0](https://github.com/cortexapps/cli/compare/1.4.0...1.5.0)</small>

data/import/entity-types/cli-test.json

@@ -1,5 +1,6 @@
 {
   "description": "This is a test entity type definition.",
+  "iconTag": "Cortex-builtin::Basketball",
   "name": "CLI Test With Empty Schema",
   "schema": {},
   "type": "cli-test"

data/run-time/entity-type-invalid-icon.json

@@ -0,0 +1,7 @@
+{
+  "description": "This is a test entity type definition with invalid icon.",
+  "iconTag": "invalidIcon",
+  "name": "CLI Test With Invalid Icon",
+  "schema": {},
+  "type": "cli-test-invalid-icon"
+}

homebrew/cortexapps-cli.rb

@@ -2,40 +2,80 @@ class CortexappsCli < Formula
   include Language::Python::Virtualenv
   desc     "Command-line Interface for Cortexapps"
   homepage "https://github.com/cortexapps/cli"
-  url "https://files.pythonhosted.org/packages/9e/09/b639040aa375def127ee54e3d41c5159c67b9eff33418cfe852498e716e7/cortexapps_cli-0.1.0.tar.gz"
-  sha256  "d4fedbe9d258771ba4bc357e62ae0a8c3e62a8eb891c93d247b6791feea6e12a"
+  url "https://pypi.io/packages/source/c/cortexapps_cli/cortexapps_cli-1.7.0.tar.gz"
+  sha256  "a0f464cfbd0c870587c50cdfdd992f76ba128b8d0eb0bec66900a9d1c7be1942"
   license "MIT"
 
   depends_on "[email protected]"
 
   resource "certifi" do
-    url "https://files.pythonhosted.org/packages/98/98/c2ff18671db109c9f10ed27f5ef610ae05b73bd876664139cf95bd1429aa/certifi-2023.7.22.tar.gz"
-    sha256 "539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082"
+    url "https://files.pythonhosted.org/packages/73/f7/f14b46d4bcd21092d7d3ccef689615220d8a08fb25e564b65d20738e672e/certifi-2025.6.15.tar.gz"
+    sha256 "d747aa5a8b9bbbb1bb8c22bb13e22bd1f18e9796defa16bab421f7f7a317323b"
   end
 
   resource "charset-normalizer" do
-    url "https://files.pythonhosted.org/packages/63/09/c1bc53dab74b1816a00d8d030de5bf98f724c52c1635e07681d312f20be8/charset-normalizer-3.3.2.tar.gz"
-    sha256 "f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5"
+    url "https://files.pythonhosted.org/packages/e4/33/89c2ced2b67d1c2a61c19c6751aa8902d46ce3dacb23600a283619f5a12d/charset_normalizer-3.4.2.tar.gz"
+    sha256 "5baececa9ecba31eff645232d59845c07aa030f0c81ee70184a90d35099a0e63"
+  end
+
+  resource "click" do
+    url "https://files.pythonhosted.org/packages/b9/2e/0090cbf739cee7d23781ad4b89a9894a41538e4fcf4c31dcdd705b78eb8b/click-8.1.8.tar.gz"
+    sha256 "ed53c9d8990d83c2a27deae68e4ee337473f6330c040a31d4225c9574d16096a"
   end
 
   resource "idna" do
-    url "https://files.pythonhosted.org/packages/8b/e1/43beb3d38dba6cb420cefa297822eac205a277ab43e5ba5d5c46faf96438/idna-3.4.tar.gz"
-    sha256 "814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4"
+    url "https://files.pythonhosted.org/packages/f1/70/7703c29685631f5a7590aa73f1f1d3fa9a380e654b86af429e0934a32f7d/idna-3.10.tar.gz"
+    sha256 "12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9"
+  end
+
+  resource "markdown-it-py" do
+    url "https://files.pythonhosted.org/packages/38/71/3b932df36c1a044d397a1f92d1cf91ee0a503d91e470cbd670aa66b07ed0/markdown-it-py-3.0.0.tar.gz"
+    sha256 "e3f60a94fa066dc52ec76661e37c851cb232d92f9886b15cb560aaada2df8feb"
+  end
+
+  resource "mdurl" do
+    url "https://files.pythonhosted.org/packages/d6/54/cfe61301667036ec958cb99bd3efefba235e65cdeb9c84d24a8293ba1d90/mdurl-0.1.2.tar.gz"
+    sha256 "bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba"
+  end
+
+  resource "pygments" do
+    url "https://files.pythonhosted.org/packages/7c/2d/c3338d48ea6cc0feb8446d8e6937e1408088a72a39937982cc6111d17f84/pygments-2.19.1.tar.gz"
+    sha256 "61c16d2a8576dc0649d9f39e089b5f02bcd27fba10d8fb4dcc28173f7a45151f"
   end
 
   resource "pyyaml" do
-    url "https://files.pythonhosted.org/packages/cd/e5/af35f7ea75cf72f2cd079c95ee16797de7cd71f29ea7c68ae5ce7be1eda0/PyYAML-6.0.1.tar.gz"
-    sha256 "bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43"
+    url "https://files.pythonhosted.org/packages/54/ed/79a089b6be93607fa5cdaedf301d7dfb23af5f25c398d5ead2525b063e17/pyyaml-6.0.2.tar.gz"
+    sha256 "d584d9ec91ad65861cc08d42e834324ef890a082e591037abe114850ff7bbc3e"
   end
 
   resource "requests" do
-    url "https://files.pythonhosted.org/packages/9d/be/10918a2eac4ae9f02f6cfe6414b7a155ccd8f7f9d4380d62fd5b955065c3/requests-2.31.0.tar.gz"
-    sha256 "942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1"
+    url "https://files.pythonhosted.org/packages/e1/0a/929373653770d8a0d7ea76c37de6e41f11eb07559b103b1c02cafb3f7cf8/requests-2.32.4.tar.gz"
+    sha256 "27d0316682c8a29834d3264820024b62a36942083d52caf2f14c0591336d3422"
+  end
+
+  resource "rich" do
+    url "https://files.pythonhosted.org/packages/a1/53/830aa4c3066a8ab0ae9a9955976fb770fe9c6102117c8ec4ab3ea62d89e8/rich-14.0.0.tar.gz"
+    sha256 "82f1bc23a6a21ebca4ae0c45af9bdbc492ed20231dcb63f297d6d1021a9d5725"
+  end
+
+  resource "shellingham" do
+    url "https://files.pythonhosted.org/packages/58/15/8b3609fd3830ef7b27b655beb4b4e9c62313a4e8da8c676e142cc210d58e/shellingham-1.5.4.tar.gz"
+    sha256 "8dbca0739d487e5bd35ab3ca4b36e11c4078f3a234bfce294b0a0291363404de"
+  end
+
+  resource "typer" do
+    url "https://files.pythonhosted.org/packages/c5/58/a79003b91ac2c6890fc5d90145c662fd5771c6f11447f116b63300436bc9/typer-0.12.5.tar.gz"
+    sha256 "f592f089bedcc8ec1b974125d64851029c3b1af145f04aca64d69410f0c9b722"
+  end
+
+  resource "typing-extensions" do
+    url "https://files.pythonhosted.org/packages/d1/bc/51647cd02527e87d05cb083ccc402f93e441606ff1f01739a62c8ad09ba5/typing_extensions-4.14.0.tar.gz"
+    sha256 "8676b788e32f02ab42d9e7c61324048ae4c6d844a399eebace3d4979d75ceef4"
   end
 
   resource "urllib3" do
-    url "https://files.pythonhosted.org/packages/af/47/b215df9f71b4fdba1025fc05a77db2ad243fa0926755a52c5e71659f4e3c/urllib3-2.0.7.tar.gz"
-    sha256 "c97dfde1f7bd43a71c8d2a58e369e9b2bf692d1334ea9f9cae55add7d0dd0f84"
+    url "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz"
+    sha256 "1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed"
   end
 
   def install
@@ -44,14 +84,24 @@ def install
 
   def caveats
     <<~EOS
-      Add the following line to your ~/.bash_profile
-      export PATH="#{bin}:$PATH"
+      To make the CLI available in your SYSTEM path, run this command to add the path to your shell's profile.
+
+      Not sure what shell you are using?  Run this command:
+      echo $SHELL
+
+      Bash:
+      export PATH="#{bin}:$PATH" >> ~/.bash_profile
+
+      zsh:
+      export PATH="#{bin}:$PATH" >> ~/.zprofile
 
       Restart your terminal for the settings to take effect.
+
+      Run 'cortex version' to verify.
     EOS
   end
 
   test do
-    assert_match "Cortex CLI #{version}", shell_output("#{bin}/cortex -v")
+    assert_match "#{version}", shell_output("#{bin}/cortex version")
   end
 end

poetry.lock

@@ -19,7 +19,7 @@ classifiers = [
 python = "^3.11"
 requests = "^2.32.4"
 pyyaml = ">= 6.0.1, < 7"
-urllib3 = ">= 2.2.2"
+urllib3 = ">= 2.6.0"
 typer = "^0.12.5"
 click = "<8.2"
 

pyproject.toml

@@ -12,6 +12,18 @@ def test_resource_definitions(capsys):
     response = cli(["entity-types", "list"])
     assert any(definition['type'] == 'cli-test' for definition in response['definitions']), "Should find entity type named 'cli-test'"
 
-    cli(["entity-types", "get", "-t", "cli-test"])
+    # Verify iconTag was set correctly
+    response = cli(["entity-types", "get", "-t", "cli-test"])
+    assert response.get('iconTag') == "Cortex-builtin::Basketball", "iconTag should be set to Cortex-builtin::Basketball"
 
     cli(["entity-types", "update", "-t", "cli-test", "-f", "data/run-time/entity-type-update.json"])
+
+
+def test_resource_definitions_invalid_icon():
+    # API does not reject invalid iconTag values - it uses a default icon instead
+    # This test verifies that behavior and will catch if the API changes to reject invalid icons
+    response = cli(["entity-types", "create", "-f", "data/run-time/entity-type-invalid-icon.json"], return_type=ReturnType.RAW)
+    assert response.exit_code == 0, "Creation should succeed even with invalid iconTag (API uses default icon)"
+
+    # Clean up the test entity type
+    cli(["entity-types", "delete", "-t", "cli-test-invalid-icon"])